コード例 #1
ファイル: kmip_client.py プロジェクト: vbnmmnbv/PyKMIP
 def register(self, object_type, template_attribute, secret,
              credential=None):
     """Wrap the raw object type and hand the request to ``_register``.

     ``object_type`` is wrapped in ``attr.ObjectType`` first; the template
     attribute, the secret and the optional credential are forwarded as
     given. The return value is whatever ``self._register`` returns.
     """
     wrapped_type = attr.ObjectType(object_type)
     return self._register(
         object_type=wrapped_type,
         template_attribute=template_attribute,
         secret=secret,
         credential=credential)
コード例 #2
    def test_get_attributes(self):
        """
        Check that get_attributes forwards its arguments to the proxy and
        returns the UUID string plus a list of Attribute objects.
        """
        uid = 'aaaaaaaa-1111-2222-3333-ffffffffffff'
        names = ('Name', 'Object Type')

        name_attribute = obj.Attribute(
            attribute_name=obj.Attribute.AttributeName('Name'),
            attribute_index=obj.Attribute.AttributeIndex(0),
            attribute_value=attr.Name(
                name_value=attr.Name.NameValue('Test Name'),
                name_type=attr.Name.NameType(
                    enums.NameType.UNINTERPRETED_TEXT_STRING)))
        type_attribute = obj.Attribute(
            attribute_name=obj.Attribute.AttributeName('Object Type'),
            attribute_value=attr.ObjectType(
                enums.ObjectType.SYMMETRIC_KEY))

        # Canned proxy response handed back by the mocked get_attributes.
        canned = results.GetAttributesResult(
            contents.ResultStatus(enums.ResultStatus.SUCCESS),
            uuid=uid,
            attributes=[name_attribute, type_attribute])

        with ProxyKmipClient() as client:
            client.proxy.get_attributes.return_value = canned

            # A fresh list per call keeps the expectation independent of
            # the list object that was handed to the client.
            outcome = client.get_attributes(uid, list(names))
            client.proxy.get_attributes.assert_called_with(
                uid, list(names))

            self.assertIsInstance(outcome[0], six.string_types)
            self.assertIsInstance(outcome[1], list)
            for item in outcome[1]:
                self.assertIsInstance(item, obj.Attribute)
コード例 #3
    def read(self, istream):
        """Decode the object type and template attribute from ``istream``.

        The parent ``read`` runs first; ``self.length`` bytes are then
        copied into a separate stream and both fields are decoded from
        that copy, object type first.
        """
        super(CreateRequestPayload, self).read(istream)
        # Field decoding works on a buffer holding only ``self.length``
        # bytes, so it cannot consume data beyond that many bytes of the
        # input. NOTE(review): self.length is presumably set by the parent
        # read from the encoded header -- confirm.
        body = BytearrayStream(istream.read(self.length))

        self.object_type = attributes.ObjectType()
        self.template_attribute = TemplateAttribute()

        for field in (self.object_type, self.template_attribute):
            field.read(body)

        # NOTE(review): presumably rejects bytes left over after the known
        # fields -- confirm against the base class.
        self.is_oversized(body)
        self.validate()
コード例 #4
ファイル: test_kmip.py プロジェクト: chellygel/barbican
    def test_get_secret_symmetric_return_value_invalid_key_value_type(self):
        """get_secret must raise when the key value is a plain string."""
        malformed = self.sample_secret
        # Replace the structured key value with a bare string so the
        # store sees a value type it does not expect.
        malformed.key_block.key_value.key_value = 'invalid_key_value_type'

        self.secret_store.client.get = mock.create_autospec(
            proxy.KMIPProxy.get,
            return_value=results.GetResult(
                contents.ResultStatus(enums.ResultStatus.SUCCESS),
                object_type=attr.ObjectType(enums.ObjectType.SYMMETRIC_KEY),
                secret=malformed))

        lookup = {kss.KMIPSecretStore.KEY_UUID: 'uuid'}
        self.assertRaises(secret_store.SecretGeneralException,
                          self.secret_store.get_secret, lookup)
コード例 #5
ファイル: test_kmip.py プロジェクト: chellygel/barbican
    def setUp(self):
        """Build a KMIPSecretStore whose KMIP client is a mock.

        The create, register, destroy and get operations are replaced by
        autospecced mocks that return successful results, so no KMIP
        server is contacted.
        """
        super(WhenTestingKMIPSecretStore, self).setUp()

        def success():
            # Each canned result gets its own status object.
            return contents.ResultStatus(enums.ResultStatus.SUCCESS)

        self.kmipclient_mock = mock.MagicMock(name="KMIP client mock")

        conf = cfg.CONF
        conf.kmip_plugin.keyfile = None

        self.credential = None
        self.secret_store = kss.KMIPSecretStore(conf)
        self.secret_store.client = self.kmipclient_mock
        self.secret_store.credential = self.credential

        # Fixed three-byte sample key; test data only.
        self.sample_secret_features = {
            'key_format_type': enums.KeyFormatType.RAW,
            'key_value': {
                'bytes': bytearray(b'\x00\x00\x00')
            },
            'cryptographic_algorithm': enums.CryptographicAlgorithm.AES,
            'cryptographic_length': 128
        }

        self.sample_secret = secrets.SecretFactory().create_secret(
            enums.ObjectType.SYMMETRIC_KEY, self.sample_secret_features)

        client = self.secret_store.client

        client.create = mock.create_autospec(
            proxy.KMIPProxy.create,
            return_value=results.CreateResult(
                success(), uuid=attr.UniqueIdentifier('uuid')))

        client.register = mock.create_autospec(
            proxy.KMIPProxy.register,
            return_value=results.RegisterResult(
                success(), uuid=attr.UniqueIdentifier('uuid')))

        client.destroy = mock.create_autospec(
            proxy.KMIPProxy.destroy,
            return_value=results.DestroyResult(success()))

        client.get = mock.create_autospec(
            proxy.KMIPProxy.get,
            return_value=results.GetResult(
                success(),
                object_type=attr.ObjectType(enums.ObjectType.SYMMETRIC_KEY),
                secret=self.sample_secret))

        self.attribute_factory = attributes.AttributeFactory()
コード例 #6
    def read(self, istream):
        """Decode object type, unique identifier and secret from ``istream``.

        The parent ``read`` runs first; ``self.length`` bytes are copied
        into a separate stream and the fields are decoded from that copy
        in wire order.
        """
        super(GetResponsePayload, self).read(istream)
        body = BytearrayStream(istream.read(self.length))

        self.object_type = attributes.ObjectType()
        self.unique_identifier = attributes.UniqueIdentifier()

        for field in (self.object_type, self.unique_identifier):
            field.read(body)

        # The class used to decode the secret is selected by the object
        # type that was just read from the stream, i.e. by the sender.
        # NOTE(review): how the factory treats an unexpected type is not
        # visible here -- confirm.
        self.secret = self.secret_factory.create(self.object_type.value)
        self.secret.read(body)

        self.is_oversized(body)
        self.validate()
コード例 #7
ファイル: test_kmip.py プロジェクト: Yweena/barbican
    def test_get_secret(self, kmip_secret, secret_type, kmip_type,
                        key_format_type, expected_secret, pkcs1_only):
        """get_secret returns a SecretDTO built from the proxy's Get result.

        The proxy ``get`` is replaced by a mock returning ``kmip_secret``
        with object type ``kmip_type``; the DTO must carry ``secret_type``
        and ``expected_secret``.
        """
        self.secret_store.pkcs1_only = pkcs1_only

        get_spec = proxy.KMIPProxy().get
        canned = results.GetResult(
            contents.ResultStatus(enums.ResultStatus.SUCCESS),
            object_type=attr.ObjectType(kmip_type),
            secret=kmip_secret)
        self.secret_store.client.proxy.get = mock.MagicMock(
            get_spec, return_value=canned)

        uuid = utils.generate_test_uuid(0)
        lookup = {kss.KMIPSecretStore.KEY_UUID: uuid}
        dto = self.secret_store.get_secret(secret_type, lookup)

        # Only the UUID from the metadata should reach the KMIP proxy.
        self.secret_store.client.proxy.get.assert_called_once_with(uuid)
        self.assertEqual(secret_store.SecretDTO, type(dto))
        self.assertEqual(secret_type, dto.type)
        self.assertEqual(expected_secret, dto.secret)
コード例 #8
    def read(self, istream):
        """Decode object type, unique identifier and optional template.

        The parent ``read`` runs first; ``self.length`` bytes are copied
        into a separate stream. The template attribute is decoded only
        when its tag is the next one in that stream.
        """
        super(CreateResponsePayload, self).read(istream)
        body = BytearrayStream(istream.read(self.length))

        self.object_type = attributes.ObjectType()
        self.unique_identifier = attributes.UniqueIdentifier()

        for field in (self.object_type, self.unique_identifier):
            field.read(body)

        # Optional field: left untouched when the tag is absent.
        template_follows = self.is_tag_next(Tags.TEMPLATE_ATTRIBUTE, body)
        if template_follows:
            self.template_attribute = TemplateAttribute()
            self.template_attribute.read(body)

        self.is_oversized(body)
        self.validate()
コード例 #9
ファイル: test_kmip.py プロジェクト: chellygel/barbican
    def test_get_secret_symmetric_return_value_key_value_string(self):
        """get_secret accepts a KeyValueString and returns a symmetric DTO.

        The three zero bytes are expected back as "AAAA" (presumably the
        base64 form produced by the store -- confirm).
        """
        secret_with_string_value = self.sample_secret
        string_value = objects.KeyValueString(
            value=bytearray(b'\x00\x00\x00'))
        secret_with_string_value.key_block.key_value.key_value = string_value

        self.secret_store.client.get = mock.create_autospec(
            proxy.KMIPProxy.get,
            return_value=results.GetResult(
                contents.ResultStatus(enums.ResultStatus.SUCCESS),
                object_type=attr.ObjectType(enums.ObjectType.SYMMETRIC_KEY),
                secret=secret_with_string_value))

        lookup = {kss.KMIPSecretStore.KEY_UUID: 'uuid'}
        dto = self.secret_store.get_secret(lookup)

        self.assertEqual(secret_store.SecretDTO, type(dto))
        self.assertEqual(secret_store.SecretType.SYMMETRIC, dto.type)
        self.assertEqual(dto.secret, "AAAA")
コード例 #10
ファイル: register.py プロジェクト: zmole945/PyKMIP
    def read(self, istream):
        """Decode object type, template attribute and optional secret.

        The parent ``read`` runs first; ``self.length`` bytes are copied
        into a separate stream and the fields are decoded from that copy.
        """
        super(RegisterRequestPayload, self).read(istream)
        body = BytearrayStream(istream.read(self.length))

        self.object_type = attributes.ObjectType()
        self.template_attribute = TemplateAttribute()

        for field in (self.object_type, self.template_attribute):
            field.read(body)

        # The secret class is chosen by the object type the client sent.
        candidate = self.secret_factory.create(self.object_type.value)

        # The secret is stored and decoded only when its tag comes next;
        # otherwise self.secret is not assigned here.
        # NOTE(review): presumably validate() is what rejects a request
        # without a secret -- confirm.
        if self.is_tag_next(candidate.tag, body):
            self.secret = candidate
            self.secret.read(body)

        self.is_oversized(body)
        self.validate()
コード例 #11
 def create_attribute_value(self, name, value):
     """Build the value object for the attribute type ``name``.

     ``name`` is compared by identity against the members of
     ``enums.AttributeType``; the matching branch wraps ``value`` in the
     corresponding attribute or primitive class, or delegates to one of
     the ``_create_*`` helpers.

     Raises:
         NotImplementedError: for the attribute types whose branch is
             not implemented (certificate fields, usage limits,
             revocation reason, link, and others listed below).
         ValueError: if ``name`` matches no member and is not a ``str``.

     NOTE(review): a ``str`` name that does not start with ``'x-'``
     matches no branch, so the method falls off the end and returns
     ``None`` implicitly. Callers that pass attribute names taken from
     a request should check for that.
     """
     # Switch on the name of the attribute
     if name is enums.AttributeType.UNIQUE_IDENTIFIER:
         return attributes.UniqueIdentifier(value)
     elif name is enums.AttributeType.NAME:
         return self._create_name(value)
     elif name is enums.AttributeType.OBJECT_TYPE:
         return attributes.ObjectType(value)
     elif name is enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM:
         return attributes.CryptographicAlgorithm(value)
     elif name is enums.AttributeType.CRYPTOGRAPHIC_LENGTH:
         return self._create_cryptographic_length(value)
     elif name is enums.AttributeType.CRYPTOGRAPHIC_PARAMETERS:
         return self._create_cryptographic_parameters(value)
     elif name is enums.AttributeType.CRYPTOGRAPHIC_DOMAIN_PARAMETERS:
         raise NotImplementedError()
     elif name is enums.AttributeType.CERTIFICATE_TYPE:
         raise NotImplementedError()
     elif name is enums.AttributeType.CERTIFICATE_LENGTH:
         return primitives.Integer(value, enums.Tags.CERTIFICATE_LENGTH)
     elif name is enums.AttributeType.X_509_CERTIFICATE_IDENTIFIER:
         raise NotImplementedError()
     elif name is enums.AttributeType.X_509_CERTIFICATE_SUBJECT:
         raise NotImplementedError()
     elif name is enums.AttributeType.X_509_CERTIFICATE_ISSUER:
         raise NotImplementedError()
     elif name is enums.AttributeType.CERTIFICATE_IDENTIFIER:
         raise NotImplementedError()
     elif name is enums.AttributeType.CERTIFICATE_SUBJECT:
         raise NotImplementedError()
     elif name is enums.AttributeType.CERTIFICATE_ISSUER:
         raise NotImplementedError()
     elif name is enums.AttributeType.DIGITAL_SIGNATURE_ALGORITHM:
         raise NotImplementedError()
     elif name is enums.AttributeType.DIGEST:
         # NOTE(review): ``value`` is not passed on here, so the returned
         # Digest does not carry the caller's value -- confirm intended.
         return attributes.Digest()
     elif name is enums.AttributeType.OPERATION_POLICY_NAME:
         return attributes.OperationPolicyName(value)
     elif name is enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK:
         return self._create_cryptographic_usage_mask(value)
     elif name is enums.AttributeType.LEASE_TIME:
         return primitives.Interval(value, enums.Tags.LEASE_TIME)
     elif name is enums.AttributeType.USAGE_LIMITS:
         raise NotImplementedError()
     elif name is enums.AttributeType.STATE:
         return attributes.State(value)
     elif name is enums.AttributeType.INITIAL_DATE:
         return primitives.DateTime(value, enums.Tags.INITIAL_DATE)
     elif name is enums.AttributeType.ACTIVATION_DATE:
         return primitives.DateTime(value, enums.Tags.ACTIVATION_DATE)
     elif name is enums.AttributeType.PROCESS_START_DATE:
         return primitives.DateTime(value, enums.Tags.PROCESS_START_DATE)
     elif name is enums.AttributeType.PROTECT_STOP_DATE:
         return primitives.DateTime(value, enums.Tags.PROTECT_STOP_DATE)
     elif name is enums.AttributeType.DEACTIVATION_DATE:
         return primitives.DateTime(value, enums.Tags.DEACTIVATION_DATE)
     elif name is enums.AttributeType.DESTROY_DATE:
         return primitives.DateTime(value, enums.Tags.DESTROY_DATE)
     elif name is enums.AttributeType.COMPROMISE_OCCURRENCE_DATE:
         return primitives.DateTime(value,
                                    enums.Tags.COMPROMISE_OCCURRENCE_DATE)
     elif name is enums.AttributeType.COMPROMISE_DATE:
         return primitives.DateTime(value, enums.Tags.COMPROMISE_DATE)
     elif name is enums.AttributeType.REVOCATION_REASON:
         raise NotImplementedError()
     elif name is enums.AttributeType.ARCHIVE_DATE:
         return primitives.DateTime(value, enums.Tags.ARCHIVE_DATE)
     elif name is enums.AttributeType.OBJECT_GROUP:
         return self._create_object_group(value)
     elif name is enums.AttributeType.FRESH:
         return primitives.Boolean(value, enums.Tags.FRESH)
     elif name is enums.AttributeType.LINK:
         raise NotImplementedError()
     elif name is enums.AttributeType.APPLICATION_SPECIFIC_INFORMATION:
         return self._create_application_specific_information(value)
     elif name is enums.AttributeType.CONTACT_INFORMATION:
         return self._create_contact_information(value)
     elif name is enums.AttributeType.LAST_CHANGE_DATE:
         return primitives.DateTime(value, enums.Tags.LAST_CHANGE_DATE)
     elif name is enums.AttributeType.CUSTOM_ATTRIBUTE:
         return attributes.CustomAttribute(value)
     else:
         # No enum member matched: only string names are considered from
         # here on, and only those with the 'x-' prefix produce a value.
         if not isinstance(name, str):
             raise ValueError('Unrecognized attribute type: '
                              '{0}'.format(name))
         elif name.startswith('x-'):
             # Custom attribute indicated
             return attributes.CustomAttribute(value)
コード例 #12
ファイル: kmip_client.py プロジェクト: vbnmmnbv/PyKMIP
 def create(self, object_type, template_attribute, credential=None):
     """Wrap the raw object type and hand the request to ``_create``.

     ``object_type`` is wrapped in ``attr.ObjectType`` first; the template
     attribute and the optional credential are forwarded as given. The
     return value is whatever ``self._create`` returns.
     """
     wrapped_type = attr.ObjectType(object_type)
     return self._create(
         object_type=wrapped_type,
         template_attribute=template_attribute,
         credential=credential)
コード例 #13
ファイル: test_kmip.py プロジェクト: Yweena/barbican
    def setUp(self):
        """Create a KMIPSecretStore and stub every KMIP proxy operation.

        The plugin configuration is filled with placeholder credentials
        and the proxy's open, close, create, create_key_pair, register,
        destroy and get calls are replaced by mocks returning successful
        results, so no KMIP server is contacted.
        """
        super(WhenTestingKMIPSecretStore, self).setUp()

        def success():
            # Each canned result gets its own status object.
            return contents.ResultStatus(enums.ResultStatus.SUCCESS)

        self.expected_username = "******"
        self.expected_password = "******"

        conf = kss.CONF
        conf.kmip_plugin.username = self.expected_username
        conf.kmip_plugin.password = self.expected_password
        conf.kmip_plugin.keyfile = None
        conf.kmip_plugin.pkcs1_only = False

        self.secret_store = kss.KMIPSecretStore(conf)
        self.credential = self.secret_store.credential
        self.symmetric_type = secret_store.SecretType.SYMMETRIC

        # Fixed three-byte sample key; test data only.
        self.sample_secret_features = {
            'key_format_type': enums.KeyFormatType.RAW,
            'key_value': {
                'bytes': bytearray(b'\x00\x00\x00')
            },
            'cryptographic_algorithm': enums.CryptographicAlgorithm.AES,
            'cryptographic_length': 128
        }

        self.symmetric_key_uuid = 'dde870ad-cea3-41a3-9bb9-e8ab579a2f91'
        self.public_key_uuid = 'cb908abb-d363-4d9f-8ef2-5e84d27dd25c'
        self.private_key_uuid = '2d4c0544-4ec6-45b7-81cd-b23c75744eac'

        self.sample_secret = get_sample_symmetric_key()

        client_proxy = self.secret_store.client.proxy

        client_proxy.open = mock.MagicMock(proxy.KMIPProxy().open)
        client_proxy.close = mock.MagicMock(proxy.KMIPProxy().close)

        client_proxy.create = mock.MagicMock(
            proxy.KMIPProxy().create,
            return_value=results.CreateResult(
                success(),
                uuid=attr.UniqueIdentifier(self.symmetric_key_uuid)))

        client_proxy.create_key_pair = mock.MagicMock(
            proxy.KMIPProxy().create_key_pair,
            return_value=results.CreateKeyPairResult(
                success(),
                private_key_uuid=attr.UniqueIdentifier(self.private_key_uuid),
                public_key_uuid=attr.UniqueIdentifier(self.public_key_uuid)))

        client_proxy.register = mock.MagicMock(
            proxy.KMIPProxy().register,
            return_value=results.RegisterResult(
                success(), uuid=attr.UniqueIdentifier('uuid')))

        client_proxy.destroy = mock.MagicMock(
            proxy.KMIPProxy().destroy,
            return_value=results.DestroyResult(success()))

        client_proxy.get = mock.MagicMock(
            proxy.KMIPProxy().get,
            return_value=results.GetResult(
                success(),
                object_type=attr.ObjectType(enums.ObjectType.SYMMETRIC_KEY),
                secret=self.sample_secret))

        self.attribute_factory = attributes.AttributeFactory()
コード例 #14
ファイル: engine.py プロジェクト: jseadragon/PyKMIP
    def _process_get(self, payload):
        """Handle a Get request and build its response payload.

        Requests asking for key compression or key wrapping are rejected
        first. The managed object is then loaded from the data session and
        checked against its operation policy; a denied request raises
        ``ItemNotFound`` instead of a permission error, so the response
        does not confirm that the object exists. A requested key format
        must equal the stored one because no conversion is implemented.

        Raises:
            exceptions.KeyCompressionTypeNotSupported: compression was
                requested.
            exceptions.PermissionDenied: a key wrapping specification
                was supplied.
            exceptions.ItemNotFound: the operation policy denies Get.
            exceptions.KeyFormatTypeNotSupported: the key format does not
                apply to the object or differs from the stored format.
        """
        self._logger.info("Processing operation: Get")

        # Fall back to the ID placeholder when the request names no object.
        target_id = self._id_placeholder
        if payload.unique_identifier:
            target_id = payload.unique_identifier.value

        requested_format = (
            payload.key_format_type.value
            if payload.key_format_type else None)

        if payload.key_compression_type:
            raise exceptions.KeyCompressionTypeNotSupported(
                "Key compression is not supported.")

        if payload.key_wrapping_specification:
            raise exceptions.PermissionDenied("Key wrapping is not supported.")

        # TODO (peterhamilton) Process key wrapping information
        # 1. Error check wrapping keys for accessibility and usability

        model_class = self._get_object_type(target_id)

        lookup = self._data_session.query(model_class).filter(
            model_class.unique_identifier == target_id)
        managed_object = lookup.one()

        # Determine if the request should be carried out under the object's
        # operation policy. If not, feign ignorance of the object.
        permitted = self._is_allowed_by_operation_policy(
            managed_object.operation_policy_name, self._client_identity,
            managed_object._owner, managed_object._object_type,
            enums.Operation.GET)
        if not permitted:
            raise exceptions.ItemNotFound(
                "Could not locate object: {0}".format(target_id))

        # The format checks run only after the policy check has passed, so
        # their more specific errors are not returned to a denied client.
        if requested_format:
            if not hasattr(managed_object, 'key_format_type'):
                raise exceptions.KeyFormatTypeNotSupported(
                    "Key format is not applicable to the specified object.")

            # TODO (peterhamilton) Convert key to desired format if possible
            stored_format = managed_object.key_format_type
            if requested_format != stored_format:
                raise exceptions.KeyFormatTypeNotSupported(
                    "Key format conversion from {0} to {1} is "
                    "unsupported.".format(managed_object.key_format_type.name,
                                          requested_format.name))

        # Turn e.g. SYMMETRIC_KEY into SymmetricKey for the log line.
        type_name = managed_object.object_type.name
        display_name = ''.join(
            [part.capitalize() for part in type_name.split('_')])
        self._logger.info("Getting a {0} with ID: {1}".format(
            display_name, managed_object.unique_identifier))

        core_secret = self._build_core_object(managed_object)

        return get.GetResponsePayload(
            object_type=attributes.ObjectType(managed_object._object_type),
            unique_identifier=attributes.UniqueIdentifier(target_id),
            secret=core_secret)