コード例 #1
 def setup(self):
     """Build a LocalFileDriver and an S3Driver for the same service name.

     The S3 driver receives the local driver as its ``file_driver``, so both
     fixtures refer to the same LocalFileDriver instance.
     """
     svc = 'test_service'
     local_driver = LocalFileDriver(REGION, svc)
     self._fs_driver = local_driver
     self._s3_driver = S3Driver(
         'test_prefix', svc, REGION, file_driver=local_driver
     )
コード例 #2
    def test_clear(self):
        """LocalFileDriver - Clear Credentials

        A credential saved through the instance must no longer be reported by
        has_credentials() once the class-level LocalFileDriver.clear() has run.
        """
        name = 'descriptor'

        # The payload is a placeholder, not real ciphertext; it is only marked as
        # encrypted through the second argument (True).
        placeholder = Credentials('aaaa', True, REGION)
        self._fs_driver.save_credentials(name, placeholder)

        # clear() is invoked on the class, not on self._fs_driver
        LocalFileDriver.clear()

        still_present = self._fs_driver.has_credentials(name)
        assert_false(still_present)
コード例 #3
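class TestS3DriverWithFileDriver(object):
    """Tests for an S3Driver that is constructed with a LocalFileDriver as its file_driver."""

    def setup(self):
        """Create the local driver and hand it to the S3 driver as ``file_driver``."""
        service_name = 'test_service'
        self._fs_driver = LocalFileDriver(REGION, service_name)
        self._s3_driver = S3Driver('test_prefix',
                                   service_name,
                                   REGION,
                                   file_driver=self._fs_driver)

    @mock_s3
    @mock_kms
    def test_load_credentials(self):
        """S3Driver - With File Driver - Load Credentials - Pulls into LocalFileStore

        Here we use the S3Driver's caching ability to yank stuff into a local driver.
        The copy that lands in the local driver must still report is_encrypted().
        """
        remove_temp_secrets()

        # try/finally: the local secrets are removed even when an assertion fails,
        # so credential files from a failed run are not left behind for later tests.
        try:
            creds = {'my_secret': 'i ate two portions of biscuits and gravy'}
            # The input is explicitly marked as NOT encrypted
            input_credentials = Credentials(creds,
                                            is_encrypted=False,
                                            region=REGION)
            descriptor = 'test_descriptor'

            # Annoyingly, moto needs us to create the bucket first
            # We put a random unrelated object into the bucket and this will set up the
            # bucket for us
            put_mock_s3_object(self._s3_driver.get_s3_secrets_bucket(), 'aaa',
                               'bbb', REGION)

            # First, check if the Local driver can find the credentials (we don't expect it to)
            assert_false(self._fs_driver.has_credentials(descriptor))

            # Save the credentials using S3 driver
            # NOTE(review): presumably the S3 driver encrypts under KMS_ALIAS before
            # upload; the is_encrypted() assertion below is consistent with that - confirm
            result = self._s3_driver.save_credentials_into_s3(
                descriptor, input_credentials, KMS_ALIAS)
            assert_true(result)

            # We still don't expect the Local driver to find the credentials
            assert_false(self._fs_driver.has_credentials(descriptor))

            # Use S3Driver to warm up the Local driver
            self._s3_driver.load_credentials(descriptor)

            # Now we should be able to get the credentials from the local fs
            assert_true(self._fs_driver.has_credentials(descriptor))
            credentials = self._fs_driver.load_credentials(descriptor)

            assert_is_not_none(credentials)
            # What the local driver hands back is still flagged as encrypted ...
            assert_true(credentials.is_encrypted())

            # ... and the explicit KMS decrypt call returns the original secret
            loaded_creds = json.loads(credentials.get_data_kms_decrypted())

            assert_equal(loaded_creds, creds)
        finally:
            remove_temp_secrets()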
コード例 #4
    def test_save_and_load_credentials_persists_statically(self):
        """LocalFileDriver - Save and Load Credentials - Persists Across Instances

        Credentials saved through one driver must be loadable, still marked as
        encrypted, from a second, separately constructed LocalFileDriver.
        """
        plaintext = 'aaaa'
        name = 'descriptor'

        # NOTE(review): encrypt_with_kms is called here, but no KMS mock decorator is
        # visible on this excerpt - confirm one (e.g. moto's mock_kms) wraps the test
        # so it cannot reach a real AWS KMS key.
        ciphertext = encrypt_with_kms(plaintext, REGION, KMS_ALIAS)

        saved = self._fs_driver.save_credentials(name, Credentials(ciphertext, True, REGION))
        assert_true(saved)

        # A second driver instance; nothing is passed to it from self._fs_driver
        other_driver = LocalFileDriver(REGION, 'service')
        reloaded = other_driver.load_credentials(name)

        assert_is_not_none(reloaded)
        # The reloaded object must still report itself as encrypted ...
        assert_true(reloaded.is_encrypted())
        # ... and the explicit KMS decrypt call returns the original plaintext
        assert_equal(reloaded.get_data_kms_decrypted(), plaintext)
コード例 #5
 def teardown():
     """Teardown hook: invoke the class-level LocalFileDriver.clear()."""
     # NOTE(review): takes no ``self`` - presumably declared @staticmethod above
     # this excerpt; confirm.
     LocalFileDriver.clear()
コード例 #6
 def setup(self):
     """Call LocalFileDriver.clear(), then create the driver under test."""
     # Clearing first means credentials saved by an earlier test are gone
     # before this one runs.
     LocalFileDriver.clear()
     driver = LocalFileDriver(REGION, 'service')
     self._fs_driver = driver
コード例 #7
class TestLocalFileDriver(object):
    """Tests for LocalFileDriver: save, load, clear, and refusal of unencrypted credentials."""

    def setup(self):
        """Call LocalFileDriver.clear(), then build the driver used by each test."""
        LocalFileDriver.clear()
        self._fs_driver = LocalFileDriver(REGION, 'service')

    @staticmethod
    def teardown():
        """Call LocalFileDriver.clear() again so nothing saved by a test is kept."""
        LocalFileDriver.clear()

    def test_save_and_has_credentials(self):
        """LocalFileDriver - Save and Has Credentials"""
        name = 'descriptor'
        assert_false(self._fs_driver.has_credentials(name))

        # Placeholder payload: only the second argument (True) marks it as encrypted.
        # NOTE(review): the save succeeding here suggests the driver trusts that
        # caller-supplied flag rather than inspecting the payload - confirm callers
        # can never set it on plaintext.
        placeholder = Credentials('aaaa', True)
        self._fs_driver.save_credentials(name, placeholder)

        assert_true(self._fs_driver.has_credentials(name))

    @mock_kms
    def test_save_and_load_credentials(self):
        """LocalFileDriver - Save and Load Credentials"""
        plaintext = 'aaaa'
        name = 'descriptor'

        # Encrypted under the mocked KMS (mock_kms decorator above)
        ciphertext = encrypt_with_kms(plaintext, REGION, KMS_ALIAS)

        saved = self._fs_driver.save_credentials(name, Credentials(ciphertext, True, REGION))
        assert_true(saved)

        reloaded = self._fs_driver.load_credentials(name)

        assert_is_not_none(reloaded)
        # Loading returns an object that is still flagged as encrypted; the
        # plaintext comes from the explicit KMS decrypt call
        assert_true(reloaded.is_encrypted())
        assert_equal(reloaded.get_data_kms_decrypted(), plaintext)

    @mock_kms
    def test_save_and_load_credentials_persists_statically(self):
        """LocalFileDriver - Save and Load Credentials - Persists Across Instances"""
        plaintext = 'aaaa'
        name = 'descriptor'

        ciphertext = encrypt_with_kms(plaintext, REGION, KMS_ALIAS)

        saved = self._fs_driver.save_credentials(name, Credentials(ciphertext, True, REGION))
        assert_true(saved)

        # Built with the same arguments as the driver in setup(), but a distinct object
        other_driver = LocalFileDriver(REGION, 'service')
        reloaded = other_driver.load_credentials(name)

        assert_is_not_none(reloaded)
        assert_true(reloaded.is_encrypted())
        assert_equal(reloaded.get_data_kms_decrypted(), plaintext)

    def test_save_errors_on_unencrypted(self):
        """LocalFileDriver - Save Errors on Unencrypted Credentials"""
        name = 'descriptor5'
        plaintext_json = json.dumps({
            'python': 'is very difficult',
            'someone': 'save meeeee',
        })

        # Second argument False: these credentials are declared unencrypted
        unencrypted = Credentials(plaintext_json, False, REGION)

        # save_credentials reports failure with a falsy return rather than raising ...
        assert_false(self._fs_driver.save_credentials(name, unencrypted))
        # ... and nothing may be retrievable under the descriptor afterwards
        assert_false(self._fs_driver.has_credentials(name))

    def test_clear(self):
        """LocalFileDriver - Clear Credentials"""
        name = 'descriptor'

        # Placeholder payload that is only flagged as encrypted
        placeholder = Credentials('aaaa', True, REGION)
        self._fs_driver.save_credentials(name, placeholder)

        # clear() is called on the class, yet the existing instance must see the effect
        LocalFileDriver.clear()

        still_present = self._fs_driver.has_credentials(name)
        assert_false(still_present)
コード例 #8
def test_get_load_credentials_temp_dir():
    """LocalFileDriver - Get Load Credentials Temp Dir

    The final '/'-separated component of the credentials directory must be
    'stream_alert_secrets'.
    """
    # NOTE(review): a fixed directory name is predictable; if it sits under a shared
    # temp location, confirm the driver creates it with owner-only permissions.
    secrets_dir = LocalFileDriver.get_local_credentials_temp_dir()
    last_component = secrets_dir.rsplit('/', 1)[-1]
    assert_equal(last_component, 'stream_alert_secrets')
コード例 #9
ファイル: helpers.py プロジェクト: yutiansut/streamalert
def remove_temp_secrets():
    """Remove local secrets left over from previous runs.

    Thin wrapper that delegates to the class-level LocalFileDriver.clear().
    """
    LocalFileDriver.clear()