def setup(self):
self.kms_mocker = mock_kms()
self.kms_mocker.start()
setup_mock_kms(REGION, KMS_ALIAS)
self._plaintext_payload = 'plaintext credentials'
self._credentials = Credentials(self._plaintext_payload,
is_encrypted=False)
def setup(self):
self._plaintext_payload = 'plaintext credentials'
self._encrypted_payload = encrypt_with_kms(self._plaintext_payload,
REGION, KMS_ALIAS)
self._credentials = Credentials(self._encrypted_payload,
is_encrypted=True,
region=REGION)
class TestCredentialsEmpty:
def setup(self):
self._plaintext_payload = ''
self._credentials = Credentials(self._plaintext_payload,
is_encrypted=False)
def test_encrypt(self):
"""Credentials - Empty Credentials - Encrypt - Does nothing when payload is empty"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_true(self._credentials.is_encrypted())
assert_equal(self._credentials.data(), '')
def test_save_and_has_credentials(self):
"""LocalFileDriver - Save and Has Credentials"""
assert_false(self._fs_driver.has_credentials('descriptor'))
credentials = Credentials('aaaa', True) # pretend it's encrypted
self._fs_driver.save_credentials('descriptor', credentials)
assert_true(self._fs_driver.has_credentials('descriptor'))
class TestCredentialsUnencrypted:
def setup(self):
self._plaintext_payload = 'plaintext credentials'
self._credentials = Credentials(self._plaintext_payload,
is_encrypted=False)
def test_is_encrypted(self):
"""Credentials - Plaintext Credentials - Is Encrypted"""
assert_false(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Plaintext Credentials - Data"""
assert_equal(self._credentials.data(), self._plaintext_payload)
@patch('logging.Logger.error')
def test_get_data_kms_decrypted(self, logging_error):
"""Credentials - Plaintext Credentials - KMS Decrypt"""
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_error.assert_called_with(
'Cannot decrypt Credentials as they are already decrypted')
@mock_kms
def test_encrypt(self):
"""Credentials - Plaintext Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_true(self._credentials.is_encrypted())
assert_equal(self._credentials.data(),
'InBsYWludGV4dCBjcmVkZW50aWFscyI='.encode())
def test_save_and_has_credentials(self):
"""EphemeralUnencryptedDriver - Save and Has Credentials"""
assert_false(self._ep_driver.has_credentials('descriptor'))
credentials = Credentials('aaaa', False)
assert_true(self._ep_driver.save_credentials('descriptor',
credentials))
assert_true(self._ep_driver.has_credentials('descriptor'))
def test_save_errors_on_unencrypted(self):
"""SpooledTempfileDriver - Save Errors on Unencrypted Credentials"""
raw_credentials = 'aaaa'
descriptor = 'descriptor5'
credentials = Credentials(raw_credentials, False)
assert_false(self._sp_driver.save_credentials(descriptor, credentials))
assert_false(self._sp_driver.has_credentials(descriptor))
def test_clear(self):
"""SpooledTempfileDriver - Clear Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', True) # pretend it's encrypted
assert_true(self._sp_driver.save_credentials(descriptor, credentials))
SpooledTempfileDriver.clear()
assert_false(self._sp_driver.has_credentials(descriptor))
def test_save_and_has_credentials(self):
"""SpooledTempfileDriver - Save and Has Credentials"""
assert_false(self._sp_driver.has_credentials('descriptor'))
credentials = Credentials('aaaa',
True) # let's pretend they're encrypted
assert_true(self._sp_driver.save_credentials('descriptor',
credentials))
assert_true(self._sp_driver.has_credentials('descriptor'))
def test_clear(self):
"""EphemeralUnencryptedDriver - Clear Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', False)
self._ep_driver.save_credentials(descriptor, credentials)
EphemeralUnencryptedDriver.clear()
assert_false(self._ep_driver.has_credentials(descriptor))
def test_clear(self):
"""LocalFileDriver - Clear Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', True,
REGION) # pretend it's encrypted
self._fs_driver.save_credentials(descriptor, credentials)
LocalFileDriver.clear()
assert_false(self._fs_driver.has_credentials(descriptor))
def test_save_and_load_credentials(self):
"""EphemeralUnencryptedDriver - Save and Load Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', False)
assert_true(self._ep_driver.save_credentials(descriptor, credentials))
loaded_credentials = self._ep_driver.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_false(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.data(), 'aaaa')
def test_save_errors_on_unencrypted(self):
"""LocalFileDriver - Save Errors on Unencrypted Credentials"""
raw_credentials_dict = {
'python': 'is very difficult',
'someone': 'save meeeee',
}
descriptor = 'descriptor5'
raw_credentials = json.dumps(raw_credentials_dict)
credentials = Credentials(raw_credentials, False, REGION)
assert_false(self._fs_driver.save_credentials(descriptor, credentials))
assert_false(self._fs_driver.has_credentials(descriptor))
def test_save_and_has_credentials(self):
"""SSMDriver - Save and Has Credentials"""
descriptor = 'unit-test'
# Verify Credentials don't already exist
assert_is_none(self._ssm_driver.load_credentials(descriptor))
credentials = Credentials('CREDS', is_encrypted=False)
self._ssm_driver.save_credentials(descriptor, credentials, KMS_ALIAS)
# Verify they saved correctly
result = self._ssm_driver.load_credentials(descriptor)
assert_is_not_none(result)
def test_save_and_load_credentials_persists_statically(self):
"""EphemeralUnencryptedDriver - Save and Load Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', False)
assert_true(self._ep_driver.save_credentials(descriptor, credentials))
driver2 = EphemeralUnencryptedDriver(
'service') # Create a separate, identical driver
loaded_credentials = driver2.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_false(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.data(), 'aaaa')
class TestCredentialsEncrypted:
def setup(self):
self.kms_mocker = mock_kms()
self.kms_mocker.start()
setup_mock_kms(REGION, KMS_ALIAS)
self._plaintext_payload = 'plaintext credentials'
self._encrypted_payload = encrypt_with_kms(self._plaintext_payload,
REGION, KMS_ALIAS)
self._credentials = Credentials(self._encrypted_payload,
is_encrypted=True,
region=REGION)
def teardown(self):
self.kms_mocker.stop()
def test_is_encrypted(self):
"""Credentials - Encrypted Credentials - Is Encrypted"""
assert_true(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Encrypted Credentials - Data"""
assert_equal(self._credentials.data(), self._encrypted_payload)
def test_get_data_kms_decrypted(self):
"""Credentials - Encrypted Credentials - KMS Decrypt"""
decrypted = self._credentials.get_data_kms_decrypted()
assert_equal(decrypted, self._plaintext_payload.encode())
def test_encrypt(self):
"""Credentials - Encrypted Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_equal(self._credentials.data(), self._encrypted_payload)
@patch('boto3.client')
@patch('logging.Logger.exception')
def test_decrypt_kms_error(self, logging_exception, boto3):
"""Credentials - Encrypted Credentials - KMS Decrypt - Errors if KMS Fails to Respond"""
# We pretend that KMS errors out
boto3_client = MagicMock()
boto3.return_value = boto3_client
response = MagicMock()
boto3_client.decrypt.side_effect = ClientError(response, 'kms_decrypt')
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_exception.assert_called_with(
'an error occurred during credentials decryption')
def test_save_and_load_credentials(self):
"""SpooledTempfileDriver - Save and Load Credentials"""
raw_credentials = 'aaaa'
descriptor = 'descriptor'
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True, REGION)
assert_true(self._sp_driver.save_credentials(descriptor, credentials))
loaded_credentials = self._sp_driver.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_true(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.get_data_kms_decrypted(),
raw_credentials.encode())
def test_save_and_load_credentials_persists_statically(self):
"""LocalFileDriver - Save and Load Credentials"""
raw_credentials = 'aaaa'
descriptor = 'descriptor'
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True, REGION)
assert_true(self._fs_driver.save_credentials(descriptor, credentials))
driver2 = LocalFileDriver(
REGION, 'service') # Create a separate, identical driver
loaded_credentials = driver2.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_true(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.get_data_kms_decrypted(),
raw_credentials.encode())
def test_save_automatically_decrypts(self):
"""EphemeralUnencryptedDriver - Save Automatically Decrypts"""
raw_credentials_dict = {
'python': 'is very difficult',
'someone': 'save meeeee',
}
descriptor = 'descriptor5'
raw_credentials = json.dumps(raw_credentials_dict)
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True, REGION)
assert_true(self._ep_driver.save_credentials(descriptor, credentials))
loaded_credentials = self._ep_driver.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_false(loaded_credentials.is_encrypted())
assert_equal(json.loads(loaded_credentials.data()),
raw_credentials_dict)
def test_save_and_load_credentials_persists_statically(self):
"""SpooledTempfileDriver - Save and Load Credentials"""
raw_credentials_dict = {
'python': 'is very difficult',
'someone': 'save meeeee',
}
descriptor = 'descriptor'
raw_credentials = json.dumps(raw_credentials_dict)
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True)
assert_true(self._sp_driver.save_credentials(descriptor, credentials))
driver2 = SpooledTempfileDriver(
'service', REGION) # Create a separate, identical driver
loaded_credentials = driver2.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_true(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.get_data_kms_decrypted(),
raw_credentials.encode())
class TestCredentialsUnencrypted:
def setup(self):
self.kms_mocker = mock_kms()
self.kms_mocker.start()
setup_mock_kms(REGION, KMS_ALIAS)
self._plaintext_payload = 'plaintext credentials'
self._credentials = Credentials(self._plaintext_payload,
is_encrypted=False)
def teardown(self):
self.kms_mocker.stop()
def test_is_encrypted(self):
"""Credentials - Plaintext Credentials - Is Encrypted"""
assert_false(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Plaintext Credentials - Data"""
assert_equal(self._credentials.data(), self._plaintext_payload)
@patch('logging.Logger.error')
def test_get_data_kms_decrypted(self, logging_error):
"""Credentials - Plaintext Credentials - KMS Decrypt"""
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_error.assert_called_with(
'Cannot decrypt Credentials as they are already decrypted')
def test_encrypt(self):
"""Credentials - Plaintext Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_true(self._credentials.is_encrypted())
# moto changed from simply base64 encoding data to actually
# doing proper encryption/decryption. See here:
# https://github.com/earlrob/moto/commit/98581b9196768ad8d5eaa1e02ca744c0c3b2098e
assert_not_equal(self._credentials.data(), 'plaintext credentials')
def setup(self):
self._plaintext_payload = 'plaintext credentials'
self._credentials = Credentials(self._plaintext_payload,
is_encrypted=False)