def generate_asymmetric_encryption_keys(self, meta, content_type, tenant, kek_repo): """Delegates generating a asymmteric keys to the first supported plugin based on `meta`. meta will provide extra information to help key generation. Based on passpharse in meta this method will return a tuple with two/three objects. Note that this key can be used by clients for their encryption processes. This generated key is then be encrypted via the plug-in key encryption process, and that encrypted datum is then returned from this method. """ encrypting_plugin = \ self._determine_crypto_plugin(meta.algorithm, meta.bit_length, meta.passphrase) kek_datum, kek_meta_dto = self._find_or_create_kek_objects( encrypting_plugin, tenant, kek_repo) generate_dto = plugin_mod.GenerateDTO(meta.algorithm, meta.bit_length, None, meta.passphrase) # generate the secret. private_key_dto, public_key_dto, passwd_dto = \ encrypting_plugin.generate_asymmetric( generate_dto, kek_meta_dto, tenant.keystone_id) # Create an encrypted datum instances for each secret type # and add the created cypher text. priv_datum = models.EncryptedDatum(None, kek_datum) priv_datum.content_type = content_type priv_datum.cypher_text = base64.b64encode(private_key_dto.cypher_text) priv_datum.kek_meta_extended = private_key_dto.kek_meta_extended public_datum = models.EncryptedDatum(None, kek_datum) public_datum.content_type = content_type public_datum.cypher_text = base64.b64encode(public_key_dto.cypher_text) public_datum.kek_meta_extended = public_key_dto.kek_meta_extended passwd_datum = None if passwd_dto: passwd_datum = models.EncryptedDatum(None, kek_datum) passwd_datum.content_type = content_type passwd_datum.cypher_text = base64.b64encode(passwd_dto.cypher_text) passwd_datum.kek_meta_extended = \ passwd_dto.kek_meta_extended return (priv_datum, public_datum, passwd_datum)
def setUp(self): super(WhenTestingAugmentFieldsWithContentTypes, self).setUp() self.secret = models.Secret({}) self.secret.secret_id = "secret#1" self.datum = models.EncryptedDatum(self.secret) self.secret.encrypted_data = [self.datum]
def create_encrypted_datum(secret=None, kek_datum=None, session=None): enc_datum = models.EncryptedDatum() enc_datum.secret_id = secret.id enc_datum.kek_id = kek_datum.id enc_datum_repo = repositories.get_encrypted_datum_repository() enc_datum_repo.create_from(enc_datum, session=session) return enc_datum
def generate_symmetric_encryption_key(self, secret, content_type, tenant, kek_repo): """Delegates generating a key to the first supported plugin. Note that this key can be used by clients for their encryption processes. This generated key is then be encrypted via the plug-in key encryption process, and that encrypted datum is then returned from this method. """ encrypting_plugin = \ self._determine_crypto_plugin(secret.algorithm, secret.bit_length, secret.mode) kek_datum, kek_meta_dto = self._find_or_create_kek_objects( encrypting_plugin, tenant, kek_repo) # Create an encrypted datum instance and add the created cypher text. datum = models.EncryptedDatum(secret, kek_datum) datum.content_type = content_type generate_dto = plugin_mod.GenerateDTO(secret.algorithm, secret.bit_length, secret.mode, None) # Create the encrypted meta. response_dto = encrypting_plugin.generate_symmetric( generate_dto, kek_meta_dto, tenant.keystone_id) # Convert binary data into a text-based format. # TODO(jwood) Figure out by storing binary (BYTEA) data in Postgres # isn't working. datum.cypher_text = base64.b64encode(response_dto.cypher_text) datum.kek_meta_extended = response_dto.kek_meta_extended return datum
def setUp(self): self.tenant_id = 'tenantid1234' self.keystone_id = 'keystone1234' self.name = 'name1234' self.mime_type = 'text/plain' secret_id = "idsecret1" datum_id = "iddatum1" self.secret_algorithm = "algo" self.secret_bit_length = 512 self.secret_cypher_type = "cytype" self.datum = models.EncryptedDatum() self.datum.id = datum_id self.datum.secret_id = secret_id self.datum.mime_type = self.mime_type self.datum.cypher_text = "cypher_text" self.datum.kek_metadata = "kekedata" self.secret = create_secret(self.mime_type, id=secret_id, name=self.name, algorithm=self.secret_algorithm, bit_length=self.secret_bit_length, cypher_type=self.secret_cypher_type, encrypted_datum=self.datum) self.tenant = models.Tenant() self.tenant.id = self.tenant_id self.keystone_id = self.keystone_id self.tenant_repo = MagicMock() self.tenant_repo.get.return_value = self.tenant self.secret_repo = MagicMock() self.secret_repo.get.return_value = self.secret self.secret_repo.delete_entity_by_id.return_value = None self.tenant_secret_repo = MagicMock() self.tenant_secret_repo.create_from.return_value = None self.datum_repo = MagicMock() self.datum_repo.create_from.return_value = None self.policy = MagicMock() self.req = MagicMock() self.req.accept = 'application/json' self.resp = MagicMock() self.conf = MagicMock() self.conf.crypto.namespace = 'barbican.test.crypto.plugin' self.conf.crypto.enabled_crypto_plugins = ['test_crypto'] self.crypto_mgr = CryptoExtensionManager(conf=self.conf) self.policy = MagicMock() self.resource = res.SecretResource(self.crypto_mgr, self.tenant_repo, self.secret_repo, self.tenant_secret_repo, self.datum_repo, self.policy)
def setUp(self): super(TestSecretStoreBase, self).setUp() self.patchers = [] # List of patchers utilized in this test class. self.project_id = '12345' self.content_type = 'application/octet-stream' self.content_encoding = 'base64' self.secret = base64.b64encode(b'secret') self.decrypted_secret = b'decrypted_secret' self.cypher_text = b'cypher_text' self.kek_meta_extended = 'kek-meta-extended' self.spec_aes = secret_store.KeySpec('AES', 64, 'CBC') self.spec_rsa = secret_store.KeySpec('RSA', 1024, passphrase='changeit') self.project_model = mock.MagicMock() self.project_model.id = 'project-model-id' self.project_model.external_id = self.project_id self.secret_dto = secret_store.SecretDTO( secret_store.SecretType.OPAQUE, self.secret, secret_store.KeySpec(), self.content_type) self.response_dto = base.ResponseDTO( self.cypher_text, kek_meta_extended=self.kek_meta_extended) self.private_key_dto = base.ResponseDTO(self.cypher_text) self.public_key_dto = base.ResponseDTO(self.cypher_text) self.passphrase_dto = base.ResponseDTO(self.cypher_text) self.kek_meta_project_model = models.KEKDatum() self.kek_meta_project_model.plugin_name = 'plugin-name' self.kek_meta_project_model.kek_label = 'kek-meta-label' self.kek_meta_project_model.algorithm = 'kek-meta-algo' self.kek_meta_project_model.bit_length = 1024 self.kek_meta_project_model.mode = 'kek=meta-mode' self.kek_meta_project_model.plugin_meta = 'kek-meta-plugin-meta' self.encrypted_datum_model = models.EncryptedDatum() self.encrypted_datum_model.kek_meta_project = ( self.kek_meta_project_model) self.encrypted_datum_model.cypher_text = base64.b64encode( b'cypher_text') self.encrypted_datum_model.content_type = 'content_type' self.encrypted_datum_model.kek_meta_extended = 'extended_meta' self.secret_model = models.Secret({ 'algorithm': 'myalg', 'bit_length': 1024, 'mode': 'mymode' }) self.secret_model.id = 'secret-model-id' self.secret_model.encrypted_data = [self.encrypted_datum_model] self.context = store_crypto.StoreCryptoContext( secret_model=self.secret_model, project_model=self.project_model, content_type=self.content_type)
def _store_secret_and_datum(context, secret_model, kek_datum_model, generated_dto): # Create Secret entities in data store. if not secret_model.id: secret_model.project_id = context.project_model.id repositories.get_secret_repository().create_from(secret_model) # setup and store encrypted datum datum_model = models.EncryptedDatum(secret_model, kek_datum_model) datum_model.content_type = context.content_type datum_model.cypher_text = base64.b64encode(generated_dto.cypher_text) datum_model.kek_meta_extended = generated_dto.kek_meta_extended repositories.get_encrypted_datum_repository().create_from(datum_model)
def encrypt(self, unencrypted, content_type, content_encoding, secret, tenant, kek_repo, enforce_text_only=False): """Delegates encryption to first plugin that supports it.""" if len(self.extensions) < 1: raise CryptoPluginNotFound() for ext in self.extensions: if ext.obj.supports(plugin_mod.PluginSupportTypes.ENCRYPT_DECRYPT): encrypting_plugin = ext.obj break else: raise CryptoSupportedPluginNotFound() unencrypted, content_type = normalize_before_encryption( unencrypted, content_type, content_encoding, enforce_text_only=enforce_text_only) # Find or create a key encryption key metadata. kek_datum, kek_meta_dto = self._find_or_create_kek_objects( encrypting_plugin, tenant, kek_repo) encrypt_dto = plugin_mod.EncryptDTO(unencrypted) # Create an encrypted datum instance and add the encrypted cypher text. datum = models.EncryptedDatum(secret, kek_datum) datum.content_type = content_type response_dto = encrypting_plugin.encrypt(encrypt_dto, kek_meta_dto, tenant.keystone_id) datum.cypher_text = response_dto.cypher_text datum.kek_meta_extended = response_dto.kek_meta_extended # Convert binary data into a text-based format. #TODO(jwood) Figure out by storing binary (BYTEA) data in Postgres # isn't working. datum.cypher_text = base64.b64encode(datum.cypher_text) return datum
def _store_secret_and_datum(context, secret_model, kek_datum_model, generated_dto): # Create Secret entities in data store. if not secret_model.id: repositories.get_secret_repository().create_from(secret_model) new_assoc = models.ProjectSecret() new_assoc.project_id = context.project_model.id new_assoc.secret_id = secret_model.id new_assoc.role = "admin" new_assoc.status = models.States.ACTIVE repositories.get_project_secret_repository().create_from(new_assoc) # setup and store encrypted datum datum_model = models.EncryptedDatum(secret_model, kek_datum_model) datum_model.content_type = context.content_type datum_model.cypher_text = base64.b64encode(generated_dto.cypher_text) datum_model.kek_meta_extended = generated_dto.kek_meta_extended datum_model.secret_id = secret_model.id repositories.get_encrypted_datum_repository().create_from(datum_model)
def setUp(self): self.secret = models.Secret({}) self.secret.secret_id = "secret#1" self.datum = models.EncryptedDatum(self.secret) self.secret.encrypted_data = [self.datum]
def _init(self): self.project_id = 'projectid1234' self.external_project_id = 'keystone1234' self.name = 'name1234' secret_id = utils.generate_test_valid_uuid() datum_id = "iddatum1" kek_id = "idkek1" self.secret_algorithm = "AES" self.secret_bit_length = 256 self.secret_mode = "CBC" self.kek_project = models.KEKDatum() self.kek_project.id = kek_id self.kek_project.active = True self.kek_project.bind_completed = False self.kek_project.kek_label = "kek_label" self.datum = models.EncryptedDatum() self.datum.id = datum_id self.datum.secret_id = secret_id self.datum.kek_id = kek_id self.datum.kek_meta_project = self.kek_project self.datum.content_type = "text/plain" self.datum.cypher_text = "aaaa" # base64 value. self.secret = create_secret(id_ref=secret_id, name=self.name, algorithm=self.secret_algorithm, bit_length=self.secret_bit_length, mode=self.secret_mode, encrypted_datum=self.datum, content_type=self.datum.content_type) self.secret.secret_acls = [] self.secret.project = mock.MagicMock() self.secret.project.external_id = self.external_project_id # Set up mocked project self.project = models.Project() self.project.id = self.project_id self.project.external_id = self.external_project_id # Set up mocked project repo self.project_repo = mock.MagicMock() self.project_repo.get.return_value = self.project self.project_repo.find_by_external_project_id.return_value = ( self.project) self.setup_project_repository_mock(self.project_repo) # Set up mocked secret repo self.secret_repo = mock.Mock() self.secret_repo.get = mock.Mock(return_value=self.secret) self.secret_repo.get_secret_by_id = mock.Mock(return_value=self.secret) self.secret_repo.delete_entity_by_id = mock.Mock(return_value=None) self.setup_secret_repository_mock(self.secret_repo) # Set up mocked encrypted datum repo self.datum_repo = mock.MagicMock() self.datum_repo.create_from.return_value = None self.setup_encrypted_datum_repository_mock(self.datum_repo) # Set up mocked kek datum repo self.setup_kek_datum_repository_mock() # Set up mocked secret meta repo self.secret_meta_repo = mock.MagicMock() self.secret_meta_repo.get_metadata_for_secret.return_value = None self.setup_secret_meta_repository_mock(self.secret_meta_repo) # Set up mocked transport key self.transport_key_model = models.TransportKey("default_plugin", "my transport key") # Set up mocked transport key repo self.transport_key_repo = mock.MagicMock() self.transport_key_repo.get.return_value = self.transport_key_model self.setup_transport_key_repository_mock(self.transport_key_repo) self.transport_key_id = 'tkey12345'
def _do_create_instance(self): return models.EncryptedDatum()