def _get_mocked_kek_meta_dto(self):
# For SimpleCryptoPlugin, per-project KEKs are stored in
# kek_meta_dto.plugin_meta. SimpleCryptoPlugin does a get-or-create
# on the plugin_meta field, so plugin_meta should be None initially.
kek_meta_dto = plugin.KEKMetaDTO(mock.MagicMock())
kek_meta_dto.plugin_meta = None
return self.plugin.bind_kek_metadata(kek_meta_dto)
def get_secret(self, secret_metadata, context):
"""Retrieve a secret.
:param secret_metadata: secret metadata
:param context: StoreCryptoContext for secret
:returns: SecretDTO that contains secret
"""
if (not context.secret_model
or not context.secret_model.encrypted_data):
raise sstore.SecretNotFoundException()
# TODO(john-wood-w) Need to revisit 1 to many datum relationship.
datum_model = context.secret_model.encrypted_data[0]
# Find HSM-style 'crypto' plugin.
decrypting_plugin = manager.get_manager().get_plugin_retrieve(
datum_model.kek_meta_project.plugin_name)
# wrap the KEKDatum instance in our DTO
kek_meta_dto = crypto.KEKMetaDTO(datum_model.kek_meta_project)
# Convert from text-based storage format to binary.
encrypted = base64.b64decode(datum_model.cypher_text)
decrypt_dto = crypto.DecryptDTO(encrypted)
# Decrypt the secret.
secret = decrypting_plugin.decrypt(decrypt_dto, kek_meta_dto,
datum_model.kek_meta_extended,
context.project_model.external_id)
key_spec = sstore.KeySpec(alg=context.secret_model.algorithm,
bit_length=context.secret_model.bit_length,
mode=context.secret_model.mode)
return sstore.SecretDTO(sstore.SecretType.SYMMETRIC, secret, key_spec,
datum_model.content_type)
def test_bind_kek_metadata_without_existing_key(self):
with mock.patch.object(self.plugin.pkcs11, 'generate_wrapped_kek'):
kek_datum = models.KEKDatum()
dto = plugin_import.KEKMetaDTO(kek_datum)
dto = self.plugin.bind_kek_metadata(dto)
self.assertEqual(dto.algorithm, "AES")
self.assertEqual(dto.bit_length, 256)
self.assertEqual(dto.mode, "CBC")
def test_bind_kek_metadata_with_existing_key(self):
kek_datum = models.KEKDatum()
dto = plugin_import.KEKMetaDTO(kek_datum)
dto.plugin_meta = '{}'
dto = self.plugin.bind_kek_metadata(dto)
self.assertEqual(self.pkcs11.generate_key.call_count, 0)
self.assertEqual(self.pkcs11.wrap_key.call_count, 0)
self.assertEqual(self.pkcs11.compute_hmac.call_count, 0)
def test_bind_kek_metadata_without_existing_key(self):
kek_datum = models.KEKDatum()
dto = plugin_import.KEKMetaDTO(kek_datum)
dto = self.plugin.bind_kek_metadata(dto)
self.assertEqual(dto.algorithm, 'AES')
self.assertEqual(dto.bit_length, 256)
self.assertEqual(dto.mode, 'CBC')
self.assertEqual(self.pkcs11.get_key_handle.call_count, 2)
self.assertEqual(self.pkcs11.generate_key.call_count, 1)
self.assertEqual(self.pkcs11.wrap_key.call_count, 1)
self.assertEqual(self.pkcs11.compute_hmac.call_count, 1)
def test_bind_operation(self):
kek_meta_dto = crypto.KEKMetaDTO(self.kek_meta_project_model)
self.kek_meta_project_model.bind_completed = False
store_crypto._indicate_bind_completed(kek_meta_dto,
self.kek_meta_project_model)
self.assertTrue(self.kek_meta_project_model.bind_completed)
self.assertEqual(self.kek_meta_project_model.algorithm,
kek_meta_dto.algorithm)
self.assertEqual(self.kek_meta_project_model.bit_length,
kek_meta_dto.bit_length)
self.assertEqual(self.kek_meta_project_model.mode, kek_meta_dto.mode)
self.assertEqual(self.kek_meta_project_model.plugin_meta,
kek_meta_dto.plugin_meta)
def _find_or_create_kek_objects(plugin_inst, project_model):
kek_repo = repositories.get_kek_datum_repository()
# Find or create a key encryption key.
full_plugin_name = utils.generate_fullname_for(plugin_inst)
kek_datum_model = kek_repo.find_or_create_kek_datum(
project_model, full_plugin_name)
# Bind to the plugin's key management.
# TODO(jwood): Does this need to be in a critical section? Should the
# bind operation just be declared idempotent in the plugin contract?
kek_meta_dto = crypto.KEKMetaDTO(kek_datum_model)
if not kek_datum_model.bind_completed:
kek_meta_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
# By contract, enforce that plugins return a
# (typically modified) DTO.
if kek_meta_dto is None:
raise crypto.CryptoKEKBindingException(full_plugin_name)
_indicate_bind_completed(kek_meta_dto, kek_datum_model)
kek_repo.save(kek_datum_model)
return kek_datum_model, kek_meta_dto
