def test_generate_symmetric_key_return_value(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128,
'mode')
return_value = self.secret_store.generate_symmetric_key(key_spec)
expected = {kss.KMIPSecretStore.KEY_UUID: self.symmetric_key_uuid}
self.assertEqual(expected, return_value)
def test_generate_asymmetric_key_assert_called(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048,
'mode')
self.secret_store.generate_asymmetric_key(key_spec)
self.secret_store.client.proxy.create_key_pair.assert_called_once_with(
common_template_attribute=mock.ANY)
def test_generate_symmetric_key_assert_called(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128,
'mode')
self.secret_store.generate_symmetric_key(key_spec)
self.secret_store.client.proxy.create.assert_called_once_with(
enums.ObjectType.SYMMETRIC_KEY, mock.ANY)
def test_generate_asymmetric_key_assert_called(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA,
2048, 'mode')
self.secret_store.generate_asymmetric_key(key_spec)
self.secret_store.client.create_key_pair.assert_called_once_with(
enums.CryptographicAlgorithm.RSA,
2048)
def test_get_generate_supported_plugin(self):
plugin = TestSecretStore([str.KeyAlgorithm.AES])
plugin_mock = mock.MagicMock(obj=plugin)
self.manager.extensions = [plugin_mock]
keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128)
self.assertEqual(plugin,
self.manager.get_plugin_generate(keySpec))
def test_generate_symmetric_key_raises_exception(self):
key_spec = ss.KeySpec(ss.KeyAlgorithm.AES, 128)
self.plugin.key_manager.create_key.side_effect = exception.Forbidden()
self.assertRaises(
ss.SecretGeneralException,
self.plugin.generate_symmetric_key,
key_spec
)
def test_get_generate_no_plugin_found(self):
self.manager.extensions = []
keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128)
self.assertRaises(
str.SecretStorePluginsNotConfigured,
self.manager.get_plugin_generate,
keySpec,
)
def test_generate_asymmetric_key_error_opening_connection(self):
self.secret_store.client.proxy.open = mock.Mock(
side_effect=socket.error)
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048,
'mode')
self.assertRaises(secret_store.SecretGeneralException,
self.secret_store.generate_asymmetric_key, key_spec)
def test_generate_symmetric_key_assert_called(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128,
'mode')
self.secret_store.generate_symmetric_key(key_spec)
self.secret_store.client.create.assert_called_once_with(
object_type=enums.ObjectType.SYMMETRIC_KEY,
template_attribute=mock.ANY,
credential=self.credential)
def test_generate_symmetric_key_error_opening_connection(self):
self.secret_store.client.open.side_effect = Exception
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES,
128, 'mode')
self.assertRaises(
secret_store.SecretGeneralException,
self.secret_store.generate_symmetric_key,
key_spec)
def generate_asymmetric_secret(spec, content_type, project_model):
"""Generate an asymmetric secret and store into a secure backend."""
# Locate a suitable plugin to store the secret.
key_spec = secret_store.KeySpec(alg=spec.get('algorithm'),
bit_length=spec.get('bit_length'),
passphrase=spec.get('passphrase'))
plugin_manager = secret_store.get_manager()
generate_plugin = plugin_manager.get_plugin_generate(key_spec)
# Create secret models to eventually save metadata to.
private_secret_model = models.Secret(spec)
private_secret_model['secret_type'] = secret_store.SecretType.PRIVATE
public_secret_model = models.Secret(spec)
public_secret_model['secret_type'] = secret_store.SecretType.PUBLIC
passphrase_secret_model = (models.Secret(spec)
if spec.get('passphrase') else None)
if passphrase_secret_model:
passphrase_type = secret_store.SecretType.PASSPHRASE
passphrase_secret_model['secret_type'] = passphrase_type
asymmetric_meta_dto = _generate_asymmetric_key(
generate_plugin,
key_spec,
private_secret_model,
public_secret_model,
passphrase_secret_model,
project_model,
content_type
)
_save_secret_in_repo(private_secret_model, project_model)
_save_secret_metadata_in_repo(private_secret_model,
asymmetric_meta_dto.private_key_meta,
generate_plugin,
content_type)
_save_secret_in_repo(public_secret_model, project_model)
_save_secret_metadata_in_repo(public_secret_model,
asymmetric_meta_dto.public_key_meta,
generate_plugin,
content_type)
if passphrase_secret_model:
_save_secret_in_repo(passphrase_secret_model, project_model)
_save_secret_metadata_in_repo(passphrase_secret_model,
asymmetric_meta_dto.passphrase_meta,
generate_plugin,
content_type)
container_model = _create_container_for_asymmetric_secret(spec,
project_model)
_save_asymmetric_secret_in_repo(
container_model, private_secret_model, public_secret_model,
passphrase_secret_model)
return container_model
def test_generate_asymmetric_key_server_error_occurs(self):
self.secret_store.client.create_key_pair.side_effect = Exception
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA,
2048, 'mode')
self.assertRaises(
secret_store.SecretGeneralException,
self.secret_store.generate_asymmetric_key,
key_spec)
def test_generate_asymmetric_key(self):
key_spec = sstore.KeySpec(sstore.KeyAlgorithm.RSA, 2048)
self.plugin.generate_asymmetric_key(key_spec)
self.keyclient_mock.generate_asymmetric_key.assert_called_once_with(
mock.ANY,
sstore.KeyAlgorithm.RSA.upper(),
2048,
mock.ANY)
def test_generate_symmetric_key(self):
key_spec = ss.KeySpec(ss.KeyAlgorithm.AES, 128)
response = self.plugin.generate_symmetric_key(key_spec)
self.plugin.key_manager.create_key.assert_called_once_with(
mock.ANY, ss.KeyAlgorithm.AES, 128)
expected_response = {css.CastellanSecretStore.KEY_ID: key_ref1}
self.assertEqual(response, expected_response)
def test_store_secret_valid_algorithm_invalid_bit_length(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 56,
'mode')
secret_dto = secret_store.SecretDTO(secret_store.SecretType.SYMMETRIC,
"AAAA",
key_spec,
'content_type',
transport_key=None)
self.assertRaises(secret_store.SecretAlgorithmNotSupportedException,
self.secret_store.store_secret, secret_dto)
def test_get_generate_no_supported_plugin(self):
plugin = TestSecretStore([])
plugin_mock = mock.MagicMock(obj=plugin)
self.manager.extensions = [plugin_mock]
keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128)
self.assertRaises(
str.SecretGenerateSupportedPluginNotFound,
self.manager.get_plugin_generate,
keySpec,
)
def test_generate_symmetric_key_error_occurs(self):
self.secret_store.client.create = mock.create_autospec(
proxy.KMIPProxy.create,
return_value=results.CreateResult(
contents.ResultStatus(enums.ResultStatus.OPERATION_FAILED)))
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128,
'mode')
self.assertRaises(secret_store.SecretGeneralException,
self.secret_store.generate_symmetric_key, key_spec)
def test_generate_asymmetric_throws_exception(self):
key_spec = ss.KeySpec(ss.KeyAlgorithm.RSA, 2048)
self.plugin.key_manager.create_key_pair.side_effect = (
exception.Forbidden()
)
self.assertRaises(
ss.SecretGeneralException,
self.plugin.generate_asymmetric_key,
key_spec
)
def test_store_certificate_secret_return_value(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048)
secret_dto = secret_store.SecretDTO(
secret_store.SecretType.CERTIFICATE,
base64.b64encode(keys.get_certificate_pem()), key_spec,
'content_type')
return_value = self.secret_store.store_secret(secret_dto)
expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'}
self.assertEqual(expected, return_value)
def test_generate_asymmetric_key_server_error_occurs(self):
self.secret_store.client.create_key_pair = mock.MagicMock(
proxy.KMIPProxy().create_key_pair,
return_value=results.CreateKeyPairResult(
contents.ResultStatus(enums.ResultStatus.OPERATION_FAILED)))
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048,
'mode')
self.assertRaises(secret_store.SecretGeneralException,
self.secret_store.generate_asymmetric_key, key_spec)
def store_secret(unencrypted_raw,
content_type_raw,
content_encoding,
secret_model,
project_model,
transport_key_needed=False,
transport_key_id=None):
"""Store a provided secret into secure backend."""
if _secret_already_has_stored_data(secret_model):
raise ValueError('Secret already has encrypted data stored for it.')
# Create a KeySpec to find a plugin that will support storing the secret
key_spec = secret_store.KeySpec(alg=secret_model.algorithm,
bit_length=secret_model.bit_length,
mode=secret_model.mode)
# If there is no secret data to store, then just create Secret entity and
# leave. A subsequent call to this method should provide both the Secret
# entity created here *and* the secret data to store into it.
if not unencrypted_raw:
key_model = _get_transport_key_model(key_spec,
transport_key_needed,
project_id=project_model.id)
_save_secret_in_repo(secret_model, project_model)
return secret_model, key_model
plugin_name, transport_key = _get_plugin_name_and_transport_key(
transport_key_id)
unencrypted, content_type = tr.normalize_before_encryption(
unencrypted_raw,
content_type_raw,
content_encoding,
secret_model.secret_type,
enforce_text_only=True)
plugin_manager = secret_store.get_manager()
store_plugin = plugin_manager.get_plugin_store(key_spec=key_spec,
plugin_name=plugin_name,
project_id=project_model.id)
secret_dto = secret_store.SecretDTO(type=secret_model.secret_type,
secret=unencrypted,
key_spec=key_spec,
content_type=content_type,
transport_key=transport_key)
secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
secret_model, project_model)
_save_secret_in_repo(secret_model, project_model)
_save_secret_metadata_in_repo(secret_model, secret_metadata, store_plugin,
content_type)
return secret_model, None
def _get_barbican_secret(self, managed_object, secret_type):
object_type = managed_object.object_type
secret = managed_object.value
if (object_type == enums.ObjectType.SYMMETRIC_KEY
or object_type == enums.ObjectType.PRIVATE_KEY
or object_type == enums.ObjectType.PUBLIC_KEY):
algorithm = self.kmip_barbican_alg_map[
managed_object.cryptographic_algorithm]
length = managed_object.cryptographic_length
key_spec = ss.KeySpec(algorithm, length)
else:
key_spec = ss.KeySpec()
secret = self._denormalize_secret(secret, secret_type)
secret_dto = ss.SecretDTO(secret_type,
secret,
key_spec,
content_type=None,
transport_key=None)
return secret_dto
def test_get_store_plugin_with_no_tkey_and_supports_storage(self):
plugin = TestSecretStore([str.KeyAlgorithm.AES])
plugin_mock = mock.MagicMock(obj=plugin)
self.manager.extensions = [plugin_mock]
keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128)
self.assertRaises(
str.SecretStoreSupportedPluginNotFound,
self.manager.get_plugin_store,
key_spec=keySpec,
transport_key_needed=True,
)
def test_generate_supports(self):
"""test generate_supports."""
# False return if KeySpec == None
self.assertFalse(self.plugin_to_test.generate_supports(None))
# AES KeySpec should be supported.
key_spec = secret_store.KeySpec(alg='AES', bit_length=64, mode='CBC')
self.assertTrue(self.plugin_to_test.generate_supports(key_spec))
key_spec = secret_store.KeySpec(alg='aes', bit_length=64, mode='CBC')
self.assertTrue(self.plugin_to_test.generate_supports(key_spec))
# RSA KeySpec should be supported.
key_spec = secret_store.KeySpec(alg='RSA', bit_length=2048)
self.assertTrue(self.plugin_to_test.generate_supports(key_spec))
# Camellia KeySpec should not be supported.
self.key_spec = secret_store.KeySpec('Camellia', 64)
self.assertFalse(self.plugin_to_test.generate_supports(self.key_spec))
# Bogus KeySpec should not be supported.
key_spec = secret_store.KeySpec(alg='bogus', bit_length=2048)
self.assertFalse(self.plugin_to_test.generate_supports(key_spec))
def test_get_store_plugin_with_tkey_and_supports_storage(self):
plugin1 = TestSecretStore([str.KeyAlgorithm.AES])
plugin1_mock = mock.MagicMock(obj=plugin1)
plugin2 = TestSecretStoreWithTransportKey([str.KeyAlgorithm.AES])
plugin2_mock = mock.MagicMock(obj=plugin2)
self.manager.extensions = [plugin1_mock, plugin2_mock]
keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128)
self.assertEqual(
plugin2,
self.manager.get_plugin_store(key_spec=keySpec,
transport_key_needed=True))
def test_store_passphrase_secret_assert_called(self):
key_spec = secret_store.KeySpec(None, None, None)
passphrase = base64.b64encode(b"supersecretpassphrase")
secret_dto = secret_store.SecretDTO(secret_store.SecretType.PASSPHRASE,
passphrase,
key_spec,
'content_type',
transport_key=None)
self.secret_store.store_secret(secret_dto)
self.secret_store.client.register.assert_called_once_with(
objects.SecretData(base64.b64decode(passphrase),
enums.SecretDataType.PASSWORD))
def test_store_passphrase_secret_return_value(self):
key_spec = secret_store.KeySpec(None, None, None)
passphrase = b"supersecretpassphrase"
secret_dto = secret_store.SecretDTO(secret_store.SecretType.PASSPHRASE,
base64.b64encode(passphrase),
key_spec,
'content_type',
transport_key=None)
return_value = self.secret_store.store_secret(secret_dto)
expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'}
self.assertEqual(expected, return_value)
def test_store_asymmetric_key_secret_return_value(self, barbican_type,
barbican_key,
pkcs1_only):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048)
secret_dto = secret_store.SecretDTO(barbican_type,
base64.b64encode(barbican_key),
key_spec, 'content_type')
self.secret_store.pkcs1_only = pkcs1_only
return_value = self.secret_store.store_secret(secret_dto)
expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'}
self.assertEqual(expected, return_value)
def test_store_opaque_secret_return_value(self):
key_spec = secret_store.KeySpec(None, None, None)
opaque = b'\x00\x01\x02\x03\x04\x05\x06\x07'
secret_dto = secret_store.SecretDTO(secret_store.SecretType.OPAQUE,
base64.b64encode(opaque),
key_spec,
'content_type',
transport_key=None)
return_value = self.secret_store.store_secret(secret_dto)
expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'}
self.assertEqual(expected, return_value)
def test_store_opaque_secret_assert_called(self):
key_spec = secret_store.KeySpec(None, None, None)
opaque = base64.b64encode(b'\x00\x01\x02\x03\x04\x05\x06\x07')
secret_dto = secret_store.SecretDTO(secret_store.SecretType.OPAQUE,
opaque,
key_spec,
'content_type',
transport_key=None)
self.secret_store.store_secret(secret_dto)
self.secret_store.client.register.assert_called_once_with(
objects.OpaqueObject(base64.b64decode(opaque),
enums.OpaqueDataType.NONE))
