def test(): from custodia.compat import configparser from custodia.log import setup_logging from .interface import IPA_SECTIONNAME parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation() ) parser.read_string(u""" [auth:ipa] handler = IPAInterface [store:ipa_vault] handler = IPAVault """) setup_logging(debug=True, auditfile=None) config = { 'authenticators': { 'ipa': IPAInterface(parser, IPA_SECTIONNAME) } } v = IPAVault(parser, 'store:ipa_vault') v.finalize_init(config, parser, None) v.set('foo', 'bar', replace=True) print(v.get('foo')) print(v.list()) v.cut('foo') print(v.list())
def setUpClass(cls): cls.tmpdir = tempfile.mkdtemp() cls.parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation(), defaults={'tmpdir': cls.tmpdir}) cls.parser.read_string(CONFIG) cls.backing_store = SqliteStore(cls.parser, 'store:teststore')
def generate_all_keys(custodia_conf): parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation()) with open(custodia_conf) as f: parser.read_file(f) filename = parser.get('store:encgen', 'master_key') key = jwk.JWK(generate='oct', size=256) with open(filename, 'w+') as keyfile: keyfile.write(key.export()) store = SqliteStore(parser, 'store:simple') srv_kid = "srvkid" cli_kid = "clikid" ss_key = jwk.JWK(generate='RSA', kid=srv_kid, use="sig") se_key = jwk.JWK(generate='RSA', kid=srv_kid, use="enc") store.set('kemkeys/sig/%s' % srv_kid, ss_key.export()) store.set('kemkeys/enc/%s' % srv_kid, se_key.export()) cs_key = jwk.JWK(generate='RSA', kid=cli_kid, use="sig") ce_key = jwk.JWK(generate='RSA', kid=cli_kid, use="enc") store.set('kemkeys/sig/%s' % cli_kid, cs_key.export_public()) store.set('kemkeys/enc/%s' % cli_kid, ce_key.export_public()) return ([ss_key.export_public(), se_key.export_public()], [cs_key.export(), ce_key.export()])
def test(): from custodia.compat import configparser from custodia.log import setup_logging from .interface import IPA_SECTIONNAME from .vault import IPAVault parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation()) parser.read_string(u""" [auth:ipa] handler = IPAInterface [store:ipa_vault] handler = IPAVault [store:ipa_certreq] handler = IPAVault backing_store = ipa_vault """) setup_logging(debug=True, auditfile=None) config = {'authenticators': {'ipa': IPAInterface(parser, IPA_SECTIONNAME)}} vault = IPAVault(parser, 'store:ipa_vault') vault.finalize_init(config, parser, None) s = IPACertRequest(parser, 'store:ipa_certreq') s.store = vault s.finalize_init(config, parser, None) print(s.get('keys/HTTP/client1.ipa.example')) print(s.get('keys/HTTP/client1.ipa.example')) print(s.cut('keys/HTTP/client1.ipa.example'))
def setup_method(self, method): self.parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation(), ) self.parser.read_string(CONFIG) # config self.config = { 'debug': False, 'authenticators': {}, 'stores': {}, } # mocked ipalib.api self.p_api = mock.patch('ipalib.api', autospec=ipalib.api) self.m_api = self.p_api.start() self.m_api.isdone.return_value = False self.m_api.env = mock.Mock() self.m_api.env.server = 'server.ipa.example' self.m_api.env.realm = u'IPA.EXAMPLE' self.m_api.Backend = mock.Mock() self.m_api.Command = mock.Mock() self.m_api.Command.ping.return_value = { u'summary': u'IPA server version 4.4.3. API version 2.215', } self.m_api.Command.vaultconfig_show.return_value = { u'result': { u'kra_server_server': [u'ipa.example'], } } # mocked get_principal self.p_get_principal = mock.patch( 'custodia.ipa.interface.get_principal') self.m_get_principal = self.p_get_principal.start() self.m_get_principal.return_value = None # mocked environ (empty dict) self.p_env = mock.patch.dict('os.environ', clear=True) self.p_env.start()
def setUpClass(cls): cls.parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation()) cls.parser.read_string(CONFIG) cls.log_handlers = log.auditlog.logger.handlers[:] log.auditlog.logger.handlers = [logging.NullHandler()] cls.secrets = Secrets(cls.parser, 'authz:secrets') cls.secrets.root.store = SqliteStore(cls.parser, 'store:sqlite') cls.authz = UserNameSpace(cls.parser, 'authz:user')
def _parse_config(args, config): """Parse arguments and create basic configuration """ defaults = { # Do not use getfqdn(). Internaly it calls gethostbyaddr which might # perform a DNS query. 'hostname': socket.gethostname(), } parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation(), defaults=defaults) parser.optionxform = str with args.configfile as f: parser.read_file(f) for s in CONFIG_SPECIALS: config[s] = dict() # add env parser['ENV'] = { k: v.replace('$', '$$') for k, v in os.environ.items() if not set(v).intersection('\r\n\x00') } # parse globals first if parser.has_section('global'): for opt, val in parser.items('global'): if opt in CONFIG_SPECIALS: raise ValueError('"%s" is an invalid ' '[global] option' % opt) config[opt] = val config['tls_verify_client'] = parser.getboolean('global', 'tls_verify_client', fallback=False) config['debug'] = parser.getboolean('global', 'debug', fallback=False) if args.debug: config['debug'] = True config['auditlog'] = os.path.abspath( config.get('auditlog', 'custodia.audit.log')) config['umask'] = int(config.get('umask', '027'), 8) url = config.get('server_url') sock = config.get('server_socket') if bool(url) == bool(sock): raise ValueError("Exactly one of 'server_url' or " "'server_socket' is required.") if sock: server_socket = os.path.abspath(sock) config['server_url'] = 'http+unix://{}/'.format( url_escape(server_socket, '')) return parser
def setUpClass(cls): cls.parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation()) cls.parser.read_string(CONFIG) config = {'server_keys': test_keys[0]['kid']} with open('examples/client_enc.key') as f: data = f.read() cls.client_keys = json_decode(data) cls.kk = kem.KEMKeysStore(config) cls.kk.store = SqliteStore(cls.parser, 'store:sqlite') _store_keys(cls.kk.store, kem.KEY_USAGE_SIG, test_keys) _store_keys(cls.kk.store, kem.KEY_USAGE_ENC, test_keys) _store_keys(cls.kk.store, kem.KEY_USAGE_SIG, cls.client_keys) _store_keys(cls.kk.store, kem.KEY_USAGE_ENC, cls.client_keys)
def setUpClass(cls): # Tests are depending on two existing and distinct users and groups. # We chose 'root' with uid/gid 0 and 'nobody', because both exist on # all relevant platforms. Tests use a mocked request so they run # under any user. cls.user = user = pwd.getpwnam('nobody') cls.group = group = grp.getgrgid(user.pw_gid) cls.parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation(), defaults={ 'other_uid': str(user.pw_uid), 'other_username': user.pw_name, 'other_gid': str(group.gr_gid), 'other_groupname': group.gr_name, }) cls.parser.read_string(CONFIG)
cert[u'serial_number'], cert[u'subject'], cert[u'issuer']) ipa.Command.cert_revoke( cert[u'serial_number'], revocation_reason=self.revocation_reason, ) return certs if __name__ == '__main__': from custodia.compat import configparser from custodia.log import setup_logging from custodia.store.sqlite import SqliteStore parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation()) parser.read_string(u""" [auth:ipa] handler = IPAInterface [store:sqlite] handler = SqliteStore dburi = /tmp/test.sqlite [store:ipa_certreq] handler = IPAVault backing_store = sqlite """) setup_logging(debug=True, auditfile=None) IPAInterface(parser, 'auth:ipa') s = IPACertRequest(parser, 'store:ipa_certreq') s.store = SqliteStore(parser, 'store:sqlite')
class CustodiaConfigParser(configparser.ConfigParser): """Python 3 like config parser with Custodia support. Example config:: [custodia_client] url = https://custodia.example/secrets [example] password = test/key [interpolation] password = ${CUSTODIA:test/key} parser = CustodiaConfigParser() secret = parser.getsecret('example', 'password') secret = parser.get('interpolation', 'password') The Custodia client instance can either be passed to CustodiaConfigParser or loaded from the [custodia_client] section. """ _DEFAULT_INTERPOLATION = configparser.ExtendedInterpolation() custodia_client_section = 'custodia_client' custodia_section = 'CUSTODIA' def __init__(self, defaults=None, dict_type=collections.OrderedDict, allow_no_value=False, custodia_client=None, **kwargs): super(CustodiaConfigParser, self).__init__(defaults=defaults, dict_type=dict_type, allow_no_value=allow_no_value, **kwargs) self._sections[self.custodia_section] = CustodiaMapping(self) self._custodia_client = custodia_client def __getitem__(self, key): item = super(CustodiaConfigParser, self).__getitem__(key) # wrap SectionProxy in CustodiaSectionProxy if not isinstance(item, CustodiaSectionProxy): item = CustodiaSectionProxy(item.parser, item.name) self._proxies[key] = item return item @property def custodia_client(self): if self._custodia_client is None: sec = self.custodia_client_section url = self.get(sec, 'url') client = CustodiaSimpleClient(url) headers = self.get(sec, 'headers', fallback=None) if headers: headers = json.loads(headers) client.headers.update(headers) tls_cafile = self.get(sec, 'tls_cafile', fallback=None) if tls_cafile: client.set_ca_cert(tls_cafile) certfile = self.get(sec, 'tls_certfile', fallback=None) keyfile = self.get(sec, 'tls_keyfile', fallback=None) if certfile: client.set_client_cert(certfile, keyfile) self._custodia_client = client return self._custodia_client def getsecret(self, section, option, **kwargs): """Get a secret from Custodia """ # keyword-only arguments, vars and fallback are directly passed through raw = kwargs.get('raw', False) value = self.get(section, option, **kwargs) if raw: return value return self.custodia_client.get_secret(value)
def parser(): parser = configparser.ConfigParser( interpolation=configparser.ExtendedInterpolation(), ) parser.read_string(CONFIG) return parser