def test_get_encrypted_key(): passwd = u"passwd" ekey = cu.encrypt_key(passwd) assert ekey is not None assert isinstance(ekey, str) ekey2 = cu.encrypt_key(passwd) assert ekey2 == ekey
def test_configure_save_key(set_up): conf_file = set_up passwd = u"passwd" set_configuration(encrypt_key(passwd), None, None, None, conf_file) data = get_configuration(conf_file) key = data['key'].encode('latin1') assert key is not None assert isinstance(key, bytes)
def test_wrong_salt(set_up): my_access = 'another' other_key = cu.encrypt_key('pirillo') sleep(1) du.insert_secret(DOMAIN, my_access, 'login', 'password', None, 'memorable', other_key) #the following shoud produce and InvalidToken error sys.argv=['secret_wallet','get','-d',DOMAIN, '-a', my_access] with io.StringIO() as buf, redirect_stdout(buf): Parser() assert 'InvalidToken' in buf.getvalue()
def set_up(): c_pwd = u"passwd" table_name = "test" key = cu.encrypt_key(c_pwd) parameters.set_salt_key(key) parameters.set_table_name(table_name) du.create_table(table_name) yield parameters.clear()
def test_encrypt_decrypt_info(): c_pwd = u"passwd" m_pwd = u"memorabile" key = cu.encrypt_key(c_pwd) info = {'first': 'value_1', 'second': 'value_2'} ien = du.encrypt_info(info, m_pwd, key) ide = du.decrypt_info(ien, m_pwd, key) for key in info: assert ide[key] == info[key]
def test_encrypt_decrypt_no_config(): c_pwd = u"passwd" m_pwd = u"memorabile" secret = u"mamma" key = cu.encrypt_key(c_pwd) esecret = cu.encrypt(secret, m_pwd, key) v1 = cu.decrypt(esecret, m_pwd, key) esecret2 = cu.encrypt(secret, m_pwd, key) v2 = cu.decrypt(esecret2, m_pwd, key) assert v1 == v2 assert v1 == secret
def test_encrypt_decrypt_secret(set_up): conf_file = set_up c_pwd = u"passwd" m_pwd = u"memorabile" secret = u"mamma" set_configuration(encrypt_key(c_pwd), None, None, None, conf_file) parameters.set_data(get_configuration(conf_file)) esecret = cu.encrypt(secret, m_pwd, parameters.get_salt_key()) v1 = cu.decrypt(esecret, m_pwd, parameters.get_salt_key()) esecret2 = cu.encrypt(secret, m_pwd, parameters.get_salt_key()) v2 = cu.decrypt(esecret2, m_pwd, parameters.get_salt_key()) assert v1 == v2 assert v1 == secret
def test_wrong_salt_key(set_up): c_pwd = 'pirillo' wrong_key = cu.encrypt_key(c_pwd) m_pwd = u"memorabile" domain = u"my_domain" access = u"my_access" secret_uid = u"me@home" secret_pwd = u"ciao mamma" try: du.insert_secret(domain, access, secret_uid, secret_pwd, None, m_pwd, wrong_key) with pytest.raises(cryptography.fernet.InvalidToken): du.get_secret(domain, access, m_pwd) finally: du.delete_secret(domain, access)
def test_configure_save_many(set_up): conf_file = set_up passwd = u"passwd" profile = 'my profile' salt = 'my salt' table = 'my table' set_configuration(encrypt_key(passwd), profile, table, salt, conf_file) data = get_configuration(conf_file) key = data['key'].encode('latin1') assert key is not None assert isinstance(key, bytes) assert profile == data['profile'] assert salt == data['salt'] assert table == data['table_name']
def test_reconf_salt_key(set_up, insert_records): old_mem = "memorable" c_pwd = 'carpiato' new_salt_key = cu.encrypt_key(c_pwd) secrets = du.list_secrets("d1") + du.list_secrets("d2") assert 3 == len(secrets) sec = du.get_secret('d1', 'a1', old_mem) assert "v1" == sec['info']['k1'] du.reconf_salt_key(secrets, old_mem, c_pwd, False) secrets = du.list_secrets("d1") + du.list_secrets("d2") assert 3 == len(secrets) secrets = du.list_secrets("I") + du.list_secrets("D") assert 0 == len(secrets) sec = du.get_secret('d1', 'a1', old_mem, new_salt_key) assert "v1" == sec['info']['k1'] with pytest.raises(cryptography.fernet.InvalidToken): du.get_secret('d1', 'a1', old_mem)
def reconf_salt_key(secrets, old_mem, new_device_pwd, backup=False): """Reconfigure all secrets changing the memorable password input: secrets a list of secrets, as domain, asset pairs old_mem old memorable password new_device_pwd the new device password backup a boolean flag to request a full baclup of the table output: the BackupArn of the table """ ekey = encrypt_key(new_device_pwd) ns = len(secrets) i = 0 arn = None if backup: arn =_backup_table("backup") for s in secrets: i += 1 domain = s[0] access = s[1] try: message = f"[{i}/{ns}] - Reconfiguring the secret ({domain},{access})" logger.info(message) print(message) secret = get_secret(domain, access, old_mem) insert_secret("I", f"{domain}{SEPARATOR}{access}", secret['uid'], secret['pwd'], secret['info'], old_mem, ekey) rename_secret(domain, access, "D", f"{domain}{SEPARATOR}{access}") rename_secret("I", f"{domain}{SEPARATOR}{access}", domain, access) delete_secret("D", f"{domain}{SEPARATOR}{access}") except Exception as e: logger.error(e) message = f"Could not reconfigure ({domain},{access})" print(message) logger.error(message) return arn
def reconf(self): """ Reconfigures either the memorable or the device password. All secrets will be re-encryted with the changed password. It is not possible to change both passwords at the same time. Depending on the size of the wallet, this operation might take some time. A backup of the old table is also performed. """ parser = argparse.ArgumentParser(description=self.reconf.__doc__, prog='secret_wallet reconf') #optional arguments parser.add_argument( '-m', '--memorable', action='store_true', default=False, help='Reconfigure secrets because of a change of memorable password' ) parser.add_argument( '-d', '--device', action='store_true', default=False, help='Reconfigure secrets because of a change of device password') args = iou.my_parse(parser, sys.argv[2:]) if args is None: return try: if args.memorable and args.device: print( "You can't reconfigure both memorable and device password at the same time" ) elif args.memorable: iou.my_output("You are reconfiguring the memorable password") if is_connected(): stop_service() iou.display_reconfiguration_warning() iou.my_output('***Enter the existing memorable password***') old_memorable, _ = pm.get_memorable_password(False) iou.my_output('***Set the new memorable password***') new_memorable, _ = pm.get_memorable_password(True) reconf_memorable(list_secrets(None), old_memorable, new_memorable, True) elif args.device: iou.my_output("You are reconfiguring the device password") if is_connected(): stop_service() iou.display_reconfiguration_warning() iou.my_output('***Enter the existing memorable password***') old_memorable, _ = pm.get_memorable_password(False) iou.my_output('***Set the new device password***') new_device, _ = pm.get_memorable_password(True) reconf_salt_key(list_secrets(None), old_memorable, new_device, True) #now pass it to the configuration file ekey = encrypt_key(new_device) cdata = get_configuration() cdata['key'] = ekey set_configuration_data(cdata) except Exception as e: iou.my_output(repr(e))
def make_configurations(): "Main configuration script" print("\nMain configuration script for your secret wallet.") print( "Please press return to accept the pre-set values in square brackets, or type a new value:\n" ) answ = input("\nDo you want to configure the AWS credentials? (yes|skip) ") if answ.lower().startswith('y'): profile = input('{0:30}[{1:>30}] = '.format( 'AWS profile name', parameters.get_profile_name())) if len(profile) == 0: profile = parameters.get_profile_name() if has_credentials() and profile in get_credentials_sections(): print( 'The AWS profile {0} is already in use. Choose another or reconfigure' .format(profile)) exit(1) parameters.set_profile_name(profile) access_key = input('{0:30}[{1:>30}] = '.format('AWS access key id', '')) secret_access_key = input('{0:30}[{1:>30}] = '.format( 'AWS secret access key', '')) region = input('{0:30}[{1:>30}] = '.format('AWS region', '')) cred = { 'aws access key id': access_key, 'aws seceret access key': secret_access_key, 'aws region': region } display_configuration(CREDENTIALS_FILE, 'AWS credentials are located', cred) answ = input("\nDo you want to set the credentials? (yes|skip|exit) ") if answ.lower().startswith('y'): set_credentials(CREDENTIALS_FILE, access_key, secret_access_key, region) elif answ.lower().startswith('s'): pass else: exit(1) answ = input( "\nDo you want to configure the the secret-wallet parameters? (yes|skip) " ) if answ.lower().startswith('y'): profile = input('{0:30}[{1:>30}] = '.format( 'AWS profile name', parameters.get_profile_name())) if len(profile) == 0: profile = parameters.get_profile_name() table = input('{0:30}[{1:>30}] = '.format('DynameDB table name', parameters.get_table_name())) if len(table) == 0: table = parameters.get_table_name() if has_configuration() and has_table(table): print( 'The secret-wallet has been configured previously for the same table.\nTo protect secrets, you need to call a reconfigure procedure' ) exit(1) conf_pwd = get_password('Configuration password', 6) conf_key = encrypt_key(conf_pwd) conf = { 'configuration key': conf_key, 'profile': profile, 'table': table } parameters.set_profile_name(profile) parameters.set_table_name(table) display_configuration(CONFIG_FILE, 'secret wallet configuration is located', conf) answ = input( "\nDo you want to set the configuration parameters? (yes|exit) ") if answ.lower().startswith('y'): try: set_configuration(conf_key, profile, table, None, CONFIG_FILE) create_table(table) except Exception as e: print(e) print( "Could not write the configuration file. Make sure you have AWS connection and try again" ) else: exit(1)