class TestCredentialsUnencrypted(object):
    """Behaviour of a Credentials object built from a plaintext payload."""

    def setup(self):
        # Fixture payload shared by every test in this class.
        payload = 'plaintext credentials'
        self._plaintext_payload = payload
        self._credentials = Credentials(payload, is_encrypted=False)

    def test_is_encrypted(self):
        """Credentials - Plaintext Credentials - Is Encrypted"""
        encrypted_flag = self._credentials.is_encrypted()
        assert_false(encrypted_flag)

    def test_is_data(self):
        """Credentials - Plaintext Credentials - Data"""
        stored = self._credentials.data()
        assert_equal(stored, self._plaintext_payload)

    @patch('logging.Logger.error')
    def test_get_data_kms_decrypted(self, logging_error):
        """Credentials - Plaintext Credentials - KMS Decrypt"""
        # A decrypt request on plaintext must return None, not hand the
        # payload back as if it had been decrypted.
        outcome = self._credentials.get_data_kms_decrypted()
        assert_is_none(outcome)

        # assert_called_with matches the most recent call's arguments exactly,
        # so this also pins that the payload is not part of that log line.
        expected_message = 'Cannot decrypt Credentials as they are already decrypted'
        logging_error.assert_called_with(expected_message)

    @mock_kms
    def test_encrypt(self):
        """Credentials - Plaintext Credentials - Encrypt

        Encrypting plaintext credentials should flag them as encrypted and
        replace the stored payload.
        """
        self._credentials.encrypt(REGION, KMS_ALIAS)

        # NOTE(review): this expected value base64-decodes to the JSON-quoted
        # plaintext ("plaintext credentials" with its quotes), so the mocked
        # KMS evidently returns an encoding rather than real ciphertext. The
        # test covers the encrypt code path and the state change only; it
        # gives no assurance about confidentiality under a real KMS key.
        expected_payload = 'InBsYWludGV4dCBjcmVkZW50aWFscyI='
        assert_true(self._credentials.is_encrypted())
        assert_equal(self._credentials.data(), expected_payload)
class TestCredentialsEmpty(object):
    """Behaviour of a Credentials object built from an empty payload."""

    def setup(self):
        empty_payload = ''
        self._plaintext_payload = empty_payload
        self._credentials = Credentials(empty_payload, is_encrypted=False)

    @mock_kms
    def test_encrypt(self):
        """Credentials - Empty Credentials - Encrypt - Does nothing when payload is empty"""
        self._credentials.encrypt(REGION, KMS_ALIAS)

        # NOTE(review): the payload stays '' yet is_encrypted() flips to True,
        # so "does nothing" applies to the data only. Confirm that callers do
        # not read is_encrypted() as proof that KMS actually protected
        # something; an empty credential ends up flagged as encrypted here.
        encrypted_flag = self._credentials.is_encrypted()
        stored = self._credentials.data()
        assert_true(encrypted_flag)
        assert_equal(stored, '')
class TestCredentialsEncrypted(object):
    """Behaviour of a Credentials object built from an already-encrypted payload."""

    @mock_kms
    def setup(self):
        # The fixture ciphertext is produced under the KMS mock, which is
        # active only for the duration of setup(); tests that need KMS again
        # carry their own @mock_kms.
        plaintext = 'plaintext credentials'
        self._plaintext_payload = plaintext
        self._encrypted_payload = encrypt_with_kms(plaintext, REGION, KMS_ALIAS)
        self._credentials = Credentials(
            self._encrypted_payload,
            is_encrypted=True,
            region=REGION,
        )

    def test_is_encrypted(self):
        """Credentials - Encrypted Credentials - Is Encrypted"""
        encrypted_flag = self._credentials.is_encrypted()
        assert_true(encrypted_flag)

    def test_is_data(self):
        """Credentials - Encrypted Credentials - Data"""
        # data() is expected to expose the stored (encrypted) form, never the
        # plaintext.
        stored = self._credentials.data()
        assert_equal(stored, self._encrypted_payload)

    @mock_kms
    def test_get_data_kms_decrypted(self):
        """Credentials - Encrypted Credentials - KMS Decrypt"""
        # Round trip: decrypting the fixture must give back the original text.
        recovered = self._credentials.get_data_kms_decrypted()
        assert_equal(recovered, self._plaintext_payload)

    def test_encrypt(self):
        """Credentials - Encrypted Credentials - Encrypt

        Doubly-encrypting the credentials should do nothing.
        """
        # No @mock_kms here: presumably encrypt() returns before contacting
        # KMS when the payload is already encrypted (confirm against the
        # Credentials implementation).
        self._credentials.encrypt(REGION, KMS_ALIAS)
        stored = self._credentials.data()
        assert_equal(stored, self._encrypted_payload)

    @patch('boto3.client')
    @patch('logging.Logger.exception')
    def test_decrypt_kms_error(self, logging_exception, boto3):
        """Credentials - Encrypted Credentials - KMS Decrypt - Errors if KMS Fails to Respond"""
        # patch decorators apply bottom-up, so the Logger.exception mock is the
        # first argument and the boto3.client mock the second.

        # Simulate a KMS failure: every decrypt() on the client raises.
        failing_client = MagicMock()
        failing_client.decrypt.side_effect = ClientError(MagicMock(), 'kms_decrypt')
        boto3.return_value = failing_client

        # Fail closed: no data is returned and the failure is logged, so
        # callers must treat None as "credentials unavailable".
        outcome = self._credentials.get_data_kms_decrypted()
        assert_is_none(outcome)
        logging_exception.assert_called_with(
            'an error occurred during credentials decryption')