def test_proxy_server_conf_dir(self):
proxy_server_conf_dir = os.path.join(self.tempdir, 'proxy_server.d')
os.mkdir(proxy_server_conf_dir)
# KmipClient can't read conf from a dir, so check that is caught early
conf = {
'__file__': proxy_server_conf_dir,
'__name__': 'kmip_keymaster',
'key_id': '789'
}
with self.assertRaises(ValueError) as cm:
KmipKeyMaster(None, conf)
self.assertIn('config cannot be read from conf dir', str(cm.exception))
# ...but a conf file in a conf dir could point back to itself for the
# KmipClient config
km_config_file = os.path.join(proxy_server_conf_dir, '40.conf')
km_conf = """
[filter:kmip_keymaster]
keymaster_config_file = %s
[kmip_keymaster]
key_id = 789
""" % km_config_file
with open(km_config_file, 'wb') as fd:
fd.write(dedent(km_conf))
conf = {
'__file__': proxy_server_conf_dir,
'__name__': 'kmip_keymaster',
'keymaster_config_path': km_config_file
}
secrets = {'789': create_secret('AES', 256, b'x' * 32)}
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secrets, calls)):
km = KmipKeyMaster(None, conf)
self.assertEqual({None: b'x' * 32}, km._root_secrets)
self.assertEqual(None, km.active_secret_id)
self.assertEqual(km_config_file, km.keymaster_config_path)
self.assertEqual(
calls,
[
(
'__init__',
{
'config_file': km_config_file,
# NB: no "filter:"
'config': 'kmip_keymaster'
}),
('get', '789')
])
def test_config_in_separate_file(self):
km_conf = """
[kmip_keymaster]
key_id = 4321
"""
km_config_file = os.path.join(self.tempdir, 'km.conf')
with open(km_config_file, 'wb') as fd:
fd.write(dedent(km_conf))
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster',
'keymaster_config_path': km_config_file
}
secret = create_secret('AES', 256, b'x' * 32)
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secret, calls)):
km = KmipKeyMaster(None, conf)
self.assertEqual(secret.value, km.root_secret)
self.assertEqual(km_config_file, km.keymaster_config_path)
self.assertEqual(
{
'config_file': km_config_file,
'config': 'kmip_keymaster'
}, calls[0]['kwargs'])
self.assertEqual('4321', calls[0]['client'].uid)
def test_multikey_config_in_filter_section(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster',
'key_id': '1234',
'key_id_xyzzy': 'foobar',
'key_id_alt_secret_id': 'foobar',
'active_root_secret_id': 'xyzzy'
}
secrets = {
'1234': create_secret('AES', 256, b'x' * 32),
'foobar': create_secret('AES', 256, b'y' * 32)
}
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secrets, calls)):
km = KmipKeyMaster(None, conf)
self.assertEqual(
{
None: b'x' * 32,
'xyzzy': b'y' * 32,
'alt_secret_id': b'y' * 32
}, km._root_secrets)
self.assertEqual('xyzzy', km.active_secret_id)
self.assertIsNone(km.keymaster_config_path)
self.assertEqual(calls, [
('__init__', {
'config_file': '/etc/swift/proxy-server.conf',
'config': 'filter:kmip_keymaster'
}),
('get', '1234'),
('get', 'foobar'),
])
def test_multikey_config_in_separate_file(self):
km_conf = """
[kmip_keymaster]
key_id = 4321
key_id_secret_id = another id
active_root_secret_id = secret_id
"""
km_config_file = os.path.join(self.tempdir, 'km.conf')
with open(km_config_file, 'wb') as fd:
fd.write(dedent(km_conf))
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster',
'keymaster_config_path': km_config_file
}
secrets = {
'4321': create_secret('AES', 256, b'x' * 32),
'another id': create_secret('AES', 256, b'y' * 32)
}
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secrets, calls)):
km = KmipKeyMaster(None, conf)
self.assertEqual({
None: b'x' * 32,
'secret_id': b'y' * 32
}, km._root_secrets)
self.assertEqual('secret_id', km.active_secret_id)
self.assertEqual(km_config_file, km.keymaster_config_path)
self.assertEqual(calls, [('__init__', {
'config_file': km_config_file,
'config': 'kmip_keymaster'
}), ('get', '4321'), ('get', 'another id')])
def test_config_in_separate_file(self):
km_conf = """
[kmip_keymaster]
key_id = 4321
"""
km_config_file = os.path.join(self.tempdir, 'km.conf')
with open(km_config_file, 'wt') as fd:
fd.write(dedent(km_conf))
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'keymaster-kmip',
'keymaster_config_path': km_config_file
}
secrets = {'4321': create_secret('AES', 256, b'x' * 32)}
calls = []
with mock.patch(KMIP_CLIENT_CLASS, create_mock_client(secrets, calls)):
km = KmipKeyMaster(None, conf)
self.assertEqual({None: b'x' * 32}, km._root_secrets)
self.assertEqual(None, km.active_secret_id)
self.assertEqual(km_config_file, km.keymaster_config_path)
self.assertEqual(calls, [('__init__', {
'config_file': km_config_file,
'config': 'kmip_keymaster'
}), ('get', '4321')])
def test_missing_key_id(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster'
}
with self.assertRaises(ValueError) as cm:
KmipKeyMaster(None, conf)
self.assertIn('key_id option is required', str(cm.exception))
def test_bad_key_algorithm(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster',
'key_id': '1234'
}
secrets = {'1234': create_secret('notAES', 256, b'x' * 32)}
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secrets, calls)):
with self.assertRaises(ValueError) as cm:
KmipKeyMaster(None, conf)
self.assertIn('Expected key 1234 to be an AES-256 key',
str(cm.exception))
self.assertEqual(calls, [('__init__', {
'config_file': '/etc/swift/proxy-server.conf',
'config': 'filter:kmip_keymaster'
}), ('get', '1234')])
def test_missing_key_id(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'kmip_keymaster'
}
secrets = {}
calls = []
with mock.patch(KMIP_CLIENT_CLASS,
create_mock_client(secrets, calls)), \
self.assertRaises(ValueError) as cm:
KmipKeyMaster(None, conf)
self.assertEqual('No secret loaded for active_root_secret_id None',
str(cm.exception))
# We make the client, but never use it
self.assertEqual(calls, [('__init__', {
'config_file': '/etc/swift/proxy-server.conf',
'config': 'filter:kmip_keymaster'
})])
def test_bad_key_length(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'kmip_keymaster',
'key_id': '1234'
}
secrets = {'1234': create_secret('AES', 128, b'x' * 16)}
calls = []
with mock.patch(KMIP_CLIENT_CLASS,
create_mock_client(secrets, calls)), \
self.assertRaises(ValueError) as cm:
KmipKeyMaster(None, conf)
self.assertIn('Expected key 1234 to be an AES-256 key',
str(cm.exception))
self.assertEqual(calls, [('__init__', {
'config_file': '/etc/swift/proxy-server.conf',
'config': 'filter:kmip_keymaster'
}), ('get', '1234')])
def test_bad_key_algorithm(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster',
'key_id': '1234'
}
secret = create_secret('notAES', 256, b'x' * 32)
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secret, calls)):
with self.assertRaises(ValueError) as cm:
KmipKeyMaster(None, conf)
self.assertIn('Expected an AES-256 key', str(cm.exception))
self.assertEqual(
{
'config_file': '/etc/swift/proxy-server.conf',
'config': 'filter:kmip_keymaster'
}, calls[0]['kwargs'])
self.assertEqual('1234', calls[0]['client'].uid)
def test_bad_active_key(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster',
'key_id': '1234',
'key_id_xyzzy': 'foobar',
'active_root_secret_id': 'unknown'
}
secrets = {
'1234': create_secret('AES', 256, b'x' * 32),
'foobar': create_secret('AES', 256, b'y' * 32)
}
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secrets, calls)), \
self.assertRaises(ValueError) as raised:
KmipKeyMaster(None, conf)
self.assertEqual('No secret loaded for active_root_secret_id unknown',
str(raised.exception))
def test_config_in_filter_section(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'filter:kmip_keymaster',
'key_id': '1234'
}
secret = create_secret('AES', 256, b'x' * 32)
calls = []
klass = 'swift.common.middleware.crypto.kmip_keymaster.ProxyKmipClient'
with mock.patch(klass, create_mock_client(secret, calls)):
km = KmipKeyMaster(None, conf)
self.assertEqual(secret.value, km.root_secret)
self.assertIsNone(km.keymaster_config_path)
self.assertEqual(
{
'config_file': '/etc/swift/proxy-server.conf',
'config': 'filter:kmip_keymaster'
}, calls[0]['kwargs'])
self.assertEqual('1234', calls[0]['client'].uid)
def test_config_in_filter_section(self):
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'kmip_keymaster',
'key_id': '1234'
}
secrets = {'1234': create_secret('AES', 256, b'x' * 32)}
calls = []
with mock.patch(KMIP_CLIENT_CLASS, create_mock_client(secrets, calls)):
km = KmipKeyMaster(None, conf)
self.assertEqual({None: b'x' * 32}, km._root_secrets)
self.assertEqual(None, km.active_secret_id)
self.assertIsNone(km.keymaster_config_path)
self.assertEqual(calls, [
('__init__', {
'config_file': '/etc/swift/proxy-server.conf',
'config': 'filter:kmip_keymaster'
}),
('get', '1234'),
])
def test_logger_manipulations(self):
root_logger = logging.getLogger()
old_level = root_logger.getEffectiveLevel()
handler = InMemoryHandler()
try:
root_logger.setLevel(logging.DEBUG)
root_logger.addHandler(handler)
conf = {
'__file__': '/etc/swift/proxy-server.conf',
'__name__': 'kmip_keymaster'
}
secrets = {}
calls = []
with mock.patch(KMIP_CLIENT_CLASS,
create_mock_client(secrets, calls)), \
self.assertRaises(ValueError):
# missing key_id, as above, but that's not the interesting bit
KmipKeyMaster(None, conf)
self.assertEqual(handler.messages, [])
logger = logging.getLogger('kmip.services.server.kmip_protocol')
logger.debug('Something secret!')
logger.info('Something useful')
self.assertNotIn('Something secret!', handler.messages)
self.assertIn('Something useful', handler.messages)
logger = logging.getLogger('kmip.core.config_helper')
logger.debug('Also secret')
logger.warning('Also useful')
self.assertNotIn('Also secret', handler.messages)
self.assertIn('Also useful', handler.messages)
logger = logging.getLogger('kmip')
logger.debug('Boring, but not secret')
self.assertIn('Boring, but not secret', handler.messages)
finally:
root_logger.setLevel(old_level)
root_logger.removeHandler(handler)
