def _encrypt_payload(self, headers, body):
"""Encryption enforcement based on configuration - encrypt and add session key params to header or body"""
conf = self._encryption_conf
if conf.use_http_headers:
params = SessionKeyParams.generate(conf)
encryption_params = {
conf.iv_field_name: params.iv_value,
conf.encrypted_key_field_name: params.encrypted_key_value
}
if conf.encryption_certificate_fingerprint_field_name:
encryption_params[conf.encryption_certificate_fingerprint_field_name] = \
conf.encryption_certificate_fingerprint
if conf.encryption_key_fingerprint_field_name:
encryption_params[conf.encryption_key_fingerprint_field_name] = conf.encryption_key_fingerprint
if conf.oaep_padding_digest_algorithm_field_name:
encryption_params[conf.oaep_padding_digest_algorithm_field_name] = conf.oaep_padding_digest_algorithm
encrypted_payload = encrypt_payload(body, conf, params)
headers.update(encryption_params)
else:
encrypted_payload = encrypt_payload(body, conf)
return encrypted_payload
def request(self,
method,
url,
query_params=None,
headers=None,
post_params=None,
body=None,
_preload_content=True,
_request_timeout=None):
check = -1
if body:
if url == "testservice/headers":
iv = headers["x-iv"]
encrypted_key = headers["x-key"]
oaep_digest_algo = headers[
"x-oaep-digest"] if "x-oaep-digest" in headers else None
params = SessionKeyParams(self._config, encrypted_key, iv,
oaep_digest_algo)
else:
params = None
plain = encryption.decrypt_payload(body, self._config, params)
check = plain["data"]["secret2"] - plain["data"]["secret1"]
res = {"data": {"secret": check}}
else:
res = {"data": {"secret": [53, 84, 75]}}
if url == "testservice/headers" and method in ["GET", "POST", "PUT"]:
params = SessionKeyParams.generate(self._config)
json_resp = encryption.encrypt_payload(res, self._config, params)
response_headers = {
"Content-Type": "application/json",
"x-iv": params.iv_value,
"x-key": params.encrypted_key_value,
"x-oaep-digest": self._config.oaep_padding_digest_algorithm
}
mock_headers = Mock(return_value=response_headers)
else:
json_resp = encryption.encrypt_payload(res, self._config)
mock_headers = Mock(
return_value={"Content-Type": "application/json"})
response = Mock()
response.status = 200
response.getheaders = mock_headers
if method in ["GET", "POST", "PUT"]:
response.data = json_resp
else:
response.data = "OK" if check == 0 else "KO"
return response
def test_encrypt_payload_with_multiple_encryption_paths(self):
self._config._paths["$"]._to_encrypt = {
"data1": "encryptedData1",
"data2": "encryptedData2"
}
payload = {
"data1": {
"field1": "value1",
"field2": "value2"
},
"data2": {
"field3": "value3",
"field4": "value4"
},
"encryptedData1": {},
"encryptedData2": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.assertNotIn("data1", encrypted_payload)
self.assertNotIn("data2", encrypted_payload)
enc_data1 = encrypted_payload["encryptedData1"]
enc_data2 = encrypted_payload["encryptedData2"]
self.assertIsNotNone(enc_data1["iv"])
self.assertIsNotNone(enc_data1["encryptedKey"])
self.assertIsNotNone(enc_data1["encryptedValue"])
self.assertIsNotNone(enc_data2["iv"])
self.assertIsNotNone(enc_data2["encryptedKey"])
self.assertIsNotNone(enc_data2["encryptedValue"])
self.assertNotEqual(enc_data1["iv"], enc_data2["iv"],
"using same set of params")
def test_encrypt_payload_with_type_list(self):
payload = {
"data": ["item1", "item2", "item3"],
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.__assert_payload_encrypted(payload, encrypted_payload, self._config)
def test_encrypt_payload_with_type_boolean(self):
payload = {
"data": False,
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.__assert_payload_encrypted(payload, encrypted_payload, self._config)
def test_encrypt_payload_with_type_string(self):
payload = {
"data": "string",
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.__assert_payload_encrypted(payload, encrypted_payload, self._config)
def test_encrypt_payload_with_type_float(self):
payload = {
"data": 123.34,
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.__assert_payload_encrypted(payload, encrypted_payload, self._config)
def test_encrypt_payload_when_root_as_in_path(self):
self._config._paths["$"]._to_encrypt = {"$": "encryptedData"}
payload = {"field1": "value1", "field2": "value2"}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.assertNotIn("field1", encrypted_payload)
self.assertNotIn("field2", encrypted_payload)
self.assertIn("encryptedData", encrypted_payload)
self.assertEqual(6, len(encrypted_payload["encryptedData"].keys()))
def test_encrypt_payload_base64_field_encoding(self):
payload = {
"data": {
"field1": "value1",
"field2": "value2"
},
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.__assert_payload_encrypted(payload, encrypted_payload, self._config)
def test_encrypt_payload_skip_when_in_path_does_not_exist(self):
payload = {
"dataNotToEncrypt": {
"field1": "value1",
"field2": "value2"
},
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.assertEqual(payload, encrypted_payload)
def test_encrypt_payload_hex_field_encoding(self):
self._config._data_encoding = Encoding.HEX
payload = {
"data": {
"field1": "value1",
"field2": "value2"
},
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.__assert_payload_encrypted(payload, encrypted_payload, self._config)
def test_encrypt_payload_when_session_key_params_is_provided(self):
payload = {"data": {}, "encryptedData": {}}
params = SessionKeyParams.generate(self._config)
encrypted_payload = to_test.encrypt_payload(payload, self._config,
params)
self.assertNotIn("data", encrypted_payload)
self.assertIn("encryptedData", encrypted_payload)
self.assertIn("encryptedValue", encrypted_payload["encryptedData"])
self.assertEqual(1, len(encrypted_payload["encryptedData"].keys()))
del payload["encryptedData"]
self.assertEqual(
payload,
to_test.decrypt_payload(encrypted_payload, self._config, params))
def test_encrypt_payload_when_root_as_in_and_out_path(self):
self._config._paths["$"]._to_encrypt = {"$": "$"}
payload = {"field1": "value1", "field2": "value2"}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.assertNotIn("field1", encrypted_payload)
self.assertNotIn("field2", encrypted_payload)
self.assertIn("iv", encrypted_payload)
self.assertIn("encryptedKey", encrypted_payload)
self.assertIn("encryptedValue", encrypted_payload)
self.assertIn("certFingerprint", encrypted_payload)
self.assertIn("keyFingerprint", encrypted_payload)
self.assertIn("oaepHashingAlgo", encrypted_payload)
def test_encrypt_payload_when_session_key_params_is_None(self):
payload = {
"data": {
"field1": "value1",
"field2": "value2"
},
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config, None)
self.assertNotIn("field1", encrypted_payload)
self.assertNotIn("field2", encrypted_payload)
self.assertIn("encryptedData", encrypted_payload)
self.assertEqual(6, len(encrypted_payload["encryptedData"].keys()))
def test_encrypt_payload_create_node_when_out_path_parent_exists(self):
self._config._paths["$"]._to_encrypt = {"data": "encryptedDataParent.encryptedData"}
payload = {
"data": {
"field1": "value1",
"field2": "value2"
},
"encryptedDataParent": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.assertNotIn("data", encrypted_payload)
self.assertIn("encryptedDataParent", encrypted_payload)
self.assertIn("encryptedData", encrypted_payload["encryptedDataParent"])
def test_encrypt_payload_when_oaep_padding_digest_algorithm_field_not_set(self):
self._config._oaep_padding_digest_algorithm_field_name = None
payload = {
"data": {
"field1": "value1",
"field2": "value2"
},
"encryptedData": {}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.assertNotIn("data", encrypted_payload)
self.assertIn("encryptedData", encrypted_payload)
self.assertEqual(5, len(encrypted_payload["encryptedData"].keys()))
def test_encrypt_payload_when_out_path_already_contains_data(self):
payload = {
"data": {
"field1": "value1",
"field2": "value2"
},
"encryptedData": {
"field1": "fieldValue",
"iv": "previousIv"
}
}
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.assertNotIn("data", encrypted_payload)
self.assertIn("encryptedData", encrypted_payload)
self.assertIn("field1", encrypted_payload["encryptedData"])
self.assertIn("iv", encrypted_payload["encryptedData"])
self.assertEqual("fieldValue", encrypted_payload["encryptedData"]["field1"])
self.assertNotEqual("previousIv", encrypted_payload["encryptedData"]["iv"])
def test_encrypt_payload_as_string(self):
payload = '{"data": {"field1": "value1","field2": "value2"},"encryptedData": {}}'
encrypted_payload = to_test.encrypt_payload(payload, self._config)
self.__assert_payload_encrypted(json.loads(payload), encrypted_payload,
self._config)
