def _encrypt_payload(self, headers, body):
"""Encryption enforcement based on configuration - encrypt and add session key params to header or body"""
conf = self._encryption_conf
if conf.use_http_headers:
params = SessionKeyParams.generate(conf)
encryption_params = {
conf.iv_field_name: params.iv_value,
conf.encrypted_key_field_name: params.encrypted_key_value
}
if conf.encryption_certificate_fingerprint_field_name:
encryption_params[conf.encryption_certificate_fingerprint_field_name] = \
conf.encryption_certificate_fingerprint
if conf.encryption_key_fingerprint_field_name:
encryption_params[conf.encryption_key_fingerprint_field_name] = conf.encryption_key_fingerprint
if conf.oaep_padding_digest_algorithm_field_name:
encryption_params[conf.oaep_padding_digest_algorithm_field_name] = conf.oaep_padding_digest_algorithm
encrypted_payload = encrypt_payload(body, conf, params)
headers.update(encryption_params)
else:
encrypted_payload = encrypt_payload(body, conf)
return encrypted_payload
def request(self,
method,
url,
query_params=None,
headers=None,
post_params=None,
body=None,
_preload_content=True,
_request_timeout=None):
check = -1
if body:
if url == "testservice/headers":
iv = headers["x-iv"]
encrypted_key = headers["x-key"]
oaep_digest_algo = headers[
"x-oaep-digest"] if "x-oaep-digest" in headers else None
params = SessionKeyParams(self._config, encrypted_key, iv,
oaep_digest_algo)
else:
params = None
plain = encryption.decrypt_payload(body, self._config, params)
check = plain["data"]["secret2"] - plain["data"]["secret1"]
res = {"data": {"secret": check}}
else:
res = {"data": {"secret": [53, 84, 75]}}
if url == "testservice/headers" and method in ["GET", "POST", "PUT"]:
params = SessionKeyParams.generate(self._config)
json_resp = encryption.encrypt_payload(res, self._config, params)
response_headers = {
"Content-Type": "application/json",
"x-iv": params.iv_value,
"x-key": params.encrypted_key_value,
"x-oaep-digest": self._config.oaep_padding_digest_algorithm
}
mock_headers = Mock(return_value=response_headers)
else:
json_resp = encryption.encrypt_payload(res, self._config)
mock_headers = Mock(
return_value={"Content-Type": "application/json"})
response = Mock()
response.status = 200
response.getheaders = mock_headers
if method in ["GET", "POST", "PUT"]:
response.data = json_resp
else:
response.data = "OK" if check == 0 else "KO"
return response
def test_populate_node_with_key_params(self):
params = SessionKeyParams.generate(self._config)
payload = {"key_params": {}}
node = payload["key_params"]
to_test._populate_node_with_key_params(node, self._config, params)
self.assertEqual(5, len(payload["key_params"].keys()))
self.assertIsNotNone(payload["key_params"][self._config.iv_field_name])
self.assertIsNotNone(payload["key_params"][self._config.encrypted_key_field_name])
self.assertEqual("SHA256", payload["key_params"][self._config.oaep_padding_digest_algorithm_field_name])
self.assertEqual("761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79",
payload["key_params"][self._config.encryption_key_fingerprint_field_name])
self.assertEqual("80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279",
payload["key_params"][self._config.encryption_certificate_fingerprint_field_name])
def test_encrypt_payload_when_session_key_params_is_provided(self):
payload = {"data": {}, "encryptedData": {}}
params = SessionKeyParams.generate(self._config)
encrypted_payload = to_test.encrypt_payload(payload, self._config,
params)
self.assertNotIn("data", encrypted_payload)
self.assertIn("encryptedData", encrypted_payload)
self.assertIn("encryptedValue", encrypted_payload["encryptedData"])
self.assertEqual(1, len(encrypted_payload["encryptedData"].keys()))
del payload["encryptedData"]
self.assertEqual(
payload,
to_test.decrypt_payload(encrypted_payload, self._config, params))
def encrypt_payload(payload, config, _params=None):
"""Encrypt some fields of a JSON payload using the given configuration."""
try:
json_payload = copy.deepcopy(
payload) if type(payload) is dict else json.loads(payload)
for elem, target in config.paths["$"].to_encrypt.items():
if not _params:
params = SessionKeyParams.generate(config)
else:
params = _params
try:
value = pop_node(json_payload, elem)
try:
encrypted_value = _encrypt_value(params.key,
params.iv_spec, value)
crypto_node = get_node(json_payload, target, create=True)
crypto_node[
config.encrypted_value_field_name] = encode_bytes(
encrypted_value, config.data_encoding)
if not _params:
_populate_node_with_key_params(crypto_node, config,
params)
except KeyError:
raise EncryptionError("Field " + target + " not found!")
except KeyError:
pass # data-to-encrypt node not found, nothing to encrypt
return json_payload
except (IOError, ValueError, TypeError) as e:
raise EncryptionError("Payload encryption failed!", e)