def test_sops_branch_is_restored(self):
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
b = {'kms': [ { 'arn': 'test' } ] }
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml',
restore_sops=b)
assert tree['sops']['kms'][0]['arn'] == 'test'
def test_walk_and_encrypt_unencrypted(self):
"""Walk the branch with whitelisted leaves and verify they are untouched."""
m = mock.mock_open(read_data="""{
"str_unencrypted": "STRING",
"list_unencrypted": ["A", "B"],
"dict_unencrypted": {
"key": "value"
},
"foo": "bar"
}""")
# Verify data stays unencrypted upon encryption
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
assert crypttree['str_unencrypted'] == 'STRING'
assert crypttree['list_unencrypted'] == ['A', 'B']
assert crypttree['dict_unencrypted'] == {"key": "value"}
assert crypttree['foo'].startswith("ENC[AES256_GCM,data:")
# Verify we have a MAC and it includes unencrypted values
assert tree['sops']['mac'].startswith("ENC[AES256_GCM,data:")
empty_tree = OrderedDict()
empty_tree['sops'] = dict()
sops.walk_and_encrypt(OrderedDict(empty_tree), key, isRoot=True)
tree_mac = sops.decrypt(tree['sops']['mac'], key,
aad=tree['sops']['lastmodified'].encode('utf-8'))
empty_tree_mac = sops.decrypt(empty_tree['sops']['mac'], key,
aad=empty_tree['sops']['lastmodified'].encode('utf-8'))
assert tree_mac != empty_tree_mac
def test_subtree(self):
"""Extract a subtree from a document."""
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml')
ntree = sops.truncate_tree(dict(tree), '["example"]["nested"]["values"]')
assert ntree == tree["example"]["nested"]["values"]
ntree = sops.truncate_tree(dict(tree), '["example_array"][1]')
assert ntree == tree["example_array"][1]
def test_walk_and_encrypt_and_decrypt(self):
"""Test a roundtrip on the tree encryption/decryption code"""
m = mock.mock_open(read_data=sops.DEFAULT_JSON)
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
cleartree = sops.walk_and_decrypt(OrderedDict(crypttree), key, isRoot=True)
assert cleartree == tree
def test_numbers_encrypt_and_decrypt(self):
"""Test encryption/decryption of numbers"""
m = mock.mock_open(read_data='{"a":1234,"b":[567,890.123],"c":5.4999517527e+10}')
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
assert tree['sops']['mac'].startswith("ENC[AES256_GCM,data:")
cleartree = sops.walk_and_decrypt(OrderedDict(crypttree), key, isRoot=True)
assert cleartree == tree
def test_subtree(self):
"""Extract a subtree from a document."""
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml')
ntree = sops.truncate_tree(dict(tree),
'["example"]["nested"]["values"]')
assert ntree == tree["example"]["nested"]["values"]
ntree = sops.truncate_tree(dict(tree), '["example_array"][1]')
assert ntree == tree["example_array"][1]
def test_walk_and_encrypt_and_decrypt(self):
"""Test a roundtrip on the tree encryption/decryption code"""
m = mock.mock_open(read_data=sops.DEFAULT_JSON)
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
cleartree = sops.walk_and_decrypt(OrderedDict(crypttree),
key,
isRoot=True)
assert cleartree == tree
def test_numbers_encrypt_and_decrypt(self):
"""Test encryption/decryption of numbers"""
m = mock.mock_open(
read_data='{"a":1234,"b":[567,890.123],"c":5.4999517527e+10}')
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
assert tree['sops']['mac'].startswith("ENC[AES256_GCM,data:")
cleartree = sops.walk_and_decrypt(OrderedDict(crypttree),
key,
isRoot=True)
assert cleartree == tree
def test_walk_and_encrypt(self):
"""Walk the branch recursively and encrypts its leaves."""
# - test dict encryption
# - test list values encryption
# - test ScalarString
# - test string encryption
# TODO:
# - test stash value
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(tree, key)
assert crypttree['example_key'].startswith("ENC[AES256_GCM,data:")
assert isinstance(crypttree['example_array'], list)
assert len(crypttree['example_array']) == 2
def test_walk_and_encrypt(self):
"""Walk the branch recursively and encrypts its leaves."""
# - test dict encryption
# - test list values encryption
# - test ScalarString
# - test string encryption
# TODO:
# - test stash value
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(tree, key)
assert crypttree['example_key'].startswith("ENC[AES256_GCM,data:")
assert isinstance(crypttree['example_array'], list)
assert len(crypttree['example_array']) == 2
def test_walk_and_encrypt_and_decrypt_unencrypted(self):
"""Test a roundtrip on the tree encryption/decryption code with unencrypted leaves"""
m = mock.mock_open(read_data="""{
"str_unencrypted": "STRING",
"list_unencrypted": ["A", "B"],
"dict_unencrypted": {
"key": "value"
},
"foo": "bar"
}""")
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
assert tree['sops']['mac'].startswith("ENC[AES256_GCM,data:")
cleartree = sops.walk_and_decrypt(OrderedDict(crypttree), key, isRoot=True)
assert cleartree == tree
def test_walk_and_encrypt_and_decrypt_unencrypted(self):
"""Test a roundtrip on the tree encryption/decryption code with unencrypted leaves"""
m = mock.mock_open(read_data="""{
"str_unencrypted": "STRING",
"list_unencrypted": ["A", "B"],
"dict_unencrypted": {
"key": "value"
},
"foo": "bar"
}""")
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
assert tree['sops']['mac'].startswith("ENC[AES256_GCM,data:")
cleartree = sops.walk_and_decrypt(OrderedDict(crypttree),
key,
isRoot=True)
assert cleartree == tree
def test_walk_and_encrypt_unencrypted(self):
"""Walk the branch with whitelisted leaves and verify they are untouched."""
m = mock.mock_open(read_data="""{
"str_unencrypted": "STRING",
"list_unencrypted": ["A", "B"],
"dict_unencrypted": {
"key": "value"
},
"foo": "bar"
}""")
# Verify data stays unencrypted upon encryption
key = os.urandom(32)
tree = OrderedDict()
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'json')
tree['sops'] = dict()
crypttree = sops.walk_and_encrypt(OrderedDict(tree), key, isRoot=True)
assert crypttree['str_unencrypted'] == 'STRING'
assert crypttree['list_unencrypted'] == ['A', 'B']
assert crypttree['dict_unencrypted'] == {"key": "value"}
assert crypttree['foo'].startswith("ENC[AES256_GCM,data:")
# Verify we have a MAC and it includes unencrypted values
assert tree['sops']['mac'].startswith("ENC[AES256_GCM,data:")
empty_tree = OrderedDict()
empty_tree['sops'] = dict()
sops.walk_and_encrypt(OrderedDict(empty_tree), key, isRoot=True)
tree_mac = sops.decrypt(
tree['sops']['mac'],
key,
aad=tree['sops']['lastmodified'].encode('utf-8'))
empty_tree_mac = sops.decrypt(
empty_tree['sops']['mac'],
key,
aad=empty_tree['sops']['lastmodified'].encode('utf-8'))
assert tree_mac != empty_tree_mac
def test_yaml_loader_is_used_on_yaml_filetype(self):
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml')
assert tree['example_key'] == 'example_value'
def test_sops_branch_is_restored(self):
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
b = {'kms': [{'arn': 'test'}]}
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml', restore_sops=b)
assert tree['sops']['kms'][0]['arn'] == 'test'
def test_yaml_loader_is_used_on_yaml_filetype(self):
m = mock.mock_open(read_data=sops.DEFAULT_YAML)
with mock.patch.object(builtins, 'open', m):
tree = sops.load_file_into_tree('path', 'yaml')
assert tree['example_key'] == 'example_value'
