def test_loading_keys_from_keyczar_formatted_key_files(self):
    """Keys parsed from the keyczar-formatted fixtures expose the expected fields.

    For each fixture file under ``KEY_FIXTURES_PATH`` the object returned by
    ``read_crypto_key`` must carry the HMAC key string and size, the AES key
    string, the cipher mode and the AES key size recorded in that fixture.
    """
    # (fixture file, hmac_key_string, hmac_key_size, aes_key_string, mode, size)
    expected_keys = [
        ('one.json',
         'lgI9YdOKlIOtPQFdgB0B6zr0AZ6L2QJuFQg4gTu2dxc', 256,
         'vKmBE2YeQ9ATyovel7NDjdnbvOMcoU5uPtUVxWxWm58', 'CBC', 256),
        ('two.json',
         '92ok9S5extxphADmUhObPSD5wugey8eTffoJ2CEg_2s', 256,
         'fU9hT9pm-b9hu3VyQACLXe2Z7xnaJMZrXiTltyLUzgs', 'CBC', 256),
        ('five.json',
         'GCX2uMfOzp1JXYgqH8piEE4_mJOPXydH_fRHPDw9bkM', 256,
         'EeBcUcbH14tL0w_fF5siEw', 'CBC', 128),
    ]

    for file_name, hmac_key, hmac_size, aes_key_str, mode, size in expected_keys:
        fixture_path = os.path.join(KEY_FIXTURES_PATH, file_name)
        parsed_key = read_crypto_key(key_path=fixture_path)

        self.assertEqual(parsed_key.hmac_key_string, hmac_key)
        self.assertEqual(parsed_key.hmac_key_size, hmac_size)
        self.assertEqual(parsed_key.aes_key_string, aes_key_str)
        self.assertEqual(parsed_key.mode, mode)
        self.assertEqual(parsed_key.size, size)
def test_loading_keys_from_keyczar_formatted_key_files(self):
    """Keys parsed from the keyczar-formatted fixtures expose the expected fields.

    For each fixture file under ``KEY_FIXTURES_PATH`` the object returned by
    ``read_crypto_key`` must carry the HMAC key string and size, the AES key
    string, the cipher mode and the AES key size recorded in that fixture.
    """
    # (fixture file, hmac_key_string, hmac_key_size, aes_key_string, mode, size)
    expected_keys = [
        ('one.json',
         'lgI9YdOKlIOtPQFdgB0B6zr0AZ6L2QJuFQg4gTu2dxc', 256,
         'vKmBE2YeQ9ATyovel7NDjdnbvOMcoU5uPtUVxWxWm58', 'CBC', 256),
        ('two.json',
         '92ok9S5extxphADmUhObPSD5wugey8eTffoJ2CEg_2s', 256,
         'fU9hT9pm-b9hu3VyQACLXe2Z7xnaJMZrXiTltyLUzgs', 'CBC', 256),
        ('five.json',
         'GCX2uMfOzp1JXYgqH8piEE4_mJOPXydH_fRHPDw9bkM', 256,
         'EeBcUcbH14tL0w_fF5siEw', 'CBC', 128),
    ]

    for file_name, hmac_key, hmac_size, aes_key_str, mode, size in expected_keys:
        fixture_path = os.path.join(KEY_FIXTURES_PATH, file_name)
        parsed_key = read_crypto_key(key_path=fixture_path)

        self.assertEqual(parsed_key.hmac_key_string, hmac_key)
        self.assertEqual(parsed_key.hmac_key_size, hmac_size)
        self.assertEqual(parsed_key.aes_key_string, aes_key_str)
        self.assertEqual(parsed_key.mode, mode)
        self.assertEqual(parsed_key.size, size)
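def _setup_crypto():
    """Initialise the class-level crypto state on ``KeyValuePairAPI`` (idempotent).

    Reads ``cfg.CONF.keyvalue.enable_encryption``; when enabled, resolves the
    key file path from ``cfg.CONF.keyvalue.encryption_key_path`` and loads it
    with ``read_crypto_key``. A missing key file is logged and leaves
    ``crypto_key`` as ``None`` instead of raising; a malformed key file is not
    caught here, so ``read_crypto_key`` errors propagate to the caller.
    ``crypto_setup`` is set once the first run completes so later calls return
    immediately.
    """
    if KeyValuePairAPI.crypto_setup:
        # Crypto already set up
        return

    LOG.info("Checking if encryption is enabled for key-value store.")
    KeyValuePairAPI.is_encryption_enabled = cfg.CONF.keyvalue.enable_encryption
    LOG.debug("Encryption enabled? : %s", KeyValuePairAPI.is_encryption_enabled)

    if KeyValuePairAPI.is_encryption_enabled:
        KeyValuePairAPI.crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
        LOG.info(
            "Encryption enabled. Looking for key in path %s",
            KeyValuePairAPI.crypto_key_path,
        )

        if not os.path.exists(KeyValuePairAPI.crypto_key_path):
            # Not inside an ``except`` block: ``LOG.exception()`` here would
            # attach a bogus "NoneType: None" traceback, so log at ERROR
            # level with lazy %-args instead of a pre-formatted message.
            LOG.error(
                "Encryption key file does not exist in path %s.",
                KeyValuePairAPI.crypto_key_path,
            )
            LOG.info(
                "All API requests will now send out BAD_REQUEST "
                "if you ask to store secrets in key value store."
            )
            # No key means secrets cannot be stored; leave the key unset so the
            # API can refuse such requests rather than fall back silently.
            KeyValuePairAPI.crypto_key = None
        else:
            KeyValuePairAPI.crypto_key = read_crypto_key(
                key_path=KeyValuePairAPI.crypto_key_path
            )

    KeyValuePairAPI.crypto_setup = True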
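def decrypt_kv(value):
    """Jinja filter: decrypt a secret value fetched from the key-value store.

    :param value: Either a ``KeyValueLookup`` / ``UserKeyValueLookup`` (the
                  filter runs before Jinja finishes rendering, so the lookup
                  object itself arrives here and is cast to ``str``) or an
                  already-resolved ciphertext string.
    :return: The decrypted plaintext as returned by ``symmetric_decrypt``.
    :raises ValueError: if a lookup resolved to an empty string, which means
                        the referenced datastore item does not exist or holds
                        an empty value.
    """
    original_value = value
    is_kv_item = isinstance(value, (KeyValueLookup, UserKeyValueLookup))

    if is_kv_item:
        # Since this is a filter the incoming value is still a KeyValueLookup
        # object as the jinja rendering is not yet complete. So we cast
        # the KeyValueLookup object to a simple string before decrypting.
        value = str(value)

    # NOTE: An empty string from a lookup indicates the key value item doesn't
    # exist (or is empty), so we throw a more user-friendly error than the one
    # the decrypt routine would produce for bad ciphertext.
    if is_kv_item and value == '':
        # Build original key name
        key_name = original_value.get_key_name()
        raise ValueError(
            'Referenced datastore item "%s" doesn\'t exist or it contains an empty '
            'string' % (key_name))

    # NOTE: the key file is read from disk on every invocation of this filter.
    crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
    crypto_key = read_crypto_key(key_path=crypto_key_path)
    return symmetric_decrypt(decrypt_key=crypto_key, ciphertext=value)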
def decrypt_kv(value):
    """Jinja filter: decrypt a secret value fetched from the key-value store.

    ``value`` is usually still a ``KeyValueLookup`` when the filter runs
    (Jinja has not finished rendering), so it is cast to ``str`` first; any
    other input is handed to ``symmetric_decrypt`` unchanged, including an
    empty string. The key is loaded from
    ``cfg.CONF.keyvalue.encryption_key_path`` on every call.
    """
    if isinstance(value, KeyValueLookup):
        # The lookup object has not been resolved by Jinja yet; stringify it
        # to obtain the stored ciphertext.
        ciphertext = str(value)
    else:
        ciphertext = value

    key_path = cfg.CONF.keyvalue.encryption_key_path
    decrypt_key = read_crypto_key(key_path=key_path)
    return symmetric_decrypt(decrypt_key=decrypt_key, ciphertext=ciphertext)
def setUp(self):
    """Encrypt a known plaintext with the configured key and build a Jinja env.

    Sets ``self.secret`` (plaintext), ``self.secret_value`` (its ciphertext,
    produced with the key at ``cfg.CONF.keyvalue.encryption_key_path``) and
    ``self.env`` for the decrypt-filter tests in this case.
    """
    super(JinjaUtilsDecryptTestCase, self).setUp()

    key_path = cfg.CONF.keyvalue.encryption_key_path
    encrypt_key = read_crypto_key(key_path=key_path)

    self.secret = 'Build a wall'
    self.secret_value = symmetric_encrypt(
        encrypt_key=encrypt_key, plaintext=self.secret)
    self.env = jinja_utils.get_jinja_environment()
def decrypt_kv(value):
    """Jinja filter: decrypt a secret value fetched from the key-value store.

    ``value`` is usually still a ``KeyValueLookup`` when the filter runs
    (Jinja has not finished rendering), so it is cast to ``str`` first; any
    other input is handed to ``symmetric_decrypt`` unchanged, including an
    empty string. The key is loaded from
    ``cfg.CONF.keyvalue.encryption_key_path`` on every call.
    """
    if isinstance(value, KeyValueLookup):
        # The lookup object has not been resolved by Jinja yet; stringify it
        # to obtain the stored ciphertext.
        ciphertext = str(value)
    else:
        ciphertext = value

    key_path = cfg.CONF.keyvalue.encryption_key_path
    decrypt_key = read_crypto_key(key_path=key_path)
    return symmetric_decrypt(decrypt_key=decrypt_key, ciphertext=ciphertext)
def setUp(self):
    """Encrypt a known plaintext with the configured key and build a Jinja env.

    Sets ``self.secret`` (plaintext), ``self.secret_value`` (its ciphertext,
    produced with the key at ``cfg.CONF.keyvalue.encryption_key_path``) and
    ``self.env`` for the decrypt-filter tests in this case.
    """
    super(JinjaUtilsDecryptTestCase, self).setUp()

    key_path = cfg.CONF.keyvalue.encryption_key_path
    encrypt_key = read_crypto_key(key_path=key_path)

    self.secret = 'Build a wall'
    self.secret_value = symmetric_encrypt(
        encrypt_key=encrypt_key, plaintext=self.secret)
    self.env = jinja_utils.get_jinja_environment()
def test_filter_decrypt_kv(self):
    """``decrypt_kv`` on a system-scoped secret yields the original plaintext.

    Stores an encrypted item ``k8`` (``secret=True``) under
    ``FULL_SYSTEM_SCOPE``, renders ``{{st2kv.system.k8 | decrypt_kv}}`` against
    a context that exposes ``KeyValueLookup`` objects, and expects the
    plaintext back.
    """
    secret = 'Build a wall'
    encrypt_key = read_crypto_key(key_path=cfg.CONF.keyvalue.encryption_key_path)
    secret_value = symmetric_encrypt(encrypt_key=encrypt_key, plaintext=secret)
    KeyValuePair.add_or_update(
        KeyValuePairDB(name='k8', value=secret_value, scope=FULL_SYSTEM_SCOPE,
                       secret=True))

    context = {
        SYSTEM_SCOPE: KeyValueLookup(scope=SYSTEM_SCOPE),
        DATASTORE_PARENT_SCOPE: {
            SYSTEM_SCOPE: KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
        },
    }
    env = jinja_utils.get_jinja_environment()
    template = '{{st2kv.system.k8 | decrypt_kv}}'
    actual = env.from_string(template).render(context)
    self.assertEqual(actual, secret)
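def decrypt_kv(value):
    """Jinja filter: decrypt a secret value fetched from the key-value store.

    :param value: Either a ``KeyValueLookup`` / ``UserKeyValueLookup`` (the
                  filter runs before Jinja finishes rendering, so the lookup
                  object itself arrives here and is cast to ``str``) or an
                  already-resolved ciphertext string.
    :return: The decrypted plaintext as returned by ``symmetric_decrypt``.
    :raises ValueError: if a lookup resolved to an empty string, which means
                        the referenced datastore item does not exist or holds
                        an empty value.
    """
    original_value = value
    is_kv_item = isinstance(value, (KeyValueLookup, UserKeyValueLookup))

    if is_kv_item:
        # Since this is a filter the incoming value is still a KeyValueLookup
        # object as the jinja rendering is not yet complete. So we cast
        # the KeyValueLookup object to a simple string before decrypting.
        value = str(value)

    # NOTE: An empty string from a lookup indicates the key value item doesn't
    # exist (or is empty), so we throw a more user-friendly error than the one
    # the decrypt routine would produce for bad ciphertext.
    if is_kv_item and value == '':
        # Build original key name
        key_name = original_value.get_key_name()
        raise ValueError('Referenced datastore item "%s" doesn\'t exist or it contains an empty '
                         'string' % (key_name))

    # NOTE: the key file is read from disk on every invocation of this filter.
    crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
    crypto_key = read_crypto_key(key_path=crypto_key_path)
    return symmetric_decrypt(decrypt_key=crypto_key, ciphertext=value)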
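def _setup_crypto():
    """Initialise the class-level crypto state on ``KeyValuePairAPI`` (idempotent).

    Reads ``cfg.CONF.keyvalue.enable_encryption``; when enabled, resolves the
    key file path from ``cfg.CONF.keyvalue.encryption_key_path`` and loads it
    with ``read_crypto_key``. A missing key file is logged and leaves
    ``crypto_key`` as ``None`` instead of raising; a malformed key file is not
    caught here, so ``read_crypto_key`` errors propagate to the caller.
    ``crypto_setup`` is set once the first run completes so later calls return
    immediately.
    """
    if KeyValuePairAPI.crypto_setup:
        # Crypto already set up
        return

    LOG.info('Checking if encryption is enabled for key-value store.')
    KeyValuePairAPI.is_encryption_enabled = cfg.CONF.keyvalue.enable_encryption
    LOG.debug('Encryption enabled? : %s', KeyValuePairAPI.is_encryption_enabled)

    if KeyValuePairAPI.is_encryption_enabled:
        KeyValuePairAPI.crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
        LOG.info('Encryption enabled. Looking for key in path %s',
                 KeyValuePairAPI.crypto_key_path)

        if not os.path.exists(KeyValuePairAPI.crypto_key_path):
            # Not inside an ``except`` block: ``LOG.exception()`` here would
            # attach a bogus "NoneType: None" traceback, so log at ERROR
            # level with lazy %-args instead of a pre-formatted message.
            LOG.error('Encryption key file does not exist in path %s.',
                      KeyValuePairAPI.crypto_key_path)
            LOG.info('All API requests will now send out BAD_REQUEST '
                     'if you ask to store secrets in key value store.')
            # No key means secrets cannot be stored; leave the key unset so the
            # API can refuse such requests rather than fall back silently.
            KeyValuePairAPI.crypto_key = None
        else:
            KeyValuePairAPI.crypto_key = read_crypto_key(
                key_path=KeyValuePairAPI.crypto_key_path
            )

    KeyValuePairAPI.crypto_setup = True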
def test_filter_decrypt_kv(self):
    """``decrypt_kv`` on a system-scoped secret yields the original plaintext.

    Stores an encrypted item ``k8`` (``secret=True``) under
    ``FULL_SYSTEM_SCOPE``, renders ``{{st2kv.system.k8 | decrypt_kv}}`` against
    a context that exposes ``KeyValueLookup`` objects, and expects the
    plaintext back.
    """
    secret = 'Build a wall'
    encrypt_key = read_crypto_key(key_path=cfg.CONF.keyvalue.encryption_key_path)
    secret_value = symmetric_encrypt(encrypt_key=encrypt_key, plaintext=secret)
    KeyValuePair.add_or_update(
        KeyValuePairDB(name='k8', value=secret_value, scope=FULL_SYSTEM_SCOPE,
                       secret=True))

    context = {
        SYSTEM_SCOPE: KeyValueLookup(scope=SYSTEM_SCOPE),
        DATASTORE_PARENT_SCOPE: {
            SYSTEM_SCOPE: KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
        },
    }
    env = jinja_utils.get_jinja_environment()
    template = '{{st2kv.system.k8 | decrypt_kv}}'
    actual = env.from_string(template).render(context)
    self.assertEqual(actual, secret)