def generate_asymmetric_encryption_keys(self, meta, content_type, tenant,
kek_repo):
"""Delegates generating a asymmteric keys to the first
supported plugin based on `meta`. meta will provide extra
information to help key generation.
Based on passpharse in meta this method will return a tuple
with two/three objects.
Note that this key can be used by clients for their encryption
processes. This generated key is then be encrypted via
the plug-in key encryption process, and that encrypted datum
is then returned from this method.
"""
encrypting_plugin = \
self._determine_crypto_plugin(meta.algorithm,
meta.bit_length,
meta.passphrase)
kek_datum, kek_meta_dto = self._find_or_create_kek_objects(
encrypting_plugin, tenant, kek_repo)
generate_dto = plugin_mod.GenerateDTO(meta.algorithm, meta.bit_length,
None, meta.passphrase)
# generate the secret.
private_key_dto, public_key_dto, passwd_dto = \
encrypting_plugin.generate_asymmetric(
generate_dto,
kek_meta_dto,
tenant.keystone_id)
# Create an encrypted datum instances for each secret type
# and add the created cypher text.
priv_datum = models.EncryptedDatum(None, kek_datum)
priv_datum.content_type = content_type
priv_datum.cypher_text = base64.b64encode(private_key_dto.cypher_text)
priv_datum.kek_meta_extended = private_key_dto.kek_meta_extended
public_datum = models.EncryptedDatum(None, kek_datum)
public_datum.content_type = content_type
public_datum.cypher_text = base64.b64encode(public_key_dto.cypher_text)
public_datum.kek_meta_extended = public_key_dto.kek_meta_extended
passwd_datum = None
if passwd_dto:
passwd_datum = models.EncryptedDatum(None, kek_datum)
passwd_datum.content_type = content_type
passwd_datum.cypher_text = base64.b64encode(passwd_dto.cypher_text)
passwd_datum.kek_meta_extended = \
passwd_dto.kek_meta_extended
return (priv_datum, public_datum, passwd_datum)
def setUp(self):
super(WhenTestingAugmentFieldsWithContentTypes, self).setUp()
self.secret = models.Secret({})
self.secret.secret_id = "secret#1"
self.datum = models.EncryptedDatum(self.secret)
self.secret.encrypted_data = [self.datum]
def create_encrypted_datum(secret=None, kek_datum=None, session=None):
enc_datum = models.EncryptedDatum()
enc_datum.secret_id = secret.id
enc_datum.kek_id = kek_datum.id
enc_datum_repo = repositories.get_encrypted_datum_repository()
enc_datum_repo.create_from(enc_datum, session=session)
return enc_datum
def generate_symmetric_encryption_key(self, secret, content_type, tenant,
kek_repo):
"""Delegates generating a key to the first supported plugin.
Note that this key can be used by clients for their encryption
processes. This generated key is then be encrypted via
the plug-in key encryption process, and that encrypted datum
is then returned from this method.
"""
encrypting_plugin = \
self._determine_crypto_plugin(secret.algorithm,
secret.bit_length,
secret.mode)
kek_datum, kek_meta_dto = self._find_or_create_kek_objects(
encrypting_plugin, tenant, kek_repo)
# Create an encrypted datum instance and add the created cypher text.
datum = models.EncryptedDatum(secret, kek_datum)
datum.content_type = content_type
generate_dto = plugin_mod.GenerateDTO(secret.algorithm,
secret.bit_length, secret.mode,
None)
# Create the encrypted meta.
response_dto = encrypting_plugin.generate_symmetric(
generate_dto, kek_meta_dto, tenant.keystone_id)
# Convert binary data into a text-based format.
# TODO(jwood) Figure out by storing binary (BYTEA) data in Postgres
# isn't working.
datum.cypher_text = base64.b64encode(response_dto.cypher_text)
datum.kek_meta_extended = response_dto.kek_meta_extended
return datum
def setUp(self):
self.tenant_id = 'tenantid1234'
self.keystone_id = 'keystone1234'
self.name = 'name1234'
self.mime_type = 'text/plain'
secret_id = "idsecret1"
datum_id = "iddatum1"
self.secret_algorithm = "algo"
self.secret_bit_length = 512
self.secret_cypher_type = "cytype"
self.datum = models.EncryptedDatum()
self.datum.id = datum_id
self.datum.secret_id = secret_id
self.datum.mime_type = self.mime_type
self.datum.cypher_text = "cypher_text"
self.datum.kek_metadata = "kekedata"
self.secret = create_secret(self.mime_type,
id=secret_id,
name=self.name,
algorithm=self.secret_algorithm,
bit_length=self.secret_bit_length,
cypher_type=self.secret_cypher_type,
encrypted_datum=self.datum)
self.tenant = models.Tenant()
self.tenant.id = self.tenant_id
self.keystone_id = self.keystone_id
self.tenant_repo = MagicMock()
self.tenant_repo.get.return_value = self.tenant
self.secret_repo = MagicMock()
self.secret_repo.get.return_value = self.secret
self.secret_repo.delete_entity_by_id.return_value = None
self.tenant_secret_repo = MagicMock()
self.tenant_secret_repo.create_from.return_value = None
self.datum_repo = MagicMock()
self.datum_repo.create_from.return_value = None
self.policy = MagicMock()
self.req = MagicMock()
self.req.accept = 'application/json'
self.resp = MagicMock()
self.conf = MagicMock()
self.conf.crypto.namespace = 'barbican.test.crypto.plugin'
self.conf.crypto.enabled_crypto_plugins = ['test_crypto']
self.crypto_mgr = CryptoExtensionManager(conf=self.conf)
self.policy = MagicMock()
self.resource = res.SecretResource(self.crypto_mgr, self.tenant_repo,
self.secret_repo,
self.tenant_secret_repo,
self.datum_repo, self.policy)
def setUp(self):
super(TestSecretStoreBase, self).setUp()
self.patchers = [] # List of patchers utilized in this test class.
self.project_id = '12345'
self.content_type = 'application/octet-stream'
self.content_encoding = 'base64'
self.secret = base64.b64encode(b'secret')
self.decrypted_secret = b'decrypted_secret'
self.cypher_text = b'cypher_text'
self.kek_meta_extended = 'kek-meta-extended'
self.spec_aes = secret_store.KeySpec('AES', 64, 'CBC')
self.spec_rsa = secret_store.KeySpec('RSA',
1024,
passphrase='changeit')
self.project_model = mock.MagicMock()
self.project_model.id = 'project-model-id'
self.project_model.external_id = self.project_id
self.secret_dto = secret_store.SecretDTO(
secret_store.SecretType.OPAQUE, self.secret,
secret_store.KeySpec(), self.content_type)
self.response_dto = base.ResponseDTO(
self.cypher_text, kek_meta_extended=self.kek_meta_extended)
self.private_key_dto = base.ResponseDTO(self.cypher_text)
self.public_key_dto = base.ResponseDTO(self.cypher_text)
self.passphrase_dto = base.ResponseDTO(self.cypher_text)
self.kek_meta_project_model = models.KEKDatum()
self.kek_meta_project_model.plugin_name = 'plugin-name'
self.kek_meta_project_model.kek_label = 'kek-meta-label'
self.kek_meta_project_model.algorithm = 'kek-meta-algo'
self.kek_meta_project_model.bit_length = 1024
self.kek_meta_project_model.mode = 'kek=meta-mode'
self.kek_meta_project_model.plugin_meta = 'kek-meta-plugin-meta'
self.encrypted_datum_model = models.EncryptedDatum()
self.encrypted_datum_model.kek_meta_project = (
self.kek_meta_project_model)
self.encrypted_datum_model.cypher_text = base64.b64encode(
b'cypher_text')
self.encrypted_datum_model.content_type = 'content_type'
self.encrypted_datum_model.kek_meta_extended = 'extended_meta'
self.secret_model = models.Secret({
'algorithm': 'myalg',
'bit_length': 1024,
'mode': 'mymode'
})
self.secret_model.id = 'secret-model-id'
self.secret_model.encrypted_data = [self.encrypted_datum_model]
self.context = store_crypto.StoreCryptoContext(
secret_model=self.secret_model,
project_model=self.project_model,
content_type=self.content_type)
def _store_secret_and_datum(context, secret_model, kek_datum_model,
generated_dto):
# Create Secret entities in data store.
if not secret_model.id:
secret_model.project_id = context.project_model.id
repositories.get_secret_repository().create_from(secret_model)
# setup and store encrypted datum
datum_model = models.EncryptedDatum(secret_model, kek_datum_model)
datum_model.content_type = context.content_type
datum_model.cypher_text = base64.b64encode(generated_dto.cypher_text)
datum_model.kek_meta_extended = generated_dto.kek_meta_extended
repositories.get_encrypted_datum_repository().create_from(datum_model)
def encrypt(self,
unencrypted,
content_type,
content_encoding,
secret,
tenant,
kek_repo,
enforce_text_only=False):
"""Delegates encryption to first plugin that supports it."""
if len(self.extensions) < 1:
raise CryptoPluginNotFound()
for ext in self.extensions:
if ext.obj.supports(plugin_mod.PluginSupportTypes.ENCRYPT_DECRYPT):
encrypting_plugin = ext.obj
break
else:
raise CryptoSupportedPluginNotFound()
unencrypted, content_type = normalize_before_encryption(
unencrypted,
content_type,
content_encoding,
enforce_text_only=enforce_text_only)
# Find or create a key encryption key metadata.
kek_datum, kek_meta_dto = self._find_or_create_kek_objects(
encrypting_plugin, tenant, kek_repo)
encrypt_dto = plugin_mod.EncryptDTO(unencrypted)
# Create an encrypted datum instance and add the encrypted cypher text.
datum = models.EncryptedDatum(secret, kek_datum)
datum.content_type = content_type
response_dto = encrypting_plugin.encrypt(encrypt_dto, kek_meta_dto,
tenant.keystone_id)
datum.cypher_text = response_dto.cypher_text
datum.kek_meta_extended = response_dto.kek_meta_extended
# Convert binary data into a text-based format.
#TODO(jwood) Figure out by storing binary (BYTEA) data in Postgres
# isn't working.
datum.cypher_text = base64.b64encode(datum.cypher_text)
return datum
def _store_secret_and_datum(context, secret_model, kek_datum_model,
generated_dto):
# Create Secret entities in data store.
if not secret_model.id:
repositories.get_secret_repository().create_from(secret_model)
new_assoc = models.ProjectSecret()
new_assoc.project_id = context.project_model.id
new_assoc.secret_id = secret_model.id
new_assoc.role = "admin"
new_assoc.status = models.States.ACTIVE
repositories.get_project_secret_repository().create_from(new_assoc)
# setup and store encrypted datum
datum_model = models.EncryptedDatum(secret_model, kek_datum_model)
datum_model.content_type = context.content_type
datum_model.cypher_text = base64.b64encode(generated_dto.cypher_text)
datum_model.kek_meta_extended = generated_dto.kek_meta_extended
datum_model.secret_id = secret_model.id
repositories.get_encrypted_datum_repository().create_from(datum_model)
def setUp(self):
self.secret = models.Secret({})
self.secret.secret_id = "secret#1"
self.datum = models.EncryptedDatum(self.secret)
self.secret.encrypted_data = [self.datum]
def _init(self):
self.project_id = 'projectid1234'
self.external_project_id = 'keystone1234'
self.name = 'name1234'
secret_id = utils.generate_test_valid_uuid()
datum_id = "iddatum1"
kek_id = "idkek1"
self.secret_algorithm = "AES"
self.secret_bit_length = 256
self.secret_mode = "CBC"
self.kek_project = models.KEKDatum()
self.kek_project.id = kek_id
self.kek_project.active = True
self.kek_project.bind_completed = False
self.kek_project.kek_label = "kek_label"
self.datum = models.EncryptedDatum()
self.datum.id = datum_id
self.datum.secret_id = secret_id
self.datum.kek_id = kek_id
self.datum.kek_meta_project = self.kek_project
self.datum.content_type = "text/plain"
self.datum.cypher_text = "aaaa" # base64 value.
self.secret = create_secret(id_ref=secret_id,
name=self.name,
algorithm=self.secret_algorithm,
bit_length=self.secret_bit_length,
mode=self.secret_mode,
encrypted_datum=self.datum,
content_type=self.datum.content_type)
self.secret.secret_acls = []
self.secret.project = mock.MagicMock()
self.secret.project.external_id = self.external_project_id
# Set up mocked project
self.project = models.Project()
self.project.id = self.project_id
self.project.external_id = self.external_project_id
# Set up mocked project repo
self.project_repo = mock.MagicMock()
self.project_repo.get.return_value = self.project
self.project_repo.find_by_external_project_id.return_value = (
self.project)
self.setup_project_repository_mock(self.project_repo)
# Set up mocked secret repo
self.secret_repo = mock.Mock()
self.secret_repo.get = mock.Mock(return_value=self.secret)
self.secret_repo.get_secret_by_id = mock.Mock(return_value=self.secret)
self.secret_repo.delete_entity_by_id = mock.Mock(return_value=None)
self.setup_secret_repository_mock(self.secret_repo)
# Set up mocked encrypted datum repo
self.datum_repo = mock.MagicMock()
self.datum_repo.create_from.return_value = None
self.setup_encrypted_datum_repository_mock(self.datum_repo)
# Set up mocked kek datum repo
self.setup_kek_datum_repository_mock()
# Set up mocked secret meta repo
self.secret_meta_repo = mock.MagicMock()
self.secret_meta_repo.get_metadata_for_secret.return_value = None
self.setup_secret_meta_repository_mock(self.secret_meta_repo)
# Set up mocked transport key
self.transport_key_model = models.TransportKey("default_plugin",
"my transport key")
# Set up mocked transport key repo
self.transport_key_repo = mock.MagicMock()
self.transport_key_repo.get.return_value = self.transport_key_model
self.setup_transport_key_repository_mock(self.transport_key_repo)
self.transport_key_id = 'tkey12345'
def _do_create_instance(self):
return models.EncryptedDatum()
