def create_kek_datum(project=None, plugin_name="plugin", session=None):
kek_datum = models.KEKDatum()
kek_datum.plugin_name = plugin_name
kek_datum.project_id = project.id
kek_datum_repo = repositories.get_kek_datum_repository()
kek_datum_repo.create_from(kek_datum, session=session)
return kek_datum
def find_or_create_kek_datum(self,
tenant,
plugin_name,
suppress_exception=False,
session=None):
"""Find or create a KEK datum instance."""
kek_datum = None
session = self.get_session(session)
# TODO(jfwood): Reverse this...attempt insert first, then get on fail.
try:
query = session.query(models.KEKDatum) \
.filter_by(tenant_id=tenant.id) \
.filter_by(plugin_name=plugin_name) \
.filter_by(active=True) \
.filter_by(deleted=False)
kek_datum = query.one()
except sa_orm.exc.NoResultFound:
kek_datum = models.KEKDatum()
kek_datum.kek_label = "tenant-{0}-key-{1}".format(
tenant.keystone_id, uuid.uuid4())
kek_datum.tenant_id = tenant.id
kek_datum.plugin_name = plugin_name
kek_datum.status = models.States.ACTIVE
self.save(kek_datum)
return kek_datum
def test_bind_kek_metadata_without_existing_key(self):
with mock.patch.object(self.plugin.pkcs11, 'generate_wrapped_kek'):
kek_datum = models.KEKDatum()
dto = plugin_import.KEKMetaDTO(kek_datum)
dto = self.plugin.bind_kek_metadata(dto)
self.assertEqual(dto.algorithm, "AES")
self.assertEqual(dto.bit_length, 256)
self.assertEqual(dto.mode, "CBC")
def setUp(self):
super(TestSecretStoreBase, self).setUp()
self.patchers = [] # List of patchers utilized in this test class.
self.project_id = '12345'
self.content_type = 'application/octet-stream'
self.content_encoding = 'base64'
self.secret = base64.b64encode(b'secret')
self.decrypted_secret = b'decrypted_secret'
self.cypher_text = b'cypher_text'
self.kek_meta_extended = 'kek-meta-extended'
self.spec_aes = secret_store.KeySpec('AES', 64, 'CBC')
self.spec_rsa = secret_store.KeySpec('RSA',
1024,
passphrase='changeit')
self.project_model = mock.MagicMock()
self.project_model.id = 'project-model-id'
self.project_model.external_id = self.project_id
self.secret_dto = secret_store.SecretDTO(
secret_store.SecretType.OPAQUE, self.secret,
secret_store.KeySpec(), self.content_type)
self.response_dto = base.ResponseDTO(
self.cypher_text, kek_meta_extended=self.kek_meta_extended)
self.private_key_dto = base.ResponseDTO(self.cypher_text)
self.public_key_dto = base.ResponseDTO(self.cypher_text)
self.passphrase_dto = base.ResponseDTO(self.cypher_text)
self.kek_meta_project_model = models.KEKDatum()
self.kek_meta_project_model.plugin_name = 'plugin-name'
self.kek_meta_project_model.kek_label = 'kek-meta-label'
self.kek_meta_project_model.algorithm = 'kek-meta-algo'
self.kek_meta_project_model.bit_length = 1024
self.kek_meta_project_model.mode = 'kek=meta-mode'
self.kek_meta_project_model.plugin_meta = 'kek-meta-plugin-meta'
self.encrypted_datum_model = models.EncryptedDatum()
self.encrypted_datum_model.kek_meta_project = (
self.kek_meta_project_model)
self.encrypted_datum_model.cypher_text = base64.b64encode(
b'cypher_text')
self.encrypted_datum_model.content_type = 'content_type'
self.encrypted_datum_model.kek_meta_extended = 'extended_meta'
self.secret_model = models.Secret({
'algorithm': 'myalg',
'bit_length': 1024,
'mode': 'mymode'
})
self.secret_model.id = 'secret-model-id'
self.secret_model.encrypted_data = [self.encrypted_datum_model]
self.context = store_crypto.StoreCryptoContext(
secret_model=self.secret_model,
project_model=self.project_model,
content_type=self.content_type)
def test_bind_kek_metadata_with_existing_key(self):
kek_datum = models.KEKDatum()
dto = plugin_import.KEKMetaDTO(kek_datum)
dto.plugin_meta = '{}'
dto = self.plugin.bind_kek_metadata(dto)
self.assertEqual(0, self.pkcs11.generate_key.call_count)
self.assertEqual(0, self.pkcs11.wrap_key.call_count)
self.assertEqual(0, self.pkcs11.compute_hmac.call_count)
def test_bind_kek_metadata_without_existing_key(self):
kek_datum = models.KEKDatum()
dto = plugin_import.KEKMetaDTO(kek_datum)
dto = self.plugin.bind_kek_metadata(dto)
self.assertEqual('AES', dto.algorithm)
self.assertEqual(256, dto.bit_length)
self.assertEqual('CBC', dto.mode)
self.assertEqual(2, self.pkcs11.get_key_handle.call_count)
self.assertEqual(1, self.pkcs11.generate_key.call_count)
self.assertEqual(1, self.pkcs11.wrap_key.call_count)
self.assertEqual(1, self.pkcs11.compute_hmac.call_count)
def find_or_create_kek_datum(self,
project,
plugin_name,
suppress_exception=False,
session=None):
"""Find or create a KEK datum instance."""
if not plugin_name:
raise exception.BarbicanException(
u._('Tried to register crypto plugin with null or empty '
'name.'))
kek_datum = None
session = self.get_session(session)
# TODO(jfwood): Reverse this...attempt insert first, then get on fail.
try:
query = session.query(models.KEKDatum)
query = query.filter_by(project_id=project.id,
plugin_name=plugin_name,
active=True,
deleted=False)
kek_datum = query.one()
except sa_orm.exc.NoResultFound:
kek_datum = models.KEKDatum()
kek_datum.kek_label = "project-{0}-key-{1}".format(
project.external_id, uuid.uuid4())
kek_datum.project_id = project.id
kek_datum.plugin_name = plugin_name
kek_datum.status = models.States.ACTIVE
self.save(kek_datum)
return kek_datum
def _init(self):
self.project_id = 'projectid1234'
self.external_project_id = 'keystone1234'
self.name = 'name1234'
secret_id = utils.generate_test_valid_uuid()
datum_id = "iddatum1"
kek_id = "idkek1"
self.secret_algorithm = "AES"
self.secret_bit_length = 256
self.secret_mode = "CBC"
self.kek_project = models.KEKDatum()
self.kek_project.id = kek_id
self.kek_project.active = True
self.kek_project.bind_completed = False
self.kek_project.kek_label = "kek_label"
self.datum = models.EncryptedDatum()
self.datum.id = datum_id
self.datum.secret_id = secret_id
self.datum.kek_id = kek_id
self.datum.kek_meta_project = self.kek_project
self.datum.content_type = "text/plain"
self.datum.cypher_text = "aaaa" # base64 value.
self.secret = create_secret(id_ref=secret_id,
name=self.name,
algorithm=self.secret_algorithm,
bit_length=self.secret_bit_length,
mode=self.secret_mode,
encrypted_datum=self.datum,
content_type=self.datum.content_type)
self.secret.secret_acls = []
self.secret.project = mock.MagicMock()
self.secret.project.external_id = self.external_project_id
# Set up mocked project
self.project = models.Project()
self.project.id = self.project_id
self.project.external_id = self.external_project_id
# Set up mocked project repo
self.project_repo = mock.MagicMock()
self.project_repo.get.return_value = self.project
self.project_repo.find_by_external_project_id.return_value = (
self.project)
self.setup_project_repository_mock(self.project_repo)
# Set up mocked secret repo
self.secret_repo = mock.Mock()
self.secret_repo.get = mock.Mock(return_value=self.secret)
self.secret_repo.get_secret_by_id = mock.Mock(return_value=self.secret)
self.secret_repo.delete_entity_by_id = mock.Mock(return_value=None)
self.setup_secret_repository_mock(self.secret_repo)
# Set up mocked encrypted datum repo
self.datum_repo = mock.MagicMock()
self.datum_repo.create_from.return_value = None
self.setup_encrypted_datum_repository_mock(self.datum_repo)
# Set up mocked kek datum repo
self.setup_kek_datum_repository_mock()
# Set up mocked secret meta repo
self.secret_meta_repo = mock.MagicMock()
self.secret_meta_repo.get_metadata_for_secret.return_value = None
self.setup_secret_meta_repository_mock(self.secret_meta_repo)
# Set up mocked transport key
self.transport_key_model = models.TransportKey("default_plugin",
"my transport key")
# Set up mocked transport key repo
self.transport_key_repo = mock.MagicMock()
self.transport_key_repo.get.return_value = self.transport_key_model
self.setup_transport_key_repository_mock(self.transport_key_repo)
self.transport_key_id = 'tkey12345'
def _init(self,
payload=b'not-encrypted',
payload_content_type='text/plain',
payload_content_encoding=None):
self.name = 'name'
self.payload = payload
self.payload_content_type = payload_content_type
self.payload_content_encoding = payload_content_encoding
self.secret_algorithm = 'AES'
self.secret_bit_length = 256
self.secret_mode = 'CBC'
self.secret_req = {
'name': self.name,
'algorithm': self.secret_algorithm,
'bit_length': self.secret_bit_length,
'creator_id': None,
'mode': self.secret_mode
}
if payload:
self.secret_req['payload'] = payload
if payload_content_type:
self.secret_req['payload_content_type'] = payload_content_type
if payload_content_encoding:
self.secret_req['payload_content_encoding'] = (
payload_content_encoding)
# Set up mocked project
self.external_project_id = 'keystone1234'
self.project_entity_id = 'tid1234'
self.project = models.Project()
self.project.id = self.project_entity_id
self.project.external_id = self.external_project_id
# Set up mocked project repo
self.project_repo = mock.MagicMock()
self.project_repo.find_by_external_project_id.return_value = (
self.project)
self.setup_project_repository_mock(self.project_repo)
# Set up mocked secret
self.secret = models.Secret()
self.secret.id = utils.generate_test_valid_uuid()
# Set up mocked secret repo
self.secret_repo = mock.MagicMock()
self.secret_repo.create_from.return_value = self.secret
self.setup_secret_repository_mock(self.secret_repo)
# Set up mocked encrypted datum repo
self.datum_repo = mock.MagicMock()
self.datum_repo.create_from.return_value = None
self.setup_encrypted_datum_repository_mock(self.datum_repo)
# Set up mocked kek datum
self.kek_datum = models.KEKDatum()
self.kek_datum.kek_label = "kek_label"
self.kek_datum.bind_completed = False
self.kek_datum.algorithm = ''
self.kek_datum.bit_length = 0
self.kek_datum.mode = ''
self.kek_datum.plugin_meta = ''
# Set up mocked kek datum repo
self.kek_repo = mock.MagicMock()
self.kek_repo.find_or_create_kek_datum.return_value = self.kek_datum
self.setup_kek_datum_repository_mock(self.kek_repo)
# Set up mocked secret meta repo
self.setup_secret_meta_repository_mock()
# Set up mocked transport key
self.transport_key = models.TransportKey('default_plugin_name',
'XXXABCDEF')
self.transport_key_id = 'tkey12345'
self.tkey_url = hrefs.convert_transport_key_to_href(
self.transport_key.id)
# Set up mocked transport key
self.setup_transport_key_repository_mock()
def _do_create_instance(self):
return models.KEKDatum()
