def test_generate_symmetric_key_return_value(self): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128, 'mode') return_value = self.secret_store.generate_symmetric_key(key_spec) expected = {kss.KMIPSecretStore.KEY_UUID: self.symmetric_key_uuid} self.assertEqual(expected, return_value)
def test_generate_asymmetric_key_assert_called(self): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048, 'mode') self.secret_store.generate_asymmetric_key(key_spec) self.secret_store.client.proxy.create_key_pair.assert_called_once_with( common_template_attribute=mock.ANY)
def test_generate_symmetric_key_assert_called(self): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128, 'mode') self.secret_store.generate_symmetric_key(key_spec) self.secret_store.client.proxy.create.assert_called_once_with( enums.ObjectType.SYMMETRIC_KEY, mock.ANY)
def test_generate_asymmetric_key_assert_called(self): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048, 'mode') self.secret_store.generate_asymmetric_key(key_spec) self.secret_store.client.create_key_pair.assert_called_once_with( enums.CryptographicAlgorithm.RSA, 2048)
def test_get_generate_supported_plugin(self): plugin = TestSecretStore([str.KeyAlgorithm.AES]) plugin_mock = mock.MagicMock(obj=plugin) self.manager.extensions = [plugin_mock] keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128) self.assertEqual(plugin, self.manager.get_plugin_generate(keySpec))
def test_generate_symmetric_key_raises_exception(self): key_spec = ss.KeySpec(ss.KeyAlgorithm.AES, 128) self.plugin.key_manager.create_key.side_effect = exception.Forbidden() self.assertRaises( ss.SecretGeneralException, self.plugin.generate_symmetric_key, key_spec )
def test_get_generate_no_plugin_found(self): self.manager.extensions = [] keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128) self.assertRaises( str.SecretStorePluginsNotConfigured, self.manager.get_plugin_generate, keySpec, )
def test_generate_asymmetric_key_error_opening_connection(self): self.secret_store.client.proxy.open = mock.Mock( side_effect=socket.error) key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048, 'mode') self.assertRaises(secret_store.SecretGeneralException, self.secret_store.generate_asymmetric_key, key_spec)
def test_generate_symmetric_key_assert_called(self): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128, 'mode') self.secret_store.generate_symmetric_key(key_spec) self.secret_store.client.create.assert_called_once_with( object_type=enums.ObjectType.SYMMETRIC_KEY, template_attribute=mock.ANY, credential=self.credential)
def test_generate_symmetric_key_error_opening_connection(self): self.secret_store.client.open.side_effect = Exception key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128, 'mode') self.assertRaises( secret_store.SecretGeneralException, self.secret_store.generate_symmetric_key, key_spec)
def generate_asymmetric_secret(spec, content_type, project_model): """Generate an asymmetric secret and store into a secure backend.""" # Locate a suitable plugin to store the secret. key_spec = secret_store.KeySpec(alg=spec.get('algorithm'), bit_length=spec.get('bit_length'), passphrase=spec.get('passphrase')) plugin_manager = secret_store.get_manager() generate_plugin = plugin_manager.get_plugin_generate(key_spec) # Create secret models to eventually save metadata to. private_secret_model = models.Secret(spec) private_secret_model['secret_type'] = secret_store.SecretType.PRIVATE public_secret_model = models.Secret(spec) public_secret_model['secret_type'] = secret_store.SecretType.PUBLIC passphrase_secret_model = (models.Secret(spec) if spec.get('passphrase') else None) if passphrase_secret_model: passphrase_type = secret_store.SecretType.PASSPHRASE passphrase_secret_model['secret_type'] = passphrase_type asymmetric_meta_dto = _generate_asymmetric_key( generate_plugin, key_spec, private_secret_model, public_secret_model, passphrase_secret_model, project_model, content_type ) _save_secret_in_repo(private_secret_model, project_model) _save_secret_metadata_in_repo(private_secret_model, asymmetric_meta_dto.private_key_meta, generate_plugin, content_type) _save_secret_in_repo(public_secret_model, project_model) _save_secret_metadata_in_repo(public_secret_model, asymmetric_meta_dto.public_key_meta, generate_plugin, content_type) if passphrase_secret_model: _save_secret_in_repo(passphrase_secret_model, project_model) _save_secret_metadata_in_repo(passphrase_secret_model, asymmetric_meta_dto.passphrase_meta, generate_plugin, content_type) container_model = _create_container_for_asymmetric_secret(spec, project_model) _save_asymmetric_secret_in_repo( container_model, private_secret_model, public_secret_model, passphrase_secret_model) return container_model
def test_generate_asymmetric_key_server_error_occurs(self): self.secret_store.client.create_key_pair.side_effect = Exception key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048, 'mode') self.assertRaises( secret_store.SecretGeneralException, self.secret_store.generate_asymmetric_key, key_spec)
def test_generate_asymmetric_key(self): key_spec = sstore.KeySpec(sstore.KeyAlgorithm.RSA, 2048) self.plugin.generate_asymmetric_key(key_spec) self.keyclient_mock.generate_asymmetric_key.assert_called_once_with( mock.ANY, sstore.KeyAlgorithm.RSA.upper(), 2048, mock.ANY)
def test_generate_symmetric_key(self): key_spec = ss.KeySpec(ss.KeyAlgorithm.AES, 128) response = self.plugin.generate_symmetric_key(key_spec) self.plugin.key_manager.create_key.assert_called_once_with( mock.ANY, ss.KeyAlgorithm.AES, 128) expected_response = {css.CastellanSecretStore.KEY_ID: key_ref1} self.assertEqual(response, expected_response)
def test_store_secret_valid_algorithm_invalid_bit_length(self): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 56, 'mode') secret_dto = secret_store.SecretDTO(secret_store.SecretType.SYMMETRIC, "AAAA", key_spec, 'content_type', transport_key=None) self.assertRaises(secret_store.SecretAlgorithmNotSupportedException, self.secret_store.store_secret, secret_dto)
def test_get_generate_no_supported_plugin(self): plugin = TestSecretStore([]) plugin_mock = mock.MagicMock(obj=plugin) self.manager.extensions = [plugin_mock] keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128) self.assertRaises( str.SecretGenerateSupportedPluginNotFound, self.manager.get_plugin_generate, keySpec, )
def test_generate_symmetric_key_error_occurs(self): self.secret_store.client.create = mock.create_autospec( proxy.KMIPProxy.create, return_value=results.CreateResult( contents.ResultStatus(enums.ResultStatus.OPERATION_FAILED))) key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES, 128, 'mode') self.assertRaises(secret_store.SecretGeneralException, self.secret_store.generate_symmetric_key, key_spec)
def test_generate_asymmetric_throws_exception(self): key_spec = ss.KeySpec(ss.KeyAlgorithm.RSA, 2048) self.plugin.key_manager.create_key_pair.side_effect = ( exception.Forbidden() ) self.assertRaises( ss.SecretGeneralException, self.plugin.generate_asymmetric_key, key_spec )
def test_store_certificate_secret_return_value(self): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048) secret_dto = secret_store.SecretDTO( secret_store.SecretType.CERTIFICATE, base64.b64encode(keys.get_certificate_pem()), key_spec, 'content_type') return_value = self.secret_store.store_secret(secret_dto) expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'} self.assertEqual(expected, return_value)
def test_generate_asymmetric_key_server_error_occurs(self): self.secret_store.client.create_key_pair = mock.MagicMock( proxy.KMIPProxy().create_key_pair, return_value=results.CreateKeyPairResult( contents.ResultStatus(enums.ResultStatus.OPERATION_FAILED))) key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048, 'mode') self.assertRaises(secret_store.SecretGeneralException, self.secret_store.generate_asymmetric_key, key_spec)
def store_secret(unencrypted_raw, content_type_raw, content_encoding, secret_model, project_model, transport_key_needed=False, transport_key_id=None): """Store a provided secret into secure backend.""" if _secret_already_has_stored_data(secret_model): raise ValueError('Secret already has encrypted data stored for it.') # Create a KeySpec to find a plugin that will support storing the secret key_spec = secret_store.KeySpec(alg=secret_model.algorithm, bit_length=secret_model.bit_length, mode=secret_model.mode) # If there is no secret data to store, then just create Secret entity and # leave. A subsequent call to this method should provide both the Secret # entity created here *and* the secret data to store into it. if not unencrypted_raw: key_model = _get_transport_key_model(key_spec, transport_key_needed, project_id=project_model.id) _save_secret_in_repo(secret_model, project_model) return secret_model, key_model plugin_name, transport_key = _get_plugin_name_and_transport_key( transport_key_id) unencrypted, content_type = tr.normalize_before_encryption( unencrypted_raw, content_type_raw, content_encoding, secret_model.secret_type, enforce_text_only=True) plugin_manager = secret_store.get_manager() store_plugin = plugin_manager.get_plugin_store(key_spec=key_spec, plugin_name=plugin_name, project_id=project_model.id) secret_dto = secret_store.SecretDTO(type=secret_model.secret_type, secret=unencrypted, key_spec=key_spec, content_type=content_type, transport_key=transport_key) secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto, secret_model, project_model) _save_secret_in_repo(secret_model, project_model) _save_secret_metadata_in_repo(secret_model, secret_metadata, store_plugin, content_type) return secret_model, None
def _get_barbican_secret(self, managed_object, secret_type): object_type = managed_object.object_type secret = managed_object.value if (object_type == enums.ObjectType.SYMMETRIC_KEY or object_type == enums.ObjectType.PRIVATE_KEY or object_type == enums.ObjectType.PUBLIC_KEY): algorithm = self.kmip_barbican_alg_map[ managed_object.cryptographic_algorithm] length = managed_object.cryptographic_length key_spec = ss.KeySpec(algorithm, length) else: key_spec = ss.KeySpec() secret = self._denormalize_secret(secret, secret_type) secret_dto = ss.SecretDTO(secret_type, secret, key_spec, content_type=None, transport_key=None) return secret_dto
def test_get_store_plugin_with_no_tkey_and_supports_storage(self): plugin = TestSecretStore([str.KeyAlgorithm.AES]) plugin_mock = mock.MagicMock(obj=plugin) self.manager.extensions = [plugin_mock] keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128) self.assertRaises( str.SecretStoreSupportedPluginNotFound, self.manager.get_plugin_store, key_spec=keySpec, transport_key_needed=True, )
def test_generate_supports(self): """test generate_supports.""" # False return if KeySpec == None self.assertFalse(self.plugin_to_test.generate_supports(None)) # AES KeySpec should be supported. key_spec = secret_store.KeySpec(alg='AES', bit_length=64, mode='CBC') self.assertTrue(self.plugin_to_test.generate_supports(key_spec)) key_spec = secret_store.KeySpec(alg='aes', bit_length=64, mode='CBC') self.assertTrue(self.plugin_to_test.generate_supports(key_spec)) # RSA KeySpec should be supported. key_spec = secret_store.KeySpec(alg='RSA', bit_length=2048) self.assertTrue(self.plugin_to_test.generate_supports(key_spec)) # Camellia KeySpec should not be supported. self.key_spec = secret_store.KeySpec('Camellia', 64) self.assertFalse(self.plugin_to_test.generate_supports(self.key_spec)) # Bogus KeySpec should not be supported. key_spec = secret_store.KeySpec(alg='bogus', bit_length=2048) self.assertFalse(self.plugin_to_test.generate_supports(key_spec))
def test_get_store_plugin_with_tkey_and_supports_storage(self): plugin1 = TestSecretStore([str.KeyAlgorithm.AES]) plugin1_mock = mock.MagicMock(obj=plugin1) plugin2 = TestSecretStoreWithTransportKey([str.KeyAlgorithm.AES]) plugin2_mock = mock.MagicMock(obj=plugin2) self.manager.extensions = [plugin1_mock, plugin2_mock] keySpec = str.KeySpec(str.KeyAlgorithm.AES, 128) self.assertEqual( plugin2, self.manager.get_plugin_store(key_spec=keySpec, transport_key_needed=True))
def test_store_passphrase_secret_assert_called(self): key_spec = secret_store.KeySpec(None, None, None) passphrase = base64.b64encode(b"supersecretpassphrase") secret_dto = secret_store.SecretDTO(secret_store.SecretType.PASSPHRASE, passphrase, key_spec, 'content_type', transport_key=None) self.secret_store.store_secret(secret_dto) self.secret_store.client.register.assert_called_once_with( objects.SecretData(base64.b64decode(passphrase), enums.SecretDataType.PASSWORD))
def test_store_passphrase_secret_return_value(self): key_spec = secret_store.KeySpec(None, None, None) passphrase = b"supersecretpassphrase" secret_dto = secret_store.SecretDTO(secret_store.SecretType.PASSPHRASE, base64.b64encode(passphrase), key_spec, 'content_type', transport_key=None) return_value = self.secret_store.store_secret(secret_dto) expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'} self.assertEqual(expected, return_value)
def test_store_asymmetric_key_secret_return_value(self, barbican_type, barbican_key, pkcs1_only): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048) secret_dto = secret_store.SecretDTO(barbican_type, base64.b64encode(barbican_key), key_spec, 'content_type') self.secret_store.pkcs1_only = pkcs1_only return_value = self.secret_store.store_secret(secret_dto) expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'} self.assertEqual(expected, return_value)
def test_store_opaque_secret_return_value(self): key_spec = secret_store.KeySpec(None, None, None) opaque = b'\x00\x01\x02\x03\x04\x05\x06\x07' secret_dto = secret_store.SecretDTO(secret_store.SecretType.OPAQUE, base64.b64encode(opaque), key_spec, 'content_type', transport_key=None) return_value = self.secret_store.store_secret(secret_dto) expected = {kss.KMIPSecretStore.KEY_UUID: 'uuid'} self.assertEqual(expected, return_value)
def test_store_opaque_secret_assert_called(self): key_spec = secret_store.KeySpec(None, None, None) opaque = base64.b64encode(b'\x00\x01\x02\x03\x04\x05\x06\x07') secret_dto = secret_store.SecretDTO(secret_store.SecretType.OPAQUE, opaque, key_spec, 'content_type', transport_key=None) self.secret_store.store_secret(secret_dto) self.secret_store.client.register.assert_called_once_with( objects.OpaqueObject(base64.b64decode(opaque), enums.OpaqueDataType.NONE))