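def testNonStringValue(self):
    """extractEnvelopes must reject a non-string argument with a ValueError.

    Uses the assertRaises context manager instead of a hand-rolled
    try/except/else, and the non-deprecated assertEqual spelling.
    """
    with self.assertRaises(ValueError) as raised:
        secretary.extractEnvelopes({1: 2})
    # The message names the offending type and value so a bad config entry is easy to locate
    self.assertEqual("Input must be str or unicode, was dict({1: 2})", str(raised.exception))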
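def _looks_like_secret_key(key):
    """Return True if an env var name suggests its value should be encrypted.

    Heuristic on the lower-cased name: it must contain one of the secret
    hints (``password``, ``pwd``, ``key``, ``token``) and none of the
    non-secret hints (``public``, ``routing``). ``id`` counts as a non-secret
    hint only as a whole token (``ACCESS_KEY_ID``) or a trailing suffix
    (``KEYID``), so that an unrelated word containing ``id`` (``PROVIDER_TOKEN``)
    no longer masks a real secret.
    """
    lower = key.lower()
    if not any(hint in lower for hint in ('password', 'pwd', 'key', 'token')):
        return False
    if 'public' in lower or 'routing' in lower:
        return False
    # Split on anything that is not a letter or digit to get whole tokens
    tokens = ''.join(c if c.isalnum() else ' ' for c in lower).split()
    return 'id' not in tokens and not lower.endswith('id')


def process_env(filename, verifySecrets, env):
    """Normalise a service's ``env`` mapping and flag unencrypted secrets.

    Args:
        filename: Name of the file the mapping came from; used in messages.
        verifySecrets: When true an unencrypted secret raises; otherwise it
            is only logged as a warning.
        env: Mapping of environment variable names to values.

    Returns:
        A shallow copy of ``env`` with every value coerced to a string:
        booleans become ``'true'``/``'false'``, ints and floats use
        ``str()``, anything else is JSON-serialised.

    Raises:
        ValueError: If a key is not a string.
        RuntimeError: If ``verifySecrets`` is set and a secret-looking key
            holds a value with no ``ENC[...]`` envelope.
    """
    result = copy(env)
    for key, value in env.iteritems():
        # Can't support non-string keys consistently
        if not isinstance(key, (str, unicode)):
            raise ValueError(
                "Only string dict keys are supported, please use quotes around the key '%s' in %s" % (key, filename))
        # Coerce types to string and serialize non-scalars.
        # bool is checked before int because bool is a subclass of int.
        if not isinstance(value, (str, unicode)):
            if isinstance(value, bool):
                value = 'true' if value else 'false'
            elif isinstance(value, (int, float)):
                value = str(value)
            else:
                value = json.dumps(value)
        result[key] = value
        # Check for unencrypted secrets: the envelope scan runs on the
        # coerced string value, so it never sees a non-string.
        if _looks_like_secret_key(key) and not secretary.extractEnvelopes(value):
            message = 'Found unencrypted secret in %s: %s' % (filename, key)
            if verifySecrets:
                raise RuntimeError(message)
            logging.warning(message)
    return result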
def testExtractEnvelopes(self):
    """extractEnvelopes returns every well-formed ENC[...] envelope, in order.

    Malformed candidates (empty payload, unterminated bracket, missing
    leading ``E``) are ignored while the well-formed envelope next to them
    is still extracted.
    """
    cases = [
        ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,uSr123+/=]", "ENC[NACL,pWd123+/=]"]),
        ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/ENC[KMS,123abc+/=]",
         ["ENC[NACL,uSr123+/=]", "ENC[NACL,pWd123+/=]", "ENC[KMS,123abc+/=]"]),
        # empty payload
        ("amqp://ENC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
        # unterminated, empty payload
        ("amqp://ENC[NACL,:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
        # missing leading 'E'
        ("amqp://NC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
        # unterminated, non-empty payload
        ("amqp://ENC[NACL,abc:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
    ]
    for text, expected in cases:
        found = secretary.extractEnvelopes(text)
        self.assertEqual(len(expected), len(found))
        self.assertEqual(expected, found)
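def _looks_like_secret_key(key):
    """Return True if an env var name suggests its value should be encrypted.

    Heuristic on the lower-cased name: it must contain one of the secret
    hints (``password``, ``pwd``, ``key``, ``token``) and none of the
    non-secret hints (``public``, ``routing``). ``id`` counts as a non-secret
    hint only as a whole token (``ACCESS_KEY_ID``) or a trailing suffix
    (``KEYID``), so that an unrelated word containing ``id`` (``PROVIDER_TOKEN``)
    no longer masks a real secret.
    """
    lower = key.lower()
    if not any(hint in lower for hint in ('password', 'pwd', 'key', 'token')):
        return False
    if 'public' in lower or 'routing' in lower:
        return False
    # Split on anything that is not a letter or digit to get whole tokens
    tokens = ''.join(c if c.isalnum() else ' ' for c in lower).split()
    return 'id' not in tokens and not lower.endswith('id')


def verify_secrets(services, enforce):
    """Raise or warn for each secret-looking env var that carries no ENC[...] envelope.

    Args:
        services: Iterable of service objects exposing ``filename`` and a
            ``config`` mapping whose optional ``'env'`` entry maps variable
            names to values.
        enforce: When true the first unencrypted secret raises; otherwise
            each one is logged as a warning.

    Raises:
        RuntimeError: If ``enforce`` is set and an unencrypted secret is found.
    """
    for service in services:
        # Check for unencrypted secrets
        for key, value in service.config.get('env', {}).iteritems():
            # Skip secretary keys
            if isinstance(value, secretary.KeyValue):
                continue
            if not _looks_like_secret_key(key):
                continue
            # NOTE(review): extractEnvelopes rejects non-string input; values
            # here are assumed to already be strings (see process_env) — confirm.
            if not secretary.extractEnvelopes(value):
                message = 'Found unencrypted secret in %s: %s' % (service.filename, key)
                if enforce:
                    raise RuntimeError(message)
                logging.warning(message)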
def testExtractEnvelopes(self):
    """extractEnvelopes returns every well-formed ENC[...] envelope, in order.

    Malformed candidates (empty payload, unterminated bracket, missing
    leading ``E``) are ignored while the well-formed envelope next to them
    is still extracted.
    """
    cases = [
        ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,uSr123+/=]", "ENC[NACL,pWd123+/=]"]),
        ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/ENC[KMS,123abc+/=]",
         ["ENC[NACL,uSr123+/=]", "ENC[NACL,pWd123+/=]", "ENC[KMS,123abc+/=]"]),
        # empty payload
        ("amqp://ENC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
        # unterminated, empty payload
        ("amqp://ENC[NACL,:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
        # missing leading 'E'
        ("amqp://NC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
        # unterminated, non-empty payload
        ("amqp://ENC[NACL,abc:ENC[NACL,pWd123+/=]@rabbit:5672/",
         ["ENC[NACL,pWd123+/=]"]),
    ]
    for text, expected in cases:
        found = secretary.extractEnvelopes(text)
        self.assertEqual(len(expected), len(found))
        self.assertEqual(expected, found)
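def _looks_like_secret_key(key):
    """Return True if an env var name suggests its value should be encrypted.

    Heuristic on the lower-cased name: it must contain one of the secret
    hints (``password``, ``pwd``, ``key``, ``token``) and none of the
    non-secret hints (``public``, ``routing``). ``id`` counts as a non-secret
    hint only as a whole token (``ACCESS_KEY_ID``) or a trailing suffix
    (``KEYID``), so that an unrelated word containing ``id`` (``PROVIDER_TOKEN``)
    no longer masks a real secret.
    """
    lower = key.lower()
    if not any(hint in lower for hint in ('password', 'pwd', 'key', 'token')):
        return False
    if 'public' in lower or 'routing' in lower:
        return False
    # Split on anything that is not a letter or digit to get whole tokens
    tokens = ''.join(c if c.isalnum() else ' ' for c in lower).split()
    return 'id' not in tokens and not lower.endswith('id')


def process_env(filename, verifySecrets, env):
    """Normalise a service's ``env`` mapping and flag unencrypted secrets.

    Args:
        filename: Name of the file the mapping came from; used in messages.
        verifySecrets: When true an unencrypted secret raises; otherwise it
            is only logged as a warning.
        env: Mapping of environment variable names to values.

    Returns:
        A shallow copy of ``env`` with every value coerced to a string:
        booleans become ``'true'``/``'false'``, ints and floats use
        ``str()``, anything else is JSON-serialised.

    Raises:
        ValueError: If a key is not a string.
        RuntimeError: If ``verifySecrets`` is set and a secret-looking key
            holds a value with no ``ENC[...]`` envelope.
    """
    result = copy(env)
    for key, value in env.iteritems():
        # Can't support non-string keys consistently
        if not isinstance(key, (str, unicode)):
            raise ValueError("Only string dict keys are supported, please use quotes around the key '%s' in %s" % (key, filename))
        # Coerce types to string and serialize non-scalars.
        # bool is checked before int because bool is a subclass of int.
        if not isinstance(value, (str, unicode)):
            if isinstance(value, bool):
                value = 'true' if value else 'false'
            elif isinstance(value, (int, float)):
                value = str(value)
            else:
                value = json.dumps(value)
        result[key] = value
        # Check for unencrypted secrets: the envelope scan runs on the
        # coerced string value, so it never sees a non-string.
        if _looks_like_secret_key(key) and not secretary.extractEnvelopes(value):
            message = 'Found unencrypted secret in %s: %s' % (filename, key)
            if verifySecrets:
                raise RuntimeError(message)
            logging.warning(message)
    return result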