def test_read_encrypted_data_bag_item(): """ Ensures that when the --decrypt flag is not passed the content is not decrypted. """ # setup: upload secret args = parse_args([ 'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_FILE_2, '-c', test_base.CFG_FILE, '--secret-file', test_base.SECRETS_FILE ]) cmd = UploadAWSDataBag(args) validate_common_props(cmd) cmd.execute() # test: read secret args = parse_args([ 'data', 'bag', 'show', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_NAME_2, '-c', test_base.CFG_FILE ]) cmd = ShowAWSDataBag(args) validate_common_props(cmd) assert cmd.item == test_base.DATA_BAG_ITEM_NAME_2 data_bag_item = cmd.execute() assert "encrypted_data" in data_bag_item assert "username" not in data_bag_item with open(test_base.DATA_BAG_ITEM_FILE_2) as data_file: orig_data = json.load(data_file) with pytest.raises(AssertionError): compare_json(orig_data, data_bag_item)
def list_databags(cloud, messer_config): args = messer.parse_args( ['data', 'bag', 'show', cloud, '-c', messer_config.name]) cmd = MesserCommandLoader(cloud, 'messer.databag').load("Show{cloud}DataBag", args) return cmd.execute()
def create_data_bag(cloud, bag, messer_config): args = messer.parse_args( ['data', 'bag', 'create', cloud, bag, '-c', messer_config.name]) cmd = MesserCommandLoader(cloud, 'messer.databag').load("Create{cloud}DataBag", args) return cmd.execute()
def teardown_function(function): """ Delete both secret files as cleanup step """ args = parse_args([ 'data', 'bag', 'delete', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_NAME, '-c', test_base.CFG_FILE ]) cmd = DeleteAWSDataBag(args) cmd.execute() args = parse_args([ 'data', 'bag', 'delete', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_NAME_2, '-c', test_base.CFG_FILE ]) cmd = DeleteAWSDataBag(args) cmd.execute()
def test_parse_use_default_config(): """ Ensures that when no config is specified as an argument it attempts to use the file installed via pip """ args = parse_args(['data', 'bag', 'create', 'aws', DATA_BAG]) assert isinstance(args.config, types.FileType) is True assert args.config.name == get_default_config()
def test_parse_use_specified_config(): """ Ensures that the the -c argument correctly returns a file type """ args = parse_args(['data', 'bag', 'create', 'aws', DATA_BAG, '-c', CFG_FILE, ]) assert isinstance(args.config, types.FileType) is True assert args.config.name == CFG_FILE
def decrypt_databag_item(cloud, bag, item, messer_config): args = messer.parse_args([ 'data', 'bag', 'show', cloud, bag, item, '-c', messer_config.name, '--decrypt' ]) cmd = MesserCommandLoader(cloud, 'messer.databag').load("Show{cloud}DataBag", args) return cmd.execute()
def test_parse_encryption_rotate(): """ Make sure all the options are present for rotating existing cipher text keys """ args = parse_args(['encryption', 'increment', 'aws', 'adobe-messer-unittest']) assert args.key_name == 'adobe-messer-unittest' assert inspect.isfunction(args.command) is True assert args.command.__name__ == 'increment_key_version_aws'
def test_parse_delete_data_bag(): """ Make sure all the options are present for deleting a data bags """ args = parse_args(['data', 'bag', 'delete', 'aws', DATA_BAG]) assert args.name == DATA_BAG assert inspect.isfunction(args.command) is True assert args.command.__name__ == 'delete_data_bag_aws'
def test_parse_encryption_create(): """ Make sure all the options are present for creating new cipher text keys """ args = parse_args(['encryption', 'create', 'aws', 'adobe-messer-unittest']) assert args.key_name == 'adobe-messer-unittest' assert inspect.isfunction(args.command) is True assert args.command.__name__ == 'create_key_aws'
def test_parse_create_data_bag(): """ Make sure that all of the options are available for creating data bags """ args = parse_args(['data', 'bag', 'create', 'aws', DATA_BAG]) assert inspect.isfunction(args.command) is True assert args.command.__name__ == "create_data_bag_aws" assert args.name == DATA_BAG
def test_parse_show_data_bag_item(): """ make sure that all of the options are available for viewing encrypted data bag items """ args = parse_args(['data', 'bag', 'show', 'aws', DATA_BAG, DATA_BAG_ITEM_NAME]) assert args.item == DATA_BAG_ITEM_NAME assert args.name == DATA_BAG assert inspect.isfunction(args.command) is True assert args.command.__name__ == 'show_data_bag_aws'
def test_get_or_create_key(): """ Ensures that getting the master key by alias returns the proper id. """ args = parse_args([ 'encryption', 'create', 'aws', 'adobe-messer-unittest', '-c', test_base.CFG_FILE ]) cmd = CreateAWSEncryptionKey(args) assert cmd.get_master_key('alias/adobe-messer-unittest') == TEST_KEY_ID
def test_cannot_overwrite_existing_secrets(): """ Attempt to write over secret1, and verifies that it fails. """ arglist = [ 'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_FILE, '-c', test_base.CFG_FILE, '--secret-file', test_base.SECRETS_FILE ] args = parse_args(arglist) cmd = UploadAWSDataBag(args) validate_common_props(cmd) if not data_bag_exists(cmd, test_base.DATA_BAG_ITEM_FILE): cmd.execute() cmd = UploadAWSDataBag(parse_args(arglist)) assert isinstance(args.item, types.FileType) assert cmd.item.name == test_base.DATA_BAG_ITEM_FILE with pytest.raises(AttributeError): assert cmd.args.secrets_file is test_base.SECRETS_FILE with pytest.raises(RuntimeError): cmd.execute()
def test_delete_data_bag_fails_if_not_empty(): """ Tests to make sure that messer cannot delete a data bag with items in it. """ args = parse_args([ 'data', 'bag', 'delete', 'aws', test_base.DATA_BAG, '-c', test_base.CFG_FILE ]) cmd = DeleteAWSDataBag(args) assert cmd.name == test_base.DATA_BAG with pytest.raises(RuntimeError): cmd.execute()
def create_data_bag_item(cloud, bag, item, key, messer_config): filename = write_item_to_disk(item) try: args = messer.parse_args([ 'data', 'bag', 'from', 'file', cloud, bag, filename, '--secret-file', key, '-c', messer_config.name ]) cmd = MesserCommandLoader(cloud, 'messer.databag').load( "Upload{cloud}DataBag", args) return cmd.execute() finally: os.remove(filename)
def test_new_key_version(): """ Ensures that key rotation generates an incremental version """ args = parse_args([ 'encryption', 'create', 'aws', 'adobe-messer-unittest-rotation', '-c', test_base.CFG_FILE ]) create_cmd = CreateAWSEncryptionKey(args) create_cmd.execute() assert get_latest_key_version(create_cmd.keys_bucket, create_cmd.args.key_name) == VERSION_0 # increment the key version of the newly created key and get the latest version which should be 1. args = parse_args([ 'encryption', 'increment', 'aws', 'adobe-messer-unittest-rotation', '-c', test_base.CFG_FILE ]) cmd = IncrementAWSKeyVersion(args) cmd.execute() assert get_latest_key_version(cmd.keys_bucket, cmd.args.key_name) == VERSION_1 # delete version 1 of this key del_cmd = DeleteAWSEncryptionKey( parse_args([ 'encryption', 'delete', 'aws', 'adobe-messer-unittest-rotation', '1', '--no-prompt', '-c', test_base.CFG_FILE ])) del_cmd.execute() assert get_latest_key_version(cmd.keys_bucket, cmd.args.key_name) == VERSION_0 # delete base key to have a fresh version of the key and then create the said key del_cmd = DeleteAWSEncryptionKey( parse_args([ 'encryption', 'delete', 'aws', 'adobe-messer-unittest-rotation', '--no-prompt', '-c', test_base.CFG_FILE ])) del_cmd.execute()
def test_parse_create_data_bag_item(): """ make sure that all of the options are available for creating encrypted data bag items """ args = parse_args(['data', 'bag', 'from', 'file', 'aws', DATA_BAG, DATA_BAG_ITEM_FILE, '--secret-file', SECRETS_FILE]) assert isinstance(args.item, types.FileType) assert args.item.name == DATA_BAG_ITEM_FILE assert args.name == DATA_BAG assert inspect.isfunction(args.command) is True assert args.command.__name__ == 'upload_data_bag_aws' assert args.secret_file == SECRETS_FILE
def test_create_data_bag(): """ Ensures that messer can create data bags with folder names that match it's policy """ args = parse_args([ 'data', 'bag', 'create', 'aws', test_base.DATA_BAG, '-c', test_base.CFG_FILE ]) cmd = CreateAWSDataBag(args) validate_common_props(cmd) cmd.execute() assert cmd.secrets_bucket.get_key(cmd.name + "/").name == test_base.DATA_BAG + "/"
def test_read_non_existing_folder(): """ Listing the contents of 'some-none-existing-folder' on the secrets bucket returns no results (no exception) """ args = parse_args([ 'data', 'bag', 'show', 'aws', "some-none-existing-folder", '-c', test_base.CFG_FILE, '--decrypt' ]) cmd = ShowAWSDataBag(args) assert not cmd.name == test_base.DATA_BAG cmd.execute() assert cmd.exists(cmd.path) is False
def test_create_envelope_key_fails_on_duplicate(): """ Ensures that we can create only one key with the same name and version. """ args = parse_args([ 'encryption', 'create', 'aws', 'adobe-messer-unittest', '-c', test_base.CFG_FILE ]) cmd = CreateAWSEncryptionKey(args) exception_thrown = False try: cmd.execute() except RuntimeError, e: exception_thrown = True
def test_delete_data_bag_item(): """ Tests to make sure that messer can delete a secret """ # setup: upload secret args = parse_args([ 'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_FILE, '-c', test_base.CFG_FILE, '--secret-file', test_base.SECRETS_FILE ]) cmd = UploadAWSDataBag(args) validate_common_props(cmd) cmd.execute() # test to delete the data bag item args = parse_args([ 'data', 'bag', 'delete', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_NAME, '-c', test_base.CFG_FILE ]) cmd = DeleteAWSDataBag(args) assert cmd.name == test_base.DATA_BAG assert cmd.item == 'secret1' assert cmd.execute() == 1
def setup_encryptor(): # use this key to fetch the encryption object. args = parse_args([ 'encryption', 'create', 'aws', 'adobe-messer-unittest', '-c', test_base.CFG_FILE ]) cmd = CreateAWSEncryptionKey(args) encrypter = AWSEncryptionKeyLoader.load(cmd.args.key_name, cmd.keys_bucket, cmd.kms, VERSION_0) return dict(encryptor=encrypter, name=cmd.args.key_name, key_version=get_latest_key_version(cmd.keys_bucket, cmd.args.key_name))
def test_role_s3_policy_restricts_read_existing_folder(): """ Ensures that the unit test role cannot list the contents of the 'dev' folder on the secrets bucket """ args = parse_args( ['data', 'bag', 'create', 'aws', "dev", '-c', test_base.CFG_FILE]) cmd = CreateAWSDataBag(args) exception_thrown = None assert not cmd.name == test_base.DATA_BAG try: cmd.execute() except S3ResponseError, e: exception_thrown = True assert e.status == 403 assert e.reason == "Forbidden"
def test_role_restricts_kms_key_creation_s3(): """ Access to the cipher text key 'adobe-common' in S3 is NOT allowed by the unit test policy """ args = parse_args([ 'encryption', 'create', 'aws', 'adobe-common', '-c', test_base.CFG_FILE ]) cmd = CreateAWSEncryptionKey(args) exception_thrown = False try: cmd.execute() except S3ResponseError, e: exception_thrown = True assert e.status == 403 assert e.reason == "Forbidden"
def test_s3_policy_restricts_write(): """ Ensures that the unit test role does not have permission to write to folders which are not specifically defined. """ args = parse_args([ 'data', 'bag', 'create', 'aws', "some-other-data-bag", '-c', test_base.CFG_FILE ]) cmd = CreateAWSDataBag(args) assert not cmd.name == test_base.DATA_BAG try: cmd.execute() except S3ResponseError, e: assert e.status == 403 assert e.reason == "Forbidden" assert e.error_code == "AccessDenied"
def test_can_overwrite_existing_secrets_with_force_flag(): """ Attempt to write over secret1 using the --force flag, and verifies that it succeeds. """ args = parse_args([ 'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_FILE, '-c', test_base.CFG_FILE, '--force', '--secret-file', test_base.SECRETS_FILE ]) cmd = UploadAWSDataBag(args) assert not cmd.exists('secret2') is None validate_common_props(cmd) assert isinstance(args.item, types.FileType) assert cmd.item.name == test_base.DATA_BAG_ITEM_FILE with pytest.raises(AttributeError): assert cmd.args.secrets_file is test_base.SECRETS_FILE assert cmd.execute() > 0
def test_create_aws_config(): """ Ensures that specifying a new config file creates the file. :return: """ args = parse_args(['configure', 'aws', '-c' 'new.ini', '-m' 'adobe-test', '-e' 'Dev', '-r' 'us-east-2', '-b' 'test-bucket']) cmd = AWSConfigure(args) cmd.execute() config = MesserAWSConfig(args.config) assert config.master_key == 'adobe-test' assert config.region == 'us-east-2' # make sure dev gets converted to lower case assert config.tier == 'dev' assert config.secrets_bucket == 'test-bucket' os.remove(config.filename)
def test_create_encrypted_item_from_file(): """ Ensures that secrets can be created from json files using the encryption keys provided to the role. """ args = parse_args([ 'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG, test_base.DATA_BAG_ITEM_FILE_2, '-c', test_base.CFG_FILE, '--secret-file', test_base.SECRETS_FILE ]) cmd = UploadAWSDataBag(args) validate_common_props(cmd) assert isinstance(args.item, types.FileType) assert cmd.item.name == test_base.DATA_BAG_ITEM_FILE_2 assert cmd.args.secret_file is test_base.SECRETS_FILE bytes_written = cmd.execute() assert bytes_written > 0 # check that files exist in both buckets assert cmd.secrets_bucket.get_key(cmd.path + "/secret2").name == 'unittest/secret2'
def increment_envelope_key(cloud, key_name, messer_config): args = messer.parse_args( ['encryption', 'increment', cloud, key_name, '-c', messer_config.name]) cmd = MesserCommandLoader(cloud, 'messer.encryption').load( "Increment{cloud}KeyVersion", args) return cmd.execute()