def setup(self): self._plaintext_payload = 'plaintext credentials' self._encrypted_payload = encrypt_with_kms(self._plaintext_payload, REGION, KMS_ALIAS) self._credentials = Credentials(self._encrypted_payload, is_encrypted=True, region=REGION)
class TestCredentialsEmpty(object): def setup(self): self._plaintext_payload = '' self._credentials = Credentials(self._plaintext_payload, is_encrypted=False) @mock_kms def test_encrypt(self): """Credentials - Empty Credentials - Encrypt - Does nothing when payload is empty""" self._credentials.encrypt(REGION, KMS_ALIAS) assert_true(self._credentials.is_encrypted()) assert_equal(self._credentials.data(), '')
def test_save_credentials_into_s3(self): """S3Driver - Save Credentials We test a full cycle of using save_credentials() then subsequently pulling them out with load_credentials().""" creds = {'url': 'http://best.website.ever/test'} input_credentials = Credentials(creds, is_encrypted=False, region=REGION) descriptor = 'test_descriptor' # Annoyingly, moto needs us to create the bucket first # We put a random unrelated object into the bucket and this will set up the bucket for us put_mock_s3_object(self._s3_driver.get_s3_secrets_bucket(), 'aaa', 'bbb', REGION) result = self._s3_driver.save_credentials_into_s3( descriptor, input_credentials, KMS_ALIAS) assert_true(result) credentials = self._s3_driver.load_credentials(descriptor) assert_is_not_none(credentials) assert_true(credentials.is_encrypted()) loaded_creds = json.loads(credentials.get_data_kms_decrypted()) assert_equal(loaded_creds, creds)
def test_save_and_has_credentials(self): """LocalFileDriver - Save and Has Credentials""" assert_false(self._fs_driver.has_credentials('descriptor')) credentials = Credentials('aaaa', True) # pretend it's encrypted self._fs_driver.save_credentials('descriptor', credentials) assert_true(self._fs_driver.has_credentials('descriptor'))
def test_save_and_has_credentials(self): """EphemeralUnencryptedDriver - Save and Has Credentials""" assert_false(self._ep_driver.has_credentials('descriptor')) credentials = Credentials('aaaa', False) assert_true(self._ep_driver.save_credentials('descriptor', credentials)) assert_true(self._ep_driver.has_credentials('descriptor'))
def test_save_and_has_credentials(self): """SpooledTempfileDriver - Save and Has Credentials""" assert_false(self._sp_driver.has_credentials('descriptor')) credentials = Credentials('aaaa', True) # let's pretend they're encrypted assert_true(self._sp_driver.save_credentials('descriptor', credentials)) assert_true(self._sp_driver.has_credentials('descriptor'))
class TestCredentialsUnencrypted(object): def setup(self): self._plaintext_payload = 'plaintext credentials' self._credentials = Credentials(self._plaintext_payload, is_encrypted=False) def test_is_encrypted(self): """Credentials - Plaintext Credentials - Is Encrypted""" assert_false(self._credentials.is_encrypted()) def test_is_data(self): """Credentials - Plaintext Credentials - Data""" assert_equal(self._credentials.data(), self._plaintext_payload) @patch('logging.Logger.error') def test_get_data_kms_decrypted(self, logging_error): """Credentials - Plaintext Credentials - KMS Decrypt""" assert_is_none(self._credentials.get_data_kms_decrypted()) logging_error.assert_called_with('Cannot decrypt Credentials as they are already decrypted') @mock_kms def test_encrypt(self): """Credentials - Plaintext Credentials - Encrypt Doubly-encrypting the credentials should do nothing. """ self._credentials.encrypt(REGION, KMS_ALIAS) assert_true(self._credentials.is_encrypted()) assert_equal(self._credentials.data(), 'InBsYWludGV4dCBjcmVkZW50aWFscyI=')
def test_save_credentials_into_s3_blank_credentials(self): """S3Driver - Save Credentials does nothing when Credentials are Blank""" input_credentials = Credentials('', is_encrypted=False, region=REGION) descriptor = 'test_descriptor22' result = self._s3_driver.save_credentials_into_s3(descriptor, input_credentials, KMS_ALIAS) assert_true(result) assert_is_none(self._s3_driver.load_credentials(descriptor))
def test_save_errors_on_unencrypted(self): """SpooledTempfileDriver - Save Errors on Unencrypted Credentials""" raw_credentials = 'aaaa' descriptor = 'descriptor5' credentials = Credentials(raw_credentials, False) assert_false(self._sp_driver.save_credentials(descriptor, credentials)) assert_false(self._sp_driver.has_credentials(descriptor))
def test_clear(self): """EphemeralUnencryptedDriver - Clear Credentials""" descriptor = 'descriptor' credentials = Credentials('aaaa', False) self._ep_driver.save_credentials(descriptor, credentials) EphemeralUnencryptedDriver.clear() assert_false(self._ep_driver.has_credentials(descriptor))
def test_clear(self): """LocalFileDriver - Clear Credentials""" descriptor = 'descriptor' credentials = Credentials('aaaa', True, REGION) # pretend it's encrypted self._fs_driver.save_credentials(descriptor, credentials) LocalFileDriver.clear() assert_false(self._fs_driver.has_credentials(descriptor))
def test_clear(self): """SpooledTempfileDriver - Clear Credentials""" descriptor = 'descriptor' credentials = Credentials('aaaa', True) # pretend it's encrypted assert_true(self._sp_driver.save_credentials(descriptor, credentials)) SpooledTempfileDriver.clear() assert_false(self._sp_driver.has_credentials(descriptor))
def test_save_and_load_credentials(self): """EphemeralUnencryptedDriver - Save and Load Credentials""" descriptor = 'descriptor' credentials = Credentials('aaaa', False) assert_true(self._ep_driver.save_credentials(descriptor, credentials)) loaded_credentials = self._ep_driver.load_credentials(descriptor) assert_is_not_none(loaded_credentials) assert_false(loaded_credentials.is_encrypted()) assert_equal(loaded_credentials.data(), 'aaaa')
def test_save_and_load_credentials_persists_statically(self): """EphemeralUnencryptedDriver - Save and Load Credentials""" descriptor = 'descriptor' credentials = Credentials('aaaa', False) assert_true(self._ep_driver.save_credentials(descriptor, credentials)) driver2 = EphemeralUnencryptedDriver('service') # Create a separate, identical driver loaded_credentials = driver2.load_credentials(descriptor) assert_is_not_none(loaded_credentials) assert_false(loaded_credentials.is_encrypted()) assert_equal(loaded_credentials.data(), 'aaaa')
def test_save_errors_on_unencrypted(self): """LocalFileDriver - Save Errors on Unencrypted Credentials""" raw_credentials_dict = { 'python': 'is very difficult', 'someone': 'save meeeee', } descriptor = 'descriptor5' raw_credentials = json.dumps(raw_credentials_dict) credentials = Credentials(raw_credentials, False, REGION) assert_false(self._fs_driver.save_credentials(descriptor, credentials)) assert_false(self._fs_driver.has_credentials(descriptor))
def test_save_and_load_credentials(self): """SpooledTempfileDriver - Save and Load Credentials""" raw_credentials = 'aaaa' descriptor = 'descriptor' encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS) credentials = Credentials(encrypted_raw_credentials, True, REGION) assert_true(self._sp_driver.save_credentials(descriptor, credentials)) loaded_credentials = self._sp_driver.load_credentials(descriptor) assert_is_not_none(loaded_credentials) assert_true(loaded_credentials.is_encrypted()) assert_equal(loaded_credentials.get_data_kms_decrypted(), raw_credentials)
def test_save_and_load_credentials_persists_statically(self): """LocalFileDriver - Save and Load Credentials""" raw_credentials = 'aaaa' descriptor = 'descriptor' encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS) credentials = Credentials(encrypted_raw_credentials, True, REGION) assert_true(self._fs_driver.save_credentials(descriptor, credentials)) driver2 = LocalFileDriver(REGION, 'service') # Create a separate, identical driver loaded_credentials = driver2.load_credentials(descriptor) assert_is_not_none(loaded_credentials) assert_true(loaded_credentials.is_encrypted()) assert_equal(loaded_credentials.get_data_kms_decrypted(), raw_credentials)
class TestCredentialsEncrypted(object): @mock_kms def setup(self): self._plaintext_payload = 'plaintext credentials' self._encrypted_payload = encrypt_with_kms(self._plaintext_payload, REGION, KMS_ALIAS) self._credentials = Credentials(self._encrypted_payload, is_encrypted=True, region=REGION) def test_is_encrypted(self): """Credentials - Encrypted Credentials - Is Encrypted""" assert_true(self._credentials.is_encrypted()) def test_is_data(self): """Credentials - Encrypted Credentials - Data""" assert_equal(self._credentials.data(), self._encrypted_payload) @mock_kms def test_get_data_kms_decrypted(self): """Credentials - Encrypted Credentials - KMS Decrypt""" decrypted = self._credentials.get_data_kms_decrypted() assert_equal(decrypted, self._plaintext_payload) def test_encrypt(self): """Credentials - Encrypted Credentials - Encrypt Doubly-encrypting the credentials should do nothing. """ self._credentials.encrypt(REGION, KMS_ALIAS) assert_equal(self._credentials.data(), self._encrypted_payload) @patch('boto3.client') @patch('logging.Logger.exception') def test_decrypt_kms_error(self, logging_exception, boto3): """Credentials - Encrypted Credentials - KMS Decrypt - Errors if KMS Fails to Respond""" # We pretend that KMS errors out boto3_client = MagicMock() boto3.return_value = boto3_client response = MagicMock() boto3_client.decrypt.side_effect = ClientError(response, 'kms_decrypt') assert_is_none(self._credentials.get_data_kms_decrypted()) logging_exception.assert_called_with( 'an error occurred during credentials decryption')
def test_load_credentials(self): """S3Driver - With File Driver - Load Credentials - Pulls into LocalFileStore Here we use the S3Driver's caching ability to yank stuff into a local driver.""" remove_temp_secrets() creds = {'my_secret': 'i ate two portions of biscuits and gravy'} input_credentials = Credentials(creds, is_encrypted=False, region=REGION) descriptor = 'test_descriptor' # Annoyingly, moto needs us to create the bucket first # We put a random unrelated object into the bucket and this will set up the bucket for us put_mock_s3_object(self._s3_driver.get_s3_secrets_bucket(), 'aaa', 'bbb', REGION) # First, check if the Local driver can find the credentials (we don't expect it to) assert_false(self._fs_driver.has_credentials(descriptor)) # Save the credentials using S3 driver result = self._s3_driver.save_credentials_into_s3( descriptor, input_credentials, KMS_ALIAS) assert_true(result) # We still don't expect the Local driver to find the credentials assert_false(self._fs_driver.has_credentials(descriptor)) # Use S3Driver to warm up the Local driver self._s3_driver.load_credentials(descriptor) # Now we should be able to get the credentials from the local fs assert_true(self._fs_driver.has_credentials(descriptor)) credentials = self._fs_driver.load_credentials(descriptor) assert_is_not_none(credentials) assert_true(credentials.is_encrypted()) loaded_creds = json.loads(credentials.get_data_kms_decrypted()) assert_equal(loaded_creds, creds) remove_temp_secrets()
def test_save_automatically_decrypts(self): """EphemeralUnencryptedDriver - Save Automatically Decrypts""" raw_credentials_dict = { 'python': 'is very difficult', 'someone': 'save meeeee', } descriptor = 'descriptor5' raw_credentials = json.dumps(raw_credentials_dict) encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS) credentials = Credentials(encrypted_raw_credentials, True, REGION) assert_true(self._ep_driver.save_credentials(descriptor, credentials)) loaded_credentials = self._ep_driver.load_credentials(descriptor) assert_is_not_none(loaded_credentials) assert_false(loaded_credentials.is_encrypted()) assert_equal(json.loads(loaded_credentials.data()), raw_credentials_dict)
def test_save_and_load_credentials_persists_statically(self): """SpooledTempfileDriver - Save and Load Credentials""" raw_credentials_dict = { 'python': 'is very difficult', 'someone': 'save meeeee', } descriptor = 'descriptor' raw_credentials = json.dumps(raw_credentials_dict) encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS) credentials = Credentials(encrypted_raw_credentials, True) assert_true(self._sp_driver.save_credentials(descriptor, credentials)) driver2 = SpooledTempfileDriver('service', REGION) # Create a separate, identical driver loaded_credentials = driver2.load_credentials(descriptor) assert_is_not_none(loaded_credentials) assert_true(loaded_credentials.is_encrypted()) assert_equal(loaded_credentials.get_data_kms_decrypted(), raw_credentials)
def setup(self): self._plaintext_payload = '' self._credentials = Credentials(self._plaintext_payload, is_encrypted=False)