eb0deeb9e5
Added secret encryption/decryption to pegleg cli. Change-Id: I95b993748d99fc4398eee1d1c59e74f382497f74
95 lines
3.3 KiB
Python
95 lines
3.3 KiB
Python
# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import click
|
|
import os
|
|
import tempfile
|
|
|
|
import mock
|
|
import pytest
|
|
import yaml
|
|
|
|
from pegleg.engine.util import encryption as crypt
|
|
from tests.unit import test_utils
|
|
from pegleg.engine import secrets
|
|
from pegleg.engine.util.pegleg_managed_document import \
|
|
PeglegManagedSecretsDocument
|
|
from pegleg.engine.util.pegleg_secret_management import PeglegSecretManagement
|
|
from pegleg.engine.util.pegleg_secret_management import ENV_PASSPHRASE
|
|
from pegleg.engine.util.pegleg_secret_management import ENV_SALT
|
|
|
|
TEST_DATA = """
|
|
---
|
|
schema: deckhand/Passphrase/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
name: osh_addons_keystone_ranger-agent_password
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: 512363f37eab654313991174aef9f867d
|
|
...
|
|
"""
|
|
|
|
|
|
def test_encrypt_and_decrypt():
|
|
data = test_utils.rand_name("this is an example of un-encrypted "
|
|
"data.", "pegleg").encode()
|
|
passphrase = test_utils.rand_name("passphrase1", "pegleg").encode()
|
|
salt = test_utils.rand_name("salt1", "pegleg").encode()
|
|
enc1 = crypt.encrypt(data, passphrase, salt)
|
|
dec1 = crypt.decrypt(enc1, passphrase, salt)
|
|
assert data == dec1
|
|
enc2 = crypt.encrypt(dec1, passphrase, salt)
|
|
dec2 = crypt.decrypt(enc2, passphrase, salt)
|
|
assert data == dec2
|
|
|
|
|
|
@mock.patch.dict(os.environ, {ENV_PASSPHRASE:'aShortPassphrase',
|
|
ENV_SALT: 'MySecretSalt'})
|
|
def test_short_passphrase():
|
|
with pytest.raises(click.ClickException,
|
|
match=r'.*is not at least 24-character long.*'):
|
|
PeglegSecretManagement('file_path')
|
|
|
|
|
|
def test_PeglegManagedDocument():
|
|
test_data = yaml.load(TEST_DATA)
|
|
doc = PeglegManagedSecretsDocument(test_data)
|
|
assert doc.is_storage_policy_encrypted() is True
|
|
assert doc.is_encrypted() is False
|
|
|
|
|
|
@mock.patch.dict(os.environ, {ENV_PASSPHRASE:'ytrr89erARAiPE34692iwUMvWqqBvC',
|
|
ENV_SALT: 'MySecretSalt'})
|
|
def test_encrypt_document():
|
|
# write the test data to temp file
|
|
test_data = yaml.load(TEST_DATA)
|
|
dir = tempfile.mkdtemp()
|
|
file_path = os.path.join(dir, 'secrets_file.yaml')
|
|
save_path = os.path.join(dir, 'encrypted_secrets_file.yaml')
|
|
with open(file_path, 'w') as stream:
|
|
yaml.dump(test_data,
|
|
stream,
|
|
explicit_start=True,
|
|
explicit_end=True,
|
|
default_flow_style=False)
|
|
# read back the secrets data file and encrypt it
|
|
doc_mgr = PeglegSecretManagement(file_path)
|
|
doc_mgr.encrypt_secrets(save_path, 'test_author')
|
|
doc = doc_mgr.documents[0]
|
|
assert doc.is_encrypted()
|
|
assert doc.data['encrypted']['by'] == 'test_author'
|