Source code for keystone.tests.unit.credential.test_fernet_provider

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import fixtures
import hashlib
import uuid

from oslo_log import log

from keystone.common import fernet_utils
from keystone.credential.providers import fernet as credential_fernet
from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import database


[docs]class TestFernetCredentialProvider(unit.TestCase):
[docs]    def setUp(self):
        super(TestFernetCredentialProvider, self).setUp()
        self.provider = credential_fernet.Provider()
        self.useFixture(database.Database())
        self.useFixture(
            ksfixtures.KeyRepository(
                self.config_fixture,
                'credential',
                credential_fernet.MAX_ACTIVE_KEYS
            )
        )

[docs]    def test_valid_data_encryption(self):
        blob = uuid.uuid4().hex
        encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
        decrypted_blob = self.provider.decrypt(encrypted_blob)

        self.assertNotEqual(blob, encrypted_blob)
        self.assertEqual(blob, decrypted_blob)
        self.assertIsNotNone(primary_key_hash)


[docs]class TestFernetCredentialProviderWithNullKey(unit.TestCase):
[docs]    def setUp(self):
        super(TestFernetCredentialProviderWithNullKey, self).setUp()
        self.provider = credential_fernet.Provider()
        self.useFixture(database.Database())
        # Only do this to set the key_repository location in configuration. To
        # test the null key path, we need to make it so that the key repository
        # doesn't actually exist. If you're running the tests locally and have
        # bootstrapped a credential key repository in
        # `/etc/keystone/credential-keys` this will fail unless we override the
        # default.
        self.config_fixture.config(
            group='credential',
            key_repository=self.useFixture(fixtures.TempDir()).path
        )

[docs]    def test_encryption_with_null_key(self):
        null_key = fernet_utils.NULL_KEY
        null_key_hash = hashlib.sha1(null_key).hexdigest()

        blob = uuid.uuid4().hex
        encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
        self.assertEqual(null_key_hash, primary_key_hash)
        self.assertNotEqual(blob, encrypted_blob)

        decrypted_blob = self.provider.decrypt(encrypted_blob)
        self.assertEqual(blob, decrypted_blob)

[docs]    def test_warning_is_logged_when_encrypting_with_null_key(self):
        blob = uuid.uuid4().hex
        logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
        expected_output = (
            'Encrypting credentials with the null key. Please properly '
            'encrypt credentials using `keystone-manage credential_setup`, '
            '`keystone-manage credential_migrate`, and `keystone-manage '
            'credential_rotate`'
        )
        encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
        self.assertIn(expected_output, logging_fixture.output)