authorEndi S. Dewata <edewata@redhat.com>2014-10-24 19:53:16 -0400
committerJan Cholasta <jcholast@redhat.com>2015-07-07 07:44:56 +0000
commitfc5c614950dd39c7d002377f810f37ef36b0e8a4 (patch)
tree85198dcc3cf3cd20c45b23a5ffaa4c08f056eca5 /ipatests
parent8ee975b276d0728130a148b01f9bfc0b77524ae0 (diff)
Added symmetric and asymmetric vaults.
The vault plugin has been modified to support symmetric and asymmetric vaults to provide additional security over the standard vault by encrypting the data before it's sent to the server. The encryption functionality is implemented using the python-cryptography library. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipatests')
-rw-r--r--ipatests/test_xmlrpc/test_vault_plugin.py221
1 files changed, 198 insertions, 23 deletions
diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py
index 9a40547b1..f8b57855a 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -22,15 +22,63 @@ Test the `ipalib/plugins/vault.py` module.
"""
from ipalib import api, errors
-from xmlrpc_test import Declarative
+from xmlrpc_test import Declarative, fuzzy_string
vault_name = u'test_vault'
service_name = u'HTTP/server.example.com'
user_name = u'testuser'
+standard_vault_name = u'standard_test_vault'
+symmetric_vault_name = u'symmetric_test_vault'
+asymmetric_vault_name = u'asymmetric_test_vault'
+
# binary data from \x00 to \xff
secret = ''.join(map(chr, xrange(0, 256)))
+password = u'password'
+
+public_key = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/
+pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe
+k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB
+tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N
+otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO
+pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6
+3wIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+private_key = """
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+"""
+
class test_vault_plugin(Declarative):
@@ -42,6 +90,9 @@ class test_vault_plugin(Declarative):
}),
('vault_del', [vault_name], {'shared': True, 'continue': True}),
('vault_del', [vault_name], {'user': user_name, 'continue': True}),
+ ('vault_del', [standard_vault_name], {'continue': True}),
+ ('vault_del', [symmetric_vault_name], {'continue': True}),
+ ('vault_del', [asymmetric_vault_name], {'continue': True}),
]
tests = [
@@ -61,6 +112,7 @@ class test_vault_plugin(Declarative):
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -81,6 +133,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
],
},
@@ -100,6 +153,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -119,6 +173,7 @@ class test_vault_plugin(Declarative):
'result': {
'cn': [vault_name],
'description': [u'Test vault'],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -156,6 +211,7 @@ class test_vault_plugin(Declarative):
% (vault_name, service_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -178,6 +234,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
],
},
@@ -199,6 +256,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -219,6 +277,7 @@ class test_vault_plugin(Declarative):
'result': {
'cn': [vault_name],
'description': [u'Test vault'],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -258,6 +317,7 @@ class test_vault_plugin(Declarative):
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -280,6 +340,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
],
},
@@ -301,6 +362,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -321,6 +383,7 @@ class test_vault_plugin(Declarative):
'result': {
'cn': [vault_name],
'description': [u'Test vault'],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -360,6 +423,7 @@ class test_vault_plugin(Declarative):
% (vault_name, user_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -382,6 +446,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
],
},
@@ -403,6 +468,7 @@ class test_vault_plugin(Declarative):
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -423,6 +489,7 @@ class test_vault_plugin(Declarative):
'result': {
'cn': [vault_name],
'description': [u'Test vault'],
+ 'ipavaulttype': [u'standard'],
},
},
},
@@ -446,50 +513,53 @@ class test_vault_plugin(Declarative):
},
{
- 'desc': 'Create vault for archival',
+ 'desc': 'Create standard vault',
'command': (
'vault_add',
- [vault_name],
+ [standard_vault_name],
{},
),
'expected': {
- 'value': vault_name,
- 'summary': 'Added vault "%s"' % vault_name,
+ 'value': standard_vault_name,
+ 'summary': 'Added vault "%s"' % standard_vault_name,
'result': {
- 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
- % (vault_name, api.env.basedn),
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+ % (standard_vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
- 'cn': [vault_name],
+ 'cn': [standard_vault_name],
+ 'ipavaulttype': [u'standard'],
},
},
},
{
- 'desc': 'Archive secret',
+ 'desc': 'Archive secret into standard vault',
'command': (
'vault_archive',
- [vault_name],
+ [standard_vault_name],
{
'data': secret,
},
),
'expected': {
- 'value': vault_name,
- 'summary': 'Archived data into vault "%s"' % vault_name,
+ 'value': standard_vault_name,
+ 'summary': 'Archived data into vault "%s"'
+ % standard_vault_name,
'result': {},
},
},
{
- 'desc': 'Retrieve secret',
+ 'desc': 'Retrieve secret from standard vault',
'command': (
'vault_retrieve',
- [vault_name],
+ [standard_vault_name],
{},
),
'expected': {
- 'value': vault_name,
- 'summary': 'Retrieved data from vault "%s"' % vault_name,
+ 'value': standard_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % standard_vault_name,
'result': {
'data': secret,
},
@@ -497,17 +567,122 @@ class test_vault_plugin(Declarative):
},
{
- 'desc': 'Delete vault for archival',
+ 'desc': 'Create symmetric vault',
'command': (
- 'vault_del',
- [vault_name],
- {},
+ 'vault_add',
+ [symmetric_vault_name],
+ {
+ 'ipavaulttype': u'symmetric',
+ 'password': password,
+ },
),
'expected': {
- 'value': [vault_name],
- 'summary': u'Deleted vault "%s"' % vault_name,
+ 'value': symmetric_vault_name,
+ 'summary': 'Added vault "%s"' % symmetric_vault_name,
'result': {
- 'failed': (),
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+ % (symmetric_vault_name, api.env.basedn),
+ 'objectclass': [u'top', u'ipaVault'],
+ 'cn': [symmetric_vault_name],
+ 'ipavaulttype': [u'symmetric'],
+ 'ipavaultsalt': [fuzzy_string],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Archive secret into symmetric vault',
+ 'command': (
+ 'vault_archive',
+ [symmetric_vault_name],
+ {
+ 'password': password,
+ 'data': secret,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': 'Archived data into vault "%s"'
+ % symmetric_vault_name,
+ 'result': {},
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from symmetric vault',
+ 'command': (
+ 'vault_retrieve',
+ [symmetric_vault_name],
+ {
+ 'password': password,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % symmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
+ 'desc': 'Create asymmetric vault',
+ 'command': (
+ 'vault_add',
+ [asymmetric_vault_name],
+ {
+ 'ipavaulttype': u'asymmetric',
+ 'ipapublickey': public_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': 'Added vault "%s"' % asymmetric_vault_name,
+ 'result': {
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+ % (asymmetric_vault_name, api.env.basedn),
+ 'objectclass': [u'top', u'ipaVault'],
+ 'cn': [asymmetric_vault_name],
+ 'ipavaulttype': [u'asymmetric'],
+ 'ipapublickey': [public_key],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Archive secret into asymmetric vault',
+ 'command': (
+ 'vault_archive',
+ [asymmetric_vault_name],
+ {
+ 'data': secret,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': 'Archived data into vault "%s"'
+ % asymmetric_vault_name,
+ 'result': {},
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from asymmetric vault',
+ 'command': (
+ 'vault_retrieve',
+ [asymmetric_vault_name],
+ {
+ 'private_key': private_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % asymmetric_vault_name,
+ 'result': {
+ 'data': secret,
},
},
},
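Review bot: The new symmetric and asymmetric cases only exercise the success path; nothing in this hunk checks that `vault_retrieve` on `symmetric_vault_name` with a wrong `password`, or on `asymmetric_vault_name` with a mismatched or missing `private_key`, is rejected instead of returning `secret` or garbage, and that rejection is the property that distinguishes these vault types from the standard one. I would add one negative test dict after each retrieve case, e.g. `'desc': 'Retrieve secret from symmetric vault with wrong password'` with `'command'` passing `{'password': u'wrongpassword'}` and `'expected'` set to the error the plugin raises on decryption failure (the exception class is not visible on this page; the `errors` module imported in the first hunk is where it would come from), and the equivalent for the asymmetric vault. Since the first hunk now embeds a PEM-encoded key in `private_key`, a comment above it such as `# Throwaway RSA key pair generated for this test only; never reuse it outside ipatests.` would make its status obvious to anyone auditing the tree for committed key material. The `tests` list and the `test_vault_plugin` class continue outside the hunk.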