# Authors:
#   Endi S. Dewata
#
# Copyright (C) 2015  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""
Test the `ipalib/plugins/vault.py` module.

The cases below drive the vault_add / vault_find / vault_show / vault_mod /
vault_del / vault_archive / vault_retrieve commands through the Declarative
harness and compare each reply with a literal expected value.
"""

import nose
from ipalib import api, errors
from xmlrpc_test import Declarative, fuzzy_string

# One name is reused for the private, service, shared and user vaults; the
# expected DNs below show that each of these lives in a different container.
vault_name = u'test_vault'
service_name = u'HTTP/server.example.com'
user_name = u'testuser'

# Separate names for the vaults used in the archive/retrieve and
# type-conversion cases.
standard_vault_name = u'standard_test_vault'
symmetric_vault_name = u'symmetric_test_vault'
asymmetric_vault_name = u'asymmetric_test_vault'

# binary data from \x00 to \xff
# Every byte value is archived and expected back unchanged, so the
# round-trip cases also check that the payload is treated as binary-safe.
# NOTE: xrange and a str built from chr() make this Python 2 code.
secret = ''.join(map(chr, xrange(0, 256)))

# Fixed, low-entropy test passwords for the symmetric vault cases.
password = u'password'
other_password = u'other_password'

# Test-only RSA key pairs. public_key/private_key are used as the initial
# pair for asymmetric vaults; other_public_key/other_private_key are the
# replacement pair in the key-change case.
# The private halves are published with the source, so they protect
# nothing: use them only as fixtures here, never for a real vault, and
# expect secret scanners to flag this file.
public_key = """
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/
pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe
k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB
tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N
otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO
pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6
3wIDAQAB
-----END PUBLIC KEY-----
"""

private_key = """
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnT61EFxUOQgCJdM0tmw/pRRPDPGchTClnU1eBtiQD3ItKYf1
+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDek/zeB6nSVdk47OdaW1AHrJL+44r2
38Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqBtsxXaaAgjMp0AGq2U/aO/akeEYWQ
OYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7NotG4eR6c2o9Fyjd+M4Gai5Ce0fSr
igRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLOpVThop+Xivcre3SpI0kt6oZPhBw9
i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG63wIDAQABAoIBAQCD2bXnfxPcMnvi
jaPwpvoDCPF0EBBHmk/0g5ApO2Qon3uBDJFUqbJwXrCY6o2d9MOJfnGONlKmcYA8
X+d4h+SqwGjIkjxdYeSauS+Jy6Rzr1ptH/P8EjPQrfG9uJxYQDflV3nxYwwwVrx7
8kccMPdteRB+8Bb7FzOHufMimmayCNFETnVT5CKH2PrYoPB+fr0itCipWOenDp33
e73OV+K9U3rclmtHaoRxGohqByKfQRUkipjw4m+T3qfZZc5eN77RGW8J+oL1GVom
fwtiH7N1HVte0Dmd13nhiASg355kjqRPcIMPsRHvXkOpgg5HRUTKG5elqAyvvm27
Fzj1YdeRAoGBAMnE61+FYh8qCyEGe8r6RGjO8iuoyk1t+0gBWbmILLBiRnj4K8Tc
k7HBG/pg3XCNbCuRwiLg8tk3VAAXzn6o+IJr3QnKbNCGa1lKfYU4mt11sBEyuL5V
NpZcZ8IiPhMlGyDA9cFbTMKOE08RqbOIdxOmTizFt0R5sYZAwOjEvBIZAoGBAMeC
N/P0bdrScFZGeS51wEdiWme/CO0IyGoqU6saI8L0dbmMJquiaAeIEjIKLqxH1RON
axhsyk97e0PCcc5QK62Utf50UUAbL/v7CpIG+qdSRYDO4bVHSCkwF32N3pYh/iVU
EsEBEkZiJi0dWa/0asDbsACutxcHda3RI5pi7oO3AoGAcbGNs/CUHt1xEfX2UaT+
YVSjb2iYPlNH8gYYygvqqqVl8opdF3v3mYUoP8jPXrnCBzcF/uNk1HNx2O+RQxvx
lIQ1NGwlLsdfvBvWaPhBg6LqSHadVVrs/IMrUGA9PEp/Y9B3arIIqeSnCrn4Nxsh
higDCwWKRIKSPwVD7qXVGBkCgYEAu5/CASIRIeYgEXMLSd8hKcDcJo8o1MoauIT/
1Hyrvw9pm0qrn2QHk3WrLvYWeJzBTTcEzZ6aEG+fN9UodA8/VGnzUc6QDsrCsKWh
hj0cArlDdeSZrYLQ4TNCFCiUePqU6QQM8weP6TMqlejxTKF+t8qi1bF5rCWuzP1P
D0UU7DcCgYAUvmEGckugS+FTatop8S/rmkcQ4Bf5M/YCZfsySavucDiHcBt0QtXt
Swh0XdDsYS3W1yj2XqqsQ7R58KNaffCHjjulWFzb5IiuSvvdxzWtiXHisOpO36MJ
kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw==
-----END RSA PRIVATE KEY-----
"""

other_public_key = """
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7E/QLVyKjrgDctZ50U7
rmtL7Ks1QLoccp9WvZJ6WI1rYd0fX5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkk
Rl/3wK7fWNLenH/+VHOaTQc20exg7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLH
w3zrmrO5SIZ8njxMoDcQJa2vu/t281U/I7ti8ue09FSitIECU05vgmPS+MnXR8HK
PxXqrNkjl29mXNbPiByWwlse3Prwved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1
O8gRaRg1r+ENVpmMSvXo4+8+bR3rEYddD5zU7nKXafeuthXlXplae/8uZmCiSI63
TwIDAQAB
-----END PUBLIC KEY-----
"""

other_private_key = """
-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEAv7E/QLVyKjrgDctZ50U7rmtL7Ks1QLoccp9WvZJ6WI1rYd0f
X5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkkRl/3wK7fWNLenH/+VHOaTQc20exg
7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLHw3zrmrO5SIZ8njxMoDcQJa2vu/t2
81U/I7ti8ue09FSitIECU05vgmPS+MnXR8HKPxXqrNkjl29mXNbPiByWwlse3Prw
ved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1O8gRaRg1r+ENVpmMSvXo4+8+bR3r
EYddD5zU7nKXafeuthXlXplae/8uZmCiSI63TwIDAQABAoIBAQCA+0GFR9F+isjx
Xy+qBpKmxLl8kKKvX8r+cSpLOkEqTlW/rqqKgnI0vVuL/L2UJKKsLvpghBxoBZyC
RCvtatBGrhIlS0UrHg/9m73Ek1hylfUUAQokTn4PrkwWJSgmm/xOATmZSs5ymNTn
yFCmXl69sdNR77YvD5bQXeBtOT+bKXy7yQ1TmYPwwSjL+WSlMV6ZfE3HNVmxPTpk
CTFS638cJblWk9MUIy8HIlhu6If2P4RnHr7ZGGivhREayvs0zXcAfqhIyFHruxSE
yYnmqH9paWjv5mP3YyLoKr+NUvvxnBr/9wCTt0TKgG8G6rpkHuPDLQni9wUGnew8
QdMgFEohAoGBAPH4vaVB5gDVfvIqwJBsBLHpPq72GvxjrM/exD0jIIpXZxz9gCql
CmC5b1RS1uy8PMoc/RO4CE7UTLaTesciP6LjTD1RhH3rLLJO8/iVC1RXgMrCLHLm
ZQnDhIQGGNQxpvBjQy5ZOWat2dFxYhHN630IFPOtrWsOmJ5HsL1JrjzxAoGBAMrO
R1zNwQ42VbJS6AFshZVjmUV2h3REGh4zG/9IqL0Hz493hyCTGoDPLLXIbtkqNqzQ
XibSZ9RMVPKKTiNQTx91DTgh4Anz8xUr84tA2iAf3ayNWKi3Y3GhmP2EWp1qYeom
kV8Uq0lt4dHZuEo3LuqvbtbzlF9qUXqKS5qy6Tg/AoGBAKCp02o2HjzxhS/QeTmr
r1ZeE7PiTzrECAuh01TwzPtuW1XhcEdgfEqK9cPcmT5pIkflBZkhOcr1pdYYiI5O
TEigeY/BX6KoE251hALLG9GtpCN82DyWhAH+oy9ySOwj5793eTT+I2HtD1LE4SQH
QVQsmJTP/fS2pVl7KnwUvy9RAoGBAKzo2qchNewsHzx+uxgbsnkABfnXaP2T4sDE
yqYJCPTB6BFl02vOf9Y6zN/gF8JH333P2bY3xhaXTgXMLXqmSg+D+NVW7HEP8Lyo
UGj1zgN9p74qdODEGqETKiFb6vYzcW/1mhP6x18/tDz658k+611kXZge7O288+MK
bhNjXrx5AoGBAMox25PcxVgOjCd9+LdUcIOG6LQ971eCH1NKL9YAekICnwMrStbK
veCYju6ok4ZWnMiH8MR1jgC39RWtjJZwynCuPXUP2/vZkoVf1tCZyz7dSm8TdS/2
5NdOHVy7+NQcEPSm7/FmXdpcR9ZSGAuxMBfnEUibdyz5LdJGnFUN/+HS
-----END RSA PRIVATE KEY-----
"""


class test_vault_plugin(Declarative):
    """Declarative test cases for the vault commands.

    Covers create/find/show/modify/delete in the private, service, shared
    and user containers, then archive/retrieve and type conversion for
    standard, symmetric and asymmetric vaults.
    """

    @classmethod
    def setup_class(cls):
        """Connect the RPC client and skip the class when KRA is disabled.

        Raises:
            nose.SkipTest: if `kra_is_enabled` reports a false result.
        """
        if not api.Backend.rpcclient.isconnected():
            api.Backend.rpcclient.connect(fallback=False)

        # The check runs before the parent's setup_class, so nothing the
        # parent sets up is reached when the KRA service is absent.
        if not api.Command.kra_is_enabled()['result']:
            raise nose.SkipTest('KRA service is not enabled')

        super(test_vault_plugin, cls).setup_class()

    # One vault_del per vault name and container used below. 'continue' is
    # set on every entry, presumably so that a vault that does not exist
    # does not abort the cleanup; how and when Declarative runs this list
    # is not visible in this file -- confirm in xmlrpc_test.
    cleanup_commands = [
        ('vault_del', [vault_name], {'continue': True}),
        ('vault_del', [vault_name], {
            'service': service_name,
            'continue': True
        }),
        ('vault_del', [vault_name], {'shared': True, 'continue': True}),
        ('vault_del', [vault_name], {'username': user_name, 'continue': True}),
        ('vault_del', [standard_vault_name], {'continue': True}),
        ('vault_del', [symmetric_vault_name], {'continue': True}),
        ('vault_del', [asymmetric_vault_name], {'continue': True}),
    ]

    # Each entry is {'desc', 'command': (name, args, options), 'expected'}.
    # The cases depend on list order: e.g. each "Find" expects exactly one
    # match, which only holds after the preceding "Create" and with no
    # other vault left in that container.
    #
    # NOTE(review): every retrieve/modify case below supplies the correct
    # credential. No case asserts that a wrong password, the old password
    # after a change, or a non-matching private key is rejected, and
    # `errors` is imported at module level but not used in this file.
    # Rejection paths are therefore not covered here.
    tests = [

        # ---- private vault: expected DN is under cn=admin,cn=users ----

        {
            'desc': 'Create private vault',
            'command': (
                'vault_add',
                [vault_name],
                {
                    'ipavaulttype': u'standard',
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': 'Added vault "%s"' % vault_name,
                'result': {
                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                          % (vault_name, api.env.basedn),
                    'objectclass': [u'top', u'ipaVault'],
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Find private vaults',
            'command': (
                'vault_find',
                [],
                {},
            ),
            'expected': {
                'count': 1,
                'truncated': False,
                'summary': u'1 vault matched',
                'result': [
                    {
                        'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                              % (vault_name, api.env.basedn),
                        'cn': [vault_name],
                        'ipavaulttype': [u'standard'],
                    },
                ],
            },
        },

        {
            'desc': 'Show private vault',
            'command': (
                'vault_show',
                [vault_name],
                {},
            ),
            'expected': {
                'value': vault_name,
                'summary': None,
                'result': {
                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                          % (vault_name, api.env.basedn),
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Modify private vault',
            'command': (
                'vault_mod',
                [vault_name],
                {
                    'description': u'Test vault',
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': u'Modified vault "%s"' % vault_name,
                'result': {
                    'cn': [vault_name],
                    'description': [u'Test vault'],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Delete private vault',
            'command': (
                'vault_del',
                [vault_name],
                {},
            ),
            'expected': {
                'value': [vault_name],
                'summary': u'Deleted vault "%s"' % vault_name,
                'result': {
                    'failed': (),
                },
            },
        },

        # ---- service vault: expected DN is under cn=services ----

        {
            'desc': 'Create service vault',
            'command': (
                'vault_add',
                [vault_name],
                {
                    'ipavaulttype': u'standard',
                    'service': service_name,
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': u'Added vault "%s"' % vault_name,
                'result': {
                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
                          % (vault_name, service_name, api.env.basedn),
                    'objectclass': [u'top', u'ipaVault'],
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Find service vaults',
            'command': (
                'vault_find',
                [],
                {
                    'service': service_name,
                },
            ),
            'expected': {
                'count': 1,
                'truncated': False,
                'summary': u'1 vault matched',
                'result': [
                    {
                        'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
                              % (vault_name, service_name, api.env.basedn),
                        'cn': [vault_name],
                        'ipavaulttype': [u'standard'],
                    },
                ],
            },
        },

        {
            'desc': 'Show service vault',
            'command': (
                'vault_show',
                [vault_name],
                {
                    'service': service_name,
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': None,
                'result': {
                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
                          % (vault_name, service_name, api.env.basedn),
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Modify service vault',
            'command': (
                'vault_mod',
                [vault_name],
                {
                    'service': service_name,
                    'description': u'Test vault',
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': u'Modified vault "%s"' % vault_name,
                'result': {
                    'cn': [vault_name],
                    'description': [u'Test vault'],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Delete service vault',
            'command': (
                'vault_del',
                [vault_name],
                {
                    'service': service_name,
                },
            ),
            'expected': {
                'value': [vault_name],
                'summary': u'Deleted vault "%s"' % vault_name,
                'result': {
                    'failed': (),
                },
            },
        },

        # ---- shared vault: expected DN is under cn=shared ----

        {
            'desc': 'Create shared vault',
            'command': (
                'vault_add',
                [vault_name],
                {
                    'ipavaulttype': u'standard',
                    'shared': True
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': u'Added vault "%s"' % vault_name,
                'result': {
                    'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
                          % (vault_name, api.env.basedn),
                    'objectclass': [u'top', u'ipaVault'],
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Find shared vaults',
            'command': (
                'vault_find',
                [],
                {
                    'shared': True
                },
            ),
            'expected': {
                'count': 1,
                'truncated': False,
                'summary': u'1 vault matched',
                'result': [
                    {
                        'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
                              % (vault_name, api.env.basedn),
                        'cn': [vault_name],
                        'ipavaulttype': [u'standard'],
                    },
                ],
            },
        },

        {
            'desc': 'Show shared vault',
            'command': (
                'vault_show',
                [vault_name],
                {
                    'shared': True
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': None,
                'result': {
                    'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
                          % (vault_name, api.env.basedn),
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Modify shared vault',
            'command': (
                'vault_mod',
                [vault_name],
                {
                    'shared': True,
                    'description': u'Test vault',
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': u'Modified vault "%s"' % vault_name,
                'result': {
                    'cn': [vault_name],
                    'description': [u'Test vault'],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Delete shared vault',
            'command': (
                'vault_del',
                [vault_name],
                {
                    'shared': True
                },
            ),
            'expected': {
                'value': [vault_name],
                'summary': u'Deleted vault "%s"' % vault_name,
                'result': {
                    'failed': (),
                },
            },
        },

        # ---- user vault: expected DN is under cn=<user_name>,cn=users,
        # while owner_user is still expected to be admin ----

        {
            'desc': 'Create user vault',
            'command': (
                'vault_add',
                [vault_name],
                {
                    'ipavaulttype': u'standard',
                    'username': user_name,
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': u'Added vault "%s"' % vault_name,
                'result': {
                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
                          % (vault_name, user_name, api.env.basedn),
                    'objectclass': [u'top', u'ipaVault'],
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Find user vaults',
            'command': (
                'vault_find',
                [],
                {
                    'username': user_name,
                },
            ),
            'expected': {
                'count': 1,
                'truncated': False,
                'summary': u'1 vault matched',
                'result': [
                    {
                        'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
                              % (vault_name, user_name, api.env.basedn),
                        'cn': [vault_name],
                        'ipavaulttype': [u'standard'],
                    },
                ],
            },
        },

        {
            'desc': 'Show user vault',
            'command': (
                'vault_show',
                [vault_name],
                {
                    'username': user_name,
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': None,
                'result': {
                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
                          % (vault_name, user_name, api.env.basedn),
                    'cn': [vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Modify user vault',
            'command': (
                'vault_mod',
                [vault_name],
                {
                    'username': user_name,
                    'description': u'Test vault',
                },
            ),
            'expected': {
                'value': vault_name,
                'summary': u'Modified vault "%s"' % vault_name,
                'result': {
                    'cn': [vault_name],
                    'description': [u'Test vault'],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Delete user vault',
            'command': (
                'vault_del',
                [vault_name],
                {
                    'username': user_name,
                },
            ),
            'expected': {
                'value': [vault_name],
                'summary': u'Deleted vault "%s"' % vault_name,
                'result': {
                    'failed': (),
                },
            },
        },

        # ---- standard vault: archive/retrieve with no password or key,
        # then conversion to symmetric ----

        {
            'desc': 'Create standard vault',
            'command': (
                'vault_add',
                [standard_vault_name],
                {
                    'ipavaulttype': u'standard',
                },
            ),
            'expected': {
                'value': standard_vault_name,
                'summary': 'Added vault "%s"' % standard_vault_name,
                'result': {
                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                          % (standard_vault_name, api.env.basedn),
                    'objectclass': [u'top', u'ipaVault'],
                    'cn': [standard_vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Archive secret into standard vault',
            'command': (
                'vault_archive',
                [standard_vault_name],
                {
                    'data': secret,
                },
            ),
            'expected': {
                'value': standard_vault_name,
                'summary': 'Archived data into vault "%s"'
                           % standard_vault_name,
                'result': {},
            },
        },

        {
            'desc': 'Retrieve secret from standard vault',
            'command': (
                'vault_retrieve',
                [standard_vault_name],
                {},
            ),
            'expected': {
                'value': standard_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % standard_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

        {
            'desc': 'Change standard vault to symmetric vault',
            'command': (
                'vault_mod',
                [standard_vault_name],
                {
                    'ipavaulttype': u'symmetric',
                    'new_password': password,
                },
            ),
            'expected': {
                'value': standard_vault_name,
                'summary': u'Modified vault "%s"' % standard_vault_name,
                'result': {
                    'cn': [standard_vault_name],
                    'ipavaulttype': [u'symmetric'],
                    # The command supplies no salt; the returned one is
                    # matched with fuzzy_string (presumably "any string" --
                    # confirm in xmlrpc_test), so its length and uniqueness
                    # are not checked here.
                    'ipavaultsalt': [fuzzy_string],
                    'owner_user': [u'admin'],
                },
            },
        },

        # The secret archived before the conversion must still come back,
        # now with the password supplied.
        {
            'desc': 'Retrieve secret from standard vault converted to '
                    'symmetric vault',
            'command': (
                'vault_retrieve',
                [standard_vault_name],
                {
                    'password': password,
                },
            ),
            'expected': {
                'value': standard_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % standard_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

        # ---- symmetric vault: password-protected archive/retrieve,
        # password change, then conversion to asymmetric ----

        {
            'desc': 'Create symmetric vault',
            'command': (
                'vault_add',
                [symmetric_vault_name],
                {
                    'ipavaulttype': u'symmetric',
                    'password': password,
                },
            ),
            'expected': {
                'value': symmetric_vault_name,
                'summary': 'Added vault "%s"' % symmetric_vault_name,
                'result': {
                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                          % (symmetric_vault_name, api.env.basedn),
                    'objectclass': [u'top', u'ipaVault'],
                    'cn': [symmetric_vault_name],
                    'ipavaulttype': [u'symmetric'],
                    'ipavaultsalt': [fuzzy_string],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Archive secret into symmetric vault',
            'command': (
                'vault_archive',
                [symmetric_vault_name],
                {
                    'password': password,
                    'data': secret,
                },
            ),
            'expected': {
                'value': symmetric_vault_name,
                'summary': 'Archived data into vault "%s"'
                           % symmetric_vault_name,
                'result': {},
            },
        },

        {
            'desc': 'Retrieve secret from symmetric vault',
            'command': (
                'vault_retrieve',
                [symmetric_vault_name],
                {
                    'password': password,
                },
            ),
            'expected': {
                'value': symmetric_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % symmetric_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

        {
            'desc': 'Change symmetric vault password',
            'command': (
                'vault_mod',
                [symmetric_vault_name],
                {
                    'old_password': password,
                    'new_password': other_password,
                },
            ),
            'expected': {
                'value': symmetric_vault_name,
                'summary': u'Modified vault "%s"' % symmetric_vault_name,
                'result': {
                    'cn': [symmetric_vault_name],
                    'ipavaulttype': [u'symmetric'],
                    # NOTE(review): the loose match means this case cannot
                    # tell whether the salt changed with the password.
                    'ipavaultsalt': [fuzzy_string],
                    'owner_user': [u'admin'],
                },
            },
        },

        # Only the new password is exercised; the old one is not tried.
        {
            'desc': 'Retrieve secret from symmetric vault with new password',
            'command': (
                'vault_retrieve',
                [symmetric_vault_name],
                {
                    'password': other_password,
                },
            ),
            'expected': {
                'value': symmetric_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % symmetric_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

        {
            'desc': 'Change symmetric vault to asymmetric vault',
            'command': (
                'vault_mod',
                [symmetric_vault_name],
                {
                    'ipavaulttype': u'asymmetric',
                    'old_password': other_password,
                    'ipavaultpublickey': public_key,
                },
            ),
            'expected': {
                'value': symmetric_vault_name,
                'summary': u'Modified vault "%s"' % symmetric_vault_name,
                'result': {
                    'cn': [symmetric_vault_name],
                    'ipavaulttype': [u'asymmetric'],
                    'ipavaultpublickey': [public_key],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Retrieve secret from symmetric vault converted to '
                    'asymmetric vault',
            'command': (
                'vault_retrieve',
                [symmetric_vault_name],
                {
                    'private_key': private_key,
                },
            ),
            'expected': {
                'value': symmetric_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % symmetric_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

        # ---- asymmetric vault: archive needs only the stored public key,
        # retrieve needs the private key; key change, then conversion back
        # to standard ----

        {
            'desc': 'Create asymmetric vault',
            'command': (
                'vault_add',
                [asymmetric_vault_name],
                {
                    'ipavaulttype': u'asymmetric',
                    'ipavaultpublickey': public_key,
                },
            ),
            'expected': {
                'value': asymmetric_vault_name,
                'summary': 'Added vault "%s"' % asymmetric_vault_name,
                'result': {
                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                          % (asymmetric_vault_name, api.env.basedn),
                    'objectclass': [u'top', u'ipaVault'],
                    'cn': [asymmetric_vault_name],
                    'ipavaulttype': [u'asymmetric'],
                    'ipavaultpublickey': [public_key],
                    'owner_user': [u'admin'],
                },
            },
        },

        {
            'desc': 'Archive secret into asymmetric vault',
            'command': (
                'vault_archive',
                [asymmetric_vault_name],
                {
                    'data': secret,
                },
            ),
            'expected': {
                'value': asymmetric_vault_name,
                'summary': 'Archived data into vault "%s"'
                           % asymmetric_vault_name,
                'result': {},
            },
        },

        {
            'desc': 'Retrieve secret from asymmetric vault',
            'command': (
                'vault_retrieve',
                [asymmetric_vault_name],
                {
                    'private_key': private_key,
                },
            ),
            'expected': {
                'value': asymmetric_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % asymmetric_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

        # The current private key is passed along with the replacement
        # public key.
        {
            'desc': 'Change asymmetric vault keys',
            'command': (
                'vault_mod',
                [asymmetric_vault_name],
                {
                    'private_key': private_key,
                    'ipavaultpublickey': other_public_key,
                },
            ),
            'expected': {
                'value': asymmetric_vault_name,
                'summary': u'Modified vault "%s"' % asymmetric_vault_name,
                'result': {
                    'cn': [asymmetric_vault_name],
                    'ipavaulttype': [u'asymmetric'],
                    'ipavaultpublickey': [other_public_key],
                    'owner_user': [u'admin'],
                },
            },
        },

        # Only the new private key is exercised; the replaced one is not
        # tried.
        {
            'desc': 'Retrieve secret from asymmetric vault with new keys',
            'command': (
                'vault_retrieve',
                [asymmetric_vault_name],
                {
                    'private_key': other_private_key,
                },
            ),
            'expected': {
                'value': asymmetric_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % asymmetric_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

        {
            'desc': 'Change asymmetric vault to standard vault',
            'command': (
                'vault_mod',
                [asymmetric_vault_name],
                {
                    'ipavaulttype': u'standard',
                    'private_key': other_private_key,
                },
            ),
            'expected': {
                'value': asymmetric_vault_name,
                'summary': u'Modified vault "%s"' % asymmetric_vault_name,
                'result': {
                    'cn': [asymmetric_vault_name],
                    'ipavaulttype': [u'standard'],
                    'owner_user': [u'admin'],
                },
            },
        },

        # After the conversion to standard the secret is expected back with
        # empty options, i.e. without any password or private key.
        {
            'desc': 'Retrieve secret from asymmetric vault converted to '
                    'standard vault',
            'command': (
                'vault_retrieve',
                [asymmetric_vault_name],
                {},
            ),
            'expected': {
                'value': asymmetric_vault_name,
                'summary': 'Retrieved data from vault "%s"'
                           % asymmetric_vault_name,
                'result': {
                    'data': secret,
                },
            },
        },

    ]