author | Endi S. Dewata <edewata@redhat.com> | 2015-07-31 07:53:15 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-08-25 19:11:53 +0200 |
commit | e46d9236d19f714b67fdf2865f19146c3016f46d (patch) | |
tree | 1694978180059eb1e3b111d92e08c0a7924881e1 /ipatests/test_xmlrpc/test_vault_plugin.py | |
parent | b4daa45baad9dca020540ecde1b1e7a9b98b1995 (diff) | |
Added support for changing vault encryption.
The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.
https://fedorahosted.org/freeipa/ticket/5176
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipatests/test_xmlrpc/test_vault_plugin.py')
-rw-r--r-- | ipatests/test_xmlrpc/test_vault_plugin.py | 249 |
1 files changed, 249 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py
index 03fb6ad02..18032e287 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -37,6 +37,7 @@ asymmetric_vault_name = u'asymmetric_test_vault'
 secret = ''.join(map(chr, xrange(0, 256)))
 password = u'password'
+other_password = u'other_password'
 public_key = """
 -----BEGIN PUBLIC KEY-----
@@ -80,6 +81,48 @@ kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw==
 -----END RSA PRIVATE KEY-----
 """
+other_public_key = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7E/QLVyKjrgDctZ50U7
+rmtL7Ks1QLoccp9WvZJ6WI1rYd0fX5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkk
+Rl/3wK7fWNLenH/+VHOaTQc20exg7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLH
+w3zrmrO5SIZ8njxMoDcQJa2vu/t281U/I7ti8ue09FSitIECU05vgmPS+MnXR8HK
+PxXqrNkjl29mXNbPiByWwlse3Prwved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1
+O8gRaRg1r+ENVpmMSvXo4+8+bR3rEYddD5zU7nKXafeuthXlXplae/8uZmCiSI63
+TwIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+other_private_key = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAv7E/QLVyKjrgDctZ50U7rmtL7Ks1QLoccp9WvZJ6WI1rYd0f
+X5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkkRl/3wK7fWNLenH/+VHOaTQc20exg
+7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLHw3zrmrO5SIZ8njxMoDcQJa2vu/t2
+81U/I7ti8ue09FSitIECU05vgmPS+MnXR8HKPxXqrNkjl29mXNbPiByWwlse3Prw
+ved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1O8gRaRg1r+ENVpmMSvXo4+8+bR3r
+EYddD5zU7nKXafeuthXlXplae/8uZmCiSI63TwIDAQABAoIBAQCA+0GFR9F+isjx
+Xy+qBpKmxLl8kKKvX8r+cSpLOkEqTlW/rqqKgnI0vVuL/L2UJKKsLvpghBxoBZyC
+RCvtatBGrhIlS0UrHg/9m73Ek1hylfUUAQokTn4PrkwWJSgmm/xOATmZSs5ymNTn
+yFCmXl69sdNR77YvD5bQXeBtOT+bKXy7yQ1TmYPwwSjL+WSlMV6ZfE3HNVmxPTpk
+CTFS638cJblWk9MUIy8HIlhu6If2P4RnHr7ZGGivhREayvs0zXcAfqhIyFHruxSE
+yYnmqH9paWjv5mP3YyLoKr+NUvvxnBr/9wCTt0TKgG8G6rpkHuPDLQni9wUGnew8
+QdMgFEohAoGBAPH4vaVB5gDVfvIqwJBsBLHpPq72GvxjrM/exD0jIIpXZxz9gCql
+CmC5b1RS1uy8PMoc/RO4CE7UTLaTesciP6LjTD1RhH3rLLJO8/iVC1RXgMrCLHLm
+ZQnDhIQGGNQxpvBjQy5ZOWat2dFxYhHN630IFPOtrWsOmJ5HsL1JrjzxAoGBAMrO
+R1zNwQ42VbJS6AFshZVjmUV2h3REGh4zG/9IqL0Hz493hyCTGoDPLLXIbtkqNqzQ
+XibSZ9RMVPKKTiNQTx91DTgh4Anz8xUr84tA2iAf3ayNWKi3Y3GhmP2EWp1qYeom
+kV8Uq0lt4dHZuEo3LuqvbtbzlF9qUXqKS5qy6Tg/AoGBAKCp02o2HjzxhS/QeTmr
+r1ZeE7PiTzrECAuh01TwzPtuW1XhcEdgfEqK9cPcmT5pIkflBZkhOcr1pdYYiI5O
+TEigeY/BX6KoE251hALLG9GtpCN82DyWhAH+oy9ySOwj5793eTT+I2HtD1LE4SQH
+QVQsmJTP/fS2pVl7KnwUvy9RAoGBAKzo2qchNewsHzx+uxgbsnkABfnXaP2T4sDE
+yqYJCPTB6BFl02vOf9Y6zN/gF8JH333P2bY3xhaXTgXMLXqmSg+D+NVW7HEP8Lyo
+UGj1zgN9p74qdODEGqETKiFb6vYzcW/1mhP6x18/tDz658k+611kXZge7O288+MK
+bhNjXrx5AoGBAMox25PcxVgOjCd9+LdUcIOG6LQ971eCH1NKL9YAekICnwMrStbK
+veCYju6ok4ZWnMiH8MR1jgC39RWtjJZwynCuPXUP2/vZkoVf1tCZyz7dSm8TdS/2
+5NdOHVy7+NQcEPSm7/FmXdpcR9ZSGAuxMBfnEUibdyz5LdJGnFUN/+HS
+-----END RSA PRIVATE KEY-----
+"""
+
 class test_vault_plugin(Declarative):
@@ -591,6 +634,48 @@ class test_vault_plugin(Declarative):
 },
 {
+ 'desc': 'Change standard vault to symmetric vault',
+ 'command': (
+ 'vault_mod',
+ [standard_vault_name],
+ {
+ 'ipavaulttype': u'symmetric',
+ 'new_password': password,
+ },
+ ),
+ 'expected': {
+ 'value': standard_vault_name,
+ 'summary': u'Modified vault "%s"' % standard_vault_name,
+ 'result': {
+ 'cn': [standard_vault_name],
+ 'ipavaulttype': [u'symmetric'],
+ 'ipavaultsalt': [fuzzy_string],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from standard vault converted to '
+ 'symmetric vault',
+ 'command': (
+ 'vault_retrieve',
+ [standard_vault_name],
+ {
+ 'password': password,
+ },
+ ),
+ 'expected': {
+ 'value': standard_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % standard_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
 'desc': 'Create symmetric vault',
 'command': (
 'vault_add',
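Review bot: `other_private_key` commits a complete RSA private key as a module-level string, and nothing next to it says that it is a throwaway fixture. A comment above `other_public_key`, for example `# Test-only key pair generated for this suite; never use it outside the tests.`, would tell readers and anyone triaging a secret-scanner hit what they are looking at. The existing `private_key` just above this hunk appears to have the same gap, but its definition is outside the visible lines. Generating the pair during test setup would avoid committing key material altogether, if the suite's dependencies allow it.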
@@ -653,6 +738,90 @@ class test_vault_plugin(Declarative):
 },
 {
+ 'desc': 'Change symmetric vault password',
+ 'command': (
+ 'vault_mod',
+ [symmetric_vault_name],
+ {
+ 'old_password': password,
+ 'new_password': other_password,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % symmetric_vault_name,
+ 'result': {
+ 'cn': [symmetric_vault_name],
+ 'ipavaulttype': [u'symmetric'],
+ 'ipavaultsalt': [fuzzy_string],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from symmetric vault with new password',
+ 'command': (
+ 'vault_retrieve',
+ [symmetric_vault_name],
+ {
+ 'password': other_password,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % symmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
+ 'desc': 'Change symmetric vault to asymmetric vault',
+ 'command': (
+ 'vault_mod',
+ [symmetric_vault_name],
+ {
+ 'ipavaulttype': u'asymmetric',
+ 'old_password': other_password,
+ 'ipavaultpublickey': public_key,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % symmetric_vault_name,
+ 'result': {
+ 'cn': [symmetric_vault_name],
+ 'ipavaulttype': [u'asymmetric'],
+ 'ipavaultpublickey': [public_key],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from symmetric vault converted to '
+ 'asymmetric vault',
+ 'command': (
+ 'vault_retrieve',
+ [symmetric_vault_name],
+ {
+ 'private_key': private_key,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % symmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
 'desc': 'Create asymmetric vault',
 'command': (
 'vault_add',
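Review bot: Nothing after 'Change symmetric vault password' asserts that the old credential stops working; the only follow-up case retrieves with `other_password`. A case that calls `vault_retrieve` with the original `password` and expects a failure would pin that down, as would a `vault_mod` call with a wrong `old_password`. The key-change cases in the last hunk have the same gap, since none retrieves with the old `private_key`. Separately, `'ipavaultsalt': [fuzzy_string]` accepts any string, so this test cannot tell whether the salt was regenerated along with the password; whether the plugin does that is not visible here. The test list begins and ends outside this hunk.

```python
{
    'desc': 'Retrieve secret from symmetric vault with old password',
    'command': (
        'vault_retrieve',
        [symmetric_vault_name],
        {
            'password': password,
        },
    ),
    # PLACEHOLDER: substitute the exception the plugin raises when
    # decryption fails; it is not visible in this diff.
    'expected': EXPECTED_DECRYPTION_ERROR,
},
```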
@@ -713,4 +882,84 @@ class test_vault_plugin(Declarative):
 },
 },
+ {
+ 'desc': 'Change asymmetric vault keys',
+ 'command': (
+ 'vault_mod',
+ [asymmetric_vault_name],
+ {
+ 'private_key': private_key,
+ 'ipavaultpublickey': other_public_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % asymmetric_vault_name,
+ 'result': {
+ 'cn': [asymmetric_vault_name],
+ 'ipavaulttype': [u'asymmetric'],
+ 'ipavaultpublickey': [other_public_key],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from asymmetric vault with new keys',
+ 'command': (
+ 'vault_retrieve',
+ [asymmetric_vault_name],
+ {
+ 'private_key': other_private_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % asymmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
+ 'desc': 'Change asymmetric vault to standard vault',
+ 'command': (
+ 'vault_mod',
+ [asymmetric_vault_name],
+ {
+ 'ipavaulttype': u'standard',
+ 'private_key': other_private_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % asymmetric_vault_name,
+ 'result': {
+ 'cn': [asymmetric_vault_name],
+ 'ipavaulttype': [u'standard'],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from asymmetric vault converted to '
+ 'standard vault',
+ 'command': (
+ 'vault_retrieve',
+ [asymmetric_vault_name],
+ {},
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % asymmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
 ] |