# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import six import mock import shutil import sqlalchemy from sqlalchemy.orm import exc import tempfile import testtools import time import kmip from kmip.core import attributes from kmip.core import enums from kmip.core import exceptions from kmip.core import misc from kmip.core import objects from kmip.core import primitives from kmip.core import secrets from kmip.core.factories import attributes as factory from kmip.core.messages import contents from kmip.core.messages import messages from kmip.core.messages.payloads import activate from kmip.core.messages.payloads import revoke from kmip.core.messages.payloads import create from kmip.core.messages.payloads import create_key_pair from kmip.core.messages.payloads import derive_key from kmip.core.messages.payloads import destroy from kmip.core.messages.payloads import discover_versions from kmip.core.messages.payloads import encrypt from kmip.core.messages.payloads import get from kmip.core.messages.payloads import get_attribute_list from kmip.core.messages.payloads import get_attributes from kmip.core.messages.payloads import query from kmip.core.messages.payloads import register from kmip.core.messages.payloads import mac from kmip.core.messages.payloads import locate from kmip.pie import objects as pie_objects from kmip.pie import sqltypes from kmip.services.server import engine class MockRegexString(str): """ A comparator string for doing simple containment regex comparisons for mock asserts. """ def __eq__(self, other): return self in other class TestKmipEngine(testtools.TestCase): """ A test suite for the KmipEngine. """ def setUp(self): super(TestKmipEngine, self).setUp() self.engine = sqlalchemy.create_engine( 'sqlite:///:memory:', ) sqltypes.Base.metadata.create_all(self.engine) self.session_factory = sqlalchemy.orm.sessionmaker( bind=self.engine ) self.temp_dir = tempfile.mkdtemp() self.addCleanup(shutil.rmtree, self.temp_dir) def tearDown(self): super(TestKmipEngine, self).tearDown() def _build_request(self): payload = discover_versions.DiscoverVersionsRequestPayload() batch = [ messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ), request_payload=payload ) ] protocol = contents.ProtocolVersion.create(1, 0) max_size = contents.MaximumResponseSize(2 ** 20) asynch = contents.AsynchronousIndicator(False) # TODO (peterhamilton) Change this insanity in the substructs. username = objects.Credential.UsernamePasswordCredential.Username( "tester" ) password = objects.Credential.UsernamePasswordCredential.Password( "password" ) creds = objects.Credential.UsernamePasswordCredential( username=username, password=password ) auth = contents.Authentication(creds) batch_error_option = contents.BatchErrorContinuationOption( enums.BatchErrorContinuationOption.STOP ) batch_order_option = contents.BatchOrderOption(True) timestamp = contents.TimeStamp(int(time.time())) header = messages.RequestHeader( protocol_version=protocol, maximum_response_size=max_size, asynchronous_indicator=asynch, authentication=auth, batch_error_cont_option=batch_error_option, batch_order_option=batch_order_option, time_stamp=timestamp, batch_count=contents.BatchCount(len(batch)) ) return messages.RequestMessage( request_header=header, batch_items=batch ) def test_init(self): """ Test that a KmipEngine can be instantiated without any errors. """ engine.KmipEngine() @mock.patch('sqlalchemy.create_engine') def test_init_create_engine(self, create_engine_mock): """ Test that the right arguments are used to create the engine's SQLite backend. """ engine.KmipEngine() args = ("sqlite:////tmp/pykmip.database",) fargs = { 'echo': False, 'connect_args': {'check_same_thread': False} } create_engine_mock.assert_called_once_with(*args, **fargs) def test_load_operation_policies(self): """ Test that the KmipEngine can correctly load operation policies. """ e = engine.KmipEngine() e._logger = mock.MagicMock() policy_file = tempfile.NamedTemporaryFile( dir=self.temp_dir ) with open(policy_file.name, 'w') as f: f.write( '{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}' ) self.assertEqual(2, len(e._operation_policies)) e._load_operation_policies(self.temp_dir) e._logger.info.assert_any_call( "Loading user-defined operation policy files from: {0}".format( self.temp_dir ) ) e._logger.info.assert_any_call( "Loading user-defined operation policies from file: {0}".format( policy_file.name ) ) self.assertEqual(3, len(e._operation_policies)) self.assertIn('test', e._operation_policies.keys()) test_policy = { enums.ObjectType.CERTIFICATE: { enums.Operation.LOCATE: enums.Policy.ALLOW_ALL } } self.assertEqual(test_policy, e._operation_policies.get('test')) def test_load_operation_policies_with_file_read_error(self): """ Test that the KmipEngine can correctly handle load errors. """ e = engine.KmipEngine() e._logger = mock.MagicMock() policy_file = tempfile.NamedTemporaryFile( dir=self.temp_dir ) with open(policy_file.name, 'w') as f: f.write( '{"test": {"INVALID": {"LOCATE": "ALLOW_ALL"}}}' ) self.assertEqual(2, len(e._operation_policies)) e._load_operation_policies(self.temp_dir) e._logger.info.assert_any_call( "Loading user-defined operation policy files from: {0}".format( self.temp_dir ) ) e._logger.info.assert_any_call( "Loading user-defined operation policies from file: {0}".format( policy_file.name ) ) e._logger.error.assert_called_once_with( "A failure occurred while loading policies." ) e._logger.exception.assert_called_once() self.assertEqual(2, len(e._operation_policies)) def test_load_operation_policies_with_reserved(self): """ Test that the KmipEngine can correctly load operation policies, even when a policy attempts to overwrite a reserved one. """ e = engine.KmipEngine() e._logger = mock.MagicMock() policy_file = tempfile.NamedTemporaryFile( dir=self.temp_dir ) with open(policy_file.name, 'w') as f: f.write( '{"public": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}' ) self.assertEqual(2, len(e._operation_policies)) e._load_operation_policies(self.temp_dir) e._logger.info.assert_any_call( "Loading user-defined operation policy files from: {0}".format( self.temp_dir ) ) e._logger.info.assert_any_call( "Loading user-defined operation policies from file: {0}".format( policy_file.name ) ) e._logger.warning.assert_called_once_with( "Loaded policy 'public' overwrites a reserved policy and will " "be thrown out." ) self.assertEqual(2, len(e._operation_policies)) def test_load_operation_policies_with_duplicate(self): """ Test that the KmipEngine can correctly load operation policies, even when a policy is defined multiple times. """ e = engine.KmipEngine() e._logger = mock.MagicMock() policy_file_a = tempfile.NamedTemporaryFile( dir=self.temp_dir ) with open(policy_file_a.name, 'w') as f: f.write( '{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}' ) policy_file_b = tempfile.NamedTemporaryFile( dir=self.temp_dir ) with open(policy_file_b.name, 'w') as f: f.write( '{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}' ) self.assertEqual(2, len(e._operation_policies)) e._load_operation_policies(self.temp_dir) e._logger.info.assert_any_call( "Loading user-defined operation policy files from: {0}".format( self.temp_dir ) ) e._logger.info.assert_any_call( "Loading user-defined operation policies from file: {0}".format( policy_file_a.name ) ) e._logger.info.assert_any_call( "Loading user-defined operation policies from file: {0}".format( policy_file_b.name ) ) e._logger.warning.assert_called_once_with( "Loaded policy 'test' overwrites a preexisting policy and will " "be thrown out." ) self.assertEqual(3, len(e._operation_policies)) self.assertIn('test', e._operation_policies.keys()) test_policy = { enums.ObjectType.CERTIFICATE: { enums.Operation.LOCATE: enums.Policy.ALLOW_ALL } } self.assertEqual(test_policy, e._operation_policies.get('test')) def test_version_operation_match(self): """ Test that a valid response is generated when trying to invoke an operation supported by a specific version of KMIP. """ e = engine.KmipEngine() e._logger = mock.MagicMock() payload = discover_versions.DiscoverVersionsRequestPayload() e._process_discover_versions(payload) def test_version_operation_mismatch(self): """ Test that an OperationNotSupported error is generated when trying to invoke an operation unsupported by a specific version of KMIP. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._protocol_version = contents.ProtocolVersion.create(1, 0) args = (None, ) regex = "DiscoverVersions is not supported by KMIP {0}".format( e._protocol_version ) six.assertRaisesRegex( self, exceptions.OperationNotSupported, regex, e._process_discover_versions, *args ) def test_process_request(self): """ Test that a basic request is processed correctly. """ e = engine.KmipEngine() e._logger = mock.MagicMock() protocol = contents.ProtocolVersion.create(1, 1) header = messages.RequestHeader( protocol_version=protocol, maximum_response_size=contents.MaximumResponseSize(2 ** 20), authentication=contents.Authentication(), batch_error_cont_option=contents.BatchErrorContinuationOption( enums.BatchErrorContinuationOption.STOP ), batch_order_option=contents.BatchOrderOption(True), time_stamp=contents.TimeStamp(int(time.time())), batch_count=contents.BatchCount(1) ) payload = discover_versions.DiscoverVersionsRequestPayload() batch = list([ messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ), request_payload=payload ) ]) request = messages.RequestMessage( request_header=header, batch_items=batch ) response, max_size = e.process_request(request) e._logger.info.assert_any_call( MockRegexString("Received request at time:") ) e._logger.info.assert_any_call( "Processing operation: DiscoverVersions" ) self.assertIsInstance(response, messages.ResponseMessage) self.assertEqual(2 ** 20, max_size) self.assertIsNotNone(response.response_header) header = response.response_header self.assertIsNotNone(header) self.assertEqual( contents.ProtocolVersion.create(1, 1), header.protocol_version ) self.assertIsInstance(header.time_stamp, contents.TimeStamp) self.assertIsInstance(header.batch_count, contents.BatchCount) self.assertEqual(1, header.batch_count.value) batch = response.batch_items self.assertNotEqual(list(), batch) batch_item = batch[0] self.assertIsInstance(batch_item.operation, contents.Operation) self.assertEqual( enums.Operation.DISCOVER_VERSIONS, batch_item.operation.value ) self.assertIsNone(batch_item.unique_batch_item_id) self.assertEqual( enums.ResultStatus.SUCCESS, batch_item.result_status.value ) self.assertIsNone(batch_item.result_reason) self.assertIsNone(batch_item.result_message) self.assertIsNone(batch_item.async_correlation_value) self.assertIsInstance( batch_item.response_payload, discover_versions.DiscoverVersionsResponsePayload ) self.assertIsNone(batch_item.message_extension) def test_process_request_unsupported_version(self): """ Test that an InvalidMessage exception is raised when processing a request using an unsupported KMIP version. """ e = engine.KmipEngine() e._logger = mock.MagicMock() protocol = contents.ProtocolVersion.create(0, 1) header = messages.RequestHeader( protocol_version=protocol ) request = messages.RequestMessage( request_header=header ) args = (request, ) regex = "KMIP {0} is not supported by the server.".format( protocol ) six.assertRaisesRegex( self, exceptions.InvalidMessage, regex, e.process_request, *args ) def test_process_request_stale_timestamp(self): """ Test that an InvalidMessage exception is raised when processing a request with a stale timestamp. """ e = engine.KmipEngine() e._logger = mock.MagicMock() protocol = contents.ProtocolVersion.create(1, 0) header = messages.RequestHeader( protocol_version=protocol, time_stamp=contents.TimeStamp(0) ) request = messages.RequestMessage( request_header=header ) args = (request, ) regex = "Stale request rejected by server." six.assertRaisesRegex( self, exceptions.InvalidMessage, regex, e.process_request, *args ) e._logger.warning.assert_any_call( MockRegexString( "Received request with old timestamp. Possible replay attack." ) ) def test_process_request_future_timestamp(self): """ Test that an InvalidMessage exception is raised when processing a request with a future timestamp. """ e = engine.KmipEngine() e._logger = mock.MagicMock() protocol = contents.ProtocolVersion.create(1, 0) header = messages.RequestHeader( protocol_version=protocol, time_stamp=contents.TimeStamp(10 ** 10) ) request = messages.RequestMessage( request_header=header ) args = (request, ) regex = "Future request rejected by server." six.assertRaisesRegex( self, exceptions.InvalidMessage, regex, e.process_request, *args ) e._logger.warning.assert_any_call( MockRegexString( "Received request with future timestamp." ) ) def test_process_request_unsupported_async_indicator(self): """ Test than an InvalidMessage error is generated while processing a batch with an unsupported asynchronous indicator option. """ e = engine.KmipEngine() e._logger = mock.MagicMock() protocol = contents.ProtocolVersion.create(1, 1) header = messages.RequestHeader( protocol_version=protocol, asynchronous_indicator=contents.AsynchronousIndicator(True) ) request = messages.RequestMessage( request_header=header, ) args = (request, ) regex = "Asynchronous operations are not supported." six.assertRaisesRegex( self, exceptions.InvalidMessage, regex, e.process_request, *args ) def test_process_request_unsupported_batch_option(self): """ Test that an InvalidMessage error is generated while processing a batch with an unsupported batch error continuation option. """ e = engine.KmipEngine() e._logger = mock.MagicMock() protocol = contents.ProtocolVersion.create(1, 1) header = messages.RequestHeader( protocol_version=protocol, authentication=contents.Authentication(), batch_error_cont_option=contents.BatchErrorContinuationOption( enums.BatchErrorContinuationOption.UNDO ) ) request = messages.RequestMessage( request_header=header, ) args = (request, ) regex = "Undo option for batch handling is not supported." six.assertRaisesRegex( self, exceptions.InvalidMessage, regex, e.process_request, *args ) def test_process_request_missing_credential(self): """ Test that the engine does not immediately error out when retrieving a non-existent credential from the request. """ e = engine.KmipEngine() e._logger = mock.MagicMock() protocol = contents.ProtocolVersion.create(1, 1) header = messages.RequestHeader( protocol_version=protocol, authentication=None, batch_error_cont_option=contents.BatchErrorContinuationOption( enums.BatchErrorContinuationOption.STOP ), batch_order_option=contents.BatchOrderOption(True), time_stamp=contents.TimeStamp(int(time.time())), batch_count=contents.BatchCount(1) ) payload = discover_versions.DiscoverVersionsRequestPayload() batch = list([ messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ), request_payload=payload ) ]) request = messages.RequestMessage( request_header=header, batch_items=batch ) e.process_request(request) def test_build_error_response(self): """ Test that a bare bones response containing a single error result can be constructed correctly. """ e = engine.KmipEngine() e._logger = mock.MagicMock() response = e.build_error_response( contents.ProtocolVersion.create(1, 1), enums.ResultReason.GENERAL_FAILURE, "A general test failure occurred." ) self.assertIsInstance(response, messages.ResponseMessage) header = response.response_header self.assertEqual( contents.ProtocolVersion.create(1, 1), header.protocol_version ) self.assertIsNotNone(header.time_stamp) self.assertIsNotNone(header.batch_count) self.assertEqual(1, header.batch_count.value) batch = response.batch_items self.assertEqual(1, len(batch)) batch_item = batch[0] self.assertIsNone(batch_item.operation) self.assertIsNone(batch_item.unique_batch_item_id) self.assertEqual( enums.ResultStatus.OPERATION_FAILED, batch_item.result_status.value ) self.assertEqual( enums.ResultReason.GENERAL_FAILURE, batch_item.result_reason.value ) self.assertEqual( "A general test failure occurred.", batch_item.result_message.value ) self.assertIsNone(batch_item.async_correlation_value) self.assertIsNone(batch_item.response_payload) self.assertIsNone(batch_item.message_extension) def test_process_batch(self): """ Test that a batch is processed correctly. """ e = engine.KmipEngine() e._logger = mock.MagicMock() payload = discover_versions.DiscoverVersionsRequestPayload() batch = list([ messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ), request_payload=payload ) ]) results = e._process_batch( batch, enums.BatchErrorContinuationOption.STOP, True ) self.assertIsNotNone(results) self.assertEqual(1, len(results)) def test_process_multibatch(self): """ Test that a batch containing multiple operations is processed correctly. """ e = engine.KmipEngine() e._logger = mock.MagicMock() payload = discover_versions.DiscoverVersionsRequestPayload() batch = list([ messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ), unique_batch_item_id=contents.UniqueBatchItemID(1), request_payload=payload ), messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ), unique_batch_item_id=contents.UniqueBatchItemID(2), request_payload=payload ) ]) results = e._process_batch( batch, enums.BatchErrorContinuationOption.STOP, True ) self.assertIsNotNone(results) self.assertEqual(2, len(results)) def test_process_batch_missing_batch_id(self): """ Test that an InvalidMessage error is generated while processing a batch with missing batch IDs. """ e = engine.KmipEngine() e._logger = mock.MagicMock() batch = list([ messages.RequestBatchItem(), messages.RequestBatchItem() ]) args = (batch, None, None) six.assertRaisesRegex( self, exceptions.InvalidMessage, "Batch item ID is undefined.", e._process_batch, *args ) def test_process_batch_expected_error(self): """ Test than an expected KMIP error is handled appropriately while processing a batch of operations. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._protocol_version = contents.ProtocolVersion.create(1, 0) batch = list([ messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ) ) ]) results = e._process_batch( batch, enums.BatchErrorContinuationOption.STOP, True ) self.assertIsNotNone(results) self.assertEqual(1, len(results)) result = results[0] self.assertIsInstance(result, messages.ResponseBatchItem) self.assertIsNotNone(result.operation) self.assertEqual( enums.Operation.DISCOVER_VERSIONS, result.operation.value ) self.assertIsNone(result.unique_batch_item_id) self.assertIsNotNone(result.result_status) self.assertEqual( enums.ResultStatus.OPERATION_FAILED, result.result_status.value ) self.assertIsNotNone(result.result_reason) self.assertEqual( enums.ResultReason.OPERATION_NOT_SUPPORTED, result.result_reason.value ) self.assertIsNotNone(result.result_message) error_message = "DiscoverVersions is not supported by KMIP {0}".format( e._protocol_version ) self.assertEqual(error_message, result.result_message.value) self.assertIsNone(result.async_correlation_value) self.assertIsNone(result.response_payload) self.assertIsNone(result.message_extension) def test_process_batch_unexpected_error(self): """ Test that an unexpected, non-KMIP error is handled appropriately while processing a batch of operations. """ e = engine.KmipEngine() e._logger = mock.MagicMock() test_exception = Exception("A general test failure occurred.") e._process_operation = mock.MagicMock(side_effect=test_exception) batch = list([ messages.RequestBatchItem( operation=contents.Operation( enums.Operation.DISCOVER_VERSIONS ) ) ]) results = e._process_batch( batch, enums.BatchErrorContinuationOption.STOP, True ) self.assertIsNotNone(results) self.assertEqual(1, len(results)) result = results[0] e._logger.warning.assert_called_with( "Error occurred while processing operation." ) e._logger.exception.assert_called_with(test_exception) self.assertIsInstance(result, messages.ResponseBatchItem) self.assertIsNotNone(result.operation) self.assertEqual( enums.Operation.DISCOVER_VERSIONS, result.operation.value ) self.assertIsNone(result.unique_batch_item_id) self.assertIsNotNone(result.result_status) self.assertEqual( enums.ResultStatus.OPERATION_FAILED, result.result_status.value ) self.assertIsNotNone(result.result_reason) self.assertEqual( enums.ResultReason.GENERAL_FAILURE, result.result_reason.value ) self.assertIsNotNone(result.result_message) self.assertEqual( "Operation failed. See the server logs for more information.", result.result_message.value ) self.assertIsNone(result.async_correlation_value) self.assertIsNone(result.response_payload) self.assertIsNone(result.message_extension) def test_process_operation(self): """ Test that the right subroutine is called when invoking operations supported by the server. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._process_create = mock.MagicMock() e._process_create_key_pair = mock.MagicMock() e._process_register = mock.MagicMock() e._process_locate = mock.MagicMock() e._process_get = mock.MagicMock() e._process_get_attributes = mock.MagicMock() e._process_get_attribute_list = mock.MagicMock() e._process_activate = mock.MagicMock() e._process_revoke = mock.MagicMock() e._process_destroy = mock.MagicMock() e._process_query = mock.MagicMock() e._process_discover_versions = mock.MagicMock() e._process_encrypt = mock.MagicMock() e._process_mac = mock.MagicMock() e._process_operation(enums.Operation.CREATE, None) e._process_operation(enums.Operation.CREATE_KEY_PAIR, None) e._process_operation(enums.Operation.REGISTER, None) e._process_operation(enums.Operation.LOCATE, None) e._process_operation(enums.Operation.GET, None) e._process_operation(enums.Operation.GET_ATTRIBUTES, None) e._process_operation(enums.Operation.GET_ATTRIBUTE_LIST, None) e._process_operation(enums.Operation.ACTIVATE, None) e._process_operation(enums.Operation.REVOKE, None) e._process_operation(enums.Operation.DESTROY, None) e._process_operation(enums.Operation.QUERY, None) e._process_operation(enums.Operation.DISCOVER_VERSIONS, None) e._process_operation(enums.Operation.ENCRYPT, None) e._process_operation(enums.Operation.MAC, None) e._process_create.assert_called_with(None) e._process_create_key_pair.assert_called_with(None) e._process_register.assert_called_with(None) e._process_locate.assert_called_with(None) e._process_get.assert_called_with(None) e._process_get_attributes.assert_called_with(None) e._process_get_attribute_list.assert_called_with(None) e._process_activate.assert_called_with(None) e._process_revoke.assert_called_with(None) e._process_destroy.assert_called_with(None) e._process_query.assert_called_with(None) e._process_discover_versions.assert_called_with(None) e._process_encrypt.assert_called_with(None) e._process_mac.assert_called_with(None) def test_unsupported_operation(self): """ Test that an OperationNotSupported error is generated when invoking an operation not supported by the server. """ e = engine.KmipEngine() e._logger = mock.MagicMock() args = (enums.Operation.POLL, None) regex = "{0} operation is not supported by the server.".format( args[0].name.title() ) six.assertRaisesRegex( self, exceptions.OperationNotSupported, regex, e._process_operation, *args ) def test_get_object_type(self): """ Test that the object type of a stored object can be retrieved correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) object_type = e._get_object_type(id_a) e._data_session.commit() self.assertEqual(pie_objects.OpaqueObject, object_type) def test_get_object_type_missing_object(self): """ Test that an ItemNotFound error is generated when attempting to retrieve the object type of an object that does not exist. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() args = ('1', ) regex = "Could not locate object: 1" six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._get_object_type, *args ) e._data_session.commit() e._logger.warning.assert_called_once_with( "Could not identify object type for object: 1" ) def test_get_object_type_multiple_objects(self): """ Test that a sqlalchemy.orm.exc.MultipleResultsFound error is generated when getting the object type of multiple objects map to the same object ID. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() test_exception = exc.MultipleResultsFound() e._data_session.query = mock.MagicMock(side_effect=test_exception) e._logger = mock.MagicMock() args = ('1', ) self.assertRaises( exc.MultipleResultsFound, e._get_object_type, *args ) e._data_session.commit() e._logger.warning.assert_called_once_with( "Multiple objects found for ID: 1" ) def test_get_object_type_unsupported_type(self): """ Test that an InvalidField error is generated when attempting to get the object type of an object with an unsupported object type. This should never happen by definition, but "Safety first!" """ e = engine.KmipEngine() e._object_map = {enums.ObjectType.OPAQUE_DATA: None} e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) args = (id_a, ) name = enums.ObjectType.OPAQUE_DATA.name regex = "The {0} object type is not supported.".format( ''.join( [x.capitalize() for x in name.split('_')] ) ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._get_object_type, *args ) e._data_session.commit() def test_build_core_object(self): """ Test that kmip.core objects can be built from simpler kmip.pie objects. """ e = engine.KmipEngine() e._logger = mock.MagicMock() # Test building a Certificate. managed_object = pie_objects.X509Certificate(value=b'') core_object = e._build_core_object(managed_object) self.assertIsInstance(core_object, secrets.Certificate) self.assertEqual( b'', core_object.certificate_value.value ) self.assertEqual( enums.CertificateTypeEnum.X_509, core_object.certificate_type.value ) # Test building a Symmetric Key. managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) core_object = e._build_core_object(managed_object) self.assertIsInstance(core_object, secrets.SymmetricKey) self.assertEqual( enums.CryptographicAlgorithm.AES, core_object.key_block.cryptographic_algorithm.value ) self.assertEqual( 0, core_object.key_block.cryptographic_length.value ) self.assertEqual( b'', core_object.key_block.key_value.key_material.value ) # Test building a Public Key. managed_object = pie_objects.PublicKey( enums.CryptographicAlgorithm.RSA, 0, b'' ) core_object = e._build_core_object(managed_object) self.assertIsInstance(core_object, secrets.PublicKey) self.assertEqual( enums.CryptographicAlgorithm.RSA, core_object.key_block.cryptographic_algorithm.value ) self.assertEqual( 0, core_object.key_block.cryptographic_length.value ) self.assertEqual( b'', core_object.key_block.key_value.key_material.value ) # Test building a Private Key. managed_object = pie_objects.PrivateKey( enums.CryptographicAlgorithm.RSA, 0, b'', enums.KeyFormatType.PKCS_8 ) core_object = e._build_core_object(managed_object) self.assertIsInstance(core_object, secrets.PrivateKey) self.assertEqual( enums.CryptographicAlgorithm.RSA, core_object.key_block.cryptographic_algorithm.value ) self.assertEqual( 0, core_object.key_block.cryptographic_length.value ) self.assertEqual( b'', core_object.key_block.key_value.key_material.value ) self.assertEqual( enums.KeyFormatType.PKCS_8, core_object.key_block.key_format_type.value ) # Test building a Secret Data. managed_object = pie_objects.SecretData( b'', enums.SecretDataType.PASSWORD ) core_object = e._build_core_object(managed_object) self.assertIsInstance(core_object, secrets.SecretData) self.assertEqual( enums.SecretDataType.PASSWORD, core_object.secret_data_type.value ) self.assertEqual( b'', core_object.key_block.key_value.key_material.value ) # Test building an Opaque Data. managed_object = pie_objects.OpaqueObject( b'', enums.OpaqueDataType.NONE ) core_object = e._build_core_object(managed_object) self.assertIsInstance(core_object, secrets.OpaqueObject) self.assertEqual( enums.OpaqueDataType.NONE, core_object.opaque_data_type.value ) self.assertEqual( b'', core_object.opaque_data_value.value ) def test_build_core_object_unsupported_type(self): """ Test that an InvalidField error is generated when building kmip.core objects that are unsupported. """ e = engine.KmipEngine() e._logger = mock.MagicMock() args = (None, ) regex = "Cannot build an unsupported object type." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._build_core_object, *args ) class DummyObject: def __init__(self): self._object_type = enums.ObjectType.SPLIT_KEY args = (DummyObject(), ) regex = "The SplitKey object type is not supported." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._build_core_object, *args ) def test_process_template_attribute(self): """ Test that a template attribute structure can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() name = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) algorithm = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) length = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 128 ) mask = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) template_attribute = objects.TemplateAttribute( attributes=[name, algorithm, length, mask] ) result = e._process_template_attribute(template_attribute) self.assertIsInstance(result, dict) self.assertEqual(4, len(result.keys())) self.assertIn('Name', result.keys()) self.assertIn('Cryptographic Algorithm', result.keys()) self.assertIn('Cryptographic Length', result.keys()) self.assertIn('Cryptographic Usage Mask', result.keys()) self.assertEqual([name.attribute_value], result.get('Name')) self.assertEqual( algorithm.attribute_value, result.get('Cryptographic Algorithm') ) self.assertEqual( length.attribute_value, result.get('Cryptographic Length') ) self.assertEqual( mask.attribute_value, result.get('Cryptographic Usage Mask') ) def test_process_template_attribute_unsupported_features(self): """ Test that the right errors are generated when unsupported features are referenced while processing a template attribute. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Test that providing template names generates an InvalidField error. template_attribute = objects.TemplateAttribute( names=[ attributes.Name.create( 'invalid', enums.NameType.UNINTERPRETED_TEXT_STRING ) ] ) args = (template_attribute, ) regex = "Attribute templates are not supported." six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_template_attribute, *args ) # Test that an unrecognized attribute generates an InvalidField error. name = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) name.attribute_name.value = 'invalid' template_attribute = objects.TemplateAttribute(attributes=[name]) args = (template_attribute, ) regex = "The invalid attribute is unsupported." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_template_attribute, *args ) # Test that missing indices generate an InvalidField error. name_a = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) name_b = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) template_attribute = objects.TemplateAttribute( attributes=[name_a, name_b] ) args = (template_attribute, ) regex = "Attribute index missing from multivalued attribute." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_template_attribute, *args ) # Test that a non-zero index generates an InvalidField error. algorithm = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES, 1 ) template_attribute = objects.TemplateAttribute(attributes=[algorithm]) args = (template_attribute, ) regex = "Non-zero attribute index found for single-valued attribute." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_template_attribute, *args ) # Test that setting multiple values for a single-value attribute # generates an InvalidField error. algorithm_a = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) algorithm_b = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.TRIPLE_DES ) template_attribute = objects.TemplateAttribute( attributes=[algorithm_a, algorithm_b] ) args = (template_attribute, ) regex = ( "Cannot set multiple instances of the Cryptographic Algorithm " "attribute." ) six.assertRaisesRegex( self, exceptions.IndexOutOfBounds, regex, e._process_template_attribute, *args ) def test_get_attributes_from_managed_object(self): """ Test that multiple attributes can be retrieved from a given managed object. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() symmetric_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'', masks=[enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT] ) symmetric_key.names = ['Name 1', 'Name 2'] e._data_session.add(symmetric_key) e._data_session.commit() e._data_session = e._data_store_session_factory() result = e._get_attributes_from_managed_object( symmetric_key, ['Unique Identifier', 'Name', 'Cryptographic Algorithm', 'Cryptographic Length', 'Cryptographic Usage Mask', 'invalid'] ) attribute_factory = factory.AttributeFactory() self.assertEqual(6, len(result)) attribute = attribute_factory.create_attribute( enums.AttributeType.UNIQUE_IDENTIFIER, '1' ) self.assertIn(attribute, result) attribute = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) self.assertIn(attribute, result) attribute = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 0 ) self.assertIn(attribute, result) attribute = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT] ) self.assertIn(attribute, result) def test_get_attributes_from_managed_object_with_missing_attribute(self): """ Test that any exceptions are suppressed when attempting to retrieve non-existent attributes from managed objects. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() symmetric_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'', masks=[enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT] ) symmetric_key.names = ['Name 1', 'Name 2'] e._data_session.add(symmetric_key) e._data_session.commit() e._data_session = e._data_store_session_factory() e._get_attribute_from_managed_object = mock.Mock() e._get_attribute_from_managed_object.side_effect = Exception result = e._get_attributes_from_managed_object( symmetric_key, ['Unique Identifier', 'Name', 'Cryptographic Algorithm', 'Cryptographic Length', 'Cryptographic Usage Mask', 'invalid'] ) self.assertEqual(0, len(result)) def test_get_attribute_from_managed_object(self): """ Test that an attribute can be retrieved from a given managed object. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() symmetric_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'', masks=[enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT] ) certificate = pie_objects.X509Certificate( b'' ) opaque_object = pie_objects.OpaqueObject( b'', enums.OpaqueDataType.NONE ) e._data_session.add(symmetric_key) e._data_session.add(certificate) e._data_session.add(opaque_object) e._data_session.commit() e._data_session = e._data_store_session_factory() result = e._get_attribute_from_managed_object( symmetric_key, 'Unique Identifier' ) self.assertEqual('1', result) result = e._get_attribute_from_managed_object( symmetric_key, 'Name' ) self.assertEqual( [attributes.Name( attributes.Name.NameValue('Symmetric Key'), attributes.Name.NameType( enums.NameType.UNINTERPRETED_TEXT_STRING ) )], result ) result = e._get_attribute_from_managed_object( symmetric_key, 'Object Type' ) self.assertEqual(enums.ObjectType.SYMMETRIC_KEY, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Cryptographic Algorithm' ) self.assertEqual(enums.CryptographicAlgorithm.AES, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Cryptographic Length' ) self.assertEqual(0, result) result = e._get_attribute_from_managed_object( certificate, 'Cryptographic Parameters' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'Cryptographic Domain Parameters' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'Certificate Type' ) self.assertEqual(enums.CertificateTypeEnum.X_509, result) result = e._get_attribute_from_managed_object( certificate, 'Certificate Length' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'X.509 Certificate Identifier' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'X.509 Certificate Subject' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'X.509 Certificate Issuer' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'Certificate Identifier' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'Certificate Subject' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'Certificate Issuer' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( certificate, 'Digital Signature Algorithm' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( opaque_object, 'Digest' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Operation Policy Name' ) self.assertEqual('default', result) result = e._get_attribute_from_managed_object( symmetric_key, 'Cryptographic Usage Mask' ) self.assertEqual( [enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT], result ) result = e._get_attribute_from_managed_object( symmetric_key, 'Lease Time' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Usage Limits' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'State' ) self.assertEqual(enums.State.PRE_ACTIVE, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Initial Date' ) self.assertIsNotNone(result) self.assertIsInstance(result, six.integer_types) result = e._get_attribute_from_managed_object( symmetric_key, 'Activation Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Process Start Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Protect Stop Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Deactivation Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Destroy Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Compromise Occurrence Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Compromise Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Revocation Reason' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Archive Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Object Group' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Fresh' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Link' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Application Specific Information' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Contact Information' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'Last Change Date' ) self.assertEqual(None, result) result = e._get_attribute_from_managed_object( symmetric_key, 'invalid' ) self.assertEqual(None, result) def test_set_attributes_on_managed_object(self): """ Test that multiple attributes can be set on a given managed object. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.SecretData( b'', enums.SecretDataType.PASSWORD ) managed_object.names = [] attribute_factory = factory.AttributeFactory() name = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Secret Data', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) mask = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) template_attribute = objects.TemplateAttribute( attributes=[name, mask] ) object_attributes = e._process_template_attribute(template_attribute) self.assertEqual([], managed_object.names) self.assertEqual([], managed_object.cryptographic_usage_masks) e._set_attributes_on_managed_object( managed_object, object_attributes ) self.assertEqual(['Test Secret Data'], managed_object.names) self.assertEqual( [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ], managed_object.cryptographic_usage_masks ) def test_set_attributes_on_managed_object_attribute_mismatch(self): """ Test that an InvalidField error is generated when attempting to set an attribute that is not applicable for a given managed object. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.OpaqueObject( b'', enums.OpaqueDataType.NONE ) attribute_factory = factory.AttributeFactory() mask = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) template_attribute = objects.TemplateAttribute(attributes=[mask]) object_attributes = e._process_template_attribute(template_attribute) args = (managed_object, object_attributes) regex = ( "Cannot set Cryptographic Usage Mask attribute on OpaqueData " "object." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._set_attributes_on_managed_object, *args ) def test_set_attribute_on_managed_object(self): """ Test that various attributes can be set correctly on a given managed object. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() name = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) algorithm = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) length = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 0 ) mask = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) managed_object.names = [] self.assertEqual([], managed_object.names) self.assertEqual( enums.CryptographicAlgorithm.AES, managed_object.cryptographic_algorithm ) self.assertEqual(0, managed_object.cryptographic_length) self.assertEqual([], managed_object.cryptographic_usage_masks) e._set_attribute_on_managed_object( managed_object, ('Name', [name.attribute_value]) ) self.assertEqual(['Test Symmetric Key'], managed_object.names) e._set_attribute_on_managed_object( managed_object, ('Cryptographic Algorithm', algorithm.attribute_value) ) self.assertEqual( enums.CryptographicAlgorithm.AES, managed_object.cryptographic_algorithm ) e._set_attribute_on_managed_object( managed_object, ('Cryptographic Length', length.attribute_value) ) self.assertEqual(0, managed_object.cryptographic_length) e._set_attribute_on_managed_object( managed_object, ('Cryptographic Usage Mask', mask.attribute_value) ) self.assertEqual( [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ], managed_object.cryptographic_usage_masks ) def test_set_attribute_on_managed_object_unsupported_features(self): """ Test that the right errors are generated when unsupported features are referenced while setting managed object attributes. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 8, b'\x00' ) # Test that multiple duplicate names cannot be set on an object. name_a = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) name_b = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) args = ( managed_object, ('Name', [name_a.attribute_value, name_b.attribute_value]) ) regex = "Cannot set duplicate name values." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._set_attribute_on_managed_object, *args ) # Test that a multivalued, unsupported attribute cannot be set on an # object. name_a = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) name_b = attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) args = ( managed_object, ('Digest', [name_a.attribute_value, name_b.attribute_value]) ) regex = "The Digest attribute is unsupported." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._set_attribute_on_managed_object, *args ) # Test that a set attribute cannot be overwritten. length = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 128 ) args = ( managed_object, ('Cryptographic Length', length.attribute_value) ) regex = "Cannot overwrite the Cryptographic Length attribute." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._set_attribute_on_managed_object, *args ) # Test that an unsupported attribute cannot be set. object_group = attribute_factory.create_attribute( enums.AttributeType.OBJECT_GROUP, 'Test Group' ) args = ( managed_object, ('Object Group', object_group.attribute_value) ) regex = "The Object Group attribute is unsupported." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._set_attribute_on_managed_object, *args ) def test_is_allowed_by_operation_policy(self): """ Test that an allowed operation is correctly allowed by the operation policy. """ e = engine.KmipEngine() e._operation_policies = { 'test': { enums.ObjectType.SYMMETRIC_KEY: { enums.Operation.GET: enums.Policy.ALLOW_OWNER } } } is_allowed = e._is_allowed_by_operation_policy( 'test', 'test', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertTrue(is_allowed) def test_is_allowed_by_operation_policy_blocked(self): """ Test that an unallowed operation is correctly blocked by the operation policy. """ e = engine.KmipEngine() e._operation_policies = { 'test': { enums.ObjectType.SYMMETRIC_KEY: { enums.Operation.GET: enums.Policy.ALLOW_OWNER } } } is_allowed = e._is_allowed_by_operation_policy( 'test', 'random', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertFalse(is_allowed) def test_is_allowed_by_operation_public(self): """ Test that a public operation is allowed by the operation policy. """ e = engine.KmipEngine() e._operation_policies = { 'test': { enums.ObjectType.SYMMETRIC_KEY: { enums.Operation.GET: enums.Policy.ALLOW_ALL } } } is_allowed = e._is_allowed_by_operation_policy( 'test', 'test', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertTrue(is_allowed) is_allowed = e._is_allowed_by_operation_policy( 'test', 'random', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertTrue(is_allowed) def test_is_allowed_by_operation_block_all(self): """ Test that a blocked operation is blocked by the operation policy. """ e = engine.KmipEngine() e._operation_policies = { 'test': { enums.ObjectType.SYMMETRIC_KEY: { enums.Operation.GET: enums.Policy.DISALLOW_ALL } } } is_allowed = e._is_allowed_by_operation_policy( 'test', 'test', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertFalse(is_allowed) is_allowed = e._is_allowed_by_operation_policy( 'test', 'random', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertFalse(is_allowed) def test_is_allowed_by_operation_safety_check(self): """ Test that an unknown operation is blocked by the operation policy. """ e = engine.KmipEngine() e._operation_policies = { 'test': { enums.ObjectType.SYMMETRIC_KEY: { enums.Operation.GET: 'unknown value' } } } is_allowed = e._is_allowed_by_operation_policy( 'test', 'test', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertFalse(is_allowed) is_allowed = e._is_allowed_by_operation_policy( 'test', 'random', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertFalse(is_allowed) def test_is_allowed_by_operation_policy_nonexistent_policy(self): """ Test that a check with a non-existent policy yields a logging warning and a blocked operation. """ e = engine.KmipEngine() e._logger = mock.MagicMock() policy = 'nonexistent-policy' is_allowed = e._is_allowed_by_operation_policy( policy, 'test', 'test', enums.ObjectType.SYMMETRIC_KEY, enums.Operation.GET ) self.assertFalse(is_allowed) e._logger.warning.assert_called_once_with( "The '{0}' policy does not exist.".format(policy) ) def test_is_allowed_by_operation_policy_not_object_applicable(self): """ Test that a check for an object with a non-applicable policy yields a logging warning and a blocked operation. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._operation_policies = { 'test': { enums.ObjectType.SYMMETRIC_KEY: { enums.Operation.GET: enums.Policy.ALLOW_OWNER } } } policy = 'test' object_type = enums.ObjectType.PRIVATE_KEY is_allowed = e._is_allowed_by_operation_policy( policy, 'test', 'test', object_type, enums.Operation.GET ) self.assertFalse(is_allowed) e._logger.warning.assert_called_once_with( "The '{0}' policy does not apply to {1} objects.".format( policy, e._get_enum_string(object_type) ) ) def test_is_allowed_by_operation_policy_not_applicable(self): """ Test that a check with a non-applicable policy yields a logging warning and a blocked operation. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._operation_policies = { 'test': { enums.ObjectType.SYMMETRIC_KEY: { enums.Operation.GET: enums.Policy.ALLOW_OWNER } } } policy = 'test' object_type = enums.ObjectType.SYMMETRIC_KEY operation = enums.Operation.CREATE is_allowed = e._is_allowed_by_operation_policy( policy, 'test', 'test', object_type, operation ) self.assertFalse(is_allowed) e._logger.warning.assert_called_once_with( "The '{0}' policy does not apply to {1} operations on {2} " "objects.".format( policy, e._get_enum_string(operation), e._get_enum_string(object_type) ) ) def test_get_object_with_access_controls(self): """ Test that an unallowed object access request is handled correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._client_identity = 'test' obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_a._owner = 'admin' e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) # Test by specifying the ID of the object to retrieve and the # operation context. args = [id_a, enums.Operation.GET] six.assertRaisesRegex( self, exceptions.ItemNotFound, "Could not locate object: {0}".format(id_a), e._get_object_with_access_controls, *args ) def test_create(self): """ Test that a Create request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Build Create request object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) template_attribute = objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 256 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ), attribute_factory.create_attribute( enums.AttributeType.OPERATION_POLICY_NAME, 'test' ) ] ) payload = create.CreateRequestPayload( object_type, template_attribute ) response_payload = e._process_create(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Create" ) uid = response_payload.unique_identifier.value self.assertEqual('1', uid) # Retrieve the stored object and verify all attributes were set # appropriately. symmetric_key = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.ManagedObject.unique_identifier == uid ).one() self.assertEqual( enums.KeyFormatType.RAW, symmetric_key.key_format_type ) self.assertEqual(1, len(symmetric_key.names)) self.assertIn('Test Symmetric Key', symmetric_key.names) self.assertEqual(256, len(symmetric_key.value) * 8) self.assertEqual( enums.CryptographicAlgorithm.AES, symmetric_key.cryptographic_algorithm ) self.assertEqual(256, symmetric_key.cryptographic_length) self.assertEqual(2, len(symmetric_key.cryptographic_usage_masks)) self.assertIn( enums.CryptographicUsageMask.ENCRYPT, symmetric_key.cryptographic_usage_masks ) self.assertIn( enums.CryptographicUsageMask.DECRYPT, symmetric_key.cryptographic_usage_masks ) self.assertEqual('test', symmetric_key.operation_policy_name) self.assertIsNotNone(symmetric_key.initial_date) self.assertNotEqual(0, symmetric_key.initial_date) self.assertEqual(uid, e._id_placeholder) def test_create_unsupported_object_type(self): """ Test that an InvalidField error is generated when attempting to create an unsupported object type. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() object_type = attributes.ObjectType(enums.ObjectType.PUBLIC_KEY) payload = create.CreateRequestPayload( object_type ) args = (payload, ) regex = "Cannot create a PublicKey object with the Create operation." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create, *args ) e._logger.info.assert_any_call( "Processing operation: Create" ) def test_create_omitting_attributes(self): """ Test that InvalidField errors are generated when trying to create a symmetric key without required attributes. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Test the error for omitting the Cryptographic Algorithm object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) template_attribute = objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 256 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create.CreateRequestPayload( object_type, template_attribute ) args = (payload, ) regex = ( "The cryptographic algorithm must be specified as an attribute." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create, *args ) e._logger.info.assert_any_call( "Processing operation: Create" ) e._logger.reset_mock() # Test the error for omitting the Cryptographic Length object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) template_attribute = objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create.CreateRequestPayload( object_type, template_attribute ) args = (payload, ) regex = ( "The cryptographic length must be specified as an attribute." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create, *args ) e._logger.info.assert_any_call( "Processing operation: Create" ) e._logger.reset_mock() # Test the error for omitting the Cryptographic Usage Mask object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) template_attribute = objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 256 ) ] ) payload = create.CreateRequestPayload( object_type, template_attribute ) args = (payload, ) regex = ( "The cryptographic usage mask must be specified as an attribute." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create, *args ) e._logger.info.assert_any_call( "Processing operation: Create" ) e._logger.reset_mock() def test_create_key_pair(self): """ Test that a CreateKeyPair request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) response_payload = e._process_create_key_pair(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) public_id = response_payload.public_key_uuid.value self.assertEqual('1', public_id) private_id = response_payload.private_key_uuid.value self.assertEqual('2', private_id) # Retrieve the stored public key and verify all attributes were set # appropriately. public_key = e._data_session.query( pie_objects.PublicKey ).filter( pie_objects.ManagedObject.unique_identifier == public_id ).one() self.assertEqual( enums.KeyFormatType.PKCS_1, public_key.key_format_type ) self.assertEqual(1, len(public_key.names)) self.assertIn('Test Asymmetric Key', public_key.names) self.assertEqual( enums.CryptographicAlgorithm.RSA, public_key.cryptographic_algorithm ) self.assertEqual(2048, public_key.cryptographic_length) self.assertEqual(1, len(public_key.cryptographic_usage_masks)) self.assertIn( enums.CryptographicUsageMask.ENCRYPT, public_key.cryptographic_usage_masks ) self.assertEqual('default', public_key.operation_policy_name) self.assertIsNotNone(public_key.initial_date) self.assertNotEqual(0, public_key.initial_date) # Retrieve the stored private key and verify all attributes were set # appropriately. private_key = e._data_session.query( pie_objects.PrivateKey ).filter( pie_objects.ManagedObject.unique_identifier == private_id ).one() self.assertEqual( enums.KeyFormatType.PKCS_8, private_key.key_format_type ) self.assertEqual(1, len(private_key.names)) self.assertIn('Test Asymmetric Key', private_key.names) self.assertEqual( enums.CryptographicAlgorithm.RSA, private_key.cryptographic_algorithm ) self.assertEqual(2048, private_key.cryptographic_length) self.assertEqual(1, len(private_key.cryptographic_usage_masks)) self.assertIn( enums.CryptographicUsageMask.DECRYPT, private_key.cryptographic_usage_masks ) self.assertEqual('default', private_key.operation_policy_name) self.assertIsNotNone(private_key.initial_date) self.assertNotEqual(0, private_key.initial_date) self.assertEqual(private_id, e._id_placeholder) def test_create_key_pair_omitting_attributes(self): """ Test that the right errors are generated when required attributes are missing from a CreateKeyPair request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Test that a missing PublicKey CryptographicAlgorithm raises an error common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The cryptographic algorithm must be specified as an attribute " "for the public key." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() # Test that a missing PrivateKey CryptographicAlgorithm raises an error common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The cryptographic algorithm must be specified as an attribute " "for the private key." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() # Test that a missing PublicKey CryptographicLength raises an error common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The cryptographic length must be specified as an attribute for " "the public key." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() # Test that a missing PrivateKey CryptographicLength raises an error common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The cryptographic length must be specified as an attribute for " "the private key." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() # Test that a missing PublicKey CryptographicUsageMask raises an error common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The cryptographic usage mask must be specified as an attribute " "for the public key." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() # Test that a missing PrivateKey CryptographicUsageMask raises an error common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The cryptographic usage mask must be specified as an attribute " "for the private key." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() def test_create_key_pair_mismatched_attributes(self): """ Test that the right errors are generated when required attributes are mismatched in a CreateKeyPair request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Test that mismatched CryptographicAlgorithms raise an error. common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.DSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The public and private key algorithms must be the same." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() # Test that mismatched CryptographicAlgorithms raise an error. common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 4096 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) args = (payload, ) regex = ( "The public and private key lengths must be the same." ) six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_create_key_pair, *args ) e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) e._logger.reset_mock() def test_register(self): """ Test that a Register request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Build a SymmetricKey for registration. object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) template_attribute = objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 128 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ), attribute_factory.create_attribute( enums.AttributeType.OPERATION_POLICY_NAME, 'test' ) ] ) key_bytes = ( b'\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00\x00\x00\x00' ) secret = secrets.SymmetricKey( key_block=objects.KeyBlock( key_format_type=misc.KeyFormatType(enums.KeyFormatType.RAW), key_value=objects.KeyValue( key_material=objects.KeyMaterial(key_bytes) ), cryptographic_algorithm=attributes.CryptographicAlgorithm( enums.CryptographicAlgorithm.AES ), cryptographic_length=attributes.CryptographicLength(128) ) ) payload = register.RegisterRequestPayload( object_type=object_type, template_attribute=template_attribute, secret=secret ) response_payload = e._process_register(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Register" ) uid = response_payload.unique_identifier.value self.assertEqual('1', uid) # Retrieve the stored object and verify all attributes were set # appropriately. symmetric_key = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.ManagedObject.unique_identifier == uid ).one() self.assertEqual( enums.KeyFormatType.RAW, symmetric_key.key_format_type ) self.assertEqual(1, len(symmetric_key.names)) self.assertIn('Test Symmetric Key', symmetric_key.names) self.assertEqual(key_bytes, symmetric_key.value) self.assertEqual( enums.CryptographicAlgorithm.AES, symmetric_key.cryptographic_algorithm ) self.assertEqual(128, symmetric_key.cryptographic_length) self.assertEqual(2, len(symmetric_key.cryptographic_usage_masks)) self.assertIn( enums.CryptographicUsageMask.ENCRYPT, symmetric_key.cryptographic_usage_masks ) self.assertIn( enums.CryptographicUsageMask.DECRYPT, symmetric_key.cryptographic_usage_masks ) self.assertEqual('test', symmetric_key.operation_policy_name) self.assertIsNotNone(symmetric_key.initial_date) self.assertNotEqual(0, symmetric_key.initial_date) self.assertEqual(uid, e._id_placeholder) def test_register_unsupported_object_type(self): """ Test that an InvalidField error is generated when attempting to register an unsupported object type. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() object_type = attributes.ObjectType(enums.ObjectType.SPLIT_KEY) payload = register.RegisterRequestPayload(object_type=object_type) args = (payload, ) regex = "The SplitKey object type is not supported." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_register, *args ) def test_request_omitting_secret(self): """ Test that an InvalidField error is generate when trying to register a secret in absentia. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) payload = register.RegisterRequestPayload(object_type=object_type) args = (payload, ) regex = "Cannot register a secret in absentia." six.assertRaisesRegex( self, exceptions.InvalidField, regex, e._process_register, *args ) def test_derive_key(self): """ Test that a DeriveKey request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() base_key = pie_objects.SymmetricKey( algorithm=enums.CryptographicAlgorithm.HMAC_SHA256, length=176, value=( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b' ), masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() attribute_factory = factory.AttributeFactory() # Derive a SymmetricKey object. payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SYMMETRIC_KEY, unique_identifiers=[str(base_key.unique_identifier)], derivation_method=enums.DerivationMethod.HMAC, derivation_parameters=attributes.DerivationParameters( cryptographic_parameters=attributes.CryptographicParameters( hashing_algorithm=enums.HashingAlgorithm.SHA_256 ), derivation_data=( b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7' b'\xf8\xf9' ), salt=( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0a\x0b\x0c' ) ), template_attribute=objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 336 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) ] ) ) response_payload = e._process_derive_key(payload) e._logger.info.assert_any_call("Processing operation: DeriveKey") e._logger.info.assert_any_call( "Object 1 will be used as the keying material for the derivation " "process." ) e._logger.info.assert_any_call("Created a SymmetricKey with ID: 2") self.assertEqual("2", response_payload.unique_identifier) managed_object = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.SymmetricKey.unique_identifier == 2 ).one() self.assertEqual( ( b'\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a' b'\x90\x43\x4f\x64\xd0\x36\x2f\x2a' b'\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c' b'\x5d\xb0\x2d\x56\xec\xc4\xc5\xbf' b'\x34\x00\x72\x08\xd5\xb8\x87\x18' b'\x58\x65' ), managed_object.value ) self.assertEqual( enums.CryptographicAlgorithm.AES, managed_object.cryptographic_algorithm ) self.assertEqual( 336, managed_object.cryptographic_length ) self.assertIsNotNone(managed_object.initial_date) e._logger.reset_mock() base_key = pie_objects.SymmetricKey( algorithm=enums.CryptographicAlgorithm.BLOWFISH, length=128, value=( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() # Derive a SecretData object. payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SECRET_DATA, unique_identifiers=[str(base_key.unique_identifier)], derivation_method=enums.DerivationMethod.ENCRYPT, derivation_parameters=attributes.DerivationParameters( cryptographic_parameters=attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5, hashing_algorithm=enums.HashingAlgorithm.SHA_256, cryptographic_algorithm=( enums.CryptographicAlgorithm.BLOWFISH ) ), initialization_vector=b'\xFE\xDC\xBA\x98\x76\x54\x32\x10', derivation_data=( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ), ), template_attribute=objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 256 ) ] ) ) response_payload = e._process_derive_key(payload) e._logger.info.assert_any_call("Processing operation: DeriveKey") e._logger.info.assert_any_call( "Object 3 will be used as the keying material for the derivation " "process." ) e._logger.info.assert_any_call("Created a SecretData with ID: 4") self.assertEqual("4", response_payload.unique_identifier) managed_object = e._data_session.query( pie_objects.SecretData ).filter( pie_objects.SecretData.unique_identifier == 4 ).one() self.assertEqual( ( b'\x6B\x77\xB4\xD6\x30\x06\xDE\xE6' b'\x05\xB1\x56\xE2\x74\x03\x97\x93' b'\x58\xDE\xB9\xE7\x15\x46\x16\xD9' b'\x74\x9D\xEC\xBE\xC0\x5D\x26\x4B' ), managed_object.value ) self.assertEqual(enums.SecretDataType.SEED, managed_object.data_type) self.assertIsNotNone(managed_object.initial_date) def test_derive_key_invalid_derivation_type(self): """ Test that the right error is thrown when an invalid derivation type is provided with a DeriveKey request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.CERTIFICATE ) args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "Key derivation can only generate a SymmetricKey or SecretData " "object.", e._process_derive_key, *args ) def test_derive_key_invalid_base_key(self): """ Test that the right error is thrown when an object not suitable for key derivation is provided as the base key with a DeriveKey request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() invalid_key = pie_objects.OpaqueObject( b'\x01\x02\x04\x08\x10\x20\x40\x80', enums.OpaqueDataType.NONE ) e._data_session.add(invalid_key) e._data_session.commit() e._data_session = e._data_store_session_factory() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SECRET_DATA, unique_identifiers=[str(invalid_key.unique_identifier)] ) args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "Object 1 is not a suitable type for key derivation. Please " "specify a key or secret data.", e._process_derive_key, *args ) def test_derive_key_non_derivable_base_key(self): """ Test that the right error is thrown when an object suitable for key derivation but not marked as such is provided as the base key with a DeriveKey request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() base_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SECRET_DATA, unique_identifiers=[str(base_key.unique_identifier)] ) args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "The DeriveKey bit must be set in the cryptographic usage mask " "for object 1 for it to be used in key derivation.", e._process_derive_key, *args ) def test_derive_key_alternate_derivation_data(self): """ Test that a DeriveKey request can be processed correctly by specifying multiple base objects and no derivation data. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() base_key = pie_objects.SymmetricKey( algorithm=enums.CryptographicAlgorithm.HMAC_SHA256, length=176, value=( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b' ), masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() base_data = pie_objects.SecretData( value=( b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7' b'\xf8\xf9' ), data_type=enums.SecretDataType.SEED, masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_data) e._data_session.commit() e._data_session = e._data_store_session_factory() attribute_factory = factory.AttributeFactory() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SYMMETRIC_KEY, unique_identifiers=[ str(base_key.unique_identifier), str(base_data.unique_identifier) ], derivation_method=enums.DerivationMethod.HMAC, derivation_parameters=attributes.DerivationParameters( cryptographic_parameters=attributes.CryptographicParameters( hashing_algorithm=enums.HashingAlgorithm.SHA_256 ), salt=( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0a\x0b\x0c' ) ), template_attribute=objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 336 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) ] ) ) response_payload = e._process_derive_key(payload) e._logger.info.assert_any_call("Processing operation: DeriveKey") e._logger.info.assert_any_call( "2 derivation objects specified with the DeriveKey request." ) e._logger.info.assert_any_call( "Object 1 will be used as the keying material for the derivation " "process." ) e._logger.info.assert_any_call( "Object 2 will be used as the derivation data for the derivation " "process." ) e._logger.info.assert_any_call("Created a SymmetricKey with ID: 3") self.assertEqual("3", response_payload.unique_identifier) managed_object = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.SymmetricKey.unique_identifier == 3 ).one() self.assertEqual( ( b'\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a' b'\x90\x43\x4f\x64\xd0\x36\x2f\x2a' b'\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c' b'\x5d\xb0\x2d\x56\xec\xc4\xc5\xbf' b'\x34\x00\x72\x08\xd5\xb8\x87\x18' b'\x58\x65' ), managed_object.value ) self.assertEqual( enums.CryptographicAlgorithm.AES, managed_object.cryptographic_algorithm ) self.assertEqual( 336, managed_object.cryptographic_length ) self.assertIsNotNone(managed_object.initial_date) def test_derive_key_unspecified_iv(self): """ """ self.skip('') def test_derive_key_missing_cryptographic_length(self): """ Test that the right error is thrown when the cryptographic length is missing from a DeriveKey request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() base_key = pie_objects.SymmetricKey( algorithm=enums.CryptographicAlgorithm.HMAC_SHA256, length=160, value=( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b' ), masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() attribute_factory = factory.AttributeFactory() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SYMMETRIC_KEY, unique_identifiers=[str(base_key.unique_identifier)], derivation_method=enums.DerivationMethod.HMAC, derivation_parameters=attributes.DerivationParameters( cryptographic_parameters=attributes.CryptographicParameters( hashing_algorithm=enums.HashingAlgorithm.SHA_256 ), derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65', ), template_attribute=objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) ] ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "The cryptographic length must be provided in the template " "attribute.", e._process_derive_key, *args ) def test_derive_key_invalid_cryptographic_length(self): """ Test that the right error is thrown when an invalid cryptographic length is provided with a DeriveKey request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() base_key = pie_objects.SymmetricKey( algorithm=enums.CryptographicAlgorithm.HMAC_SHA256, length=160, value=( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b' ), masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() attribute_factory = factory.AttributeFactory() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SYMMETRIC_KEY, unique_identifiers=[str(base_key.unique_identifier)], derivation_method=enums.DerivationMethod.HMAC, derivation_parameters=attributes.DerivationParameters( cryptographic_parameters=attributes.CryptographicParameters( hashing_algorithm=enums.HashingAlgorithm.SHA_256 ), derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65', ), template_attribute=objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 123 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) ] ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "The cryptographic length must correspond to a valid number of " "bytes \(i.e., it must be a multiple of 8\).", e._process_derive_key, *args ) def test_derive_key_missing_cryptographic_algorithm(self): """ Test that the right error is thrown when the cryptographic algorithm is missing from a DeriveKey request when deriving a symmetric key. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() base_key = pie_objects.SymmetricKey( algorithm=enums.CryptographicAlgorithm.HMAC_SHA256, length=160, value=( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b' ), masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() attribute_factory = factory.AttributeFactory() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SYMMETRIC_KEY, unique_identifiers=[str(base_key.unique_identifier)], derivation_method=enums.DerivationMethod.HMAC, derivation_parameters=attributes.DerivationParameters( cryptographic_parameters=attributes.CryptographicParameters( hashing_algorithm=enums.HashingAlgorithm.SHA_256 ), derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65', ), template_attribute=objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 256 ) ] ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "The cryptographic algorithm must be provided in the template " "attribute when deriving a symmetric key.", e._process_derive_key, *args ) def test_derive_key_oversized_cryptographic_length(self): """ Test that the right error is thrown when an invalid cryptographic length is provided with a DeriveKey request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() base_key = pie_objects.SymmetricKey( algorithm=enums.CryptographicAlgorithm.HMAC_SHA256, length=160, value=( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b' ), masks=[enums.CryptographicUsageMask.DERIVE_KEY] ) e._data_session.add(base_key) e._data_session.commit() e._data_session = e._data_store_session_factory() e._cryptography_engine = mock.MagicMock() e._cryptography_engine.derive_key.return_value = b'' attribute_factory = factory.AttributeFactory() payload = derive_key.DeriveKeyRequestPayload( object_type=enums.ObjectType.SYMMETRIC_KEY, unique_identifiers=[str(base_key.unique_identifier)], derivation_method=enums.DerivationMethod.HMAC, derivation_parameters=attributes.DerivationParameters( cryptographic_parameters=attributes.CryptographicParameters( hashing_algorithm=enums.HashingAlgorithm.SHA_256 ), derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65', ), template_attribute=objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 256 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) ] ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.CryptographicFailure, "The specified length exceeds the output of the derivation " "method.", e._process_derive_key, *args ) def test_locate(self): """ Test that a Locate request can be processed correctly. """ # TODO Need add more extensive tests after locate operaton is # fully supported e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) # locate should return nothing at beginning payload = locate.LocateRequestPayload() response_payload = e._process_locate(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Locate" ) self.assertEqual( len(response_payload.unique_identifiers), 0 ) # Add the first obj and test the locate e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) payload = locate.LocateRequestPayload() e._logger.reset_mock() response_payload = e._process_locate(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Locate" ) self.assertEqual( len(response_payload.unique_identifiers), 1 ) self.assertEqual( id_a, response_payload.unique_identifiers[0].value ) # Add the second obj and test the locate e._data_session.add(obj_b) e._data_session.commit() e._data_session = e._data_store_session_factory() id_b = str(obj_b.unique_identifier) payload = locate.LocateRequestPayload() e._logger.reset_mock() response_payload = e._process_locate(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Locate" ) self.assertEqual( len(response_payload.unique_identifiers), 2 ) self.assertIn( id_a, [uid.value for uid in response_payload.unique_identifiers] ) self.assertIn( id_b, [uid.value for uid in response_payload.unique_identifiers] ) def test_locate_with_name(self): """ Test locate operation when 'Name' attribute is given. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00') obj_a = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, key, name='name0') obj_b = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.DES, 128, key, name='name0') obj_c = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, key, name='name1') e._data_session.add(obj_a) e._data_session.add(obj_b) e._data_session.add(obj_c) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) id_b = str(obj_b.unique_identifier) id_c = str(obj_c.unique_identifier) attribute_factory = factory.AttributeFactory() # Locate the obj with name 'name0' attrs = [ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'name0', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), ] payload = locate.LocateRequestPayload(attributes=attrs) e._logger.reset_mock() response_payload = e._process_locate(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Locate" ) self.assertEqual( len(response_payload.unique_identifiers), 2 ) self.assertIn( id_a, [uid.value for uid in response_payload.unique_identifiers] ) self.assertIn( id_b, [uid.value for uid in response_payload.unique_identifiers] ) # Locate the obj with name 'name1' attrs = [ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'name1', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), ] payload = locate.LocateRequestPayload(attributes=attrs) e._logger.reset_mock() response_payload = e._process_locate(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Locate" ) self.assertEqual( len(response_payload.unique_identifiers), 1 ) self.assertIn( id_c, [uid.value for uid in response_payload.unique_identifiers] ) def test_get(self): """ Test that a Get request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) e._data_session.add(obj_a) e._data_session.add(obj_b) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) id_b = str(obj_b.unique_identifier) # Test by specifying the ID of the object to get. payload = get.GetRequestPayload(unique_identifier=id_a) response_payload = e._process_get(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Get" ) self.assertEqual( enums.ObjectType.OPAQUE_DATA, response_payload.object_type ) self.assertEqual(str(id_a), response_payload.unique_identifier) self.assertIsInstance(response_payload.secret, secrets.OpaqueObject) self.assertEqual( enums.OpaqueDataType.NONE, response_payload.secret.opaque_data_type.value ) self.assertEqual( b'', response_payload.secret.opaque_data_value.value ) e._data_session.commit() e._data_store_session_factory() e._logger.reset_mock() e._id_placeholder = str(id_b) # Test by using the ID placeholder to specify the object to get. payload = get.GetRequestPayload() response_payload = e._process_get(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Get" ) self.assertEqual( enums.ObjectType.OPAQUE_DATA, response_payload.object_type ) self.assertEqual(str(id_b), response_payload.unique_identifier) self.assertIsInstance(response_payload.secret, secrets.OpaqueObject) self.assertEqual( enums.OpaqueDataType.NONE, response_payload.secret.opaque_data_type.value ) self.assertEqual( b'', response_payload.secret.opaque_data_value.value ) e._data_session.commit() def test_get_unsupported_key_compression(self): """ Test that the right error is generated when key compression is provided in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() # Test that specifying the key compression type generates an error. k = enums.KeyCompressionType.EC_PUBLIC_KEY_TYPE_UNCOMPRESSED payload = get.GetRequestPayload(key_compression_type=k) args = (payload, ) regex = "Key compression is not supported." six.assertRaisesRegex( self, exceptions.KeyCompressionTypeNotSupported, regex, e._process_get, *args ) e._logger.info.assert_any_call( "Processing operation: Get" ) def test_get_with_key_format_type(self): """ Test that the key format type is handled properly in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() obj_a = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) # Test that a key can be retrieved with the right key format. payload = get.GetRequestPayload( unique_identifier=id_a, key_format_type=enums.KeyFormatType.RAW ) response_payload = e._process_get(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Get" ) self.assertIsInstance(response_payload.secret, secrets.SymmetricKey) self.assertEqual( enums.CryptographicAlgorithm.AES, response_payload.secret.key_block.cryptographic_algorithm.value ) self.assertEqual( 0, response_payload.secret.key_block.cryptographic_length.value ) self.assertEqual( b'', response_payload.secret.key_block.key_value.key_material.value ) self.assertEqual( enums.KeyFormatType.RAW, response_payload.secret.key_block.key_format_type.value ) # Test that an error is generated when a key format conversion is # required. e._logger.reset_mock() payload = get.GetRequestPayload( unique_identifier=id_a, key_format_type=enums.KeyFormatType.OPAQUE ) args = (payload, ) regex = "Key format conversion from RAW to OPAQUE is unsupported." six.assertRaisesRegex( self, exceptions.KeyFormatTypeNotSupported, regex, e._process_get, *args ) e._logger.info.assert_any_call( "Processing operation: Get" ) # Test that an error is generated when a key format is requested but # does not apply to the given managed object. e._data_session = e._data_store_session_factory() e._logger.reset_mock() obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) e._data_session.add(obj_b) e._data_session.commit() e._data_session = e._data_store_session_factory() id_b = str(obj_b.unique_identifier) payload = get.GetRequestPayload( unique_identifier=id_b, key_format_type=enums.KeyFormatType.RAW ) args = (payload, ) regex = "Key format is not applicable to the specified object." six.assertRaisesRegex( self, exceptions.KeyFormatTypeNotSupported, regex, e._process_get, *args ) e._logger.info.assert_any_call( "Processing operation: Get" ) def test_get_not_allowed_by_policy(self): """ Test that an unallowed request is handled correctly by Get. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._client_identity = 'test' obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_a._owner = 'admin' e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) payload = get.GetRequestPayload(unique_identifier=id_a) # Test by specifying the ID of the object to get. args = [payload] six.assertRaisesRegex( self, exceptions.ItemNotFound, "Could not locate object: {0}".format(id_a), e._process_get, *args ) def test_get_wrapped_key(self): """ Test that a Get request for a wrapped key can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.WRAP_KEY] ) wrapping_key.state = enums.State.ACTIVE unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encryption_key_information=objects.EncryptionKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.NO_ENCODING ) ) response_payload = e._process_get(payload) e._logger.info.assert_any_call("Processing operation: Get") e._logger.info.assert_any_call( "Wrapping SymmetricKey 2 with SymmetricKey 1." ) self.assertEqual( enums.ObjectType.SYMMETRIC_KEY, response_payload.object_type ) self.assertEqual( unwrapped_key_uuid, response_payload.unique_identifier ) self.assertIsInstance( response_payload.secret, secrets.SymmetricKey ) self.assertEqual( ( b'\x1F\xA6\x8B\x0A\x81\x12\xB4\x47' b'\xAE\xF3\x4B\xD8\xFB\x5A\x7B\x82' b'\x9D\x3E\x86\x23\x71\xD2\xCF\xE5' ), response_payload.secret.key_block.key_value.key_material.value ) self.assertIsInstance( response_payload.secret.key_block.key_wrapping_data, objects.KeyWrappingData ) k = response_payload.secret.key_block.key_wrapping_data self.assertEqual( enums.WrappingMethod.ENCRYPT, k.wrapping_method ) self.assertIsInstance( k.encryption_key_information, objects.EncryptionKeyInformation ) self.assertEqual( '1', k.encryption_key_information.unique_identifier ) self.assertIsInstance( k.encryption_key_information.cryptographic_parameters, attributes.CryptographicParameters ) c = k.encryption_key_information.cryptographic_parameters self.assertEqual( enums.BlockCipherMode.NIST_KEY_WRAP, c.block_cipher_mode ) self.assertEqual( enums.EncodingOption.NO_ENCODING, k.encoding_option ) def test_get_wrapped_key_unsupported_mac_sig(self): """ Test that the right error is thrown when key wrapping is requested via MAC/signing in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.WRAP_KEY] ) wrapping_key.state = enums.State.ACTIVE unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.MAC_SIGN, mac_signature_key_information=objects. MACSignatureKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.OperationNotSupported, "Wrapping method '{0}' is not supported.".format( enums.WrappingMethod.MAC_SIGN ), e._process_get, *args ) def test_get_wrapped_key_unsupported_mac_sign_key_info(self): """ Test that the right error is thrown when key wrapping is requested with MAC/signing key information in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.WRAP_KEY] ) wrapping_key.state = enums.State.ACTIVE unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, mac_signature_key_information=objects. MACSignatureKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.PermissionDenied, "Key wrapping with MAC/signing key information is not supported.", e._process_get, *args ) def test_get_wrapped_key_missing_key_information(self): """ Test that the right error is thrown when key wrapping is requested with no settings in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unwrapped_key_uuid = str(unwrapped_key.unique_identifier) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.PermissionDenied, "Either the encryption key information or the MAC/signature key " "information must be specified for key wrapping to be performed.", e._process_get, *args ) def test_get_wrapped_key_nonexistent_wrapping_key(self): """ Test that the right error is thrown when key wrapping is requested with a nonexistent wrapping key in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encryption_key_information=objects.EncryptionKeyInformation( unique_identifier='invalid', cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.ItemNotFound, "Wrapping key does not exist.", e._process_get, *args ) def test_get_wrapped_key_non_wrapping_key(self): """ Test that the right error is thrown when key wrapping is requested with a non-wrapping key in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SecretData( ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), enums.SecretDataType.SEED, masks=[enums.CryptographicUsageMask.WRAP_KEY] ) wrapping_key.state = enums.State.ACTIVE unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encryption_key_information=objects.EncryptionKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.IllegalOperation, "The wrapping encryption key specified by the encryption key " "information is not a key.", e._process_get, *args ) def test_get_wrapped_key_inactive_wrapping_key(self): """ Test that the right error is thrown when key wrapping is requested with an inactive wrapping key in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.WRAP_KEY] ) unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encryption_key_information=objects.EncryptionKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.PermissionDenied, "Encryption key 1 must be activated to be used for key " "wrapping.", e._process_get, *args ) def test_get_wrapped_key_invalid_wrapping_key(self): """ Test that the right error is thrown when key wrapping is requested with a wrapping key not designated for key wrapping in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.ENCRYPT] ) wrapping_key.state = enums.State.ACTIVE unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encryption_key_information=objects.EncryptionKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.PermissionDenied, "The WrapKey bit must be set in the cryptographic usage mask of " "encryption key 1 for it to be used for key wrapping.", e._process_get, *args ) def test_get_wrapped_key_unsupported_attribute_wrapping(self): """ Test that the right error is thrown when key wrapping is requested with attribute names in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.WRAP_KEY] ) wrapping_key.state = enums.State.ACTIVE unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encryption_key_information=objects.EncryptionKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), attribute_names=['Cryptographic Algorithm'], encoding_option=enums.EncodingOption.NO_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.IllegalOperation, "Wrapping object attributes is not supported.", e._process_get, *args ) def test_get_wrapped_key_invalid_encoding(self): """ Test that the right error is thrown when key wrapping is requested with an unsupported encoding option in a Get request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() wrapping_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), [enums.CryptographicUsageMask.WRAP_KEY] ) wrapping_key.state = enums.State.ACTIVE unwrapped_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 128, ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(wrapping_key) e._data_session.add(unwrapped_key) e._data_session.commit() e._data_session = e._data_store_session_factory() wrapping_key_uuid = str(wrapping_key.unique_identifier) unwrapped_key_uuid = str(unwrapped_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP ) payload = get.GetRequestPayload( unique_identifier=unwrapped_key_uuid, key_wrapping_specification=objects.KeyWrappingSpecification( wrapping_method=enums.WrappingMethod.ENCRYPT, encryption_key_information=objects.EncryptionKeyInformation( unique_identifier=wrapping_key_uuid, cryptographic_parameters=cryptographic_parameters ), encoding_option=enums.EncodingOption.TTLV_ENCODING ) ) args = (payload, ) self.assertRaisesRegexp( exceptions.EncodingOptionError, "Encoding option '{0}' is not supported.".format( enums.EncodingOption.TTLV_ENCODING ), e._process_get, *args ) def test_get_attributes(self): """ Test that a GetAttributes request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() secret = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(secret) e._data_session.commit() e._data_session = e._data_store_session_factory() payload = get_attributes.GetAttributesRequestPayload( unique_identifier='1', attribute_names=['Object Type', 'Cryptographic Algorithm'] ) response_payload = e._process_get_attributes(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: GetAttributes" ) self.assertEqual( '1', response_payload.unique_identifier ) self.assertEqual( 2, len(response_payload.attributes) ) attribute_factory = factory.AttributeFactory() attribute = attribute_factory.create_attribute( enums.AttributeType.OBJECT_TYPE, enums.ObjectType.SYMMETRIC_KEY ) self.assertIn(attribute, response_payload.attributes) attribute = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) self.assertIn(attribute, response_payload.attributes) def test_get_attributes_with_no_arguments(self): """ Test that a GetAttributes request with no arguments can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() secret = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(secret) e._data_session.commit() e._data_session = e._data_store_session_factory() e._id_placeholder = '1' payload = get_attributes.GetAttributesRequestPayload() response_payload = e._process_get_attributes(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: GetAttributes" ) self.assertEqual( '1', response_payload.unique_identifier ) self.assertEqual( 9, len(response_payload.attributes) ) attribute_factory = factory.AttributeFactory() attribute = attribute_factory.create_attribute( enums.AttributeType.OBJECT_TYPE, enums.ObjectType.SYMMETRIC_KEY ) self.assertIn(attribute, response_payload.attributes) attribute = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ) self.assertIn(attribute, response_payload.attributes) attribute = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 0 ) self.assertIn(attribute, response_payload.attributes) attribute = attribute_factory.create_attribute( enums.AttributeType.OPERATION_POLICY_NAME, 'default' ) self.assertIn(attribute, response_payload.attributes) attribute = attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [] ) self.assertIn(attribute, response_payload.attributes) attribute = attribute_factory.create_attribute( enums.AttributeType.STATE, enums.State.PRE_ACTIVE ) self.assertIn(attribute, response_payload.attributes) attribute = attribute_factory.create_attribute( enums.AttributeType.UNIQUE_IDENTIFIER, '1' ) self.assertIn(attribute, response_payload.attributes) def test_get_attributes_not_allowed_by_policy(self): """ Test that an unallowed request is handled correctly by GetAttributes. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._client_identity = 'test' obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_a._owner = 'admin' e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) payload = get_attributes.GetAttributesRequestPayload( unique_identifier=id_a ) # Test by specifying the ID of the object whose attributes should # be retrieved. args = [payload] self.assertRaisesRegex( exceptions.ItemNotFound, "Could not locate object: {0}".format(id_a), e._process_get_attributes, *args ) def test_get_attribute_list(self): """ Test that a GetAttributeList request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() secret = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(secret) e._data_session.commit() e._data_session = e._data_store_session_factory() payload = get_attribute_list.GetAttributeListRequestPayload( unique_identifier='1' ) response_payload = e._process_get_attribute_list(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: GetAttributeList" ) self.assertEqual( '1', response_payload.unique_identifier ) self.assertEqual( 9, len(response_payload.attribute_names) ) self.assertIn( "Object Type", response_payload.attribute_names ) self.assertIn( "Name", response_payload.attribute_names ) self.assertIn( "Cryptographic Algorithm", response_payload.attribute_names ) self.assertIn( "Cryptographic Length", response_payload.attribute_names ) self.assertIn( "Operation Policy Name", response_payload.attribute_names ) self.assertIn( "Cryptographic Usage Mask", response_payload.attribute_names ) self.assertIn( "State", response_payload.attribute_names ) self.assertIn( "Unique Identifier", response_payload.attribute_names ) self.assertIn( "Initial Date", response_payload.attribute_names ) def test_get_attribute_list_with_no_arguments(self): """ Test that a GetAttributeList request with no arguments can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() secret = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(secret) e._data_session.commit() e._data_session = e._data_store_session_factory() e._id_placeholder = '1' payload = get_attribute_list.GetAttributeListRequestPayload() response_payload = e._process_get_attribute_list(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: GetAttributeList" ) self.assertEqual( '1', response_payload.unique_identifier ) self.assertEqual( 9, len(response_payload.attribute_names) ) self.assertIn( "Object Type", response_payload.attribute_names ) self.assertIn( "Name", response_payload.attribute_names ) self.assertIn( "Cryptographic Algorithm", response_payload.attribute_names ) self.assertIn( "Cryptographic Length", response_payload.attribute_names ) self.assertIn( "Operation Policy Name", response_payload.attribute_names ) self.assertIn( "Cryptographic Usage Mask", response_payload.attribute_names ) self.assertIn( "State", response_payload.attribute_names ) self.assertIn( "Unique Identifier", response_payload.attribute_names ) self.assertIn( "Initial Date", response_payload.attribute_names ) def test_get_attribute_list_not_allowed_by_policy(self): """ Test that an unallowed request is handled correctly by GetAttributeList. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._client_identity = 'test' obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_a._owner = 'admin' e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) payload = get_attribute_list.GetAttributeListRequestPayload( unique_identifier=id_a ) # Test by specifying the ID of the object whose attributes should # be retrieved. args = [payload] self.assertRaisesRegex( exceptions.ItemNotFound, "Could not locate object: {0}".format(id_a), e._process_get_attribute_list, *args ) def test_activate(self): """ Test that an Activate request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(managed_object) e._data_session.commit() e._data_session = e._data_store_session_factory() self.assertEqual(enums.State.PRE_ACTIVE, managed_object.state) object_id = str(managed_object.unique_identifier) # Test by specifying the ID of the object to activate. payload = activate.ActivateRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id) ) response_payload = e._process_activate(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Activate" ) self.assertEqual( str(object_id), response_payload.unique_identifier.value ) symmetric_key = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.ManagedObject.unique_identifier == object_id ).one() self.assertEqual(enums.State.ACTIVE, symmetric_key.state) args = (payload,) regex = "The object state is not pre-active and cannot be activated." self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_activate, *args ) # Test that the ID placeholder can also be used to specify activation. e._id_placeholder = str(object_id) payload = activate.ActivateRequestPayload() args = (payload,) regex = "The object state is not pre-active and cannot be activated." self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_activate, *args ) def test_activate_on_static_object(self): """ Test that the right error is generated when an activation request is received for an object that cannot be activated. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.OpaqueObject( b'', enums.OpaqueDataType.NONE ) e._data_session.add(managed_object) e._data_session.commit() e._data_session = e._data_store_session_factory() object_id = str(managed_object.unique_identifier) # Test by specifying the ID of the object to activate. payload = activate.ActivateRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id) ) args = (payload,) name = enums.ObjectType.OPAQUE_DATA.name regex = "An {0} object has no state and cannot be activated.".format( ''.join( [x.capitalize() for x in name.split('_')] ) ) self.assertRaisesRegexp( exceptions.IllegalOperation, regex, e._process_activate, *args ) def test_activate_on_active_object(self): """ Test that the right error is generated when an activation request is received for an object that is not pre-active. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) managed_object.state = enums.State.ACTIVE e._data_session.add(managed_object) e._data_session.commit() e._data_session = e._data_store_session_factory() object_id = str(managed_object.unique_identifier) # Test by specifying the ID of the object to activate. payload = activate.ActivateRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id) ) args = (payload,) regex = "The object state is not pre-active and cannot be activated." self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_activate, *args ) def test_activate_not_allowed_by_policy(self): """ Test that an unallowed request is handled correctly by Activate. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._client_identity = 'test' obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_a._owner = 'admin' e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) payload = activate.ActivateRequestPayload( unique_identifier=attributes.UniqueIdentifier(id_a) ) # Test by specifying the ID of the object to activate. args = [payload] self.assertRaisesRegex( exceptions.ItemNotFound, "Could not locate object: {0}".format(id_a), e._process_activate, *args ) def test_revoke(self): """ Test that an Revoke request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) managed_object.state = enums.State.ACTIVE e._data_session.add(managed_object) e._data_session.commit() e._data_session = e._data_store_session_factory() object_id = str(managed_object.unique_identifier) reason_unspecified = objects.RevocationReason( code=enums.RevocationReasonCode.UNSPECIFIED) reason_compromise = objects.RevocationReason( code=enums.RevocationReasonCode.KEY_COMPROMISE) date = primitives.DateTime( tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6) # Test that reason UNSPECIFIED will put object into state # DEACTIVATED payload = revoke.RevokeRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id), revocation_reason=reason_unspecified, compromise_occurrence_date=date) response_payload = e._process_revoke(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Revoke" ) self.assertEqual( str(object_id), response_payload.unique_identifier.value ) symmetric_key = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.ManagedObject.unique_identifier == object_id ).one() self.assertEqual(enums.State.DEACTIVATED, symmetric_key.state) # Test that reason KEY_COMPROMISE will put object not in DESTROYED # state into state COMPROMISED payload = revoke.RevokeRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id), revocation_reason=reason_compromise, compromise_occurrence_date=date) e._logger.reset_mock() response_payload = e._process_revoke(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Revoke" ) self.assertEqual( str(object_id), response_payload.unique_identifier.value ) symmetric_key = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.ManagedObject.unique_identifier == object_id ).one() self.assertEqual(enums.State.COMPROMISED, symmetric_key.state) # Test that reason KEY_COMPROMISE will put object in DESTROYED # state into state DESTROYED_COMPROMISED symmetric_key.state = enums.State.DESTROYED e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.reset_mock() payload = revoke.RevokeRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id), revocation_reason=reason_compromise, compromise_occurrence_date=date) response_payload = e._process_revoke(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Revoke" ) self.assertEqual( str(object_id), response_payload.unique_identifier.value ) symmetric_key = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.ManagedObject.unique_identifier == object_id ).one() self.assertEqual(enums.State.DESTROYED_COMPROMISED, symmetric_key.state) # Test that the ID placeholder can also be used to specify revocation. symmetric_key.state = enums.State.ACTIVE e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.reset_mock() e._id_placeholder = str(object_id) payload = revoke.RevokeRequestPayload( revocation_reason=reason_unspecified, compromise_occurrence_date=date) response_payload = e._process_revoke(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Revoke" ) self.assertEqual( str(object_id), response_payload.unique_identifier.value ) symmetric_key = e._data_session.query( pie_objects.SymmetricKey ).filter( pie_objects.ManagedObject.unique_identifier == object_id ).one() self.assertEqual(enums.State.DEACTIVATED, symmetric_key.state) def test_revoke_missing_revocation_reason(self): """ Test that the right error is generated when a revocation request is received with a missing revocation reason. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(managed_object) e._data_session.commit() e._data_session = e._data_store_session_factory() self.assertEqual(enums.State.PRE_ACTIVE, managed_object.state) object_id = str(managed_object.unique_identifier) date = primitives.DateTime( tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6) payload = revoke.RevokeRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id), revocation_reason=None, compromise_occurrence_date=date) payload.revocation_reason = None args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "revocation reason code must be specified", e._process_revoke, *args ) def test_revoke_on_not_active_object(self): """ Test that the right error is generated when an revocation request is received for an object that is not active with the reason other than KEY_COMPROMISE. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.AES, 0, b'' ) e._data_session.add(managed_object) e._data_session.commit() e._data_session = e._data_store_session_factory() self.assertEqual(enums.State.PRE_ACTIVE, managed_object.state) object_id = str(managed_object.unique_identifier) reason_unspecified = objects.RevocationReason( code=enums.RevocationReasonCode.UNSPECIFIED) date = primitives.DateTime( tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6) payload = revoke.RevokeRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id), revocation_reason=reason_unspecified, compromise_occurrence_date=date) args = (payload, ) regex = "The object is not active and cannot be revoked with " \ "reason other than KEY_COMPROMISE" self.assertRaisesRegexp( exceptions.IllegalOperation, regex, e._process_revoke, *args ) def test_revoke_on_static_object(self): """ Test that the right error is generated when an revoke request is received for an object that cannot be revoked. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() managed_object = pie_objects.OpaqueObject( b'', enums.OpaqueDataType.NONE ) e._data_session.add(managed_object) e._data_session.commit() e._data_session = e._data_store_session_factory() object_id = str(managed_object.unique_identifier) reason_unspecified = objects.RevocationReason( code=enums.RevocationReasonCode.UNSPECIFIED) date = primitives.DateTime( tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6) payload = revoke.RevokeRequestPayload( unique_identifier=attributes.UniqueIdentifier(object_id), revocation_reason=reason_unspecified, compromise_occurrence_date=date) args = (payload,) name = enums.ObjectType.OPAQUE_DATA.name regex = "An {0} object has no state and cannot be revoked.".format( ''.join( [x.capitalize() for x in name.split('_')] ) ) self.assertRaisesRegexp( exceptions.IllegalOperation, regex, e._process_revoke, *args ) def test_revoke_not_allowed_by_policy(self): """ Test that an unallowed request is handled correctly by Revoke. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._client_identity = 'test' obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_a._owner = 'admin' e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) reason_unspecified = objects.RevocationReason( code=enums.RevocationReasonCode.UNSPECIFIED) date = primitives.DateTime( tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6) payload = revoke.RevokeRequestPayload( unique_identifier=attributes.UniqueIdentifier(id_a), revocation_reason=reason_unspecified, compromise_occurrence_date=date) args = [payload] self.assertRaisesRegex( exceptions.ItemNotFound, "Could not locate object: {0}".format(id_a), e._process_revoke, *args ) def test_destroy(self): """ Test that a Destroy request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00') algorithm = enums.CryptographicAlgorithm.AES obj_c = pie_objects.SymmetricKey(algorithm, 128, key) obj_c.state = enums.State.COMPROMISED e._data_session.add(obj_a) e._data_session.add(obj_b) e._data_session.add(obj_c) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) id_b = str(obj_b.unique_identifier) id_c = str(obj_c.unique_identifier) # Test by specifying the ID of the object to destroy. payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(id_a) ) response_payload = e._process_destroy(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Destroy" ) self.assertEqual(str(id_a), response_payload.unique_identifier.value) args = (payload, ) regex = "Could not locate object: {0}".format(id_a) six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_destroy, *args ) e._data_session.commit() e._data_store_session_factory() e._logger.reset_mock() e._id_placeholder = str(id_b) # Test by using the ID placeholder to specify the object to destroy. payload = destroy.DestroyRequestPayload() response_payload = e._process_destroy(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Destroy" ) self.assertEqual(str(id_b), response_payload.unique_identifier.value) args = (payload, ) regex = "Could not locate object: {0}".format(id_b) six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_destroy, *args ) e._data_session.commit() e._data_store_session_factory() e._logger.reset_mock() # Test that compromised object can be destroyed properly payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(id_c) ) response_payload = e._process_destroy(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Destroy" ) self.assertEqual(str(id_c), response_payload.unique_identifier.value) args = (payload, ) regex = "Could not locate object: {0}".format(id_c) six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_destroy, *args ) e._data_session.commit() def test_destroy_not_allowed_by_policy(self): """ Test that an unallowed request is handled correctly by Destroy. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._client_identity = 'test' obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_a._owner = 'admin' e._data_session.add(obj_a) e._data_session.commit() e._data_session = e._data_store_session_factory() id_a = str(obj_a.unique_identifier) payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(id_a) ) # Test by specifying the ID of the object to destroy. args = [payload] six.assertRaisesRegex( self, exceptions.ItemNotFound, "Could not locate object: {0}".format(id_a), e._process_destroy, *args ) def test_destroy_active_state(self): """ Test that the right error is generated when destroy request is received for an object that is in 'active' state. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00') algorithm = enums.CryptographicAlgorithm.AES obj = pie_objects.SymmetricKey(algorithm, 128, key) obj.state = enums.State.ACTIVE e._data_session.add(obj) e._data_session.commit() e._data_session = e._data_store_session_factory() id = str(obj.unique_identifier) # Test by specifying the ID of the object to destroy. payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(id) ) args = (payload, ) regex = "Object is active and cannot be destroyed." six.assertRaisesRegex( self, exceptions.PermissionDenied, regex, e._process_destroy, *args ) def test_query_1_0(self): """ Test that a Query request can be processed correctly, for KMIP 1.0. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._protocol_version = contents.ProtocolVersion.create(1, 0) payload = query.QueryRequestPayload([ misc.QueryFunction(enums.QueryFunction.QUERY_OPERATIONS), misc.QueryFunction(enums.QueryFunction.QUERY_OBJECTS), misc.QueryFunction( enums.QueryFunction.QUERY_SERVER_INFORMATION ), misc.QueryFunction( enums.QueryFunction.QUERY_APPLICATION_NAMESPACES ), misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_LIST), misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_MAP) ]) result = e._process_query(payload) e._logger.info.assert_called_once_with("Processing operation: Query") self.assertIsInstance(result, query.QueryResponsePayload) self.assertIsNotNone(result.operations) self.assertEqual(11, len(result.operations)) self.assertEqual( enums.Operation.CREATE, result.operations[0].value ) self.assertEqual( enums.Operation.CREATE_KEY_PAIR, result.operations[1].value ) self.assertEqual( enums.Operation.REGISTER, result.operations[2].value ) self.assertEqual( enums.Operation.DERIVE_KEY, result.operations[3].value ) self.assertEqual( enums.Operation.LOCATE, result.operations[4].value ) self.assertEqual( enums.Operation.GET, result.operations[5].value ) self.assertEqual( enums.Operation.GET_ATTRIBUTES, result.operations[6].value ) self.assertEqual( enums.Operation.GET_ATTRIBUTE_LIST, result.operations[7].value ) self.assertEqual( enums.Operation.ACTIVATE, result.operations[8].value ) self.assertEqual( enums.Operation.DESTROY, result.operations[9].value ) self.assertEqual( enums.Operation.QUERY, result.operations[10].value ) self.assertEqual(list(), result.object_types) self.assertIsNotNone(result.vendor_identification) self.assertEqual( "PyKMIP {0} Software Server".format(kmip.__version__), result.vendor_identification.value ) self.assertIsNone(result.server_information) self.assertEqual(list(), result.application_namespaces) self.assertEqual(list(), result.extension_information) def test_query_1_1(self): """ Test that a Query request can be processed correctly, for KMIP 1.1. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._protocol_version = contents.ProtocolVersion.create(1, 1) payload = query.QueryRequestPayload([ misc.QueryFunction(enums.QueryFunction.QUERY_OPERATIONS), misc.QueryFunction(enums.QueryFunction.QUERY_OBJECTS), misc.QueryFunction( enums.QueryFunction.QUERY_SERVER_INFORMATION ), misc.QueryFunction( enums.QueryFunction.QUERY_APPLICATION_NAMESPACES ), misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_LIST), misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_MAP) ]) result = e._process_query(payload) e._logger.info.assert_called_once_with("Processing operation: Query") self.assertIsInstance(result, query.QueryResponsePayload) self.assertIsNotNone(result.operations) self.assertEqual(12, len(result.operations)) self.assertEqual( enums.Operation.CREATE, result.operations[0].value ) self.assertEqual( enums.Operation.CREATE_KEY_PAIR, result.operations[1].value ) self.assertEqual( enums.Operation.REGISTER, result.operations[2].value ) self.assertEqual( enums.Operation.DERIVE_KEY, result.operations[3].value ) self.assertEqual( enums.Operation.LOCATE, result.operations[4].value ) self.assertEqual( enums.Operation.GET, result.operations[5].value ) self.assertEqual( enums.Operation.GET_ATTRIBUTES, result.operations[6].value ) self.assertEqual( enums.Operation.GET_ATTRIBUTE_LIST, result.operations[7].value ) self.assertEqual( enums.Operation.ACTIVATE, result.operations[8].value ) self.assertEqual( enums.Operation.DESTROY, result.operations[9].value ) self.assertEqual( enums.Operation.QUERY, result.operations[10].value ) self.assertEqual( enums.Operation.DISCOVER_VERSIONS, result.operations[11].value ) self.assertEqual(list(), result.object_types) self.assertIsNotNone(result.vendor_identification) self.assertEqual( "PyKMIP {0} Software Server".format(kmip.__version__), result.vendor_identification.value ) self.assertIsNone(result.server_information) self.assertEqual(list(), result.application_namespaces) self.assertEqual(list(), result.extension_information) def test_query_1_2(self): """ Test that a Query request can be processed correctly, for KMIP 1.2. """ e = engine.KmipEngine() e._logger = mock.MagicMock() e._protocol_version = contents.ProtocolVersion.create(1, 2) payload = query.QueryRequestPayload([ misc.QueryFunction(enums.QueryFunction.QUERY_OPERATIONS), misc.QueryFunction(enums.QueryFunction.QUERY_OBJECTS), misc.QueryFunction( enums.QueryFunction.QUERY_SERVER_INFORMATION ), misc.QueryFunction( enums.QueryFunction.QUERY_APPLICATION_NAMESPACES ), misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_LIST), misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_MAP) ]) result = e._process_query(payload) e._logger.info.assert_called_once_with("Processing operation: Query") self.assertIsInstance(result, query.QueryResponsePayload) self.assertIsNotNone(result.operations) self.assertEqual(14, len(result.operations)) self.assertEqual( enums.Operation.CREATE, result.operations[0].value ) self.assertEqual( enums.Operation.CREATE_KEY_PAIR, result.operations[1].value ) self.assertEqual( enums.Operation.REGISTER, result.operations[2].value ) self.assertEqual( enums.Operation.DERIVE_KEY, result.operations[3].value ) self.assertEqual( enums.Operation.LOCATE, result.operations[4].value ) self.assertEqual( enums.Operation.GET, result.operations[5].value ) self.assertEqual( enums.Operation.GET_ATTRIBUTES, result.operations[6].value ) self.assertEqual( enums.Operation.GET_ATTRIBUTE_LIST, result.operations[7].value ) self.assertEqual( enums.Operation.ACTIVATE, result.operations[8].value ) self.assertEqual( enums.Operation.DESTROY, result.operations[9].value ) self.assertEqual( enums.Operation.QUERY, result.operations[10].value ) self.assertEqual( enums.Operation.DISCOVER_VERSIONS, result.operations[11].value ) self.assertEqual( enums.Operation.ENCRYPT, result.operations[12].value ) self.assertEqual( enums.Operation.MAC, result.operations[13].value ) self.assertEqual(list(), result.object_types) self.assertIsNotNone(result.vendor_identification) self.assertEqual( "PyKMIP {0} Software Server".format(kmip.__version__), result.vendor_identification.value ) self.assertIsNone(result.server_information) self.assertEqual(list(), result.application_namespaces) self.assertEqual(list(), result.extension_information) def test_discover_versions(self): """ Test that a DiscoverVersions request can be processed correctly for different inputs. """ e = engine.KmipEngine() # Test default request. e._logger = mock.MagicMock() payload = discover_versions.DiscoverVersionsRequestPayload() result = e._process_discover_versions(payload) e._logger.info.assert_called_once_with( "Processing operation: DiscoverVersions" ) self.assertIsInstance( result, discover_versions.DiscoverVersionsResponsePayload ) self.assertIsNotNone(result.protocol_versions) self.assertEqual(3, len(result.protocol_versions)) self.assertEqual( contents.ProtocolVersion.create(1, 2), result.protocol_versions[0] ) self.assertEqual( contents.ProtocolVersion.create(1, 1), result.protocol_versions[1] ) self.assertEqual( contents.ProtocolVersion.create(1, 0), result.protocol_versions[2] ) # Test detailed request. e._logger = mock.MagicMock() payload = discover_versions.DiscoverVersionsRequestPayload([ contents.ProtocolVersion.create(1, 0) ]) result = e._process_discover_versions(payload) e._logger.info.assert_called_once_with( "Processing operation: DiscoverVersions" ) self.assertIsNotNone(result.protocol_versions) self.assertEqual(1, len(result.protocol_versions)) self.assertEqual( contents.ProtocolVersion.create(1, 0), result.protocol_versions[0] ) # Test disjoint request. e._logger = mock.MagicMock() payload = discover_versions.DiscoverVersionsRequestPayload([ contents.ProtocolVersion.create(0, 1) ]) result = e._process_discover_versions(payload) e._logger.info.assert_called_once_with( "Processing operation: DiscoverVersions" ) self.assertEqual([], result.protocol_versions) def test_encrypt(self): """ Test that an Encrypt request can be processed correctly. The test vectors used here come from Eric Young's test set for Blowfish, via https://www.di-mgt.com.au/cryptopad.html. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() encryption_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.TRIPLE_DES, 128, ( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), [enums.CryptographicUsageMask.ENCRYPT] ) encryption_key.state = enums.State.ACTIVE e._data_session.add(encryption_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unique_identifier = str(encryption_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5, cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH ) data = ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ) iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10' payload = encrypt.EncryptRequestPayload( unique_identifier, cryptographic_parameters, data, iv_counter_nonce ) response_payload = e._process_encrypt(payload) e._logger.info.assert_any_call("Processing operation: Encrypt") self.assertEqual( unique_identifier, response_payload.unique_identifier ) self.assertEqual( ( b'\x6B\x77\xB4\xD6\x30\x06\xDE\xE6' b'\x05\xB1\x56\xE2\x74\x03\x97\x93' b'\x58\xDE\xB9\xE7\x15\x46\x16\xD9' b'\x74\x9D\xEC\xBE\xC0\x5D\x26\x4B' ), response_payload.data ) self.assertIsNone(response_payload.iv_counter_nonce) def test_encrypt_no_iv_counter_nonce(self): """ Test that an Encrypt request can be processed correctly when a specific IV/counter/nonce is not specified. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() encryption_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.TRIPLE_DES, 128, ( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), [enums.CryptographicUsageMask.ENCRYPT] ) encryption_key.state = enums.State.ACTIVE e._data_session.add(encryption_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unique_identifier = str(encryption_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5, cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH ) data = ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ) iv_counter_nonce = None payload = encrypt.EncryptRequestPayload( unique_identifier, cryptographic_parameters, data, iv_counter_nonce ) response_payload = e._process_encrypt(payload) e._logger.info.assert_any_call("Processing operation: Encrypt") self.assertEqual( unique_identifier, response_payload.unique_identifier ) self.assertIsNotNone(response_payload.data) self.assertIsNotNone(response_payload.iv_counter_nonce) def test_encrypt_no_cryptographic_parameters(self): """ Test that the right error is thrown when cryptographic parameters are not provided with an Encrypt request. Note: once the cryptographic parameters can be obtained from the encryption key's attributes, this test should be updated to reflect that. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() encryption_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.TRIPLE_DES, 128, ( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), [enums.CryptographicUsageMask.ENCRYPT] ) encryption_key.state = enums.State.ACTIVE e._data_session.add(encryption_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unique_identifier = str(encryption_key.unique_identifier) cryptographic_parameters = None data = ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ) iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10' payload = encrypt.EncryptRequestPayload( unique_identifier, cryptographic_parameters, data, iv_counter_nonce ) args = (payload, ) self.assertRaisesRegexp( exceptions.InvalidField, "The cryptographic parameters must be specified.", e._process_encrypt, *args ) def test_encrypt_invalid_encryption_key(self): """ Test that the right error is thrown when an invalid encryption key is specified with an Encrypt request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() encryption_key = pie_objects.OpaqueObject( b'\x01\x02\x03\x04', enums.OpaqueDataType.NONE ) e._data_session.add(encryption_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unique_identifier = str(encryption_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5, cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH ) data = ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ) iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10' payload = encrypt.EncryptRequestPayload( unique_identifier, cryptographic_parameters, data, iv_counter_nonce ) args = (payload, ) self.assertRaisesRegexp( exceptions.PermissionDenied, "The requested encryption key is not a symmetric key. " "Only symmetric encryption is currently supported.", e._process_encrypt, *args ) def test_encrypt_inactive_encryption_key(self): """ Test that the right error is thrown when an inactive encryption key is specified with an Encrypt request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() encryption_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.TRIPLE_DES, 128, ( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), [enums.CryptographicUsageMask.ENCRYPT] ) e._data_session.add(encryption_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unique_identifier = str(encryption_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5, cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH ) data = ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ) iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10' payload = encrypt.EncryptRequestPayload( unique_identifier, cryptographic_parameters, data, iv_counter_nonce ) args = (payload,) self.assertRaisesRegexp( exceptions.PermissionDenied, "The encryption key must be in the Active state to be used " "for encryption.", e._process_encrypt, *args ) def test_encrypt_non_encryption_key(self): """ Test that the right error is thrown when a non-encryption key is specified with an Encrypt request. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() encryption_key = pie_objects.SymmetricKey( enums.CryptographicAlgorithm.TRIPLE_DES, 128, ( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), [enums.CryptographicUsageMask.DECRYPT] ) encryption_key.state = enums.State.ACTIVE e._data_session.add(encryption_key) e._data_session.commit() e._data_session = e._data_store_session_factory() unique_identifier = str(encryption_key.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( block_cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5, cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH ) data = ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ) iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10' payload = encrypt.EncryptRequestPayload( unique_identifier, cryptographic_parameters, data, iv_counter_nonce ) args = (payload,) self.assertRaisesRegexp( exceptions.PermissionDenied, "The Encrypt bit must be set in the encryption key's " "cryptographic usage mask.", e._process_encrypt, *args ) def test_mac(self): """ Test that a MAC request can be processed correctly. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00') data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A' b'\x0B\x0C\x0D\x0E\x0F') algorithm_a = enums.CryptographicAlgorithm.AES algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512 obj = pie_objects.SymmetricKey( algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE]) obj.state = enums.State.ACTIVE e._data_session.add(obj) e._data_session.commit() e._data_session = e._data_store_session_factory() uuid = str(obj.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( cryptographic_algorithm=algorithm_b ) # Verify when cryptographic_parameters is specified in request payload = mac.MACRequestPayload( unique_identifier=attributes.UniqueIdentifier(uuid), cryptographic_parameters=cryptographic_parameters, data=objects.Data(data) ) response_payload = e._process_mac(payload) e._logger.info.assert_any_call( "Processing operation: MAC" ) e._cryptography_engine.logger.info.assert_any_call( "Generating a hash-based message authentication code using {0}". format(algorithm_b.name) ) e._cryptography_engine.logger.reset_mock() self.assertEqual(str(uuid), response_payload.unique_identifier.value) self.assertIsInstance(response_payload.mac_data, objects.MACData) # Verify when cryptographic_parameters is not specified in request payload = mac.MACRequestPayload( unique_identifier=attributes.UniqueIdentifier(uuid), cryptographic_parameters=None, data=objects.Data(data) ) response_payload = e._process_mac(payload) e._cryptography_engine.logger.info.assert_any_call( "Generating a cipher-based message authentication code using {0}". format(algorithm_a.name) ) self.assertEqual(str(uuid), response_payload.unique_identifier.value) self.assertIsInstance(response_payload.mac_data, objects.MACData) def test_mac_with_missing_fields(self): """ Test that the right errors are generated when required fields are missing. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00') data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B' b'\x0C\x0D\x0E\x0F') algorithm = enums.CryptographicAlgorithm.AES obj_no_key = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE) obj_no_algorithm = pie_objects.OpaqueObject( key, enums.OpaqueDataType.NONE) e._data_session.add(obj_no_key) e._data_session.add(obj_no_algorithm) e._data_session.commit() e._data_session = e._data_store_session_factory() uuid_no_key = str(obj_no_key.unique_identifier) uuid_no_algorithm = str(obj_no_algorithm.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( cryptographic_algorithm=algorithm ) payload_no_key = mac.MACRequestPayload( unique_identifier=attributes.UniqueIdentifier(uuid_no_key), cryptographic_parameters=cryptographic_parameters, data=objects.Data(data) ) args = (payload_no_key, ) regex = "A secret key value must be specified" self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_mac, *args ) payload_no_algorithm = mac.MACRequestPayload( unique_identifier=attributes.UniqueIdentifier(uuid_no_algorithm), cryptographic_parameters=None, data=objects.Data(data) ) args = (payload_no_algorithm, ) regex = "The cryptographic algorithm must be specified" self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_mac, *args ) payload_no_data = mac.MACRequestPayload( unique_identifier=attributes.UniqueIdentifier(uuid_no_algorithm), cryptographic_parameters=cryptographic_parameters, data=None ) args = (payload_no_data, ) regex = "No data to be MACed" self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_mac, *args ) def test_mac_not_active_state(self): """ Test that the right error is generated when an MAC request is received for an object that is not in 'active' state. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00') data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A' b'\x0B\x0C\x0D\x0E\x0F') algorithm_a = enums.CryptographicAlgorithm.AES algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512 obj = pie_objects.SymmetricKey( algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE]) obj.state = enums.State.PRE_ACTIVE e._data_session.add(obj) e._data_session.commit() e._data_session = e._data_store_session_factory() uuid = str(obj.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( cryptographic_algorithm=algorithm_b ) # Verify when cryptographic_parameters is specified in request payload = mac.MACRequestPayload( unique_identifier=attributes.UniqueIdentifier(uuid), cryptographic_parameters=cryptographic_parameters, data=objects.Data(data) ) args = (payload,) regex = "Object is not in a state that can be used for MACing." self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_mac, *args ) def test_mac_crypto_usage_mask_not_set(self): """ Test that the right error is generated when an MAC request is received for an object without proper crypto usage mask set. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() e._cryptography_engine.logger = mock.MagicMock() key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00') data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A' b'\x0B\x0C\x0D\x0E\x0F') algorithm_a = enums.CryptographicAlgorithm.AES algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512 obj = pie_objects.SymmetricKey( algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_VERIFY]) obj.state = enums.State.ACTIVE e._data_session.add(obj) e._data_session.commit() e._data_session = e._data_store_session_factory() uuid = str(obj.unique_identifier) cryptographic_parameters = attributes.CryptographicParameters( cryptographic_algorithm=algorithm_b ) # Verify when cryptographic_parameters is specified in request payload = mac.MACRequestPayload( unique_identifier=attributes.UniqueIdentifier(uuid), cryptographic_parameters=cryptographic_parameters, data=objects.Data(data) ) args = (payload,) regex = "MAC Generate must be set in the object's cryptographic " \ "usage mask" self.assertRaisesRegexp( exceptions.PermissionDenied, regex, e._process_mac, *args ) def test_create_get_destroy(self): """ Test that a managed object can be created, retrieved, and destroyed without error. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Build a SymmetricKey for registration. object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) template_attribute = objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 256 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) ] ) # Create the symmetric key with the corresponding attributes payload = create.CreateRequestPayload( object_type=object_type, template_attribute=template_attribute ) response_payload = e._process_create(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Create" ) uid = response_payload.unique_identifier.value self.assertEqual('1', uid) e._logger.reset_mock() # Retrieve the created key using Get and verify all fields set payload = get.GetRequestPayload(unique_identifier=uid) response_payload = e._process_get(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Get" ) self.assertEqual( enums.ObjectType.SYMMETRIC_KEY, response_payload.object_type ) self.assertEqual(str(uid), response_payload.unique_identifier) self.assertIsInstance(response_payload.secret, secrets.SymmetricKey) key_block = response_payload.secret.key_block self.assertEqual( 256, len(key_block.key_value.key_material.value) * 8 ) self.assertEqual( enums.KeyFormatType.RAW, key_block.key_format_type.value ) self.assertEqual( enums.CryptographicAlgorithm.AES, key_block.cryptographic_algorithm.value ) self.assertEqual( 256, key_block.cryptographic_length.value ) e._logger.reset_mock() # Destroy the symmetric key and verify it cannot be accessed again payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(uid) ) response_payload = e._process_destroy(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Destroy" ) self.assertEqual(str(uid), response_payload.unique_identifier.value) args = (payload, ) regex = "Could not locate object: {0}".format(uid) six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_destroy, *args ) e._data_session.commit() e._data_store_session_factory() def test_create_key_pair_get_destroy(self): """ Test that a key pair can be created, retrieved, and destroyed without error. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() common_template = objects.CommonTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Asymmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.RSA ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 2048 ) ] ) public_template = objects.PublicKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT ] ) ] ) private_template = objects.PrivateKeyTemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.DECRYPT ] ) ] ) payload = create_key_pair.CreateKeyPairRequestPayload( common_template, private_template, public_template ) response_payload = e._process_create_key_pair(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: CreateKeyPair" ) public_id = response_payload.public_key_uuid.value self.assertEqual('1', public_id) private_id = response_payload.private_key_uuid.value self.assertEqual('2', private_id) e._logger.reset_mock() # Retrieve the created public key using Get and verify all fields set payload = get.GetRequestPayload(unique_identifier=public_id) response_payload = e._process_get(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Get" ) self.assertEqual( enums.ObjectType.PUBLIC_KEY, response_payload.object_type ) self.assertEqual(str(public_id), response_payload.unique_identifier) self.assertIsInstance(response_payload.secret, secrets.PublicKey) key_block = response_payload.secret.key_block self.assertEqual( enums.KeyFormatType.PKCS_1, key_block.key_format_type.value ) self.assertEqual( enums.CryptographicAlgorithm.RSA, key_block.cryptographic_algorithm.value ) self.assertEqual( 2048, key_block.cryptographic_length.value ) e._logger.reset_mock() # Retrieve the created private key using Get and verify all fields set payload = get.GetRequestPayload(unique_identifier=private_id) response_payload = e._process_get(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Get" ) self.assertEqual( enums.ObjectType.PRIVATE_KEY, response_payload.object_type ) self.assertEqual(str(private_id), response_payload.unique_identifier) self.assertIsInstance(response_payload.secret, secrets.PrivateKey) key_block = response_payload.secret.key_block self.assertEqual( enums.KeyFormatType.PKCS_8, key_block.key_format_type.value ) self.assertEqual( enums.CryptographicAlgorithm.RSA, key_block.cryptographic_algorithm.value ) self.assertEqual( 2048, key_block.cryptographic_length.value ) e._data_session.commit() e._data_store_session_factory() e._logger.reset_mock() # Destroy the public key and verify it cannot be accessed again payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(public_id) ) response_payload = e._process_destroy(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Destroy" ) self.assertEqual( str(public_id), response_payload.unique_identifier.value ) e._data_session.commit() e._data_store_session_factory() e._logger.reset_mock() args = (payload, ) regex = "Could not locate object: {0}".format(public_id) six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_destroy, *args ) e._data_session.commit() e._data_store_session_factory() e._logger.reset_mock() # Destroy the private key and verify it cannot be accessed again payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(private_id) ) response_payload = e._process_destroy(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Destroy" ) self.assertEqual( str(private_id), response_payload.unique_identifier.value ) e._data_session.commit() e._data_store_session_factory() e._logger.reset_mock() args = (payload, ) regex = "Could not locate object: {0}".format(private_id) six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_destroy, *args ) e._data_session.commit() e._data_store_session_factory() def test_register_get_destroy(self): """ Test that a managed object can be registered, retrieved, and destroyed without error. """ e = engine.KmipEngine() e._data_store = self.engine e._data_store_session_factory = self.session_factory e._data_session = e._data_store_session_factory() e._logger = mock.MagicMock() attribute_factory = factory.AttributeFactory() # Build a SymmetricKey for registration. object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY) template_attribute = objects.TemplateAttribute( attributes=[ attribute_factory.create_attribute( enums.AttributeType.NAME, attributes.Name.create( 'Test Symmetric Key', enums.NameType.UNINTERPRETED_TEXT_STRING ) ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM, enums.CryptographicAlgorithm.AES ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_LENGTH, 128 ), attribute_factory.create_attribute( enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK, [ enums.CryptographicUsageMask.ENCRYPT, enums.CryptographicUsageMask.DECRYPT ] ) ] ) key_bytes = ( b'\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00\x00\x00\x00' ) secret = secrets.SymmetricKey( key_block=objects.KeyBlock( key_format_type=misc.KeyFormatType(enums.KeyFormatType.RAW), key_value=objects.KeyValue( key_material=objects.KeyMaterial(key_bytes) ), cryptographic_algorithm=attributes.CryptographicAlgorithm( enums.CryptographicAlgorithm.AES ), cryptographic_length=attributes.CryptographicLength(128) ) ) # Register the symmetric key with the corresponding attributes payload = register.RegisterRequestPayload( object_type=object_type, template_attribute=template_attribute, secret=secret ) response_payload = e._process_register(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Register" ) uid = response_payload.unique_identifier.value self.assertEqual('1', uid) e._logger.reset_mock() # Retrieve the registered key using Get and verify all fields set payload = get.GetRequestPayload(unique_identifier=uid) response_payload = e._process_get(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Get" ) self.assertEqual( enums.ObjectType.SYMMETRIC_KEY, response_payload.object_type ) self.assertEqual(str(uid), response_payload.unique_identifier) self.assertIsInstance(response_payload.secret, secrets.SymmetricKey) self.assertEqual( key_bytes, response_payload.secret.key_block.key_value.key_material.value ) self.assertEqual( enums.KeyFormatType.RAW, response_payload.secret.key_block.key_format_type.value ) self.assertEqual( enums.CryptographicAlgorithm.AES, response_payload.secret.key_block.cryptographic_algorithm.value ) self.assertEqual( 128, response_payload.secret.key_block.cryptographic_length.value ) e._logger.reset_mock() # Destroy the symmetric key and verify it cannot be accessed again payload = destroy.DestroyRequestPayload( unique_identifier=attributes.UniqueIdentifier(uid) ) response_payload = e._process_destroy(payload) e._data_session.commit() e._data_session = e._data_store_session_factory() e._logger.info.assert_any_call( "Processing operation: Destroy" ) self.assertEqual(str(uid), response_payload.unique_identifier.value) args = (payload, ) regex = "Could not locate object: {0}".format(uid) six.assertRaisesRegex( self, exceptions.ItemNotFound, regex, e._process_destroy, *args ) e._data_session.commit() e._data_store_session_factory()