7617 lines
254 KiB
Python
7617 lines
254 KiB
Python
# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import six
|
|
import mock
|
|
import shutil
|
|
import sqlalchemy
|
|
|
|
from sqlalchemy.orm import exc
|
|
|
|
import tempfile
|
|
import testtools
|
|
import time
|
|
|
|
import kmip
|
|
|
|
from kmip.core import attributes
|
|
from kmip.core import enums
|
|
from kmip.core import exceptions
|
|
from kmip.core import misc
|
|
from kmip.core import objects
|
|
from kmip.core import primitives
|
|
from kmip.core import secrets
|
|
|
|
from kmip.core.factories import attributes as factory
|
|
|
|
from kmip.core.messages import contents
|
|
from kmip.core.messages import messages
|
|
|
|
from kmip.core.messages.payloads import activate
|
|
from kmip.core.messages.payloads import revoke
|
|
from kmip.core.messages.payloads import create
|
|
from kmip.core.messages.payloads import create_key_pair
|
|
from kmip.core.messages.payloads import derive_key
|
|
from kmip.core.messages.payloads import destroy
|
|
from kmip.core.messages.payloads import discover_versions
|
|
from kmip.core.messages.payloads import encrypt
|
|
from kmip.core.messages.payloads import get
|
|
from kmip.core.messages.payloads import get_attribute_list
|
|
from kmip.core.messages.payloads import get_attributes
|
|
from kmip.core.messages.payloads import query
|
|
from kmip.core.messages.payloads import register
|
|
from kmip.core.messages.payloads import mac
|
|
from kmip.core.messages.payloads import locate
|
|
|
|
from kmip.pie import objects as pie_objects
|
|
from kmip.pie import sqltypes
|
|
|
|
from kmip.services.server import engine
|
|
|
|
|
|
class MockRegexString(str):
|
|
"""
|
|
A comparator string for doing simple containment regex comparisons
|
|
for mock asserts.
|
|
"""
|
|
def __eq__(self, other):
|
|
return self in other
|
|
|
|
|
|
class TestKmipEngine(testtools.TestCase):
|
|
"""
|
|
A test suite for the KmipEngine.
|
|
"""
|
|
|
|
def setUp(self):
|
|
super(TestKmipEngine, self).setUp()
|
|
|
|
self.engine = sqlalchemy.create_engine(
|
|
'sqlite:///:memory:',
|
|
)
|
|
sqltypes.Base.metadata.create_all(self.engine)
|
|
self.session_factory = sqlalchemy.orm.sessionmaker(
|
|
bind=self.engine
|
|
)
|
|
|
|
self.temp_dir = tempfile.mkdtemp()
|
|
self.addCleanup(shutil.rmtree, self.temp_dir)
|
|
|
|
def tearDown(self):
|
|
super(TestKmipEngine, self).tearDown()
|
|
|
|
def _build_request(self):
|
|
payload = discover_versions.DiscoverVersionsRequestPayload()
|
|
batch = [
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
),
|
|
request_payload=payload
|
|
)
|
|
]
|
|
|
|
protocol = contents.ProtocolVersion.create(1, 0)
|
|
max_size = contents.MaximumResponseSize(2 ** 20)
|
|
asynch = contents.AsynchronousIndicator(False)
|
|
|
|
# TODO (peterhamilton) Change this insanity in the substructs.
|
|
username = objects.Credential.UsernamePasswordCredential.Username(
|
|
"tester"
|
|
)
|
|
password = objects.Credential.UsernamePasswordCredential.Password(
|
|
"password"
|
|
)
|
|
creds = objects.Credential.UsernamePasswordCredential(
|
|
username=username,
|
|
password=password
|
|
)
|
|
auth = contents.Authentication(creds)
|
|
|
|
batch_error_option = contents.BatchErrorContinuationOption(
|
|
enums.BatchErrorContinuationOption.STOP
|
|
)
|
|
batch_order_option = contents.BatchOrderOption(True)
|
|
timestamp = contents.TimeStamp(int(time.time()))
|
|
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol,
|
|
maximum_response_size=max_size,
|
|
asynchronous_indicator=asynch,
|
|
authentication=auth,
|
|
batch_error_cont_option=batch_error_option,
|
|
batch_order_option=batch_order_option,
|
|
time_stamp=timestamp,
|
|
batch_count=contents.BatchCount(len(batch))
|
|
)
|
|
|
|
return messages.RequestMessage(
|
|
request_header=header,
|
|
batch_items=batch
|
|
)
|
|
|
|
def test_init(self):
|
|
"""
|
|
Test that a KmipEngine can be instantiated without any errors.
|
|
"""
|
|
engine.KmipEngine()
|
|
|
|
@mock.patch('sqlalchemy.create_engine')
|
|
def test_init_create_engine(self, create_engine_mock):
|
|
"""
|
|
Test that the right arguments are used to create the engine's SQLite
|
|
backend.
|
|
"""
|
|
engine.KmipEngine()
|
|
args = ("sqlite:////tmp/pykmip.database",)
|
|
fargs = {
|
|
'echo': False,
|
|
'connect_args': {'check_same_thread': False}
|
|
}
|
|
create_engine_mock.assert_called_once_with(*args, **fargs)
|
|
|
|
def test_load_operation_policies(self):
|
|
"""
|
|
Test that the KmipEngine can correctly load operation policies.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}'
|
|
)
|
|
|
|
self.assertEqual(2, len(e._operation_policies))
|
|
|
|
e._load_operation_policies(self.temp_dir)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policy files from: {0}".format(
|
|
self.temp_dir
|
|
)
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policies from file: {0}".format(
|
|
policy_file.name
|
|
)
|
|
)
|
|
|
|
self.assertEqual(3, len(e._operation_policies))
|
|
self.assertIn('test', e._operation_policies.keys())
|
|
|
|
test_policy = {
|
|
enums.ObjectType.CERTIFICATE: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
|
|
self.assertEqual(test_policy, e._operation_policies.get('test'))
|
|
|
|
def test_load_operation_policies_with_file_read_error(self):
|
|
"""
|
|
Test that the KmipEngine can correctly handle load errors.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {"INVALID": {"LOCATE": "ALLOW_ALL"}}}'
|
|
)
|
|
|
|
self.assertEqual(2, len(e._operation_policies))
|
|
|
|
e._load_operation_policies(self.temp_dir)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policy files from: {0}".format(
|
|
self.temp_dir
|
|
)
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policies from file: {0}".format(
|
|
policy_file.name
|
|
)
|
|
)
|
|
e._logger.error.assert_called_once_with(
|
|
"A failure occurred while loading policies."
|
|
)
|
|
e._logger.exception.assert_called_once()
|
|
|
|
self.assertEqual(2, len(e._operation_policies))
|
|
|
|
def test_load_operation_policies_with_reserved(self):
|
|
"""
|
|
Test that the KmipEngine can correctly load operation policies, even
|
|
when a policy attempts to overwrite a reserved one.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"public": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}'
|
|
)
|
|
|
|
self.assertEqual(2, len(e._operation_policies))
|
|
|
|
e._load_operation_policies(self.temp_dir)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policy files from: {0}".format(
|
|
self.temp_dir
|
|
)
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policies from file: {0}".format(
|
|
policy_file.name
|
|
)
|
|
)
|
|
e._logger.warning.assert_called_once_with(
|
|
"Loaded policy 'public' overwrites a reserved policy and will "
|
|
"be thrown out."
|
|
)
|
|
|
|
self.assertEqual(2, len(e._operation_policies))
|
|
|
|
def test_load_operation_policies_with_duplicate(self):
|
|
"""
|
|
Test that the KmipEngine can correctly load operation policies, even
|
|
when a policy is defined multiple times.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
policy_file_a = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir
|
|
)
|
|
with open(policy_file_a.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}'
|
|
)
|
|
|
|
policy_file_b = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir
|
|
)
|
|
with open(policy_file_b.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}'
|
|
)
|
|
|
|
self.assertEqual(2, len(e._operation_policies))
|
|
|
|
e._load_operation_policies(self.temp_dir)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policy files from: {0}".format(
|
|
self.temp_dir
|
|
)
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policies from file: {0}".format(
|
|
policy_file_a.name
|
|
)
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Loading user-defined operation policies from file: {0}".format(
|
|
policy_file_b.name
|
|
)
|
|
)
|
|
e._logger.warning.assert_called_once_with(
|
|
"Loaded policy 'test' overwrites a preexisting policy and will "
|
|
"be thrown out."
|
|
)
|
|
|
|
self.assertEqual(3, len(e._operation_policies))
|
|
self.assertIn('test', e._operation_policies.keys())
|
|
|
|
test_policy = {
|
|
enums.ObjectType.CERTIFICATE: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
|
|
self.assertEqual(test_policy, e._operation_policies.get('test'))
|
|
|
|
def test_version_operation_match(self):
|
|
"""
|
|
Test that a valid response is generated when trying to invoke an
|
|
operation supported by a specific version of KMIP.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
payload = discover_versions.DiscoverVersionsRequestPayload()
|
|
e._process_discover_versions(payload)
|
|
|
|
def test_version_operation_mismatch(self):
|
|
"""
|
|
Test that an OperationNotSupported error is generated when trying to
|
|
invoke an operation unsupported by a specific version of KMIP.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
e._protocol_version = contents.ProtocolVersion.create(1, 0)
|
|
|
|
args = (None, )
|
|
regex = "DiscoverVersions is not supported by KMIP {0}".format(
|
|
e._protocol_version
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.OperationNotSupported,
|
|
regex,
|
|
e._process_discover_versions,
|
|
*args
|
|
)
|
|
|
|
def test_process_request(self):
|
|
"""
|
|
Test that a basic request is processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
protocol = contents.ProtocolVersion.create(1, 1)
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol,
|
|
maximum_response_size=contents.MaximumResponseSize(2 ** 20),
|
|
authentication=contents.Authentication(),
|
|
batch_error_cont_option=contents.BatchErrorContinuationOption(
|
|
enums.BatchErrorContinuationOption.STOP
|
|
),
|
|
batch_order_option=contents.BatchOrderOption(True),
|
|
time_stamp=contents.TimeStamp(int(time.time())),
|
|
batch_count=contents.BatchCount(1)
|
|
)
|
|
payload = discover_versions.DiscoverVersionsRequestPayload()
|
|
batch = list([
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
),
|
|
request_payload=payload
|
|
)
|
|
])
|
|
request = messages.RequestMessage(
|
|
request_header=header,
|
|
batch_items=batch
|
|
)
|
|
|
|
response, max_size = e.process_request(request)
|
|
|
|
e._logger.info.assert_any_call(
|
|
MockRegexString("Received request at time:")
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: DiscoverVersions"
|
|
)
|
|
self.assertIsInstance(response, messages.ResponseMessage)
|
|
self.assertEqual(2 ** 20, max_size)
|
|
self.assertIsNotNone(response.response_header)
|
|
|
|
header = response.response_header
|
|
|
|
self.assertIsNotNone(header)
|
|
self.assertEqual(
|
|
contents.ProtocolVersion.create(1, 1),
|
|
header.protocol_version
|
|
)
|
|
self.assertIsInstance(header.time_stamp, contents.TimeStamp)
|
|
self.assertIsInstance(header.batch_count, contents.BatchCount)
|
|
self.assertEqual(1, header.batch_count.value)
|
|
|
|
batch = response.batch_items
|
|
|
|
self.assertNotEqual(list(), batch)
|
|
|
|
batch_item = batch[0]
|
|
|
|
self.assertIsInstance(batch_item.operation, contents.Operation)
|
|
self.assertEqual(
|
|
enums.Operation.DISCOVER_VERSIONS,
|
|
batch_item.operation.value
|
|
)
|
|
self.assertIsNone(batch_item.unique_batch_item_id)
|
|
self.assertEqual(
|
|
enums.ResultStatus.SUCCESS,
|
|
batch_item.result_status.value
|
|
)
|
|
self.assertIsNone(batch_item.result_reason)
|
|
self.assertIsNone(batch_item.result_message)
|
|
self.assertIsNone(batch_item.async_correlation_value)
|
|
self.assertIsInstance(
|
|
batch_item.response_payload,
|
|
discover_versions.DiscoverVersionsResponsePayload
|
|
)
|
|
self.assertIsNone(batch_item.message_extension)
|
|
|
|
def test_process_request_unsupported_version(self):
|
|
"""
|
|
Test that an InvalidMessage exception is raised when processing a
|
|
request using an unsupported KMIP version.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
protocol = contents.ProtocolVersion.create(0, 1)
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol
|
|
)
|
|
request = messages.RequestMessage(
|
|
request_header=header
|
|
)
|
|
|
|
args = (request, )
|
|
regex = "KMIP {0} is not supported by the server.".format(
|
|
protocol
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidMessage,
|
|
regex,
|
|
e.process_request,
|
|
*args
|
|
)
|
|
|
|
def test_process_request_stale_timestamp(self):
|
|
"""
|
|
Test that an InvalidMessage exception is raised when processing a
|
|
request with a stale timestamp.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
protocol = contents.ProtocolVersion.create(1, 0)
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol,
|
|
time_stamp=contents.TimeStamp(0)
|
|
)
|
|
request = messages.RequestMessage(
|
|
request_header=header
|
|
)
|
|
|
|
args = (request, )
|
|
regex = "Stale request rejected by server."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidMessage,
|
|
regex,
|
|
e.process_request,
|
|
*args
|
|
)
|
|
|
|
e._logger.warning.assert_any_call(
|
|
MockRegexString(
|
|
"Received request with old timestamp. Possible replay attack."
|
|
)
|
|
)
|
|
|
|
def test_process_request_future_timestamp(self):
|
|
"""
|
|
Test that an InvalidMessage exception is raised when processing a
|
|
request with a future timestamp.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
protocol = contents.ProtocolVersion.create(1, 0)
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol,
|
|
time_stamp=contents.TimeStamp(10 ** 10)
|
|
)
|
|
request = messages.RequestMessage(
|
|
request_header=header
|
|
)
|
|
|
|
args = (request, )
|
|
regex = "Future request rejected by server."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidMessage,
|
|
regex,
|
|
e.process_request,
|
|
*args
|
|
)
|
|
|
|
e._logger.warning.assert_any_call(
|
|
MockRegexString(
|
|
"Received request with future timestamp."
|
|
)
|
|
)
|
|
|
|
def test_process_request_unsupported_async_indicator(self):
|
|
"""
|
|
Test than an InvalidMessage error is generated while processing a
|
|
batch with an unsupported asynchronous indicator option.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
protocol = contents.ProtocolVersion.create(1, 1)
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol,
|
|
asynchronous_indicator=contents.AsynchronousIndicator(True)
|
|
)
|
|
request = messages.RequestMessage(
|
|
request_header=header,
|
|
)
|
|
|
|
args = (request, )
|
|
regex = "Asynchronous operations are not supported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidMessage,
|
|
regex,
|
|
e.process_request,
|
|
*args
|
|
)
|
|
|
|
def test_process_request_unsupported_batch_option(self):
|
|
"""
|
|
Test that an InvalidMessage error is generated while processing a
|
|
batch with an unsupported batch error continuation option.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
protocol = contents.ProtocolVersion.create(1, 1)
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol,
|
|
authentication=contents.Authentication(),
|
|
batch_error_cont_option=contents.BatchErrorContinuationOption(
|
|
enums.BatchErrorContinuationOption.UNDO
|
|
)
|
|
)
|
|
request = messages.RequestMessage(
|
|
request_header=header,
|
|
)
|
|
|
|
args = (request, )
|
|
regex = "Undo option for batch handling is not supported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidMessage,
|
|
regex,
|
|
e.process_request,
|
|
*args
|
|
)
|
|
|
|
def test_process_request_missing_credential(self):
|
|
"""
|
|
Test that the engine does not immediately error out when retrieving
|
|
a non-existent credential from the request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
protocol = contents.ProtocolVersion.create(1, 1)
|
|
header = messages.RequestHeader(
|
|
protocol_version=protocol,
|
|
authentication=None,
|
|
batch_error_cont_option=contents.BatchErrorContinuationOption(
|
|
enums.BatchErrorContinuationOption.STOP
|
|
),
|
|
batch_order_option=contents.BatchOrderOption(True),
|
|
time_stamp=contents.TimeStamp(int(time.time())),
|
|
batch_count=contents.BatchCount(1)
|
|
)
|
|
payload = discover_versions.DiscoverVersionsRequestPayload()
|
|
batch = list([
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
),
|
|
request_payload=payload
|
|
)
|
|
])
|
|
request = messages.RequestMessage(
|
|
request_header=header,
|
|
batch_items=batch
|
|
)
|
|
|
|
e.process_request(request)
|
|
|
|
def test_build_error_response(self):
|
|
"""
|
|
Test that a bare bones response containing a single error result can
|
|
be constructed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
response = e.build_error_response(
|
|
contents.ProtocolVersion.create(1, 1),
|
|
enums.ResultReason.GENERAL_FAILURE,
|
|
"A general test failure occurred."
|
|
)
|
|
|
|
self.assertIsInstance(response, messages.ResponseMessage)
|
|
|
|
header = response.response_header
|
|
|
|
self.assertEqual(
|
|
contents.ProtocolVersion.create(1, 1),
|
|
header.protocol_version
|
|
)
|
|
self.assertIsNotNone(header.time_stamp)
|
|
self.assertIsNotNone(header.batch_count)
|
|
self.assertEqual(1, header.batch_count.value)
|
|
|
|
batch = response.batch_items
|
|
|
|
self.assertEqual(1, len(batch))
|
|
|
|
batch_item = batch[0]
|
|
|
|
self.assertIsNone(batch_item.operation)
|
|
self.assertIsNone(batch_item.unique_batch_item_id)
|
|
self.assertEqual(
|
|
enums.ResultStatus.OPERATION_FAILED,
|
|
batch_item.result_status.value
|
|
)
|
|
self.assertEqual(
|
|
enums.ResultReason.GENERAL_FAILURE,
|
|
batch_item.result_reason.value
|
|
)
|
|
self.assertEqual(
|
|
"A general test failure occurred.",
|
|
batch_item.result_message.value
|
|
)
|
|
self.assertIsNone(batch_item.async_correlation_value)
|
|
self.assertIsNone(batch_item.response_payload)
|
|
self.assertIsNone(batch_item.message_extension)
|
|
|
|
def test_process_batch(self):
|
|
"""
|
|
Test that a batch is processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
payload = discover_versions.DiscoverVersionsRequestPayload()
|
|
batch = list([
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
),
|
|
request_payload=payload
|
|
)
|
|
])
|
|
|
|
results = e._process_batch(
|
|
batch,
|
|
enums.BatchErrorContinuationOption.STOP,
|
|
True
|
|
)
|
|
|
|
self.assertIsNotNone(results)
|
|
self.assertEqual(1, len(results))
|
|
|
|
def test_process_multibatch(self):
|
|
"""
|
|
Test that a batch containing multiple operations is processed
|
|
correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
payload = discover_versions.DiscoverVersionsRequestPayload()
|
|
batch = list([
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
),
|
|
unique_batch_item_id=contents.UniqueBatchItemID(1),
|
|
request_payload=payload
|
|
),
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
),
|
|
unique_batch_item_id=contents.UniqueBatchItemID(2),
|
|
request_payload=payload
|
|
)
|
|
])
|
|
|
|
results = e._process_batch(
|
|
batch,
|
|
enums.BatchErrorContinuationOption.STOP,
|
|
True
|
|
)
|
|
|
|
self.assertIsNotNone(results)
|
|
self.assertEqual(2, len(results))
|
|
|
|
def test_process_batch_missing_batch_id(self):
|
|
"""
|
|
Test that an InvalidMessage error is generated while processing a
|
|
batch with missing batch IDs.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
batch = list([
|
|
messages.RequestBatchItem(),
|
|
messages.RequestBatchItem()
|
|
])
|
|
|
|
args = (batch, None, None)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidMessage,
|
|
"Batch item ID is undefined.",
|
|
e._process_batch,
|
|
*args
|
|
)
|
|
|
|
def test_process_batch_expected_error(self):
|
|
"""
|
|
Test than an expected KMIP error is handled appropriately while
|
|
processing a batch of operations.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
e._protocol_version = contents.ProtocolVersion.create(1, 0)
|
|
|
|
batch = list([
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
)
|
|
)
|
|
])
|
|
|
|
results = e._process_batch(
|
|
batch,
|
|
enums.BatchErrorContinuationOption.STOP,
|
|
True
|
|
)
|
|
|
|
self.assertIsNotNone(results)
|
|
self.assertEqual(1, len(results))
|
|
|
|
result = results[0]
|
|
|
|
self.assertIsInstance(result, messages.ResponseBatchItem)
|
|
self.assertIsNotNone(result.operation)
|
|
self.assertEqual(
|
|
enums.Operation.DISCOVER_VERSIONS,
|
|
result.operation.value
|
|
)
|
|
self.assertIsNone(result.unique_batch_item_id)
|
|
self.assertIsNotNone(result.result_status)
|
|
self.assertEqual(
|
|
enums.ResultStatus.OPERATION_FAILED,
|
|
result.result_status.value
|
|
)
|
|
self.assertIsNotNone(result.result_reason)
|
|
self.assertEqual(
|
|
enums.ResultReason.OPERATION_NOT_SUPPORTED,
|
|
result.result_reason.value
|
|
)
|
|
self.assertIsNotNone(result.result_message)
|
|
error_message = "DiscoverVersions is not supported by KMIP {0}".format(
|
|
e._protocol_version
|
|
)
|
|
self.assertEqual(error_message, result.result_message.value)
|
|
self.assertIsNone(result.async_correlation_value)
|
|
self.assertIsNone(result.response_payload)
|
|
self.assertIsNone(result.message_extension)
|
|
|
|
def test_process_batch_unexpected_error(self):
|
|
"""
|
|
Test that an unexpected, non-KMIP error is handled appropriately
|
|
while processing a batch of operations.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
test_exception = Exception("A general test failure occurred.")
|
|
e._process_operation = mock.MagicMock(side_effect=test_exception)
|
|
|
|
batch = list([
|
|
messages.RequestBatchItem(
|
|
operation=contents.Operation(
|
|
enums.Operation.DISCOVER_VERSIONS
|
|
)
|
|
)
|
|
])
|
|
|
|
results = e._process_batch(
|
|
batch,
|
|
enums.BatchErrorContinuationOption.STOP,
|
|
True
|
|
)
|
|
|
|
self.assertIsNotNone(results)
|
|
self.assertEqual(1, len(results))
|
|
|
|
result = results[0]
|
|
|
|
e._logger.warning.assert_called_with(
|
|
"Error occurred while processing operation."
|
|
)
|
|
e._logger.exception.assert_called_with(test_exception)
|
|
self.assertIsInstance(result, messages.ResponseBatchItem)
|
|
self.assertIsNotNone(result.operation)
|
|
self.assertEqual(
|
|
enums.Operation.DISCOVER_VERSIONS,
|
|
result.operation.value
|
|
)
|
|
self.assertIsNone(result.unique_batch_item_id)
|
|
self.assertIsNotNone(result.result_status)
|
|
self.assertEqual(
|
|
enums.ResultStatus.OPERATION_FAILED,
|
|
result.result_status.value
|
|
)
|
|
self.assertIsNotNone(result.result_reason)
|
|
self.assertEqual(
|
|
enums.ResultReason.GENERAL_FAILURE,
|
|
result.result_reason.value
|
|
)
|
|
self.assertIsNotNone(result.result_message)
|
|
self.assertEqual(
|
|
"Operation failed. See the server logs for more information.",
|
|
result.result_message.value
|
|
)
|
|
self.assertIsNone(result.async_correlation_value)
|
|
self.assertIsNone(result.response_payload)
|
|
self.assertIsNone(result.message_extension)
|
|
|
|
def test_process_operation(self):
|
|
"""
|
|
Test that the right subroutine is called when invoking operations
|
|
supported by the server.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
e._process_create = mock.MagicMock()
|
|
e._process_create_key_pair = mock.MagicMock()
|
|
e._process_register = mock.MagicMock()
|
|
e._process_locate = mock.MagicMock()
|
|
e._process_get = mock.MagicMock()
|
|
e._process_get_attributes = mock.MagicMock()
|
|
e._process_get_attribute_list = mock.MagicMock()
|
|
e._process_activate = mock.MagicMock()
|
|
e._process_revoke = mock.MagicMock()
|
|
e._process_destroy = mock.MagicMock()
|
|
e._process_query = mock.MagicMock()
|
|
e._process_discover_versions = mock.MagicMock()
|
|
e._process_encrypt = mock.MagicMock()
|
|
e._process_mac = mock.MagicMock()
|
|
|
|
e._process_operation(enums.Operation.CREATE, None)
|
|
e._process_operation(enums.Operation.CREATE_KEY_PAIR, None)
|
|
e._process_operation(enums.Operation.REGISTER, None)
|
|
e._process_operation(enums.Operation.LOCATE, None)
|
|
e._process_operation(enums.Operation.GET, None)
|
|
e._process_operation(enums.Operation.GET_ATTRIBUTES, None)
|
|
e._process_operation(enums.Operation.GET_ATTRIBUTE_LIST, None)
|
|
e._process_operation(enums.Operation.ACTIVATE, None)
|
|
e._process_operation(enums.Operation.REVOKE, None)
|
|
e._process_operation(enums.Operation.DESTROY, None)
|
|
e._process_operation(enums.Operation.QUERY, None)
|
|
e._process_operation(enums.Operation.DISCOVER_VERSIONS, None)
|
|
e._process_operation(enums.Operation.ENCRYPT, None)
|
|
e._process_operation(enums.Operation.MAC, None)
|
|
|
|
e._process_create.assert_called_with(None)
|
|
e._process_create_key_pair.assert_called_with(None)
|
|
e._process_register.assert_called_with(None)
|
|
e._process_locate.assert_called_with(None)
|
|
e._process_get.assert_called_with(None)
|
|
e._process_get_attributes.assert_called_with(None)
|
|
e._process_get_attribute_list.assert_called_with(None)
|
|
e._process_activate.assert_called_with(None)
|
|
e._process_revoke.assert_called_with(None)
|
|
e._process_destroy.assert_called_with(None)
|
|
e._process_query.assert_called_with(None)
|
|
e._process_discover_versions.assert_called_with(None)
|
|
e._process_encrypt.assert_called_with(None)
|
|
e._process_mac.assert_called_with(None)
|
|
|
|
def test_unsupported_operation(self):
|
|
"""
|
|
Test that an OperationNotSupported error is generated when invoking
|
|
an operation not supported by the server.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
args = (enums.Operation.POLL, None)
|
|
regex = "{0} operation is not supported by the server.".format(
|
|
args[0].name.title()
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.OperationNotSupported,
|
|
regex,
|
|
e._process_operation,
|
|
*args
|
|
)
|
|
|
|
def test_get_object_type(self):
|
|
"""
|
|
Test that the object type of a stored object can be retrieved
|
|
correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
|
|
object_type = e._get_object_type(id_a)
|
|
e._data_session.commit()
|
|
|
|
self.assertEqual(pie_objects.OpaqueObject, object_type)
|
|
|
|
def test_get_object_type_missing_object(self):
|
|
"""
|
|
Test that an ItemNotFound error is generated when attempting to
|
|
retrieve the object type of an object that does not exist.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
args = ('1', )
|
|
regex = "Could not locate object: 1"
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._get_object_type,
|
|
*args
|
|
)
|
|
e._data_session.commit()
|
|
e._logger.warning.assert_called_once_with(
|
|
"Could not identify object type for object: 1"
|
|
)
|
|
|
|
def test_get_object_type_multiple_objects(self):
|
|
"""
|
|
Test that a sqlalchemy.orm.exc.MultipleResultsFound error is generated
|
|
when getting the object type of multiple objects map to the same
|
|
object ID.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
test_exception = exc.MultipleResultsFound()
|
|
e._data_session.query = mock.MagicMock(side_effect=test_exception)
|
|
e._logger = mock.MagicMock()
|
|
|
|
args = ('1', )
|
|
self.assertRaises(
|
|
exc.MultipleResultsFound,
|
|
e._get_object_type,
|
|
*args
|
|
)
|
|
e._data_session.commit()
|
|
e._logger.warning.assert_called_once_with(
|
|
"Multiple objects found for ID: 1"
|
|
)
|
|
|
|
def test_get_object_type_unsupported_type(self):
|
|
"""
|
|
Test that an InvalidField error is generated when attempting to
|
|
get the object type of an object with an unsupported object type.
|
|
This should never happen by definition, but "Safety first!"
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._object_map = {enums.ObjectType.OPAQUE_DATA: None}
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
|
|
args = (id_a, )
|
|
name = enums.ObjectType.OPAQUE_DATA.name
|
|
regex = "The {0} object type is not supported.".format(
|
|
''.join(
|
|
[x.capitalize() for x in name.split('_')]
|
|
)
|
|
)
|
|
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._get_object_type,
|
|
*args
|
|
)
|
|
e._data_session.commit()
|
|
|
|
def test_build_core_object(self):
|
|
"""
|
|
Test that kmip.core objects can be built from simpler kmip.pie
|
|
objects.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
# Test building a Certificate.
|
|
managed_object = pie_objects.X509Certificate(value=b'')
|
|
core_object = e._build_core_object(managed_object)
|
|
|
|
self.assertIsInstance(core_object, secrets.Certificate)
|
|
self.assertEqual(
|
|
b'',
|
|
core_object.certificate_value.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CertificateTypeEnum.X_509,
|
|
core_object.certificate_type.value
|
|
)
|
|
|
|
# Test building a Symmetric Key.
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
core_object = e._build_core_object(managed_object)
|
|
|
|
self.assertIsInstance(core_object, secrets.SymmetricKey)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
core_object.key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
0,
|
|
core_object.key_block.cryptographic_length.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
core_object.key_block.key_value.key_material.value
|
|
)
|
|
|
|
# Test building a Public Key.
|
|
managed_object = pie_objects.PublicKey(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
0,
|
|
b''
|
|
)
|
|
core_object = e._build_core_object(managed_object)
|
|
|
|
self.assertIsInstance(core_object, secrets.PublicKey)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
core_object.key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
0,
|
|
core_object.key_block.cryptographic_length.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
core_object.key_block.key_value.key_material.value
|
|
)
|
|
|
|
# Test building a Private Key.
|
|
managed_object = pie_objects.PrivateKey(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
0,
|
|
b'',
|
|
enums.KeyFormatType.PKCS_8
|
|
)
|
|
core_object = e._build_core_object(managed_object)
|
|
|
|
self.assertIsInstance(core_object, secrets.PrivateKey)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
core_object.key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
0,
|
|
core_object.key_block.cryptographic_length.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
core_object.key_block.key_value.key_material.value
|
|
)
|
|
self.assertEqual(
|
|
enums.KeyFormatType.PKCS_8,
|
|
core_object.key_block.key_format_type.value
|
|
)
|
|
|
|
# Test building a Secret Data.
|
|
managed_object = pie_objects.SecretData(
|
|
b'',
|
|
enums.SecretDataType.PASSWORD
|
|
)
|
|
core_object = e._build_core_object(managed_object)
|
|
|
|
self.assertIsInstance(core_object, secrets.SecretData)
|
|
self.assertEqual(
|
|
enums.SecretDataType.PASSWORD,
|
|
core_object.secret_data_type.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
core_object.key_block.key_value.key_material.value
|
|
)
|
|
|
|
# Test building an Opaque Data.
|
|
managed_object = pie_objects.OpaqueObject(
|
|
b'',
|
|
enums.OpaqueDataType.NONE
|
|
)
|
|
core_object = e._build_core_object(managed_object)
|
|
|
|
self.assertIsInstance(core_object, secrets.OpaqueObject)
|
|
self.assertEqual(
|
|
enums.OpaqueDataType.NONE,
|
|
core_object.opaque_data_type.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
core_object.opaque_data_value.value
|
|
)
|
|
|
|
def test_build_core_object_unsupported_type(self):
|
|
"""
|
|
Test that an InvalidField error is generated when building
|
|
kmip.core objects that are unsupported.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
args = (None, )
|
|
regex = "Cannot build an unsupported object type."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._build_core_object,
|
|
*args
|
|
)
|
|
|
|
class DummyObject:
|
|
def __init__(self):
|
|
self._object_type = enums.ObjectType.SPLIT_KEY
|
|
|
|
args = (DummyObject(), )
|
|
regex = "The SplitKey object type is not supported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._build_core_object,
|
|
*args
|
|
)
|
|
|
|
def test_process_template_attribute(self):
|
|
"""
|
|
Test that a template attribute structure can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
name = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
algorithm = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
length = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
128
|
|
)
|
|
mask = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[name, algorithm, length, mask]
|
|
)
|
|
|
|
result = e._process_template_attribute(template_attribute)
|
|
|
|
self.assertIsInstance(result, dict)
|
|
self.assertEqual(4, len(result.keys()))
|
|
self.assertIn('Name', result.keys())
|
|
self.assertIn('Cryptographic Algorithm', result.keys())
|
|
self.assertIn('Cryptographic Length', result.keys())
|
|
self.assertIn('Cryptographic Usage Mask', result.keys())
|
|
|
|
self.assertEqual([name.attribute_value], result.get('Name'))
|
|
self.assertEqual(
|
|
algorithm.attribute_value,
|
|
result.get('Cryptographic Algorithm')
|
|
)
|
|
self.assertEqual(
|
|
length.attribute_value,
|
|
result.get('Cryptographic Length')
|
|
)
|
|
self.assertEqual(
|
|
mask.attribute_value,
|
|
result.get('Cryptographic Usage Mask')
|
|
)
|
|
|
|
def test_process_template_attribute_unsupported_features(self):
|
|
"""
|
|
Test that the right errors are generated when unsupported features
|
|
are referenced while processing a template attribute.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Test that providing template names generates an InvalidField error.
|
|
template_attribute = objects.TemplateAttribute(
|
|
names=[
|
|
attributes.Name.create(
|
|
'invalid',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
]
|
|
)
|
|
|
|
args = (template_attribute, )
|
|
regex = "Attribute templates are not supported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_template_attribute,
|
|
*args
|
|
)
|
|
|
|
# Test that an unrecognized attribute generates an InvalidField error.
|
|
name = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
name.attribute_name.value = 'invalid'
|
|
template_attribute = objects.TemplateAttribute(attributes=[name])
|
|
|
|
args = (template_attribute, )
|
|
regex = "The invalid attribute is unsupported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_template_attribute,
|
|
*args
|
|
)
|
|
|
|
# Test that missing indices generate an InvalidField error.
|
|
name_a = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
name_b = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[name_a, name_b]
|
|
)
|
|
|
|
args = (template_attribute, )
|
|
regex = "Attribute index missing from multivalued attribute."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_template_attribute,
|
|
*args
|
|
)
|
|
|
|
# Test that a non-zero index generates an InvalidField error.
|
|
algorithm = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES,
|
|
1
|
|
)
|
|
template_attribute = objects.TemplateAttribute(attributes=[algorithm])
|
|
|
|
args = (template_attribute, )
|
|
regex = "Non-zero attribute index found for single-valued attribute."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_template_attribute,
|
|
*args
|
|
)
|
|
|
|
# Test that setting multiple values for a single-value attribute
|
|
# generates an InvalidField error.
|
|
algorithm_a = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
algorithm_b = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.TRIPLE_DES
|
|
)
|
|
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[algorithm_a, algorithm_b]
|
|
)
|
|
|
|
args = (template_attribute, )
|
|
regex = (
|
|
"Cannot set multiple instances of the Cryptographic Algorithm "
|
|
"attribute."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.IndexOutOfBounds,
|
|
regex,
|
|
e._process_template_attribute,
|
|
*args
|
|
)
|
|
|
|
def test_get_attributes_from_managed_object(self):
|
|
"""
|
|
Test that multiple attributes can be retrieved from a given managed
|
|
object.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
symmetric_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b'',
|
|
masks=[enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT]
|
|
)
|
|
symmetric_key.names = ['Name 1', 'Name 2']
|
|
|
|
e._data_session.add(symmetric_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
result = e._get_attributes_from_managed_object(
|
|
symmetric_key,
|
|
['Unique Identifier',
|
|
'Name',
|
|
'Cryptographic Algorithm',
|
|
'Cryptographic Length',
|
|
'Cryptographic Usage Mask',
|
|
'invalid']
|
|
)
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
self.assertEqual(6, len(result))
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.UNIQUE_IDENTIFIER,
|
|
'1'
|
|
)
|
|
self.assertIn(attribute, result)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
self.assertIn(attribute, result)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
0
|
|
)
|
|
self.assertIn(attribute, result)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT]
|
|
)
|
|
self.assertIn(attribute, result)
|
|
|
|
def test_get_attributes_from_managed_object_with_missing_attribute(self):
|
|
"""
|
|
Test that any exceptions are suppressed when attempting to retrieve
|
|
non-existent attributes from managed objects.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
symmetric_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b'',
|
|
masks=[enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT]
|
|
)
|
|
symmetric_key.names = ['Name 1', 'Name 2']
|
|
|
|
e._data_session.add(symmetric_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._get_attribute_from_managed_object = mock.Mock()
|
|
e._get_attribute_from_managed_object.side_effect = Exception
|
|
|
|
result = e._get_attributes_from_managed_object(
|
|
symmetric_key,
|
|
['Unique Identifier',
|
|
'Name',
|
|
'Cryptographic Algorithm',
|
|
'Cryptographic Length',
|
|
'Cryptographic Usage Mask',
|
|
'invalid']
|
|
)
|
|
|
|
self.assertEqual(0, len(result))
|
|
|
|
def test_get_attribute_from_managed_object(self):
|
|
"""
|
|
Test that an attribute can be retrieved from a given managed object.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
symmetric_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b'',
|
|
masks=[enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT]
|
|
)
|
|
certificate = pie_objects.X509Certificate(
|
|
b''
|
|
)
|
|
opaque_object = pie_objects.OpaqueObject(
|
|
b'',
|
|
enums.OpaqueDataType.NONE
|
|
)
|
|
|
|
e._data_session.add(symmetric_key)
|
|
e._data_session.add(certificate)
|
|
e._data_session.add(opaque_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Unique Identifier'
|
|
)
|
|
self.assertEqual('1', result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Name'
|
|
)
|
|
self.assertEqual(
|
|
[attributes.Name(
|
|
attributes.Name.NameValue('Symmetric Key'),
|
|
attributes.Name.NameType(
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)],
|
|
result
|
|
)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Object Type'
|
|
)
|
|
self.assertEqual(enums.ObjectType.SYMMETRIC_KEY, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Cryptographic Algorithm'
|
|
)
|
|
self.assertEqual(enums.CryptographicAlgorithm.AES, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Cryptographic Length'
|
|
)
|
|
self.assertEqual(0, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Cryptographic Parameters'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Cryptographic Domain Parameters'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Certificate Type'
|
|
)
|
|
self.assertEqual(enums.CertificateTypeEnum.X_509, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Certificate Length'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'X.509 Certificate Identifier'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'X.509 Certificate Subject'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'X.509 Certificate Issuer'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Certificate Identifier'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Certificate Subject'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Certificate Issuer'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
certificate,
|
|
'Digital Signature Algorithm'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
opaque_object,
|
|
'Digest'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Operation Policy Name'
|
|
)
|
|
self.assertEqual('default', result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Cryptographic Usage Mask'
|
|
)
|
|
self.assertEqual(
|
|
[enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT],
|
|
result
|
|
)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Lease Time'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Usage Limits'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'State'
|
|
)
|
|
self.assertEqual(enums.State.PRE_ACTIVE, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Initial Date'
|
|
)
|
|
self.assertIsNotNone(result)
|
|
self.assertIsInstance(result, six.integer_types)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Activation Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Process Start Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Protect Stop Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Deactivation Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Destroy Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Compromise Occurrence Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Compromise Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Revocation Reason'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Archive Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Object Group'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Fresh'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Link'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Application Specific Information'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Contact Information'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'Last Change Date'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
result = e._get_attribute_from_managed_object(
|
|
symmetric_key,
|
|
'invalid'
|
|
)
|
|
self.assertEqual(None, result)
|
|
|
|
def test_set_attributes_on_managed_object(self):
|
|
"""
|
|
Test that multiple attributes can be set on a given managed object.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.SecretData(
|
|
b'',
|
|
enums.SecretDataType.PASSWORD
|
|
)
|
|
managed_object.names = []
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
name = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Secret Data',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
mask = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[name, mask]
|
|
)
|
|
object_attributes = e._process_template_attribute(template_attribute)
|
|
|
|
self.assertEqual([], managed_object.names)
|
|
self.assertEqual([], managed_object.cryptographic_usage_masks)
|
|
|
|
e._set_attributes_on_managed_object(
|
|
managed_object,
|
|
object_attributes
|
|
)
|
|
|
|
self.assertEqual(['Test Secret Data'], managed_object.names)
|
|
self.assertEqual(
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
],
|
|
managed_object.cryptographic_usage_masks
|
|
)
|
|
|
|
def test_set_attributes_on_managed_object_attribute_mismatch(self):
|
|
"""
|
|
Test that an InvalidField error is generated when attempting to set
|
|
an attribute that is not applicable for a given managed object.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.OpaqueObject(
|
|
b'',
|
|
enums.OpaqueDataType.NONE
|
|
)
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
mask = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
template_attribute = objects.TemplateAttribute(attributes=[mask])
|
|
object_attributes = e._process_template_attribute(template_attribute)
|
|
|
|
args = (managed_object, object_attributes)
|
|
regex = (
|
|
"Cannot set Cryptographic Usage Mask attribute on OpaqueData "
|
|
"object."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._set_attributes_on_managed_object,
|
|
*args
|
|
)
|
|
|
|
def test_set_attribute_on_managed_object(self):
|
|
"""
|
|
Test that various attributes can be set correctly on a given
|
|
managed object.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
name = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
algorithm = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
length = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
0
|
|
)
|
|
mask = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
managed_object.names = []
|
|
|
|
self.assertEqual([], managed_object.names)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
managed_object.cryptographic_algorithm
|
|
)
|
|
self.assertEqual(0, managed_object.cryptographic_length)
|
|
self.assertEqual([], managed_object.cryptographic_usage_masks)
|
|
|
|
e._set_attribute_on_managed_object(
|
|
managed_object,
|
|
('Name', [name.attribute_value])
|
|
)
|
|
|
|
self.assertEqual(['Test Symmetric Key'], managed_object.names)
|
|
|
|
e._set_attribute_on_managed_object(
|
|
managed_object,
|
|
('Cryptographic Algorithm', algorithm.attribute_value)
|
|
)
|
|
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
managed_object.cryptographic_algorithm
|
|
)
|
|
|
|
e._set_attribute_on_managed_object(
|
|
managed_object,
|
|
('Cryptographic Length', length.attribute_value)
|
|
)
|
|
|
|
self.assertEqual(0, managed_object.cryptographic_length)
|
|
|
|
e._set_attribute_on_managed_object(
|
|
managed_object,
|
|
('Cryptographic Usage Mask', mask.attribute_value)
|
|
)
|
|
|
|
self.assertEqual(
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
],
|
|
managed_object.cryptographic_usage_masks
|
|
)
|
|
|
|
def test_set_attribute_on_managed_object_unsupported_features(self):
|
|
"""
|
|
Test that the right errors are generated when unsupported features
|
|
are referenced while setting managed object attributes.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
8,
|
|
b'\x00'
|
|
)
|
|
|
|
# Test that multiple duplicate names cannot be set on an object.
|
|
name_a = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
name_b = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
|
|
args = (
|
|
managed_object,
|
|
('Name', [name_a.attribute_value, name_b.attribute_value])
|
|
)
|
|
regex = "Cannot set duplicate name values."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._set_attribute_on_managed_object,
|
|
*args
|
|
)
|
|
|
|
# Test that a multivalued, unsupported attribute cannot be set on an
|
|
# object.
|
|
name_a = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
name_b = attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
|
|
args = (
|
|
managed_object,
|
|
('Digest', [name_a.attribute_value, name_b.attribute_value])
|
|
)
|
|
regex = "The Digest attribute is unsupported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._set_attribute_on_managed_object,
|
|
*args
|
|
)
|
|
|
|
# Test that a set attribute cannot be overwritten.
|
|
length = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
128
|
|
)
|
|
|
|
args = (
|
|
managed_object,
|
|
('Cryptographic Length', length.attribute_value)
|
|
)
|
|
regex = "Cannot overwrite the Cryptographic Length attribute."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._set_attribute_on_managed_object,
|
|
*args
|
|
)
|
|
|
|
# Test that an unsupported attribute cannot be set.
|
|
object_group = attribute_factory.create_attribute(
|
|
enums.AttributeType.OBJECT_GROUP,
|
|
'Test Group'
|
|
)
|
|
|
|
args = (
|
|
managed_object,
|
|
('Object Group', object_group.attribute_value)
|
|
)
|
|
regex = "The Object Group attribute is unsupported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._set_attribute_on_managed_object,
|
|
*args
|
|
)
|
|
|
|
def test_is_allowed_by_operation_policy(self):
|
|
"""
|
|
Test that an allowed operation is correctly allowed by the operation
|
|
policy.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._operation_policies = {
|
|
'test': {
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER
|
|
}
|
|
}
|
|
}
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'test',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertTrue(is_allowed)
|
|
|
|
def test_is_allowed_by_operation_policy_blocked(self):
|
|
"""
|
|
Test that an unallowed operation is correctly blocked by the operation
|
|
policy.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._operation_policies = {
|
|
'test': {
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER
|
|
}
|
|
}
|
|
}
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'random',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
|
|
def test_is_allowed_by_operation_public(self):
|
|
"""
|
|
Test that a public operation is allowed by the operation policy.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._operation_policies = {
|
|
'test': {
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
}
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'test',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertTrue(is_allowed)
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'random',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertTrue(is_allowed)
|
|
|
|
def test_is_allowed_by_operation_block_all(self):
|
|
"""
|
|
Test that a blocked operation is blocked by the operation policy.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._operation_policies = {
|
|
'test': {
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.GET: enums.Policy.DISALLOW_ALL
|
|
}
|
|
}
|
|
}
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'test',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'random',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
|
|
def test_is_allowed_by_operation_safety_check(self):
|
|
"""
|
|
Test that an unknown operation is blocked by the operation policy.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._operation_policies = {
|
|
'test': {
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.GET: 'unknown value'
|
|
}
|
|
}
|
|
}
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'test',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
'test',
|
|
'random',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
|
|
def test_is_allowed_by_operation_policy_nonexistent_policy(self):
|
|
"""
|
|
Test that a check with a non-existent policy yields a logging warning
|
|
and a blocked operation.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
|
|
policy = 'nonexistent-policy'
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
policy,
|
|
'test',
|
|
'test',
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
e._logger.warning.assert_called_once_with(
|
|
"The '{0}' policy does not exist.".format(policy)
|
|
)
|
|
|
|
def test_is_allowed_by_operation_policy_not_object_applicable(self):
|
|
"""
|
|
Test that a check for an object with a non-applicable policy yields
|
|
a logging warning and a blocked operation.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
e._operation_policies = {
|
|
'test': {
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER
|
|
}
|
|
}
|
|
}
|
|
|
|
policy = 'test'
|
|
object_type = enums.ObjectType.PRIVATE_KEY
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
policy,
|
|
'test',
|
|
'test',
|
|
object_type,
|
|
enums.Operation.GET
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
e._logger.warning.assert_called_once_with(
|
|
"The '{0}' policy does not apply to {1} objects.".format(
|
|
policy,
|
|
e._get_enum_string(object_type)
|
|
)
|
|
)
|
|
|
|
def test_is_allowed_by_operation_policy_not_applicable(self):
|
|
"""
|
|
Test that a check with a non-applicable policy yields a logging
|
|
warning and a blocked operation.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._logger = mock.MagicMock()
|
|
e._operation_policies = {
|
|
'test': {
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER
|
|
}
|
|
}
|
|
}
|
|
|
|
policy = 'test'
|
|
object_type = enums.ObjectType.SYMMETRIC_KEY
|
|
operation = enums.Operation.CREATE
|
|
is_allowed = e._is_allowed_by_operation_policy(
|
|
policy,
|
|
'test',
|
|
'test',
|
|
object_type,
|
|
operation
|
|
)
|
|
|
|
self.assertFalse(is_allowed)
|
|
e._logger.warning.assert_called_once_with(
|
|
"The '{0}' policy does not apply to {1} operations on {2} "
|
|
"objects.".format(
|
|
policy,
|
|
e._get_enum_string(operation),
|
|
e._get_enum_string(object_type)
|
|
)
|
|
)
|
|
|
|
def test_get_object_with_access_controls(self):
|
|
"""
|
|
Test that an unallowed object access request is handled correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._client_identity = 'test'
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_a._owner = 'admin'
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
|
|
# Test by specifying the ID of the object to retrieve and the
|
|
# operation context.
|
|
args = [id_a, enums.Operation.GET]
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
"Could not locate object: {0}".format(id_a),
|
|
e._get_object_with_access_controls,
|
|
*args
|
|
)
|
|
|
|
def test_create(self):
|
|
"""
|
|
Test that a Create request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Build Create request
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
256
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.OPERATION_POLICY_NAME,
|
|
'test'
|
|
)
|
|
]
|
|
)
|
|
payload = create.CreateRequestPayload(
|
|
object_type,
|
|
template_attribute
|
|
)
|
|
|
|
response_payload = e._process_create(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Create"
|
|
)
|
|
|
|
uid = response_payload.unique_identifier.value
|
|
self.assertEqual('1', uid)
|
|
|
|
# Retrieve the stored object and verify all attributes were set
|
|
# appropriately.
|
|
symmetric_key = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == uid
|
|
).one()
|
|
self.assertEqual(
|
|
enums.KeyFormatType.RAW,
|
|
symmetric_key.key_format_type
|
|
)
|
|
self.assertEqual(1, len(symmetric_key.names))
|
|
self.assertIn('Test Symmetric Key', symmetric_key.names)
|
|
self.assertEqual(256, len(symmetric_key.value) * 8)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
symmetric_key.cryptographic_algorithm
|
|
)
|
|
self.assertEqual(256, symmetric_key.cryptographic_length)
|
|
self.assertEqual(2, len(symmetric_key.cryptographic_usage_masks))
|
|
self.assertIn(
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
symmetric_key.cryptographic_usage_masks
|
|
)
|
|
self.assertIn(
|
|
enums.CryptographicUsageMask.DECRYPT,
|
|
symmetric_key.cryptographic_usage_masks
|
|
)
|
|
self.assertEqual('test', symmetric_key.operation_policy_name)
|
|
self.assertIsNotNone(symmetric_key.initial_date)
|
|
self.assertNotEqual(0, symmetric_key.initial_date)
|
|
|
|
self.assertEqual(uid, e._id_placeholder)
|
|
|
|
def test_create_unsupported_object_type(self):
|
|
"""
|
|
Test that an InvalidField error is generated when attempting to
|
|
create an unsupported object type.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
object_type = attributes.ObjectType(enums.ObjectType.PUBLIC_KEY)
|
|
payload = create.CreateRequestPayload(
|
|
object_type
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = "Cannot create a PublicKey object with the Create operation."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create,
|
|
*args
|
|
)
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Create"
|
|
)
|
|
|
|
def test_create_omitting_attributes(self):
|
|
"""
|
|
Test that InvalidField errors are generated when trying to create
|
|
a symmetric key without required attributes.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Test the error for omitting the Cryptographic Algorithm
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
256
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create.CreateRequestPayload(
|
|
object_type,
|
|
template_attribute
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic algorithm must be specified as an attribute."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create,
|
|
*args
|
|
)
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Create"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test the error for omitting the Cryptographic Length
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create.CreateRequestPayload(
|
|
object_type,
|
|
template_attribute
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic length must be specified as an attribute."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create,
|
|
*args
|
|
)
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Create"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test the error for omitting the Cryptographic Usage Mask
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
256
|
|
)
|
|
]
|
|
)
|
|
payload = create.CreateRequestPayload(
|
|
object_type,
|
|
template_attribute
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic usage mask must be specified as an attribute."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create,
|
|
*args
|
|
)
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Create"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
def test_create_key_pair(self):
|
|
"""
|
|
Test that a CreateKeyPair request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
response_payload = e._process_create_key_pair(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
|
|
public_id = response_payload.public_key_uuid.value
|
|
self.assertEqual('1', public_id)
|
|
private_id = response_payload.private_key_uuid.value
|
|
self.assertEqual('2', private_id)
|
|
|
|
# Retrieve the stored public key and verify all attributes were set
|
|
# appropriately.
|
|
public_key = e._data_session.query(
|
|
pie_objects.PublicKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == public_id
|
|
).one()
|
|
self.assertEqual(
|
|
enums.KeyFormatType.PKCS_1,
|
|
public_key.key_format_type
|
|
)
|
|
self.assertEqual(1, len(public_key.names))
|
|
self.assertIn('Test Asymmetric Key', public_key.names)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
public_key.cryptographic_algorithm
|
|
)
|
|
self.assertEqual(2048, public_key.cryptographic_length)
|
|
self.assertEqual(1, len(public_key.cryptographic_usage_masks))
|
|
self.assertIn(
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
public_key.cryptographic_usage_masks
|
|
)
|
|
self.assertEqual('default', public_key.operation_policy_name)
|
|
self.assertIsNotNone(public_key.initial_date)
|
|
self.assertNotEqual(0, public_key.initial_date)
|
|
|
|
# Retrieve the stored private key and verify all attributes were set
|
|
# appropriately.
|
|
private_key = e._data_session.query(
|
|
pie_objects.PrivateKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == private_id
|
|
).one()
|
|
self.assertEqual(
|
|
enums.KeyFormatType.PKCS_8,
|
|
private_key.key_format_type
|
|
)
|
|
self.assertEqual(1, len(private_key.names))
|
|
self.assertIn('Test Asymmetric Key', private_key.names)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
private_key.cryptographic_algorithm
|
|
)
|
|
self.assertEqual(2048, private_key.cryptographic_length)
|
|
self.assertEqual(1, len(private_key.cryptographic_usage_masks))
|
|
self.assertIn(
|
|
enums.CryptographicUsageMask.DECRYPT,
|
|
private_key.cryptographic_usage_masks
|
|
)
|
|
self.assertEqual('default', private_key.operation_policy_name)
|
|
self.assertIsNotNone(private_key.initial_date)
|
|
self.assertNotEqual(0, private_key.initial_date)
|
|
|
|
self.assertEqual(private_id, e._id_placeholder)
|
|
|
|
def test_create_key_pair_omitting_attributes(self):
|
|
"""
|
|
Test that the right errors are generated when required attributes
|
|
are missing from a CreateKeyPair request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Test that a missing PublicKey CryptographicAlgorithm raises an error
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic algorithm must be specified as an attribute "
|
|
"for the public key."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test that a missing PrivateKey CryptographicAlgorithm raises an error
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic algorithm must be specified as an attribute "
|
|
"for the private key."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test that a missing PublicKey CryptographicLength raises an error
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic length must be specified as an attribute for "
|
|
"the public key."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test that a missing PrivateKey CryptographicLength raises an error
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic length must be specified as an attribute for "
|
|
"the private key."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test that a missing PublicKey CryptographicUsageMask raises an error
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic usage mask must be specified as an attribute "
|
|
"for the public key."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test that a missing PrivateKey CryptographicUsageMask raises an error
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The cryptographic usage mask must be specified as an attribute "
|
|
"for the private key."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
def test_create_key_pair_mismatched_attributes(self):
|
|
"""
|
|
Test that the right errors are generated when required attributes
|
|
are mismatched in a CreateKeyPair request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Test that mismatched CryptographicAlgorithms raise an error.
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.DSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The public and private key algorithms must be the same."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
# Test that mismatched CryptographicAlgorithms raise an error.
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
4096
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = (
|
|
"The public and private key lengths must be the same."
|
|
)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_create_key_pair,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
e._logger.reset_mock()
|
|
|
|
def test_register(self):
|
|
"""
|
|
Test that a Register request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Build a SymmetricKey for registration.
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
128
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.OPERATION_POLICY_NAME,
|
|
'test'
|
|
)
|
|
]
|
|
)
|
|
key_bytes = (
|
|
b'\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
)
|
|
secret = secrets.SymmetricKey(
|
|
key_block=objects.KeyBlock(
|
|
key_format_type=misc.KeyFormatType(enums.KeyFormatType.RAW),
|
|
key_value=objects.KeyValue(
|
|
key_material=objects.KeyMaterial(key_bytes)
|
|
),
|
|
cryptographic_algorithm=attributes.CryptographicAlgorithm(
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
cryptographic_length=attributes.CryptographicLength(128)
|
|
)
|
|
)
|
|
|
|
payload = register.RegisterRequestPayload(
|
|
object_type=object_type,
|
|
template_attribute=template_attribute,
|
|
secret=secret
|
|
)
|
|
|
|
response_payload = e._process_register(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Register"
|
|
)
|
|
|
|
uid = response_payload.unique_identifier.value
|
|
self.assertEqual('1', uid)
|
|
|
|
# Retrieve the stored object and verify all attributes were set
|
|
# appropriately.
|
|
symmetric_key = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == uid
|
|
).one()
|
|
self.assertEqual(
|
|
enums.KeyFormatType.RAW,
|
|
symmetric_key.key_format_type
|
|
)
|
|
self.assertEqual(1, len(symmetric_key.names))
|
|
self.assertIn('Test Symmetric Key', symmetric_key.names)
|
|
self.assertEqual(key_bytes, symmetric_key.value)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
symmetric_key.cryptographic_algorithm
|
|
)
|
|
self.assertEqual(128, symmetric_key.cryptographic_length)
|
|
self.assertEqual(2, len(symmetric_key.cryptographic_usage_masks))
|
|
self.assertIn(
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
symmetric_key.cryptographic_usage_masks
|
|
)
|
|
self.assertIn(
|
|
enums.CryptographicUsageMask.DECRYPT,
|
|
symmetric_key.cryptographic_usage_masks
|
|
)
|
|
self.assertEqual('test', symmetric_key.operation_policy_name)
|
|
self.assertIsNotNone(symmetric_key.initial_date)
|
|
self.assertNotEqual(0, symmetric_key.initial_date)
|
|
|
|
self.assertEqual(uid, e._id_placeholder)
|
|
|
|
def test_register_unsupported_object_type(self):
|
|
"""
|
|
Test that an InvalidField error is generated when attempting to
|
|
register an unsupported object type.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
object_type = attributes.ObjectType(enums.ObjectType.SPLIT_KEY)
|
|
payload = register.RegisterRequestPayload(object_type=object_type)
|
|
|
|
args = (payload, )
|
|
regex = "The SplitKey object type is not supported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_register,
|
|
*args
|
|
)
|
|
|
|
def test_request_omitting_secret(self):
|
|
"""
|
|
Test that an InvalidField error is generate when trying to register
|
|
a secret in absentia.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
payload = register.RegisterRequestPayload(object_type=object_type)
|
|
|
|
args = (payload, )
|
|
regex = "Cannot register a secret in absentia."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.InvalidField,
|
|
regex,
|
|
e._process_register,
|
|
*args
|
|
)
|
|
|
|
def test_derive_key(self):
|
|
"""
|
|
Test that a DeriveKey request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
algorithm=enums.CryptographicAlgorithm.HMAC_SHA256,
|
|
length=176,
|
|
value=(
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Derive a SymmetricKey object.
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SYMMETRIC_KEY,
|
|
unique_identifiers=[str(base_key.unique_identifier)],
|
|
derivation_method=enums.DerivationMethod.HMAC,
|
|
derivation_parameters=attributes.DerivationParameters(
|
|
cryptographic_parameters=attributes.CryptographicParameters(
|
|
hashing_algorithm=enums.HashingAlgorithm.SHA_256
|
|
),
|
|
derivation_data=(
|
|
b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7'
|
|
b'\xf8\xf9'
|
|
),
|
|
salt=(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0a\x0b\x0c'
|
|
)
|
|
),
|
|
template_attribute=objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
336
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
]
|
|
)
|
|
)
|
|
|
|
response_payload = e._process_derive_key(payload)
|
|
|
|
e._logger.info.assert_any_call("Processing operation: DeriveKey")
|
|
e._logger.info.assert_any_call(
|
|
"Object 1 will be used as the keying material for the derivation "
|
|
"process."
|
|
)
|
|
e._logger.info.assert_any_call("Created a SymmetricKey with ID: 2")
|
|
|
|
self.assertEqual("2", response_payload.unique_identifier)
|
|
|
|
managed_object = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.SymmetricKey.unique_identifier == 2
|
|
).one()
|
|
|
|
self.assertEqual(
|
|
(
|
|
b'\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a'
|
|
b'\x90\x43\x4f\x64\xd0\x36\x2f\x2a'
|
|
b'\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c'
|
|
b'\x5d\xb0\x2d\x56\xec\xc4\xc5\xbf'
|
|
b'\x34\x00\x72\x08\xd5\xb8\x87\x18'
|
|
b'\x58\x65'
|
|
),
|
|
managed_object.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
managed_object.cryptographic_algorithm
|
|
)
|
|
self.assertEqual(
|
|
336,
|
|
managed_object.cryptographic_length
|
|
)
|
|
self.assertIsNotNone(managed_object.initial_date)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
algorithm=enums.CryptographicAlgorithm.BLOWFISH,
|
|
length=128,
|
|
value=(
|
|
b'\x01\x23\x45\x67\x89\xAB\xCD\xEF'
|
|
b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
# Derive a SecretData object.
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SECRET_DATA,
|
|
unique_identifiers=[str(base_key.unique_identifier)],
|
|
derivation_method=enums.DerivationMethod.ENCRYPT,
|
|
derivation_parameters=attributes.DerivationParameters(
|
|
cryptographic_parameters=attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.CBC,
|
|
padding_method=enums.PaddingMethod.PKCS5,
|
|
hashing_algorithm=enums.HashingAlgorithm.SHA_256,
|
|
cryptographic_algorithm=(
|
|
enums.CryptographicAlgorithm.BLOWFISH
|
|
)
|
|
),
|
|
initialization_vector=b'\xFE\xDC\xBA\x98\x76\x54\x32\x10',
|
|
derivation_data=(
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
),
|
|
),
|
|
template_attribute=objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
256
|
|
)
|
|
]
|
|
)
|
|
)
|
|
|
|
response_payload = e._process_derive_key(payload)
|
|
|
|
e._logger.info.assert_any_call("Processing operation: DeriveKey")
|
|
e._logger.info.assert_any_call(
|
|
"Object 3 will be used as the keying material for the derivation "
|
|
"process."
|
|
)
|
|
e._logger.info.assert_any_call("Created a SecretData with ID: 4")
|
|
|
|
self.assertEqual("4", response_payload.unique_identifier)
|
|
|
|
managed_object = e._data_session.query(
|
|
pie_objects.SecretData
|
|
).filter(
|
|
pie_objects.SecretData.unique_identifier == 4
|
|
).one()
|
|
|
|
self.assertEqual(
|
|
(
|
|
b'\x6B\x77\xB4\xD6\x30\x06\xDE\xE6'
|
|
b'\x05\xB1\x56\xE2\x74\x03\x97\x93'
|
|
b'\x58\xDE\xB9\xE7\x15\x46\x16\xD9'
|
|
b'\x74\x9D\xEC\xBE\xC0\x5D\x26\x4B'
|
|
),
|
|
managed_object.value
|
|
)
|
|
self.assertEqual(enums.SecretDataType.SEED, managed_object.data_type)
|
|
self.assertIsNotNone(managed_object.initial_date)
|
|
|
|
def test_derive_key_invalid_derivation_type(self):
|
|
"""
|
|
Test that the right error is thrown when an invalid derivation type
|
|
is provided with a DeriveKey request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.CERTIFICATE
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"Key derivation can only generate a SymmetricKey or SecretData "
|
|
"object.",
|
|
e._process_derive_key,
|
|
*args
|
|
)
|
|
|
|
def test_derive_key_invalid_base_key(self):
|
|
"""
|
|
Test that the right error is thrown when an object not suitable for
|
|
key derivation is provided as the base key with a DeriveKey request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
invalid_key = pie_objects.OpaqueObject(
|
|
b'\x01\x02\x04\x08\x10\x20\x40\x80',
|
|
enums.OpaqueDataType.NONE
|
|
)
|
|
e._data_session.add(invalid_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SECRET_DATA,
|
|
unique_identifiers=[str(invalid_key.unique_identifier)]
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"Object 1 is not a suitable type for key derivation. Please "
|
|
"specify a key or secret data.",
|
|
e._process_derive_key,
|
|
*args
|
|
)
|
|
|
|
def test_derive_key_non_derivable_base_key(self):
|
|
"""
|
|
Test that the right error is thrown when an object suitable for
|
|
key derivation but not marked as such is provided as the base key
|
|
with a DeriveKey request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SECRET_DATA,
|
|
unique_identifiers=[str(base_key.unique_identifier)]
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"The DeriveKey bit must be set in the cryptographic usage mask "
|
|
"for object 1 for it to be used in key derivation.",
|
|
e._process_derive_key,
|
|
*args
|
|
)
|
|
|
|
def test_derive_key_alternate_derivation_data(self):
|
|
"""
|
|
Test that a DeriveKey request can be processed correctly by
|
|
specifying multiple base objects and no derivation data.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
algorithm=enums.CryptographicAlgorithm.HMAC_SHA256,
|
|
length=176,
|
|
value=(
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
base_data = pie_objects.SecretData(
|
|
value=(
|
|
b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7'
|
|
b'\xf8\xf9'
|
|
),
|
|
data_type=enums.SecretDataType.SEED,
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_data)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SYMMETRIC_KEY,
|
|
unique_identifiers=[
|
|
str(base_key.unique_identifier),
|
|
str(base_data.unique_identifier)
|
|
],
|
|
derivation_method=enums.DerivationMethod.HMAC,
|
|
derivation_parameters=attributes.DerivationParameters(
|
|
cryptographic_parameters=attributes.CryptographicParameters(
|
|
hashing_algorithm=enums.HashingAlgorithm.SHA_256
|
|
),
|
|
salt=(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0a\x0b\x0c'
|
|
)
|
|
),
|
|
template_attribute=objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
336
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
]
|
|
)
|
|
)
|
|
|
|
response_payload = e._process_derive_key(payload)
|
|
|
|
e._logger.info.assert_any_call("Processing operation: DeriveKey")
|
|
e._logger.info.assert_any_call(
|
|
"2 derivation objects specified with the DeriveKey request."
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Object 1 will be used as the keying material for the derivation "
|
|
"process."
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Object 2 will be used as the derivation data for the derivation "
|
|
"process."
|
|
)
|
|
e._logger.info.assert_any_call("Created a SymmetricKey with ID: 3")
|
|
|
|
self.assertEqual("3", response_payload.unique_identifier)
|
|
|
|
managed_object = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.SymmetricKey.unique_identifier == 3
|
|
).one()
|
|
|
|
self.assertEqual(
|
|
(
|
|
b'\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a'
|
|
b'\x90\x43\x4f\x64\xd0\x36\x2f\x2a'
|
|
b'\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c'
|
|
b'\x5d\xb0\x2d\x56\xec\xc4\xc5\xbf'
|
|
b'\x34\x00\x72\x08\xd5\xb8\x87\x18'
|
|
b'\x58\x65'
|
|
),
|
|
managed_object.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
managed_object.cryptographic_algorithm
|
|
)
|
|
self.assertEqual(
|
|
336,
|
|
managed_object.cryptographic_length
|
|
)
|
|
self.assertIsNotNone(managed_object.initial_date)
|
|
|
|
def test_derive_key_unspecified_iv(self):
|
|
"""
|
|
"""
|
|
self.skip('')
|
|
|
|
def test_derive_key_missing_cryptographic_length(self):
|
|
"""
|
|
Test that the right error is thrown when the cryptographic length is
|
|
missing from a DeriveKey request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
algorithm=enums.CryptographicAlgorithm.HMAC_SHA256,
|
|
length=160,
|
|
value=(
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SYMMETRIC_KEY,
|
|
unique_identifiers=[str(base_key.unique_identifier)],
|
|
derivation_method=enums.DerivationMethod.HMAC,
|
|
derivation_parameters=attributes.DerivationParameters(
|
|
cryptographic_parameters=attributes.CryptographicParameters(
|
|
hashing_algorithm=enums.HashingAlgorithm.SHA_256
|
|
),
|
|
derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65',
|
|
),
|
|
template_attribute=objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
]
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"The cryptographic length must be provided in the template "
|
|
"attribute.",
|
|
e._process_derive_key,
|
|
*args
|
|
)
|
|
|
|
def test_derive_key_invalid_cryptographic_length(self):
|
|
"""
|
|
Test that the right error is thrown when an invalid cryptographic
|
|
length is provided with a DeriveKey request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
algorithm=enums.CryptographicAlgorithm.HMAC_SHA256,
|
|
length=160,
|
|
value=(
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SYMMETRIC_KEY,
|
|
unique_identifiers=[str(base_key.unique_identifier)],
|
|
derivation_method=enums.DerivationMethod.HMAC,
|
|
derivation_parameters=attributes.DerivationParameters(
|
|
cryptographic_parameters=attributes.CryptographicParameters(
|
|
hashing_algorithm=enums.HashingAlgorithm.SHA_256
|
|
),
|
|
derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65',
|
|
),
|
|
template_attribute=objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
123
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
]
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"The cryptographic length must correspond to a valid number of "
|
|
"bytes \(i.e., it must be a multiple of 8\).",
|
|
e._process_derive_key,
|
|
*args
|
|
)
|
|
|
|
def test_derive_key_missing_cryptographic_algorithm(self):
|
|
"""
|
|
Test that the right error is thrown when the cryptographic algorithm
|
|
is missing from a DeriveKey request when deriving a symmetric key.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
algorithm=enums.CryptographicAlgorithm.HMAC_SHA256,
|
|
length=160,
|
|
value=(
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SYMMETRIC_KEY,
|
|
unique_identifiers=[str(base_key.unique_identifier)],
|
|
derivation_method=enums.DerivationMethod.HMAC,
|
|
derivation_parameters=attributes.DerivationParameters(
|
|
cryptographic_parameters=attributes.CryptographicParameters(
|
|
hashing_algorithm=enums.HashingAlgorithm.SHA_256
|
|
),
|
|
derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65',
|
|
),
|
|
template_attribute=objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
256
|
|
)
|
|
]
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"The cryptographic algorithm must be provided in the template "
|
|
"attribute when deriving a symmetric key.",
|
|
e._process_derive_key,
|
|
*args
|
|
)
|
|
|
|
def test_derive_key_oversized_cryptographic_length(self):
|
|
"""
|
|
Test that the right error is thrown when an invalid cryptographic
|
|
length is provided with a DeriveKey request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
base_key = pie_objects.SymmetricKey(
|
|
algorithm=enums.CryptographicAlgorithm.HMAC_SHA256,
|
|
length=160,
|
|
value=(
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
|
|
b'\x0b\x0b\x0b\x0b'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
e._data_session.add(base_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._cryptography_engine = mock.MagicMock()
|
|
e._cryptography_engine.derive_key.return_value = b''
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
payload = derive_key.DeriveKeyRequestPayload(
|
|
object_type=enums.ObjectType.SYMMETRIC_KEY,
|
|
unique_identifiers=[str(base_key.unique_identifier)],
|
|
derivation_method=enums.DerivationMethod.HMAC,
|
|
derivation_parameters=attributes.DerivationParameters(
|
|
cryptographic_parameters=attributes.CryptographicParameters(
|
|
hashing_algorithm=enums.HashingAlgorithm.SHA_256
|
|
),
|
|
derivation_data=b'\x48\x69\x20\x54\x68\x65\x72\x65',
|
|
),
|
|
template_attribute=objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
256
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
]
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.CryptographicFailure,
|
|
"The specified length exceeds the output of the derivation "
|
|
"method.",
|
|
e._process_derive_key,
|
|
*args
|
|
)
|
|
|
|
def test_locate(self):
|
|
"""
|
|
Test that a Locate request can be processed correctly.
|
|
"""
|
|
# TODO Need add more extensive tests after locate operaton is
|
|
# fully supported
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
|
|
# locate should return nothing at beginning
|
|
payload = locate.LocateRequestPayload()
|
|
response_payload = e._process_locate(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Locate"
|
|
)
|
|
self.assertEqual(
|
|
len(response_payload.unique_identifiers),
|
|
0
|
|
)
|
|
|
|
# Add the first obj and test the locate
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
|
|
payload = locate.LocateRequestPayload()
|
|
e._logger.reset_mock()
|
|
response_payload = e._process_locate(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Locate"
|
|
)
|
|
|
|
self.assertEqual(
|
|
len(response_payload.unique_identifiers),
|
|
1
|
|
)
|
|
self.assertEqual(
|
|
id_a,
|
|
response_payload.unique_identifiers[0].value
|
|
)
|
|
|
|
# Add the second obj and test the locate
|
|
e._data_session.add(obj_b)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_b = str(obj_b.unique_identifier)
|
|
|
|
payload = locate.LocateRequestPayload()
|
|
e._logger.reset_mock()
|
|
response_payload = e._process_locate(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Locate"
|
|
)
|
|
|
|
self.assertEqual(
|
|
len(response_payload.unique_identifiers),
|
|
2
|
|
)
|
|
self.assertIn(
|
|
id_a,
|
|
[uid.value for uid in response_payload.unique_identifiers]
|
|
)
|
|
self.assertIn(
|
|
id_b,
|
|
[uid.value for uid in response_payload.unique_identifiers]
|
|
)
|
|
|
|
def test_locate_with_name(self):
|
|
"""
|
|
Test locate operation when 'Name' attribute is given.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00')
|
|
obj_a = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES, 128, key, name='name0')
|
|
obj_b = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.DES, 128, key, name='name0')
|
|
obj_c = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES, 128, key, name='name1')
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.add(obj_b)
|
|
e._data_session.add(obj_c)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
id_b = str(obj_b.unique_identifier)
|
|
id_c = str(obj_c.unique_identifier)
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Locate the obj with name 'name0'
|
|
attrs = [
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'name0',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
]
|
|
|
|
payload = locate.LocateRequestPayload(attributes=attrs)
|
|
e._logger.reset_mock()
|
|
response_payload = e._process_locate(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Locate"
|
|
)
|
|
|
|
self.assertEqual(
|
|
len(response_payload.unique_identifiers),
|
|
2
|
|
)
|
|
self.assertIn(
|
|
id_a,
|
|
[uid.value for uid in response_payload.unique_identifiers]
|
|
)
|
|
self.assertIn(
|
|
id_b,
|
|
[uid.value for uid in response_payload.unique_identifiers]
|
|
)
|
|
|
|
# Locate the obj with name 'name1'
|
|
attrs = [
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'name1',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
]
|
|
|
|
payload = locate.LocateRequestPayload(attributes=attrs)
|
|
e._logger.reset_mock()
|
|
response_payload = e._process_locate(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Locate"
|
|
)
|
|
|
|
self.assertEqual(
|
|
len(response_payload.unique_identifiers),
|
|
1
|
|
)
|
|
self.assertIn(
|
|
id_c,
|
|
[uid.value for uid in response_payload.unique_identifiers]
|
|
)
|
|
|
|
def test_get(self):
|
|
"""
|
|
Test that a Get request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.add(obj_b)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
id_b = str(obj_b.unique_identifier)
|
|
|
|
# Test by specifying the ID of the object to get.
|
|
payload = get.GetRequestPayload(unique_identifier=id_a)
|
|
|
|
response_payload = e._process_get(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
self.assertEqual(
|
|
enums.ObjectType.OPAQUE_DATA,
|
|
response_payload.object_type
|
|
)
|
|
self.assertEqual(str(id_a), response_payload.unique_identifier)
|
|
self.assertIsInstance(response_payload.secret, secrets.OpaqueObject)
|
|
self.assertEqual(
|
|
enums.OpaqueDataType.NONE,
|
|
response_payload.secret.opaque_data_type.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
response_payload.secret.opaque_data_value.value
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
e._id_placeholder = str(id_b)
|
|
|
|
# Test by using the ID placeholder to specify the object to get.
|
|
payload = get.GetRequestPayload()
|
|
|
|
response_payload = e._process_get(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
self.assertEqual(
|
|
enums.ObjectType.OPAQUE_DATA,
|
|
response_payload.object_type
|
|
)
|
|
self.assertEqual(str(id_b), response_payload.unique_identifier)
|
|
self.assertIsInstance(response_payload.secret, secrets.OpaqueObject)
|
|
self.assertEqual(
|
|
enums.OpaqueDataType.NONE,
|
|
response_payload.secret.opaque_data_type.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
response_payload.secret.opaque_data_value.value
|
|
)
|
|
|
|
e._data_session.commit()
|
|
|
|
def test_get_unsupported_key_compression(self):
|
|
"""
|
|
Test that the right error is generated when key compression is
|
|
provided in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
# Test that specifying the key compression type generates an error.
|
|
k = enums.KeyCompressionType.EC_PUBLIC_KEY_TYPE_UNCOMPRESSED
|
|
payload = get.GetRequestPayload(key_compression_type=k)
|
|
|
|
args = (payload, )
|
|
regex = "Key compression is not supported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.KeyCompressionTypeNotSupported,
|
|
regex,
|
|
e._process_get,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
|
|
def test_get_with_key_format_type(self):
|
|
"""
|
|
Test that the key format type is handled properly in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
obj_a = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
|
|
# Test that a key can be retrieved with the right key format.
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=id_a,
|
|
key_format_type=enums.KeyFormatType.RAW
|
|
)
|
|
|
|
response_payload = e._process_get(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
|
|
self.assertIsInstance(response_payload.secret, secrets.SymmetricKey)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
response_payload.secret.key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
0,
|
|
response_payload.secret.key_block.cryptographic_length.value
|
|
)
|
|
self.assertEqual(
|
|
b'',
|
|
response_payload.secret.key_block.key_value.key_material.value
|
|
)
|
|
self.assertEqual(
|
|
enums.KeyFormatType.RAW,
|
|
response_payload.secret.key_block.key_format_type.value
|
|
)
|
|
|
|
# Test that an error is generated when a key format conversion is
|
|
# required.
|
|
e._logger.reset_mock()
|
|
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=id_a,
|
|
key_format_type=enums.KeyFormatType.OPAQUE
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = "Key format conversion from RAW to OPAQUE is unsupported."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.KeyFormatTypeNotSupported,
|
|
regex,
|
|
e._process_get,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
|
|
# Test that an error is generated when a key format is requested but
|
|
# does not apply to the given managed object.
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
|
|
e._data_session.add(obj_b)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_b = str(obj_b.unique_identifier)
|
|
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=id_b,
|
|
key_format_type=enums.KeyFormatType.RAW
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = "Key format is not applicable to the specified object."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.KeyFormatTypeNotSupported,
|
|
regex,
|
|
e._process_get,
|
|
*args
|
|
)
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
|
|
def test_get_not_allowed_by_policy(self):
|
|
"""
|
|
Test that an unallowed request is handled correctly by Get.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._client_identity = 'test'
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_a._owner = 'admin'
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
payload = get.GetRequestPayload(unique_identifier=id_a)
|
|
|
|
# Test by specifying the ID of the object to get.
|
|
args = [payload]
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
"Could not locate object: {0}".format(id_a),
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key(self):
|
|
"""
|
|
Test that a Get request for a wrapped key can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.WRAP_KEY]
|
|
)
|
|
wrapping_key.state = enums.State.ACTIVE
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encryption_key_information=objects.EncryptionKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
response_payload = e._process_get(payload)
|
|
|
|
e._logger.info.assert_any_call("Processing operation: Get")
|
|
e._logger.info.assert_any_call(
|
|
"Wrapping SymmetricKey 2 with SymmetricKey 1."
|
|
)
|
|
self.assertEqual(
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
response_payload.object_type
|
|
)
|
|
self.assertEqual(
|
|
unwrapped_key_uuid,
|
|
response_payload.unique_identifier
|
|
)
|
|
self.assertIsInstance(
|
|
response_payload.secret,
|
|
secrets.SymmetricKey
|
|
)
|
|
self.assertEqual(
|
|
(
|
|
b'\x1F\xA6\x8B\x0A\x81\x12\xB4\x47'
|
|
b'\xAE\xF3\x4B\xD8\xFB\x5A\x7B\x82'
|
|
b'\x9D\x3E\x86\x23\x71\xD2\xCF\xE5'
|
|
),
|
|
response_payload.secret.key_block.key_value.key_material.value
|
|
)
|
|
self.assertIsInstance(
|
|
response_payload.secret.key_block.key_wrapping_data,
|
|
objects.KeyWrappingData
|
|
)
|
|
k = response_payload.secret.key_block.key_wrapping_data
|
|
self.assertEqual(
|
|
enums.WrappingMethod.ENCRYPT,
|
|
k.wrapping_method
|
|
)
|
|
self.assertIsInstance(
|
|
k.encryption_key_information,
|
|
objects.EncryptionKeyInformation
|
|
)
|
|
self.assertEqual(
|
|
'1',
|
|
k.encryption_key_information.unique_identifier
|
|
)
|
|
self.assertIsInstance(
|
|
k.encryption_key_information.cryptographic_parameters,
|
|
attributes.CryptographicParameters
|
|
)
|
|
c = k.encryption_key_information.cryptographic_parameters
|
|
self.assertEqual(
|
|
enums.BlockCipherMode.NIST_KEY_WRAP,
|
|
c.block_cipher_mode
|
|
)
|
|
self.assertEqual(
|
|
enums.EncodingOption.NO_ENCODING,
|
|
k.encoding_option
|
|
)
|
|
|
|
def test_get_wrapped_key_unsupported_mac_sig(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
via MAC/signing in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.WRAP_KEY]
|
|
)
|
|
wrapping_key.state = enums.State.ACTIVE
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.MAC_SIGN,
|
|
mac_signature_key_information=objects.
|
|
MACSignatureKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.OperationNotSupported,
|
|
"Wrapping method '{0}' is not supported.".format(
|
|
enums.WrappingMethod.MAC_SIGN
|
|
),
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_unsupported_mac_sign_key_info(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with MAC/signing key information in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.WRAP_KEY]
|
|
)
|
|
wrapping_key.state = enums.State.ACTIVE
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
mac_signature_key_information=objects.
|
|
MACSignatureKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
"Key wrapping with MAC/signing key information is not supported.",
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_missing_key_information(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with no settings in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
"Either the encryption key information or the MAC/signature key "
|
|
"information must be specified for key wrapping to be performed.",
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_nonexistent_wrapping_key(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with a nonexistent wrapping key in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encryption_key_information=objects.EncryptionKeyInformation(
|
|
unique_identifier='invalid',
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.ItemNotFound,
|
|
"Wrapping key does not exist.",
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_non_wrapping_key(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with a non-wrapping key in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SecretData(
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
enums.SecretDataType.SEED,
|
|
masks=[enums.CryptographicUsageMask.WRAP_KEY]
|
|
)
|
|
wrapping_key.state = enums.State.ACTIVE
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encryption_key_information=objects.EncryptionKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.IllegalOperation,
|
|
"The wrapping encryption key specified by the encryption key "
|
|
"information is not a key.",
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_inactive_wrapping_key(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with an inactive wrapping key in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.WRAP_KEY]
|
|
)
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encryption_key_information=objects.EncryptionKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
"Encryption key 1 must be activated to be used for key "
|
|
"wrapping.",
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_invalid_wrapping_key(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with a wrapping key not designated for key wrapping in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
wrapping_key.state = enums.State.ACTIVE
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encryption_key_information=objects.EncryptionKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
"The WrapKey bit must be set in the cryptographic usage mask of "
|
|
"encryption key 1 for it to be used for key wrapping.",
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_unsupported_attribute_wrapping(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with attribute names in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.WRAP_KEY]
|
|
)
|
|
wrapping_key.state = enums.State.ACTIVE
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encryption_key_information=objects.EncryptionKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
attribute_names=['Cryptographic Algorithm'],
|
|
encoding_option=enums.EncodingOption.NO_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.IllegalOperation,
|
|
"Wrapping object attributes is not supported.",
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_wrapped_key_invalid_encoding(self):
|
|
"""
|
|
Test that the right error is thrown when key wrapping is requested
|
|
with an unsupported encoding option in a Get request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
wrapping_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x01\x02\x03\x04\x05\x06\x07'
|
|
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
|
|
),
|
|
[enums.CryptographicUsageMask.WRAP_KEY]
|
|
)
|
|
wrapping_key.state = enums.State.ACTIVE
|
|
|
|
unwrapped_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(
|
|
b'\x00\x11\x22\x33\x44\x55\x66\x77'
|
|
b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(wrapping_key)
|
|
e._data_session.add(unwrapped_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
wrapping_key_uuid = str(wrapping_key.unique_identifier)
|
|
unwrapped_key_uuid = str(unwrapped_key.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.NIST_KEY_WRAP
|
|
)
|
|
payload = get.GetRequestPayload(
|
|
unique_identifier=unwrapped_key_uuid,
|
|
key_wrapping_specification=objects.KeyWrappingSpecification(
|
|
wrapping_method=enums.WrappingMethod.ENCRYPT,
|
|
encryption_key_information=objects.EncryptionKeyInformation(
|
|
unique_identifier=wrapping_key_uuid,
|
|
cryptographic_parameters=cryptographic_parameters
|
|
),
|
|
encoding_option=enums.EncodingOption.TTLV_ENCODING
|
|
)
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.EncodingOptionError,
|
|
"Encoding option '{0}' is not supported.".format(
|
|
enums.EncodingOption.TTLV_ENCODING
|
|
),
|
|
e._process_get,
|
|
*args
|
|
)
|
|
|
|
def test_get_attributes(self):
|
|
"""
|
|
Test that a GetAttributes request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
secret = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
|
|
e._data_session.add(secret)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
payload = get_attributes.GetAttributesRequestPayload(
|
|
unique_identifier='1',
|
|
attribute_names=['Object Type', 'Cryptographic Algorithm']
|
|
)
|
|
|
|
response_payload = e._process_get_attributes(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: GetAttributes"
|
|
)
|
|
self.assertEqual(
|
|
'1',
|
|
response_payload.unique_identifier
|
|
)
|
|
self.assertEqual(
|
|
2,
|
|
len(response_payload.attributes)
|
|
)
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.OBJECT_TYPE,
|
|
enums.ObjectType.SYMMETRIC_KEY
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
def test_get_attributes_with_no_arguments(self):
|
|
"""
|
|
Test that a GetAttributes request with no arguments can be processed
|
|
correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
secret = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
|
|
e._data_session.add(secret)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
e._id_placeholder = '1'
|
|
|
|
payload = get_attributes.GetAttributesRequestPayload()
|
|
|
|
response_payload = e._process_get_attributes(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: GetAttributes"
|
|
)
|
|
self.assertEqual(
|
|
'1',
|
|
response_payload.unique_identifier
|
|
)
|
|
self.assertEqual(
|
|
9,
|
|
len(response_payload.attributes)
|
|
)
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.OBJECT_TYPE,
|
|
enums.ObjectType.SYMMETRIC_KEY
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
0
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.OPERATION_POLICY_NAME,
|
|
'default'
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[]
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.STATE,
|
|
enums.State.PRE_ACTIVE
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
attribute = attribute_factory.create_attribute(
|
|
enums.AttributeType.UNIQUE_IDENTIFIER,
|
|
'1'
|
|
)
|
|
self.assertIn(attribute, response_payload.attributes)
|
|
|
|
def test_get_attributes_not_allowed_by_policy(self):
|
|
"""
|
|
Test that an unallowed request is handled correctly by GetAttributes.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._client_identity = 'test'
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_a._owner = 'admin'
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
payload = get_attributes.GetAttributesRequestPayload(
|
|
unique_identifier=id_a
|
|
)
|
|
|
|
# Test by specifying the ID of the object whose attributes should
|
|
# be retrieved.
|
|
args = [payload]
|
|
self.assertRaisesRegex(
|
|
exceptions.ItemNotFound,
|
|
"Could not locate object: {0}".format(id_a),
|
|
e._process_get_attributes,
|
|
*args
|
|
)
|
|
|
|
def test_get_attribute_list(self):
|
|
"""
|
|
Test that a GetAttributeList request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
secret = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
|
|
e._data_session.add(secret)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
payload = get_attribute_list.GetAttributeListRequestPayload(
|
|
unique_identifier='1'
|
|
)
|
|
|
|
response_payload = e._process_get_attribute_list(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: GetAttributeList"
|
|
)
|
|
self.assertEqual(
|
|
'1',
|
|
response_payload.unique_identifier
|
|
)
|
|
self.assertEqual(
|
|
9,
|
|
len(response_payload.attribute_names)
|
|
)
|
|
self.assertIn(
|
|
"Object Type",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Name",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Cryptographic Algorithm",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Cryptographic Length",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Operation Policy Name",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Cryptographic Usage Mask",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"State",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Unique Identifier",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Initial Date",
|
|
response_payload.attribute_names
|
|
)
|
|
|
|
def test_get_attribute_list_with_no_arguments(self):
|
|
"""
|
|
Test that a GetAttributeList request with no arguments can be
|
|
processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
secret = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
|
|
e._data_session.add(secret)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
e._id_placeholder = '1'
|
|
|
|
payload = get_attribute_list.GetAttributeListRequestPayload()
|
|
|
|
response_payload = e._process_get_attribute_list(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: GetAttributeList"
|
|
)
|
|
self.assertEqual(
|
|
'1',
|
|
response_payload.unique_identifier
|
|
)
|
|
self.assertEqual(
|
|
9,
|
|
len(response_payload.attribute_names)
|
|
)
|
|
self.assertIn(
|
|
"Object Type",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Name",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Cryptographic Algorithm",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Cryptographic Length",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Operation Policy Name",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Cryptographic Usage Mask",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"State",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Unique Identifier",
|
|
response_payload.attribute_names
|
|
)
|
|
self.assertIn(
|
|
"Initial Date",
|
|
response_payload.attribute_names
|
|
)
|
|
|
|
def test_get_attribute_list_not_allowed_by_policy(self):
|
|
"""
|
|
Test that an unallowed request is handled correctly by
|
|
GetAttributeList.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._client_identity = 'test'
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_a._owner = 'admin'
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
payload = get_attribute_list.GetAttributeListRequestPayload(
|
|
unique_identifier=id_a
|
|
)
|
|
|
|
# Test by specifying the ID of the object whose attributes should
|
|
# be retrieved.
|
|
args = [payload]
|
|
self.assertRaisesRegex(
|
|
exceptions.ItemNotFound,
|
|
"Could not locate object: {0}".format(id_a),
|
|
e._process_get_attribute_list,
|
|
*args
|
|
)
|
|
|
|
def test_activate(self):
|
|
"""
|
|
Test that an Activate request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
e._data_session.add(managed_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
self.assertEqual(enums.State.PRE_ACTIVE, managed_object.state)
|
|
|
|
object_id = str(managed_object.unique_identifier)
|
|
|
|
# Test by specifying the ID of the object to activate.
|
|
payload = activate.ActivateRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id)
|
|
)
|
|
|
|
response_payload = e._process_activate(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Activate"
|
|
)
|
|
self.assertEqual(
|
|
str(object_id),
|
|
response_payload.unique_identifier.value
|
|
)
|
|
|
|
symmetric_key = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == object_id
|
|
).one()
|
|
|
|
self.assertEqual(enums.State.ACTIVE, symmetric_key.state)
|
|
|
|
args = (payload,)
|
|
regex = "The object state is not pre-active and cannot be activated."
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_activate,
|
|
*args
|
|
)
|
|
|
|
# Test that the ID placeholder can also be used to specify activation.
|
|
e._id_placeholder = str(object_id)
|
|
payload = activate.ActivateRequestPayload()
|
|
args = (payload,)
|
|
regex = "The object state is not pre-active and cannot be activated."
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_activate,
|
|
*args
|
|
)
|
|
|
|
def test_activate_on_static_object(self):
|
|
"""
|
|
Test that the right error is generated when an activation request is
|
|
received for an object that cannot be activated.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.OpaqueObject(
|
|
b'',
|
|
enums.OpaqueDataType.NONE
|
|
)
|
|
e._data_session.add(managed_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
object_id = str(managed_object.unique_identifier)
|
|
|
|
# Test by specifying the ID of the object to activate.
|
|
payload = activate.ActivateRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id)
|
|
)
|
|
|
|
args = (payload,)
|
|
name = enums.ObjectType.OPAQUE_DATA.name
|
|
regex = "An {0} object has no state and cannot be activated.".format(
|
|
''.join(
|
|
[x.capitalize() for x in name.split('_')]
|
|
)
|
|
)
|
|
self.assertRaisesRegexp(
|
|
exceptions.IllegalOperation,
|
|
regex,
|
|
e._process_activate,
|
|
*args
|
|
)
|
|
|
|
def test_activate_on_active_object(self):
|
|
"""
|
|
Test that the right error is generated when an activation request is
|
|
received for an object that is not pre-active.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
managed_object.state = enums.State.ACTIVE
|
|
e._data_session.add(managed_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
object_id = str(managed_object.unique_identifier)
|
|
|
|
# Test by specifying the ID of the object to activate.
|
|
payload = activate.ActivateRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id)
|
|
)
|
|
|
|
args = (payload,)
|
|
regex = "The object state is not pre-active and cannot be activated."
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_activate,
|
|
*args
|
|
)
|
|
|
|
def test_activate_not_allowed_by_policy(self):
|
|
"""
|
|
Test that an unallowed request is handled correctly by Activate.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._client_identity = 'test'
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_a._owner = 'admin'
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
payload = activate.ActivateRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(id_a)
|
|
)
|
|
|
|
# Test by specifying the ID of the object to activate.
|
|
args = [payload]
|
|
self.assertRaisesRegex(
|
|
exceptions.ItemNotFound,
|
|
"Could not locate object: {0}".format(id_a),
|
|
e._process_activate,
|
|
*args
|
|
)
|
|
|
|
def test_revoke(self):
|
|
"""
|
|
Test that an Revoke request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
managed_object.state = enums.State.ACTIVE
|
|
e._data_session.add(managed_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
object_id = str(managed_object.unique_identifier)
|
|
|
|
reason_unspecified = objects.RevocationReason(
|
|
code=enums.RevocationReasonCode.UNSPECIFIED)
|
|
reason_compromise = objects.RevocationReason(
|
|
code=enums.RevocationReasonCode.KEY_COMPROMISE)
|
|
date = primitives.DateTime(
|
|
tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6)
|
|
|
|
# Test that reason UNSPECIFIED will put object into state
|
|
# DEACTIVATED
|
|
payload = revoke.RevokeRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id),
|
|
revocation_reason=reason_unspecified,
|
|
compromise_occurrence_date=date)
|
|
|
|
response_payload = e._process_revoke(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Revoke"
|
|
)
|
|
self.assertEqual(
|
|
str(object_id),
|
|
response_payload.unique_identifier.value
|
|
)
|
|
|
|
symmetric_key = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == object_id
|
|
).one()
|
|
|
|
self.assertEqual(enums.State.DEACTIVATED, symmetric_key.state)
|
|
|
|
# Test that reason KEY_COMPROMISE will put object not in DESTROYED
|
|
# state into state COMPROMISED
|
|
payload = revoke.RevokeRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id),
|
|
revocation_reason=reason_compromise,
|
|
compromise_occurrence_date=date)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
response_payload = e._process_revoke(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Revoke"
|
|
)
|
|
self.assertEqual(
|
|
str(object_id),
|
|
response_payload.unique_identifier.value
|
|
)
|
|
|
|
symmetric_key = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == object_id
|
|
).one()
|
|
|
|
self.assertEqual(enums.State.COMPROMISED, symmetric_key.state)
|
|
|
|
# Test that reason KEY_COMPROMISE will put object in DESTROYED
|
|
# state into state DESTROYED_COMPROMISED
|
|
symmetric_key.state = enums.State.DESTROYED
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
payload = revoke.RevokeRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id),
|
|
revocation_reason=reason_compromise,
|
|
compromise_occurrence_date=date)
|
|
response_payload = e._process_revoke(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Revoke"
|
|
)
|
|
self.assertEqual(
|
|
str(object_id),
|
|
response_payload.unique_identifier.value
|
|
)
|
|
symmetric_key = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == object_id
|
|
).one()
|
|
|
|
self.assertEqual(enums.State.DESTROYED_COMPROMISED,
|
|
symmetric_key.state)
|
|
|
|
# Test that the ID placeholder can also be used to specify revocation.
|
|
symmetric_key.state = enums.State.ACTIVE
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
e._id_placeholder = str(object_id)
|
|
payload = revoke.RevokeRequestPayload(
|
|
revocation_reason=reason_unspecified,
|
|
compromise_occurrence_date=date)
|
|
|
|
response_payload = e._process_revoke(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Revoke"
|
|
)
|
|
self.assertEqual(
|
|
str(object_id),
|
|
response_payload.unique_identifier.value
|
|
)
|
|
|
|
symmetric_key = e._data_session.query(
|
|
pie_objects.SymmetricKey
|
|
).filter(
|
|
pie_objects.ManagedObject.unique_identifier == object_id
|
|
).one()
|
|
|
|
self.assertEqual(enums.State.DEACTIVATED, symmetric_key.state)
|
|
|
|
def test_revoke_missing_revocation_reason(self):
|
|
"""
|
|
Test that the right error is generated when a revocation request is
|
|
received with a missing revocation reason.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
e._data_session.add(managed_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
self.assertEqual(enums.State.PRE_ACTIVE, managed_object.state)
|
|
|
|
object_id = str(managed_object.unique_identifier)
|
|
|
|
date = primitives.DateTime(
|
|
tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6)
|
|
|
|
payload = revoke.RevokeRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id),
|
|
revocation_reason=None,
|
|
compromise_occurrence_date=date)
|
|
payload.revocation_reason = None
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"revocation reason code must be specified",
|
|
e._process_revoke,
|
|
*args
|
|
)
|
|
|
|
def test_revoke_on_not_active_object(self):
|
|
"""
|
|
Test that the right error is generated when an revocation request is
|
|
received for an object that is not active with the reason other than
|
|
KEY_COMPROMISE.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
0,
|
|
b''
|
|
)
|
|
e._data_session.add(managed_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
self.assertEqual(enums.State.PRE_ACTIVE, managed_object.state)
|
|
|
|
object_id = str(managed_object.unique_identifier)
|
|
|
|
reason_unspecified = objects.RevocationReason(
|
|
code=enums.RevocationReasonCode.UNSPECIFIED)
|
|
date = primitives.DateTime(
|
|
tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6)
|
|
|
|
payload = revoke.RevokeRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id),
|
|
revocation_reason=reason_unspecified,
|
|
compromise_occurrence_date=date)
|
|
|
|
args = (payload, )
|
|
regex = "The object is not active and cannot be revoked with " \
|
|
"reason other than KEY_COMPROMISE"
|
|
self.assertRaisesRegexp(
|
|
exceptions.IllegalOperation,
|
|
regex,
|
|
e._process_revoke,
|
|
*args
|
|
)
|
|
|
|
def test_revoke_on_static_object(self):
|
|
"""
|
|
Test that the right error is generated when an revoke request is
|
|
received for an object that cannot be revoked.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
managed_object = pie_objects.OpaqueObject(
|
|
b'',
|
|
enums.OpaqueDataType.NONE
|
|
)
|
|
e._data_session.add(managed_object)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
object_id = str(managed_object.unique_identifier)
|
|
|
|
reason_unspecified = objects.RevocationReason(
|
|
code=enums.RevocationReasonCode.UNSPECIFIED)
|
|
date = primitives.DateTime(
|
|
tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6)
|
|
|
|
payload = revoke.RevokeRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(object_id),
|
|
revocation_reason=reason_unspecified,
|
|
compromise_occurrence_date=date)
|
|
|
|
args = (payload,)
|
|
name = enums.ObjectType.OPAQUE_DATA.name
|
|
regex = "An {0} object has no state and cannot be revoked.".format(
|
|
''.join(
|
|
[x.capitalize() for x in name.split('_')]
|
|
)
|
|
)
|
|
self.assertRaisesRegexp(
|
|
exceptions.IllegalOperation,
|
|
regex,
|
|
e._process_revoke,
|
|
*args
|
|
)
|
|
|
|
def test_revoke_not_allowed_by_policy(self):
|
|
"""
|
|
Test that an unallowed request is handled correctly by Revoke.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._client_identity = 'test'
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_a._owner = 'admin'
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
|
|
reason_unspecified = objects.RevocationReason(
|
|
code=enums.RevocationReasonCode.UNSPECIFIED)
|
|
date = primitives.DateTime(
|
|
tag=enums.Tags.COMPROMISE_OCCURRENCE_DATE, value=6)
|
|
|
|
payload = revoke.RevokeRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(id_a),
|
|
revocation_reason=reason_unspecified,
|
|
compromise_occurrence_date=date)
|
|
|
|
args = [payload]
|
|
self.assertRaisesRegex(
|
|
exceptions.ItemNotFound,
|
|
"Could not locate object: {0}".format(id_a),
|
|
e._process_revoke,
|
|
*args
|
|
)
|
|
|
|
def test_destroy(self):
|
|
"""
|
|
Test that a Destroy request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_b = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00')
|
|
algorithm = enums.CryptographicAlgorithm.AES
|
|
obj_c = pie_objects.SymmetricKey(algorithm, 128, key)
|
|
obj_c.state = enums.State.COMPROMISED
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.add(obj_b)
|
|
e._data_session.add(obj_c)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
id_b = str(obj_b.unique_identifier)
|
|
id_c = str(obj_c.unique_identifier)
|
|
|
|
# Test by specifying the ID of the object to destroy.
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(id_a)
|
|
)
|
|
|
|
response_payload = e._process_destroy(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Destroy"
|
|
)
|
|
self.assertEqual(str(id_a), response_payload.unique_identifier.value)
|
|
|
|
args = (payload, )
|
|
regex = "Could not locate object: {0}".format(id_a)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
e._id_placeholder = str(id_b)
|
|
|
|
# Test by using the ID placeholder to specify the object to destroy.
|
|
payload = destroy.DestroyRequestPayload()
|
|
|
|
response_payload = e._process_destroy(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Destroy"
|
|
)
|
|
self.assertEqual(str(id_b), response_payload.unique_identifier.value)
|
|
|
|
args = (payload, )
|
|
regex = "Could not locate object: {0}".format(id_b)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
# Test that compromised object can be destroyed properly
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(id_c)
|
|
)
|
|
response_payload = e._process_destroy(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Destroy"
|
|
)
|
|
self.assertEqual(str(id_c), response_payload.unique_identifier.value)
|
|
|
|
args = (payload, )
|
|
regex = "Could not locate object: {0}".format(id_c)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
e._data_session.commit()
|
|
|
|
def test_destroy_not_allowed_by_policy(self):
|
|
"""
|
|
Test that an unallowed request is handled correctly by Destroy.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._client_identity = 'test'
|
|
|
|
obj_a = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_a._owner = 'admin'
|
|
|
|
e._data_session.add(obj_a)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id_a = str(obj_a.unique_identifier)
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(id_a)
|
|
)
|
|
|
|
# Test by specifying the ID of the object to destroy.
|
|
args = [payload]
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
"Could not locate object: {0}".format(id_a),
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
def test_destroy_active_state(self):
|
|
"""
|
|
Test that the right error is generated when destroy request is
|
|
received for an object that is in 'active' state.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00')
|
|
algorithm = enums.CryptographicAlgorithm.AES
|
|
obj = pie_objects.SymmetricKey(algorithm, 128, key)
|
|
obj.state = enums.State.ACTIVE
|
|
|
|
e._data_session.add(obj)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
id = str(obj.unique_identifier)
|
|
|
|
# Test by specifying the ID of the object to destroy.
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(id)
|
|
)
|
|
|
|
args = (payload, )
|
|
regex = "Object is active and cannot be destroyed."
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
def test_query_1_0(self):
|
|
"""
|
|
Test that a Query request can be processed correctly, for KMIP 1.0.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
|
|
e._logger = mock.MagicMock()
|
|
e._protocol_version = contents.ProtocolVersion.create(1, 0)
|
|
|
|
payload = query.QueryRequestPayload([
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_OPERATIONS),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_OBJECTS),
|
|
misc.QueryFunction(
|
|
enums.QueryFunction.QUERY_SERVER_INFORMATION
|
|
),
|
|
misc.QueryFunction(
|
|
enums.QueryFunction.QUERY_APPLICATION_NAMESPACES
|
|
),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_LIST),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_MAP)
|
|
])
|
|
|
|
result = e._process_query(payload)
|
|
|
|
e._logger.info.assert_called_once_with("Processing operation: Query")
|
|
self.assertIsInstance(result, query.QueryResponsePayload)
|
|
self.assertIsNotNone(result.operations)
|
|
self.assertEqual(11, len(result.operations))
|
|
self.assertEqual(
|
|
enums.Operation.CREATE,
|
|
result.operations[0].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.CREATE_KEY_PAIR,
|
|
result.operations[1].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.REGISTER,
|
|
result.operations[2].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DERIVE_KEY,
|
|
result.operations[3].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.LOCATE,
|
|
result.operations[4].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET,
|
|
result.operations[5].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET_ATTRIBUTES,
|
|
result.operations[6].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET_ATTRIBUTE_LIST,
|
|
result.operations[7].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.ACTIVATE,
|
|
result.operations[8].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DESTROY,
|
|
result.operations[9].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.QUERY,
|
|
result.operations[10].value
|
|
)
|
|
self.assertEqual(list(), result.object_types)
|
|
self.assertIsNotNone(result.vendor_identification)
|
|
self.assertEqual(
|
|
"PyKMIP {0} Software Server".format(kmip.__version__),
|
|
result.vendor_identification.value
|
|
)
|
|
self.assertIsNone(result.server_information)
|
|
self.assertEqual(list(), result.application_namespaces)
|
|
self.assertEqual(list(), result.extension_information)
|
|
|
|
def test_query_1_1(self):
|
|
"""
|
|
Test that a Query request can be processed correctly, for KMIP 1.1.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
|
|
e._logger = mock.MagicMock()
|
|
e._protocol_version = contents.ProtocolVersion.create(1, 1)
|
|
|
|
payload = query.QueryRequestPayload([
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_OPERATIONS),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_OBJECTS),
|
|
misc.QueryFunction(
|
|
enums.QueryFunction.QUERY_SERVER_INFORMATION
|
|
),
|
|
misc.QueryFunction(
|
|
enums.QueryFunction.QUERY_APPLICATION_NAMESPACES
|
|
),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_LIST),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_MAP)
|
|
])
|
|
|
|
result = e._process_query(payload)
|
|
|
|
e._logger.info.assert_called_once_with("Processing operation: Query")
|
|
self.assertIsInstance(result, query.QueryResponsePayload)
|
|
self.assertIsNotNone(result.operations)
|
|
self.assertEqual(12, len(result.operations))
|
|
self.assertEqual(
|
|
enums.Operation.CREATE,
|
|
result.operations[0].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.CREATE_KEY_PAIR,
|
|
result.operations[1].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.REGISTER,
|
|
result.operations[2].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DERIVE_KEY,
|
|
result.operations[3].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.LOCATE,
|
|
result.operations[4].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET,
|
|
result.operations[5].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET_ATTRIBUTES,
|
|
result.operations[6].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET_ATTRIBUTE_LIST,
|
|
result.operations[7].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.ACTIVATE,
|
|
result.operations[8].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DESTROY,
|
|
result.operations[9].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.QUERY,
|
|
result.operations[10].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DISCOVER_VERSIONS,
|
|
result.operations[11].value
|
|
)
|
|
self.assertEqual(list(), result.object_types)
|
|
self.assertIsNotNone(result.vendor_identification)
|
|
self.assertEqual(
|
|
"PyKMIP {0} Software Server".format(kmip.__version__),
|
|
result.vendor_identification.value
|
|
)
|
|
self.assertIsNone(result.server_information)
|
|
self.assertEqual(list(), result.application_namespaces)
|
|
self.assertEqual(list(), result.extension_information)
|
|
|
|
def test_query_1_2(self):
|
|
"""
|
|
Test that a Query request can be processed correctly, for KMIP 1.2.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
|
|
e._logger = mock.MagicMock()
|
|
e._protocol_version = contents.ProtocolVersion.create(1, 2)
|
|
|
|
payload = query.QueryRequestPayload([
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_OPERATIONS),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_OBJECTS),
|
|
misc.QueryFunction(
|
|
enums.QueryFunction.QUERY_SERVER_INFORMATION
|
|
),
|
|
misc.QueryFunction(
|
|
enums.QueryFunction.QUERY_APPLICATION_NAMESPACES
|
|
),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_LIST),
|
|
misc.QueryFunction(enums.QueryFunction.QUERY_EXTENSION_MAP)
|
|
])
|
|
|
|
result = e._process_query(payload)
|
|
|
|
e._logger.info.assert_called_once_with("Processing operation: Query")
|
|
self.assertIsInstance(result, query.QueryResponsePayload)
|
|
self.assertIsNotNone(result.operations)
|
|
self.assertEqual(14, len(result.operations))
|
|
self.assertEqual(
|
|
enums.Operation.CREATE,
|
|
result.operations[0].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.CREATE_KEY_PAIR,
|
|
result.operations[1].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.REGISTER,
|
|
result.operations[2].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DERIVE_KEY,
|
|
result.operations[3].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.LOCATE,
|
|
result.operations[4].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET,
|
|
result.operations[5].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET_ATTRIBUTES,
|
|
result.operations[6].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.GET_ATTRIBUTE_LIST,
|
|
result.operations[7].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.ACTIVATE,
|
|
result.operations[8].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DESTROY,
|
|
result.operations[9].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.QUERY,
|
|
result.operations[10].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.DISCOVER_VERSIONS,
|
|
result.operations[11].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.ENCRYPT,
|
|
result.operations[12].value
|
|
)
|
|
self.assertEqual(
|
|
enums.Operation.MAC,
|
|
result.operations[13].value
|
|
)
|
|
self.assertEqual(list(), result.object_types)
|
|
self.assertIsNotNone(result.vendor_identification)
|
|
self.assertEqual(
|
|
"PyKMIP {0} Software Server".format(kmip.__version__),
|
|
result.vendor_identification.value
|
|
)
|
|
self.assertIsNone(result.server_information)
|
|
self.assertEqual(list(), result.application_namespaces)
|
|
self.assertEqual(list(), result.extension_information)
|
|
|
|
def test_discover_versions(self):
|
|
"""
|
|
Test that a DiscoverVersions request can be processed correctly for
|
|
different inputs.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
|
|
# Test default request.
|
|
e._logger = mock.MagicMock()
|
|
payload = discover_versions.DiscoverVersionsRequestPayload()
|
|
|
|
result = e._process_discover_versions(payload)
|
|
|
|
e._logger.info.assert_called_once_with(
|
|
"Processing operation: DiscoverVersions"
|
|
)
|
|
self.assertIsInstance(
|
|
result,
|
|
discover_versions.DiscoverVersionsResponsePayload
|
|
)
|
|
self.assertIsNotNone(result.protocol_versions)
|
|
self.assertEqual(3, len(result.protocol_versions))
|
|
self.assertEqual(
|
|
contents.ProtocolVersion.create(1, 2),
|
|
result.protocol_versions[0]
|
|
)
|
|
self.assertEqual(
|
|
contents.ProtocolVersion.create(1, 1),
|
|
result.protocol_versions[1]
|
|
)
|
|
self.assertEqual(
|
|
contents.ProtocolVersion.create(1, 0),
|
|
result.protocol_versions[2]
|
|
)
|
|
|
|
# Test detailed request.
|
|
e._logger = mock.MagicMock()
|
|
payload = discover_versions.DiscoverVersionsRequestPayload([
|
|
contents.ProtocolVersion.create(1, 0)
|
|
])
|
|
|
|
result = e._process_discover_versions(payload)
|
|
|
|
e._logger.info.assert_called_once_with(
|
|
"Processing operation: DiscoverVersions"
|
|
)
|
|
self.assertIsNotNone(result.protocol_versions)
|
|
self.assertEqual(1, len(result.protocol_versions))
|
|
self.assertEqual(
|
|
contents.ProtocolVersion.create(1, 0),
|
|
result.protocol_versions[0]
|
|
)
|
|
|
|
# Test disjoint request.
|
|
e._logger = mock.MagicMock()
|
|
payload = discover_versions.DiscoverVersionsRequestPayload([
|
|
contents.ProtocolVersion.create(0, 1)
|
|
])
|
|
|
|
result = e._process_discover_versions(payload)
|
|
|
|
e._logger.info.assert_called_once_with(
|
|
"Processing operation: DiscoverVersions"
|
|
)
|
|
self.assertEqual([], result.protocol_versions)
|
|
|
|
def test_encrypt(self):
|
|
"""
|
|
Test that an Encrypt request can be processed correctly.
|
|
|
|
The test vectors used here come from Eric Young's test set for
|
|
Blowfish, via https://www.di-mgt.com.au/cryptopad.html.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
encryption_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.TRIPLE_DES,
|
|
128,
|
|
(
|
|
b'\x01\x23\x45\x67\x89\xAB\xCD\xEF'
|
|
b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
encryption_key.state = enums.State.ACTIVE
|
|
|
|
e._data_session.add(encryption_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unique_identifier = str(encryption_key.unique_identifier)
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.CBC,
|
|
padding_method=enums.PaddingMethod.PKCS5,
|
|
cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH
|
|
)
|
|
data = (
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
)
|
|
iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10'
|
|
|
|
payload = encrypt.EncryptRequestPayload(
|
|
unique_identifier,
|
|
cryptographic_parameters,
|
|
data,
|
|
iv_counter_nonce
|
|
)
|
|
|
|
response_payload = e._process_encrypt(payload)
|
|
|
|
e._logger.info.assert_any_call("Processing operation: Encrypt")
|
|
self.assertEqual(
|
|
unique_identifier,
|
|
response_payload.unique_identifier
|
|
)
|
|
self.assertEqual(
|
|
(
|
|
b'\x6B\x77\xB4\xD6\x30\x06\xDE\xE6'
|
|
b'\x05\xB1\x56\xE2\x74\x03\x97\x93'
|
|
b'\x58\xDE\xB9\xE7\x15\x46\x16\xD9'
|
|
b'\x74\x9D\xEC\xBE\xC0\x5D\x26\x4B'
|
|
),
|
|
response_payload.data
|
|
)
|
|
self.assertIsNone(response_payload.iv_counter_nonce)
|
|
|
|
def test_encrypt_no_iv_counter_nonce(self):
|
|
"""
|
|
Test that an Encrypt request can be processed correctly when a
|
|
specific IV/counter/nonce is not specified.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
encryption_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.TRIPLE_DES,
|
|
128,
|
|
(
|
|
b'\x01\x23\x45\x67\x89\xAB\xCD\xEF'
|
|
b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
encryption_key.state = enums.State.ACTIVE
|
|
|
|
e._data_session.add(encryption_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unique_identifier = str(encryption_key.unique_identifier)
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.CBC,
|
|
padding_method=enums.PaddingMethod.PKCS5,
|
|
cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH
|
|
)
|
|
data = (
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
)
|
|
iv_counter_nonce = None
|
|
|
|
payload = encrypt.EncryptRequestPayload(
|
|
unique_identifier,
|
|
cryptographic_parameters,
|
|
data,
|
|
iv_counter_nonce
|
|
)
|
|
|
|
response_payload = e._process_encrypt(payload)
|
|
|
|
e._logger.info.assert_any_call("Processing operation: Encrypt")
|
|
self.assertEqual(
|
|
unique_identifier,
|
|
response_payload.unique_identifier
|
|
)
|
|
self.assertIsNotNone(response_payload.data)
|
|
self.assertIsNotNone(response_payload.iv_counter_nonce)
|
|
|
|
def test_encrypt_no_cryptographic_parameters(self):
|
|
"""
|
|
Test that the right error is thrown when cryptographic parameters
|
|
are not provided with an Encrypt request.
|
|
|
|
Note: once the cryptographic parameters can be obtained from the
|
|
encryption key's attributes, this test should be updated to
|
|
reflect that.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
encryption_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.TRIPLE_DES,
|
|
128,
|
|
(
|
|
b'\x01\x23\x45\x67\x89\xAB\xCD\xEF'
|
|
b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
encryption_key.state = enums.State.ACTIVE
|
|
|
|
e._data_session.add(encryption_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unique_identifier = str(encryption_key.unique_identifier)
|
|
cryptographic_parameters = None
|
|
data = (
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
)
|
|
iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10'
|
|
|
|
payload = encrypt.EncryptRequestPayload(
|
|
unique_identifier,
|
|
cryptographic_parameters,
|
|
data,
|
|
iv_counter_nonce
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.InvalidField,
|
|
"The cryptographic parameters must be specified.",
|
|
e._process_encrypt,
|
|
*args
|
|
)
|
|
|
|
def test_encrypt_invalid_encryption_key(self):
|
|
"""
|
|
Test that the right error is thrown when an invalid encryption key
|
|
is specified with an Encrypt request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
encryption_key = pie_objects.OpaqueObject(
|
|
b'\x01\x02\x03\x04',
|
|
enums.OpaqueDataType.NONE
|
|
)
|
|
|
|
e._data_session.add(encryption_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unique_identifier = str(encryption_key.unique_identifier)
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.CBC,
|
|
padding_method=enums.PaddingMethod.PKCS5,
|
|
cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH
|
|
)
|
|
data = (
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
)
|
|
iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10'
|
|
|
|
payload = encrypt.EncryptRequestPayload(
|
|
unique_identifier,
|
|
cryptographic_parameters,
|
|
data,
|
|
iv_counter_nonce
|
|
)
|
|
|
|
args = (payload, )
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
"The requested encryption key is not a symmetric key. "
|
|
"Only symmetric encryption is currently supported.",
|
|
e._process_encrypt,
|
|
*args
|
|
)
|
|
|
|
def test_encrypt_inactive_encryption_key(self):
|
|
"""
|
|
Test that the right error is thrown when an inactive encryption key
|
|
is specified with an Encrypt request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
encryption_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.TRIPLE_DES,
|
|
128,
|
|
(
|
|
b'\x01\x23\x45\x67\x89\xAB\xCD\xEF'
|
|
b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87'
|
|
),
|
|
[enums.CryptographicUsageMask.ENCRYPT]
|
|
)
|
|
|
|
e._data_session.add(encryption_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unique_identifier = str(encryption_key.unique_identifier)
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.CBC,
|
|
padding_method=enums.PaddingMethod.PKCS5,
|
|
cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH
|
|
)
|
|
data = (
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
)
|
|
iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10'
|
|
|
|
payload = encrypt.EncryptRequestPayload(
|
|
unique_identifier,
|
|
cryptographic_parameters,
|
|
data,
|
|
iv_counter_nonce
|
|
)
|
|
|
|
args = (payload,)
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
"The encryption key must be in the Active state to be used "
|
|
"for encryption.",
|
|
e._process_encrypt,
|
|
*args
|
|
)
|
|
|
|
def test_encrypt_non_encryption_key(self):
|
|
"""
|
|
Test that the right error is thrown when a non-encryption key
|
|
is specified with an Encrypt request.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
encryption_key = pie_objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.TRIPLE_DES,
|
|
128,
|
|
(
|
|
b'\x01\x23\x45\x67\x89\xAB\xCD\xEF'
|
|
b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87'
|
|
),
|
|
[enums.CryptographicUsageMask.DECRYPT]
|
|
)
|
|
encryption_key.state = enums.State.ACTIVE
|
|
|
|
e._data_session.add(encryption_key)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
unique_identifier = str(encryption_key.unique_identifier)
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
block_cipher_mode=enums.BlockCipherMode.CBC,
|
|
padding_method=enums.PaddingMethod.PKCS5,
|
|
cryptographic_algorithm=enums.CryptographicAlgorithm.BLOWFISH
|
|
)
|
|
data = (
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
)
|
|
iv_counter_nonce = b'\xFE\xDC\xBA\x98\x76\x54\x32\x10'
|
|
|
|
payload = encrypt.EncryptRequestPayload(
|
|
unique_identifier,
|
|
cryptographic_parameters,
|
|
data,
|
|
iv_counter_nonce
|
|
)
|
|
|
|
args = (payload,)
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
"The Encrypt bit must be set in the encryption key's "
|
|
"cryptographic usage mask.",
|
|
e._process_encrypt,
|
|
*args
|
|
)
|
|
|
|
def test_mac(self):
|
|
"""
|
|
Test that a MAC request can be processed correctly.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00')
|
|
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
|
|
b'\x0B\x0C\x0D\x0E\x0F')
|
|
algorithm_a = enums.CryptographicAlgorithm.AES
|
|
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
|
|
obj = pie_objects.SymmetricKey(
|
|
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
|
|
obj.state = enums.State.ACTIVE
|
|
|
|
e._data_session.add(obj)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
uuid = str(obj.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
cryptographic_algorithm=algorithm_b
|
|
)
|
|
|
|
# Verify when cryptographic_parameters is specified in request
|
|
payload = mac.MACRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uuid),
|
|
cryptographic_parameters=cryptographic_parameters,
|
|
data=objects.Data(data)
|
|
)
|
|
|
|
response_payload = e._process_mac(payload)
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: MAC"
|
|
)
|
|
e._cryptography_engine.logger.info.assert_any_call(
|
|
"Generating a hash-based message authentication code using {0}".
|
|
format(algorithm_b.name)
|
|
)
|
|
e._cryptography_engine.logger.reset_mock()
|
|
self.assertEqual(str(uuid), response_payload.unique_identifier.value)
|
|
self.assertIsInstance(response_payload.mac_data, objects.MACData)
|
|
|
|
# Verify when cryptographic_parameters is not specified in request
|
|
payload = mac.MACRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uuid),
|
|
cryptographic_parameters=None,
|
|
data=objects.Data(data)
|
|
)
|
|
|
|
response_payload = e._process_mac(payload)
|
|
|
|
e._cryptography_engine.logger.info.assert_any_call(
|
|
"Generating a cipher-based message authentication code using {0}".
|
|
format(algorithm_a.name)
|
|
)
|
|
self.assertEqual(str(uuid), response_payload.unique_identifier.value)
|
|
self.assertIsInstance(response_payload.mac_data, objects.MACData)
|
|
|
|
def test_mac_with_missing_fields(self):
|
|
"""
|
|
Test that the right errors are generated when required fields
|
|
are missing.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00')
|
|
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B'
|
|
b'\x0C\x0D\x0E\x0F')
|
|
algorithm = enums.CryptographicAlgorithm.AES
|
|
obj_no_key = pie_objects.OpaqueObject(b'', enums.OpaqueDataType.NONE)
|
|
obj_no_algorithm = pie_objects.OpaqueObject(
|
|
key, enums.OpaqueDataType.NONE)
|
|
|
|
e._data_session.add(obj_no_key)
|
|
e._data_session.add(obj_no_algorithm)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
uuid_no_key = str(obj_no_key.unique_identifier)
|
|
uuid_no_algorithm = str(obj_no_algorithm.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
cryptographic_algorithm=algorithm
|
|
)
|
|
|
|
payload_no_key = mac.MACRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uuid_no_key),
|
|
cryptographic_parameters=cryptographic_parameters,
|
|
data=objects.Data(data)
|
|
)
|
|
|
|
args = (payload_no_key, )
|
|
regex = "A secret key value must be specified"
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_mac,
|
|
*args
|
|
)
|
|
|
|
payload_no_algorithm = mac.MACRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uuid_no_algorithm),
|
|
cryptographic_parameters=None,
|
|
data=objects.Data(data)
|
|
)
|
|
|
|
args = (payload_no_algorithm, )
|
|
regex = "The cryptographic algorithm must be specified"
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_mac,
|
|
*args
|
|
)
|
|
|
|
payload_no_data = mac.MACRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uuid_no_algorithm),
|
|
cryptographic_parameters=cryptographic_parameters,
|
|
data=None
|
|
)
|
|
|
|
args = (payload_no_data, )
|
|
regex = "No data to be MACed"
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_mac,
|
|
*args
|
|
)
|
|
|
|
def test_mac_not_active_state(self):
|
|
"""
|
|
Test that the right error is generated when an MAC request is
|
|
received for an object that is not in 'active' state.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00')
|
|
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
|
|
b'\x0B\x0C\x0D\x0E\x0F')
|
|
algorithm_a = enums.CryptographicAlgorithm.AES
|
|
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
|
|
obj = pie_objects.SymmetricKey(
|
|
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
|
|
obj.state = enums.State.PRE_ACTIVE
|
|
|
|
e._data_session.add(obj)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
uuid = str(obj.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
cryptographic_algorithm=algorithm_b
|
|
)
|
|
|
|
# Verify when cryptographic_parameters is specified in request
|
|
payload = mac.MACRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uuid),
|
|
cryptographic_parameters=cryptographic_parameters,
|
|
data=objects.Data(data)
|
|
)
|
|
|
|
args = (payload,)
|
|
regex = "Object is not in a state that can be used for MACing."
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_mac,
|
|
*args
|
|
)
|
|
|
|
def test_mac_crypto_usage_mask_not_set(self):
|
|
"""
|
|
Test that the right error is generated when an MAC request is
|
|
received for an object without proper crypto usage mask set.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
e._cryptography_engine.logger = mock.MagicMock()
|
|
|
|
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00')
|
|
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
|
|
b'\x0B\x0C\x0D\x0E\x0F')
|
|
algorithm_a = enums.CryptographicAlgorithm.AES
|
|
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
|
|
obj = pie_objects.SymmetricKey(
|
|
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_VERIFY])
|
|
obj.state = enums.State.ACTIVE
|
|
|
|
e._data_session.add(obj)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
uuid = str(obj.unique_identifier)
|
|
|
|
cryptographic_parameters = attributes.CryptographicParameters(
|
|
cryptographic_algorithm=algorithm_b
|
|
)
|
|
|
|
# Verify when cryptographic_parameters is specified in request
|
|
payload = mac.MACRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uuid),
|
|
cryptographic_parameters=cryptographic_parameters,
|
|
data=objects.Data(data)
|
|
)
|
|
|
|
args = (payload,)
|
|
regex = "MAC Generate must be set in the object's cryptographic " \
|
|
"usage mask"
|
|
self.assertRaisesRegexp(
|
|
exceptions.PermissionDenied,
|
|
regex,
|
|
e._process_mac,
|
|
*args
|
|
)
|
|
|
|
def test_create_get_destroy(self):
|
|
"""
|
|
Test that a managed object can be created, retrieved, and destroyed
|
|
without error.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Build a SymmetricKey for registration.
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
256
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
|
|
# Create the symmetric key with the corresponding attributes
|
|
payload = create.CreateRequestPayload(
|
|
object_type=object_type,
|
|
template_attribute=template_attribute
|
|
)
|
|
|
|
response_payload = e._process_create(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Create"
|
|
)
|
|
|
|
uid = response_payload.unique_identifier.value
|
|
self.assertEqual('1', uid)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
# Retrieve the created key using Get and verify all fields set
|
|
payload = get.GetRequestPayload(unique_identifier=uid)
|
|
|
|
response_payload = e._process_get(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
self.assertEqual(
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
response_payload.object_type
|
|
)
|
|
self.assertEqual(str(uid), response_payload.unique_identifier)
|
|
self.assertIsInstance(response_payload.secret, secrets.SymmetricKey)
|
|
|
|
key_block = response_payload.secret.key_block
|
|
self.assertEqual(
|
|
256,
|
|
len(key_block.key_value.key_material.value) * 8
|
|
)
|
|
self.assertEqual(
|
|
enums.KeyFormatType.RAW,
|
|
key_block.key_format_type.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
256,
|
|
key_block.cryptographic_length.value
|
|
)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
# Destroy the symmetric key and verify it cannot be accessed again
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uid)
|
|
)
|
|
|
|
response_payload = e._process_destroy(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Destroy"
|
|
)
|
|
self.assertEqual(str(uid), response_payload.unique_identifier.value)
|
|
|
|
args = (payload, )
|
|
regex = "Could not locate object: {0}".format(uid)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
|
|
def test_create_key_pair_get_destroy(self):
|
|
"""
|
|
Test that a key pair can be created, retrieved, and destroyed without
|
|
error.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
common_template = objects.CommonTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Asymmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.RSA
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
2048
|
|
)
|
|
]
|
|
)
|
|
public_template = objects.PublicKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
private_template = objects.PrivateKeyTemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
payload = create_key_pair.CreateKeyPairRequestPayload(
|
|
common_template,
|
|
private_template,
|
|
public_template
|
|
)
|
|
|
|
response_payload = e._process_create_key_pair(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: CreateKeyPair"
|
|
)
|
|
|
|
public_id = response_payload.public_key_uuid.value
|
|
self.assertEqual('1', public_id)
|
|
private_id = response_payload.private_key_uuid.value
|
|
self.assertEqual('2', private_id)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
# Retrieve the created public key using Get and verify all fields set
|
|
payload = get.GetRequestPayload(unique_identifier=public_id)
|
|
|
|
response_payload = e._process_get(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
self.assertEqual(
|
|
enums.ObjectType.PUBLIC_KEY,
|
|
response_payload.object_type
|
|
)
|
|
self.assertEqual(str(public_id), response_payload.unique_identifier)
|
|
self.assertIsInstance(response_payload.secret, secrets.PublicKey)
|
|
|
|
key_block = response_payload.secret.key_block
|
|
self.assertEqual(
|
|
enums.KeyFormatType.PKCS_1,
|
|
key_block.key_format_type.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
2048,
|
|
key_block.cryptographic_length.value
|
|
)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
# Retrieve the created private key using Get and verify all fields set
|
|
payload = get.GetRequestPayload(unique_identifier=private_id)
|
|
|
|
response_payload = e._process_get(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
self.assertEqual(
|
|
enums.ObjectType.PRIVATE_KEY,
|
|
response_payload.object_type
|
|
)
|
|
self.assertEqual(str(private_id), response_payload.unique_identifier)
|
|
self.assertIsInstance(response_payload.secret, secrets.PrivateKey)
|
|
|
|
key_block = response_payload.secret.key_block
|
|
self.assertEqual(
|
|
enums.KeyFormatType.PKCS_8,
|
|
key_block.key_format_type.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
2048,
|
|
key_block.cryptographic_length.value
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
# Destroy the public key and verify it cannot be accessed again
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(public_id)
|
|
)
|
|
|
|
response_payload = e._process_destroy(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Destroy"
|
|
)
|
|
self.assertEqual(
|
|
str(public_id),
|
|
response_payload.unique_identifier.value
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
args = (payload, )
|
|
regex = "Could not locate object: {0}".format(public_id)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
# Destroy the private key and verify it cannot be accessed again
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(private_id)
|
|
)
|
|
|
|
response_payload = e._process_destroy(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Destroy"
|
|
)
|
|
self.assertEqual(
|
|
str(private_id),
|
|
response_payload.unique_identifier.value
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
e._logger.reset_mock()
|
|
|
|
args = (payload, )
|
|
regex = "Could not locate object: {0}".format(private_id)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|
|
|
|
def test_register_get_destroy(self):
|
|
"""
|
|
Test that a managed object can be registered, retrieved, and destroyed
|
|
without error.
|
|
"""
|
|
e = engine.KmipEngine()
|
|
e._data_store = self.engine
|
|
e._data_store_session_factory = self.session_factory
|
|
e._data_session = e._data_store_session_factory()
|
|
e._logger = mock.MagicMock()
|
|
|
|
attribute_factory = factory.AttributeFactory()
|
|
|
|
# Build a SymmetricKey for registration.
|
|
object_type = attributes.ObjectType(enums.ObjectType.SYMMETRIC_KEY)
|
|
template_attribute = objects.TemplateAttribute(
|
|
attributes=[
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.NAME,
|
|
attributes.Name.create(
|
|
'Test Symmetric Key',
|
|
enums.NameType.UNINTERPRETED_TEXT_STRING
|
|
)
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM,
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_LENGTH,
|
|
128
|
|
),
|
|
attribute_factory.create_attribute(
|
|
enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
|
|
[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
]
|
|
)
|
|
key_bytes = (
|
|
b'\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
b'\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
)
|
|
secret = secrets.SymmetricKey(
|
|
key_block=objects.KeyBlock(
|
|
key_format_type=misc.KeyFormatType(enums.KeyFormatType.RAW),
|
|
key_value=objects.KeyValue(
|
|
key_material=objects.KeyMaterial(key_bytes)
|
|
),
|
|
cryptographic_algorithm=attributes.CryptographicAlgorithm(
|
|
enums.CryptographicAlgorithm.AES
|
|
),
|
|
cryptographic_length=attributes.CryptographicLength(128)
|
|
)
|
|
)
|
|
|
|
# Register the symmetric key with the corresponding attributes
|
|
payload = register.RegisterRequestPayload(
|
|
object_type=object_type,
|
|
template_attribute=template_attribute,
|
|
secret=secret
|
|
)
|
|
|
|
response_payload = e._process_register(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Register"
|
|
)
|
|
|
|
uid = response_payload.unique_identifier.value
|
|
self.assertEqual('1', uid)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
# Retrieve the registered key using Get and verify all fields set
|
|
payload = get.GetRequestPayload(unique_identifier=uid)
|
|
|
|
response_payload = e._process_get(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Get"
|
|
)
|
|
self.assertEqual(
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
response_payload.object_type
|
|
)
|
|
self.assertEqual(str(uid), response_payload.unique_identifier)
|
|
self.assertIsInstance(response_payload.secret, secrets.SymmetricKey)
|
|
self.assertEqual(
|
|
key_bytes,
|
|
response_payload.secret.key_block.key_value.key_material.value
|
|
)
|
|
self.assertEqual(
|
|
enums.KeyFormatType.RAW,
|
|
response_payload.secret.key_block.key_format_type.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
response_payload.secret.key_block.cryptographic_algorithm.value
|
|
)
|
|
self.assertEqual(
|
|
128,
|
|
response_payload.secret.key_block.cryptographic_length.value
|
|
)
|
|
|
|
e._logger.reset_mock()
|
|
|
|
# Destroy the symmetric key and verify it cannot be accessed again
|
|
payload = destroy.DestroyRequestPayload(
|
|
unique_identifier=attributes.UniqueIdentifier(uid)
|
|
)
|
|
|
|
response_payload = e._process_destroy(payload)
|
|
e._data_session.commit()
|
|
e._data_session = e._data_store_session_factory()
|
|
|
|
e._logger.info.assert_any_call(
|
|
"Processing operation: Destroy"
|
|
)
|
|
self.assertEqual(str(uid), response_payload.unique_identifier.value)
|
|
|
|
args = (payload, )
|
|
regex = "Could not locate object: {0}".format(uid)
|
|
six.assertRaisesRegex(
|
|
self,
|
|
exceptions.ItemNotFound,
|
|
regex,
|
|
e._process_destroy,
|
|
*args
|
|
)
|
|
|
|
e._data_session.commit()
|
|
e._data_store_session_factory()
|