summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTin Lam <tin@irrational.io>2019-02-03 00:28:51 -0600
committerTin Lam <tin@irrational.io>2019-02-22 16:14:25 -0600
commitaa241081c9eb846c8ab2efe0afbf1ef9ec05f8c0 (patch)
treea4e1ee7758ec8ff4d0a3f28f3c092ce59f11ad90
parent1aa46d77af8b9eb0af42b2f6a4acf04ab64ec071 (diff)
Fix exception handling and add tests
Per [0], fernet decrypt can never throw an InvalidSignature exception as that is re-raised as InvalidToken. This patch set corrects the handling of the exception, and added additional unit tests for coverage. [0] https://cryptography.io/en/latest/fernet/#cryptography.fernet.Fernet.decrypt Co-Authored-By: Drew Walters <drewwalters96@gmail.com> Change-Id: Ic5ee7ef451a5657519c5397fc4b903b5adcb1d18 Signed-off-by: Tin Lam <tin@irrational.io>
Notes
Notes (review): Code-Review+2: Felipe Monteiro <felipe.monteiro@att.com> Code-Review+1: Drew Walters <drewwalters96@gmail.com> Code-Review+1: Vladyslav Drok <vdrok@mirantis.com> Code-Review+2: Scott Hussey <sthussey@att.com> Workflow+1: Scott Hussey <sthussey@att.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Thu, 28 Feb 2019 21:53:33 +0000 Reviewed-on: https://review.openstack.org/634593 Project: openstack/airship-pegleg Branch: refs/heads/master
-rw-r--r--pegleg/engine/util/encryption.py15
-rw-r--r--test-requirements.txt1
-rw-r--r--tests/unit/engine/test_generate_cryptostring.py24
-rw-r--r--tests/unit/test_exceptions.py26
-rw-r--r--tox.ini2
5 files changed, 59 insertions, 9 deletions
diff --git a/pegleg/engine/util/encryption.py b/pegleg/engine/util/encryption.py
index c822cbc..bd575f5 100644
--- a/pegleg/engine/util/encryption.py
+++ b/pegleg/engine/util/encryption.py
@@ -15,8 +15,7 @@
15import base64 15import base64
16import logging 16import logging
17 17
18from cryptography.exceptions import InvalidSignature 18from cryptography import fernet
19from cryptography.fernet import Fernet
20from cryptography.hazmat.backends import default_backend 19from cryptography.hazmat.backends import default_backend
21from cryptography.hazmat.primitives import hashes 20from cryptography.hazmat.primitives import hashes
22from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC 21from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
@@ -57,8 +56,8 @@ def encrypt(unencrypted_data,
57 :rtype: bytes 56 :rtype: bytes
58 """ 57 """
59 58
60 return Fernet(_generate_key(passphrase, salt, key_length, 59 return fernet.Fernet(_generate_key(
61 iterations)).encrypt(unencrypted_data) 60 passphrase, salt, key_length, iterations)).encrypt(unencrypted_data)
62 61
63 62
64def decrypt(encrypted_data, 63def decrypt(encrypted_data,
@@ -88,14 +87,14 @@ def decrypt(encrypted_data,
88 :type iterations: positive integer. 87 :type iterations: positive integer.
89 :return: Decrypted secret data 88 :return: Decrypted secret data
90 :rtype: bytes 89 :rtype: bytes
91 :raises InvalidSignature: If the provided passphrase, and/or 90 :raises InvalidToken: If the provided passphrase, and/or
92 salt does not match the values used to encrypt the data. 91 salt does not match the values used to encrypt the data.
93 """ 92 """
94 93
95 try: 94 try:
96 return Fernet(_generate_key(passphrase, salt, key_length, 95 return fernet.Fernet(_generate_key(
97 iterations)).decrypt(encrypted_data) 96 passphrase, salt, key_length, iterations)).decrypt(encrypted_data)
98 except InvalidSignature: 97 except fernet.InvalidToken:
99 LOG.error('Signature verification to decrypt secrets failed. Please ' 98 LOG.error('Signature verification to decrypt secrets failed. Please '
100 'check your provided passphrase and salt and try again.') 99 'check your provided passphrase and salt and try again.')
101 raise 100 raise
diff --git a/test-requirements.txt b/test-requirements.txt
index 1f28230..5a16574 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,6 +1,7 @@
1# Testing 1# Testing
2pytest==3.2.1 2pytest==3.2.1
3pytest-cov==2.5.1 3pytest-cov==2.5.1
4testfixtures
4mock==2.0.0 5mock==2.0.0
5 6
6# Formatting 7# Formatting
diff --git a/tests/unit/engine/test_generate_cryptostring.py b/tests/unit/engine/test_generate_cryptostring.py
index 2797e8f..c05bb8b 100644
--- a/tests/unit/engine/test_generate_cryptostring.py
+++ b/tests/unit/engine/test_generate_cryptostring.py
@@ -14,9 +14,13 @@
14 14
15import os 15import os
16import tempfile 16import tempfile
17import uuid
17 18
19from cryptography import fernet
18import mock 20import mock
21import pytest
19import string 22import string
23from testfixtures import log_capture
20import yaml 24import yaml
21 25
22from pegleg.engine.util.cryptostring import CryptoString 26from pegleg.engine.util.cryptostring import CryptoString
@@ -176,3 +180,23 @@ def test_generate_passphrases(*_):
176 assert len(decrypted_passphrase) == 25 180 assert len(decrypted_passphrase) == 25
177 else: 181 else:
178 assert len(decrypted_passphrase) == 24 182 assert len(decrypted_passphrase) == 24
183
184
185@log_capture()
186def test_generate_passphrases_exception(capture):
187 unenc_data = uuid.uuid4().bytes
188 passphrase1 = uuid.uuid4().bytes
189 passphrase2 = uuid.uuid4().bytes
190 salt1 = uuid.uuid4().bytes
191 salt2 = uuid.uuid4().bytes
192
193 # Generate random data and encrypt it
194 enc_data = encryption.encrypt(unenc_data, passphrase1, salt1)
195
196 # Decrypt using the wrong key to see to see the InvalidToken error
197 with pytest.raises(fernet.InvalidToken):
198 encryption.decrypt(enc_data, passphrase2, salt2)
199 capture.check(('pegleg.engine.util.encryption', 'ERROR',
200 ('Signature verification to decrypt secrets failed. '
201 'Please check your provided passphrase and salt and '
202 'try again.')))
diff --git a/tests/unit/test_exceptions.py b/tests/unit/test_exceptions.py
new file mode 100644
index 0000000..2d5774f
--- /dev/null
+++ b/tests/unit/test_exceptions.py
@@ -0,0 +1,26 @@
1# Licensed under the Apache License, Version 2.0 (the "License");
2# you may not use this file except in compliance with the License.
3# You may obtain a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS,
9# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10# See the License for the specific language governing permissions and
11# limitations under the License.
12
13import logging
14
15import pytest
16from testfixtures import log_capture
17
18from pegleg.engine import exceptions as exc
19
20
21@log_capture()
22def test_exception_with_missing_kwargs(capture):
23 message = 'Testing missing kwargs exception with {text}'
24 with pytest.raises(exc.PeglegBaseException):
25 raise exc.PeglegBaseException(message=message, key="value")
26 capture.check(('pegleg.engine.exceptions', 'WARNING', 'Missing kwargs'))
diff --git a/tox.ini b/tox.ini
index 50e498c..46dcedd 100644
--- a/tox.ini
+++ b/tox.ini
@@ -60,7 +60,7 @@ commands =
60 {toxinidir}/tools/install-cfssl.sh 60 {toxinidir}/tools/install-cfssl.sh
61 bash -c 'PATH=$PATH:~/.local/bin; pytest --cov=pegleg --cov-report \ 61 bash -c 'PATH=$PATH:~/.local/bin; pytest --cov=pegleg --cov-report \
62 html:cover --cov-report xml:cover/coverage.xml --cov-report term \ 62 html:cover --cov-report xml:cover/coverage.xml --cov-report term \
63 --cov-fail-under 84 tests/' 63 --cov-fail-under 86 tests/'
64whitelist_externals = 64whitelist_externals =
65 bash 65 bash
66 66