From d3271ee9de63d9c6275184875d05762666ba9088 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 31 Jul 2015 07:53:15 +0200
Subject: [PATCH] Added support for changing vault encryption.
|
The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.
|
https://fedorahosted.org/freeipa/ticket/5176
|
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
API.txt | 27 +++-
VERSION | 4 +-
ipalib/plugins/vault.py | 233 ++++++++++++++++++++++++++--
ipatests/test_xmlrpc/test_vault_plugin.py | 249 ++++++++++++++++++++++++++++++
4 files changed, 498 insertions(+), 15 deletions(-)
|
diff --git a/API.txt b/API.txt
index b0f456e725a6c3d24c1071b282de5a28c3b5a671..8105cfb5ba61cabcf5c0f7e1c6e44dfc0cacc9cb 100644
--- a/API.txt
+++ b/API.txt
@@ -5474,11 +5474,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: vault_archive
-args: 1,10,3
+args: 1,11,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Bytes('data?')
option: Str('in?')
+option: Flag('override_password?', autofill=True, default=False)
option: Str('password?', cli_name='password')
option: Str('password_file?', cli_name='password_file')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -5538,6 +5539,30 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: vault_mod
+args: 1,18,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Flag('change_password?', autofill=True, default=False)
+option: Str('description?', cli_name='desc')
+option: Bytes('ipavaultpublickey?', cli_name='public_key')
+option: Bytes('ipavaultsalt?', cli_name='salt')
+option: Str('ipavaulttype?', cli_name='type')
+option: Str('new_password?', cli_name='new_password')
+option: Str('new_password_file?', cli_name='new_password_file')
+option: Str('old_password?', cli_name='old_password')
+option: Str('old_password_file?', cli_name='old_password_file')
+option: Bytes('private_key?', cli_name='private_key')
+option: Str('private_key_file?', cli_name='private_key_file')
+option: Str('public_key_file?', cli_name='public_key_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('service?')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault_mod_internal
args: 1,15,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
diff --git a/VERSION b/VERSION
index 9fe2f4d4f9ff6ffd42c2ee7493c385b0a432a6a0..3fdd2db88a7b2b6d3bd36ba0d7257c9994bc06af 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=152
-# Last change: mbasti - add 'user-stage' command
+IPA_API_VERSION_MINOR=153
+# Last change: edewata - Added support for changing vault encryption.
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 4b2c8a518e5c9a93e5490841a3d2177536c905b1..6a07a76b5b85680536b27fd147d8ec1583bb0bc7 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -116,11 +116,37 @@ EXAMPLES:
ipa vault-show <name>
[--user <user>|--service <service>|--shared]
""") + _("""
- Modify a vault:
+ Modify vault description:
ipa vault-mod <name>
[--user <user>|--service <service>|--shared]
--desc <description>
""") + _("""
+ Modify vault type:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --type <type>
+ [old password/private key]
+ [new password/public key]
+""") + _("""
+ Modify symmetric vault password:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --change-password
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --old-password <old password>
+ --new-password <new password>
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --old-password-file <old password file>
+ --new-password-file <new password file>
+""") + _("""
+ Modify asymmetric vault keys:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --private-key-file <old private key file>
+ --public-key-file <new public key file>
+""") + _("""
Delete a vault:
ipa vault-del <name>
[--user <user>|--service <service>|--shared]
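Review bot: The "Modify vault type" example leaves `[old password/private key]` and `[new password/public key]` as prose placeholders rather than the actual option names, so a reader cannot tell from the docstring which flags to pass for a type change. I would spell them out as `[--old-password <password>|--old-password-file <file>|--private-key-file <file>]` and `[--new-password <password>|--new-password-file <file>|--public-key-file <file>]`, mirroring the symmetric and asymmetric examples that follow. A one-line caveat is also worth adding that `--old-password`/`--new-password` put the secret in the process argument list and shell history, so the `-file` and interactive forms are preferable outside scripted use. The module docstring this hunk edits starts and ends outside the hunk.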
@@ -457,7 +483,7 @@ class vault(LDAPObject):
|
print ' ** Passwords do not match! **'
|
- def get_existing_password(self, new=False):
+ def get_existing_password(self):
"""
Gets existing password from user.
"""
@@ -871,9 +897,182 @@ class vault_find(LDAPSearch):
|
|
@register()
-class vault_mod(LDAPUpdate):
+class vault_mod(PKQuery, Local):
__doc__ = _('Modify a vault.')
|
+ takes_options = vault_options + (
+ Str(
+ 'description?',
+ cli_name='desc',
+ doc=_('Vault description'),
+ ),
+ Str(
+ 'ipavaulttype?',
+ cli_name='type',
+ doc=_('Vault type'),
+ ),
+ Bytes(
+ 'ipavaultsalt?',
+ cli_name='salt',
+ doc=_('Vault salt'),
+ ),
+ Flag(
+ 'change_password?',
+ doc=_('Change password'),
+ ),
+ Str(
+ 'old_password?',
+ cli_name='old_password',
+ doc=_('Old vault password'),
+ ),
+ Str( # TODO: use File parameter
+ 'old_password_file?',
+ cli_name='old_password_file',
+ doc=_('File containing the old vault password'),
+ ),
+ Str(
+ 'new_password?',
+ cli_name='new_password',
+ doc=_('New vault password'),
+ ),
+ Str( # TODO: use File parameter
+ 'new_password_file?',
+ cli_name='new_password_file',
+ doc=_('File containing the new vault password'),
+ ),
+ Bytes(
+ 'private_key?',
+ cli_name='private_key',
+ doc=_('Old vault private key'),
+ ),
+ Str( # TODO: use File parameter
+ 'private_key_file?',
+ cli_name='private_key_file',
+ doc=_('File containing the old vault private key'),
+ ),
+ Bytes(
+ 'ipavaultpublickey?',
+ cli_name='public_key',
+ doc=_('New vault public key'),
+ ),
+ Str( # TODO: use File parameter
+ 'public_key_file?',
+ cli_name='public_key_file',
+ doc=_('File containing the new vault public key'),
+ ),
+ )
+
+ has_output = output.standard_entry
+
+ def forward(self, *args, **options):
+
+ vault_type = options.pop('ipavaulttype', False)
+ salt = options.pop('ipavaultsalt', False)
+ change_password = options.pop('change_password', False)
+
+ old_password = options.pop('old_password', None)
+ old_password_file = options.pop('old_password_file', None)
+ new_password = options.pop('new_password', None)
+ new_password_file = options.pop('new_password_file', None)
+
+ old_private_key = options.pop('private_key', None)
+ old_private_key_file = options.pop('private_key_file', None)
+ new_public_key = options.pop('ipavaultpublickey', None)
+ new_public_key_file = options.pop('public_key_file', None)
+
+ if self.api.env.in_server:
+ backend = self.api.Backend.ldap2
+ else:
+ backend = self.api.Backend.rpcclient
+ if not backend.isconnected():
+ backend.connect(ccache=krbV.default_context().default_ccache())
+
+ # determine the vault type based on parameters specified
+ if vault_type:
+ pass
+
+ elif change_password or new_password or new_password_file or salt:
+ vault_type = u'symmetric'
+
+ elif new_public_key or new_public_key_file:
+ vault_type = u'asymmetric'
+
+ # if vault type is specified, retrieve existing secret
+ if vault_type:
+ opts = options.copy()
+ opts.pop('description', None)
+
+ opts['password'] = old_password
+ opts['password_file'] = old_password_file
+ opts['private_key'] = old_private_key
+ opts['private_key_file'] = old_private_key_file
+
+ response = self.api.Command.vault_retrieve(*args, **opts)
+ data = response['result']['data']
+
+ opts = options.copy()
+
+ # if vault type is specified, update crypto attributes
+ if vault_type:
+ opts['ipavaulttype'] = vault_type
+
+ if vault_type == u'standard':
+ opts['ipavaultsalt'] = None
+ opts['ipavaultpublickey'] = None
+
+ elif vault_type == u'symmetric':
+ if salt:
+ opts['ipavaultsalt'] = salt
+ else:
+ opts['ipavaultsalt'] = os.urandom(16)
+
+ opts['ipavaultpublickey'] = None
+
+ elif vault_type == u'asymmetric':
+
+ # get new vault public key
+ if new_public_key and new_public_key_file:
+ raise errors.MutuallyExclusiveError(
+ reason=_('New public key specified multiple times'))
+
+ elif new_public_key:
+ pass
+
+ elif new_public_key_file:
+ new_public_key = validated_read('public_key_file',
+ new_public_key_file,
+ mode='rb')
+
+ else:
+ raise errors.ValidationError(
+ name='ipavaultpublickey',
+ error=_('Missing new vault public key'))
+
+ opts['ipavaultsalt'] = None
+ opts['ipavaultpublickey'] = new_public_key
+
+ response = self.api.Command.vault_mod_internal(*args, **opts)
+
+ # if vault type is specified, rearchive existing secret
+ if vault_type:
+ opts = options.copy()
+ opts.pop('description', None)
+
+ opts['data'] = data
+ opts['password'] = new_password
+ opts['password_file'] = new_password_file
+ opts['override_password'] = True
+
+ self.api.Command.vault_archive(*args, **opts)
+
+ return response
+
+
+@register()
+class vault_mod_internal(LDAPUpdate):
+
+ NO_CLI = True
+
takes_options = LDAPUpdate.takes_options + vault_options
|
msg_summary = _('Modified vault "%(value)s"')
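Review bot: The rekey sequence at the end of `vault_mod.forward` is not atomic: `self.api.Command.vault_mod_internal(*args, **opts)` rewrites `ipavaulttype`/`ipavaultsalt`/`ipavaultpublickey` on the server before `self.api.Command.vault_archive(*args, **opts)` re-encrypts `data`, so if the archive step fails (an unparsable new public key, a mismatched new-password prompt, a dropped connection) the entry advertises the new parameters while the stored blob is still encrypted under the old ones, and the secret is no longer recoverable with either set of credentials. I would snapshot the current type, salt and public key before modifying (presumably via `vault_show`, which is outside this hunk) and restore them when the archive raises, and additionally parse a new public key locally before touching the entry. Separately, when `ipavaulttype` is omitted the type is inferred from which options were passed rather than from the vault's current type, so `--new-password` or `--change-password` on an asymmetric vault silently converts it to a symmetric one; checking the existing type, or requiring `--type` for a conversion, would avoid that surprise. The rollback for the archive step is sketched below.
```python
        # … unchanged: option parsing, retrieval of the old secret (capture
        # old_vault_type / old_salt / old_public_key there), opts construction …
        response = self.api.Command.vault_mod_internal(*args, **opts)

        # if vault type is specified, rearchive existing secret
        if vault_type:
            opts = options.copy()
            opts.pop('description', None)

            opts['data'] = data
            opts['password'] = new_password
            opts['password_file'] = new_password_file
            opts['override_password'] = True

            try:
                self.api.Command.vault_archive(*args, **opts)
            except Exception:
                # the crypto attributes were already changed but the secret
                # was not re-encrypted: put the previous attributes back so
                # it stays readable with the old credentials
                rollback = options.copy()
                rollback.pop('description', None)
                rollback['ipavaulttype'] = old_vault_type
                rollback['ipavaultsalt'] = old_salt
                rollback['ipavaultpublickey'] = old_public_key
                self.api.Command.vault_mod_internal(*args, **rollback)
                raise

        return response
```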
@@ -994,6 +1193,10 @@ class vault_archive(PKQuery, Local):
cli_name='password_file',
doc=_('File containing the vault password'),
),
+ Flag(
+ 'override_password?',
+ doc=_('Override existing password'),
+ ),
)
|
has_output = output.standard_entry
@@ -1008,6 +1211,8 @@ class vault_archive(PKQuery, Local):
password = options.get('password')
password_file = options.get('password_file')
|
+ override_password = options.pop('override_password', False)
+
# don't send these parameters to server
if 'data' in options:
del options['data']
@@ -1062,15 +1267,19 @@ class vault_archive(PKQuery, Local):
password = password.rstrip('\n')
|
else:
- password = self.obj.get_existing_password()
-
- # verify password by retrieving existing data
- opts = options.copy()
- opts['password'] = password
- try:
- self.api.Command.vault_retrieve(*args, **opts)
- except errors.NotFound:
- pass
+ if override_password:
+ password = self.obj.get_new_password()
+ else:
+ password = self.obj.get_existing_password()
+
+ if not override_password:
+ # verify password by retrieving existing data
+ opts = options.copy()
+ opts['password'] = password
+ try:
+ self.api.Command.vault_retrieve(*args, **opts)
+ except errors.NotFound:
+ pass
|
salt = vault['ipavaultsalt'][0]
|
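Review bot: `override_password` is only consulted inside this `else:` branch, i.e. the interactive path; when the caller supplies `password` or `password_file` (the branches above this hunk) the existing-password verification is skipped regardless of the flag, so the new option's doc string `Override existing password` promises more than it controls. Since `vault_archive` is a client-side `Local` command, that verification was never an authorization check either — any client can simply omit it — so the doc should say the flag only suppresses the prompt-and-verify step, e.g. `doc=_('Skip verification of the existing password and prompt for a new one')`, and the `if not override_password:` guard deserves a one-line comment saying the check is a safeguard against typos, not a permission check. The enclosing `forward` body starts and ends outside the hunk.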
diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py
index fe2f2f67d664e0640fdda99fd3e2f068ee61cb01..40ce46406702740ef5a781c3d3569b4f2e088b92 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -36,6 +36,7 @@ asymmetric_vault_name = u'asymmetric_test_vault'
secret = ''.join(map(chr, xrange(0, 256)))
|
password = u'password'
+other_password = u'other_password'
|
public_key = """
-----BEGIN PUBLIC KEY-----
@@ -79,6 +80,48 @@ kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw==
-----END RSA PRIVATE KEY-----
"""
|
+other_public_key = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7E/QLVyKjrgDctZ50U7
+rmtL7Ks1QLoccp9WvZJ6WI1rYd0fX5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkk
+Rl/3wK7fWNLenH/+VHOaTQc20exg7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLH
+w3zrmrO5SIZ8njxMoDcQJa2vu/t281U/I7ti8ue09FSitIECU05vgmPS+MnXR8HK
+PxXqrNkjl29mXNbPiByWwlse3Prwved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1
+O8gRaRg1r+ENVpmMSvXo4+8+bR3rEYddD5zU7nKXafeuthXlXplae/8uZmCiSI63
+TwIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+other_private_key = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAv7E/QLVyKjrgDctZ50U7rmtL7Ks1QLoccp9WvZJ6WI1rYd0f
+X5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkkRl/3wK7fWNLenH/+VHOaTQc20exg
+7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLHw3zrmrO5SIZ8njxMoDcQJa2vu/t2
+81U/I7ti8ue09FSitIECU05vgmPS+MnXR8HKPxXqrNkjl29mXNbPiByWwlse3Prw
+ved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1O8gRaRg1r+ENVpmMSvXo4+8+bR3r
+EYddD5zU7nKXafeuthXlXplae/8uZmCiSI63TwIDAQABAoIBAQCA+0GFR9F+isjx
+Xy+qBpKmxLl8kKKvX8r+cSpLOkEqTlW/rqqKgnI0vVuL/L2UJKKsLvpghBxoBZyC
+RCvtatBGrhIlS0UrHg/9m73Ek1hylfUUAQokTn4PrkwWJSgmm/xOATmZSs5ymNTn
+yFCmXl69sdNR77YvD5bQXeBtOT+bKXy7yQ1TmYPwwSjL+WSlMV6ZfE3HNVmxPTpk
+CTFS638cJblWk9MUIy8HIlhu6If2P4RnHr7ZGGivhREayvs0zXcAfqhIyFHruxSE
+yYnmqH9paWjv5mP3YyLoKr+NUvvxnBr/9wCTt0TKgG8G6rpkHuPDLQni9wUGnew8
+QdMgFEohAoGBAPH4vaVB5gDVfvIqwJBsBLHpPq72GvxjrM/exD0jIIpXZxz9gCql
+CmC5b1RS1uy8PMoc/RO4CE7UTLaTesciP6LjTD1RhH3rLLJO8/iVC1RXgMrCLHLm
+ZQnDhIQGGNQxpvBjQy5ZOWat2dFxYhHN630IFPOtrWsOmJ5HsL1JrjzxAoGBAMrO
+R1zNwQ42VbJS6AFshZVjmUV2h3REGh4zG/9IqL0Hz493hyCTGoDPLLXIbtkqNqzQ
+XibSZ9RMVPKKTiNQTx91DTgh4Anz8xUr84tA2iAf3ayNWKi3Y3GhmP2EWp1qYeom
+kV8Uq0lt4dHZuEo3LuqvbtbzlF9qUXqKS5qy6Tg/AoGBAKCp02o2HjzxhS/QeTmr
+r1ZeE7PiTzrECAuh01TwzPtuW1XhcEdgfEqK9cPcmT5pIkflBZkhOcr1pdYYiI5O
+TEigeY/BX6KoE251hALLG9GtpCN82DyWhAH+oy9ySOwj5793eTT+I2HtD1LE4SQH
+QVQsmJTP/fS2pVl7KnwUvy9RAoGBAKzo2qchNewsHzx+uxgbsnkABfnXaP2T4sDE
+yqYJCPTB6BFl02vOf9Y6zN/gF8JH333P2bY3xhaXTgXMLXqmSg+D+NVW7HEP8Lyo
+UGj1zgN9p74qdODEGqETKiFb6vYzcW/1mhP6x18/tDz658k+611kXZge7O288+MK
+bhNjXrx5AoGBAMox25PcxVgOjCd9+LdUcIOG6LQ971eCH1NKL9YAekICnwMrStbK
+veCYju6ok4ZWnMiH8MR1jgC39RWtjJZwynCuPXUP2/vZkoVf1tCZyz7dSm8TdS/2
+5NdOHVy7+NQcEPSm7/FmXdpcR9ZSGAuxMBfnEUibdyz5LdJGnFUN/+HS
+-----END RSA PRIVATE KEY-----
+"""
+
|
class test_vault_plugin(Declarative):
|
@@ -580,6 +623,48 @@ class test_vault_plugin(Declarative):
},
|
{
+ 'desc': 'Change standard vault to symmetric vault',
+ 'command': (
+ 'vault_mod',
+ [standard_vault_name],
+ {
+ 'ipavaulttype': u'symmetric',
+ 'new_password': password,
+ },
+ ),
+ 'expected': {
+ 'value': standard_vault_name,
+ 'summary': u'Modified vault "%s"' % standard_vault_name,
+ 'result': {
+ 'cn': [standard_vault_name],
+ 'ipavaulttype': [u'symmetric'],
+ 'ipavaultsalt': [fuzzy_string],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from standard vault converted to '
+ 'symmetric vault',
+ 'command': (
+ 'vault_retrieve',
+ [standard_vault_name],
+ {
+ 'password': password,
+ },
+ ),
+ 'expected': {
+ 'value': standard_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % standard_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
'desc': 'Create symmetric vault',
'command': (
'vault_add',
@@ -642,6 +727,90 @@ class test_vault_plugin(Declarative):
},
|
{
+ 'desc': 'Change symmetric vault password',
+ 'command': (
+ 'vault_mod',
+ [symmetric_vault_name],
+ {
+ 'old_password': password,
+ 'new_password': other_password,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % symmetric_vault_name,
+ 'result': {
+ 'cn': [symmetric_vault_name],
+ 'ipavaulttype': [u'symmetric'],
+ 'ipavaultsalt': [fuzzy_string],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from symmetric vault with new password',
+ 'command': (
+ 'vault_retrieve',
+ [symmetric_vault_name],
+ {
+ 'password': other_password,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % symmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
+ 'desc': 'Change symmetric vault to asymmetric vault',
+ 'command': (
+ 'vault_mod',
+ [symmetric_vault_name],
+ {
+ 'ipavaulttype': u'asymmetric',
+ 'old_password': other_password,
+ 'ipavaultpublickey': public_key,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % symmetric_vault_name,
+ 'result': {
+ 'cn': [symmetric_vault_name],
+ 'ipavaulttype': [u'asymmetric'],
+ 'ipavaultpublickey': [public_key],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from symmetric vault converted to '
+ 'asymmetric vault',
+ 'command': (
+ 'vault_retrieve',
+ [symmetric_vault_name],
+ {
+ 'private_key': private_key,
+ },
+ ),
+ 'expected': {
+ 'value': symmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % symmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
'desc': 'Create asymmetric vault',
'command': (
'vault_add',
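Review bot: All four new cases in this hunk exercise only the success path; nothing asserts that `vault_mod` with a wrong `old_password` (or a wrong `private_key`) fails and leaves the secret retrievable with the previous credentials, which is the failure mode that matters most for a rekey. I would add a case such as `('vault_mod', [symmetric_vault_name], {'old_password': u'wrong', 'new_password': other_password})` with an `'expected'` error (I cannot see from here which exception a failed decrypt in `vault_retrieve` raises, so reuse whichever the existing retrieve tests expect), followed by a `vault_retrieve` with the unchanged password. The `'ipavaultsalt': [fuzzy_string]` expectation in "Change symmetric vault password" also does not show that the salt was regenerated; capturing the previous salt and asserting it differs would pin the `os.urandom(16)` behaviour. The `tests` list this hunk extends starts and ends outside the hunk.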
@@ -702,4 +871,84 @@ class test_vault_plugin(Declarative):
},
},
|
+ {
+ 'desc': 'Change asymmetric vault keys',
+ 'command': (
+ 'vault_mod',
+ [asymmetric_vault_name],
+ {
+ 'private_key': private_key,
+ 'ipavaultpublickey': other_public_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % asymmetric_vault_name,
+ 'result': {
+ 'cn': [asymmetric_vault_name],
+ 'ipavaulttype': [u'asymmetric'],
+ 'ipavaultpublickey': [other_public_key],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from asymmetric vault with new keys',
+ 'command': (
+ 'vault_retrieve',
+ [asymmetric_vault_name],
+ {
+ 'private_key': other_private_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % asymmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
+ {
+ 'desc': 'Change asymmetric vault to standard vault',
+ 'command': (
+ 'vault_mod',
+ [asymmetric_vault_name],
+ {
+ 'ipavaulttype': u'standard',
+ 'private_key': other_private_key,
+ },
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': u'Modified vault "%s"' % asymmetric_vault_name,
+ 'result': {
+ 'cn': [asymmetric_vault_name],
+ 'ipavaulttype': [u'standard'],
+ 'owner_user': [u'admin'],
+ },
+ },
+ },
+
+ {
+ 'desc': 'Retrieve secret from asymmetric vault converted to '
+ 'standard vault',
+ 'command': (
+ 'vault_retrieve',
+ [asymmetric_vault_name],
+ {},
+ ),
+ 'expected': {
+ 'value': asymmetric_vault_name,
+ 'summary': 'Retrieved data from vault "%s"'
+ % asymmetric_vault_name,
+ 'result': {
+ 'data': secret,
+ },
+ },
+ },
+
]
--
2.4.3
|