@davbo
Created February 14, 2017 17:03
import unittest
import boto3
import credstash
# Secret name whose stored row the test overwrites and then reads back.
MY_SERVICE = 'my-service'

# Secret name whose stored contents/key/hmac are copied into the row above.
VALUABLE_SERVICE = 'valuable-service'
class TestCredentialSwap(unittest.TestCase):
    """Check that a secret's stored fields cannot be moved to another name.

    This is an integration test: it calls credstash and boto3 with their
    default settings, so it reads and writes the real 'credential-store'
    DynamoDB table of whichever AWS account the default session resolves to.
    Run it only against an account and table set aside for testing.
    """

    def tearDown(self):
        """Delete the secrets stored under both test names after each test."""
        for service in (MY_SERVICE, VALUABLE_SERVICE):
            credstash.deleteSecrets(service)

    def test_swapping_credential_raises_kms_error(self):
        """Overwrite one row with another row's fields and expect KmsError.

        The row for MY_SERVICE keeps its own 'name' and 'version' but has
        its 'contents', 'key' and 'hmac' replaced by those stored for
        VALUABLE_SERVICE, which models a principal with write access to the
        table but no right to read VALUABLE_SERVICE. Reading MY_SERVICE
        afterwards must fail rather than return the other secret.

        NOTE(review): all three fields are copied together, so a MAC that
        covers only 'contents' would still verify after the swap. putSecret
        is called here without an encryption context, so whether the read
        fails depends on how the credstash version under test ties the
        wrapped key to the secret name; confirm before relying on it.
        """
        credstash.putSecret(MY_SERVICE, 'credential-i-dont-care-about')
        credstash.putSecret(VALUABLE_SERVICE, 'valuable-secret')

        table = boto3.Session().resource('dynamodb').Table('credential-store')

        def newest_row(secret_name):
            # Descending order on the sort key with Limit=1 returns the row
            # that sorts last for this name; a consistent read is requested
            # so the write made just above is visible.
            condition = boto3.dynamodb.conditions.Key('name').eq(secret_name)
            response = table.query(
                Limit=1,
                ScanIndexForward=False,
                ConsistentRead=True,
                KeyConditionExpression=condition,
            )
            return response['Items'][0]

        target_row = newest_row(MY_SERVICE)
        donor_row = newest_row(VALUABLE_SERVICE)

        # Replace only the encrypted payload fields; the primary key
        # (name, version) of the target row is left as it was.
        table.update_item(
            Key={'name': target_row['name'], 'version': target_row['version']},
            UpdateExpression="SET #C = :c, #K = :k, #H = :h",
            ExpressionAttributeNames={"#C": "contents", "#K": "key", "#H": "hmac"},
            ExpressionAttributeValues={
                ":c": donor_row['contents'],
                ":k": donor_row['key'],
                ":h": donor_row['hmac'],
            },
        )

        with self.assertRaises(credstash.KmsError):
            credstash.getSecret(MY_SERVICE)
if __name__ == '__main__':
    # Run the test case when the file is executed directly.
    unittest.main()