From 3c65f3168245740f8fe7722ca8cc0244e008117d Mon Sep 17 00:00:00 2001 From: Ross Richardson Date: Fri, 9 Sep 2022 15:28:23 +1000 Subject: [PATCH] remove entropy check, and minimum bits option --- bless/aws_lambda/bless_lambda_common.py | 32 ++++------ bless/aws_lambda/bless_lambda_host.py | 10 ++-- bless/aws_lambda/bless_lambda_user.py | 12 ++-- bless/config/bless_config.py | 4 -- tests/aws_lambda/test_bless_lambda_host.py | 6 +- tests/aws_lambda/test_bless_lambda_user.py | 68 +++++++++++----------- tests/config/test_bless_config.py | 3 +- 7 files changed, 60 insertions(+), 75 deletions(-) diff --git a/bless/aws_lambda/bless_lambda_common.py b/bless/aws_lambda/bless_lambda_common.py index 07a89749..2d62b607 100644 --- a/bless/aws_lambda/bless_lambda_common.py +++ b/bless/aws_lambda/bless_lambda_common.py @@ -8,8 +8,7 @@ import boto3 from bless.cache.bless_lambda_cache import BlessLambdaCache -from bless.config.bless_config import BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, ENTROPY_MINIMUM_BITS_OPTION, \ - RANDOM_SEED_BYTES_OPTION +from bless.config.bless_config import BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, RANDOM_SEED_BYTES_OPTION global_bless_cache = None @@ -38,32 +37,23 @@ def set_logger(config): return logger -def check_entropy(config, logger): - """ - Check the entropy pool and seed it with KMS if desired - """ +def seed_entropy(config): + """ Seed randomness using KMS """ + region = os.environ['AWS_REGION'] kms_client = boto3.client('kms', region_name=region) - entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) + random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) + response = kms_client.generate_random(NumberOfBytes=random_seed_bytes) + random_seed = response['Plaintext'] - with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: - entropy = int(f.read()) - logger.debug(entropy) - if entropy < entropy_minimum_bits: - logger.info( - 'System entropy was {}, which is lower than the entropy_' - 'minimum {}. Using KMS to seed /dev/urandom'.format( - entropy, entropy_minimum_bits)) - response = kms_client.generate_random( - NumberOfBytes=random_seed_bytes) - random_seed = response['Plaintext'] - with open('/dev/urandom', 'wb') as urandom: - urandom.write(random_seed) + with open('/dev/urandom', 'wb') as urandom: + urandom.write(random_seed) def setup_lambda_cache(ca_private_key_password, config_file): - # For testing, ignore the static bless_cache, otherwise fill the cache one time. + """ For testing, ignore the static bless_cache, otherwise fill the cache one time. """ + global global_bless_cache if ca_private_key_password is not None or config_file is not None: bless_cache = BlessLambdaCache(ca_private_key_password, config_file) diff --git a/bless/aws_lambda/bless_lambda_host.py b/bless/aws_lambda/bless_lambda_host.py index 91ff1abe..3af69e92 100644 --- a/bless/aws_lambda/bless_lambda_host.py +++ b/bless/aws_lambda/bless_lambda_host.py @@ -5,7 +5,7 @@ """ import time -from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, check_entropy, \ +from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, seed_entropy, \ setup_lambda_cache from bless.config.bless_config import BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, \ SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, HOSTNAME_VALIDATION_OPTION @@ -18,7 +18,7 @@ def lambda_handler_host( event, context=None, ca_private_key_password=None, - entropy_check=True, + entropy_seeding=True, config_file=None): """ This is the function that will be called when the lambda function starts. @@ -27,7 +27,7 @@ def lambda_handler_host( http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. - :param entropy_check: For local testing, if set to false, it will skip checking entropy and + :param entropy_seeding: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS. :param config_file: The config file to load the SSH CA private key from, and additional settings. :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. @@ -66,8 +66,8 @@ def lambda_handler_host( ca_private_key_password = bless_cache.ca_private_key_password # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired - if entropy_check: - check_entropy(config, logger) + if entropy_seeding: + seed_entropy(config, logger) # cert values determined only by lambda and its configs current_time = int(time.time()) diff --git a/bless/aws_lambda/bless_lambda_user.py b/bless/aws_lambda/bless_lambda_user.py index 166bec9b..ee2d6bce 100644 --- a/bless/aws_lambda/bless_lambda_user.py +++ b/bless/aws_lambda/bless_lambda_user.py @@ -6,7 +6,7 @@ import time import boto3 -from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, check_entropy, \ +from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, seed_entropy, \ setup_lambda_cache from bless.config.bless_config import BLESS_OPTIONS_SECTION, \ CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, \ @@ -33,7 +33,7 @@ def lambda_handler_user( event, context=None, ca_private_key_password=None, - entropy_check=True, + entropy_seeding=True, config_file=None): """ This is the function that will be called when the lambda function starts. @@ -42,7 +42,7 @@ def lambda_handler_user( http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. - :param entropy_check: For local testing, if set to false, it will skip checking entropy and + :param entropy_seeding: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS. :param config_file: The config file to load the SSH CA private key from, and additional settings. :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. @@ -89,9 +89,9 @@ def lambda_handler_user( else: ca_private_key_password = bless_cache.ca_private_key_password - # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired - if entropy_check: - check_entropy(config, logger) + # if running as a Lambda, we can seed more entropy with KMS + if entropy_seeding: + seed_entropy(config) # cert values determined only by lambda and its configs current_time = int(time.time()) diff --git a/bless/config/bless_config.py b/bless/config/bless_config.py index e5cf4a90..766b2458 100644 --- a/bless/config/bless_config.py +++ b/bless/config/bless_config.py @@ -19,9 +19,6 @@ SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION = 'server_certificate_validity_after_seconds' SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_DEFAULT = 31536000 -ENTROPY_MINIMUM_BITS_OPTION = 'entropy_minimum_bits' -ENTROPY_MINIMUM_BITS_DEFAULT = 2048 - RANDOM_SEED_BYTES_OPTION = 'random_seed_bytes' RANDOM_SEED_BYTES_DEFAULT = 256 @@ -94,7 +91,6 @@ def __init__(self, aws_region, config_file): self.aws_region = aws_region defaults = {CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION: CERTIFICATE_VALIDITY_SEC_DEFAULT, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION: CERTIFICATE_VALIDITY_SEC_DEFAULT, - ENTROPY_MINIMUM_BITS_OPTION: ENTROPY_MINIMUM_BITS_DEFAULT, RANDOM_SEED_BYTES_OPTION: RANDOM_SEED_BYTES_DEFAULT, LOGGING_LEVEL_OPTION: LOGGING_LEVEL_DEFAULT, TEST_USER_OPTION: TEST_USER_DEFAULT, diff --git a/tests/aws_lambda/test_bless_lambda_host.py b/tests/aws_lambda/test_bless_lambda_host.py index 9797f179..3507dd60 100644 --- a/tests/aws_lambda/test_bless_lambda_host.py +++ b/tests/aws_lambda/test_bless_lambda_host.py @@ -30,7 +30,7 @@ class Context(object): def test_basic_local_request(): output = lambda_handler_host(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) print(output) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -39,7 +39,7 @@ def test_basic_local_request(): def test_basic_local_request_with_multiple_hosts(): output = lambda_handler_host(VALID_TEST_REQUEST_MULTIPLE_HOSTS, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) print(output) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -48,6 +48,6 @@ def test_basic_local_request_with_multiple_hosts(): def test_invalid_request(): output = lambda_handler_host(INVALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' diff --git a/tests/aws_lambda/test_bless_lambda_user.py b/tests/aws_lambda/test_bless_lambda_user.py index 40dce14f..29f48f3e 100644 --- a/tests/aws_lambda/test_bless_lambda_user.py +++ b/tests/aws_lambda/test_bless_lambda_user.py @@ -166,7 +166,7 @@ class Context(object): def test_basic_local_request_with_wrapper(): output = lambda_handler(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -174,7 +174,7 @@ def test_basic_local_request_with_wrapper(): def test_basic_local_request(): output = lambda_handler_user(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -182,7 +182,7 @@ def test_basic_local_request(): def test_basic_local_request_ed2551(): output = lambda_handler_user(VALID_TEST_REQUEST_ED2551, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['certificate'].startswith('ssh-ed25519-cert-v01@openssh.com ') @@ -190,7 +190,7 @@ def test_basic_local_request_ed2551(): def test_basic_local_unused_kmsauth_request(): output = lambda_handler_user(VALID_TEST_REQUEST_KMSAUTH, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -198,7 +198,7 @@ def test_basic_local_unused_kmsauth_request(): def test_basic_local_missing_kmsauth_request(): output = lambda_handler_user(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-kmsauth.cfg')) assert output['errorType'] == 'InputValidationError' @@ -217,7 +217,7 @@ def test_basic_local_username_validation_disabled(monkeypatch): output = lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_DISABLED, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -235,7 +235,7 @@ def test_basic_local_username_validation_email_remote_usernames_useradd(monkeypa output = lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -254,7 +254,7 @@ def test_basic_ca_private_key_file_bz2(monkeypatch): output = lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -273,7 +273,7 @@ def test_basic_ca_private_key_env_bz2(monkeypatch): output = lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -292,7 +292,7 @@ def test_basic_ca_private_key_file_zlib(monkeypatch): output = lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -311,7 +311,7 @@ def test_basic_ca_private_key_env_zlib(monkeypatch): output = lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -330,7 +330,7 @@ def test_basic_ca_private_key_file_none_compression(monkeypatch): output = lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -350,7 +350,7 @@ def test_invalid_uncompressed_with_zlib(monkeypatch): with pytest.raises(zlib.error): lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) @@ -369,14 +369,14 @@ def test_invalid_uncompressed_with_bz2(monkeypatch): with pytest.raises(OSError): lambda_handler_user(VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), '')) def test_invalid_username_request(): output = lambda_handler_user(INVALID_TEST_REQUEST_USERNAME_INVALID, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' @@ -385,7 +385,7 @@ def test_invalid_username_request(): def test_invalid_kmsauth_request(): output = lambda_handler_user(VALID_TEST_REQUEST_KMSAUTH, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-kmsauth.cfg')) assert output['errorType'] == 'KMSAuthValidationError' @@ -394,7 +394,7 @@ def test_invalid_kmsauth_request(): def test_invalid_request(): output = lambda_handler_user(INVALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' @@ -403,7 +403,7 @@ def test_local_request_key_not_found(): with pytest.raises(IOError): lambda_handler_user(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-broken.cfg')) @@ -411,14 +411,14 @@ def test_local_request_config_not_found(): with pytest.raises(ValueError): lambda_handler_user(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'none')) def test_local_request_invalid_pub_key(): output = lambda_handler_user(INVALID_TEST_REQUEST_KEY_TYPE, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' @@ -426,7 +426,7 @@ def test_local_request_invalid_pub_key(): def test_local_request_extra_field(): output = lambda_handler_user(INVALID_TEST_REQUEST_EXTRA_FIELD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' @@ -434,7 +434,7 @@ def test_local_request_extra_field(): def test_local_request_missing_field(): output = lambda_handler_user(INVALID_TEST_REQUEST_MISSING_FIELD, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' @@ -442,7 +442,7 @@ def test_local_request_missing_field(): def test_local_request_with_test_user(): output = lambda_handler_user(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-with-test-user.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -450,7 +450,7 @@ def test_local_request_with_test_user(): def test_local_request_with_custom_certificate_extensions(): output = lambda_handler_user(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-with-certificate-extensions.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -459,7 +459,7 @@ def test_local_request_with_custom_certificate_extensions(): def test_local_request_with_empty_certificate_extensions(): output = lambda_handler_user(VALID_TEST_REQUEST, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-with-certificate-extensions-empty.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -468,7 +468,7 @@ def test_local_request_with_empty_certificate_extensions(): def test_local_request_with_multiple_principals(): output = lambda_handler_user(VALID_TEST_REQUEST_MULTIPLE_PRINCIPALS, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -477,7 +477,7 @@ def test_local_request_with_multiple_principals(): def test_invalid_request_with_multiple_principals(): output = lambda_handler_user(INVALID_TEST_REQUEST_MULTIPLE_PRINCIPALS, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' @@ -486,11 +486,11 @@ def test_invalid_request_with_multiple_principals(): def test_invalid_request_with_mismatched_bastion_and_remote(): ''' Test default kmsauth behavior, that a bastion_user and remote_usernames must match - :return: + :return: ''' output = lambda_handler_user(INVALID_TEST_KMSAUTH_REQUEST_USERNAME_DOESNT_MATCH_REMOTE, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-kmsauth.cfg')) assert output['errorType'] == 'KMSAuthValidationError' @@ -499,7 +499,7 @@ def test_invalid_request_with_mismatched_bastion_and_remote(): def test_invalid_request_with_unallowed_remote(): output = lambda_handler_user(INVALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-kmsauth-different-remote.cfg')) assert output['errorType'] == 'KMSAuthValidationError' @@ -509,7 +509,7 @@ def test_valid_request_with_allowed_remote(mocker): mocker.patch("kmsauth.KMSTokenValidator.decrypt_token") output = lambda_handler_user(VALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-kmsauth-different-remote.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -523,7 +523,7 @@ def test_valid_request_with_allowed_remote_and_allowed_iam_group(mocker): botomock.return_value = clientmock output = lambda_handler_user(VALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-kmsauth-iam-group-validation.cfg')) assert output['certificate'].startswith('ssh-rsa-cert-v01@openssh.com ') @@ -537,7 +537,7 @@ def test_invalid_request_with_allowed_remote_and_not_allowed_iam_group(mocker): botomock.return_value = clientmock output = lambda_handler_user(VALID_TEST_KMSAUTH_REQUEST_DIFFERENT_REMOTE_USER, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test-kmsauth-iam-group-validation.cfg')) assert output['errorType'] == 'KMSAuthValidationError' @@ -553,6 +553,6 @@ def test_basic_local_request_blacklisted(monkeypatch): output = lambda_handler_user(INVALID_TEST_REQUEST_BLACKLISTED_REMOTE_USERNAME, context=Context, ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD, - entropy_check=False, + entropy_seeding=False, config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg')) assert output['errorType'] == 'InputValidationError' diff --git a/tests/config/test_bless_config.py b/tests/config/test_bless_config.py index 70e907c6..1ba0f986 100644 --- a/tests/config/test_bless_config.py +++ b/tests/config/test_bless_config.py @@ -10,7 +10,6 @@ ENTROPY_MINIMUM_BITS_OPTION, \ RANDOM_SEED_BYTES_OPTION, \ CERTIFICATE_VALIDITY_SEC_DEFAULT, \ - ENTROPY_MINIMUM_BITS_DEFAULT, \ RANDOM_SEED_BYTES_DEFAULT, \ LOGGING_LEVEL_DEFAULT, \ LOGGING_LEVEL_OPTION, \ @@ -182,7 +181,7 @@ def test_config_environment_override(monkeypatch): [ ((os.path.join(os.path.dirname(__file__), 'minimal.cfg')), 'us-west-2', CERTIFICATE_VALIDITY_SEC_DEFAULT, - ENTROPY_MINIMUM_BITS_DEFAULT, RANDOM_SEED_BYTES_DEFAULT, + RANDOM_SEED_BYTES_DEFAULT, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_DEFAULT, SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_DEFAULT, LOGGING_LEVEL_DEFAULT,