From a0673dc111e9c983f0bbd2bb48fa49603c0aebd6 Mon Sep 17 00:00:00 2001
From: Hao Shen <hshen@purestorage.com>
Date: Fri, 31 Mar 2017 17:08:20 -0700
Subject: [PATCH] Add state/crypto usage mask checks for MAC operation

---
 kmip/services/server/engine.py                |  18 ++-
 .../tests/unit/services/server/test_engine.py | 109 +++++++++++++++++-
 2 files changed, 120 insertions(+), 7 deletions(-)

diff --git a/kmip/services/server/engine.py b/kmip/services/server/engine.py
index edd3cc1..fb31be1 100644
--- a/kmip/services/server/engine.py
+++ b/kmip/services/server/engine.py
@@ -1634,7 +1634,7 @@ class KmipEngine(object):
               managed_object.cryptographic_algorithm):
             algorithm = managed_object.cryptographic_algorithm
         else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                 "The cryptographic algorithm must be specified "
                 "for the MAC operation"
             )
@@ -1643,7 +1643,7 @@ class KmipEngine(object):
         if managed_object.value:
             key = managed_object.value
         else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                 "A secret key value must be specified "
                 "for the MAC operation"
             )
@@ -1652,10 +1652,22 @@ class KmipEngine(object):
         if payload.data:
             data = payload.data.value
         else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                 "No data to be MACed"
             )
 
+        if managed_object.state != enums.State.ACTIVE:
+            raise exceptions.PermissionDenied(
+                "Object is not in a state that can be used for MACing."
+            )
+
+        if enums.CryptographicUsageMask.MAC_GENERATE not in \
+           managed_object.cryptographic_usage_masks:
+                raise exceptions.PermissionDenied(
+                    "MAC Generate must be set in the object's cryptographic "
+                    "usage mask"
+                )
+
         result = self._cryptography_engine.mac(
             algorithm,
             key,
diff --git a/kmip/tests/unit/services/server/test_engine.py b/kmip/tests/unit/services/server/test_engine.py
index 3125122..1847e1b 100644
--- a/kmip/tests/unit/services/server/test_engine.py
+++ b/kmip/tests/unit/services/server/test_engine.py
@@ -4641,7 +4641,9 @@ class TestKmipEngine(testtools.TestCase):
                 b'\x0B\x0C\x0D\x0E\x0F')
         algorithm_a = enums.CryptographicAlgorithm.AES
         algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
-        obj = pie_objects.SymmetricKey(algorithm_a, 128, key)
+        obj = pie_objects.SymmetricKey(
+            algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
+        obj.state = enums.State.ACTIVE
 
         e._data_session.add(obj)
         e._data_session.commit()
@@ -4731,7 +4733,7 @@ class TestKmipEngine(testtools.TestCase):
         args = (payload_no_key, )
         regex = "A secret key value must be specified"
         self.assertRaisesRegexp(
-            exceptions.InvalidField,
+            exceptions.PermissionDenied,
             regex,
             e._process_mac,
             *args
@@ -4746,7 +4748,7 @@ class TestKmipEngine(testtools.TestCase):
         args = (payload_no_algorithm, )
         regex = "The cryptographic algorithm must be specified"
         self.assertRaisesRegexp(
-            exceptions.InvalidField,
+            exceptions.PermissionDenied,
             regex,
             e._process_mac,
             *args
@@ -4761,7 +4763,106 @@ class TestKmipEngine(testtools.TestCase):
         args = (payload_no_data, )
         regex = "No data to be MACed"
         self.assertRaisesRegexp(
-            exceptions.InvalidField,
+            exceptions.PermissionDenied,
+            regex,
+            e._process_mac,
+            *args
+        )
+
+    def test_mac_not_active_state(self):
+        """
+        Test that the right error is generated when an MAC request is
+        received for an object that is not in 'active' state.
+        """
+        e = engine.KmipEngine()
+        e._data_store = self.engine
+        e._data_store_session_factory = self.session_factory
+        e._data_session = e._data_store_session_factory()
+        e._logger = mock.MagicMock()
+        e._cryptography_engine.logger = mock.MagicMock()
+
+        key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+               b'\x00\x00\x00\x00\x00')
+        data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
+                b'\x0B\x0C\x0D\x0E\x0F')
+        algorithm_a = enums.CryptographicAlgorithm.AES
+        algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
+        obj = pie_objects.SymmetricKey(
+            algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
+        obj.state = enums.State.PRE_ACTIVE
+
+        e._data_session.add(obj)
+        e._data_session.commit()
+        e._data_session = e._data_store_session_factory()
+
+        uuid = str(obj.unique_identifier)
+
+        cryptographic_parameters = attributes.CryptographicParameters(
+            cryptographic_algorithm=attributes.
+            CryptographicAlgorithm(algorithm_b)
+        )
+
+        # Verify when cryptographic_parameters is specified in request
+        payload = mac.MACRequestPayload(
+            unique_identifier=attributes.UniqueIdentifier(uuid),
+            cryptographic_parameters=cryptographic_parameters,
+            data=objects.Data(data)
+        )
+
+        args = (payload,)
+        regex = "Object is not in a state that can be used for MACing."
+        self.assertRaisesRegexp(
+            exceptions.PermissionDenied,
+            regex,
+            e._process_mac,
+            *args
+        )
+
+    def test_mac_crypto_usage_mask_not_set(self):
+        """
+        Test that the right error is generated when an MAC request is
+        received for an object without proper crypto usage mask set.
+        """
+        e = engine.KmipEngine()
+        e._data_store = self.engine
+        e._data_store_session_factory = self.session_factory
+        e._data_session = e._data_store_session_factory()
+        e._logger = mock.MagicMock()
+        e._cryptography_engine.logger = mock.MagicMock()
+
+        key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+               b'\x00\x00\x00\x00\x00')
+        data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
+                b'\x0B\x0C\x0D\x0E\x0F')
+        algorithm_a = enums.CryptographicAlgorithm.AES
+        algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
+        obj = pie_objects.SymmetricKey(
+            algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_VERIFY])
+        obj.state = enums.State.ACTIVE
+
+        e._data_session.add(obj)
+        e._data_session.commit()
+        e._data_session = e._data_store_session_factory()
+
+        uuid = str(obj.unique_identifier)
+
+        cryptographic_parameters = attributes.CryptographicParameters(
+            cryptographic_algorithm=attributes.
+            CryptographicAlgorithm(algorithm_b)
+        )
+
+        # Verify when cryptographic_parameters is specified in request
+        payload = mac.MACRequestPayload(
+            unique_identifier=attributes.UniqueIdentifier(uuid),
+            cryptographic_parameters=cryptographic_parameters,
+            data=objects.Data(data)
+        )
+
+        args = (payload,)
+        regex = "MAC Generate must be set in the object's cryptographic " \
+                "usage mask"
+        self.assertRaisesRegexp(
+            exceptions.PermissionDenied,
             regex,
             e._process_mac,
             *args