def get_secret(requesting_content_type, secret_model, project_model,
twsk=None, transport_key=None, pem_needed=False):
tr.analyze_before_decryption(requesting_content_type)
secret_metadata = _get_secret_meta(secret_model)
if twsk is not None:
secret_metadata['trans_wrapped_session_key'] = twsk
secret_metadata['transport_key'] = transport_key
# Locate a suitable plugin to store the secret.
plugin_manager = secret_store.get_manager()
retrieve_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
# Retrieve the secret.
secret_dto = _get_secret(
retrieve_plugin, secret_metadata, secret_model, project_model)
if twsk is not None:
del secret_metadata['transport_key']
del secret_metadata['trans_wrapped_session_key']
# Denormalize the secret.
return tr.denormalize_after_decryption(secret_dto.secret,
requesting_content_type,
pem_needed,
secret_model.secret_type)
def get_secret(requesting_content_type, secret_model, project_model,
twsk=None, transport_key=None):
secret_metadata = _get_secret_meta(secret_model)
# NOTE: */* is the pecan default meaning no content type sent in. In this
# case we should use the mime type stored in the metadata.
if requesting_content_type == '*/*':
requesting_content_type = secret_metadata['content_type']
tr.analyze_before_decryption(requesting_content_type)
if twsk is not None:
secret_metadata['trans_wrapped_session_key'] = twsk
secret_metadata['transport_key'] = transport_key
# Locate a suitable plugin to store the secret.
plugin_manager = secret_store.get_manager()
retrieve_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
# Retrieve the secret.
secret_dto = _get_secret(
retrieve_plugin, secret_metadata, secret_model, project_model)
if twsk is not None:
del secret_metadata['transport_key']
del secret_metadata['trans_wrapped_session_key']
# Denormalize the secret.
return tr.denormalize_after_decryption(secret_dto.secret,
requesting_content_type)
def generate_secret(spec, content_type, project_model):
"""Generate a secret and store into a secure backend."""
# Locate a suitable plugin to store the secret.
key_spec = secret_store.KeySpec(alg=spec.get('algorithm'),
bit_length=spec.get('bit_length'),
mode=spec.get('mode'))
plugin_manager = secret_store.get_manager()
generate_plugin = plugin_manager.get_plugin_generate(key_spec)
# Create secret model to eventually save metadata to.
secret_model = models.Secret(spec)
secret_model['secret_type'] = secret_store.SecretType.SYMMETRIC
# Generate the secret.
secret_metadata = _generate_symmetric_key(
generate_plugin, key_spec, secret_model, project_model, content_type)
# Save secret and metadata.
_save_secret_in_repo(secret_model, project_model)
_save_secret_metadata_in_repo(secret_model, secret_metadata,
generate_plugin, content_type)
return secret_model
def get_secret(requesting_content_type, secret_model, project_model,
twsk=None, transport_key=None):
secret_metadata = _get_secret_meta(secret_model)
# NOTE: */* is the pecan default meaning no content type sent in. In this
# case we should use the mime type stored in the metadata.
if requesting_content_type == '*/*':
requesting_content_type = secret_metadata['content_type']
tr.analyze_before_decryption(requesting_content_type)
if twsk is not None:
secret_metadata['trans_wrapped_session_key'] = twsk
secret_metadata['transport_key'] = transport_key
# Locate a suitable plugin to store the secret.
plugin_manager = secret_store.get_manager()
retrieve_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
# Retrieve the secret.
secret_dto = _get_secret(
retrieve_plugin, secret_metadata, secret_model, project_model)
if twsk is not None:
del secret_metadata['transport_key']
del secret_metadata['trans_wrapped_session_key']
# Denormalize the secret.
return tr.denormalize_after_decryption(secret_dto.secret,
requesting_content_type)
def get_secret(requesting_content_type,
secret_model,
project_model,
twsk=None,
transport_key=None):
tr.analyze_before_decryption(requesting_content_type)
secret_metadata = _get_secret_meta(secret_model)
if twsk is not None:
secret_metadata['trans_wrapped_session_key'] = twsk
secret_metadata['transport_key'] = transport_key
# Locate a suitable plugin to store the secret.
plugin_manager = secret_store.get_manager()
retrieve_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
# Retrieve the secret.
secret_dto = _get_secret(retrieve_plugin, secret_metadata, secret_model,
project_model)
if twsk is not None:
del secret_metadata['transport_key']
del secret_metadata['trans_wrapped_session_key']
# Denormalize the secret.
return tr.denormalize_after_decryption(secret_dto.secret,
requesting_content_type)
def generate_secret(spec, content_type, project_model):
"""Generate a secret and store into a secure backend."""
# Locate a suitable plugin to store the secret.
key_spec = secret_store.KeySpec(alg=spec.get('algorithm'),
bit_length=spec.get('bit_length'),
mode=spec.get('mode'))
plugin_manager = secret_store.get_manager()
generate_plugin = plugin_manager.get_plugin_generate(
key_spec, project_id=project_model.id)
# Create secret model to eventually save metadata to.
secret_model = models.Secret(spec)
secret_model['secret_type'] = secret_store.SecretType.SYMMETRIC
# Generate the secret.
secret_metadata = _generate_symmetric_key(
generate_plugin, key_spec, secret_model, project_model, content_type)
# Save secret and metadata.
_save_secret_in_repo(secret_model, project_model)
_save_secret_metadata_in_repo(secret_model, secret_metadata,
generate_plugin, content_type)
return secret_model
def generate_asymmetric_secret(spec, content_type, project_model):
"""Generate an asymmetric secret and store into a secure backend."""
# Locate a suitable plugin to store the secret.
key_spec = secret_store.KeySpec(alg=spec.get('algorithm'),
bit_length=spec.get('bit_length'),
passphrase=spec.get('passphrase'))
plugin_manager = secret_store.get_manager()
generate_plugin = plugin_manager.get_plugin_generate(key_spec)
# Create secret models to eventually save metadata to.
private_secret_model = models.Secret(spec)
private_secret_model['secret_type'] = secret_store.SecretType.PRIVATE
public_secret_model = models.Secret(spec)
public_secret_model['secret_type'] = secret_store.SecretType.PUBLIC
passphrase_secret_model = (models.Secret(spec)
if spec.get('passphrase') else None)
if passphrase_secret_model:
passphrase_type = secret_store.SecretType.PASSPHRASE
passphrase_secret_model['secret_type'] = passphrase_type
# Generate the secret.
asymmetric_meta_dto = _generate_asymmetric_key(
generate_plugin,
key_spec,
private_secret_model,
public_secret_model,
passphrase_secret_model,
project_model,
content_type
)
# Save secret and metadata.
_save_secret(private_secret_model, project_model)
_save_secret_metadata(private_secret_model,
asymmetric_meta_dto.private_key_meta,
generate_plugin,
content_type)
_save_secret(public_secret_model, project_model)
_save_secret_metadata(public_secret_model,
asymmetric_meta_dto.public_key_meta,
generate_plugin,
content_type)
if spec.get('passphrase'):
_save_secret(passphrase_secret_model, project_model)
_save_secret_metadata(passphrase_secret_model,
asymmetric_meta_dto.passphrase_meta,
generate_plugin,
content_type)
# Now create container
container_model = _save_container(spec, project_model,
private_secret_model,
public_secret_model,
passphrase_secret_model)
return container_model
def store_secret(unencrypted_raw, content_type_raw, content_encoding,
spec, secret_model, project_model,
transport_key_needed=False,
transport_key_id=None):
"""Store a provided secret into secure backend."""
# Create a secret model is one isn't provided.
# Note: For one-step secret stores, the model is not provided. For
# two-step secrets, the secret entity is already created and should then
# be passed into this function.
if not secret_model:
secret_model = models.Secret(spec)
elif _secret_already_has_stored_data(secret_model):
raise ValueError('Secret already has encrypted data stored for it.')
# Create a KeySpec to find a plugin that will support storing the secret
key_spec = None
if spec:
key_spec = secret_store.KeySpec(alg=spec.get('algorithm'),
bit_length=spec.get('bit_length'),
mode=spec.get('mode'))
# If there is no secret data to store, then just create Secret entity and
# leave. A subsequent call to this method should provide both the Secret
# entity created here *and* the secret data to store into it.
if not unencrypted_raw:
key_model = _get_transport_key_model(key_spec, transport_key_needed)
_save_secret(secret_model, project_model)
return secret_model, key_model
plugin_name, transport_key = _get_plugin_name_and_transport_key(
transport_key_id)
# Locate a suitable plugin to store the secret.
plugin_manager = secret_store.get_manager()
store_plugin = plugin_manager.get_plugin_store(
key_spec=key_spec, plugin_name=plugin_name)
# Normalize inputs prior to storage.
unencrypted, content_type = tr.normalize_before_encryption(
unencrypted_raw, content_type_raw, content_encoding,
secret_model.secret_type, enforce_text_only=True)
# Store the secret securely.
secret_dto = secret_store.SecretDTO(type=secret_model.secret_type,
secret=unencrypted,
key_spec=key_spec,
content_type=content_type,
transport_key=transport_key)
secret_metadata = _store_secret(
store_plugin, secret_dto, secret_model, project_model)
# Save secret and metadata.
_save_secret(secret_model, project_model)
_save_secret_metadata(secret_model, secret_metadata, store_plugin,
content_type)
return secret_model, None
def generate_asymmetric_secret(spec, content_type, project_model):
"""Generate an asymmetric secret and store into a secure backend."""
# Locate a suitable plugin to store the secret.
key_spec = secret_store.KeySpec(alg=spec.get('algorithm'),
bit_length=spec.get('bit_length'),
passphrase=spec.get('passphrase'))
plugin_manager = secret_store.get_manager()
generate_plugin = plugin_manager.get_plugin_generate(key_spec)
# Create secret models to eventually save metadata to.
private_secret_model = models.Secret(spec)
private_secret_model['secret_type'] = secret_store.SecretType.PRIVATE
public_secret_model = models.Secret(spec)
public_secret_model['secret_type'] = secret_store.SecretType.PUBLIC
passphrase_secret_model = (models.Secret(spec)
if spec.get('passphrase') else None)
if passphrase_secret_model:
passphrase_type = secret_store.SecretType.PASSPHRASE
passphrase_secret_model['secret_type'] = passphrase_type
asymmetric_meta_dto = _generate_asymmetric_key(
generate_plugin,
key_spec,
private_secret_model,
public_secret_model,
passphrase_secret_model,
project_model,
content_type
)
_save_secret_in_repo(private_secret_model, project_model)
_save_secret_metadata_in_repo(private_secret_model,
asymmetric_meta_dto.private_key_meta,
generate_plugin,
content_type)
_save_secret_in_repo(public_secret_model, project_model)
_save_secret_metadata_in_repo(public_secret_model,
asymmetric_meta_dto.public_key_meta,
generate_plugin,
content_type)
if passphrase_secret_model:
_save_secret_in_repo(passphrase_secret_model, project_model)
_save_secret_metadata_in_repo(passphrase_secret_model,
asymmetric_meta_dto.passphrase_meta,
generate_plugin,
content_type)
container_model = _create_container_for_asymmetric_secret(spec,
project_model)
_save_asymmetric_secret_in_repo(
container_model, private_secret_model, public_secret_model,
passphrase_secret_model)
return container_model
def store_secret(unencrypted_raw,
content_type_raw,
content_encoding,
secret_model,
project_model,
transport_key_needed=False,
transport_key_id=None):
"""Store a provided secret into secure backend."""
if _secret_already_has_stored_data(secret_model):
raise ValueError('Secret already has encrypted data stored for it.')
# Create a KeySpec to find a plugin that will support storing the secret
key_spec = secret_store.KeySpec(alg=secret_model.algorithm,
bit_length=secret_model.bit_length,
mode=secret_model.mode)
# If there is no secret data to store, then just create Secret entity and
# leave. A subsequent call to this method should provide both the Secret
# entity created here *and* the secret data to store into it.
if not unencrypted_raw:
key_model = _get_transport_key_model(key_spec,
transport_key_needed,
project_id=project_model.id)
_save_secret_in_repo(secret_model, project_model)
return secret_model, key_model
plugin_name, transport_key = _get_plugin_name_and_transport_key(
transport_key_id)
unencrypted, content_type = tr.normalize_before_encryption(
unencrypted_raw,
content_type_raw,
content_encoding,
secret_model.secret_type,
enforce_text_only=True)
plugin_manager = secret_store.get_manager()
store_plugin = plugin_manager.get_plugin_store(key_spec=key_spec,
plugin_name=plugin_name,
project_id=project_model.id)
secret_dto = secret_store.SecretDTO(type=secret_model.secret_type,
secret=unencrypted,
key_spec=key_spec,
content_type=content_type,
transport_key=transport_key)
secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
secret_model, project_model)
_save_secret_in_repo(secret_model, project_model)
_save_secret_metadata_in_repo(secret_model, secret_metadata, store_plugin,
content_type)
return secret_model, None
def get_transport_key_id_for_retrieval(secret_model):
"""Return a transport key ID for retrieval if the plugin supports it."""
secret_metadata = _get_secret_meta(secret_model)
plugin_manager = secret_store.get_manager()
retrieve_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
transport_key_id = retrieve_plugin.get_transport_key()
return transport_key_id
def get_transport_key_id_for_retrieval(secret_model):
"""Return a transport key ID for retrieval if the plugin supports it."""
secret_metadata = _get_secret_meta(secret_model)
plugin_manager = secret_store.get_manager()
retrieve_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
transport_key_id = retrieve_plugin.get_transport_key()
return transport_key_id
def store_secret(unencrypted_raw, content_type_raw, content_encoding,
secret_model, project_model,
transport_key_needed=False,
transport_key_id=None):
"""Store a provided secret into secure backend."""
if _secret_already_has_stored_data(secret_model):
raise ValueError('Secret already has encrypted data stored for it.')
# Create a KeySpec to find a plugin that will support storing the secret
key_spec = secret_store.KeySpec(alg=secret_model.algorithm,
bit_length=secret_model.bit_length,
mode=secret_model.mode)
# If there is no secret data to store, then just create Secret entity and
# leave. A subsequent call to this method should provide both the Secret
# entity created here *and* the secret data to store into it.
if not unencrypted_raw:
key_model = _get_transport_key_model(key_spec, transport_key_needed,
project_id=project_model.id)
_save_secret_in_repo(secret_model, project_model)
return secret_model, key_model
plugin_name, transport_key = _get_plugin_name_and_transport_key(
transport_key_id)
unencrypted, content_type = tr.normalize_before_encryption(
unencrypted_raw, content_type_raw, content_encoding,
secret_model.secret_type, enforce_text_only=True)
plugin_manager = secret_store.get_manager()
store_plugin = plugin_manager.get_plugin_store(key_spec=key_spec,
plugin_name=plugin_name,
project_id=project_model.id)
secret_dto = secret_store.SecretDTO(type=secret_model.secret_type,
secret=unencrypted,
key_spec=key_spec,
content_type=content_type,
transport_key=transport_key)
secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
secret_model, project_model)
_save_secret_in_repo(secret_model, project_model)
_save_secret_metadata_in_repo(secret_model, secret_metadata, store_plugin,
content_type)
return secret_model, None
def delete_secret(secret_model, project_id):
"""Remove a secret from secure backend."""
secret_metadata = _get_secret_meta(secret_model)
# We should only try to delete a secret using the plugin interface if
# there's the metadata available. This addresses bug/1377330.
if secret_metadata:
# Locate a suitable plugin to delete the secret from.
plugin_manager = secret_store.get_manager()
delete_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
# Delete the secret from plugin storage.
delete_plugin.delete_secret(secret_metadata)
# Delete the secret from data model.
secret_repo = repos.get_secret_repository()
secret_repo.delete_entity_by_id(entity_id=secret_model.id,
external_project_id=project_id)
def delete_secret(secret_model, project_id):
"""Remove a secret from secure backend."""
secret_metadata = _get_secret_meta(secret_model)
# We should only try to delete a secret using the plugin interface if
# there's the metadata available. This addresses bug/1377330.
if secret_metadata:
# Locate a suitable plugin to delete the secret from.
plugin_manager = secret_store.get_manager()
delete_plugin = plugin_manager.get_plugin_retrieve_delete(
secret_metadata.get('plugin_name'))
# Delete the secret from plugin storage.
delete_plugin.delete_secret(secret_metadata)
# Delete the secret from data model.
secret_repo = repos.get_secret_repository()
secret_repo.delete_entity_by_id(entity_id=secret_model.id,
external_project_id=project_id)
def _get_transport_key_model(key_spec, transport_key_needed):
key_model = None
if transport_key_needed:
# get_plugin_store() will throw an exception if no suitable
# plugin with transport key is found
plugin_manager = secret_store.get_manager()
store_plugin = plugin_manager.get_plugin_store(
key_spec=key_spec, transport_key_needed=True)
plugin_name = utils.generate_fullname_for(store_plugin)
key_repo = repos.get_transport_key_repository()
key_model = key_repo.get_latest_transport_key(plugin_name)
if not key_model or not store_plugin.is_transport_key_current(
key_model.transport_key):
# transport key does not exist or is not current.
# need to get a new transport key
transport_key = store_plugin.get_transport_key()
new_key_model = models.TransportKey(plugin_name, transport_key)
key_model = key_repo.create_from(new_key_model)
return key_model
def _get_transport_key_model(key_spec, transport_key_needed):
key_model = None
if transport_key_needed:
# get_plugin_store() will throw an exception if no suitable
# plugin with transport key is found
plugin_manager = secret_store.get_manager()
store_plugin = plugin_manager.get_plugin_store(
key_spec=key_spec, transport_key_needed=True)
plugin_name = utils.generate_fullname_for(store_plugin)
key_repo = repos.get_transport_key_repository()
key_model = key_repo.get_latest_transport_key(plugin_name)
if not key_model or not store_plugin.is_transport_key_current(
key_model.transport_key):
# transport key does not exist or is not current.
# need to get a new transport key
transport_key = store_plugin.get_transport_key()
new_key_model = models.TransportKey(plugin_name, transport_key)
key_model = key_repo.create_from(new_key_model)
return key_model
def do_provision_kek(data, external_project_id):
plugin_manager = secret_store.get_manager()
#This parameter can be None Just for custom sgx plugin
store_plugin = plugin_manager.get_plugin_store(None)
return store_plugin.do_provision_kek(data, external_project_id)
def do_attestation(data, external_project_id, is_mutual=False, context=None):
plugin_manager = secret_store.get_manager()
#This parameter can be None Just for custom sgx plugin
store_plugin = plugin_manager.get_plugin_store(None)
return store_plugin.do_attestation(data, external_project_id, is_mutual, context)
def get_policy(external_project_id):
plugin_manager = secret_store.get_manager()
#This parameter can be None Just for custom sgx plugin
store_plugin = plugin_manager.get_plugin_store(None)
return store_plugin.get_policy(external_project_id)
