def test_create_tenant_rabbitmq_password_encrypted(self):
self.client.tenants.create('tenant_1')
password_encrypted = self._select(
"SELECT rabbitmq_password FROM tenants WHERE name='tenant_1'"
)[0][0]
security_conf = self.read_manager_file(SECURITY_FILE_LOCATION)
security_conf = json.loads(security_conf)
# Validate the rabbitmq_password is being stored encrypted in the DB
decrypt(password_encrypted, security_conf['encryption_key'])
assert len(password_encrypted) > 32
def create_tenant_vhost_and_user(self, tenant):
"""
Create a new RabbitMQ vhost and user, and grant the user permissions
on the vhost
:param tenant: An SQLAlchemy Tenant object
:return: The updated tenant object
"""
vhost = tenant.rabbitmq_vhost or \
self.VHOST_NAME_PATTERN.format(tenant.name)
username = tenant.rabbitmq_username or \
self.USERNAME_PATTERN.format(tenant.name)
# The password is being stored encrypted in the DB
new_password = AMQPManager._generate_user_password()
password = decrypt(tenant.rabbitmq_password) \
if tenant.rabbitmq_password else new_password
encrypted_password = tenant.rabbitmq_password or encrypt(new_password)
self._client.create_vhost(vhost)
self._client.create_user(username, password)
self._client.set_vhost_permissions(vhost, username, '.*', '.*', '.*')
# Gives configure and write permissions to the specific exchanges of
# events, logs and monitoring
allowed_resources = '^cloudify-(events|logs|monitoring)$'
self._client.set_vhost_permissions('/',
username,
configure=allowed_resources,
write=allowed_resources)
tenant.rabbitmq_vhost = vhost
tenant.rabbitmq_username = username
tenant.rabbitmq_password = encrypted_password
return tenant
def _get_tenant_dict():
tenant_dict = utils.current_tenant.to_dict()
tenant_dict['rabbitmq_password'] = decrypt(
tenant_dict['rabbitmq_password'])
for to_remove in ['id', 'users', 'groups']:
tenant_dict.pop(to_remove)
return tenant_dict
def _encrypt_value(valid_value, valid_encrypt, encrypted, key,
secret_errors, secret):
if valid_value and valid_encrypt:
if encrypted and key:
secret['value'] = decrypt(secret['value'], key)
elif encrypted and not key:
secret_errors['No passphrase'] = 'The secret is encrypted ' \
'but no passphrase was given'
def _get_tenant_dict():
tenant_dict = utils.current_tenant.to_dict()
tenant_dict['rabbitmq_password'] = decrypt(
tenant_dict['rabbitmq_password']
)
for to_remove in ['id', 'users', 'groups']:
tenant_dict.pop(to_remove)
return tenant_dict
def get(self, name):
"""
Get agent by name
"""
validate_inputs({'name': name})
agent = get_storage_manager().get(models.Agent, name)
agent_dict = agent.to_dict()
if agent.rabbitmq_password:
agent_dict['rabbitmq_password'] = decrypt(agent.rabbitmq_password)
return agent_dict
def get(self, name):
"""
Get agent by name
"""
validate_inputs({'name': name})
agent = get_storage_manager().get(models.Agent, name)
agent_dict = agent.to_dict()
if agent.rabbitmq_password:
agent_dict['rabbitmq_password'] = decrypt(agent.rabbitmq_password)
return agent_dict
def _create_rabbitmq_user(self, resource):
username = resource.rabbitmq_username or \
USERNAME_PATTERN.format(resource.name)
# The password is being stored encrypted in the DB
new_password = generate_user_password()
password = decrypt(resource.rabbitmq_password) \
if resource.rabbitmq_password else new_password
encrypted_password = resource.rabbitmq_password or \
encrypt(new_password)
self._client.create_user(username, password)
return username, encrypted_password
def get(self, key):
"""
Get secret by key
"""
rest_utils.validate_inputs({'key': key})
secret = get_storage_manager().get(models.Secret, key)
secret_dict = secret.to_dict()
if secret_dict['is_hidden_value'] and not \
self._is_hidden_value_permitted(secret):
# Hide the value of the secret
secret_dict['value'] = ''
else:
# Returns the decrypted value
secret_dict['value'] = decrypt(secret.value)
return secret_dict
def get(self, key):
"""
Get secret by key
"""
rest_utils.validate_inputs({'key': key})
secret = get_storage_manager().get(models.Secret, key)
secret_dict = secret.to_dict()
if secret_dict['is_hidden_value'] and not \
self._is_hidden_value_permitted(secret):
# Hide the value of the secret
secret_dict['value'] = ''
else:
# Returns the decrypted value
secret_dict['value'] = decrypt(secret.value)
return secret_dict
def _create_export_response(self, secrets, password):
secrets_list = []
for secret in secrets.items:
if secret.is_hidden_value and not \
rest_utils.is_hidden_value_permitted(secret):
continue
new_secret = {'key': secret.key,
'value': decrypt(secret.value),
'visibility': secret.visibility,
'tenant_name': secret.tenant_name,
'is_hidden_value': secret.is_hidden_value,
'encrypted': False}
secrets_list.append(new_secret)
if password:
self._encrypt_values(secrets_list, password)
return secrets_list
def get(self, tenant_name, multi_tenancy=None):
"""Get details for a single tenant
On community, only getting the default tenant is allowed.
"""
if multi_tenancy:
rest_utils.validate_inputs({'tenant_name': tenant_name})
return multi_tenancy.get_tenant(tenant_name)
else:
if tenant_name != constants.DEFAULT_TENANT_NAME:
raise MissingPremiumPackage()
tenant = get_storage_manager().get(models.Tenant,
None,
filters={'name': tenant_name})
if is_user_action_allowed('tenant_rabbitmq_credentials',
tenant_name):
tenant.rabbitmq_password = decrypt(tenant.rabbitmq_password)
else:
tenant.rabbitmq_username = None
tenant.rabbitmq_password = None
tenant.rabbitmq_vhost = None
return tenant
def get_secret_method(secret_key):
sm = get_storage_manager()
secret = sm.get(Secret, secret_key)
decrypted_value = cryptography_utils.decrypt(secret.value)
return SecretType(secret_key, decrypted_value)
def _decrypt_value(secret, encryption_key, secret_errors):
if encryption_key:
secret['value'] = decrypt(secret['value'], encryption_key)
else:
secret_errors['No passphrase'] = 'The secret is encrypted ' \
'but no passphrase was given'
def get_secret(secret_key):
secret = storage_manager.get(Secret, secret_key)
decrypted_value = cryptography_utils.decrypt(secret.value)
return SecretType(secret_key, decrypted_value)
def get_secret(secret_key):
secret = storage_manager.get(Secret, secret_key)
decrypted_value = cryptography_utils.decrypt(secret.value)
return SecretType(secret_key, decrypted_value)
def get_secret(self, secret_key):
secret = self.sm.get(Secret, secret_key)
decrypted_value = cryptography_utils.decrypt(secret.value)
return SecretType(secret_key, decrypted_value)
