def test_decrypt_datakey_with_encryption(self, dmd_mock, dd_mock): app.config['USE_ENCRYPTION'] = True context = {'from': 'confidant-development', 'to': 'confidant-development'} keymanager.decrypt_datakey('encrypted', context) # Assert that decrypt_datakey was called and decrypt_mock_datakey was # not called. self.assertTrue(dd_mock.called) self.assertFalse(dmd_mock.called)
def test_decrypt_datakey_with_encryption(self, dmd_mock, dd_mock): app.config['USE_ENCRYPTION'] = True context = { 'from': 'confidant-development', 'to': 'confidant-development' } keymanager.decrypt_datakey('encrypted', context) # Assert that decrypt_datakey was called and decrypt_mock_datakey was # not called. self.assertTrue(dd_mock.called) self.assertFalse(dmd_mock.called)
def get_credential(id): try: cred = Credential.get(id) except Credential.DoesNotExist: return jsonify({}), 404 if (cred.data_type != 'credential' and cred.data_type != 'archive-credential'): return jsonify({}), 404 services = [] for service in Service.data_type_date_index.query('service'): services.append(service.id) if cred.data_type == 'credential': context = id else: context = id.split('-')[0] data_key = keymanager.decrypt_datakey( cred.data_key, encryption_context={'id': context} ) cipher_version = cred.cipher_version cipher = CipherManager(data_key, cipher_version) _credential_pairs = cipher.decrypt(cred.credential_pairs) _credential_pairs = json.loads(_credential_pairs) return jsonify({ 'id': id, 'name': cred.name, 'credential_pairs': _credential_pairs, 'metadata': cred.metadata, 'services': services, 'revision': cred.revision, 'enabled': cred.enabled, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by })
def get_credential(id): try: cred = Credential.get(id) except DoesNotExist: logging.warning('Item with id {0} does not exist.'.format(id)) return jsonify({}), 404 if (cred.data_type != 'credential' and cred.data_type != 'archive-credential'): return jsonify({}), 404 services = [] for service in Service.data_type_date_index.query('service'): services.append(service.id) if cred.data_type == 'credential': context = id else: context = id.split('-')[0] data_key = keymanager.decrypt_datakey(cred.data_key, encryption_context={'id': context}) cipher_version = cred.cipher_version cipher = CipherManager(data_key, cipher_version) _credential_pairs = cipher.decrypt(cred.credential_pairs) _credential_pairs = json.loads(_credential_pairs) return jsonify({ 'id': id, 'name': cred.name, 'credential_pairs': _credential_pairs, 'metadata': cred.metadata, 'services': services, 'revision': cred.revision, 'enabled': cred.enabled, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by, 'documentation': cred.documentation })
def _get_credentials(credential_ids): credentials = [] with stats.timer('service_batch_get_credentials'): for cred in Credential.batch_get(copy.deepcopy(credential_ids)): data_key = keymanager.decrypt_datakey( cred.data_key, encryption_context={'id': cred.id}) cipher_version = cred.cipher_version cipher = CipherManager(data_key, cipher_version) _credential_pairs = cipher.decrypt(cred.credential_pairs) _credential_pairs = json.loads(_credential_pairs) credentials.append({ 'id': cred.id, 'data_type': 'credential', 'name': cred.name, 'enabled': cred.enabled, 'revision': cred.revision, 'credential_pairs': _credential_pairs, 'metadata': cred.metadata }) return credentials
def _get_credentials(credential_ids): credentials = [] with stats.timer('service_batch_get_credentials'): for cred in Credential.batch_get(copy.deepcopy(credential_ids)): data_key = keymanager.decrypt_datakey( cred.data_key, encryption_context={'id': cred.id} ) cipher_version = cred.cipher_version cipher = CipherManager(data_key, cipher_version) _credential_pairs = cipher.decrypt(cred.credential_pairs) _credential_pairs = json.loads(_credential_pairs) credentials.append({ 'id': cred.id, 'data_type': 'credential', 'name': cred.name, 'enabled': cred.enabled, 'revision': cred.revision, 'credential_pairs': _credential_pairs, 'metadata': cred.metadata }) return credentials
def test_decrypt_datakey_mocked(self): app.config['USE_ENCRYPTION'] = False ret = keymanager.decrypt_datakey('mocked_fernet_key') # Ensure we get the same value out that we sent in. self.assertEquals(ret, 'mocked_fernet_key')
def update_credential(id): try: _cred = Credential.get(id) except Credential.DoesNotExist: return jsonify({'error': 'Credential not found.'}), 404 if _cred.data_type != 'credential': msg = 'id provided is not a credential.' return jsonify({'error': msg}), 400 data = request.get_json() update = {} revision = _get_latest_credential_revision(id, _cred.revision) update['name'] = data.get('name', _cred.name) if 'enabled' in data: if not isinstance(data['enabled'], bool): return jsonify({'error': 'Enabled must be a boolean.'}), 400 update['enabled'] = data['enabled'] else: update['enabled'] = _cred.enabled if not isinstance(data.get('metadata', {}), dict): return jsonify({'error': 'metadata must be a dict'}), 400 services = _get_services_for_credential(id) if 'credential_pairs' in data: # Ensure credential pair keys are lowercase credential_pairs = _lowercase_credential_pairs( data['credential_pairs'] ) _check, ret = _check_credential_pair_values(credential_pairs) if not _check: return jsonify(ret), 400 # Ensure credential pairs don't conflicts with pairs from other # services conflicts = _pair_key_conflicts_for_services( id, credential_pairs.keys(), services ) if conflicts: ret = { 'error': 'Conflicting key pairs in mapped service.', 'conflicts': conflicts } return jsonify(ret), 400 update['credential_pairs'] = json.dumps(credential_pairs) else: data_key = keymanager.decrypt_datakey( _cred.data_key, encryption_context={'id': id} ) cipher_version = _cred.cipher_version cipher = CipherManager(data_key, cipher_version) update['credential_pairs'] = cipher.decrypt(_cred.credential_pairs) data_key = keymanager.create_datakey(encryption_context={'id': id}) cipher = CipherManager(data_key['plaintext'], version=2) credential_pairs = cipher.encrypt(update['credential_pairs']) update['metadata'] = data.get('metadata', _cred.metadata) # Try to save to the archive try: Credential( id='{0}-{1}'.format(id, revision), name=update['name'], data_type='archive-credential', credential_pairs=credential_pairs, metadata=update['metadata'], enabled=update['enabled'], revision=revision, data_key=data_key['ciphertext'], cipher_version=2, modified_by=authnz.get_logged_in_user() ).save(id__null=True) except PutError as e: logging.error(e) return jsonify({'error': 'Failed to add credential to archive.'}), 500 try: cred = Credential( id=id, name=update['name'], data_type='credential', credential_pairs=credential_pairs, metadata=update['metadata'], enabled=update['enabled'], revision=revision, data_key=data_key['ciphertext'], cipher_version=2, modified_by=authnz.get_logged_in_user() ) cred.save() except PutError as e: logging.error(e) return jsonify({'error': 'Failed to update active credential.'}), 500 if services: service_names = [x.id for x in services] msg = 'Updated credential "{0}" ({1}); Revision {2}' msg = msg.format(cred.name, cred.id, cred.revision) graphite.send_event(service_names, msg) webhook.send_event('credential_update', service_names, [cred.id]) return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': json.loads(cipher.decrypt(cred.credential_pairs)), 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by })
def update_credential(id): try: _cred = Credential.get(id) except DoesNotExist: return jsonify({'error': 'Credential not found.'}), 404 if _cred.data_type != 'credential': msg = 'id provided is not a credential.' return jsonify({'error': msg}), 400 data = request.get_json() update = {} revision = _get_latest_credential_revision(id, _cred.revision) update['name'] = data.get('name', _cred.name) if 'enabled' in data: if not isinstance(data['enabled'], bool): return jsonify({'error': 'Enabled must be a boolean.'}), 400 update['enabled'] = data['enabled'] else: update['enabled'] = _cred.enabled if not isinstance(data.get('metadata', {}), dict): return jsonify({'error': 'metadata must be a dict'}), 400 services = _get_services_for_credential(id) if 'credential_pairs' in data: # Ensure credential pair keys are lowercase credential_pairs = _lowercase_credential_pairs( data['credential_pairs']) _check, ret = _check_credential_pair_values(credential_pairs) if not _check: return jsonify(ret), 400 # Ensure credential pairs don't conflicts with pairs from other # services conflicts = _pair_key_conflicts_for_services( id, list(credential_pairs.keys()), services) if conflicts: ret = { 'error': 'Conflicting key pairs in mapped service.', 'conflicts': conflicts } return jsonify(ret), 400 update['credential_pairs'] = json.dumps(credential_pairs) else: data_key = keymanager.decrypt_datakey(_cred.data_key, encryption_context={'id': id}) cipher_version = _cred.cipher_version cipher = CipherManager(data_key, cipher_version) update['credential_pairs'] = cipher.decrypt(_cred.credential_pairs) data_key = keymanager.create_datakey(encryption_context={'id': id}) cipher = CipherManager(data_key['plaintext'], version=2) credential_pairs = cipher.encrypt(update['credential_pairs']) update['metadata'] = data.get('metadata', _cred.metadata) update['documentation'] = data.get('documentation', _cred.documentation) # Enforce documentation, EXCEPT if we are restoring an old revision if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION') and not data.get('revision')): return jsonify({'error': 'documentation is a required field'}), 400 # Try to save to the archive try: Credential(id='{0}-{1}'.format(id, revision), name=update['name'], data_type='archive-credential', credential_pairs=credential_pairs, metadata=update['metadata'], enabled=update['enabled'], revision=revision, data_key=data_key['ciphertext'], cipher_version=2, modified_by=authnz.get_logged_in_user(), documentation=update['documentation']).save(id__null=True) except PutError as e: logging.error(e) return jsonify({'error': 'Failed to add credential to archive.'}), 500 try: cred = Credential(id=id, name=update['name'], data_type='credential', credential_pairs=credential_pairs, metadata=update['metadata'], enabled=update['enabled'], revision=revision, data_key=data_key['ciphertext'], cipher_version=2, modified_by=authnz.get_logged_in_user(), documentation=update['documentation']) cred.save() except PutError as e: logging.error(e) return jsonify({'error': 'Failed to update active credential.'}), 500 if services: service_names = [x.id for x in services] msg = 'Updated credential "{0}" ({1}); Revision {2}' msg = msg.format(cred.name, cred.id, cred.revision) graphite.send_event(service_names, msg) webhook.send_event('credential_update', service_names, [cred.id]) return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': json.loads(cipher.decrypt(cred.credential_pairs)), 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by, 'documentation': cred.documentation })
def update_credential(id): #credentialid가져오는 중 없을 경우 error발생 예외처리 try: _cred = Credential.get(id) except DoesNotExist: return jsonify({'error': 'Credential not found.'}), 404 #자료의 종류가 credential인지 아닌지 check 아닐 경우 error msg와 함께 리턴 if _cred.data_type != 'credential': msg = 'id provided is not a credential.' return jsonify({'error': msg}), 400 #데이터 갖고온다 data = request.get_json() #update라는 dictionary생성 update = {} #가장 최근의 revision을 가져온다 revision = _get_latest_credential_revision(id, _cred.revision) #이름 업데이트 update['name'] = data.get('name', _cred.name) #data에 'enabled'이 있을 경우 제어문 안으로 if 'enabled' in data: #허용 안되는 부분이 bool 인스턴스가 아니라면 error발생 if not isinstance(data['enabled'], bool): return jsonify({'error': 'Enabled must be a boolean.'}), 400 #'enabled'data 대입 update['enabled'] = data['enabled'] else: #data에 없다면 _cred에서 대입 update['enabled'] = _cred.enabled #metadata가 dictionary타입이 아닌 경우 error발생 if not isinstance(data.get('metadata', {}), dict): return jsonify({'error': 'metadata must be a dict'}), 400 #credential의 서비스 가져오기 services = _get_services_for_credential(id) #data에 credential_pairs가 있다면 제어문 안으로 if 'credential_pairs' in data: # Ensure credential pair keys are lowercase # credential pair key가 소문자인지 확실하게 하기 위해 소문자로 만드는 함수를 사용해 credential_pairs가져오기 credential_pairs = _lowercase_credential_pairs( data['credential_pairs'] ) #확인하기 위해 확인 값 가져오기 _check, ret = _check_credential_pair_values(credential_pairs) #확인 if not _check: return jsonify(ret), 400 # Ensure credential pairs don't conflicts with pairs from other services # 다른 서비스와 충돌하지 않는지 확인 conflicts = _pair_key_conflicts_for_services( id, credential_pairs.keys(), services ) # 충돌한다면 error발생 if conflicts: ret = { 'error': 'Conflicting key pairs in mapped service.', 'conflicts': conflicts } return jsonify(ret), 400 update['credential_pairs'] = json.dumps(credential_pairs) #data에 credential_pairs가 없다면 제어문 안으로 else: #key생성 data_key = keymanager.decrypt_datakey( _cred.data_key, encryption_context={'id': id} ) cipher_version = _cred.cipher_version cipher = CipherManager(data_key, cipher_version) update['credential_pairs'] = cipher.decrypt(_cred.credential_pairs) data_key = keymanager.create_datakey(encryption_context={'id': id}) cipher = CipherManager(data_key['plaintext'], version=2) credential_pairs = cipher.encrypt(update['credential_pairs']) update['metadata'] = data.get('metadata', _cred.metadata) update['documentation'] = data.get('documentation', _cred.documentation) # Enforce documentation, EXCEPT if we are restoring an old revision #오래된 버전을 복원 중이지 않는 이상 문서 실행 if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION') and not data.get('revision')): return jsonify({'error': 'documentation is a required field'}), 400 # Try to save to the archive # 아카이브 저장을 위한 try문 try: Credential( id='{0}-{1}'.format(id, revision), name=update['name'], data_type='archive-credential', credential_pairs=credential_pairs, metadata=update['metadata'], enabled=update['enabled'], revision=revision, data_key=data_key['ciphertext'], cipher_version=2, modified_by=authnz.get_logged_in_user(), documentation=update['documentation'] ).save(id__null=True) except PutError as e: logging.error(e) return jsonify({'error': 'Failed to add credential to archive.'}), 500 try: cred = Credential( id=id, name=update['name'], data_type='credential', credential_pairs=credential_pairs, metadata=update['metadata'], enabled=update['enabled'], revision=revision, data_key=data_key['ciphertext'], cipher_version=2, modified_by=authnz.get_logged_in_user(), documentation=update['documentation'] ) cred.save() except PutError as e: logging.error(e) return jsonify({'error': 'Failed to update active credential.'}), 500 if services: service_names = [x.id for x in services] msg = 'Updated credential "{0}" ({1}); Revision {2}' msg = msg.format(cred.name, cred.id, cred.revision) graphite.send_event(service_names, msg) webhook.send_event('credential_update', service_names, [cred.id]) #update된 내용 리턴 return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': json.loads(cipher.decrypt(cred.credential_pairs)), 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by, 'documentation': cred.documentation })
def test_decrypt_datakey_mocked(self): app.config['USE_ENCRYPTION'] = False ret = keymanager.decrypt_datakey('mocked_fernet_key') # Ensure we get the same value out that we sent in. self.assertEquals(ret, 'mocked_fernet_key')