def _get_decrypted_credential_pairs(self):
if self.data_type == 'credential':
context = self.id
else:
context = self.id.split('-')[0]
data_key = keymanager.decrypt_datakey(
self.data_key, encryption_context={'id': context})
cipher_version = self.cipher_version
cipher = CipherManager(data_key, cipher_version)
_credential_pairs = cipher.decrypt(self.credential_pairs)
_credential_pairs = json.loads(_credential_pairs)
return _credential_pairs
def test_cipher_version_3():
key = Fernet.generate_key()
cipher = CipherManager(key, 3)
with pytest.raises(CipherManagerError):
cipher.encrypt('testdata')
with pytest.raises(CipherManagerError):
cipher.decrypt('random_text')
def test_cipher_version_2():
key = Fernet.generate_key()
cipher = CipherManager(key, 2)
ciphertext = cipher.encrypt('testdata')
# Assert we're getting back some form of altered data
assert ciphertext != 'testdata'
cipher = CipherManager(key, 2)
plaintext = cipher.decrypt(ciphertext).decode('UTF-8')
# Assert that decrypting using a new cipher object with the same key
# and version give back the same plaintext.
assert plaintext == 'testdata'
def update_credential(id):
'''
Update the provided credential using the data provided in the POST body.
.. :quickref: Credential; Update the provided credential using the data
provided in the post body.
**Example request**:
.. sourcecode:: http
PUT /v1/credentials/abcd12345bf4f1cafe8e722d3860404
:param id: The credential ID to update.
:type id: str
:<json string name: The friendly name for the credential.
:<json Dictionary{string: string} credential_pairs: A dictionary of
arbitrary key/value pairs to be encrypted at rest.
:<json Dictionary{string: string} metadata: A dictionary of arbitrary key/
value pairs for custom per-credential end-user extensions. This is not
encrypted at rest.
:<json boolean enabled: Whether or not this credential is enabled.
:<json string documentation: End-user provided documentation for this
credential.
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": "abcd12345bf4f1cafe8e722d3860404",
"name": "Example Credential",
"credential_keys": ["example_credential_key"],
"credential_pairs": {
"example_credential_key": "example_credential_value"
},
"metadata": {
"example_metadata_key": "example_value"
},
"revision": 1,
"enabled": true,
"documentation": "Example documentation",
"modified_date": "2019-12-16T23:16:11.413299+00:00",
"modified_by": "*****@*****.**",
"permissions": {
"metadata": true,
"get": true,
"update": true
}
}
:resheader Content-Type: application/json
:statuscode 200: Success
:statuscode 400: Invalid input; either the data provided was not in the
correct format, or the update would create conflicting
credential keys in a mapped service.
:statuscode 403: Client does not have access to update the provided
credential ID.
'''
if not acl_module_check(
resource_type='credential', action='update', resource_id=id):
msg = "{} does not have access to update credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
_cred = Credential.get(id)
except DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if _cred.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
update = {
'name': data.get('name', _cred.name),
'last_rotation_date': _cred.last_rotation_date,
'credential_pairs': _cred.credential_pairs,
'enabled': _cred.enabled,
'metadata': data.get('metadata', _cred.metadata),
'documentation': data.get('documentation', _cred.documentation),
'tags': data.get('tags', _cred.tags),
}
# Enforce documentation, EXCEPT if we are restoring an old revision
if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION')
and not data.get('revision')):
return jsonify({'error': 'documentation is a required field'}), 400
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
services = servicemanager.get_services_for_credential(id)
revision = credentialmanager.get_latest_credential_revision(
id, _cred.revision)
if 'credential_pairs' in data:
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = servicemanager.pair_key_conflicts_for_services(
id, list(credential_pairs.keys()), services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# If the credential pair passed in the update is different from the
# decrypted credential pair of the most recent revision, assume that
# this is a new credential pair and update last_rotation_date
if credential_pairs != _cred.decrypted_credential_pairs:
update['last_rotation_date'] = misc.utcnow()
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
update['credential_pairs'] = cipher.encrypt(
json.dumps(credential_pairs))
# Try to save to the archive
try:
Credential(
id='{0}-{1}'.format(id, revision),
name=update['name'],
data_type='archive-credential',
credential_pairs=update['credential_pairs'],
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation'],
tags=update['tags'],
last_rotation_date=update['last_rotation_date'],
).save(id__null=True)
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(
id=id,
name=update['name'],
data_type='credential',
credential_pairs=update['credential_pairs'],
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation'],
tags=update['tags'],
last_rotation_date=update['last_rotation_date'],
)
cred.save()
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('credential_update', service_names, [cred.id])
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def create_credential():
'''
Create a credential using the data provided in the POST body.
.. :quickref: Credential; Create a credential using the data provided in
the post body.
**Example request**:
.. sourcecode:: http
POST /v1/credentials
:<json string name: The friendly name for the credential. (required)
:<json Dictionary{string: string} credential_pairs: A dictionary of
arbitrary key/value pairs to be encrypted at rest. (required)
:<json Dictionary{string: string} metadata: A dictionary of arbitrary key/
value pairs for custom per-credential end-user extensions. This is not
encrypted at rest.
:<json boolean enabled: Whether or not this credential is enabled.
(default: true)
:<json string documentation: End-user provided documentation for this
credential. (required)
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": "abcd12345bf4f1cafe8e722d3860404",
"name": "Example Credential",
"credential_keys": ["example_credential_key"],
"credential_pairs": {
"example_credential_key": "example_credential_value"
},
"metadata": {
"example_metadata_key": "example_value"
},
"revision": 1,
"enabled": true,
"documentation": "Example documentation",
"modified_date": "2019-12-16T23:16:11.413299+00:00",
"modified_by": "*****@*****.**",
"permissions": {
"metadata": true,
"get": true,
"update": true
}
}
:resheader Content-Type: application/json
:statuscode 200: Success
:statuscode 400: Invalid input; either the data provided was not in the
correct format, or a required field was not provided.
:statuscode 403: Client does not have access to create credentials.
'''
if not acl_module_check(resource_type='credential', action='create'):
msg = "{} does not have access to create credentials".format(
authnz.get_logged_in_user())
error_msg = {'error': msg}
return jsonify(error_msg), 403
data = request.get_json()
if not data.get('documentation') and settings.get('ENFORCE_DOCUMENTATION'):
return jsonify({'error': 'documentation is a required field'}), 400
if not data.get('credential_pairs'):
return jsonify({'error': 'credential_pairs is a required field'}), 400
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
for cred in Credential.data_type_date_index.query('credential',
name__eq=data['name']):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
# Generate an initial stable ID to allow name changes
id = str(uuid.uuid4()).replace('-', '')
# Try to save to the archive
revision = 1
credential_pairs = json.dumps(credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(credential_pairs)
last_rotation_date = misc.utcnow()
cred = Credential(
id='{0}-{1}'.format(id, revision),
data_type='archive-credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation'),
tags=data.get('tags', []),
last_rotation_date=last_rotation_date,
).save(id__null=True)
# Make this the current revision
cred = Credential(
id=id,
data_type='credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation'),
tags=data.get('tags', []),
last_rotation_date=last_rotation_date,
)
cred.save()
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def update_credential(id):
if not acl_module_check(
resource_type='credential', action='update', resource_id=id):
msg = "{} does not have access to update credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
_cred = Credential.get(id)
except DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if _cred.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
update = {}
revision = credentialmanager.get_latest_credential_revision(
id, _cred.revision)
update['name'] = data.get('name', _cred.name)
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
else:
update['enabled'] = _cred.enabled
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
services = servicemanager.get_services_for_credential(id)
if 'credential_pairs' in data:
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = servicemanager.pair_key_conflicts_for_services(
id, list(credential_pairs.keys()), services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
update['credential_pairs'] = json.dumps(credential_pairs)
else:
update['credential_pairs'] = _cred.decrypted_credential_pairs
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(update['credential_pairs'])
update['metadata'] = data.get('metadata', _cred.metadata)
update['documentation'] = data.get('documentation', _cred.documentation)
# Enforce documentation, EXCEPT if we are restoring an old revision
if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION')
and not data.get('revision')):
return jsonify({'error': 'documentation is a required field'}), 400
# Try to save to the archive
try:
Credential(id='{0}-{1}'.format(id, revision),
name=update['name'],
data_type='archive-credential',
credential_pairs=credential_pairs,
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation']).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(id=id,
name=update['name'],
data_type='credential',
credential_pairs=credential_pairs,
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation'])
cred.save()
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('credential_update', service_names, [cred.id])
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def create_credential():
if not acl_module_check(resource_type='credential', action='create'):
msg = "{} does not have access to create credentials".format(
authnz.get_logged_in_user())
error_msg = {'error': msg}
return jsonify(error_msg), 403
data = request.get_json()
if not data.get('documentation') and settings.get('ENFORCE_DOCUMENTATION'):
return jsonify({'error': 'documentation is a required field'}), 400
if not data.get('credential_pairs'):
return jsonify({'error': 'credential_pairs is a required field'}), 400
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
for cred in Credential.data_type_date_index.query('credential',
name__eq=data['name']):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
# Generate an initial stable ID to allow name changes
id = str(uuid.uuid4()).replace('-', '')
# Try to save to the archive
revision = 1
credential_pairs = json.dumps(credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(credential_pairs)
cred = Credential(
id='{0}-{1}'.format(id, revision),
data_type='archive-credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation')).save(id__null=True)
# Make this the current revision
cred = Credential(id=id,
data_type='credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation'))
cred.save()
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)