def from_config(cls, reactor, logger, queue, config_path):
with open(config_path) as f:
config = yaml.safe_load(f)
# TODO: bump this once alchimia properly handles pinning
thread_pool = ThreadPool(minthreads=1, maxthreads=1)
thread_pool.start()
reactor.addSystemEventTrigger('during', 'shutdown', thread_pool.stop)
return cls(
logger,
DownloadDatabase(reactor, thread_pool, config["db"]["uri"]),
FilePath(config["storage"]["filesystem"]),
fernet.MultiFernet(
[fernet.Fernet(key) for key in config["encryption_keys"]]),
VBMSClient(
reactor,
connect_vbms_path=config["connect_vbms"]["path"],
bundle_path=config["connect_vbms"]["bundle_path"],
endpoint_url=config["vbms"]["endpoint_url"],
keyfile=config["vbms"]["keyfile"],
samlfile=config["vbms"]["samlfile"],
key=config["vbms"].get("key"),
keypass=config["vbms"]["keypass"],
ca_cert=config["vbms"].get("ca_cert"),
client_cert=config["vbms"].get("client_cert"),
),
queue,
config["env"],
)
def configure_fernet():
keys = list(getattr(settings, 'ENCRYPTED_COOKIE_KEYS', None) or [])
if not len(keys):
raise ImproperlyConfigured(
'The ENCRYPTED_COOKIE_KEYS settings cannot be empty.')
return fernet.MultiFernet([fernet.Fernet(k) for k in keys])
def unpack_token(fernet_token, fernet_keys):
"""Attempt to unpack a token using the supplied Fernet keys.
:param fernet_token: token to unpack
:type fernet_token: string
:param fernet_token: a list consisting of keys in the repository
:type fernet_token: string
:returns: the token payload
:raises: Exception in the event the token can't be unpacked
"""
# create a list of fernet instances
fernet_instances = [fernet.Fernet(key) for key in fernet_keys]
# create a encryption/decryption object from the fernet keys
crypt = fernet.MultiFernet(fernet_instances)
# attempt to decode the token
token = _restore_padding(six.binary_type(fernet_token))
serialized_payload = crypt.decrypt(token)
payload = msgpack.unpackb(serialized_payload)
translated_payload = []
for item in payload:
if isinstance(item, list):
translated_item = []
for i in item:
translated_item.append(i)
translated_payload.append(translated_item)
else:
translated_payload.append(item)
# present token values
return translated_payload
def crypto():
"""
Return a cryptography instance.
"""
keys = load_keys()
fernet_instances = [fernet.Fernet(key) for key in keys]
return fernet.MultiFernet(fernet_instances)
def _crypto(self):
keys = load_keys(self.key_repository, self.max_active_keys)
if not keys:
raise exceptions.FernetKeysNotFound()
fernet_instances = [fernet.Fernet(key) for key in keys]
return fernet.MultiFernet(fernet_instances)
def get_multi_fernet_keys():
key_utils = fernet_utils.FernetUtils(CONF.credential.key_repository,
MAX_ACTIVE_KEYS)
keys = key_utils.load_keys()
fernet_keys = [fernet.Fernet(key) for key in keys]
crypto = fernet.MultiFernet(fernet_keys)
return crypto, keys
def get_multi_fernet_keys():
key_utils = token_utils.TokenUtils(CONF.credential.key_repository,
MAX_ACTIVE_KEYS, 'credential')
keys = key_utils.load_keys(use_null_key=True)
fernet_keys = [fernet.Fernet(key) for key in keys]
crypto = fernet.MultiFernet(fernet_keys)
return crypto, keys
def crypto(self):
"""Return a cryptography instance.
You can extend this class with a custom crypto @property to provide
your own token encoding / decoding. For example, using a different
cryptography library (e.g. ``python-keyczar``) or to meet arbitrary
security requirements.
This @property just needs to return an object that implements
``encrypt(plaintext)`` and ``decrypt(ciphertext)``.
"""
return fernet.MultiFernet([fernet.Fernet(key) for key in self.keys])
def crypto(self):
"""Return a cryptography instance.
You can extend this class with a custom crypto @property to provide
your own token encoding / decoding. For example, using a different
cryptography library (e.g. ``python-keyczar``) or to meet arbitrary
security requirements.
This @property just needs to return an object that implements
``encrypt(plaintext)`` and ``decrypt(ciphertext)``.
"""
keys = utils.load_keys()
if not keys:
raise exception.KeysNotFound()
fernet_instances = [fernet.Fernet(key) for key in keys]
return fernet.MultiFernet(fernet_instances)
def decrypt(self, credential):
"""Attempt to decrypt a credential.
:param credential: an encrypted credential string
:returns: a decrypted credential
"""
key_utils = fernet_utils.FernetUtils(CONF.credential.key_repository,
MAX_ACTIVE_KEYS)
keys = key_utils.load_keys(use_null_key=True)
fernet_keys = [fernet.Fernet(key) for key in keys]
crypto = fernet.MultiFernet(fernet_keys)
try:
if isinstance(credential, six.text_type):
credential = credential.encode('utf-8')
return crypto.decrypt(credential).decode('utf-8')
except (fernet.InvalidToken, TypeError, ValueError):
msg = _('Credential could not be decrypted. Please contact the'
' administrator')
LOG.error(msg)
raise exception.CredentialEncryptionError(msg)
def crypto(self):
keys = [fernet.Fernet(key) for key in self._get_encryption_keys()]
return fernet.MultiFernet(keys)
def setUp(self):
# some key values to use for testing
self.fernet_keys = [fernet.Fernet.generate_key()]
# build a Fernet crypto object to test with
fernet_instances = [fernet.Fernet(key) for key in self.fernet_keys]
self.crypto = fernet.MultiFernet(fernet_instances)
