Ejemplo n.º 1
0
Archivo: encrypt.py Proyecto: gilt/nova
    def __init__(self, stash_key, value, manager_provider, aws_profile=None, aws_region=None, aws_bucket=None, kms_key='alias/novastash'):
        check_latest_version()

        self._aws_manager = manager_provider.aws_manager(aws_profile, aws_region or 'us-east-1')

        if aws_bucket is None:
            deployment_bucket_name = 'novastash_%s' % self._aws_manager.account_alias
        else:
            deployment_bucket_name = aws_bucket

        if not self._aws_manager.kms_key_exists(kms_key):
            raise NovaError("Please setup the novastash KMS key.")

        self._aws_manager.create_bucket(deployment_bucket_name, "Creating novastash bucket '%s'" % deployment_bucket_name)

        # generate a a 64 byte key.
        # Half will be for data encryption, the other half for HMAC
        kms_response = self._aws_manager.kms_generate_data_key(kms_key, {})

        data_key = tobytes(kms_response['Plaintext'][:32])
        hmac_key = tobytes(kms_response['Plaintext'][32:])
        wrapped_key = tobytes(kms_response['CiphertextBlob'])

        enc_ctr = Counter.new(128)
        encryptor = AES.new(data_key, AES.MODE_CTR, counter=enc_ctr)

        c_text = encryptor.encrypt(tobytes(value))
        # compute an HMAC using the hmac key and the ciphertext
        hmac = HMAC(hmac_key, msg=c_text, digestmod=SHA256)
        b64hmac = hmac.hexdigest()

        key = "%s.txt.enc" % stash_key
        existing_stash = self._aws_manager.s3_head(deployment_bucket_name, key)

        if existing_stash is None:
            print(colored("Stashing '%s'" % stash_key))
            self._aws_manager.s3_put(
                deployment_bucket_name,
                b64encode(c_text).decode('utf-8'),
                key,
                {'encryption-key': b64encode(wrapped_key).decode('utf-8'), 'hmac': b64hmac}
            )
        else:
            perform_overwrite = query_yes_no("Stash '%s' already exists, want to overwrite?" % stash_key, default="no")
            if perform_overwrite:
                self._aws_manager.s3_put(
                    deployment_bucket_name,
                    b64encode(c_text).decode('utf-8'),
                    key,
                    {'encryption-key': b64encode(wrapped_key).decode('utf-8'), 'hmac': b64hmac}
                )
            else:
                print(colored("Not stashing anything for key '%s'" % stash_key))
Ejemplo n.º 2
0
    def update_stack(self, service_name, cloudformation_template, changeset_id,
                     cf_stack):
        try:
            cs_response = self.cloudformation_client.create_change_set(
                StackName=cf_stack.stack_name,
                TemplateBody=cloudformation_template,
                Capabilities=["CAPABILITY_IAM"],
                ChangeSetName=changeset_id)
            cs_id = cs_response['Id']
            changes = self.cloudformation_client.describe_change_set(
                StackName=cf_stack.stack_name, ChangeSetName=cs_id)

            # delay for 2 seconds while waiting for changeset to create
            time.sleep(2)

            print(
                colored("The following stack update changes to be applied:",
                        'cyan'))
            print(
                colored(
                    "================================================================================",
                    'cyan'))
            print(colored(changes, 'yellow'))
            print(
                colored(
                    "================================================================================",
                    'cyan'))
            perform_update = query_yes_no("Perform changes?")
            if perform_update:
                self.cloudformation_client.execute_change_set(
                    ChangeSetName=changeset_id, StackName=cf_stack.stack_name)

                waiter = CloudformationWaiter(self.cloudformation)
                print(
                    colored(
                        'Cloudformation stack update in progress. Please check the AWS console!',
                        color='green'))
                print(colored('Waiting on stack update...', color='magenta'))
                waiter.waiter.wait(StackName=service_name)
                print(colored('Stack update finished!', color='green'))
            else:
                self.cloudformation_client.delete_change_set(
                    StackName=cf_stack.stack_name, ChangeSetName=cs_id)
        except ClientError as e:
            raise NovaError(str(e))
        except WaiterError as e:
            raise NovaError(str(e))
Ejemplo n.º 3
0
    def update_stack(self, service_name, cloudformation_template, changeset_id, cf_stack):
        try:
            cs_response = self.cloudformation_client.create_change_set(
                StackName=cf_stack.stack_name,
                TemplateBody=cloudformation_template,
                Capabilities=["CAPABILITY_IAM"],
                ChangeSetName=changeset_id
            )
            cs_id = cs_response['Id']
            changes = self.cloudformation_client.describe_change_set(StackName=cf_stack.stack_name, ChangeSetName=cs_id)

            # delay for 2 seconds while waiting for changeset to create
            time.sleep(2)

            print(colored("The following stack update changes to be applied:", 'cyan'))
            print(colored("================================================================================", 'cyan'))
            print(colored(changes, 'yellow'))
            print(colored("================================================================================", 'cyan'))
            perform_update = query_yes_no("Perform changes?")
            if perform_update:
                self.cloudformation_client.execute_change_set(
                    ChangeSetName=changeset_id,
                    StackName=cf_stack.stack_name
                )

                waiter = CloudformationWaiter(self.cloudformation)
                print(colored('Cloudformation stack update in progress. Please check the AWS console!', color='green'))
                print(colored('Waiting on stack update...', color='magenta'))
                waiter.waiter.wait(StackName=service_name)
                print(colored('Stack update finished!', color='green'))
            else:
                self.cloudformation_client.delete_change_set(StackName=cf_stack.stack_name, ChangeSetName=cs_id)
        except ClientError as e:
            raise NovaError(str(e))
        except WaiterError as e:
            raise NovaError(str(e))
Ejemplo n.º 4
0
    def __init__(self,
                 stash_key,
                 value,
                 manager_provider,
                 aws_profile=None,
                 aws_region=None,
                 aws_bucket=None,
                 kms_key='alias/novastash'):
        check_latest_version()

        self._aws_manager = manager_provider.aws_manager(
            aws_profile, aws_region or 'us-east-1')

        if aws_bucket is None:
            deployment_bucket_name = 'novastash_%s' % self._aws_manager.account_alias
        else:
            deployment_bucket_name = aws_bucket

        if not self._aws_manager.kms_key_exists(kms_key):
            raise NovaError("Please setup the novastash KMS key.")

        self._aws_manager.create_bucket(
            deployment_bucket_name,
            "Creating novastash bucket '%s'" % deployment_bucket_name)

        # generate a a 64 byte key.
        # Half will be for data encryption, the other half for HMAC
        kms_response = self._aws_manager.kms_generate_data_key(kms_key, {})

        data_key = tobytes(kms_response['Plaintext'][:32])
        hmac_key = tobytes(kms_response['Plaintext'][32:])
        wrapped_key = tobytes(kms_response['CiphertextBlob'])

        enc_ctr = Counter.new(128)
        encryptor = AES.new(data_key, AES.MODE_CTR, counter=enc_ctr)

        c_text = encryptor.encrypt(tobytes(value))
        # compute an HMAC using the hmac key and the ciphertext
        hmac = HMAC(hmac_key, msg=c_text, digestmod=SHA256)
        b64hmac = hmac.hexdigest()

        key = "%s.txt.enc" % stash_key
        existing_stash = self._aws_manager.s3_head(deployment_bucket_name, key)

        if existing_stash is None:
            print(colored("Stashing '%s'" % stash_key))
            self._aws_manager.s3_put(
                deployment_bucket_name,
                b64encode(c_text).decode('utf-8'), key, {
                    'encryption-key': b64encode(wrapped_key).decode('utf-8'),
                    'hmac': b64hmac
                })
        else:
            perform_overwrite = query_yes_no(
                "Stash '%s' already exists, want to overwrite?" % stash_key,
                default="no")
            if perform_overwrite:
                self._aws_manager.s3_put(
                    deployment_bucket_name,
                    b64encode(c_text).decode('utf-8'), key, {
                        'encryption-key':
                        b64encode(wrapped_key).decode('utf-8'),
                        'hmac': b64hmac
                    })
            else:
                print(colored("Not stashing anything for key '%s'" %
                              stash_key))