Example #1
0
    def encrypt(self, unencrypted, secret, tenant):
        """Delegates encryption to active plugins."""
        if secret.mime_type == 'text/plain':
            unencrypted = unencrypted.encode('utf-8')

        for ext in self.extensions:
            if ext.obj.supports(secret.mime_type):
                datum = EncryptedDatum(secret)
                datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
                    unencrypted, tenant)
                return datum
        else:
            raise CryptoMimeTypeNotSupportedException(secret.mime_type)
Example #2
0
    def encrypt(self, unencrypted, secret, tenant):
        """Delegates encryption to active plugins."""
        if secret.mime_type == 'text/plain':
            unencrypted = unencrypted.encode('utf-8')

        for ext in self.extensions:
            if ext.obj.supports(secret.mime_type):
                datum = EncryptedDatum(secret)
                datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
                    unencrypted, tenant
                )
                return datum
        else:
            raise CryptoMimeTypeNotSupportedException(secret.mime_type)
Example #3
0
def create_secret(data, tenant_id, tenant_repo,
                  secret_repo, tenant_secret_repo,
                  datum_repo, ok_to_generate=False):
    # Create a Secret and a single EncryptedDatum for that Secret. Create
    #   a Tenant if one doesn't already exist.
    tenant = tenant_repo.get(tenant_id, suppress_exception=True)
    if not tenant:
        LOG.debug('Creating tenant for {0}'.format(tenant_id))
        tenant = Tenant()
        tenant.keystone_id = tenant_id
        tenant.status = States.ACTIVE
        tenant_repo.create_from(tenant)

    # TODO: What if any criteria to restrict new secrets vs existing ones?
    # Verify secret doesn't already exist.
    #
    #name = data['name']
    #LOG.debug('Secret name is {0}'.format(name))
    #secret = secret_repo.find_by_name(name=name,
    #                                       suppress_exception=True)
    #if secret:
    #    abort(falcon.HTTP_400, 'Secret with name {0} '
    #                           'already exists'.format(name))

    # Encrypt fields.
    encrypt(data, ok_to_generate)
    LOG.debug('Post-encrypted fields...{0}'.format(data))
    secret_value = data['cypher_text'] if 'cypher_text' in data else None
    LOG.debug('Encrypted secret is {0}'.format(secret_value))

    # Create Secret entity.
    new_secret = Secret()
    new_secret.name = data['name']
    new_secret.expiration = data.get('expiration', None)
    new_secret.algorithm = data.get('algorithm', None)
    new_secret.bit_length = data.get('bit_length', None)
    new_secret.cypher_type = data.get('cypher_type', None)
    new_secret.mime_type = data['mime_type']
    new_secret.status = States.ACTIVE
    secret_repo.create_from(new_secret)

    # Create Tenant/Secret entity.
    new_assoc = TenantSecret()
    new_assoc.tenant_id = tenant.id
    new_assoc.secret_id = new_secret.id
    new_assoc.role = "admin"
    new_assoc.status = States.ACTIVE
    tenant_secret_repo.create_from(new_assoc)

    # Create EncryptedDatum entity if plain-text provided with secret request.
    if secret_value:
        new_datum = EncryptedDatum()
        new_datum.secret_id = new_secret.id
        new_datum.mime_type = data['mime_type']
        new_datum.cypher_text = secret_value
        new_datum.kek_metadata = data['kek_metadata']
        new_datum.status = States.ACTIVE
        datum_repo.create_from(new_datum)

    return new_secret
Example #4
0
    def generate_data_encryption_key(self, secret, tenant):
        """
        Delegates generating a data-encryption key to active plugins.

        Note that this key can be used by clients for their encryption
        processes. This generated key is then be encrypted via
        the plug-in key encryption process, and that encrypted datum
        is then returned from this method.
        """
        for ext in self.extensions:
            if ext.obj.supports(secret.mime_type):
                # TODO: Call plugin's key generation processes.
                #   Note: It could be the *data* key to generate (for the
                #   secret algo type) uses a different plug in than that
                #   used to encrypted the key.
                data_key = ext.obj.create(secret.algorithm, secret.bit_length)
                datum = EncryptedDatum(secret)
                datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
                    data_key, tenant)
                return datum
        else:
            raise CryptoMimeTypeNotSupportedException(secret.mime_type)
Example #5
0
    def generate_data_encryption_key(self, secret, tenant):
        """
        Delegates generating a data-encryption key to active plugins.

        Note that this key can be used by clients for their encryption
        processes. This generated key is then be encrypted via
        the plug-in key encryption process, and that encrypted datum
        is then returned from this method.
        """
        for ext in self.extensions:
            if ext.obj.supports(secret.mime_type):
                # TODO: Call plugin's key generation processes.
                #   Note: It could be the *data* key to generate (for the
                #   secret algo type) uses a different plug in than that
                #   used to encrypted the key.
                data_key = ext.obj.create(secret.algorithm, secret.bit_length)
                datum = EncryptedDatum(secret)
                datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
                    data_key, tenant
                )
                return datum
        else:
            raise CryptoMimeTypeNotSupportedException(secret.mime_type)
Example #6
0
def create_encrypted_datum(secret, plain_text,
                           tenant_id, tenant_secret_repo, datum_repo):
    """
    Modifies the secret to add the plain_text secret information.

    :param secret: the secret entity to associate the secret data to
    :param plain_text: plain-text of the secret data to store
    :param tenant_id: the tenant's id
    :param tenant_secret_repo: the tenant/secret association repository
    :param datum_repo: the encrypted datum repository
    :retval The response body, None if N/A
    """
    if not plain_text:
        raise ValueError('Must provide plain-text to encrypt.')

    if secret.encrypted_data:
        raise ValueError('Secret already has encrypted data stored for it.')

    fields = secret.to_dict_fields()
    fields['plain_text'] = plain_text

    # Encrypt fields.
    encrypt(fields)
    LOG.debug('Post-encrypted fields...{0}'.format(fields))
    if 'cypher_text' not in fields:
        raise ValueError('Could not encrypt information '
                         'and store in Barbican')
    secret_value = fields['cypher_text']
    LOG.debug('Encrypted secret is {0}'.format(secret_value))

    # Create Tenant/Secret entity.
    new_assoc = TenantSecret()
    new_assoc.tenant_id = tenant_id
    new_assoc.secret_id = secret.id
    new_assoc.role = "admin"
    new_assoc.status = States.ACTIVE
    tenant_secret_repo.create_from(new_assoc)

    # Create EncryptedDatum entity.
    new_datum = EncryptedDatum()
    new_datum.secret_id = secret.id
    new_datum.mime_type = fields['mime_type']
    new_datum.cypher_text = secret_value
    new_datum.kek_metadata = fields['kek_metadata']
    new_datum.status = States.ACTIVE
    datum_repo.create_from(new_datum)

    return new_datum
Example #7
0
 def encrypt(self, unencrypted, secret, tenant):
     encrypted_datum = EncryptedDatum()
     encrypted_datum.cypher_text = 'encrypted-data'
     return encrypted_datum
Example #8
0
 def encrypt(self, unencrypted, secret, tenant):
     datum = EncryptedDatum()
     datum.cypher_text = 'cypher_text'
     datum.mime_type = 'text/plain'
     datum.kek_metadata = json.dumps({'plugin': 'TestCryptoPlugin'})
     return datum