def create_credential():
data = request.get_json()
if not data.get('credential_pairs'):
return jsonify({'error': 'credential_pairs is a required field'}), 400
# Ensure credential pair keys are lowercase
credential_pairs = _lowercase_credential_pairs(data['credential_pairs'])
if not _check_credential_pair_uniqueness(credential_pairs):
ret = {'error': 'credential pairs must be key: value'}
return jsonify(ret), 400
for cred in Credential.data_type_date_index.query('credential',
name__eq=data['name']):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
# Generate an initial stable ID to allow name changes
id = str(uuid.uuid4()).replace('-', '')
# Try to save to the archive
revision = 1
credential_pairs = json.dumps(credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(credential_pairs)
cred = Credential(
id='{0}-{1}'.format(id, revision),
data_type='archive-credential',
name=data['name'],
credential_pairs=credential_pairs,
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email()).save(id__null=True)
# Make this the current revision
cred = Credential(id=id,
data_type='credential',
name=data['name'],
credential_pairs=credential_pairs,
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email())
cred.save()
return jsonify({
'id':
cred.id,
'name':
cred.name,
'credential_pairs':
json.loads(cipher.decrypt(cred.credential_pairs)),
'revision':
cred.revision,
'enabled':
cred.enabled,
'modified_date':
cred.modified_date,
'modified_by':
cred.modified_by
})
def create_credential():
data = request.get_json()
if not data.get('credential_pairs'):
return jsonify({'error': 'credential_pairs is a required field'}), 400
# Ensure credential pair keys are lowercase
credential_pairs = _lowercase_credential_pairs(data['credential_pairs'])
if not _check_credential_pair_uniqueness(credential_pairs):
ret = {'error': 'credential pairs must be key: value'}
return jsonify(ret), 400
for cred in Credential.data_type_date_index.query(
'credential', name__eq=data['name']):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
# Generate an initial stable ID to allow name changes
id = str(uuid.uuid4()).replace('-', '')
# Try to save to the archive
revision = 1
credential_pairs = json.dumps(credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(credential_pairs)
cred = Credential(
id='{0}-{1}'.format(id, revision),
data_type='archive-credential',
name=data['name'],
credential_pairs=credential_pairs,
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email()
).save(id__null=True)
# Make this the current revision
cred = Credential(
id=id,
data_type='credential',
name=data['name'],
credential_pairs=credential_pairs,
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email()
)
cred.save()
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': json.loads(cipher.decrypt(cred.credential_pairs)),
'revision': cred.revision,
'enabled': cred.enabled,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by
})
def get_user_info():
'''
Get the email address of the currently logged-in user.
'''
response = jsonify({'email': authnz.get_logged_in_user_email()})
response.set_cookie('XSRF-TOKEN', authnz.get_csrf_token())
return response
def get_user_info():
'''
Get the email address of the currently logged-in user.
'''
response = jsonify({'email': authnz.get_logged_in_user_email()})
response.set_cookie('XSRF-TOKEN', authnz.get_csrf_token())
return response
def update_credential(id):
try:
_cred = Credential.get(id)
except Credential.DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if _cred.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
update = {}
revision = _cred.revision + 1
update['name'] = data.get('name', _cred.name)
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
else:
update['enabled'] = _cred.enabled
services = _get_services_for_credential(id)
if 'credential_pairs' in data:
# Ensure credential pair keys are lowercase
credential_pairs = _lowercase_credential_pairs(
data['credential_pairs']
)
if not _check_credential_pair_uniqueness(credential_pairs):
ret = {'error': 'credential pairs must be key: value'}
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = _pair_key_conflicts_for_services(
id,
credential_pairs,
services
)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
update['credential_pairs'] = json.dumps(credential_pairs)
else:
data_key = keymanager.decrypt_key(
_cred.data_key,
encryption_context={'id': id}
)
cipher_version = _cred.cipher_version
cipher = CipherManager(data_key, cipher_version)
update['credential_pairs'] = cipher.decrypt(_cred.credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(update['credential_pairs'])
# Try to save to the archive
try:
Credential(
id='{0}-{1}'.format(id, revision),
name=update['name'],
data_type='archive-credential',
credential_pairs=credential_pairs,
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email()
).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(
id=id,
name=update['name'],
data_type='credential',
credential_pairs=credential_pairs,
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email()
)
cred.save()
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': json.loads(cipher.decrypt(cred.credential_pairs)),
'revision': cred.revision,
'enabled': cred.enabled,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by
})
def map_service_credentials(id):
data = request.get_json()
try:
_service = Service.get(id)
if _service.data_type != 'service':
msg = 'id provided is not a service.'
return jsonify({'error': msg}), 400
revision = _service.revision + 1
_service_credential_ids = _service.credentials
except Service.DoesNotExist:
revision = 1
_service_credential_ids = []
if data.get('credentials'):
conflicts = _pair_key_conflicts_for_credentials(
copy.deepcopy(data['credentials'])
)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# If this is the first revision, we should attempt to create a grant for
# this service.
if revision == 1:
try:
keymanager.ensure_grants(id)
except keymanager.ServiceCreateGrantError:
msg = 'Failed to add grants for {0}.'.format(id)
logging.error(msg)
# Try to save to the archive
try:
Service(
id='{0}-{1}'.format(id, revision),
data_type='archive-service',
credentials=data.get('credentials'),
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user_email()
).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to add service to archive.'}), 500
try:
service = Service(
id=id,
data_type='service',
credentials=data['credentials'],
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user_email()
)
service.save()
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to update active service.'}), 500
added = list(set(service.credentials) - set(_service_credential_ids))
removed = list(set(_service_credential_ids) - set(service.credentials))
msg = 'Added credentials: {0}; Removed credentials {1}; Revision {2}'
msg = msg.format(added, removed, service.revision)
graphite.send_event([id], msg)
try:
credentials = _get_credentials(service.credentials)
except KeyError:
return jsonify({'error': 'Decryption error.'}), 500
return jsonify({
'id': service.id,
'credentials': credentials,
'revision': service.revision,
'enabled': service.enabled,
'modified_date': service.modified_date,
'modified_by': service.modified_by
})
def update_credential(id):
try:
_cred = Credential.get(id)
except Credential.DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if _cred.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
update = {}
revision = _cred.revision + 1
update['name'] = data.get('name', _cred.name)
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
else:
update['enabled'] = _cred.enabled
services = _get_services_for_credential(id)
if 'credential_pairs' in data:
# Ensure credential pair keys are lowercase
credential_pairs = _lowercase_credential_pairs(
data['credential_pairs'])
if not _check_credential_pair_uniqueness(credential_pairs):
ret = {'error': 'credential pairs must be key: value'}
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = _pair_key_conflicts_for_services(id, credential_pairs,
services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
update['credential_pairs'] = json.dumps(credential_pairs)
else:
data_key = keymanager.decrypt_key(_cred.data_key,
encryption_context={'id': id})
cipher_version = _cred.cipher_version
cipher = CipherManager(data_key, cipher_version)
update['credential_pairs'] = cipher.decrypt(_cred.credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(update['credential_pairs'])
# Try to save to the archive
try:
Credential(
id='{0}-{1}'.format(id, revision),
name=update['name'],
data_type='archive-credential',
credential_pairs=credential_pairs,
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email()).save(id__null=True)
except PutError as e:
log.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(id=id,
name=update['name'],
data_type='credential',
credential_pairs=credential_pairs,
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user_email())
cred.save()
except PutError as e:
log.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
return jsonify({
'id':
cred.id,
'name':
cred.name,
'credential_pairs':
json.loads(cipher.decrypt(cred.credential_pairs)),
'revision':
cred.revision,
'enabled':
cred.enabled,
'modified_date':
cred.modified_date,
'modified_by':
cred.modified_by
})
def map_service_credentials(id):
data = request.get_json()
try:
_service = Service.get(id)
if _service.data_type != 'service':
msg = 'id provided is not a service.'
return jsonify({'error': msg}), 400
revision = _service.revision + 1
_service_credential_ids = _service.credentials
except Service.DoesNotExist:
revision = 1
_service_credential_ids = []
if data.get('credentials'):
conflicts = _pair_key_conflicts_for_credentials(
copy.deepcopy(data['credentials']))
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# If this is the first revision, we should attempt to create a grant for
# this service.
if revision == 1:
try:
keymanager.ensure_grants(id)
except keymanager.ServiceCreateGrantError:
msg = 'Failed to add grants for {0}.'.format(id)
log.error(msg)
# Try to save to the archive
try:
Service(
id='{0}-{1}'.format(id, revision),
data_type='archive-service',
credentials=data.get('credentials'),
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user_email()).save(id__null=True)
except PutError as e:
log.error(e)
return jsonify({'error': 'Failed to add service to archive.'}), 500
try:
service = Service(id=id,
data_type='service',
credentials=data['credentials'],
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user_email())
service.save()
except PutError as e:
log.error(e)
return jsonify({'error': 'Failed to update active service.'}), 500
added = list(set(service.credentials) - set(_service_credential_ids))
removed = list(set(_service_credential_ids) - set(service.credentials))
msg = 'Added credentials: {0}; Removed credentials {1}; Revision {2}'
msg = msg.format(added, removed, service.revision)
graphite.send_event([id], msg)
try:
credentials = _get_credentials(service.credentials)
except KeyError:
return jsonify({'error': 'Decryption error.'}), 500
return jsonify({
'id': service.id,
'credentials': credentials,
'revision': service.revision,
'enabled': service.enabled,
'modified_date': service.modified_date,
'modified_by': service.modified_by
})
