def ensure_grants(id):
try:
_service = Service.get(id)
if _service.data_type != 'service':
msg = 'id provided is not a service.'
return jsonify({'error': msg}), 400
except DoesNotExist:
msg = 'id provided does not exist.'
return jsonify({'error': msg}), 400
try:
keymanager.ensure_grants(id)
except keymanager.ServiceCreateGrantError:
msg = 'Failed to add grants for service.'
logging.error(msg)
return jsonify({'error': msg}), 400
try:
grants = keymanager.grants_exist(id)
except keymanager.ServiceGetGrantError:
msg = 'Failed to get grants.'
return jsonify({'error': msg}), 500
return jsonify({'id': id, 'grants': grants})
def ensure_grants(id):
try:
_service = Service.get(id)
if _service.data_type != 'service':
msg = 'id provided is not a service.'
return jsonify({'error': msg}), 400
except Service.DoesNotExist:
msg = 'id provided does not exist.'
return jsonify({'error': msg}), 400
try:
keymanager.ensure_grants(id)
except keymanager.ServiceCreateGrantError:
msg = 'Failed to add grants for service.'
logging.error(msg)
return jsonify({'error': msg}), 400
try:
grants = keymanager.grants_exist(id)
except keymanager.ServiceGetGrantError:
msg = 'Failed to get grants.'
return jsonify({'error': msg}), 500
return jsonify({
'id': id,
'grants': grants
})
def map_service_credentials(id):
data = request.get_json()
try:
_service = Service.get(id)
if _service.data_type != 'service':
msg = 'id provided is not a service.'
return jsonify({'error': msg}), 400
revision = _service.revision + 1
_service_credential_ids = _service.credentials
except Service.DoesNotExist:
revision = 1
_service_credential_ids = []
if data.get('credentials'):
conflicts = _pair_key_conflicts_for_credentials(
copy.deepcopy(data['credentials'])
)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# If this is the first revision, we should attempt to create a grant for
# this service.
if revision == 1:
try:
keymanager.ensure_grants(id)
except keymanager.ServiceCreateGrantError:
msg = 'Failed to add grants for {0}.'.format(id)
logging.error(msg)
# Try to save to the archive
try:
Service(
id='{0}-{1}'.format(id, revision),
data_type='archive-service',
credentials=data.get('credentials'),
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user_email()
).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to add service to archive.'}), 500
try:
service = Service(
id=id,
data_type='service',
credentials=data['credentials'],
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user_email()
)
service.save()
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to update active service.'}), 500
added = list(set(service.credentials) - set(_service_credential_ids))
removed = list(set(_service_credential_ids) - set(service.credentials))
msg = 'Added credentials: {0}; Removed credentials {1}; Revision {2}'
msg = msg.format(added, removed, service.revision)
graphite.send_event([id], msg)
try:
credentials = _get_credentials(service.credentials)
except KeyError:
return jsonify({'error': 'Decryption error.'}), 500
return jsonify({
'id': service.id,
'credentials': credentials,
'revision': service.revision,
'enabled': service.enabled,
'modified_date': service.modified_date,
'modified_by': service.modified_by
})
def map_service_credentials(id):
data = request.get_json()
try:
_service = Service.get(id)
if _service.data_type != 'service':
msg = 'id provided is not a service.'
return jsonify({'error': msg}), 400
revision = _service.revision + 1
_service_credential_ids = _service.credentials
except DoesNotExist:
revision = 1
_service_credential_ids = []
if data.get('credentials') or data.get('blind_credentials'):
conflicts = _pair_key_conflicts_for_credentials(
data.get('credentials', []),
data.get('blind_credentials', []),
)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
accounts = list(app.config['SCOPED_AUTH_KEYS'].values())
if data.get('account') and data['account'] not in accounts:
ret = {'error': '{0} is not a valid account.'}
return jsonify(ret), 400
# If this is the first revision, we should attempt to create a grant for
# this service.
if revision == 1:
try:
keymanager.ensure_grants(id)
except keymanager.ServiceCreateGrantError:
msg = 'Failed to add grants for {0}.'.format(id)
logging.error(msg)
# Try to save to the archive
try:
Service(id='{0}-{1}'.format(id, revision),
data_type='archive-service',
credentials=data.get('credentials'),
blind_credentials=data.get('blind_credentials'),
account=data.get('account'),
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user()).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to add service to archive.'}), 500
try:
service = Service(id=id,
data_type='service',
credentials=data.get('credentials'),
blind_credentials=data.get('blind_credentials'),
account=data.get('account'),
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user())
service.save()
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to update active service.'}), 500
added = list(set(service.credentials) - set(_service_credential_ids))
removed = list(set(_service_credential_ids) - set(service.credentials))
msg = 'Added credentials: {0}; Removed credentials {1}; Revision {2}'
msg = msg.format(added, removed, service.revision)
graphite.send_event([id], msg)
webhook.send_event('service_update', [service.id], service.credentials)
try:
credentials = _get_credentials(service.credentials)
except KeyError:
return jsonify({'error': 'Decryption error.'}), 500
blind_credentials = _get_blind_credentials(service.blind_credentials)
return jsonify({
'id': service.id,
'account': service.account,
'credentials': credentials,
'blind_credentials': blind_credentials,
'revision': service.revision,
'enabled': service.enabled,
'modified_date': service.modified_date,
'modified_by': service.modified_by
})
