def _get_latest_blind_credential_revision(id, revision):
i = revision + 1
while True:
_id = '{0}-{1}'.format(id, i)
try:
BlindCredential.get(_id)
except DoesNotExist:
return i
i = i + 1
def _get_latest_blind_credential_revision(id, revision):
i = revision + 1
while True:
_id = '{0}-{1}'.format(id, i)
try:
BlindCredential.get(_id)
except BlindCredential.DoesNotExist:
return i
i = i + 1
def get_archive_blind_credential_revisions(id):
try:
cred = BlindCredential.get(id)
except BlindCredential.DoesNotExist:
return jsonify({}), 404
if (cred.data_type != 'blind-credential' and
cred.data_type != 'archive-blind-credential'):
return jsonify({}), 404
revisions = []
_range = range(1, cred.revision + 1)
ids = []
for i in _range:
ids.append("{0}-{1}".format(id, i))
for revision in BlindCredential.batch_get(ids):
revisions.append({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by
})
return jsonify({
'revisions': sorted(
revisions,
key=lambda k: k['revision'],
reverse=True
)
})
def get_archive_blind_credential_revisions(id):
try:
cred = BlindCredential.get(id)
except DoesNotExist:
return jsonify({}), 404
if (cred.data_type != 'blind-credential'
and cred.data_type != 'archive-blind-credential'):
logging.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
revisions = []
_range = range(1, cred.revision + 1)
ids = []
for i in _range:
ids.append("{0}-{1}".format(id, i))
for revision in BlindCredential.batch_get(ids):
revisions.append({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by,
'documentation': cred.documentation
})
return jsonify({
'revisions':
sorted(revisions, key=lambda k: k['revision'], reverse=True)
})
def get_blind_credential(id):
try:
cred = BlindCredential.get(id)
except DoesNotExist:
logger.warning(
'Item with id {0} does not exist.'.format(id)
)
return jsonify({}), 404
if (cred.data_type != 'blind-credential' and
cred.data_type != 'archive-blind-credential'):
return jsonify({}), 404
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by,
'documentation': cred.documentation
})
def get_blind_credential(id):
try:
cred = BlindCredential.get(id)
except BlindCredential.DoesNotExist:
return jsonify({}), 404
if (cred.data_type != 'blind-credential' and
cred.data_type != 'archive-blind-credential'):
return jsonify({}), 404
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by
})
def get_blind_credential(id):
try:
cred = BlindCredential.get(id)
except BlindCredential.DoesNotExist:
return jsonify({}), 404
if (cred.data_type != 'blind-credential'
and cred.data_type != 'archive-blind-credential'):
return jsonify({}), 404
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by
})
def update_blind_credential(id):
try:
_cred = BlindCredential.get(id)
except Credential.DoesNotExist:
return jsonify({'error': 'Blind credential not found.'}), 404
if _cred.data_type != 'blind-credential':
msg = 'id provided is not a blind-credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
update = {}
revision = _get_latest_blind_credential_revision(id, _cred.revision)
update['name'] = data.get('name', _cred.name)
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
else:
update['enabled'] = _cred.enabled
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
services = _get_services_for_blind_credential(id)
if 'credential_pairs' in data:
for key in ['data_key', 'cipher_type', 'cipher_version']:
if key not in data:
msg = '{0} required when updating credential_pairs.'
msg = msg.format(key)
return jsonify({'error': msg}), 400
update['credential_pairs'] = data['credential_pairs']
update['credential_keys'] = data.get('credential_keys', [])
if not isinstance(update['credential_keys'], list):
return jsonify({
'error': 'credential_keys must be a list.'
}), 400
# Ensure credential keys don't conflicts with pairs from other
# services
conflicts = _pair_key_conflicts_for_services(
id,
data['credential_keys'],
services
)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
if not isinstance(data['data_key'], dict):
return jsonify({
'error': 'data_key must be a dict with a region/key mapping.'
}), 400
update['data_key'] = data['data_key']
update['cipher_type'] = data['cipher_type']
update['cipher_version'] = data['cipher_version']
else:
update['credential_pairs'] = _cred.credential_pairs
update['credential_keys'] = _cred.credential_keys
update['data_key'] = _cred.data_key
update['cipher_type'] = _cred.cipher_type
update['cipher_version'] = _cred.cipher_version
update['metadata'] = data.get('metadata', _cred.metadata)
# Try to save to the archive
try:
BlindCredential(
id='{0}-{1}'.format(id, revision),
data_type='archive-blind-credential',
name=update['name'],
credential_pairs=update['credential_pairs'],
credential_keys=update['credential_keys'],
metadata=update['metadata'],
revision=revision,
enabled=update['enabled'],
data_key=update['data_key'],
cipher_type=update['cipher_type'],
cipher_version=update['cipher_version'],
modified_by=authnz.get_logged_in_user()
).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify(
{'error': 'Failed to add blind-credential to archive.'}
), 500
try:
cred = BlindCredential(
id=id,
data_type='blind-credential',
name=update['name'],
credential_pairs=update['credential_pairs'],
credential_keys=update['credential_keys'],
metadata=update['metadata'],
revision=revision,
enabled=update['enabled'],
data_key=update['data_key'],
cipher_type=update['cipher_type'],
cipher_version=update['cipher_version'],
modified_by=authnz.get_logged_in_user()
)
cred.save()
except PutError as e:
logging.error(e)
return jsonify(
{'error': 'Failed to update active blind-credential.'}
), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('blind_credential_update', service_names, [cred.id])
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by
})
def update_blind_credential(id):
try:
_cred = BlindCredential.get(id)
except DoesNotExist:
return jsonify({'error': 'Blind credential not found.'}), 404
if _cred.data_type != 'blind-credential':
msg = 'id provided is not a blind-credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
update = {}
revision = _get_latest_blind_credential_revision(id, _cred.revision)
update['name'] = data.get('name', _cred.name)
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
else:
update['enabled'] = _cred.enabled
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
services = _get_services_for_blind_credential(id)
if 'credential_pairs' in data:
for key in ['data_key', 'cipher_type', 'cipher_version']:
if key not in data:
msg = '{0} required when updating credential_pairs.'
msg = msg.format(key)
return jsonify({'error': msg}), 400
update['credential_pairs'] = data['credential_pairs']
update['credential_keys'] = data.get('credential_keys', [])
if not isinstance(update['credential_keys'], list):
return jsonify({'error': 'credential_keys must be a list.'}), 400
# Ensure credential keys don't conflicts with pairs from other
# services
conflicts = _pair_key_conflicts_for_services(id,
data['credential_keys'],
services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
if not isinstance(data['data_key'], dict):
return jsonify({
'error':
'data_key must be a dict with a region/key mapping.'
}), 400
update['data_key'] = data['data_key']
update['cipher_type'] = data['cipher_type']
update['cipher_version'] = data['cipher_version']
else:
update['credential_pairs'] = _cred.credential_pairs
update['credential_keys'] = _cred.credential_keys
update['data_key'] = _cred.data_key
update['cipher_type'] = _cred.cipher_type
update['cipher_version'] = _cred.cipher_version
update['metadata'] = data.get('metadata', _cred.metadata)
update['documentation'] = data.get('documentation', _cred.documentation)
# Enforce documentation, EXCEPT if we are restoring an old revision
if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION')
and not data.get('revision')):
return jsonify({'error': 'documentation is a required field'}), 400
# Try to save to the archive
try:
BlindCredential(
id='{0}-{1}'.format(id, revision),
data_type='archive-blind-credential',
name=update['name'],
credential_pairs=update['credential_pairs'],
credential_keys=update['credential_keys'],
metadata=update['metadata'],
revision=revision,
enabled=update['enabled'],
data_key=update['data_key'],
cipher_type=update['cipher_type'],
cipher_version=update['cipher_version'],
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation']).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error':
'Failed to add blind-credential to archive.'}), 500
try:
cred = BlindCredential(id=id,
data_type='blind-credential',
name=update['name'],
credential_pairs=update['credential_pairs'],
credential_keys=update['credential_keys'],
metadata=update['metadata'],
revision=revision,
enabled=update['enabled'],
data_key=update['data_key'],
cipher_type=update['cipher_type'],
cipher_version=update['cipher_version'],
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation'])
cred.save()
except PutError as e:
logging.error(e)
return jsonify({'error':
'Failed to update active blind-credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('blind_credential_update', service_names, [cred.id])
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by,
'documentation': cred.documentation
})
def revert_blind_credential_to_revision(id, to_revision):
try:
current_credential = BlindCredential.get(id)
except DoesNotExist:
return jsonify({'error': 'Blind credential not found.'}), 404
if current_credential.data_type != 'blind-credential':
msg = 'id provided is not a blind-credential.'
return jsonify({'error': msg}), 400
new_revision = credentialmanager.get_latest_blind_credential_revision(
id,
current_credential.revision
)
try:
revert_credential = BlindCredential.get('{}-{}'.format(id, to_revision))
except DoesNotExist:
return jsonify({'error': 'Blind credential not found.'}), 404
if revert_credential.data_type != 'archive-blind-credential':
msg = 'id provided is not an archive-blind-credential.'
return jsonify({'error': msg}), 400
if revert_credential.equals(current_credential):
ret = {
'error': 'No difference between old and new blind credential.'
}
return jsonify(ret), 400
services = servicemanager.get_services_for_blind_credential(id)
if revert_credential.credential_keys:
# Ensure credential keys don't conflicts with pairs from other
# services
conflicts = servicemanager.pair_key_conflicts_for_services(
id,
revert_credential.credential_keys,
services
)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# Try to save to the archive
try:
BlindCredential(
id='{}-{}'.format(id, new_revision),
data_type='archive-blind-credential',
name=revert_credential.name,
credential_pairs=revert_credential.credential_pairs,
credential_keys=revert_credential.credential_keys,
metadata=revert_credential.metadata,
revision=new_revision,
enabled=revert_credential.enabled,
data_key=revert_credential.data_key,
cipher_type=revert_credential.cipher_type,
cipher_version=revert_credential.cipher_version,
modified_by=authnz.get_logged_in_user(),
documentation=revert_credential.documentation
).save(id__null=True)
except PutError as e:
logger.error(e)
return jsonify(
{'error': 'Failed to add blind-credential to archive.'}
), 500
try:
cred = BlindCredential(
id=id,
data_type='blind-credential',
name=revert_credential.name,
credential_pairs=revert_credential.credential_pairs,
credential_keys=revert_credential.credential_keys,
metadata=revert_credential.metadata,
revision=new_revision,
enabled=revert_credential.enabled,
data_key=revert_credential.data_key,
cipher_type=revert_credential.cipher_type,
cipher_version=revert_credential.cipher_version,
modified_by=authnz.get_logged_in_user(),
documentation=revert_credential.documentation
)
cred.save()
except PutError as e:
logger.error(e)
return jsonify(
{'error': 'Failed to update active blind-credential.'}
), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('blind_credential_update', service_names, [cred.id])
return jsonify({
'id': cred.id,
'name': cred.name,
'credential_pairs': cred.credential_pairs,
'credential_keys': list(cred.credential_keys),
'cipher_type': cred.cipher_type,
'cipher_version': cred.cipher_version,
'metadata': cred.metadata,
'revision': cred.revision,
'enabled': cred.enabled,
'data_key': cred.data_key,
'modified_date': cred.modified_date,
'modified_by': cred.modified_by,
'documentation': cred.documentation
})
