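    def migrate_credentials(self):
        """Re-encrypt every credential that is not encrypted with the primary key.

        Loads the configured fernet key set, computes the hash of the primary
        key, and pushes each credential whose stored ``key_hash`` differs from
        it — a secondary key's hash, or ``None`` for a credential that has
        never been migrated — through ``update_credential`` so the update path
        re-encrypts it with the current primary key. Decryption is delegated
        to the credential provider API; presumably it holds the secondary keys
        as well — confirm against the provider.
        """
        # Only the key hashes are needed here: decryption goes through the
        # provider API and re-encryption happens inside update_credential.
        _crypto, keys = credential_fernet.get_multi_fernet_keys()
        primary_key_hash = credential_fernet.primary_key_hash(keys)

        # FIXME(lbragstad): We *should* be able to use Hints() to ask only for
        # credentials that have a key_hash equal to a secondary key hash or
        # None, but Hints() doesn't seem to honor None values. See
        # https://bugs.launchpad.net/keystone/+bug/1614154.  As a workaround -
        # we have to ask for *all* credentials and filter them ourselves.
        credentials = self.credential_api.driver.list_credentials(
            driver_hints.Hints()
        )
        for credential in credentials:
            # Already on the primary key: nothing to do.
            if credential['key_hash'] == primary_key_hash:
                continue
            # key_hash is either None (never migrated) or belongs to a
            # secondary key; decrypt and send it through the update path so
            # it is re-encrypted with the primary key.
            decrypted_blob = self.credential_provider_api.decrypt(
                credential['encrypted_blob']
            )
            self.credential_api.update_credential(
                credential['id'],
                {'blob': decrypted_blob},
            )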
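    def migrate_credentials(self):
        """Re-encrypt every credential that is not encrypted with the primary key.

        Loads the configured fernet key set, computes the hash of the primary
        key, and pushes each credential whose stored ``key_hash`` differs from
        it — a secondary key's hash, or ``None`` for a credential that has
        never been migrated — through ``update_credential`` so the update path
        re-encrypts it with the current primary key. Decryption is delegated
        to the credential provider API; presumably it holds the secondary keys
        as well — confirm against the provider.
        """
        # Only the key hashes are needed here: decryption goes through the
        # provider API and re-encryption happens inside update_credential.
        _crypto, keys = credential_fernet.get_multi_fernet_keys()
        primary_key_hash = credential_fernet.primary_key_hash(keys)

        # FIXME(lbragstad): We *should* be able to use Hints() to ask only for
        # credentials that have a key_hash equal to a secondary key hash or
        # None, but Hints() doesn't seem to honor None values. See
        # https://bugs.launchpad.net/keystone/+bug/1614154.  As a workaround -
        # we have to ask for *all* credentials and filter them ourselves.
        credentials = self.credential_api.driver.list_credentials(
            driver_hints.Hints()
        )
        for credential in credentials:
            # Already on the primary key: nothing to do.
            if credential['key_hash'] == primary_key_hash:
                continue
            # key_hash is either None (never migrated) or belongs to a
            # secondary key; decrypt and send it through the update path so
            # it is re-encrypted with the primary key.
            decrypted_blob = self.credential_provider_api.decrypt(
                credential['encrypted_blob']
            )
            self.credential_api.update_credential(
                credential['id'],
                {'blob': decrypted_blob},
            )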
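    def validate_primary_key(self):
        """Abort unless every stored credential is encrypted with the primary key.

        Compares each credential's ``key_hash`` with the hash of the current
        primary fernet key and raises ``SystemExit`` with a translated
        message on the first mismatch, pointing the operator at
        ``keystone-manage credential_migrate``. Key rotation must not proceed
        while a credential still depends on a secondary key.

        Raises:
            SystemExit: if any credential's ``key_hash`` differs from the
                primary key's hash (a ``None`` key_hash counts as a mismatch).
        """
        # Not ``_``: that name is the translation function used for the
        # message below. The crypto object itself is not needed here.
        _crypto, keys = credential_fernet.get_multi_fernet_keys()
        primary_key_hash = credential_fernet.primary_key_hash(keys)

        credentials = self.credential_api.driver.list_credentials(
            driver_hints.Hints()
        )
        # any() stops at the first mismatch, exactly like the original loop.
        not_on_primary = any(
            credential['key_hash'] != primary_key_hash
            for credential in credentials
        )
        if not_on_primary:
            msg = _('Unable to rotate credential keys because not all '
                    'credentials are encrypted with the primary key. '
                    'Please make sure all credentials have been encrypted '
                    'with the primary key using `keystone-manage '
                    'credential_migrate`.')
            raise SystemExit(msg)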
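    def validate_primary_key(self):
        """Abort unless every stored credential is encrypted with the primary key.

        Compares each credential's ``key_hash`` with the hash of the current
        primary fernet key and raises ``SystemExit`` with a translated
        message on the first mismatch, pointing the operator at
        ``keystone-manage credential_migrate``. Key rotation must not proceed
        while a credential still depends on a secondary key.

        Raises:
            SystemExit: if any credential's ``key_hash`` differs from the
                primary key's hash (a ``None`` key_hash counts as a mismatch).
        """
        # Not ``_``: that name is the translation function used for the
        # message below. The crypto object itself is not needed here.
        _crypto, keys = credential_fernet.get_multi_fernet_keys()
        primary_key_hash = credential_fernet.primary_key_hash(keys)

        credentials = self.credential_api.driver.list_credentials(
            driver_hints.Hints()
        )
        # any() stops at the first mismatch, exactly like the original loop.
        not_on_primary = any(
            credential['key_hash'] != primary_key_hash
            for credential in credentials
        )
        if not_on_primary:
            msg = _('Unable to rotate credential keys because not all '
                    'credentials are encrypted with the primary key. '
                    'Please make sure all credentials have been encrypted '
                    'with the primary key using `keystone-manage '
                    'credential_migrate`.')
            raise SystemExit(msg)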
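def upgrade(migrate_engine):
    """Encrypt every existing credential ``blob`` with the primary fernet key.

    For each row of the ``credential`` table the plaintext ``blob`` is
    fernet-encrypted and written to ``encrypted_blob`` together with the
    hash of the primary key in ``key_hash``, committing after every row.

    Args:
        migrate_engine: SQLAlchemy engine the migration runs against.
    """
    meta = sql.MetaData()
    meta.bind = migrate_engine
    session = sql.orm.sessionmaker(bind=migrate_engine)()

    try:
        credential_table = sql.Table('credential', meta, autoload=True)
        credentials = list(credential_table.select().execute())
        # Nothing to encrypt: do not touch the key repository at all, which
        # keeps the original behaviour for an empty table.
        if not credentials:
            return

        # The key set and primary key hash are invariant for the whole
        # migration, so load them once instead of re-reading them per row.
        crypto, keys = credential_fernet.get_multi_fernet_keys()
        primary_key_hash = credential_fernet.primary_key_hash(keys)

        for credential in credentials:
            encrypted_blob = crypto.encrypt(
                credential['blob'].encode('utf-8')
            )
            # NOTE(review): only encrypted_blob and key_hash are written; the
            # plaintext ``blob`` column is left as-is here — confirm that a
            # follow-up migration clears or drops it.
            values = {
                'encrypted_blob': encrypted_blob,
                'key_hash': primary_key_hash,
            }
            update = credential_table.update().where(
                credential_table.c.id == credential.id
            ).values(values)
            session.execute(update)
            session.commit()
    finally:
        # Release the session even if reflection, encryption or an UPDATE
        # fails part-way through.
        session.close()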
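def upgrade(migrate_engine):
    """Encrypt every existing credential ``blob`` with the primary fernet key.

    For each row of the ``credential`` table the plaintext ``blob`` is
    fernet-encrypted and written to ``encrypted_blob`` together with the
    hash of the primary key in ``key_hash``, committing after every row.

    Args:
        migrate_engine: SQLAlchemy engine the migration runs against.
    """
    meta = sql.MetaData()
    meta.bind = migrate_engine
    session = sql.orm.sessionmaker(bind=migrate_engine)()

    try:
        credential_table = sql.Table('credential', meta, autoload=True)
        credentials = list(credential_table.select().execute())
        # Nothing to encrypt: do not touch the key repository at all, which
        # keeps the original behaviour for an empty table.
        if not credentials:
            return

        # The key set and primary key hash are invariant for the whole
        # migration, so load them once instead of re-reading them per row.
        crypto, keys = credential_fernet.get_multi_fernet_keys()
        primary_key_hash = credential_fernet.primary_key_hash(keys)

        for credential in credentials:
            encrypted_blob = crypto.encrypt(
                credential['blob'].encode('utf-8')
            )
            # NOTE(review): only encrypted_blob and key_hash are written; the
            # plaintext ``blob`` column is left as-is here — confirm that a
            # follow-up migration clears or drops it.
            values = {
                'encrypted_blob': encrypted_blob,
                'key_hash': primary_key_hash,
            }
            update = credential_table.update().where(
                credential_table.c.id == credential.id
            ).values(values)
            session.execute(update)
            session.commit()
    finally:
        # Release the session even if reflection, encryption or an UPDATE
        # fails part-way through.
        session.close()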