def _init_memory_db_setup(self):
        # using in-memory sqlalchemy database, sqlite, instead of simulating
        # data via mocks to verify transaction behavior (like rollback when
        # error occurs in middle of delete project entities logic). This also
        # helps in verifying that project_entities related query is defined
        # correctly.
        self.opt_in_group(None, sql_connection=self.IN_MEM_DB_CONN_STRING)

        self.project_id1 = uuid.uuid4().hex
        self.project_id2 = uuid.uuid4().hex

        rep._MAKER = None
        rep._ENGINE = None

        rep.configure_db()
        self.repos = rep.Repositories(
            tenant_repo=None, tenant_secret_repo=None, secret_repo=None,
            datum_repo=None, kek_repo=None, secret_meta_repo=None,
            order_repo=None, order_plugin_meta_repo=None,
            transport_key_repo=None, container_repo=None,
            container_secret_repo=None)

        self.project1_data = c_resources.get_or_create_tenant(
            self.project_id1, self.repos.tenant_repo)
        self.assertIsNotNone(self.project1_data)

        self.engine = rep.get_engine()

        self.project2_data = c_resources.get_or_create_tenant(
            self.project_id2, self.repos.tenant_repo)
        self.assertIsNotNone(self.project2_data)
Exemple #2
0
    def on_post(self, req, resp, keystone_id):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        body = api.load_body(req, resp, self.validator)
        LOG.debug('Start on_post...{0}'.format(body))

        if 'secret' not in body:
            _secret_not_in_order(req, resp)
        secret_info = body['secret']
        name = secret_info['name']
        LOG.debug('Secret to create is {0}'.format(name))

        new_order = models.Order()
        new_order.secret_name = secret_info['name']
        new_order.secret_algorithm = secret_info.get('algorithm', None)
        new_order.secret_bit_length = secret_info.get('bit_length', None)
        new_order.secret_cypher_type = secret_info.get('cypher_type', None)
        new_order.secret_mime_type = secret_info['mime_type']
        new_order.secret_expiration = secret_info.get('expiration', None)
        new_order.tenant_id = tenant.id
        self.order_repo.create_from(new_order)

        # Send to workers to process.
        self.queue.process_order(order_id=new_order.id,
                                 keystone_id=keystone_id)

        resp.status = falcon.HTTP_202
        resp.set_header('Location',
                        '/{0}/orders/{1}'.format(keystone_id, new_order.id))
        url = convert_order_to_href(keystone_id, new_order.id)
        resp.body = json.dumps({'order_ref': url})
Exemple #3
0
    def on_post(self, req, resp, keystone_id):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(req, resp, self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        try:
            new_secret = res.create_secret(data, tenant, self.crypto_manager,
                                           self.secret_repo,
                                           self.tenant_secret_repo,
                                           self.datum_repo)
        except em.CryptoMimeTypeNotSupportedException as cmtnse:
            LOG.exception('Secret creation failed - mime-type not supported')
            _secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
        except exception.NoDataToProcess:
            LOG.exception('No secret data to process')
            _secret_plain_text_empty(req, resp)
        except exception.LimitExceeded:
            LOG.exception('Secret data too big to process')
            _secret_data_too_large(req, resp)
        except Exception as e:
            LOG.exception('Secret creation failed - unknown')
            _general_failure('Secret creation failed - unknown', req, resp)

        resp.status = falcon.HTTP_201
        resp.set_header('Location', '/{0}/secrets/{1}'.format(keystone_id,
                                                              new_secret.id))
        url = convert_secret_to_href(keystone_id, new_secret.id)
        LOG.debug('URI to secret is {0}'.format(url))
        resp.body = json.dumps({'secret_ref': url})
Exemple #4
0
    def on_get(self, req, resp, keystone_id, secret_id):

        secret = self.repo.get(entity_id=secret_id,
                               keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        resp.status = falcon.HTTP_200

        if not req.accept or req.accept == 'application/json' \
           or req.accept == '*/*':
            # Metadata-only response, no decryption necessary.
            resp.set_header('Content-Type', 'application/json')
            secret_fields = augment_fields_with_content_types(secret)
            resp.body = json.dumps(convert_to_hrefs(keystone_id,
                                                    secret_fields),
                                   default=json_handler)
        else:
            tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
            resp.set_header('Content-Type', req.accept)
            try:
                resp.body = self.crypto_manager.decrypt(
                    req.accept, secret, tenant)
            except em.CryptoAcceptNotSupportedException as canse:
                LOG.exception('Secret decryption failed - '
                              'accept not supported')
                _get_accept_not_supported(canse.accept, req, resp)
            except em.CryptoNoSecretOrDataException as cnsode:
                LOG.exception('Secret information of type {0} not '
                              'found for decryption.'.format(cnsode.mime_type))
                _get_secret_info_not_found(cnsode.mime_type, req, resp)
            except Exception as e:
                LOG.exception('Secret decryption failed - unknown')
                _failed_to_decrypt_data(req, resp)
Exemple #5
0
    def on_post(self, req, resp, keystone_id):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(req, resp, self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        try:
            new_secret = res.create_secret(data, tenant, self.crypto_manager,
                                           self.secret_repo,
                                           self.tenant_secret_repo,
                                           self.datum_repo)
        except em.CryptoMimeTypeNotSupportedException as cmtnse:
            LOG.exception('Secret creation failed - mime-type not supported')
            _secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
        except exception.NoDataToProcess:
            LOG.exception('No secret data to process')
            _secret_plain_text_empty(req, resp)
        except exception.LimitExceeded:
            LOG.exception('Secret data too big to process')
            _secret_data_too_large(req, resp)
        except Exception as e:
            LOG.exception('Secret creation failed - unknown')
            _general_failure('Secret creation failed - unknown', req, resp)

        resp.status = falcon.HTTP_201
        resp.set_header('Location',
                        '/{0}/secrets/{1}'.format(keystone_id, new_secret.id))
        url = convert_secret_to_href(keystone_id, new_secret.id)
        LOG.debug('URI to secret is {0}'.format(url))
        resp.body = json.dumps({'secret_ref': url})
Exemple #6
0
    def on_post(self, keystone_id, **kwargs):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        body = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...{0}'.format(body))

        if 'secret' not in body:
            _secret_not_in_order()
        secret_info = body['secret']
        name = secret_info.get('name')
        LOG.debug('Secret to create is {0}'.format(name))

        new_order = models.Order()
        new_order.secret_name = secret_info.get('name')
        new_order.secret_algorithm = secret_info.get('algorithm')
        new_order.secret_bit_length = secret_info.get('bit_length', 0)
        new_order.secret_mode = secret_info.get('mode')
        new_order.secret_payload_content_type = secret_info.get(
            'payload_content_type')

        new_order.secret_expiration = secret_info.get('expiration')
        new_order.tenant_id = tenant.id
        self.order_repo.create_from(new_order)

        # Send to workers to process.
        self.queue.process_order(order_id=new_order.id,
                                 keystone_id=keystone_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
            keystone_id, new_order.id
        )
        url = hrefs.convert_order_to_href(keystone_id, new_order.id)
        return {'order_ref': url}
Exemple #7
0
    def on_post(self, req, resp, keystone_id):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        data = api.load_body(req, resp, self.validator)
        LOG.debug('Start on_post...{0}'.format(data))

        new_container = models.Container(data)
        new_container.tenant_id = tenant.id

        #TODO: (hgedikli) performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
                                          keystone_id=keystone_id,
                                          suppress_exception=True)
            if not secret:
                api.abort(falcon.HTTP_404,
                          u._("Secret provided for '%s'"
                              " doesn't exist." % secret_ref.name),
                          req, resp)

        self.container_repo.create_from(new_container)

        resp.status = falcon.HTTP_202
        resp.set_header('Location',
                        '/{0}/containers/{1}'.format(keystone_id,
                                                     new_container.id))
        url = convert_container_to_href(keystone_id, new_container.id)
        resp.body = json.dumps({'container_ref': url})
Exemple #8
0
    def on_put(self, req, resp, keystone_id, secret_id):

        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        if secret.encrypted_data:
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
        payload = None
        content_type = req.content_type
        content_encoding = req.get_header('Content-Encoding')

        try:
            payload = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            api.abort(falcon.HTTP_500, 'Read Error')

        res.create_encrypted_datum(secret,
                                   payload,
                                   content_type,
                                   content_encoding,
                                   tenant,
                                   self.crypto_manager,
                                   self.datum_repo,
                                   self.kek_repo)

        resp.status = falcon.HTTP_200
Exemple #9
0
    def on_get(self, req, resp, keystone_id, secret_id):

        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        resp.status = falcon.HTTP_200

        if is_json_request_accept(req):
            # Metadata-only response, no decryption necessary.
            resp.set_header('Content-Type', 'application/json')
            secret_fields = mime_types.augment_fields_with_content_types(
                secret)
            resp.body = json.dumps(convert_to_hrefs(keystone_id,
                                                    secret_fields),
                                   default=json_handler)
        else:
            tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
            resp.set_header('Content-Type', req.accept)

            resp.body = self.crypto_manager \
                            .decrypt(req.accept,
                                     secret,
                                     tenant)
Exemple #10
0
    def on_get(self, req, resp, keystone_id, secret_id):

        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        resp.status = falcon.HTTP_200

        if is_json_request_accept(req):
            # Metadata-only response, no decryption necessary.
            resp.set_header('Content-Type', 'application/json')
            secret_fields = mime_types.augment_fields_with_content_types(
                secret)
            resp.body = json.dumps(convert_to_hrefs(keystone_id,
                                                    secret_fields),
                                   default=json_handler)
        else:
            tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
            resp.set_header('Content-Type', req.accept)

            resp.body = self.crypto_manager \
                            .decrypt(req.accept,
                                     secret,
                                     tenant)
Exemple #11
0
    def on_put(self, keystone_id, **kwargs):

        if not pecan.request.content_type or \
                pecan.request.content_type == 'application/json':
            pecan.abort(
                415,
                u._("Content-Type of '{0}' is not supported for PUT.").format(
                    pecan.request.content_type
                )
            )

        payload = pecan.request.body
        if not payload:
            raise exception.NoDataToProcess()
        if validators.secret_too_big(payload):
            raise exception.LimitExceeded()

        secret_model = self.repos.secret_repo.get(entity_id=self.secret_id,
                                                  keystone_id=keystone_id,
                                                  suppress_exception=True)
        if not secret_model:
            _secret_not_found()

        if secret_model.encrypted_data:
            _secret_already_has_data()

        tenant_model = res.get_or_create_tenant(keystone_id,
                                                self.repos.tenant_repo)
        content_type = pecan.request.content_type
        content_encoding = pecan.request.headers.get('Content-Encoding')

        plugin.store_secret(payload, content_type,
                            content_encoding, secret_model.to_dict_fields,
                            secret_model, tenant_model, self.repos)
Exemple #12
0
    def on_post(self, keystone_id):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...{0}'.format(data))

        new_container = models.Container(data)
        new_container.tenant_id = tenant.id

        #TODO(hgedikli): performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
                                          keystone_id=keystone_id,
                                          suppress_exception=True)
            if not secret:
                # This only partially localizes the error message and
                # doesn't localize secret_ref.name.
                pecan.abort(
                    404,
                    u._("Secret provided for '{0}' doesn't"
                        " exist.").format(secret_ref.name))

        self.container_repo.create_from(new_container)

        pecan.response.status = 202
        pecan.response.headers['Location'] = '/{0}/containers/{1}'.format(
            keystone_id, new_container.id)
        url = controllers.hrefs.convert_container_to_href(
            keystone_id, new_container.id)
        return {'container_ref': url}
Exemple #13
0
    def on_post(self, req, resp, keystone_id):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        data = api.load_body(req, resp, self.validator)
        LOG.debug('Start on_post...{0}'.format(data))

        new_container = models.Container(data)
        new_container.tenant_id = tenant.id

        #TODO: (hgedikli) performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
                                          keystone_id=keystone_id,
                                          suppress_exception=True)
            if not secret:
                api.abort(falcon.HTTP_404,
                          u._("Secret provided for '%s'"
                              " doesn't exist." % secret_ref.name),
                          req, resp)

        self.container_repo.create_from(new_container)

        resp.status = falcon.HTTP_202
        resp.set_header('Location',
                        '/{0}/containers/{1}'.format(keystone_id,
                                                     new_container.id))
        url = convert_container_to_href(keystone_id, new_container.id)
        resp.body = json.dumps({'container_ref': url})
Exemple #14
0
    def on_put(self, req, resp, keystone_id, secret_id):

        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        if secret.encrypted_data:
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
        payload = None
        content_type = req.content_type
        content_encoding = req.get_header('Content-Encoding')

        try:
            payload = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            api.abort(falcon.HTTP_500, 'Read Error')

        res.create_encrypted_datum(secret,
                                   payload,
                                   content_type,
                                   content_encoding,
                                   tenant,
                                   self.crypto_manager,
                                   self.datum_repo,
                                   self.kek_repo)

        resp.status = falcon.HTTP_200
Exemple #15
0
    def on_post(self, keystone_id):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        body = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...{0}'.format(body))

        if 'secret' not in body:
            _secret_not_in_order()
        secret_info = body['secret']
        name = secret_info.get('name')
        LOG.debug('Secret to create is {0}'.format(name))

        new_order = models.Order()
        new_order.secret_name = secret_info.get('name')
        new_order.secret_algorithm = secret_info.get('algorithm')
        new_order.secret_bit_length = secret_info.get('bit_length', 0)
        new_order.secret_mode = secret_info.get('mode')
        new_order.secret_payload_content_type = secret_info.get(
            'payload_content_type')

        new_order.secret_expiration = secret_info.get('expiration')
        new_order.tenant_id = tenant.id
        self.order_repo.create_from(new_order)

        # Send to workers to process.
        self.queue.process_order(order_id=new_order.id,
                                 keystone_id=keystone_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
            keystone_id, new_order.id)
        url = hrefs.convert_order_to_href(keystone_id, new_order.id)
        return {'order_ref': url}
Exemple #16
0
    def on_post(self, keystone_id, **kwargs):
        LOG.debug('Start on_post for tenant-ID %s:...', keystone_id)

        data = api.load_body(pecan.request, validator=self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.repos.tenant_repo)

        transport_key_needed = data.get('transport_key_needed',
                                        'false').lower() == 'true'

        new_secret, transport_key_model = plugin.store_secret(
            data.get('payload'),
            data.get('payload_content_type',
                     'application/octet-stream'),
            data.get('payload_content_encoding'),
            data, None, tenant,
            self.repos,
            transport_key_needed=transport_key_needed,
            transport_key_id=data.get('transport_key_id'))

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/secrets/{0}'.format(
            new_secret.id
        )
        url = hrefs.convert_secret_to_href(new_secret.id)
        LOG.debug('URI to secret is %s', url)
        if transport_key_model is not None:
            tkey_url = hrefs.convert_transport_key_to_href(
                transport_key_model.id)
            return {'secret_ref': url, 'transport_key_ref': tkey_url}
        else:
            return {'secret_ref': url}
Exemple #17
0
    def on_get(self, req, resp, keystone_id, secret_id):

        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        resp.status = falcon.HTTP_200

        if not req.accept or req.accept == 'application/json' \
                or req.accept == '*/*':
            # Metadata-only response, no decryption necessary.
            resp.set_header('Content-Type', 'application/json')
            secret_fields = augment_fields_with_content_types(secret)
            resp.body = json.dumps(convert_to_hrefs(keystone_id,
                                                    secret_fields),
                                   default=json_handler)
        else:
            tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
            resp.set_header('Content-Type', req.accept)
            try:
                resp.body = self.crypto_manager.decrypt(req.accept, secret,
                                                        tenant)
            except em.CryptoAcceptNotSupportedException as canse:
                LOG.exception('Secret decryption failed - '
                              'accept not supported')
                _get_accept_not_supported(canse.accept, req, resp)
            except em.CryptoNoSecretOrDataException as cnsode:
                LOG.exception('Secret information of type {0} not '
                              'found for decryption.'.format(cnsode.mime_type))
                _get_secret_info_not_found(cnsode.mime_type, req, resp)
            except Exception as e:
                LOG.exception('Secret decryption failed - unknown')
                _failed_to_decrypt_data(req, resp)
Exemple #18
0
    def on_put(self, keystone_id):

        if not pecan.request.content_type or \
                pecan.request.content_type == 'application/json':
            pecan.abort(
                415,
                u._("Content-Type of '{0}' is not supported for PUT.").format(
                    pecan.request.content_type
                )
            )

        secret = self.repo.get(entity_id=self.secret_id,
                               keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found()

        if secret.encrypted_data:
            _secret_already_has_data()

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
        content_type = pecan.request.content_type
        content_encoding = pecan.request.headers.get('Content-Encoding')

        res.create_encrypted_datum(secret,
                                   pecan.request.body,
                                   content_type,
                                   content_encoding,
                                   tenant,
                                   self.crypto_manager,
                                   self.datum_repo,
                                   self.kek_repo)
Exemple #19
0
    def on_post(self, req, resp, keystone_id):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        body = api.load_body(req, resp, self.validator)
        LOG.debug('Start on_post...{0}'.format(body))

        if 'secret' not in body:
            _secret_not_in_order(req, resp)
        secret_info = body['secret']
        name = secret_info.get('name')
        LOG.debug('Secret to create is {0}'.format(name))

        new_order = models.Order()
        new_order.secret_name = secret_info.get('name')
        new_order.secret_algorithm = secret_info.get('algorithm')
        new_order.secret_bit_length = secret_info.get('bit_length', 0)
        new_order.secret_mode = secret_info.get('mode')
        new_order.secret_payload_content_type = secret_info.get(
            'payload_content_type')

        new_order.secret_expiration = secret_info.get('expiration')
        new_order.tenant_id = tenant.id
        self.order_repo.create_from(new_order)

        # Send to workers to process.
        self.queue.process_order(order_id=new_order.id,
                                 keystone_id=keystone_id)

        resp.status = falcon.HTTP_202
        resp.set_header('Location', '/{0}/orders/{1}'.format(keystone_id,
                                                             new_order.id))
        url = convert_order_to_href(keystone_id, new_order.id)
        resp.body = json.dumps({'order_ref': url})
Exemple #20
0
    def on_post(self, keystone_id, **kwargs):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...%s', data)

        new_container = models.Container(data)
        new_container.tenant_id = tenant.id

        #TODO(hgedikli): performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
                                          keystone_id=keystone_id,
                                          suppress_exception=True)
            if not secret:
                # This only partially localizes the error message and
                # doesn't localize secret_ref.name.
                pecan.abort(404, u._("Secret provided for '{0}' doesn't"
                                     " exist.").format(secret_ref.name))

        self.container_repo.create_from(new_container)

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/{0}/containers/{1}'.format(
            keystone_id, new_container.id
        )
        url = controllers.hrefs.convert_container_to_href(new_container.id)
        return {'container_ref': url}
Exemple #21
0
    def on_put(self, keystone_id, **kwargs):

        if not pecan.request.content_type or \
                pecan.request.content_type == 'application/json':
            pecan.abort(
                415,
                u._("Content-Type of '{0}' is not supported for PUT.").format(
                    pecan.request.content_type
                )
            )

        secret = self.repo.get(entity_id=self.secret_id,
                               keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found()

        if secret.encrypted_data:
            _secret_already_has_data()

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
        content_type = pecan.request.content_type
        content_encoding = pecan.request.headers.get('Content-Encoding')

        res.create_encrypted_datum(secret,
                                   pecan.request.body,
                                   content_type,
                                   content_encoding,
                                   tenant,
                                   self.crypto_manager,
                                   self.datum_repo,
                                   self.kek_repo)
Exemple #22
0
    def on_post(self, req, resp, tenant_id):
        LOG.debug('Start on_post for tenant-ID {0}:'.format(tenant_id))

        data = load_body(req)
        tenant = get_or_create_tenant(tenant_id, self.tenant_repo)

        new_secret = create_secret(data, tenant, self.crypto_manager,
                                   self.secret_repo, self.tenant_secret_repo,
                                   self.datum_repo)

        resp.status = falcon.HTTP_202
        resp.set_header('Location', '/{0}/secrets/{1}'.format(tenant_id,
                                                              new_secret.id))
        url = convert_secret_to_href(tenant_id, new_secret.id)
        LOG.debug('URI to secret is {0}'.format(url))
        resp.body = json.dumps({'secret_ref': url})
Exemple #23
0
    def on_get(self, req, resp, tenant_id, secret_id):

        secret = self.repo.get(entity_id=secret_id, suppress_exception=True)
        if not secret:
            _secret_not_found()

        resp.status = falcon.HTTP_200

        if not req.accept or req.accept == 'application/json':
            # Metadata-only response, no decryption necessary.
            resp.set_header('Content-Type', 'application/json')
            resp.body = json.dumps(augment_fields_with_content_types(secret),
                                   default=json_handler)
        else:
            tenant = get_or_create_tenant(tenant_id, self.tenant_repo)
            resp.set_header('Content-Type', req.accept)
            resp.body = self.crypto_manager.decrypt(req.accept, secret, tenant)
Exemple #24
0
    def on_post(self, req, resp, keystone_id):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(req, resp, self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        new_secret = res.create_secret(data, tenant, self.crypto_manager,
                                       self.secret_repo,
                                       self.tenant_secret_repo,
                                       self.datum_repo,
                                       self.kek_repo)

        resp.status = falcon.HTTP_201
        resp.set_header('Location', '/{0}/secrets/{1}'.format(keystone_id,
                                                              new_secret.id))
        url = convert_secret_to_href(keystone_id, new_secret.id)
        LOG.debug('URI to secret is {0}'.format(url))
        resp.body = json.dumps({'secret_ref': url})
Exemple #25
0
    def on_post(self, keystone_id, **kwargs):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(pecan.request, validator=self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        new_secret = res.create_secret(data, tenant, self.crypto_manager,
                                       self.secret_repo,
                                       self.tenant_secret_repo,
                                       self.datum_repo,
                                       self.kek_repo)

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/{0}/secrets/{1}'.format(
            keystone_id, new_secret.id
        )
        url = hrefs.convert_secret_to_href(keystone_id, new_secret.id)
        LOG.debug('URI to secret is {0}'.format(url))
        return {'secret_ref': url}
Exemple #26
0
    def on_post(self, keystone_id):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(pecan.request, validator=self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        new_secret = res.create_secret(data, tenant, self.crypto_manager,
                                       self.secret_repo,
                                       self.tenant_secret_repo,
                                       self.datum_repo,
                                       self.kek_repo)

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/{0}/secrets/{1}'.format(
            keystone_id, new_secret.id
        )
        url = hrefs.convert_secret_to_href(keystone_id, new_secret.id)
        LOG.debug('URI to secret is {0}'.format(url))
        return {'secret_ref': url}
Exemple #27
0
    def on_put(self, req, resp, keystone_id, secret_id):

        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)
        if secret.mime_type != req.content_type:
            _client_content_mismatch_to_secret(secret.mime_type,
                                               req.content_type, req, resp)
        if secret.encrypted_data:
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        try:
            plain_text = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            api.abort(falcon.HTTP_500, 'Read Error')

        resp.status = falcon.HTTP_200

        try:
            res.create_encrypted_datum(secret,
                                       plain_text,
                                       tenant,
                                       self.crypto_manager,
                                       self.tenant_secret_repo,
                                       self.datum_repo)
        except em.CryptoMimeTypeNotSupportedException as cmtnse:
            LOG.exception('Secret creation failed - mime-type not supported')
            _secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
        except exception.NoDataToProcess:
            LOG.exception('No secret data to process')
            _secret_plain_text_empty(req, resp)
        except exception.LimitExceeded:
            LOG.exception('Secret data too big to process')
            _secret_data_too_large(req, resp)
        except Exception as e:
            LOG.exception('Secret creation failed - unknown')
            _failed_to_create_encrypted_datum(req, resp)
Exemple #28
0
    def on_put(self, req, resp, keystone_id, secret_id):

        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        secret = self.repo.get(entity_id=secret_id,
                               keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)
        if secret.mime_type != req.content_type:
            _client_content_mismatch_to_secret(secret.mime_type,
                                               req.content_type, req, resp)
        if secret.encrypted_data:
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        try:
            plain_text = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            api.abort(falcon.HTTP_500, 'Read Error')

        resp.status = falcon.HTTP_200

        try:
            res.create_encrypted_datum(secret, plain_text, tenant,
                                       self.crypto_manager,
                                       self.tenant_secret_repo,
                                       self.datum_repo)
        except em.CryptoMimeTypeNotSupportedException as cmtnse:
            LOG.exception('Secret creation failed - mime-type not supported')
            _secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
        except exception.NoDataToProcess:
            LOG.exception('No secret data to process')
            _secret_plain_text_empty(req, resp)
        except exception.LimitExceeded:
            LOG.exception('Secret data too big to process')
            _secret_data_too_large(req, resp)
        except Exception as e:
            LOG.exception('Secret creation failed - unknown')
            _failed_to_create_encrypted_datum(req, resp)
Exemple #29
0
    def index(self, keystone_id, **kwargs):

        secret = self.repos.secret_repo.get(entity_id=self.secret_id,
                                            keystone_id=keystone_id,
                                            suppress_exception=True)
        if not secret:
            _secret_not_found()

        if controllers.is_json_request_accept(pecan.request):
            # Metadata-only response, no secret retrieval is necessary.
            pecan.override_template('json', 'application/json')
            secret_fields = putil.mime_types.augment_fields_with_content_types(
                secret)
            transport_key_needed = kwargs.get('transport_key_needed',
                                              'false').lower() == 'true'
            if transport_key_needed:
                transport_key_id = plugin.get_transport_key_id_for_retrieval(
                    secret)
                if transport_key_id is not None:
                    secret_fields['transport_key_id'] = transport_key_id
            return hrefs.convert_to_hrefs(secret_fields)
        else:
            tenant = res.get_or_create_tenant(keystone_id,
                                              self.repos.tenant_repo)
            pecan.override_template('', pecan.request.accept.header_value)
            transport_key = None
            twsk = kwargs.get('trans_wrapped_session_key', None)
            if twsk is not None:
                transport_key_id = kwargs.get('transport_key_id', None)
                if transport_key_id is None:
                    _request_has_twsk_but_no_transport_key_id()
                transport_key_model = self.repos.transport_key_repo.get(
                    entity_id=transport_key_id,
                    suppress_exception=True)
                transport_key = transport_key_model.transport_key

            return plugin.get_secret(pecan.request.accept.header_value,
                                     secret,
                                     tenant,
                                     self.repos,
                                     twsk,
                                     transport_key)
Exemple #30
0
    def on_post(self, keystone_id, **kwargs):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(pecan.request, validator=self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.repos.tenant_repo)

        new_secret = plugin.store_secret(data.get('payload'),
                                         data.get('payload_content_type',
                                                  'application/octet-stream'),
                                         data.get('payload_content_encoding'),
                                         data, None, tenant,
                                         self.repos)

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/{0}/secrets/{1}'.format(
            keystone_id, new_secret.id
        )
        url = hrefs.convert_secret_to_href(keystone_id, new_secret.id)
        LOG.debug('URI to secret is {0}'.format(url))
        return {'secret_ref': url}
Exemple #31
0
    def on_post(self, keystone_id, **kwargs):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...%s', data)

        try:
            self.container_repo.get(self.container_id, keystone_id)
        except exception.NotFound:
            controllers.containers.container_not_found()

        new_consumer = models.ContainerConsumerMetadatum(self.container_id,
                                                         data)
        new_consumer.tenant_id = tenant.id
        self.consumer_repo.create_from(new_consumer)

        pecan.response.headers['Location'] = '/{0}/containers/{1}/consumers' \
            .format(keystone_id, new_consumer.container_id)

        return self._return_container_data(self.container_id, keystone_id)
Exemple #32
0
    def on_post(self, req, resp, keystone_id):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(req, resp, self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        new_verification = models.Verification(data)
        new_verification.tenant_id = tenant.id
        self.verification_repo.create_from(new_verification)

        # Send to workers to process.
        self.queue.process_verification(verification_id=new_verification.id,
                                        keystone_id=keystone_id)

        resp.status = falcon.HTTP_202
        resp.set_header('Location',
                        '/{0}/verifications/{1}'.format(keystone_id,
                                                        new_verification.id))
        url = convert_verification_to_href(keystone_id, new_verification.id)
        LOG.debug('URI to verification is {0}'.format(url))
        resp.body = json.dumps({'verification_ref': url})
Exemple #33
0
    def _handle_order(self, order):
        """
        Either creates a secret item here, or else begins the extended
        process of creating a secret (such as for SSL certificate
        generation.
        """
        LOG.debug("Handling order for secret type of {0}..."
                  .format(order.secret_mime_type))

        order_info = order.to_dict_fields()
        secret_info = order_info['secret']

        # Create Secret
        tenant = get_or_create_tenant(order.tenant_id, self.tenant_repo)
        new_secret = create_secret(secret_info, tenant,
                                   self.crypto_manager, self.secret_repo,
                                   self.tenant_secret_repo, self.datum_repo,
                                   ok_to_generate=True)
        order.secret_id = new_secret.id

        LOG.debug("...done creating order's secret.")
Exemple #34
0
    def on_post(self, req, resp, keystone_id):
        LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))

        data = api.load_body(req, resp, self.validator)
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        new_verification = models.Verification(data)
        new_verification.tenant_id = tenant.id
        self.verification_repo.create_from(new_verification)

        # Send to workers to process.
        self.queue.process_verification(verification_id=new_verification.id,
                                        keystone_id=keystone_id)

        resp.status = falcon.HTTP_202
        resp.set_header('Location',
                        '/{0}/verifications/{1}'.format(keystone_id,
                                                        new_verification.id))
        url = convert_verification_to_href(keystone_id, new_verification.id)
        LOG.debug('URI to verification is {0}'.format(url))
        resp.body = json.dumps({'verification_ref': url})
Exemple #35
0
    def index(self, keystone_id):

        secret = self.repo.get(entity_id=self.secret_id,
                               keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found()

        if controllers.is_json_request_accept(pecan.request):
            # Metadata-only response, no decryption necessary.
            pecan.override_template('json', 'application/json')
            secret_fields = mime_types.augment_fields_with_content_types(
                secret)
            return hrefs.convert_to_hrefs(keystone_id, secret_fields)
        else:
            tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
            pecan.override_template('', pecan.request.accept.header_value)
            return self.crypto_manager.decrypt(
                pecan.request.accept.header_value,
                secret,
                tenant
            )
Exemple #36
0
    def index(self, keystone_id):

        secret = self.repo.get(entity_id=self.secret_id,
                               keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found()

        if controllers.is_json_request_accept(pecan.request):
            # Metadata-only response, no decryption necessary.
            pecan.override_template('json', 'application/json')
            secret_fields = mime_types.augment_fields_with_content_types(
                secret)
            return hrefs.convert_to_hrefs(keystone_id, secret_fields)
        else:
            tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
            pecan.override_template('', pecan.request.accept.header_value)
            return self.crypto_manager.decrypt(
                pecan.request.accept.header_value,
                secret,
                tenant
            )
Exemple #37
0
    def on_post(self, keystone_id, **kwargs):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)
        order_type = body.get('type')
        LOG.debug('Processing order type %s', order_type)
        new_order = models.Order()
        new_order.meta = body.get('meta')
        new_order.type = order_type

        new_order.tenant_id = tenant.id
        self.order_repo.create_from(new_order)

        self.queue.process_type_order(order_id=new_order.id,
                                      keystone_id=keystone_id)
        pecan.response.status = 202
        pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
            keystone_id, new_order.id
        )
        url = hrefs.convert_order_to_href(new_order.id)
        return {'order_ref': url}
Exemple #38
0
    def on_post(self, keystone_id, **kwargs):

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        #Note(atiwari): trying to preserve backward compatibility
        #This will be removed as part of bug1335171
        raw_body = pecan.request.body
        order_type = None
        if raw_body:
            order_type = json.loads(raw_body).get('type')

        if order_type:
            body = api.load_body(pecan.request,
                                 validator=self.type_order_validator)
            LOG.debug('Processing order type %s', order_type)
            new_order = models.Order()
            new_order.meta = body.get('meta')
            new_order.type = order_type

            #TODO(john-wood-w) These are required attributes currently, but
            #   will eventually be removed once we drop the legacy orders
            #   request.
            new_order.secret_name = 'N/A'
            new_order.secret_algorithm = 'N/A'
            new_order.secret_bit_length = 0
            new_order.secret_mode = 'N/A'
            new_order.secret_payload_content_type = 'N/A'
        else:
            body = api.load_body(pecan.request, validator=self.validator)
            LOG.debug('Start on_post...%s', body)

            if 'secret' not in body:
                _secret_not_in_order()
            secret_info = body['secret']
            name = secret_info.get('name')
            LOG.debug('Secret to create is %s', name)

            new_order = models.Order()
            new_order.secret_name = secret_info.get('name')
            new_order.secret_algorithm = secret_info.get('algorithm')
            new_order.secret_bit_length = secret_info.get('bit_length', 0)
            new_order.secret_mode = secret_info.get('mode')
            new_order.secret_payload_content_type = secret_info.get(
                'payload_content_type')

            new_order.secret_expiration = secret_info.get('expiration')

        new_order.tenant_id = tenant.id
        self.order_repo.create_from(new_order)

        # Send to workers to process.
        #TODO(atiwari) - bug 1335171
        if order_type:
            self.queue.process_type_order(order_id=new_order.id,
                                          keystone_id=keystone_id)
        else:
            self.queue.process_order(order_id=new_order.id,
                                     keystone_id=keystone_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
            keystone_id, new_order.id
        )
        url = hrefs.convert_order_to_href(new_order.id)
        return {'order_ref': url}