def encrypt(self, unencrypted, secret, tenant):
"""Delegates encryption to active plugins."""
if secret.mime_type == 'text/plain':
unencrypted = unencrypted.encode('utf-8')
for ext in self.extensions:
if ext.obj.supports(secret.mime_type):
datum = EncryptedDatum(secret)
datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
unencrypted, tenant)
return datum
else:
raise CryptoMimeTypeNotSupportedException(secret.mime_type)
def encrypt(self, unencrypted, secret, tenant):
"""Delegates encryption to active plugins."""
if secret.mime_type == 'text/plain':
unencrypted = unencrypted.encode('utf-8')
for ext in self.extensions:
if ext.obj.supports(secret.mime_type):
datum = EncryptedDatum(secret)
datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
unencrypted, tenant
)
return datum
else:
raise CryptoMimeTypeNotSupportedException(secret.mime_type)
def create_secret(data, tenant_id, tenant_repo,
secret_repo, tenant_secret_repo,
datum_repo, ok_to_generate=False):
# Create a Secret and a single EncryptedDatum for that Secret. Create
# a Tenant if one doesn't already exist.
tenant = tenant_repo.get(tenant_id, suppress_exception=True)
if not tenant:
LOG.debug('Creating tenant for {0}'.format(tenant_id))
tenant = Tenant()
tenant.keystone_id = tenant_id
tenant.status = States.ACTIVE
tenant_repo.create_from(tenant)
# TODO: What if any criteria to restrict new secrets vs existing ones?
# Verify secret doesn't already exist.
#
#name = data['name']
#LOG.debug('Secret name is {0}'.format(name))
#secret = secret_repo.find_by_name(name=name,
# suppress_exception=True)
#if secret:
# abort(falcon.HTTP_400, 'Secret with name {0} '
# 'already exists'.format(name))
# Encrypt fields.
encrypt(data, ok_to_generate)
LOG.debug('Post-encrypted fields...{0}'.format(data))
secret_value = data['cypher_text'] if 'cypher_text' in data else None
LOG.debug('Encrypted secret is {0}'.format(secret_value))
# Create Secret entity.
new_secret = Secret()
new_secret.name = data['name']
new_secret.expiration = data.get('expiration', None)
new_secret.algorithm = data.get('algorithm', None)
new_secret.bit_length = data.get('bit_length', None)
new_secret.cypher_type = data.get('cypher_type', None)
new_secret.mime_type = data['mime_type']
new_secret.status = States.ACTIVE
secret_repo.create_from(new_secret)
# Create Tenant/Secret entity.
new_assoc = TenantSecret()
new_assoc.tenant_id = tenant.id
new_assoc.secret_id = new_secret.id
new_assoc.role = "admin"
new_assoc.status = States.ACTIVE
tenant_secret_repo.create_from(new_assoc)
# Create EncryptedDatum entity if plain-text provided with secret request.
if secret_value:
new_datum = EncryptedDatum()
new_datum.secret_id = new_secret.id
new_datum.mime_type = data['mime_type']
new_datum.cypher_text = secret_value
new_datum.kek_metadata = data['kek_metadata']
new_datum.status = States.ACTIVE
datum_repo.create_from(new_datum)
return new_secret
def generate_data_encryption_key(self, secret, tenant):
"""
Delegates generating a data-encryption key to active plugins.
Note that this key can be used by clients for their encryption
processes. This generated key is then be encrypted via
the plug-in key encryption process, and that encrypted datum
is then returned from this method.
"""
for ext in self.extensions:
if ext.obj.supports(secret.mime_type):
# TODO: Call plugin's key generation processes.
# Note: It could be the *data* key to generate (for the
# secret algo type) uses a different plug in than that
# used to encrypted the key.
data_key = ext.obj.create(secret.algorithm, secret.bit_length)
datum = EncryptedDatum(secret)
datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
data_key, tenant)
return datum
else:
raise CryptoMimeTypeNotSupportedException(secret.mime_type)
def generate_data_encryption_key(self, secret, tenant):
"""
Delegates generating a data-encryption key to active plugins.
Note that this key can be used by clients for their encryption
processes. This generated key is then be encrypted via
the plug-in key encryption process, and that encrypted datum
is then returned from this method.
"""
for ext in self.extensions:
if ext.obj.supports(secret.mime_type):
# TODO: Call plugin's key generation processes.
# Note: It could be the *data* key to generate (for the
# secret algo type) uses a different plug in than that
# used to encrypted the key.
data_key = ext.obj.create(secret.algorithm, secret.bit_length)
datum = EncryptedDatum(secret)
datum.cypher_text, datum.kek_metadata = ext.obj.encrypt(
data_key, tenant
)
return datum
else:
raise CryptoMimeTypeNotSupportedException(secret.mime_type)
def create_encrypted_datum(secret, plain_text,
tenant_id, tenant_secret_repo, datum_repo):
"""
Modifies the secret to add the plain_text secret information.
:param secret: the secret entity to associate the secret data to
:param plain_text: plain-text of the secret data to store
:param tenant_id: the tenant's id
:param tenant_secret_repo: the tenant/secret association repository
:param datum_repo: the encrypted datum repository
:retval The response body, None if N/A
"""
if not plain_text:
raise ValueError('Must provide plain-text to encrypt.')
if secret.encrypted_data:
raise ValueError('Secret already has encrypted data stored for it.')
fields = secret.to_dict_fields()
fields['plain_text'] = plain_text
# Encrypt fields.
encrypt(fields)
LOG.debug('Post-encrypted fields...{0}'.format(fields))
if 'cypher_text' not in fields:
raise ValueError('Could not encrypt information '
'and store in Barbican')
secret_value = fields['cypher_text']
LOG.debug('Encrypted secret is {0}'.format(secret_value))
# Create Tenant/Secret entity.
new_assoc = TenantSecret()
new_assoc.tenant_id = tenant_id
new_assoc.secret_id = secret.id
new_assoc.role = "admin"
new_assoc.status = States.ACTIVE
tenant_secret_repo.create_from(new_assoc)
# Create EncryptedDatum entity.
new_datum = EncryptedDatum()
new_datum.secret_id = secret.id
new_datum.mime_type = fields['mime_type']
new_datum.cypher_text = secret_value
new_datum.kek_metadata = fields['kek_metadata']
new_datum.status = States.ACTIVE
datum_repo.create_from(new_datum)
return new_datum
def encrypt(self, unencrypted, secret, tenant):
encrypted_datum = EncryptedDatum()
encrypted_datum.cypher_text = 'encrypted-data'
return encrypted_datum
def encrypt(self, unencrypted, secret, tenant):
datum = EncryptedDatum()
datum.cypher_text = 'cypher_text'
datum.mime_type = 'text/plain'
datum.kek_metadata = json.dumps({'plugin': 'TestCryptoPlugin'})
return datum