def encrypt_values(self,
encryption_key,
table_name,
column_name,
primary_key='_storage_id'):
"""Encrypt the values of one column in a table
"""
values = self.run_query("SELECT {0}, {1} FROM {2}".format(
primary_key, column_name, table_name))
# There is no relevant data in the snapshot
if len(values['all']) < 1:
return
encrypted_values = []
for value in values['all']:
encrypted_value = encrypt(value[1], encryption_key)
encrypted_values.append((value[0], encrypted_value))
update_query = """UPDATE {0}
SET {1} = encrypted_values.value
FROM (VALUES %s) AS encrypted_values ({2}, value)
WHERE {0}.{2} = encrypted_values.{2}""" \
.format(table_name, column_name, primary_key)
self.run_query(update_query, vars=encrypted_values, bulk_query=True)
def _create_agent(self, name, state, request_dict):
timestamp = utils.get_formatted_timestamp()
rabbitmq_password = request_dict.get('rabbitmq_password')
rabbitmq_password = encrypt(rabbitmq_password) if rabbitmq_password \
else rabbitmq_password
# TODO: remove these fields from the runtime properties
new_agent = models.Agent(
id=name,
name=name,
ip=request_dict.get('ip'),
install_method=request_dict.get('install_method'),
system=request_dict.get('system'),
state=state,
version=request_dict.get('version'),
rabbitmq_username=request_dict.get('rabbitmq_username'),
rabbitmq_password=rabbitmq_password,
rabbitmq_exchange=request_dict.get('rabbitmq_exchange'),
created_at=timestamp,
updated_at=timestamp,
)
storage_manager = get_storage_manager()
node_instance = storage_manager.get(
models.NodeInstance, request_dict.get('node_instance_id'))
new_agent.node_instance = node_instance
return storage_manager.put(new_agent)
def put(self, key, **kwargs):
"""
Create a new secret or update an existing secret if the flag
update_if_exists is set to true
"""
secret_params = self._get_secret_params(key)
encrypted_value = encrypt(secret_params['value'])
sm = get_storage_manager()
timestamp = utils.get_formatted_timestamp()
try:
new_secret = models.Secret(
id=key,
value=encrypted_value,
created_at=timestamp,
updated_at=timestamp,
visibility=secret_params['visibility'],
is_hidden_value=secret_params['is_hidden_value']
)
return sm.put(new_secret)
except ConflictError:
secret = sm.get(models.Secret, key)
if secret and secret_params['update_if_exists']:
secret.value = encrypted_value
secret.updated_at = timestamp
return sm.update(secret, validate_global=True)
raise
def encrypt_values(self, encryption_key, table_name, column_name):
"""Encrypt the values of one column in a table
"""
# try to work with _storage_id, if does not exists, try with id
key = '_storage_id'
values = self.run_query("SELECT {0}, {1} FROM {2}".format(
key, column_name, table_name))
if values['all'] is None:
key = 'id'
values = self.run_query("SELECT {0}, {1} FROM {2}".format(
key, column_name, table_name))
# There is no relevant data in the snapshot
if len(values['all']) < 1:
return
encrypted_values = []
for value in values['all']:
encrypted_value = encrypt(bytes(value[1]), encryption_key)
encrypted_values.append((value[0], encrypted_value))
update_query = """
UPDATE {0}
SET {1} = encrypted_values.value
FROM (VALUES %s) AS encrypted_values ({2}, value)
WHERE {0}.{2} = encrypted_values.{2}""".format(table_name, column_name, key)
self.run_query(update_query, vars=encrypted_values, bulk_query=True)
def _update_value(self, secret):
request_dict = rest_utils.get_json_and_verify_params({
'value': {'type': text_type, 'optional': True}
})
value = request_dict.get('value')
if value:
secret.value = encrypt(value)
def create_tenant_vhost_and_user(self, tenant):
"""
Create a new RabbitMQ vhost and user, and grant the user permissions
on the vhost
:param tenant: An SQLAlchemy Tenant object
:return: The updated tenant object
"""
vhost = tenant.rabbitmq_vhost or \
self.VHOST_NAME_PATTERN.format(tenant.name)
username = tenant.rabbitmq_username or \
self.USERNAME_PATTERN.format(tenant.name)
# The password is being stored encrypted in the DB
new_password = AMQPManager._generate_user_password()
password = decrypt(tenant.rabbitmq_password) \
if tenant.rabbitmq_password else new_password
encrypted_password = tenant.rabbitmq_password or encrypt(new_password)
self._client.create_vhost(vhost)
self._client.create_user(username, password)
self._client.set_vhost_permissions(vhost, username, '.*', '.*', '.*')
# Gives configure and write permissions to the specific exchanges of
# events, logs and monitoring
allowed_resources = '^cloudify-(events|logs|monitoring)$'
self._client.set_vhost_permissions('/',
username,
configure=allowed_resources,
write=allowed_resources)
tenant.rabbitmq_vhost = vhost
tenant.rabbitmq_username = username
tenant.rabbitmq_password = encrypted_password
return tenant
def put(self, key, **kwargs):
"""
Create a new secret or update an existing secret if the flag
update_if_exists is set to true
"""
secret_params = self._get_secret_params(key)
encrypted_value = encrypt(secret_params['value'])
sm = get_storage_manager()
timestamp = utils.get_formatted_timestamp()
try:
new_secret = models.Secret(
id=key,
value=encrypted_value,
created_at=timestamp,
updated_at=timestamp,
visibility=secret_params['visibility'],
is_hidden_value=secret_params['is_hidden_value']
)
return sm.put(new_secret)
except ConflictError:
secret = sm.get(models.Secret, key)
if secret and secret_params['update_if_exists']:
get_resource_manager().validate_modification_permitted(
secret)
secret.value = encrypted_value
secret.updated_at = timestamp
return sm.update(secret)
raise
def _create_agent(self, name, state, request_dict):
timestamp = utils.get_formatted_timestamp()
rabbitmq_password = request_dict.get('rabbitmq_password')
rabbitmq_password = encrypt(rabbitmq_password) if rabbitmq_password \
else rabbitmq_password
# TODO: remove these fields from the runtime properties
new_agent = models.Agent(
id=name,
name=name,
ip=request_dict.get('ip'),
install_method=request_dict.get('install_method'),
system=request_dict.get('system'),
state=state,
version=request_dict.get('version'),
rabbitmq_username=request_dict.get('rabbitmq_username'),
rabbitmq_password=rabbitmq_password,
rabbitmq_exchange=request_dict.get('rabbitmq_exchange'),
created_at=timestamp,
updated_at=timestamp,
)
storage_manager = get_storage_manager()
node_instance = storage_manager.get(
models.NodeInstance,
request_dict.get('node_instance_id')
)
new_agent.node_instance = node_instance
return storage_manager.put(new_agent)
def _update_value(self, secret):
request_dict = rest_utils.get_json_and_verify_params({
'value': {'type': unicode, 'optional': True}
})
value = request_dict.get('value')
if value:
secret.value = encrypt(value)
def _create_rabbitmq_user(self, resource):
username = resource.rabbitmq_username or \
USERNAME_PATTERN.format(resource.name)
# The password is being stored encrypted in the DB
new_password = generate_user_password()
password = decrypt(resource.rabbitmq_password) \
if resource.rabbitmq_password else new_password
encrypted_password = resource.rabbitmq_password or \
encrypt(new_password)
self._client.create_user(username, password)
return username, encrypted_password
def put_agent(self,
agent_name='agent_1',
instance_id='node_instance_1',
deployment_id='deployment_1'):
node_instance = self._get_or_create_node_instance(
instance_id, deployment_id)
agent = Agent(id=agent_name,
name=agent_name,
ip='127.0.0.1',
install_method='remote',
system='centos core',
version='4.5.5',
visibility='tenant',
state=AgentState.CREATING,
rabbitmq_username='******'.format(agent_name),
rabbitmq_password=encrypt(
AMQPManager._generate_user_password()),
rabbitmq_exchange=agent_name,
created_at=get_formatted_timestamp(),
updated_at=get_formatted_timestamp())
agent.node_instance = node_instance
return self.sm.put(agent)
def encrypt_values(self, encryption_key, table_name, column_name,
primary_key='_storage_id'):
"""Encrypt the values of one column in a table
"""
values = self.run_query("SELECT {0}, {1} FROM {2}".format(
primary_key, column_name, table_name))
# There is no relevant data in the snapshot
if len(values['all']) < 1:
return
encrypted_values = []
for value in values['all']:
encrypted_value = encrypt(bytes(value[1]), encryption_key)
encrypted_values.append((value[0], encrypted_value))
update_query = """UPDATE {0}
SET {1} = encrypted_values.value
FROM (VALUES %s) AS encrypted_values ({2}, value)
WHERE {0}.{2} = encrypted_values.{2}""" \
.format(table_name, column_name, primary_key)
self.run_query(update_query, vars=encrypted_values, bulk_query=True)
def put_agent(self,
agent_name='agent_1',
instance_id='node_instance_1',
deployment_id='deployment_1'):
node_instance = self._get_or_create_node_instance(instance_id,
deployment_id)
agent = Agent(
id=agent_name,
name=agent_name,
ip='127.0.0.1',
install_method='remote',
system='centos core',
version='4.5.5',
visibility='tenant',
state=AgentState.CREATING,
rabbitmq_username='******'.format(agent_name),
rabbitmq_password=encrypt(generate_user_password()),
rabbitmq_exchange=agent_name,
created_at=get_formatted_timestamp(),
updated_at=get_formatted_timestamp()
)
agent.node_instance = node_instance
return self.sm.put(agent)
def _handle_default_db_config(server):
server.db.create_all()
admin_user = get_admin_user()
fd, temp_auth_file = tempfile.mkstemp()
os.close(fd)
with open(temp_auth_file, 'w') as f:
yaml.dump(auth_dict, f)
try:
# We're mocking the AMQPManager, we aren't really using Rabbit here
default_tenant = create_default_user_tenant_and_roles(
admin_username=admin_user['username'],
admin_password=admin_user['password'],
amqp_manager=MagicMock(),
authorization_file_path=temp_auth_file
)
default_tenant.rabbitmq_password = encrypt(
AMQPManager._generate_user_password()
)
finally:
os.remove(temp_auth_file)
utils.set_current_tenant(default_tenant)
def _encrypt_values(secrets_list, password):
key = generate_key_using_password(password)
for secret in secrets_list:
secret['value'] = encrypt(secret['value'], key)
secret['encrypted'] = True
