def get_archive_credential_revisions(id):
try:
cred = Credential.get(id)
except Credential.DoesNotExist:
return jsonify({}), 404
if (cred.data_type != 'credential' and
cred.data_type != 'archive-credential'):
return jsonify({}), 404
revisions = []
_range = range(1, cred.revision + 1)
ids = []
for i in _range:
ids.append("{0}-{1}".format(id, i))
for revision in Credential.batch_get(ids):
revisions.append({
'id': revision.id,
'name': revision.name,
'revision': revision.revision,
'enabled': revision.enabled,
'modified_date': revision.modified_date,
'modified_by': revision.modified_by
})
return jsonify({
'revisions': sorted(
revisions,
key=lambda k: k['revision'],
reverse=True
)
})
def run(self, days, force, ids):
if not settings.DYNAMODB_TABLE_ARCHIVE:
logger.error('DYNAMODB_TABLE_ARCHIVE is not configured, exiting.')
return 1
if days and ids:
logger.error('--days and --ids options are mutually exclusive')
return 1
if not days and not ids:
logger.error('Either --days or --ids options are required')
return 1
credentials = []
if ids:
# filter strips an empty string
_ids = [_id.strip() for _id in list(filter(None, ids.split(',')))]
if not _ids:
logger.error('Passed in --ids argument is empty')
return 1
for credential in Credential.batch_get(_ids):
if credential.enabled:
logger.warning('Skipping enabled credential {}'.format(
credential.id))
continue
credentials.append(credential)
else:
for credential in Credential.data_type_date_index.query(
'credential'):
tz = credential.modified_date.tzinfo
now = datetime.now(tz)
delta = now - credential.modified_date
if not credential.enabled and delta.days > days:
credentials.append(credential)
self.archive(credentials, force=force)
def get_archive_credential_revisions(id):
try:
cred = Credential.get(id)
except DoesNotExist:
logging.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
if (cred.data_type != 'credential'
and cred.data_type != 'archive-credential'):
return jsonify({}), 404
revisions = []
_range = range(1, cred.revision + 1)
ids = []
for i in _range:
ids.append("{0}-{1}".format(id, i))
for revision in Credential.batch_get(ids):
revisions.append({
'id': revision.id,
'name': revision.name,
'revision': revision.revision,
'enabled': revision.enabled,
'modified_date': revision.modified_date,
'modified_by': revision.modified_by,
'documentation': revision.documentation
})
return jsonify({
'revisions':
sorted(revisions, key=lambda k: k['revision'], reverse=True)
})
def _get_credentials(credential_ids):
credentials = []
with stats.timer('service_batch_get_credentials'):
for cred in Credential.batch_get(credential_ids):
data_key = keymanager.decrypt_key(
cred.data_key, encryption_context={'id': cred.id})
cipher_version = cred.cipher_version
cipher = CipherManager(data_key, cipher_version)
_credential_pairs = cipher.decrypt(cred.credential_pairs)
_credential_pairs = json.loads(_credential_pairs)
credentials.append({
'id': cred.id,
'name': cred.name,
'enabled': cred.enabled,
'revision': cred.revision,
'credential_pairs': _credential_pairs
})
return credentials
def _get_credentials(credential_ids):
credentials = []
with stats.timer('service_batch_get_credentials'):
for cred in Credential.batch_get(credential_ids):
data_key = keymanager.decrypt_key(
cred.data_key,
encryption_context={'id': cred.id}
)
cipher_version = cred.cipher_version
cipher = CipherManager(data_key, cipher_version)
_credential_pairs = cipher.decrypt(cred.credential_pairs)
_credential_pairs = json.loads(_credential_pairs)
credentials.append({
'id': cred.id,
'name': cred.name,
'enabled': cred.enabled,
'revision': cred.revision,
'credential_pairs': _credential_pairs
})
return credentials
def get_archive_credential_revisions(id):
if not acl_module_check(
resource_type='credential', action='metadata', resource_id=id):
msg = "{} does not have access to credential {} revisions".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg}
return jsonify(error_msg), 403
try:
cred = Credential.get(id)
except DoesNotExist:
logging.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
if (cred.data_type != 'credential'
and cred.data_type != 'archive-credential'):
return jsonify({}), 404
_range = range(1, cred.revision + 1)
ids = []
for i in _range:
ids.append("{0}-{1}".format(id, i))
revisions_response = RevisionsResponse.from_credentials(
Credential.batch_get(ids))
return revisions_response_schema.dumps(revisions_response)
def archive(self, credentials, force):
services = list(Service.data_type_date_index.query('service'))
for credential in credentials:
if self.credential_in_service(credential.id, services):
msg = ('Skipping archival of disabled credential {}, as it'
' is still mapped to a service.')
logger.warning(msg.format(credential.id))
continue
saves = []
deletes = []
# save the current record.
archive_credential = CredentialArchive.from_credential(
credential, )
saves.append(archive_credential)
# fetch and save every revision
revisions = Credential.batch_get(
credentialmanager.get_revision_ids_for_credential(credential))
for revision in revisions:
archive_revision = CredentialArchive.from_credential(
revision, )
saves.append(archive_revision)
deletes.append(revision)
deletes.append(credential)
try:
self.save(saves, force=force)
except Exception:
logger.exception(
'Failed to batch save {}, skipping deletion.'.format(
credential.id))
stats.incr('archive.save.failure')
continue
try:
self.delete(deletes, force=force)
except Exception:
logger.exception('Failed to batch delete {}'.format(
credential.id))
stats.incr('archive.delete.failure')
def get_credentials(credential_ids):
with stats.timer('service_batch_get_credentials'):
_credential_ids = copy.deepcopy(credential_ids)
return [cred for cred in Credential.batch_get(_credential_ids)]
def get_archive_credential_revisions(id):
"""
Returns a list of the metadata of all the revisions of the provided
credential.
.. :quickref: Credential Revisions; Get a list of the metadata of all the
revisions of the provided credential.
**Example request**:
.. sourcecode:: http
GET /v1/archive/credentials/abcd12345bf4f1cafe8e722d3860404
:query string next_page: If paged results were returned in a call, this
query string can be used to fetch the next page.
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"revisions": [
{
"id": "abcd12345bf4f1cafe8e722d3860404-1",
"name": "Example Credential",
"credential_keys": [],
"credential_pairs": {},
"metadata": {
"example_metadata_key": "example_value"
},
"revision": 1,
"enabled": true,
"documentation": "Example documentation",
"modified_date": "2019-12-16T23:16:11.413299+00:00",
"modified_by": "*****@*****.**",
"permissions": {}
},
...
],
next_page: null
}
:resheader Content-Type: application/json
:statuscode 200: Success
:statuscode 403: Client does not have permissions to get credential
metadata for the provided credential ID.
:statuscode 404: The provided credential ID does not exist.
"""
if not acl_module_check(
resource_type='credential', action='metadata', resource_id=id):
msg = "{} does not have access to credential {} revisions".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg}
return jsonify(error_msg), 403
try:
cred = Credential.get(id)
except DoesNotExist:
logger.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
if (cred.data_type != 'credential'
and cred.data_type != 'archive-credential'):
return jsonify({}), 404
revisions_response = RevisionsResponse.from_credentials(
Credential.batch_get(
credentialmanager.get_revision_ids_for_credential(cred)))
return revisions_response_schema.dumps(revisions_response)