def encrypt_values(self, encryption_key, table_name, column_name, primary_key='_storage_id'): """Encrypt the values of one column in a table """ values = self.run_query("SELECT {0}, {1} FROM {2}".format( primary_key, column_name, table_name)) # There is no relevant data in the snapshot if len(values['all']) < 1: return encrypted_values = [] for value in values['all']: encrypted_value = encrypt(value[1], encryption_key) encrypted_values.append((value[0], encrypted_value)) update_query = """UPDATE {0} SET {1} = encrypted_values.value FROM (VALUES %s) AS encrypted_values ({2}, value) WHERE {0}.{2} = encrypted_values.{2}""" \ .format(table_name, column_name, primary_key) self.run_query(update_query, vars=encrypted_values, bulk_query=True)
def _create_agent(self, name, state, request_dict): timestamp = utils.get_formatted_timestamp() rabbitmq_password = request_dict.get('rabbitmq_password') rabbitmq_password = encrypt(rabbitmq_password) if rabbitmq_password \ else rabbitmq_password # TODO: remove these fields from the runtime properties new_agent = models.Agent( id=name, name=name, ip=request_dict.get('ip'), install_method=request_dict.get('install_method'), system=request_dict.get('system'), state=state, version=request_dict.get('version'), rabbitmq_username=request_dict.get('rabbitmq_username'), rabbitmq_password=rabbitmq_password, rabbitmq_exchange=request_dict.get('rabbitmq_exchange'), created_at=timestamp, updated_at=timestamp, ) storage_manager = get_storage_manager() node_instance = storage_manager.get( models.NodeInstance, request_dict.get('node_instance_id')) new_agent.node_instance = node_instance return storage_manager.put(new_agent)
def put(self, key, **kwargs): """ Create a new secret or update an existing secret if the flag update_if_exists is set to true """ secret_params = self._get_secret_params(key) encrypted_value = encrypt(secret_params['value']) sm = get_storage_manager() timestamp = utils.get_formatted_timestamp() try: new_secret = models.Secret( id=key, value=encrypted_value, created_at=timestamp, updated_at=timestamp, visibility=secret_params['visibility'], is_hidden_value=secret_params['is_hidden_value'] ) return sm.put(new_secret) except ConflictError: secret = sm.get(models.Secret, key) if secret and secret_params['update_if_exists']: secret.value = encrypted_value secret.updated_at = timestamp return sm.update(secret, validate_global=True) raise
def encrypt_values(self, encryption_key, table_name, column_name): """Encrypt the values of one column in a table """ # try to work with _storage_id, if does not exists, try with id key = '_storage_id' values = self.run_query("SELECT {0}, {1} FROM {2}".format( key, column_name, table_name)) if values['all'] is None: key = 'id' values = self.run_query("SELECT {0}, {1} FROM {2}".format( key, column_name, table_name)) # There is no relevant data in the snapshot if len(values['all']) < 1: return encrypted_values = [] for value in values['all']: encrypted_value = encrypt(bytes(value[1]), encryption_key) encrypted_values.append((value[0], encrypted_value)) update_query = """ UPDATE {0} SET {1} = encrypted_values.value FROM (VALUES %s) AS encrypted_values ({2}, value) WHERE {0}.{2} = encrypted_values.{2}""".format(table_name, column_name, key) self.run_query(update_query, vars=encrypted_values, bulk_query=True)
def _update_value(self, secret): request_dict = rest_utils.get_json_and_verify_params({ 'value': {'type': text_type, 'optional': True} }) value = request_dict.get('value') if value: secret.value = encrypt(value)
def create_tenant_vhost_and_user(self, tenant): """ Create a new RabbitMQ vhost and user, and grant the user permissions on the vhost :param tenant: An SQLAlchemy Tenant object :return: The updated tenant object """ vhost = tenant.rabbitmq_vhost or \ self.VHOST_NAME_PATTERN.format(tenant.name) username = tenant.rabbitmq_username or \ self.USERNAME_PATTERN.format(tenant.name) # The password is being stored encrypted in the DB new_password = AMQPManager._generate_user_password() password = decrypt(tenant.rabbitmq_password) \ if tenant.rabbitmq_password else new_password encrypted_password = tenant.rabbitmq_password or encrypt(new_password) self._client.create_vhost(vhost) self._client.create_user(username, password) self._client.set_vhost_permissions(vhost, username, '.*', '.*', '.*') # Gives configure and write permissions to the specific exchanges of # events, logs and monitoring allowed_resources = '^cloudify-(events|logs|monitoring)$' self._client.set_vhost_permissions('/', username, configure=allowed_resources, write=allowed_resources) tenant.rabbitmq_vhost = vhost tenant.rabbitmq_username = username tenant.rabbitmq_password = encrypted_password return tenant
def put(self, key, **kwargs): """ Create a new secret or update an existing secret if the flag update_if_exists is set to true """ secret_params = self._get_secret_params(key) encrypted_value = encrypt(secret_params['value']) sm = get_storage_manager() timestamp = utils.get_formatted_timestamp() try: new_secret = models.Secret( id=key, value=encrypted_value, created_at=timestamp, updated_at=timestamp, visibility=secret_params['visibility'], is_hidden_value=secret_params['is_hidden_value'] ) return sm.put(new_secret) except ConflictError: secret = sm.get(models.Secret, key) if secret and secret_params['update_if_exists']: get_resource_manager().validate_modification_permitted( secret) secret.value = encrypted_value secret.updated_at = timestamp return sm.update(secret) raise
def _create_agent(self, name, state, request_dict): timestamp = utils.get_formatted_timestamp() rabbitmq_password = request_dict.get('rabbitmq_password') rabbitmq_password = encrypt(rabbitmq_password) if rabbitmq_password \ else rabbitmq_password # TODO: remove these fields from the runtime properties new_agent = models.Agent( id=name, name=name, ip=request_dict.get('ip'), install_method=request_dict.get('install_method'), system=request_dict.get('system'), state=state, version=request_dict.get('version'), rabbitmq_username=request_dict.get('rabbitmq_username'), rabbitmq_password=rabbitmq_password, rabbitmq_exchange=request_dict.get('rabbitmq_exchange'), created_at=timestamp, updated_at=timestamp, ) storage_manager = get_storage_manager() node_instance = storage_manager.get( models.NodeInstance, request_dict.get('node_instance_id') ) new_agent.node_instance = node_instance return storage_manager.put(new_agent)
def _update_value(self, secret): request_dict = rest_utils.get_json_and_verify_params({ 'value': {'type': unicode, 'optional': True} }) value = request_dict.get('value') if value: secret.value = encrypt(value)
def _create_rabbitmq_user(self, resource): username = resource.rabbitmq_username or \ USERNAME_PATTERN.format(resource.name) # The password is being stored encrypted in the DB new_password = generate_user_password() password = decrypt(resource.rabbitmq_password) \ if resource.rabbitmq_password else new_password encrypted_password = resource.rabbitmq_password or \ encrypt(new_password) self._client.create_user(username, password) return username, encrypted_password
def put_agent(self, agent_name='agent_1', instance_id='node_instance_1', deployment_id='deployment_1'): node_instance = self._get_or_create_node_instance( instance_id, deployment_id) agent = Agent(id=agent_name, name=agent_name, ip='127.0.0.1', install_method='remote', system='centos core', version='4.5.5', visibility='tenant', state=AgentState.CREATING, rabbitmq_username='******'.format(agent_name), rabbitmq_password=encrypt( AMQPManager._generate_user_password()), rabbitmq_exchange=agent_name, created_at=get_formatted_timestamp(), updated_at=get_formatted_timestamp()) agent.node_instance = node_instance return self.sm.put(agent)
def encrypt_values(self, encryption_key, table_name, column_name, primary_key='_storage_id'): """Encrypt the values of one column in a table """ values = self.run_query("SELECT {0}, {1} FROM {2}".format( primary_key, column_name, table_name)) # There is no relevant data in the snapshot if len(values['all']) < 1: return encrypted_values = [] for value in values['all']: encrypted_value = encrypt(bytes(value[1]), encryption_key) encrypted_values.append((value[0], encrypted_value)) update_query = """UPDATE {0} SET {1} = encrypted_values.value FROM (VALUES %s) AS encrypted_values ({2}, value) WHERE {0}.{2} = encrypted_values.{2}""" \ .format(table_name, column_name, primary_key) self.run_query(update_query, vars=encrypted_values, bulk_query=True)
def put_agent(self, agent_name='agent_1', instance_id='node_instance_1', deployment_id='deployment_1'): node_instance = self._get_or_create_node_instance(instance_id, deployment_id) agent = Agent( id=agent_name, name=agent_name, ip='127.0.0.1', install_method='remote', system='centos core', version='4.5.5', visibility='tenant', state=AgentState.CREATING, rabbitmq_username='******'.format(agent_name), rabbitmq_password=encrypt(generate_user_password()), rabbitmq_exchange=agent_name, created_at=get_formatted_timestamp(), updated_at=get_formatted_timestamp() ) agent.node_instance = node_instance return self.sm.put(agent)
def _handle_default_db_config(server): server.db.create_all() admin_user = get_admin_user() fd, temp_auth_file = tempfile.mkstemp() os.close(fd) with open(temp_auth_file, 'w') as f: yaml.dump(auth_dict, f) try: # We're mocking the AMQPManager, we aren't really using Rabbit here default_tenant = create_default_user_tenant_and_roles( admin_username=admin_user['username'], admin_password=admin_user['password'], amqp_manager=MagicMock(), authorization_file_path=temp_auth_file ) default_tenant.rabbitmq_password = encrypt( AMQPManager._generate_user_password() ) finally: os.remove(temp_auth_file) utils.set_current_tenant(default_tenant)
def _encrypt_values(secrets_list, password): key = generate_key_using_password(password) for secret in secrets_list: secret['value'] = encrypt(secret['value'], key) secret['encrypted'] = True