def encrypt_user_metadata(self, req, keys):
    """
    Encrypt the values of user-metadata headers on a request, in place.

    Every non-empty x-object-meta-<key> header is removed and replaced by an
    x-object-transient-sysmeta-crypto-meta-<key> header whose value is the
    encrypted value with the crypto metadata required to decrypt it
    appended. User-metadata headers with an empty value are left untouched.

    :param req: a swob Request
    :param keys: a dict of encryption keys; indexed here by
                 ``self.server_type`` (the key passed to the cipher helper)
                 and by ``'id'`` (recorded as ``key_id``)
    """
    encrypted_prefix = get_object_transient_sysmeta('crypto-meta-')

    # Snapshot the matching headers first: req.headers is modified in the
    # loop below, so it must not be iterated while that happens.
    plaintext_items = []
    for item in req.headers.items():
        if is_user_meta(self.server_type, item[0]) and item[1]:
            plaintext_items.append(item)

    crypto_meta = None
    for header, plaintext in plaintext_items:
        target = encrypted_prefix + strip_user_meta_prefix(
            self.server_type, header)
        # NOTE(review): whether a fresh IV is generated per header value is
        # decided inside encrypt_header_val, which is not visible here -
        # confirm there.
        ciphertext, crypto_meta = encrypt_header_val(
            self.crypto, plaintext, keys[self.server_type])
        req.headers[target] = append_crypto_meta(ciphertext, crypto_meta)
        # Drop the plaintext header so only the encrypted form stays on the
        # request.
        req.headers.pop(header)

    if not crypto_meta:
        # Nothing was encrypted, so there is no summary to record.
        return

    # store a single copy of the crypto meta items that are common to all
    # encrypted user metadata independently of any such meta that is stored
    # with the object body because it might change on a POST. This is done
    # for future-proofing - the meta stored here is not currently used
    # during decryption. The cipher name is taken from the crypto meta of
    # the last header encrypted above.
    meta = dump_crypto_meta({
        'cipher': crypto_meta['cipher'],
        'key_id': keys['id'],
    })
    req.headers[get_object_transient_sysmeta('crypto-meta')] = meta
def test_headers_to_object_info_transient_sysmeta(self):
    # Two transient-sysmeta headers go in; both must come back under
    # 'transient_sysmeta', keyed by lower-cased short name, values intact
    # (including the falsy value 0).
    mixed_case_header = get_object_transient_sysmeta('Whatevs')
    lower_case_header = get_object_transient_sysmeta('somethingelse')
    headers = {mixed_case_header: 14, lower_case_header: 0}

    info = headers_to_object_info(headers.items(), 200)
    transient = info['transient_sysmeta']

    self.assertEqual(len(transient), 2)
    self.assertEqual(transient['whatevs'], 14)
    self.assertEqual(transient['somethingelse'], 0)
def test_headers_to_object_info_transient_sysmeta(self):
    # Expected mapping of short name (as it appears in the parsed info) to
    # the value supplied on the matching transient-sysmeta header.
    headers = {}
    headers[get_object_transient_sysmeta('Whatevs')] = 14
    headers[get_object_transient_sysmeta('somethingelse')] = 0

    resp = headers_to_object_info(headers.items(), 200)

    # Exactly the two supplied entries are reported, no more.
    self.assertEqual(len(resp['transient_sysmeta']), 2)
    # 'Whatevs' is looked up as 'whatevs': the short name is lower-cased.
    self.assertEqual(resp['transient_sysmeta']['whatevs'], 14)
    # A falsy value (0) must still be carried through.
    self.assertEqual(resp['transient_sysmeta']['somethingelse'], 0)
def encrypt_user_metadata(self, req, keys):
    """
    Replace plaintext user metadata on a request with encrypted sysmeta.

    For each x-object-meta-<key> header that carries a value, an
    x-object-transient-sysmeta-crypto-meta-<key> header is written holding
    the encrypted value followed by the crypto metadata required to decrypt
    it, and the original x-object-meta-<key> header is removed. Headers
    whose value is empty are skipped and stay on the request unchanged.

    :param req: a swob Request
    :param keys: a dict of encryption keys
    """
    sysmeta_prefix = get_object_transient_sysmeta('crypto-meta-')
    # Materialise the selection as a list before touching req.headers; the
    # loop below adds and removes entries.
    to_encrypt = [
        pair for pair in req.headers.items()
        if is_user_meta(self.server_type, pair[0]) and pair[1]
    ]

    crypto_meta = None
    for user_header, user_value in to_encrypt:
        suffix = strip_user_meta_prefix(self.server_type, user_header)
        sysmeta_header = sysmeta_prefix + suffix
        # The key is looked up per header under self.server_type; a keys
        # dict without that entry raises KeyError here.
        sealed, crypto_meta = encrypt_header_val(
            self.crypto, user_value, keys[self.server_type])
        req.headers[sysmeta_header] = append_crypto_meta(sealed, crypto_meta)
        # The plaintext header is removed only after its encrypted
        # replacement has been set.
        req.headers.pop(user_header)

    # store a single copy of the crypto meta items that are common to all
    # encrypted user metadata independently of any such meta that is stored
    # with the object body because it might change on a POST. This is done
    # for future-proofing - the meta stored here is not currently used
    # during decryption.
    if crypto_meta:
        common = {'cipher': crypto_meta['cipher'], 'key_id': keys['id']}
        meta = dump_crypto_meta(common)
        req.headers[get_object_transient_sysmeta('crypto-meta')] = meta
def decrypt_user_metadata(self, keys):
    """
    Decrypt the encrypted user-metadata headers of the response.

    Scans ``self._response_headers`` for non-empty headers whose name starts
    with the transient-sysmeta 'crypto-meta-' prefix, decrypts each value
    and renames the header back to a user-metadata header.

    :param keys: a dict of encryption keys; the entry under
                 ``self.server_type`` is used for decryption
    :returns: a list of (header name, decrypted value) tuples
    """
    encrypted_prefix = get_object_transient_sysmeta('crypto-meta-')
    skip = len(encrypted_prefix)
    user_prefix = get_user_meta_prefix(self.server_type).title()

    decrypted = []
    for header, stored in self._response_headers:
        # The prefix match is case-insensitive; empty values are ignored.
        if not header.lower().startswith(encrypted_prefix) or not stored:
            continue
        # Slice the original (not lower-cased) name so the suffix keeps the
        # case it was stored with.
        suffix = header[skip:]
        # NOTE(review): required=True presumably makes a value without
        # usable crypto meta an error rather than passing it through as
        # plaintext - confirm in _decrypt_header.
        plaintext = self._decrypt_header(
            header, stored, keys[self.server_type], required=True)
        decrypted.append((user_prefix + suffix, plaintext))
    return decrypted
def decrypt_user_metadata(self, keys):
    """
    Turn encrypted crypto-meta response headers back into user metadata.

    Each response header that has a value and whose lower-cased name begins
    with the transient-sysmeta 'crypto-meta-' prefix is decrypted with
    ``keys[self.server_type]`` and reported under the title-cased
    user-metadata prefix plus the original name suffix.

    :param keys: a dict of encryption keys
    :returns: a list of (name, value) tuples, one per decrypted header, in
              the order the headers were encountered
    """
    crypto_prefix = get_object_transient_sysmeta('crypto-meta-')
    suffix_start = len(crypto_prefix)
    restored_prefix = get_user_meta_prefix(self.server_type).title()

    pairs = []
    for name, val in self._response_headers:
        is_encrypted_meta = name.lower().startswith(crypto_prefix)
        if is_encrypted_meta and val:
            # required=True is forwarded to the header decrypter; how a
            # header lacking crypto meta is treated is defined there
            # (not visible here - verify before relying on it).
            clear_value = self._decrypt_header(
                name, val, keys[self.server_type], required=True)
            restored_name = restored_prefix + name[suffix_start:]
            pairs.append((restored_name, clear_value))
    return pairs
def purge_crypto_sysmeta_headers(headers):
    """
    Return the given headers without any crypto sysmeta headers.

    A header is dropped when its lower-cased name starts with either the
    object transient-sysmeta 'crypto-' prefix or the object sysmeta
    'crypto-' prefix. The input is not modified.

    :param headers: an iterable of header items whose first element is the
                    header name
    :returns: a new list holding the remaining items in their original order
    """
    kept = []
    for item in headers:
        # The prefixes are rebuilt for every header, as in a per-item
        # filter expression; str.startswith accepts the tuple directly.
        crypto_prefixes = (
            get_object_transient_sysmeta('crypto-'),
            get_sys_meta_prefix('object') + 'crypto-',
        )
        if item[0].lower().startswith(crypto_prefixes):
            continue
        kept.append(item)
    return kept
def purge_crypto_sysmeta_headers(headers):
    """
    Filter crypto-related sysmeta out of a sequence of header items.

    :param headers: an iterable of header items, name first
    :returns: a list of the items whose lower-cased name starts with neither
              the object transient-sysmeta 'crypto-' prefix nor the object
              sysmeta 'crypto-' prefix
    """
    def _is_crypto_sysmeta(header):
        # Only the name (index 0) is inspected; the comparison is made on
        # the lower-cased name, so the match is case-insensitive.
        lowered = header[0].lower()
        return lowered.startswith((
            get_object_transient_sysmeta('crypto-'),
            get_sys_meta_prefix('object') + 'crypto-',
        ))

    return [h for h in headers if not _is_crypto_sysmeta(h)]
def get_sys_migrator_header(path_type):
    """
    Build the migrator header name for the given path type.

    For 'object' the name comes from get_object_transient_sysmeta(); for
    any other path type it is that type's sysmeta prefix followed by
    MIGRATOR_HEADER.

    :param path_type: the path type; only the value 'object' is treated
                      specially here
    :returns: the header name
    """
    if path_type != 'object':
        sysmeta_prefix = get_sys_meta_prefix(path_type)
        return '%s%s' % (sysmeta_prefix, MIGRATOR_HEADER)
    # Objects use the transient sysmeta namespace instead of plain sysmeta.
    return get_object_transient_sysmeta(MIGRATOR_HEADER)