def create_encrypted_datum(secret, payload, content_type, content_encoding,
tenant, crypto_manager, datum_repo, kek_repo):
"""Modifies the secret to add the plain_text secret information.
:param secret: the secret entity to associate the secret data to
:param payload: secret data to store
:param content_type: payload content mime type
:param content_encoding: payload content encoding
:param tenant: the tenant (entity) who owns the secret
:param crypto_manager: the crypto plugin manager
:param datum_repo: the encrypted datum repository
:param kek_repo: the KEK metadata repository
:retval The response body, None if N/A
"""
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if secret.encrypted_data:
raise ValueError('Secret already has encrypted data stored for it.')
# Encrypt payload
LOG.debug('Encrypting secret payload...')
new_datum = crypto_manager.encrypt(payload, content_type, content_encoding,
secret, tenant, kek_repo)
datum_repo.create_from(new_datum)
return new_datum
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type
or pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type))
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if self.secret.encrypted_data or self.secret.secret_store_metadata:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(unencrypted_raw=payload,
content_type_raw=content_type,
content_encoding=content_encoding,
secret_model=self.secret,
project_model=project_model,
transport_key_id=transport_key_id)
LOG.info('Updated secret for project: %s', external_project_id)
def _extract_payload(self, json_data):
"""Extracts and returns the payload from the JSON data.
:raises: LimitExceeded if the payload is too big
"""
payload = json_data.get('payload', '')
if secret_too_big(payload):
raise exception.LimitExceeded()
return payload.strip()
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
validate(json_data, self.schema)
except ValidationError as e:
raise exception.InvalidObject(schema=schema_name, reason=str(e))
# Validate/normalize 'name'.
name = json_data.get('name', '').strip()
if not name:
name = None
json_data['name'] = name
# Validate/convert 'expiration' if provided.
expiration = self._extract_expiration(json_data, schema_name)
if expiration:
# Verify not already expired.
utcnow = timeutils.utcnow()
if expiration <= utcnow:
raise exception.InvalidObject(schema=schema_name,
reason=_("'expiration' is "
"before current time"))
json_data['expiration'] = expiration
# Validate/convert 'plain_text' if provided.
if 'plain_text' in json_data:
plain_text = json_data['plain_text']
if secret_too_big(plain_text):
raise exception.LimitExceeded()
plain_text = plain_text.strip()
if not plain_text:
raise exception.InvalidObject(schema=schema_name,
reason=_("If 'plain_text' "
"specified, must be "
"non empty"))
json_data['plain_text'] = plain_text
# TODO: Add validation of 'mime_type' based on loaded plugins.
return json_data
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type
or pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type))
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
secret_model = self.repos.secret_repo.get(
entity_id=self.secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret_model:
_secret_not_found()
if secret_model.encrypted_data:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id,
self.repos.project_repo)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(payload,
content_type,
content_encoding,
secret_model.to_dict_fields(),
secret_model,
project_model,
self.repos,
transport_key_id=transport_key_id)
def create_encrypted_datum(secret, plain_text, tenant, crypto_manager,
tenant_secret_repo, datum_repo):
"""
Modifies the secret to add the plain_text secret information.
:param secret: the secret entity to associate the secret data to
:param plain_text: plain-text of the secret data to store
:param tenant: the tenant (entity) who owns the secret
:param crypto_manager: the crypto plugin manager
:param tenant_secret_repo: the tenant/secret association repository
:param datum_repo: the encrypted datum repository
:retval The response body, None if N/A
"""
if not plain_text:
raise exception.NoDataToProcess()
if validators.secret_too_big(plain_text):
raise exception.LimitExceeded()
if secret.encrypted_data:
raise ValueError('Secret already has encrypted data stored for it.')
fields = secret.to_dict_fields()
fields['plain_text'] = plain_text
# Encrypt plain_text
LOG.debug('Encrypting plain_text secret')
new_datum = crypto_manager.encrypt(plain_text, secret, tenant)
datum_repo.create_from(new_datum)
# Create Tenant/Secret entity.
new_assoc = models.TenantSecret()
new_assoc.tenant_id = tenant.id
new_assoc.secret_id = secret.id
new_assoc.role = "admin"
new_assoc.status = models.States.ACTIVE
tenant_secret_repo.create_from(new_assoc)
return new_datum
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
schema.validate(json_data, self.schema)
except schema.ValidationError as e:
raise exception.InvalidObject(schema=schema_name,
reason=e.message,
property=get_invalid_property(e))
# Validate/normalize 'name'.
name = json_data.get('name', '').strip()
if not name:
name = None
json_data['name'] = name
# Validate/convert 'expiration' if provided.
expiration = self._extract_expiration(json_data, schema_name)
if expiration:
# Verify not already expired.
utcnow = timeutils.utcnow()
if expiration <= utcnow:
raise exception.InvalidObject(schema=schema_name,
reason=_("'expiration' is "
"before current time"),
property="expiration")
json_data['expiration'] = expiration
# Validate/convert 'payload' if provided.
if 'payload' in json_data:
content_type = json_data.get('payload_content_type')
if content_type is None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("If 'payload' is supplied, 'payload_content_type'"
" must also be supplied."),
property="payload_content_type"
)
content_encoding = json_data.get('payload_content_encoding')
if content_type == 'application/octet-stream' and \
content_encoding is None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("payload_content_encoding must be specified "
"when payload_content_type is application/"
"octet-stream."),
property="payload_content_encoding"
)
if content_type.startswith('text/plain') and \
content_encoding is not None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("payload_content_encoding must not be specified "
"when payload_content_type is text/plain"),
property="payload_content_encoding"
)
payload = json_data['payload']
if secret_too_big(payload):
raise exception.LimitExceeded()
payload = payload.strip()
if not payload:
raise exception.InvalidObject(schema=schema_name,
reason=_("If 'payload' "
"specified, must be "
"non empty"),
property="payload")
json_data['payload'] = payload
elif 'payload_content_type' in json_data and \
parent_schema is None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("payload must be provided "
"when payload_content_type is specified"),
property="payload"
)
return json_data
