예제 #1
    def encrypt(self, credential):
        """Encrypt a plaintext credential with ``self.crypto``.

        :param credential: plaintext credential text; it is UTF-8 encoded
            before being passed to ``self.crypto.encrypt``
        :returns: the value produced by ``self.crypto.encrypt``
        :raises exception.CredentialEncryptionError: when encoding or
            encryption raises ``TypeError`` or ``ValueError``
        """
        try:
            plaintext_bytes = credential.encode('utf-8')
            ciphertext = self.crypto.encrypt(plaintext_bytes)
        except (TypeError, ValueError):
            # The message is fixed text: it contains neither the credential
            # nor the text of the underlying exception.
            failure = _('Credential could not be encrypted. Please contact the'
                        ' administrator')
            LOG.error(failure)
            raise exception.CredentialEncryptionError(failure)
        return ciphertext
예제 #2
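    def decrypt(self, credential):
        """Attempt to decrypt a credential.

        Text input is UTF-8 encoded before it is handed to ``self.crypto``.
        Calling ``bytes()`` on text without an encoding raises ``TypeError``
        on Python 3, which the handler below would report as a decryption
        failure even for a valid token.

        :param credential: an encrypted credential, as text or bytes
        :returns: a decrypted credential, decoded from UTF-8
        :raises exception.CredentialEncryptionError: when the token is
            rejected or the input cannot be converted to bytes
        """
        try:
            # type(u'') is the text type on both Python 2 and Python 3, so no
            # compatibility library is needed for this check.
            if isinstance(credential, type(u'')):
                token = credential.encode('utf-8')
            else:
                token = bytes(credential)
            return self.crypto.decrypt(token).decode('utf-8')
        except (fernet.InvalidToken, TypeError, ValueError):
            # The message is fixed text: it does not say why the token was
            # rejected and does not include the token itself.
            msg = _('Credential could not be decrypted. Please contact the'
                    ' administrator')
            LOG.error(msg)
            raise exception.CredentialEncryptionError(msg)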
예제 #3
파일: core.py 프로젝트: yanlei03/keystone
    def encrypt(self, credential):
        """Encrypt a plaintext credential with the keys currently loaded.

        :param credential: plaintext credential text; it is UTF-8 encoded
            before encryption
        :returns: a 2-tuple of the encrypted credential and the value of
            ``primary_key_hash(keys)``
        :raises exception.CredentialEncryptionError: when encoding,
            encryption or hashing raises ``TypeError`` or ``ValueError``
        """
        multi_fernet, key_list = get_multi_fernet_keys()

        try:
            ciphertext = multi_fernet.encrypt(credential.encode('utf-8'))
            key_hash = primary_key_hash(key_list)
        except (TypeError, ValueError) as err:
            # NOTE(review): the text of the underlying exception is part of
            # the message that is logged and raised; confirm it can never
            # carry credential content.
            failure = 'Credential could not be encrypted: %s' % str(err)
            LOG.error(failure)
            raise exception.CredentialEncryptionError(failure)
        return (ciphertext, key_hash)
예제 #4
    def decrypt(self, credential):
        """Decrypt a credential with the keys in the credential key repository.

        The keys are loaded from ``CONF.credential.key_repository`` on every
        call and combined into one ``MultiFernet``.

        :param credential: an encrypted credential, as text or bytes
        :returns: a decrypted credential, decoded from UTF-8
        :raises exception.CredentialEncryptionError: when the token is
            rejected or a ``TypeError``/``ValueError`` occurs while decrypting
        """
        # NOTE(review): use_null_key=True presumably lets load_keys supply a
        # null key when the repository holds none; confirm against
        # fernet_utils before relying on it.
        repo_keys = fernet_utils.FernetUtils(
            CONF.credential.key_repository, MAX_ACTIVE_KEYS
        ).load_keys(use_null_key=True)
        crypto = fernet.MultiFernet([fernet.Fernet(k) for k in repo_keys])

        try:
            token = credential
            if isinstance(token, six.text_type):
                # Text is encoded to bytes before it is passed to decrypt().
                token = token.encode('utf-8')
            plaintext = crypto.decrypt(token)
            return plaintext.decode('utf-8')
        except (fernet.InvalidToken, TypeError, ValueError):
            # The message is fixed text: it does not say why the token was
            # rejected and does not include the token itself.
            failure = _('Credential could not be decrypted. Please contact the'
                        ' administrator')
            LOG.error(failure)
            raise exception.CredentialEncryptionError(failure)
예제 #5
    def encrypt(self, credential):
        """Encrypt a plaintext credential, warning when the null key is used.

        :param credential: plaintext credential text; it is UTF-8 encoded
            before encryption
        :returns: a 2-tuple of the encrypted credential and the value of
            ``primary_key_hash(keys)``
        :raises exception.CredentialEncryptionError: when encoding,
            encryption or hashing raises ``TypeError`` or ``ValueError``
        """
        multi_fernet, key_list = get_multi_fernet_keys()

        # Only the first key is compared with NULL_KEY. The operation still
        # proceeds after the warning, so the warning is the only signal that
        # credentials are being written under the null key.
        first_key = key_list[0]
        if first_key == fernet_utils.NULL_KEY:
            null_key_notice = (
                'Encrypting credentials with the null key. Please properly '
                'encrypt credentials using `keystone-manage credential_setup`,'
                ' `keystone-manage credential_migrate`, and `keystone-manage '
                'credential_rotate`')
            LOG.warning(null_key_notice)

        try:
            ciphertext = multi_fernet.encrypt(credential.encode('utf-8'))
            key_hash = primary_key_hash(key_list)
        except (TypeError, ValueError) as err:
            # NOTE(review): the text of the underlying exception is part of
            # the message that is logged and raised; confirm it can never
            # carry credential content.
            failure = _('Credential could not be encrypted: %s') % str(err)
            LOG.error(failure)
            raise exception.CredentialEncryptionError(failure)
        return (ciphertext, key_hash)