def run_generate_passphrases(author,
force_cleartext,
interactive,
save_location,
site_name,
passphrase_catalog=None):
"""Generates passphrases for site
:param author: identifies author generating new certificates for
tracking information
:param force_cleartext: if True, forces cleartext output of passphrases
:param interactive: Enables input prompts for "prompt: true" passphrases
:param save_location: path to save generated passphrases to
:param site_name: site name to process
:param passphrase_catalog: path to a passphrase catalog to override other
discovered catalogs
:return:
"""
_run_precommand_decrypt(site_name)
config.set_global_enc_keys(site_name)
engine.secrets.generate_passphrases(site_name,
save_location,
author,
passphrase_catalog=passphrase_catalog,
interactive=interactive,
force_cleartext=force_cleartext)
def run_decrypt(overwrite, path, save_location, site_name):
"""Unwraps and decrypts secret documents for a site
:param overwrite: if True, overwrites original files with decrypted
:param path: file(s) or directory(ies) to decrypt
:param save_location: if specified saves to the given path, otherwise
returns list of decrypted information
:param site_name: site name to process
:return: decrypted data list if save_location is None
:rtype: list
"""
decrypted_data = []
config.set_global_enc_keys(site_name)
if type(path) is not list and type(path) is not tuple:
path = [path]
for p in path:
decrypted = engine.secrets.decrypt(p, site_name=site_name)
if overwrite:
for file_path, data in decrypted.items():
files.write(data, file_path)
elif save_location is None:
for data in decrypted.values():
decrypted_data.append(data)
else:
for file_path, data in decrypted.items():
file_name = os.path.split(file_path)[1]
file_save_location = os.path.join(save_location, file_name)
files.write(data, file_save_location)
return decrypted_data
def run_check_pki_certs(days, site_name):
"""Checks PKI certificates for upcoming expiration
:param days: number of days in advance to check for upcoming expirations
:param site_name: site name to process
:return:
"""
_run_precommand_decrypt(site_name)
config.set_global_enc_keys(site_name)
expiring_certs_exist, cert_results = engine.secrets.check_cert_expiry(
site_name, duration=days)
return expiring_certs_exist, cert_results
def test_get_global_creds_missing_creds(temp_deployment_files, tmpdir):
# Create site files
site_dir = tmpdir.join("deployment_files", "site", "cicd")
save_location = tmpdir.mkdir("encrypted_site_files")
save_location_str = str(save_location)
# Capture global credentials, verify they are not present and we default
# to site credentials instead.
config.set_global_enc_keys("cicd")
passphrase, salt = secrets.get_global_creds("cicd")
assert passphrase.decode() == 'ytrr89erARAiPE34692iwUMvWqqBvC'
assert salt.decode() == 'MySecretSalt1234567890]['
def run_genesis_bundle(build_dir, site_name, validators):
"""Runs genesis bundle via promenade
:param build_dir: output directory for the generated bundle
:param site_name: site name to process
:param validators: if True, runs validation scripts on genesis bundle
:return:
"""
_run_precommand_decrypt(site_name)
encryption_key = os.environ.get("PROMENADE_ENCRYPTION_KEY")
config.set_global_enc_keys(site_name)
bundle.build_genesis(build_dir, encryption_key, validators,
logging.DEBUG == LOG.getEffectiveLevel(), site_name)
def run_upload(buffer_mode, collection, context_marker, ctx, os_auth_token,
os_auth_url, os_domain_name, os_password,
os_project_domain_name, os_project_name, os_user_domain_name,
os_username, site_name):
"""Uploads a collection of documents to shipyard
:param buffer_mode: mode used when uploading documents
:param collection: specifies the name to use for uploaded collection
:param context_marker: UUID used to correlate logs, transactions, etc...
:param ctx: dictionary containing various data used by shipyard
:param os_auth_token: authentication token
:param os_auth_url: authentication url
:param os_domain_name: domain name
:param os_password: password
:param os_project_domain_name: project domain name
:param os_project_name: project name
:param os_user_domain_name: user domain name
:param os_username: username
:param site_name: site name to process
:return: response from shipyard instance
"""
_run_precommand_decrypt(site_name)
if not ctx.obj:
ctx.obj = {}
# Build API parameters required by Shipyard API Client.
if os_auth_token:
os.environ['OS_AUTH_TOKEN'] = os_auth_token
auth_vars = {'token': os_auth_token, 'auth_url': os_auth_url}
else:
auth_vars = {
'user_domain_name': os_user_domain_name,
'project_name': os_project_name,
'username': os_username,
'password': os_password,
'auth_url': os_auth_url
}
# Domain-scoped params
if os_domain_name:
auth_vars['domain_name'] = os_domain_name
auth_vars['project_domain_name'] = None
# Project-scoped params
else:
auth_vars['project_domain_name'] = os_project_domain_name
ctx.obj['API_PARAMETERS'] = {'auth_vars': auth_vars}
ctx.obj['context_marker'] = str(context_marker)
ctx.obj['site_name'] = site_name
ctx.obj['collection'] = collection
config.set_global_enc_keys(site_name)
return ShipyardHelper(ctx, buffer_mode).upload_documents()
def test_get_global_creds_missing_pass(temp_deployment_files, tmpdir):
# Create site files
site_dir = tmpdir.join("deployment_files", "site", "cicd")
# Create global salt file
with open(
os.path.join(str(site_dir), 'secrets', 'passphrases',
'cicd-global-salt-encrypted.yaml'), "w") as outfile:
outfile.write(GLOBAL_SALT_DOC)
save_location = tmpdir.mkdir("encrypted_site_files")
save_location_str = str(save_location)
# Demonstrate that encryption fails when only the global salt or
# only the global passphrase are present among the site files.
with pytest.raises(exceptions.GlobalCredentialsNotFound):
config.set_global_enc_keys("cicd")
def run_encrypt(author, save_location, site_name, path=None):
"""Wraps and encrypts site secret documents
:param author: identifies author generating new certificates for
tracking information
:param save_location: path to save encrypted documents to, if None the
original documents are overwritten
:param site_name: site name to process
:param path: path to the document(s) to encrypt
:return:
"""
config.set_global_enc_keys(site_name)
if save_location is None and path is None:
save_location = config.get_site_repo()
engine.secrets.encrypt(save_location,
author,
site_name=site_name,
path=path)
def test_global_encrypt_decrypt(temp_deployment_files, tmpdir):
# Create site files
site_dir = tmpdir.join("deployment_files", "site", "cicd")
# Create and encrypt global passphrase and salt file using site keys
with open(os.path.join(str(site_dir), 'secrets',
'passphrases',
'cicd-global-passphrase-encrypted.yaml'), "w") \
as outfile:
outfile.write(GLOBAL_PASSPHRASE_SALT_DOC)
save_location = tmpdir.mkdir("encrypted_site_files")
save_location_str = str(save_location)
# Encrypt the global passphrase and salt file using site passphrase/salt
config.set_global_enc_keys("cicd")
secrets.encrypt(save_location_str, "pytest", "cicd")
# Create and encrypt a global type document
global_doc_path = os.path.join(str(site_dir), 'secrets', 'passphrases',
'globally_encrypted_doc.yaml')
with open(global_doc_path, "w") as outfile:
outfile.write(TEST_GLOBAL_DATA)
# encrypt documents and validate that they were encrypted
doc_mgr = PeglegSecretManagement(file_path=global_doc_path,
author='pytest',
site_name='cicd')
doc_mgr.encrypt_secrets(global_doc_path)
doc = doc_mgr.documents[0]
assert doc.is_encrypted()
assert doc.data['encrypted']['by'] == 'pytest'
doc_mgr = PeglegSecretManagement(file_path=global_doc_path,
author='pytest',
site_name='cicd')
decrypted_data = doc_mgr.get_decrypted_secrets()
test_data = list(yaml.safe_load_all(TEST_GLOBAL_DATA))
assert test_data[0]['data'] == decrypted_data[0]['data']
assert test_data[0]['schema'] == decrypted_data[0]['schema']
def test_get_global_creds(temp_deployment_files, tmpdir):
# Create site files
site_dir = tmpdir.join("deployment_files", "site", "cicd")
# Create global passphrase and salt file
with open(os.path.join(str(site_dir), 'secrets',
'passphrases',
'cicd-global-passphrase-encrypted.yaml'), "w") \
as outfile:
outfile.write(GLOBAL_PASSPHRASE_SALT_DOC)
save_location = tmpdir.mkdir("encrypted_site_files")
save_location_str = str(save_location)
# Encrypt the global passphrase and salt file using site passphrase/salt
config.set_global_enc_keys("cicd")
secrets.encrypt(save_location_str, "pytest", "cicd")
encrypted_files = listdir(save_location_str)
assert len(encrypted_files) > 0
# Capture global credentials, verify we have the right ones
passphrase, salt = secrets.get_global_creds("cicd")
assert passphrase.decode() == "TbKYNtM@3gXpL=AFLAwU?&Ey"
assert salt.decode() == "h3=DQ#GNYEuCvybgpfW7ZxAP"
def run_wrap_secret(author, encrypt, filename, layer, name, output_path,
schema, site_name):
"""Wraps a bare secrets file with identifying information for pegleg
:param author: identifies author generating new certificates for
tracking information
:param encrypt: if False, leaves files in cleartext format
:param filename: path to file to be wrapped
:param layer: layer for document to be wrapped in, e.g. site or global
:param name: name for the docuemnt wrap
:param output_path: path to output wrapped document to
:param schema: schema for the document wrap
:param site_name: site name to process
:return:
"""
config.set_global_enc_keys(site_name)
wrap_secret(author,
filename,
output_path,
schema,
name,
layer,
encrypt,
site_name=site_name)