Exemplo n.º 1
0
def run_generate_passphrases(author,
                             force_cleartext,
                             interactive,
                             save_location,
                             site_name,
                             passphrase_catalog=None):
    """Generates passphrases for site

    :param author: identifies author generating new certificates for
                   tracking information
    :param force_cleartext: if True, forces cleartext output of passphrases
    :param interactive: Enables input prompts for "prompt: true" passphrases
    :param save_location: path to save generated passphrases to
    :param site_name: site name to process
    :param passphrase_catalog: path to a passphrase catalog to override other
    discovered catalogs
    :return:
    """
    _run_precommand_decrypt(site_name)
    config.set_global_enc_keys(site_name)
    engine.secrets.generate_passphrases(site_name,
                                        save_location,
                                        author,
                                        passphrase_catalog=passphrase_catalog,
                                        interactive=interactive,
                                        force_cleartext=force_cleartext)
Exemplo n.º 2
0
def run_decrypt(overwrite, path, save_location, site_name):
    """Unwraps and decrypts secret documents for a site

    :param overwrite: if True, overwrites original files with decrypted
    :param path: file(s) or directory(ies) to decrypt
    :param save_location: if specified saves to the given path, otherwise
                          returns list of decrypted information
    :param site_name: site name to process
    :return: decrypted data list if save_location is None
    :rtype: list
    """
    decrypted_data = []
    config.set_global_enc_keys(site_name)
    if type(path) is not list and type(path) is not tuple:
        path = [path]
    for p in path:
        decrypted = engine.secrets.decrypt(p, site_name=site_name)
        if overwrite:
            for file_path, data in decrypted.items():
                files.write(data, file_path)
        elif save_location is None:
            for data in decrypted.values():
                decrypted_data.append(data)
        else:
            for file_path, data in decrypted.items():
                file_name = os.path.split(file_path)[1]
                file_save_location = os.path.join(save_location, file_name)
                files.write(data, file_save_location)
    return decrypted_data
Exemplo n.º 3
0
def run_check_pki_certs(days, site_name):
    """Checks PKI certificates for upcoming expiration

    :param days: number of days in advance to check for upcoming expirations
    :param site_name: site name to process
    :return:
    """
    _run_precommand_decrypt(site_name)
    config.set_global_enc_keys(site_name)
    expiring_certs_exist, cert_results = engine.secrets.check_cert_expiry(
        site_name, duration=days)
    return expiring_certs_exist, cert_results
Exemplo n.º 4
0
def test_get_global_creds_missing_creds(temp_deployment_files, tmpdir):
    # Create site files
    site_dir = tmpdir.join("deployment_files", "site", "cicd")

    save_location = tmpdir.mkdir("encrypted_site_files")
    save_location_str = str(save_location)

    # Capture global credentials, verify they are not present and we default
    # to site credentials instead.
    config.set_global_enc_keys("cicd")
    passphrase, salt = secrets.get_global_creds("cicd")
    assert passphrase.decode() == 'ytrr89erARAiPE34692iwUMvWqqBvC'
    assert salt.decode() == 'MySecretSalt1234567890]['
Exemplo n.º 5
0
def run_genesis_bundle(build_dir, site_name, validators):
    """Runs genesis bundle via promenade

    :param build_dir: output directory for the generated bundle
    :param site_name: site name to process
    :param validators: if True, runs validation scripts on genesis bundle
    :return:
    """
    _run_precommand_decrypt(site_name)
    encryption_key = os.environ.get("PROMENADE_ENCRYPTION_KEY")
    config.set_global_enc_keys(site_name)
    bundle.build_genesis(build_dir, encryption_key, validators,
                         logging.DEBUG == LOG.getEffectiveLevel(), site_name)
Exemplo n.º 6
0
def run_upload(buffer_mode, collection, context_marker, ctx, os_auth_token,
               os_auth_url, os_domain_name, os_password,
               os_project_domain_name, os_project_name, os_user_domain_name,
               os_username, site_name):
    """Uploads a collection of documents to shipyard

    :param buffer_mode: mode used when uploading documents
    :param collection: specifies the name to use for uploaded collection
    :param context_marker: UUID used to correlate logs, transactions, etc...
    :param ctx: dictionary containing various data used by shipyard
    :param os_auth_token: authentication token
    :param os_auth_url: authentication url
    :param os_domain_name: domain name
    :param os_password: password
    :param os_project_domain_name: project domain name
    :param os_project_name: project name
    :param os_user_domain_name: user domain name
    :param os_username: username
    :param site_name: site name to process
    :return: response from shipyard instance
    """
    _run_precommand_decrypt(site_name)
    if not ctx.obj:
        ctx.obj = {}
    # Build API parameters required by Shipyard API Client.
    if os_auth_token:
        os.environ['OS_AUTH_TOKEN'] = os_auth_token
        auth_vars = {'token': os_auth_token, 'auth_url': os_auth_url}
    else:
        auth_vars = {
            'user_domain_name': os_user_domain_name,
            'project_name': os_project_name,
            'username': os_username,
            'password': os_password,
            'auth_url': os_auth_url
        }
    # Domain-scoped params
    if os_domain_name:
        auth_vars['domain_name'] = os_domain_name
        auth_vars['project_domain_name'] = None
    # Project-scoped params
    else:
        auth_vars['project_domain_name'] = os_project_domain_name
    ctx.obj['API_PARAMETERS'] = {'auth_vars': auth_vars}
    ctx.obj['context_marker'] = str(context_marker)
    ctx.obj['site_name'] = site_name
    ctx.obj['collection'] = collection
    config.set_global_enc_keys(site_name)
    return ShipyardHelper(ctx, buffer_mode).upload_documents()
Exemplo n.º 7
0
def test_get_global_creds_missing_pass(temp_deployment_files, tmpdir):
    # Create site files
    site_dir = tmpdir.join("deployment_files", "site", "cicd")

    # Create global salt file
    with open(
            os.path.join(str(site_dir), 'secrets', 'passphrases',
                         'cicd-global-salt-encrypted.yaml'), "w") as outfile:
        outfile.write(GLOBAL_SALT_DOC)

    save_location = tmpdir.mkdir("encrypted_site_files")
    save_location_str = str(save_location)

    # Demonstrate that encryption fails when only the global salt or
    # only the global passphrase are present among the site files.
    with pytest.raises(exceptions.GlobalCredentialsNotFound):
        config.set_global_enc_keys("cicd")
Exemplo n.º 8
0
def run_encrypt(author, save_location, site_name, path=None):
    """Wraps and encrypts site secret documents

    :param author: identifies author generating new certificates for
                   tracking information
    :param save_location: path to save encrypted documents to, if None the
                          original documents are overwritten
    :param site_name: site name to process
    :param path: path to the document(s) to encrypt
    :return:
    """
    config.set_global_enc_keys(site_name)
    if save_location is None and path is None:
        save_location = config.get_site_repo()
    engine.secrets.encrypt(save_location,
                           author,
                           site_name=site_name,
                           path=path)
Exemplo n.º 9
0
def test_global_encrypt_decrypt(temp_deployment_files, tmpdir):
    # Create site files
    site_dir = tmpdir.join("deployment_files", "site", "cicd")

    # Create and encrypt global passphrase and salt file using site keys
    with open(os.path.join(str(site_dir), 'secrets',
                           'passphrases',
                           'cicd-global-passphrase-encrypted.yaml'), "w") \
            as outfile:
        outfile.write(GLOBAL_PASSPHRASE_SALT_DOC)

    save_location = tmpdir.mkdir("encrypted_site_files")
    save_location_str = str(save_location)

    # Encrypt the global passphrase and salt file using site passphrase/salt
    config.set_global_enc_keys("cicd")
    secrets.encrypt(save_location_str, "pytest", "cicd")

    # Create and encrypt a global type document
    global_doc_path = os.path.join(str(site_dir), 'secrets', 'passphrases',
                                   'globally_encrypted_doc.yaml')
    with open(global_doc_path, "w") as outfile:
        outfile.write(TEST_GLOBAL_DATA)

    # encrypt documents and validate that they were encrypted
    doc_mgr = PeglegSecretManagement(file_path=global_doc_path,
                                     author='pytest',
                                     site_name='cicd')
    doc_mgr.encrypt_secrets(global_doc_path)
    doc = doc_mgr.documents[0]
    assert doc.is_encrypted()
    assert doc.data['encrypted']['by'] == 'pytest'

    doc_mgr = PeglegSecretManagement(file_path=global_doc_path,
                                     author='pytest',
                                     site_name='cicd')
    decrypted_data = doc_mgr.get_decrypted_secrets()
    test_data = list(yaml.safe_load_all(TEST_GLOBAL_DATA))
    assert test_data[0]['data'] == decrypted_data[0]['data']
    assert test_data[0]['schema'] == decrypted_data[0]['schema']
Exemplo n.º 10
0
def test_get_global_creds(temp_deployment_files, tmpdir):
    # Create site files
    site_dir = tmpdir.join("deployment_files", "site", "cicd")

    # Create global passphrase and salt file
    with open(os.path.join(str(site_dir), 'secrets',
                           'passphrases',
                           'cicd-global-passphrase-encrypted.yaml'), "w") \
            as outfile:
        outfile.write(GLOBAL_PASSPHRASE_SALT_DOC)

    save_location = tmpdir.mkdir("encrypted_site_files")
    save_location_str = str(save_location)

    # Encrypt the global passphrase and salt file using site passphrase/salt
    config.set_global_enc_keys("cicd")
    secrets.encrypt(save_location_str, "pytest", "cicd")
    encrypted_files = listdir(save_location_str)
    assert len(encrypted_files) > 0

    # Capture global credentials, verify we have the right ones
    passphrase, salt = secrets.get_global_creds("cicd")
    assert passphrase.decode() == "TbKYNtM@3gXpL=AFLAwU?&Ey"
    assert salt.decode() == "h3=DQ#GNYEuCvybgpfW7ZxAP"
Exemplo n.º 11
0
def run_wrap_secret(author, encrypt, filename, layer, name, output_path,
                    schema, site_name):
    """Wraps a bare secrets file with identifying information for pegleg

    :param author: identifies author generating new certificates for
                   tracking information
    :param encrypt: if False, leaves files in cleartext format
    :param filename: path to file to be wrapped
    :param layer: layer for document to be wrapped in, e.g. site or global
    :param name: name for the docuemnt wrap
    :param output_path: path to output wrapped document to
    :param schema: schema for the document wrap
    :param site_name: site name to process
    :return:
    """
    config.set_global_enc_keys(site_name)
    wrap_secret(author,
                filename,
                output_path,
                schema,
                name,
                layer,
                encrypt,
                site_name=site_name)