def get_credential(id):
if not acl_module_check(
resource_type='credential', action='metadata', resource_id=id):
msg = "{} does not have access to credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
credential = Credential.get(id)
except DoesNotExist:
logging.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
if (credential.data_type != 'credential'
and credential.data_type != 'archive-credential'):
return jsonify({}), 404
permissions = {
'metadata':
True,
'get':
False,
'update':
acl_module_check(resource_type='credential',
action='update',
resource_id=id),
}
include_credential_pairs = False
if acl_module_check(resource_type='credential',
action='get',
resource_id=id):
permissions['get'] = True
include_credential_pairs = True
log_line = "{0} get credential {1}".format(authnz.get_logged_in_user(),
id)
logging.info(log_line)
credential_response = CredentialResponse.from_credential(
credential,
include_credential_keys=True,
include_credential_pairs=include_credential_pairs,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def revert_credential_to_revision(id, to_revision):
'''
Revert the provided credential to the provided revision.
.. :quickref: Credential; Revert the provided credential to the provided
revision
**Example request**:
.. sourcecode:: http
PUT /v1/credentials/abcd12345bf4f1cafe8e722d3860404/1
:param id: The credential ID to revert.
:type id: str
:param to_revision: The revision to revert this credential to.
:type to_revision: int
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": "abcd12345bf4f1cafe8e722d3860404",
"name": "Example Credential",
"credential_keys": ["example_credential_key"],
"credential_pairs": {},
"metadata": {
"example_metadata_key": "example_value"
},
"revision": 1,
"enabled": true,
"documentation": "Example documentation",
"modified_date": "2019-12-16T23:16:11.413299+00:00",
"modified_by": "*****@*****.**",
"permissions": {
"metadata": true,
"get": true,
"update": true
}
}
:resheader Content-Type: application/json
:statuscode 200: Success
:statuscode 400: Invalid input; the update would create conflicting
credential keys in a mapped service.
:statuscode 403: Client does not have access to revert the provided
credential ID.
'''
if not acl_module_check(
resource_type='credential', action='revert', resource_id=id):
msg = "{} does not have access to revert credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
current_credential = Credential.get(id)
except DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if current_credential.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
new_revision = credentialmanager.get_latest_credential_revision(
id, current_credential.revision)
try:
revert_credential = Credential.get('{}-{}'.format(id, to_revision))
except DoesNotExist:
logger.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
if revert_credential.data_type != 'archive-credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
if revert_credential.equals(current_credential):
ret = {'error': 'No difference between old and new credential.'}
return jsonify(ret), 400
services = servicemanager.get_services_for_credential(id)
if revert_credential.credential_pairs:
_credential_pairs = revert_credential.decrypted_credential_pairs
_check, ret = credentialmanager.check_credential_pair_values(
_credential_pairs)
if not _check:
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = servicemanager.pair_key_conflicts_for_services(
id, list(_credential_pairs.keys()), services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# Try to save to the archive
try:
Credential(
id='{0}-{1}'.format(id, new_revision),
name=revert_credential.name,
data_type='archive-credential',
credential_pairs=revert_credential.credential_pairs,
metadata=revert_credential.metadata,
enabled=revert_credential.enabled,
revision=new_revision,
data_key=revert_credential.data_key,
cipher_version=revert_credential.cipher_version,
modified_by=authnz.get_logged_in_user(),
documentation=revert_credential.documentation,
tags=revert_credential.tags,
last_rotation_date=revert_credential.last_rotation_date,
).save(id__null=True)
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(
id=id,
name=revert_credential.name,
data_type='credential',
credential_pairs=revert_credential.credential_pairs,
metadata=revert_credential.metadata,
enabled=revert_credential.enabled,
revision=new_revision,
data_key=revert_credential.data_key,
cipher_version=revert_credential.cipher_version,
modified_by=authnz.get_logged_in_user(),
documentation=revert_credential.documentation,
tags=revert_credential.tags,
last_rotation_date=revert_credential.last_rotation_date,
)
cred.save()
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('credential_update', service_names, [cred.id])
return credential_response_schema.dumps(
CredentialResponse.from_credential(cred))
def update_credential(id):
'''
Update the provided credential using the data provided in the POST body.
.. :quickref: Credential; Update the provided credential using the data
provided in the post body.
**Example request**:
.. sourcecode:: http
PUT /v1/credentials/abcd12345bf4f1cafe8e722d3860404
:param id: The credential ID to update.
:type id: str
:<json string name: The friendly name for the credential.
:<json Dictionary{string: string} credential_pairs: A dictionary of
arbitrary key/value pairs to be encrypted at rest.
:<json Dictionary{string: string} metadata: A dictionary of arbitrary key/
value pairs for custom per-credential end-user extensions. This is not
encrypted at rest.
:<json boolean enabled: Whether or not this credential is enabled.
:<json string documentation: End-user provided documentation for this
credential.
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": "abcd12345bf4f1cafe8e722d3860404",
"name": "Example Credential",
"credential_keys": ["example_credential_key"],
"credential_pairs": {
"example_credential_key": "example_credential_value"
},
"metadata": {
"example_metadata_key": "example_value"
},
"revision": 1,
"enabled": true,
"documentation": "Example documentation",
"modified_date": "2019-12-16T23:16:11.413299+00:00",
"modified_by": "*****@*****.**",
"permissions": {
"metadata": true,
"get": true,
"update": true
}
}
:resheader Content-Type: application/json
:statuscode 200: Success
:statuscode 400: Invalid input; either the data provided was not in the
correct format, or the update would create conflicting
credential keys in a mapped service.
:statuscode 403: Client does not have access to update the provided
credential ID.
'''
if not acl_module_check(
resource_type='credential', action='update', resource_id=id):
msg = "{} does not have access to update credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
_cred = Credential.get(id)
except DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if _cred.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
update = {
'name': data.get('name', _cred.name),
'last_rotation_date': _cred.last_rotation_date,
'credential_pairs': _cred.credential_pairs,
'enabled': _cred.enabled,
'metadata': data.get('metadata', _cred.metadata),
'documentation': data.get('documentation', _cred.documentation),
'tags': data.get('tags', _cred.tags),
}
# Enforce documentation, EXCEPT if we are restoring an old revision
if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION')
and not data.get('revision')):
return jsonify({'error': 'documentation is a required field'}), 400
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
services = servicemanager.get_services_for_credential(id)
revision = credentialmanager.get_latest_credential_revision(
id, _cred.revision)
if 'credential_pairs' in data:
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = servicemanager.pair_key_conflicts_for_services(
id, list(credential_pairs.keys()), services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# If the credential pair passed in the update is different from the
# decrypted credential pair of the most recent revision, assume that
# this is a new credential pair and update last_rotation_date
if credential_pairs != _cred.decrypted_credential_pairs:
update['last_rotation_date'] = misc.utcnow()
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
update['credential_pairs'] = cipher.encrypt(
json.dumps(credential_pairs))
# Try to save to the archive
try:
Credential(
id='{0}-{1}'.format(id, revision),
name=update['name'],
data_type='archive-credential',
credential_pairs=update['credential_pairs'],
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation'],
tags=update['tags'],
last_rotation_date=update['last_rotation_date'],
).save(id__null=True)
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(
id=id,
name=update['name'],
data_type='credential',
credential_pairs=update['credential_pairs'],
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation'],
tags=update['tags'],
last_rotation_date=update['last_rotation_date'],
)
cred.save()
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('credential_update', service_names, [cred.id])
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def create_credential():
'''
Create a credential using the data provided in the POST body.
.. :quickref: Credential; Create a credential using the data provided in
the post body.
**Example request**:
.. sourcecode:: http
POST /v1/credentials
:<json string name: The friendly name for the credential. (required)
:<json Dictionary{string: string} credential_pairs: A dictionary of
arbitrary key/value pairs to be encrypted at rest. (required)
:<json Dictionary{string: string} metadata: A dictionary of arbitrary key/
value pairs for custom per-credential end-user extensions. This is not
encrypted at rest.
:<json boolean enabled: Whether or not this credential is enabled.
(default: true)
:<json string documentation: End-user provided documentation for this
credential. (required)
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": "abcd12345bf4f1cafe8e722d3860404",
"name": "Example Credential",
"credential_keys": ["example_credential_key"],
"credential_pairs": {
"example_credential_key": "example_credential_value"
},
"metadata": {
"example_metadata_key": "example_value"
},
"revision": 1,
"enabled": true,
"documentation": "Example documentation",
"modified_date": "2019-12-16T23:16:11.413299+00:00",
"modified_by": "*****@*****.**",
"permissions": {
"metadata": true,
"get": true,
"update": true
}
}
:resheader Content-Type: application/json
:statuscode 200: Success
:statuscode 400: Invalid input; either the data provided was not in the
correct format, or a required field was not provided.
:statuscode 403: Client does not have access to create credentials.
'''
if not acl_module_check(resource_type='credential', action='create'):
msg = "{} does not have access to create credentials".format(
authnz.get_logged_in_user())
error_msg = {'error': msg}
return jsonify(error_msg), 403
data = request.get_json()
if not data.get('documentation') and settings.get('ENFORCE_DOCUMENTATION'):
return jsonify({'error': 'documentation is a required field'}), 400
if not data.get('credential_pairs'):
return jsonify({'error': 'credential_pairs is a required field'}), 400
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
for cred in Credential.data_type_date_index.query('credential',
name__eq=data['name']):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
# Generate an initial stable ID to allow name changes
id = str(uuid.uuid4()).replace('-', '')
# Try to save to the archive
revision = 1
credential_pairs = json.dumps(credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(credential_pairs)
last_rotation_date = misc.utcnow()
cred = Credential(
id='{0}-{1}'.format(id, revision),
data_type='archive-credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation'),
tags=data.get('tags', []),
last_rotation_date=last_rotation_date,
).save(id__null=True)
# Make this the current revision
cred = Credential(
id=id,
data_type='credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation'),
tags=data.get('tags', []),
last_rotation_date=last_rotation_date,
)
cred.save()
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def get_credential(id):
"""
Returns a credential object for the provided credential id.
.. :quickref: Credential; Get a credential from the provided id.
**Example request**:
.. sourcecode:: http
GET /v1/credentials/abcd12345bf4f1cafe8e722d3860404
:param id: The credential ID to get.
:type id: str
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": "...",
"name": "Example Credential",
"credential_keys": [
"api_key",
"api_user"
],
"credential_pairs": {
"api_key": "1234",
"api_user": "******"
},
"metadata": {
"example_metadata_key": "example_value"
},
"revision": 1,
"enabled": true,
"documentation": "Example documentation",
"modified_date": "2019-12-16T23:16:11.413299+00:00",
"modified_by": "*****@*****.**",
"permissions": {
"metadata": true,
"get": true,
"update": true
}
}
:resheader Content-Type: application/json
:statuscode 200: Success
:statuscode 403: Client does not have permissions to get the credential for
the provided ID.
:statuscode 404: The provided credential ID does not exist.
"""
metadata_only = misc.get_boolean(request.args.get('metadata_only'))
if not acl_module_check(
resource_type='credential', action='metadata', resource_id=id):
msg = "{} does not have access to credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
credential = Credential.get(id)
except DoesNotExist:
logger.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
if credential.data_type != 'credential':
return jsonify({}), 404
permissions = {
'metadata':
True,
'get':
False,
'update':
acl_module_check(resource_type='credential',
action='update',
resource_id=id),
}
include_credential_pairs = False
if not metadata_only and acl_module_check(
resource_type='credential', action='get', resource_id=id):
permissions['get'] = True
include_credential_pairs = True
if settings.ENABLE_SAVE_LAST_DECRYPTION_TIME:
# Also try to save the archived credential to stay consistent
try:
archived_credential = Credential.get('{}-{}'.format(
id, credential.revision))
except DoesNotExist:
archived_credential = None
logger.error('Archived credential {}-{} not found'.format(
id, credential.revision))
now = misc.utcnow()
credential.last_decrypted_date = now
credential.save()
if archived_credential:
archived_credential.last_decrypted_date = now
archived_credential.save()
log_line = "{0} get credential {1}".format(authnz.get_logged_in_user(),
id)
logger.info(log_line)
credential_response = CredentialResponse.from_credential(
credential,
include_credential_keys=True,
include_credential_pairs=include_credential_pairs,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def revert_credential_to_revision(id, to_revision):
if not acl_module_check(
resource_type='credential', action='revert', resource_id=id):
msg = "{} does not have access to revert credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
current_credential = Credential.get(id)
except DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if current_credential.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
new_revision = credentialmanager.get_latest_credential_revision(
id, current_credential.revision)
try:
revert_credential = Credential.get('{}-{}'.format(id, to_revision))
except DoesNotExist:
logging.warning('Item with id {0} does not exist.'.format(id))
return jsonify({}), 404
if revert_credential.data_type != 'archive-credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
if revert_credential.equals(current_credential):
ret = {'error': 'No difference between old and new credential.'}
return jsonify(ret), 400
services = servicemanager.get_services_for_credential(id)
if revert_credential.credential_pairs:
_credential_pairs = revert_credential.decrypted_credential_pairs
_check, ret = credentialmanager.check_credential_pair_values(
_credential_pairs)
if not _check:
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = servicemanager.pair_key_conflicts_for_services(
id, list(_credential_pairs.keys()), services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
# Try to save to the archive
try:
Credential(
id='{0}-{1}'.format(id, new_revision),
name=revert_credential.name,
data_type='archive-credential',
credential_pairs=revert_credential.credential_pairs,
metadata=revert_credential.metadata,
enabled=revert_credential.enabled,
revision=new_revision,
data_key=revert_credential.data_key,
cipher_version=revert_credential.cipher_version,
modified_by=authnz.get_logged_in_user(),
documentation=revert_credential.documentation,
).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(
id=id,
name=revert_credential.name,
data_type='credential',
credential_pairs=revert_credential.credential_pairs,
metadata=revert_credential.metadata,
enabled=revert_credential.enabled,
revision=new_revision,
data_key=revert_credential.data_key,
cipher_version=revert_credential.cipher_version,
modified_by=authnz.get_logged_in_user(),
documentation=revert_credential.documentation,
)
cred.save()
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('credential_update', service_names, [cred.id])
return credential_response_schema.dumps(
CredentialResponse.from_credential(cred))
def update_credential(id):
if not acl_module_check(
resource_type='credential', action='update', resource_id=id):
msg = "{} does not have access to update credential {}".format(
authnz.get_logged_in_user(), id)
error_msg = {'error': msg, 'reference': id}
return jsonify(error_msg), 403
try:
_cred = Credential.get(id)
except DoesNotExist:
return jsonify({'error': 'Credential not found.'}), 404
if _cred.data_type != 'credential':
msg = 'id provided is not a credential.'
return jsonify({'error': msg}), 400
data = request.get_json()
update = {}
revision = credentialmanager.get_latest_credential_revision(
id, _cred.revision)
update['name'] = data.get('name', _cred.name)
if 'enabled' in data:
if not isinstance(data['enabled'], bool):
return jsonify({'error': 'Enabled must be a boolean.'}), 400
update['enabled'] = data['enabled']
else:
update['enabled'] = _cred.enabled
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
services = servicemanager.get_services_for_credential(id)
if 'credential_pairs' in data:
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
# Ensure credential pairs don't conflicts with pairs from other
# services
conflicts = servicemanager.pair_key_conflicts_for_services(
id, list(credential_pairs.keys()), services)
if conflicts:
ret = {
'error': 'Conflicting key pairs in mapped service.',
'conflicts': conflicts
}
return jsonify(ret), 400
update['credential_pairs'] = json.dumps(credential_pairs)
else:
update['credential_pairs'] = _cred.decrypted_credential_pairs
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(update['credential_pairs'])
update['metadata'] = data.get('metadata', _cred.metadata)
update['documentation'] = data.get('documentation', _cred.documentation)
# Enforce documentation, EXCEPT if we are restoring an old revision
if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION')
and not data.get('revision')):
return jsonify({'error': 'documentation is a required field'}), 400
# Try to save to the archive
try:
Credential(id='{0}-{1}'.format(id, revision),
name=update['name'],
data_type='archive-credential',
credential_pairs=credential_pairs,
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation']).save(id__null=True)
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
try:
cred = Credential(id=id,
name=update['name'],
data_type='credential',
credential_pairs=credential_pairs,
metadata=update['metadata'],
enabled=update['enabled'],
revision=revision,
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation'])
cred.save()
except PutError as e:
logging.error(e)
return jsonify({'error': 'Failed to update active credential.'}), 500
if services:
service_names = [x.id for x in services]
msg = 'Updated credential "{0}" ({1}); Revision {2}'
msg = msg.format(cred.name, cred.id, cred.revision)
graphite.send_event(service_names, msg)
webhook.send_event('credential_update', service_names, [cred.id])
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)
def create_credential():
if not acl_module_check(resource_type='credential', action='create'):
msg = "{} does not have access to create credentials".format(
authnz.get_logged_in_user())
error_msg = {'error': msg}
return jsonify(error_msg), 403
data = request.get_json()
if not data.get('documentation') and settings.get('ENFORCE_DOCUMENTATION'):
return jsonify({'error': 'documentation is a required field'}), 400
if not data.get('credential_pairs'):
return jsonify({'error': 'credential_pairs is a required field'}), 400
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
# Ensure credential pair keys are lowercase
credential_pairs = credentialmanager.lowercase_credential_pairs(
data['credential_pairs'])
_check, ret = credentialmanager.check_credential_pair_values(
credential_pairs)
if not _check:
return jsonify(ret), 400
for cred in Credential.data_type_date_index.query('credential',
name__eq=data['name']):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
# Generate an initial stable ID to allow name changes
id = str(uuid.uuid4()).replace('-', '')
# Try to save to the archive
revision = 1
credential_pairs = json.dumps(credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(credential_pairs)
cred = Credential(
id='{0}-{1}'.format(id, revision),
data_type='archive-credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation')).save(id__null=True)
# Make this the current revision
cred = Credential(id=id,
data_type='credential',
name=data['name'],
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
enabled=data.get('enabled'),
data_key=data_key['ciphertext'],
cipher_version=2,
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation'))
cred.save()
permissions = {
'metadata': True,
'get': True,
'update': True,
}
credential_response = CredentialResponse.from_credential(
cred,
include_credential_keys=True,
include_credential_pairs=True,
)
credential_response.permissions = permissions
return credential_response_schema.dumps(credential_response)