def _get_latest_blind_credential_revision(id, revision): i = revision + 1 while True: _id = '{0}-{1}'.format(id, i) try: BlindCredential.get(_id) except DoesNotExist: return i i = i + 1
def _get_latest_blind_credential_revision(id, revision): i = revision + 1 while True: _id = '{0}-{1}'.format(id, i) try: BlindCredential.get(_id) except BlindCredential.DoesNotExist: return i i = i + 1
def get_archive_blind_credential_revisions(id): try: cred = BlindCredential.get(id) except BlindCredential.DoesNotExist: return jsonify({}), 404 if (cred.data_type != 'blind-credential' and cred.data_type != 'archive-blind-credential'): return jsonify({}), 404 revisions = [] _range = range(1, cred.revision + 1) ids = [] for i in _range: ids.append("{0}-{1}".format(id, i)) for revision in BlindCredential.batch_get(ids): revisions.append({ 'id': cred.id, 'name': cred.name, 'credential_pairs': cred.credential_pairs, 'credential_keys': list(cred.credential_keys), 'cipher_type': cred.cipher_type, 'cipher_version': cred.cipher_version, 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'data_key': cred.data_key, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by }) return jsonify({ 'revisions': sorted( revisions, key=lambda k: k['revision'], reverse=True ) })
def get_archive_blind_credential_revisions(id): try: cred = BlindCredential.get(id) except DoesNotExist: return jsonify({}), 404 if (cred.data_type != 'blind-credential' and cred.data_type != 'archive-blind-credential'): logging.warning('Item with id {0} does not exist.'.format(id)) return jsonify({}), 404 revisions = [] _range = range(1, cred.revision + 1) ids = [] for i in _range: ids.append("{0}-{1}".format(id, i)) for revision in BlindCredential.batch_get(ids): revisions.append({ 'id': cred.id, 'name': cred.name, 'credential_pairs': cred.credential_pairs, 'credential_keys': list(cred.credential_keys), 'cipher_type': cred.cipher_type, 'cipher_version': cred.cipher_version, 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'data_key': cred.data_key, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by, 'documentation': cred.documentation }) return jsonify({ 'revisions': sorted(revisions, key=lambda k: k['revision'], reverse=True) })
def get_blind_credential(id): try: cred = BlindCredential.get(id) except DoesNotExist: logger.warning( 'Item with id {0} does not exist.'.format(id) ) return jsonify({}), 404 if (cred.data_type != 'blind-credential' and cred.data_type != 'archive-blind-credential'): return jsonify({}), 404 return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': cred.credential_pairs, 'credential_keys': list(cred.credential_keys), 'cipher_type': cred.cipher_type, 'cipher_version': cred.cipher_version, 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'data_key': cred.data_key, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by, 'documentation': cred.documentation })
def get_blind_credential(id): try: cred = BlindCredential.get(id) except BlindCredential.DoesNotExist: return jsonify({}), 404 if (cred.data_type != 'blind-credential' and cred.data_type != 'archive-blind-credential'): return jsonify({}), 404 return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': cred.credential_pairs, 'credential_keys': list(cred.credential_keys), 'cipher_type': cred.cipher_type, 'cipher_version': cred.cipher_version, 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'data_key': cred.data_key, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by })
def update_blind_credential(id): try: _cred = BlindCredential.get(id) except Credential.DoesNotExist: return jsonify({'error': 'Blind credential not found.'}), 404 if _cred.data_type != 'blind-credential': msg = 'id provided is not a blind-credential.' return jsonify({'error': msg}), 400 data = request.get_json() update = {} revision = _get_latest_blind_credential_revision(id, _cred.revision) update['name'] = data.get('name', _cred.name) if 'enabled' in data: if not isinstance(data['enabled'], bool): return jsonify({'error': 'Enabled must be a boolean.'}), 400 update['enabled'] = data['enabled'] else: update['enabled'] = _cred.enabled if not isinstance(data.get('metadata', {}), dict): return jsonify({'error': 'metadata must be a dict'}), 400 services = _get_services_for_blind_credential(id) if 'credential_pairs' in data: for key in ['data_key', 'cipher_type', 'cipher_version']: if key not in data: msg = '{0} required when updating credential_pairs.' msg = msg.format(key) return jsonify({'error': msg}), 400 update['credential_pairs'] = data['credential_pairs'] update['credential_keys'] = data.get('credential_keys', []) if not isinstance(update['credential_keys'], list): return jsonify({ 'error': 'credential_keys must be a list.' }), 400 # Ensure credential keys don't conflicts with pairs from other # services conflicts = _pair_key_conflicts_for_services( id, data['credential_keys'], services ) if conflicts: ret = { 'error': 'Conflicting key pairs in mapped service.', 'conflicts': conflicts } return jsonify(ret), 400 if not isinstance(data['data_key'], dict): return jsonify({ 'error': 'data_key must be a dict with a region/key mapping.' }), 400 update['data_key'] = data['data_key'] update['cipher_type'] = data['cipher_type'] update['cipher_version'] = data['cipher_version'] else: update['credential_pairs'] = _cred.credential_pairs update['credential_keys'] = _cred.credential_keys update['data_key'] = _cred.data_key update['cipher_type'] = _cred.cipher_type update['cipher_version'] = _cred.cipher_version update['metadata'] = data.get('metadata', _cred.metadata) # Try to save to the archive try: BlindCredential( id='{0}-{1}'.format(id, revision), data_type='archive-blind-credential', name=update['name'], credential_pairs=update['credential_pairs'], credential_keys=update['credential_keys'], metadata=update['metadata'], revision=revision, enabled=update['enabled'], data_key=update['data_key'], cipher_type=update['cipher_type'], cipher_version=update['cipher_version'], modified_by=authnz.get_logged_in_user() ).save(id__null=True) except PutError as e: logging.error(e) return jsonify( {'error': 'Failed to add blind-credential to archive.'} ), 500 try: cred = BlindCredential( id=id, data_type='blind-credential', name=update['name'], credential_pairs=update['credential_pairs'], credential_keys=update['credential_keys'], metadata=update['metadata'], revision=revision, enabled=update['enabled'], data_key=update['data_key'], cipher_type=update['cipher_type'], cipher_version=update['cipher_version'], modified_by=authnz.get_logged_in_user() ) cred.save() except PutError as e: logging.error(e) return jsonify( {'error': 'Failed to update active blind-credential.'} ), 500 if services: service_names = [x.id for x in services] msg = 'Updated credential "{0}" ({1}); Revision {2}' msg = msg.format(cred.name, cred.id, cred.revision) graphite.send_event(service_names, msg) webhook.send_event('blind_credential_update', service_names, [cred.id]) return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': cred.credential_pairs, 'credential_keys': list(cred.credential_keys), 'cipher_type': cred.cipher_type, 'cipher_version': cred.cipher_version, 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'data_key': cred.data_key, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by })
def update_blind_credential(id): try: _cred = BlindCredential.get(id) except DoesNotExist: return jsonify({'error': 'Blind credential not found.'}), 404 if _cred.data_type != 'blind-credential': msg = 'id provided is not a blind-credential.' return jsonify({'error': msg}), 400 data = request.get_json() update = {} revision = _get_latest_blind_credential_revision(id, _cred.revision) update['name'] = data.get('name', _cred.name) if 'enabled' in data: if not isinstance(data['enabled'], bool): return jsonify({'error': 'Enabled must be a boolean.'}), 400 update['enabled'] = data['enabled'] else: update['enabled'] = _cred.enabled if not isinstance(data.get('metadata', {}), dict): return jsonify({'error': 'metadata must be a dict'}), 400 services = _get_services_for_blind_credential(id) if 'credential_pairs' in data: for key in ['data_key', 'cipher_type', 'cipher_version']: if key not in data: msg = '{0} required when updating credential_pairs.' msg = msg.format(key) return jsonify({'error': msg}), 400 update['credential_pairs'] = data['credential_pairs'] update['credential_keys'] = data.get('credential_keys', []) if not isinstance(update['credential_keys'], list): return jsonify({'error': 'credential_keys must be a list.'}), 400 # Ensure credential keys don't conflicts with pairs from other # services conflicts = _pair_key_conflicts_for_services(id, data['credential_keys'], services) if conflicts: ret = { 'error': 'Conflicting key pairs in mapped service.', 'conflicts': conflicts } return jsonify(ret), 400 if not isinstance(data['data_key'], dict): return jsonify({ 'error': 'data_key must be a dict with a region/key mapping.' }), 400 update['data_key'] = data['data_key'] update['cipher_type'] = data['cipher_type'] update['cipher_version'] = data['cipher_version'] else: update['credential_pairs'] = _cred.credential_pairs update['credential_keys'] = _cred.credential_keys update['data_key'] = _cred.data_key update['cipher_type'] = _cred.cipher_type update['cipher_version'] = _cred.cipher_version update['metadata'] = data.get('metadata', _cred.metadata) update['documentation'] = data.get('documentation', _cred.documentation) # Enforce documentation, EXCEPT if we are restoring an old revision if (not update['documentation'] and settings.get('ENFORCE_DOCUMENTATION') and not data.get('revision')): return jsonify({'error': 'documentation is a required field'}), 400 # Try to save to the archive try: BlindCredential( id='{0}-{1}'.format(id, revision), data_type='archive-blind-credential', name=update['name'], credential_pairs=update['credential_pairs'], credential_keys=update['credential_keys'], metadata=update['metadata'], revision=revision, enabled=update['enabled'], data_key=update['data_key'], cipher_type=update['cipher_type'], cipher_version=update['cipher_version'], modified_by=authnz.get_logged_in_user(), documentation=update['documentation']).save(id__null=True) except PutError as e: logging.error(e) return jsonify({'error': 'Failed to add blind-credential to archive.'}), 500 try: cred = BlindCredential(id=id, data_type='blind-credential', name=update['name'], credential_pairs=update['credential_pairs'], credential_keys=update['credential_keys'], metadata=update['metadata'], revision=revision, enabled=update['enabled'], data_key=update['data_key'], cipher_type=update['cipher_type'], cipher_version=update['cipher_version'], modified_by=authnz.get_logged_in_user(), documentation=update['documentation']) cred.save() except PutError as e: logging.error(e) return jsonify({'error': 'Failed to update active blind-credential.'}), 500 if services: service_names = [x.id for x in services] msg = 'Updated credential "{0}" ({1}); Revision {2}' msg = msg.format(cred.name, cred.id, cred.revision) graphite.send_event(service_names, msg) webhook.send_event('blind_credential_update', service_names, [cred.id]) return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': cred.credential_pairs, 'credential_keys': list(cred.credential_keys), 'cipher_type': cred.cipher_type, 'cipher_version': cred.cipher_version, 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'data_key': cred.data_key, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by, 'documentation': cred.documentation })
def revert_blind_credential_to_revision(id, to_revision): try: current_credential = BlindCredential.get(id) except DoesNotExist: return jsonify({'error': 'Blind credential not found.'}), 404 if current_credential.data_type != 'blind-credential': msg = 'id provided is not a blind-credential.' return jsonify({'error': msg}), 400 new_revision = credentialmanager.get_latest_blind_credential_revision( id, current_credential.revision ) try: revert_credential = BlindCredential.get('{}-{}'.format(id, to_revision)) except DoesNotExist: return jsonify({'error': 'Blind credential not found.'}), 404 if revert_credential.data_type != 'archive-blind-credential': msg = 'id provided is not an archive-blind-credential.' return jsonify({'error': msg}), 400 if revert_credential.equals(current_credential): ret = { 'error': 'No difference between old and new blind credential.' } return jsonify(ret), 400 services = servicemanager.get_services_for_blind_credential(id) if revert_credential.credential_keys: # Ensure credential keys don't conflicts with pairs from other # services conflicts = servicemanager.pair_key_conflicts_for_services( id, revert_credential.credential_keys, services ) if conflicts: ret = { 'error': 'Conflicting key pairs in mapped service.', 'conflicts': conflicts } return jsonify(ret), 400 # Try to save to the archive try: BlindCredential( id='{}-{}'.format(id, new_revision), data_type='archive-blind-credential', name=revert_credential.name, credential_pairs=revert_credential.credential_pairs, credential_keys=revert_credential.credential_keys, metadata=revert_credential.metadata, revision=new_revision, enabled=revert_credential.enabled, data_key=revert_credential.data_key, cipher_type=revert_credential.cipher_type, cipher_version=revert_credential.cipher_version, modified_by=authnz.get_logged_in_user(), documentation=revert_credential.documentation ).save(id__null=True) except PutError as e: logger.error(e) return jsonify( {'error': 'Failed to add blind-credential to archive.'} ), 500 try: cred = BlindCredential( id=id, data_type='blind-credential', name=revert_credential.name, credential_pairs=revert_credential.credential_pairs, credential_keys=revert_credential.credential_keys, metadata=revert_credential.metadata, revision=new_revision, enabled=revert_credential.enabled, data_key=revert_credential.data_key, cipher_type=revert_credential.cipher_type, cipher_version=revert_credential.cipher_version, modified_by=authnz.get_logged_in_user(), documentation=revert_credential.documentation ) cred.save() except PutError as e: logger.error(e) return jsonify( {'error': 'Failed to update active blind-credential.'} ), 500 if services: service_names = [x.id for x in services] msg = 'Updated credential "{0}" ({1}); Revision {2}' msg = msg.format(cred.name, cred.id, cred.revision) graphite.send_event(service_names, msg) webhook.send_event('blind_credential_update', service_names, [cred.id]) return jsonify({ 'id': cred.id, 'name': cred.name, 'credential_pairs': cred.credential_pairs, 'credential_keys': list(cred.credential_keys), 'cipher_type': cred.cipher_type, 'cipher_version': cred.cipher_version, 'metadata': cred.metadata, 'revision': cred.revision, 'enabled': cred.enabled, 'data_key': cred.data_key, 'modified_date': cred.modified_date, 'modified_by': cred.modified_by, 'documentation': cred.documentation })