def setUp(self):
    """Build two ProxyCacheConfig fixtures pointing at the docker.io upstream.

    ``self.config`` carries no upstream credentials; ``self.auth_config`` carries a
    username/password pair stored as LazyEncryptedValue, encrypted with the same
    DATABASE_SECRET_KEY the application uses so the values look exactly like rows
    read back from the database.  The plaintexts ("user"/"pass") are fixture data
    only.
    """
    upstream = "docker.io"

    self.config = ProxyCacheConfig(
        upstream_registry=upstream,
        organization=User(username="******", organization=True),
    )

    # Field-level encrypter keyed the same way as the application's own.
    encrypter = FieldEncrypter(app.config.get("DATABASE_SECRET_KEY"))

    def encrypted_field(plaintext, field):
        # Encrypt under the column's own max_length so the ciphertext fits the column.
        ciphertext = encrypter.encrypt_value(plaintext, field_max_length=field.max_length)
        return LazyEncryptedValue(ciphertext, field)

    username_field = ProxyCacheConfig.upstream_registry_username
    password_field = ProxyCacheConfig.upstream_registry_password

    self.auth_config = ProxyCacheConfig(
        upstream_registry=upstream,
        upstream_registry_username=encrypted_field("user", username_field),
        upstream_registry_password=encrypted_field("pass", password_field),
        organization=User(username="******", organization=True),
    )
def test_encryption(test_data, version, secret_key, use_valid_key):
    """Round-trip ``test_data`` through FieldEncrypter and check its failure modes.

    With ``use_valid_key`` the same encrypter must recover the plaintext, and a
    string that was never produced by it must be rejected with
    DecryptionFailureException.  Without it, an encrypter built from a different
    key must fail to decrypt the ciphertext (no silent garbage output).
    """
    encrypter = FieldEncrypter(secret_key, version)
    ciphertext = encrypter.encrypt_value(test_data, field_max_length=255)

    # The stored value must never echo the plaintext back.
    assert ciphertext != test_data

    if not use_valid_key:
        wrong_key_decrypter = FieldEncrypter("some other key", version)
        with pytest.raises(DecryptionFailureException):
            wrong_key_decrypter.decrypt_value(ciphertext)
        return

    assert encrypter.decrypt_value(ciphertext) == test_data
    with pytest.raises(DecryptionFailureException):
        encrypter.decrypt_value("somerandomvalue")
def initialize_database():
    """Create every table and seed the fixed lookup rows the test database needs.

    Row order inside each table is preserved from the original fixture, since the
    auto-assigned ids are what other test data refers to.  The encryption key
    installed here is a test-only constant, not a production secret.
    """

    def seed(model, *names):
        # Insert one row per name, in the given order.
        for name in names:
            model.create(name=name)

    db_encrypter.initialize(FieldEncrypter("anothercrazykey!"))
    db.create_tables(all_models)

    seed(Role, "admin", "write", "read")
    seed(TeamRole, "admin", "creator", "member")
    seed(Visibility, "public", "private")
    seed(LoginService, "google", "github", "quayrobot", "ldap", "jwtauthn", "keystone", "dex", "oidc")
    seed(BuildTriggerService, "github", "custom-git", "bitbucket", "gitlab")
    seed(AccessTokenKind, "build-worker", "pushpull-token")

    seed(
        LogEntryKind,
        "account_change_plan",
        "account_change_cc",
        "account_change_password",
        "account_convert",
        "create_robot",
        "delete_robot",
        "create_repo",
        "push_repo",
        "pull_repo",
        "delete_repo",
        "create_tag",
        "move_tag",
        "delete_tag",
        "revert_tag",
        "add_repo_permission",
        "change_repo_permission",
        "delete_repo_permission",
        "change_repo_visibility",
        "change_repo_trust",
        "add_repo_accesstoken",
        "delete_repo_accesstoken",
        "set_repo_description",
        "change_repo_state",
        "build_dockerfile",
        "org_create_team",
        "org_delete_team",
        "org_invite_team_member",
        "org_delete_team_member_invite",
        "org_add_team_member",
        "org_team_member_invite_accepted",
        "org_team_member_invite_declined",
        "org_remove_team_member",
        "org_set_team_description",
        "org_set_team_role",
        "create_prototype_permission",
        "modify_prototype_permission",
        "delete_prototype_permission",
        "setup_repo_trigger",
        "delete_repo_trigger",
        "create_application",
        "update_application",
        "delete_application",
        "reset_application_client_secret",
    )
    # Note: These next two are deprecated.
    seed(LogEntryKind, "add_repo_webhook", "delete_repo_webhook")
    seed(
        LogEntryKind,
        "add_repo_notification",
        "delete_repo_notification",
        "reset_repo_notification",
        "regenerate_robot_token",
        "repo_verb",
        "repo_mirror_enabled",
        "repo_mirror_disabled",
        "repo_mirror_config_changed",
        "repo_mirror_sync_started",
        "repo_mirror_sync_failed",
        "repo_mirror_sync_success",
        "repo_mirror_sync_now_requested",
        "repo_mirror_sync_tag_success",
        "repo_mirror_sync_tag_failed",
        "repo_mirror_sync_test_success",
        "repo_mirror_sync_test_failed",
        "repo_mirror_sync_test_started",
        "service_key_create",
        "service_key_approve",
        "service_key_delete",
        "service_key_modify",
        "service_key_extend",
        "service_key_rotate",
        "take_ownership",
        "manifest_label_add",
        "manifest_label_delete",
        "change_tag_expiration",
        "toggle_repo_trigger",
        "create_app_specific_token",
        "revoke_app_specific_token",
    )

    seed(ImageStorageLocation, "local_eu", "local_us")
    seed(ApprBlobPlacementLocation, "local_eu", "local_us")
    seed(ImageStorageTransformation, "squash", "aci")
    seed(ImageStorageSignatureKind, "gpg2")

    # NOTE: These MUST be copied over to NotificationKind, since every external
    # notification can also generate a Quay.io notification.
    seed(
        ExternalNotificationEvent,
        "repo_push",
        "build_queued",
        "build_start",
        "build_success",
        "build_cancelled",
        "build_failure",
        "vulnerability_found",
        "repo_mirror_sync_started",
        "repo_mirror_sync_success",
        "repo_mirror_sync_failed",
    )
    seed(ExternalNotificationMethod, "quay_notification", "email", "webhook", "flowdock", "hipchat", "slack")
    seed(
        NotificationKind,
        "repo_push",
        "build_queued",
        "build_start",
        "build_success",
        "build_cancelled",
        "build_failure",
        "vulnerability_found",
        "service_key_submitted",
        "password_required",
        "over_private_usage",
        "expiring_license",
        "maintenance",
        "org_team_invite",
        "repo_mirror_sync_started",
        "repo_mirror_sync_success",
        "repo_mirror_sync_failed",
        "test_notification",
    )

    seed(QuayRegion, "us")
    seed(QuayService, "quay")

    seed(
        MediaType,
        "text/plain",
        "application/json",
        "text/markdown",
        "application/vnd.cnr.blob.v0.tar+gzip",
        "application/vnd.cnr.package-manifest.helm.v0.json",
        "application/vnd.cnr.package-manifest.kpm.v0.json",
        "application/vnd.cnr.package-manifest.docker-compose.v0.json",
        "application/vnd.cnr.package.kpm.v0.tar+gzip",
        "application/vnd.cnr.package.helm.v0.tar+gzip",
        "application/vnd.cnr.package.docker-compose.v0.tar+gzip",
        "application/vnd.cnr.manifests.v0.json",
        "application/vnd.cnr.manifest.list.v0.json",
    )
    # Image manifest media types come from the schema/OCI constant lists, in that order.
    seed(MediaType, *DOCKER_SCHEMA1_CONTENT_TYPES)
    seed(MediaType, *DOCKER_SCHEMA2_CONTENT_TYPES)
    seed(MediaType, *OCI_CONTENT_TYPES)

    # "api" is the only label source whose labels may be changed after creation.
    LabelSourceType.create(name="manifest")
    LabelSourceType.create(name="api", mutable=True)
    LabelSourceType.create(name="internal")

    seed(UserPromptKind, "confirm_username", "enter_name", "enter_company")
    seed(RepositoryKind, "image", "application")
    seed(ApprTagKind, "tag", "release", "channel")
    seed(DisableReason, "user_toggled", "successive_build_failures", "successive_build_internal_errors")
    seed(TagKind, "tag")
def test_encryption_value(secret_key, encrypted_value, expected_decrypted_value):
    """Decrypt a known ciphertext with ``secret_key`` and compare to the expected plaintext.

    Pins the on-disk encrypted format: a ciphertext produced earlier must keep
    decrypting to the same value under the same key.
    """
    decrypter = FieldEncrypter(secret_key)
    assert decrypter.decrypt_value(encrypted_value) == expected_decrypted_value
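def _reencrypt_credential(row, field_name, old_key_encrypter):
    """Re-encrypt one encrypted credential column of ``row`` under the current key.

    Returns True when the column held a value that only decrypts with
    ``old_key_encrypter`` and has now been replaced with a DecryptedValue (the
    caller must save the row); False when the column is empty or already
    decrypts under the current key.

    Raises DecryptionFailureException when the value decrypts under neither key.
    That propagates and aborts the migration, which is the safe outcome: a mirror
    credential is never silently dropped or left unreadable.
    """
    value = getattr(row, field_name)
    if not value:
        return False
    try:
        value.decrypt()
    except DecryptionFailureException:
        # Encrypted using the older SECRET_KEY. Migrate it.
        decrypted = value.decrypt(old_key_encrypter)
        setattr(row, field_name, DecryptedValue(decrypted))
        return True
    return False


def upgrade(op, tables, tester):
    """Collapse registry/namespace/repository into ``external_reference`` and re-key credentials.

    Steps, in order:
      1. add a nullable ``external_reference`` column to ``repomirrorconfig``;
      2. on a configured, non-test instance, walk every RepoMirrorConfig row in id
         order and re-encrypt ``external_registry_username`` / ``_password`` that
         still decrypt only under the legacy SECRET_KEY;
      3. on a configured instance or under the tester, fill ``external_reference``
         as ``registry/namespace/repository`` for rows where it is still NULL;
      4. drop the three old columns and make ``external_reference`` NOT NULL.

    Raises DecryptionFailureException (aborting the migration) if a credential
    decrypts under neither the current key nor SECRET_KEY.
    """
    from app import app

    logger.info("Migrating to external_reference from existing columns")
    op.add_column("repomirrorconfig", sa.Column("external_reference", sa.Text(), nullable=True))

    logger.info("Reencrypting existing columns")
    if app.config.get("SETUP_COMPLETE", False) and not tester.is_testing():
        # NOTE(review): with SECRET_KEY unset this builds FieldEncrypter(None); what that
        # does is not visible here — confirm it fails loudly rather than accepting a None key.
        old_key_encrypter = FieldEncrypter(app.config.get("SECRET_KEY"))
        starting_id = 0
        has_additional = True
        while has_additional:
            has_additional = False
            # Keyset pagination on id. The ORDER BY is essential: without it the 10
            # rows returned are in arbitrary order, the cursor jumps to the largest id
            # seen, and any lower-id rows not in that page are skipped — leaving their
            # credentials encrypted under the old key.
            query = (
                RepoMirrorConfig.select()
                .where(RepoMirrorConfig.id >= starting_id)
                .order_by(RepoMirrorConfig.id)
                .limit(10)
            )
            for row in query:
                starting_id = max(starting_id, row.id + 1)
                has_additional = True

                logger.debug("Re-encrypting information for row %s", row.id)
                # Evaluate both columns unconditionally; do not short-circuit with `or`.
                username_changed = _reencrypt_credential(
                    row, "external_registry_username", old_key_encrypter
                )
                password_changed = _reencrypt_credential(
                    row, "external_registry_password", old_key_encrypter
                )
                if username_changed or password_changed:
                    logger.debug("Saving re-encrypted information for row %s", row.id)
                    row.save()

    if app.config.get("SETUP_COMPLETE", False) or tester.is_testing():
        for repo_mirror in _iterate(
            RepoMirrorConfig, (RepoMirrorConfig.external_reference >> None)
        ):
            repo = "%s/%s/%s" % (
                repo_mirror.external_registry,
                repo_mirror.external_namespace,
                repo_mirror.external_repository,
            )
            logger.info("migrating %s", repo)
            repo_mirror.external_reference = repo
            repo_mirror.save()

    op.drop_column("repomirrorconfig", "external_registry")
    op.drop_column("repomirrorconfig", "external_namespace")
    op.drop_column("repomirrorconfig", "external_repository")
    # Only safe after every row has been backfilled above.
    op.alter_column(
        "repomirrorconfig", "external_reference", nullable=False, existing_type=sa.Text()
    )

    tester.populate_column("repomirrorconfig", "external_reference", tester.TestDataType.String)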