示例#1
 def test_get(self):
     """Check how passwords.get treats an id the test expects to be absent (0)."""
     # Default lookup: the missing record must raise NoSuchEntity, and the
     # message has to match the pattern 'Password'.
     with self.assertRaisesRegexp(exc.NoSuchEntity, r'Password'):
         passwords.get(0)

     # With assert_exists=False the same lookup returns None instead of raising.
     self.assertIs(None, passwords.get(0, assert_exists=False))
     
示例#2
 def getPassword(self, password_id, include_history=False):
     """
     Return the decrypted password record as a dict, optionally with its history.

     A content-view entry is written to the audit log before the record is serialized.

     :param password_id: The ID of the password record to fetch.
     :type password_id: int
     :param include_history: When true, previous passwords for this record are included as well.
     :type include_history: bool
     """
     record = passwords.get(password_id)
     # Audit first: if auditlog.log raises, the plaintext below is never produced.
     # NOTE(review): the audit call receives only the target, so the log entry does
     # not show whether history was requested -- confirm that is acceptable.
     auditlog.log(auditlog.CODE_CONTENT_VIEW, target=record)
     decrypted = record.to_dict(decrypt=True, include_history=include_history)
     return decrypted
示例#3
 def reveal(self, password_id, _=None):
     """
     (AJAX) Return the decrypted value of the specified password.

     This is its own action so that every reveal is written to the audit log.
     The ``_`` argument is the cache-busting parameter jQuery appends; it is ignored.
     """
     record = passwords.get(password_id)
     if record:
         # Log the access before handing back the plaintext.
         # NOTE(review): the response body is the secret itself; the jQuery
         # cache-buster only varies the URL, so presumably the response should
         # also be marked non-cacheable -- confirm where that is set.
         auditlog.log(auditlog.CODE_CONTENT_VIEW, target=record)
         return record.password_decrypted

     # Reached only when the lookup hands back a falsy value instead of raising.
     raise ValueError("Invalid password specified: {0}".format(password_id))
示例#4
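def backup_database():
    """
    Back up the entire database contents to a GPG-encrypted YAML file.

    The export is encrypted with the decrypted value of the password record whose id is
    configured as ``backups.encryption.password_id``.  The file is written into
    ``backups.path`` as ``backup-YYYY-MM-DD-HH-MM.gpg``; a second run within the same
    minute overwrites the first.

    Directory and file permissions come from ``backups.dir_mode`` / ``backups.file_mode``
    (octal strings, defaulting to 0700 / 0600).

    :raises exc.ConfigurationError: If no password id is configured, or the configured id
                                    does not exist in the database.
    """
    try:
        dir_mode = int(config.get("backups.dir_mode", "0700"), 8)
        file_mode = int(config.get("backups.file_mode", "0600"), 8)

        # Before we do anything, validate the configuration.
        if not os.path.exists(config["backups.path"]):
            # Attempt to make the directories.
            os.makedirs(config["backups.path"], mode=dir_mode)

        if not config.get("backups.encryption.password_id"):
            raise exc.ConfigurationError(
                "Cannot backup without configured password_id (backups.encryption.password_id)"
            )

        try:
            pw = passwords.get(config["backups.encryption.password_id"])
        except exc.NoSuchEntity as x:
            raise exc.ConfigurationError(
                "Configured backups.encryption.password_id does not exist in database: {0}".format(x)
            )

        backup_fname = datetime.now().strftime("backup-%Y-%m-%d-%H-%M.gpg")

        # Only identifiers are logged here (password id, resource name/id), never the passphrase.
        msg = "Backing up database to {fname}, secured by password id={pw.id}, resource={resource.name}[{resource.id}]"
        log.info(msg.format(fname=backup_fname, pw=pw, resource=pw.resource))

        exporter = GpgYamlExporter(passphrase=pw.password_decrypted, use_tags=True, include_key_metadata=True)

        encrypted_stream = BytesIO()
        exporter.export(stream=encrypted_stream)
        encrypted_stream.seek(0)  # Just to ensure it's rewound

        backup_file = os.path.join(config["backups.path"], backup_fname)

        # Create the file with the restrictive mode from the start, so the backup is never
        # on disk with default (umask-derived) permissions while it is being written.
        open_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0)
        fd = os.open(backup_file, open_flags, file_mode)
        try:
            # Binary mode: the exporter wrote bytes into the BytesIO stream.
            fp = os.fdopen(fd, "wb")
        except:
            os.close(fd)
            raise

        with fp:
            # The mode passed to os.open() is ignored when the file already exists, so
            # enforce the configured mode explicitly before any content is written.
            os.chmod(backup_file, file_mode)
            fp.write(encrypted_stream.read())
    except:
        # Deliberately broad: every failure is logged with its traceback and then re-raised.
        log.critical("Error backing up database.", exc_info=True)
        raise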
示例#5
def check_duplicate_username(form, field):
    """
    Form validator: reject a username that another password on the same resource already uses.

    A form carrying ``resource_id`` is treated as an add; a form carrying ``password_id`` is
    treated as an edit, and the password being edited is excluded from the duplicate search.

    :raises ValidationError: If a password with this username already exists on the resource.
    :raises Exception: If the form has neither ``resource_id`` nor ``password_id``.
    """
    candidate = field.data

    if hasattr(form, 'resource_id'):
        # Adding a new password: any match on the target resource is a clash.
        owner = resources.get(form.resource_id.data)
        clash = owner.passwords.filter_by(username=candidate).first()
    elif hasattr(form, 'password_id'):
        # Editing: resolve the resource through the existing password and skip that row.
        current = passwords.get(form.password_id.data)
        owner = current.resource
        clash = (
            owner.passwords
            .filter_by(username=candidate)
            .filter(Password.id != current.id)  # @UndefinedVariable
            .first()
        )
    else:
        raise Exception("Unexpected condition.")

    if not clash:
        return

    raise ValidationError("Username \"{0}\" already exists for this resource \"{1}\".".format(candidate, owner.name))
示例#6
 def view(self, password_id):
     """Render the detail page for one password and record the access in the audit log."""
     record = passwords.get(password_id)
     # The content-view audit entry is written before the template is rendered.
     auditlog.log(auditlog.CODE_CONTENT_VIEW, target=record)
     context = {'password': record}
     return render('password/view.html', context)
示例#7
 def edit(self, password_id):
     """Render the edit form for a password, pre-populated from the stored record."""
     record = passwords.get(password_id)
     # NOTE(review): no auditlog.log call is made on this path. If the edit form
     # renders the current secret, this is an unaudited read -- confirm against
     # PasswordEditForm and the template.
     edit_form = PasswordEditForm(request_params(), obj=record, password_id=record.id)
     return render('password/edit.html', {'form': edit_form})