def migrate_credentials(self):
    """Re-encrypt every credential that is not protected by the primary key.

    Loads the Fernet key repository, derives the hash of the current primary
    key, and walks the full credential list. Any credential whose ``key_hash``
    differs from the primary key hash is decrypted through the credential
    provider and handed back to ``update_credential`` with the plaintext
    blob, which (per the original author's comment) re-encrypts it with the
    primary key. Credentials already on the primary key are left untouched.

    The decrypted blob is held only in a local for the duration of the
    update call; this method itself persists nothing.
    """
    crypto, fernet_keys = credential_fernet.get_multi_fernet_keys()
    primary_hash = credential_fernet.primary_key_hash(fernet_keys)

    # FIXME(lbragstad): We *should* be able to use Hints() to ask only for
    # credentials that have a key_hash equal to a secondary key hash or
    # None, but Hints() doesn't seem to honor None values. See
    # https://bugs.launchpad.net/keystone/+bug/1614154. As a workaround -
    # we have to ask for *all* credentials and filter them ourselves.
    all_credentials = self.credential_api.driver.list_credentials(
        driver_hints.Hints()
    )
    stale = (c for c in all_credentials if c['key_hash'] != primary_hash)

    for credential in stale:
        # A key_hash that is not the primary key's hash means this credential
        # was encrypted with a secondary key: decrypt it and let the update
        # path re-encrypt it with the primary key.
        plaintext = self.credential_provider_api.decrypt(
            credential['encrypted_blob']
        )
        self.credential_api.update_credential(
            credential['id'], {'blob': plaintext}
        )
def validate_primary_key(self):
    """Abort key rotation unless every credential uses the primary key.

    Reads the Fernet key repository, computes the primary key's hash, and
    scans every credential. On the first credential whose ``key_hash``
    differs from that hash the process is terminated via ``SystemExit`` with
    a message pointing the operator at ``keystone-manage credential_migrate``.
    Presumably this guards against retiring a key that still protects live
    credentials; the check itself only compares hashes.
    """
    crypto, fernet_keys = credential_fernet.get_multi_fernet_keys()
    primary_hash = credential_fernet.primary_key_hash(fernet_keys)

    all_credentials = self.credential_api.driver.list_credentials(
        driver_hints.Hints()
    )
    # Short-circuits on the first mismatch, exactly like the original loop.
    if any(c['key_hash'] != primary_hash for c in all_credentials):
        raise SystemExit(
            _('Unable to rotate credential keys because not all '
              'credentials are encrypted with the primary key. '
              'Please make sure all credentials have been encrypted '
              'with the primary key using `keystone-manage '
              'credential_migrate`.')
        )
def validate_primary_key(self):
    """Refuse to proceed with key rotation while any credential is off-key.

    Loads the Fernet key repository, derives the primary key hash, and lists
    all credentials. If at least one credential's ``key_hash`` is not the
    primary hash, raises ``SystemExit`` with a message directing the operator
    to run ``keystone-manage credential_migrate`` first. Presumably this
    prevents a rotation from orphaning credentials still bound to an older
    key; only the hash comparison is performed here.
    """
    crypto, fernet_keys = credential_fernet.get_multi_fernet_keys()
    primary_hash = credential_fernet.primary_key_hash(fernet_keys)

    hints = driver_hints.Hints()
    for credential in self.credential_api.driver.list_credentials(hints):
        if credential['key_hash'] == primary_hash:
            continue
        # First mismatch wins; the original raised on it as well.
        message = _('Unable to rotate credential keys because not all '
                    'credentials are encrypted with the primary key. '
                    'Please make sure all credentials have been encrypted '
                    'with the primary key using `keystone-manage '
                    'credential_migrate`.')
        raise SystemExit(message)
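def upgrade(migrate_engine):
    """Encrypt every plaintext credential blob with the primary Fernet key.

    Reflects the ``credential`` table, loads the Fernet key repository, and
    for each row writes ``encrypted_blob`` (Fernet ciphertext of the UTF-8
    encoded ``blob``) and ``key_hash`` (hash of the primary key used),
    committing once at the end.

    Changes from the original:
    * The key repository is read once, before the loop, instead of once per
      row. This is one disk read instead of N, and it guarantees every row
      is encrypted with the same key whose hash it records in ``key_hash``
      (a per-row reload could observe a rotation mid-migration and write a
      ciphertext/hash pair from different loads).
    * The session is closed in a ``finally`` so it is released even when
      encryption or an update raises part-way through.
    * Keys are only loaded when there is at least one row, matching the
      original's behaviour of never touching the key repository for an
      empty table.

    NOTE(review): the plaintext ``blob`` column is read but not cleared
    here; presumably a later migration drops it — confirm.

    Args:
        migrate_engine: SQLAlchemy engine bound to the keystone database.
    """
    meta = sql.MetaData()
    meta.bind = migrate_engine
    session = sql.orm.sessionmaker(bind=migrate_engine)()
    try:
        credential_table = sql.Table('credential', meta, autoload=True)
        rows = list(credential_table.select().execute())

        if rows:
            # Load once so every row is encrypted and tagged consistently.
            crypto, keys = credential_fernet.get_multi_fernet_keys()
            primary_key_hash = credential_fernet.primary_key_hash(keys)

            for credential in rows:
                encrypted_blob = crypto.encrypt(
                    credential['blob'].encode('utf-8')
                )
                update = credential_table.update().where(
                    credential_table.c.id == credential.id
                ).values({
                    'encrypted_blob': encrypted_blob,
                    'key_hash': primary_key_hash,
                })
                session.execute(update)

        session.commit()
    finally:
        session.close()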
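def upgrade(migrate_engine):
    """Encrypt every plaintext credential blob with the primary Fernet key.

    Reflects the ``credential`` table, loads the Fernet key repository, and
    for each row writes ``encrypted_blob`` (Fernet ciphertext of the UTF-8
    encoded ``blob``) and ``key_hash`` (hash of the primary key used),
    committing once at the end.

    Changes from the original:
    * The key repository is read once, before the loop, instead of once per
      row. This is one disk read instead of N, and it guarantees every row
      is encrypted with the same key whose hash it records in ``key_hash``
      (a per-row reload could observe a rotation mid-migration and write a
      ciphertext/hash pair from different loads).
    * The session is closed in a ``finally`` so it is released even when
      encryption or an update raises part-way through.
    * Keys are only loaded when there is at least one row, matching the
      original's behaviour of never touching the key repository for an
      empty table.

    NOTE(review): the plaintext ``blob`` column is read but not cleared
    here; presumably a later migration drops it — confirm.

    Args:
        migrate_engine: SQLAlchemy engine bound to the keystone database.
    """
    meta = sql.MetaData()
    meta.bind = migrate_engine
    session = sql.orm.sessionmaker(bind=migrate_engine)()
    try:
        credential_table = sql.Table('credential', meta, autoload=True)
        rows = list(credential_table.select().execute())

        if rows:
            # Load once so every row is encrypted and tagged consistently.
            crypto, keys = credential_fernet.get_multi_fernet_keys()
            primary_key_hash = credential_fernet.primary_key_hash(keys)

            for credential in rows:
                encrypted_blob = crypto.encrypt(
                    credential['blob'].encode('utf-8')
                )
                update = credential_table.update().where(
                    credential_table.c.id == credential.id
                ).values({
                    'encrypted_blob': encrypted_blob,
                    'key_hash': primary_key_hash,
                })
                session.execute(update)

        session.commit()
    finally:
        session.close()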