This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/endpoints/key_server.py

143 lines
3.7 KiB
Python
Raw Normal View History

2016-03-16 19:49:25 +00:00
from datetime import datetime
2016-03-23 22:16:03 +00:00
import jwt
2016-03-16 19:49:25 +00:00
from flask import Blueprint, jsonify, abort, request, make_response
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
from cryptography.hazmat.backends import default_backend
import data.model
import data.model.service_keys
from util.security import strictjwt
key_server = Blueprint('key_server', __name__)
JWT_HEADER_NAME = 'Authorization'
JWT_AUDIENCE = 'quay'
2016-03-25 22:44:11 +00:00
def _validate_jwk(jwk, kid):
if 'kty' not in jwk:
abort(400)
if 'kid' not in jwk or jwk['kid'] != kid:
abort(400)
if jwk['kty'] == 'EC':
if 'x' not in jwk or 'y' not in jwk:
abort(400)
elif jwk['kty'] == 'RSA':
if 'e' not in jwk or 'n' not in jwk:
abort(400)
else:
abort(400)
def _validate_jwt(encoded_jwt, jwk, service):
2016-03-23 22:16:03 +00:00
public_key = RSAPublicNumbers(e=jwk.e,
n=jwk.n).public_key(default_backend())
2016-03-16 19:49:25 +00:00
try:
2016-03-23 22:16:03 +00:00
strictjwt.decode(encoded_jwt, public_key, algorithms=['RS256'],
audience=JWT_AUDIENCE, issuer=service)
2016-03-16 19:49:25 +00:00
except strictjwt.InvalidTokenError:
abort(400)
2016-03-28 23:00:00 +00:00
def _signer_kid(encoded_jwt):
2016-03-23 22:16:03 +00:00
decoded_jwt = jwt.decode(encoded_jwt, verify=False)
2016-03-28 23:00:00 +00:00
return decoded_jwt.get('signer_kid', None)
2016-03-23 22:16:03 +00:00
2016-03-28 23:00:00 +00:00
def _signer_key(signer_kid):
try:
return data.model.service_keys.get_service_key(signer_kid)
except data.model.ServiceKeyDoesNotExist:
abort(403)
2016-03-23 22:16:03 +00:00
2016-03-16 19:49:25 +00:00
@key_server.route('/services/<service>/keys', methods=['GET'])
def get_service_keys(service):
2016-03-25 22:44:11 +00:00
keys = data.model.service_keys.get_service_keys(service)
2016-03-23 22:16:03 +00:00
return jsonify({'keys': [key.jwk for key in keys]})
2016-03-16 19:49:25 +00:00
2016-03-25 22:44:11 +00:00
@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
def get_service_key(service, kid):
2016-03-29 18:49:07 +00:00
try:
key = data.model.service_keys.get_service_key(kid)
except data.model.ServiceKeyDoesNotExist:
abort(404)
if key.approval is None:
abort(409)
2016-03-29 18:49:07 +00:00
2016-03-25 22:44:11 +00:00
return jsonify(key.jwk)
2016-03-16 19:49:25 +00:00
@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
def put_service_keys(service, kid):
expiration_date = request.args.get('expiration', None)
if expiration_date:
try:
expiration_date = datetime.utcfromtimestamp(float(expiration_date))
except ValueError:
abort(400)
try:
jwk = request.json()
except ValueError:
abort(400)
2016-03-23 22:16:03 +00:00
encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)
if not encoded_jwt:
abort(400)
2016-03-28 23:00:00 +00:00
_validate_jwk(jwk, kid)
2016-03-29 18:49:07 +00:00
metadata = {'ip': request.remote_addr}
2016-03-28 23:00:00 +00:00
signer_kid = _signer_kid(encoded_jwt)
2016-03-29 18:49:07 +00:00
if kid == signer_kid:
# The key is self-signed. Create a new instance and await approval.
_validate_jwt(encoded_jwt, jwk, service)
data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date)
return make_response('', 202)
metadata.update({'created_by': 'Key Rotation'})
signer_key = _signer_key(signer_kid)
signer_jwk = signer_key.jwk
2016-03-28 23:00:00 +00:00
if signer_key.service != service:
abort(403)
2016-03-29 18:49:07 +00:00
_validate_jwt(encoded_jwt, signer_jwk, service)
2016-03-23 22:16:03 +00:00
2016-03-25 22:44:11 +00:00
try:
2016-03-28 23:00:00 +00:00
data.model.service_keys.replace_service_key(kid, jwk, metadata, expiration_date)
2016-03-25 22:44:11 +00:00
except data.model.ServiceKeyDoesNotExist:
2016-03-28 23:00:00 +00:00
abort(404)
2016-03-16 19:49:25 +00:00
2016-03-29 18:49:07 +00:00
return make_response('', 200)
2016-03-16 19:49:25 +00:00
@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
def delete_service_key(service, kid):
2016-03-23 22:16:03 +00:00
encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)
if not encoded_jwt:
2016-03-16 19:49:25 +00:00
abort(400)
2016-03-23 22:16:03 +00:00
2016-03-28 23:00:00 +00:00
signer_kid = _signer_kid(encoded_jwt)
signer_key = _signer_key(signer_kid)
2016-03-16 19:49:25 +00:00
2016-03-28 23:00:00 +00:00
if (kid == signer_kid) or (signer_key.approval is not None):
_validate_jwt(encoded_jwt, signer_key.jwk, service)
try:
data.model.service_keys.delete_service_key(service, kid)
except data.model.ServiceKeyDoesNotExist:
abort(404)
return make_response('', 200)
2016-03-16 19:49:25 +00:00
2016-03-28 23:00:00 +00:00
abort(403)