2016-03-31 20:42:31 +00:00
|
|
|
import logging
|
2016-04-13 19:50:56 +00:00
|
|
|
from datetime import datetime, timedelta
|
2016-03-16 19:49:25 +00:00
|
|
|
|
2016-04-11 16:04:42 +00:00
|
|
|
from flask import Blueprint, jsonify, abort, request, make_response
|
|
|
|
from jwt import get_unverified_header
|
2016-03-16 19:49:25 +00:00
|
|
|
|
2016-03-30 20:16:11 +00:00
|
|
|
from app import app
|
2016-09-23 21:50:09 +00:00
|
|
|
from data.interfaces.key_server import pre_oci_model as model, ServiceKeyDoesNotExist
|
2016-08-31 18:31:43 +00:00
|
|
|
from data.model.log import log_action
|
2016-05-31 20:48:19 +00:00
|
|
|
from util.security import jwtutil
|
2016-03-16 19:49:25 +00:00
|
|
|
|
|
|
|
|
2016-03-31 20:42:31 +00:00
|
|
|
logger = logging.getLogger(__name__)
|
2016-03-16 19:49:25 +00:00
|
|
|
key_server = Blueprint('key_server', __name__)
|
|
|
|
|
|
|
|
JWT_HEADER_NAME = 'Authorization'
|
2016-03-31 20:41:53 +00:00
|
|
|
JWT_AUDIENCE = app.config['PREFERRED_URL_SCHEME'] + '://' + app.config['SERVER_HOSTNAME']
|
2016-03-16 19:49:25 +00:00
|
|
|
|
|
|
|
|
2016-04-07 00:03:48 +00:00
|
|
|
def _validate_jwk(jwk):
|
2016-03-25 22:44:11 +00:00
|
|
|
if 'kty' not in jwk:
|
|
|
|
abort(400)
|
|
|
|
|
|
|
|
if jwk['kty'] == 'EC':
|
|
|
|
if 'x' not in jwk or 'y' not in jwk:
|
|
|
|
abort(400)
|
|
|
|
elif jwk['kty'] == 'RSA':
|
|
|
|
if 'e' not in jwk or 'n' not in jwk:
|
|
|
|
abort(400)
|
|
|
|
else:
|
|
|
|
abort(400)
|
|
|
|
|
|
|
|
|
|
|
|
def _validate_jwt(encoded_jwt, jwk, service):
|
2016-05-31 20:48:19 +00:00
|
|
|
public_key = jwtutil.jwk_dict_to_public_key(jwk)
|
2016-03-16 19:49:25 +00:00
|
|
|
|
|
|
|
try:
|
2016-05-31 20:48:19 +00:00
|
|
|
jwtutil.decode(encoded_jwt, public_key, algorithms=['RS256'],
|
2016-08-31 18:31:43 +00:00
|
|
|
audience=JWT_AUDIENCE, issuer=service)
|
2016-05-31 20:48:19 +00:00
|
|
|
except jwtutil.InvalidTokenError:
|
2016-04-01 17:55:29 +00:00
|
|
|
logger.exception('JWT validation failure')
|
2016-03-16 19:49:25 +00:00
|
|
|
abort(400)
|
|
|
|
|
|
|
|
|
2016-05-03 18:01:33 +00:00
|
|
|
def _signer_kid(encoded_jwt, allow_none=False):
|
2016-04-11 16:04:42 +00:00
|
|
|
headers = get_unverified_header(encoded_jwt)
|
2016-05-03 18:01:33 +00:00
|
|
|
kid = headers.get('kid', None)
|
|
|
|
if not kid and not allow_none:
|
|
|
|
abort(400)
|
|
|
|
|
|
|
|
return kid
|
2016-03-23 22:16:03 +00:00
|
|
|
|
|
|
|
|
2016-05-03 18:01:33 +00:00
|
|
|
def _lookup_service_key(service, signer_kid, approved_only=True):
|
2016-03-28 23:00:00 +00:00
|
|
|
try:
|
2016-08-31 18:31:43 +00:00
|
|
|
return model.get_service_key(signer_kid, service=service, approved_only=approved_only)
|
|
|
|
except ServiceKeyDoesNotExist:
|
2016-03-28 23:00:00 +00:00
|
|
|
abort(403)
|
2016-03-23 22:16:03 +00:00
|
|
|
|
|
|
|
|
2016-03-16 19:49:25 +00:00
|
|
|
@key_server.route('/services/<service>/keys', methods=['GET'])
|
2016-03-30 17:20:35 +00:00
|
|
|
def list_service_keys(service):
|
2016-08-31 18:31:43 +00:00
|
|
|
keys = model.list_service_keys(service)
|
2016-03-23 22:16:03 +00:00
|
|
|
return jsonify({'keys': [key.jwk for key in keys]})
|
2016-03-16 19:49:25 +00:00
|
|
|
|
|
|
|
|
2016-03-25 22:44:11 +00:00
|
|
|
@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
|
2016-03-29 19:58:14 +00:00
|
|
|
def get_service_key(service, kid):
|
2016-03-29 18:49:07 +00:00
|
|
|
try:
|
2016-08-31 18:31:43 +00:00
|
|
|
key = model.get_service_key(kid, alive_only=False, approved_only=False)
|
|
|
|
except ServiceKeyDoesNotExist:
|
2016-03-29 18:49:07 +00:00
|
|
|
abort(404)
|
|
|
|
|
|
|
|
if key.approval is None:
|
2016-03-29 19:58:14 +00:00
|
|
|
abort(409)
|
2016-03-29 18:49:07 +00:00
|
|
|
|
2016-04-27 21:44:59 +00:00
|
|
|
if key.expiration_date is not None and key.expiration_date <= datetime.utcnow():
|
2016-04-27 18:48:12 +00:00
|
|
|
abort(403)
|
|
|
|
|
2016-04-13 19:50:56 +00:00
|
|
|
resp = jsonify(key.jwk)
|
2016-04-27 21:44:59 +00:00
|
|
|
lifetime = min(timedelta(days=1), ((key.expiration_date or datetime.max) - datetime.utcnow()))
|
|
|
|
resp.cache_control.max_age = max(0, lifetime.total_seconds())
|
2016-04-13 19:50:56 +00:00
|
|
|
return resp
|
2016-03-25 22:44:11 +00:00
|
|
|
|
|
|
|
|
2016-03-16 19:49:25 +00:00
|
|
|
@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
|
2016-04-05 16:40:29 +00:00
|
|
|
def put_service_key(service, kid):
|
2016-04-05 15:58:34 +00:00
|
|
|
metadata = {'ip': request.remote_addr}
|
|
|
|
|
2016-04-12 21:58:52 +00:00
|
|
|
rotation_duration = request.args.get('rotation', None)
|
2016-03-16 19:49:25 +00:00
|
|
|
expiration_date = request.args.get('expiration', None)
|
2016-04-05 15:58:34 +00:00
|
|
|
if expiration_date is not None:
|
2016-03-16 19:49:25 +00:00
|
|
|
try:
|
|
|
|
expiration_date = datetime.utcfromtimestamp(float(expiration_date))
|
|
|
|
except ValueError:
|
2016-04-01 17:55:29 +00:00
|
|
|
logger.exception('Error parsing expiration date on key')
|
2016-03-16 19:49:25 +00:00
|
|
|
abort(400)
|
|
|
|
|
|
|
|
try:
|
2016-03-31 20:42:31 +00:00
|
|
|
jwk = request.get_json()
|
2016-03-16 19:49:25 +00:00
|
|
|
except ValueError:
|
2016-04-01 17:55:29 +00:00
|
|
|
logger.exception('Error parsing JWK')
|
2016-03-16 19:49:25 +00:00
|
|
|
abort(400)
|
|
|
|
|
2016-03-31 20:42:31 +00:00
|
|
|
jwt_header = request.headers.get(JWT_HEADER_NAME, '')
|
2016-05-31 20:48:19 +00:00
|
|
|
match = jwtutil.TOKEN_REGEX.match(jwt_header)
|
2016-03-31 20:42:31 +00:00
|
|
|
if match is None:
|
2016-04-01 17:55:29 +00:00
|
|
|
logger.error('Could not find matching bearer token')
|
2016-03-23 22:16:03 +00:00
|
|
|
abort(400)
|
2016-04-01 17:55:29 +00:00
|
|
|
|
2016-03-31 20:42:31 +00:00
|
|
|
encoded_jwt = match.group(1)
|
2016-03-23 22:16:03 +00:00
|
|
|
|
2016-04-07 00:03:48 +00:00
|
|
|
_validate_jwk(jwk)
|
2016-03-28 23:00:00 +00:00
|
|
|
|
2016-05-03 18:01:33 +00:00
|
|
|
signer_kid = _signer_kid(encoded_jwt, allow_none=True)
|
2016-03-31 20:42:31 +00:00
|
|
|
if kid == signer_kid or signer_kid is None:
|
2016-03-29 18:49:07 +00:00
|
|
|
# The key is self-signed. Create a new instance and await approval.
|
|
|
|
_validate_jwt(encoded_jwt, jwk, service)
|
2016-08-31 18:31:43 +00:00
|
|
|
model.create_service_key('', kid, service, jwk, metadata, expiration_date,
|
|
|
|
rotation_duration=rotation_duration)
|
2016-04-01 17:55:29 +00:00
|
|
|
|
|
|
|
key_log_metadata = {
|
|
|
|
'kid': kid,
|
|
|
|
'preshared': False,
|
|
|
|
'service': service,
|
|
|
|
'name': '',
|
|
|
|
'expiration_date': expiration_date,
|
|
|
|
'user_agent': request.headers.get('User-Agent'),
|
|
|
|
'ip': request.remote_addr,
|
|
|
|
}
|
|
|
|
|
|
|
|
log_action('service_key_create', None, metadata=key_log_metadata, ip=request.remote_addr)
|
2016-03-29 18:49:07 +00:00
|
|
|
return make_response('', 202)
|
|
|
|
|
2016-05-03 18:01:33 +00:00
|
|
|
# Key is going to be rotated.
|
2016-03-29 18:49:07 +00:00
|
|
|
metadata.update({'created_by': 'Key Rotation'})
|
2016-05-03 18:01:33 +00:00
|
|
|
signer_key = _lookup_service_key(service, signer_kid)
|
2016-03-29 18:49:07 +00:00
|
|
|
signer_jwk = signer_key.jwk
|
2016-03-28 23:00:00 +00:00
|
|
|
|
2016-03-29 18:49:07 +00:00
|
|
|
_validate_jwt(encoded_jwt, signer_jwk, service)
|
2016-03-23 22:16:03 +00:00
|
|
|
|
2016-03-25 22:44:11 +00:00
|
|
|
try:
|
2016-08-31 18:31:43 +00:00
|
|
|
model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
|
|
|
|
except ServiceKeyDoesNotExist:
|
2016-03-28 23:00:00 +00:00
|
|
|
abort(404)
|
2016-03-16 19:49:25 +00:00
|
|
|
|
2016-04-01 17:55:29 +00:00
|
|
|
key_log_metadata = {
|
|
|
|
'kid': kid,
|
|
|
|
'signer_kid': signer_key.kid,
|
|
|
|
'service': service,
|
|
|
|
'name': signer_key.name,
|
|
|
|
'expiration_date': expiration_date,
|
|
|
|
'user_agent': request.headers.get('User-Agent'),
|
|
|
|
'ip': request.remote_addr,
|
|
|
|
}
|
|
|
|
|
|
|
|
log_action('service_key_rotate', None, metadata=key_log_metadata, ip=request.remote_addr)
|
2016-03-29 18:49:07 +00:00
|
|
|
return make_response('', 200)
|
|
|
|
|
2016-03-16 19:49:25 +00:00
|
|
|
|
|
|
|
@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
|
|
|
|
def delete_service_key(service, kid):
|
2016-03-31 20:42:31 +00:00
|
|
|
jwt_header = request.headers.get(JWT_HEADER_NAME, '')
|
2016-05-31 20:48:19 +00:00
|
|
|
match = jwtutil.TOKEN_REGEX.match(jwt_header)
|
2016-03-31 20:42:31 +00:00
|
|
|
if match is None:
|
2016-03-16 19:49:25 +00:00
|
|
|
abort(400)
|
2016-04-13 17:59:07 +00:00
|
|
|
|
2016-03-31 20:42:31 +00:00
|
|
|
encoded_jwt = match.group(1)
|
2016-03-23 22:16:03 +00:00
|
|
|
|
2016-03-28 23:00:00 +00:00
|
|
|
signer_kid = _signer_kid(encoded_jwt)
|
2016-05-03 18:01:33 +00:00
|
|
|
signer_key = _lookup_service_key(service, signer_kid, approved_only=False)
|
2016-03-16 19:49:25 +00:00
|
|
|
|
2016-05-03 18:01:33 +00:00
|
|
|
self_signed = kid == signer_kid
|
2016-03-30 17:20:35 +00:00
|
|
|
approved_key_for_service = signer_key.approval is not None
|
|
|
|
|
|
|
|
if self_signed or approved_key_for_service:
|
2016-03-28 23:00:00 +00:00
|
|
|
_validate_jwt(encoded_jwt, signer_key.jwk, service)
|
2016-03-30 17:20:35 +00:00
|
|
|
|
2016-03-28 23:00:00 +00:00
|
|
|
try:
|
2016-08-31 18:31:43 +00:00
|
|
|
model.delete_service_key(kid)
|
|
|
|
except ServiceKeyDoesNotExist:
|
2016-03-28 23:00:00 +00:00
|
|
|
abort(404)
|
2016-03-30 17:20:35 +00:00
|
|
|
|
2016-04-14 19:04:32 +00:00
|
|
|
key_log_metadata = {
|
|
|
|
'kid': kid,
|
|
|
|
'signer_kid': signer_key.kid,
|
|
|
|
'service': service,
|
|
|
|
'name': signer_key.name,
|
|
|
|
'user_agent': request.headers.get('User-Agent'),
|
|
|
|
'ip': request.remote_addr,
|
|
|
|
}
|
|
|
|
|
|
|
|
log_action('service_key_delete', None, metadata=key_log_metadata, ip=request.remote_addr)
|
2016-04-07 00:03:48 +00:00
|
|
|
return make_response('', 204)
|
2016-03-16 19:49:25 +00:00
|
|
|
|
2016-03-28 23:00:00 +00:00
|
|
|
abort(403)
|