quay/endpoints/key_server.py

import logging

from datetime import datetime, timedelta

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicNumbers
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
from flask import Blueprint, jsonify, abort, request, make_response
from jwkest.jwk import keyrep, RSAKey, ECKey
from jwt import get_unverified_header

import data.model
import data.model.service_keys
from data.model.log import log_action

from app import app
from auth.registry_jwt_auth import TOKEN_REGEX
from util.security import strictjwt


logger = logging.getLogger(__name__)
key_server = Blueprint('key_server', __name__)

JWT_HEADER_NAME = 'Authorization'
JWT_AUDIENCE = app.config['PREFERRED_URL_SCHEME'] + '://' + app.config['SERVER_HOSTNAME']


def _validate_jwk(jwk):
  if 'kty' not in jwk:
    abort(400)

  if jwk['kty'] == 'EC':
    if 'x' not in jwk or 'y' not in jwk:
      abort(400)
  elif jwk['kty'] == 'RSA':
    if 'e' not in jwk or 'n' not in jwk:
      abort(400)
  else:
    abort(400)


def _jwk_dict_to_public_key(jwk):
  jwkest_key = keyrep(jwk)
  if isinstance(jwkest_key, RSAKey):
    pycrypto_key = jwkest_key.key
    return RSAPublicNumbers(e=pycrypto_key.e, n=pycrypto_key.n).public_key(default_backend())
  elif isinstance(jwkest_key, ECKey):
    x, y = jwkest_key.get_key()
    return EllipticCurvePublicNumbers(x, y, jwkest_key.curve).public_key(default_backend())


def _validate_jwt(encoded_jwt, jwk, service):
  public_key = _jwk_dict_to_public_key(jwk)

  try:
    strictjwt.decode(encoded_jwt, public_key, algorithms=['RS256'],
                     audience=JWT_AUDIENCE, issuer=service)
  except strictjwt.InvalidTokenError:
    logger.exception('JWT validation failure')
    abort(400)


def _signer_kid(encoded_jwt):
  headers = get_unverified_header(encoded_jwt)
  return headers.get('kid', None)


def _signer_key(service, signer_kid):
  try:
    return data.model.service_keys.get_service_key(signer_kid, service=service)
  except data.model.ServiceKeyDoesNotExist:
    abort(403)


@key_server.route('/services/<service>/keys', methods=['GET'])
def list_service_keys(service):
  keys = data.model.service_keys.list_service_keys(service)
  return jsonify({'keys': [key.jwk for key in keys]})


@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
def get_service_key(service, kid):
  try:
    key = data.model.service_keys.get_service_key(kid)
  except data.model.ServiceKeyDoesNotExist:
    abort(404)

  if key.approval is None:
    abort(409)

  resp = jsonify(key.jwk)

  # Set the cache header to be a year for non-expiring keys.
  lifetime = timedelta(days=365)
  if key.expiration_date is not None:
    lifetime = key.expiration_date - key.created_date
  resp.cache_control.max_age = lifetime.seconds

  return resp


@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
def put_service_key(service, kid):
  metadata = {'ip': request.remote_addr}

  rotation_duration = request.args.get('rotation', None)
  expiration_date = request.args.get('expiration', None)
  if expiration_date is not None:
    try:
      expiration_date = datetime.utcfromtimestamp(float(expiration_date))
    except ValueError:
      logger.exception('Error parsing expiration date on key')
      abort(400)

  try:
    jwk = request.get_json()
  except ValueError:
    logger.exception('Error parsing JWK')
    abort(400)

  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
  match = TOKEN_REGEX.match(jwt_header)
  if match is None:
    logger.error('Could not find matching bearer token')
    abort(400)

  encoded_jwt = match.group(1)

  _validate_jwk(jwk)

  signer_kid = _signer_kid(encoded_jwt)

  if kid == signer_kid or signer_kid is None:
    # The key is self-signed. Create a new instance and await approval.
    _validate_jwt(encoded_jwt, jwk, service)
    data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date,
                                               rotation_duration=rotation_duration)

    key_log_metadata = {
      'kid': kid,
      'preshared': False,
      'service': service,
      'name': '',
      'expiration_date': expiration_date,
      'user_agent': request.headers.get('User-Agent'),
      'ip': request.remote_addr,
    }

    log_action('service_key_create', None, metadata=key_log_metadata, ip=request.remote_addr)
    return make_response('', 202)

  metadata.update({'created_by': 'Key Rotation'})
  signer_key = _signer_key(service, signer_kid)
  signer_jwk = signer_key.jwk
  if signer_key.service != service:
    abort(403)

  _validate_jwt(encoded_jwt, signer_jwk, service)

  try:
    data.model.service_keys.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
  except data.model.ServiceKeyDoesNotExist:
    abort(404)

  key_log_metadata = {
    'kid': kid,
    'signer_kid': signer_key.kid,
    'service': service,
    'name': signer_key.name,
    'expiration_date': expiration_date,
    'user_agent': request.headers.get('User-Agent'),
    'ip': request.remote_addr,
  }

  log_action('service_key_rotate', None, metadata=key_log_metadata, ip=request.remote_addr)
  return make_response('', 200)


@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
def delete_service_key(service, kid):
  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
  match = TOKEN_REGEX.match(jwt_header)
  if match is None:
    abort(400)

  encoded_jwt = match.group(1)

  signer_kid = _signer_kid(encoded_jwt)
  signer_key = _signer_key(service, signer_kid)

  self_signed = kid == signer_kid or signer_kid == ''
  approved_key_for_service = signer_key.approval is not None

  if self_signed or approved_key_for_service:
    _validate_jwt(encoded_jwt, signer_key.jwk, service)

    try:
      data.model.service_keys.delete_service_key(kid)
    except data.model.ServiceKeyDoesNotExist:
      abort(404)

    return make_response('', 204)

  abort(403)
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`import logging`

keyserver: add cache-control headers 2016-04-13 19:50:56 +00:00			`from datetime import datetime, timedelta`
service key server wip 2016-03-16 19:49:25 +00:00
			`from cryptography.hazmat.backends import default_backend`
keyserver: get signer kid from unverified headers 2016-04-11 16:04:42 +00:00			`from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicNumbers`
			`from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers`
			`from flask import Blueprint, jsonify, abort, request, make_response`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`from jwkest.jwk import keyrep, RSAKey, ECKey`
keyserver: get signer kid from unverified headers 2016-04-11 16:04:42 +00:00			`from jwt import get_unverified_header`
service key server wip 2016-03-16 19:49:25 +00:00
			`import data.model`
			`import data.model.service_keys`
keys ui WIP 2016-04-01 17:55:29 +00:00			`from data.model.log import log_action`
service key server wip 2016-03-16 19:49:25 +00:00
add final service key config 2016-03-30 20:16:11 +00:00			`from app import app`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`from auth.registry_jwt_auth import TOKEN_REGEX`
service key server wip 2016-03-16 19:49:25 +00:00			`from util.security import strictjwt`


key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`logger = logging.getLogger(__name__)`
service key server wip 2016-03-16 19:49:25 +00:00			`key_server = Blueprint('key_server', __name__)`

			`JWT_HEADER_NAME = 'Authorization'`
key server: derive audience from host and scheme 2016-03-31 20:41:53 +00:00			`JWT_AUDIENCE = app.config['PREFERRED_URL_SCHEME'] + '://' + app.config['SERVER_HOSTNAME']`
service key server wip 2016-03-16 19:49:25 +00:00

keyserver: tests! 2016-04-07 00:03:48 +00:00			`def _validate_jwk(jwk):`
rework superuser api 2016-03-25 22:44:11 +00:00			`if 'kty' not in jwk:`
			`abort(400)`

			`if jwk['kty'] == 'EC':`
			`if 'x' not in jwk or 'y' not in jwk:`
			`abort(400)`
			`elif jwk['kty'] == 'RSA':`
			`if 'e' not in jwk or 'n' not in jwk:`
			`abort(400)`
			`else:`
			`abort(400)`


key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`def _jwk_dict_to_public_key(jwk):`
			`jwkest_key = keyrep(jwk)`
			`if isinstance(jwkest_key, RSAKey):`
			`pycrypto_key = jwkest_key.key`
			`return RSAPublicNumbers(e=pycrypto_key.e, n=pycrypto_key.n).public_key(default_backend())`
			`elif isinstance(jwkest_key, ECKey):`
			`x, y = jwkest_key.get_key()`
			`return EllipticCurvePublicNumbers(x, y, jwkest_key.curve).public_key(default_backend())`


rework superuser api 2016-03-25 22:44:11 +00:00			`def _validate_jwt(encoded_jwt, jwk, service):`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`public_key = _jwk_dict_to_public_key(jwk)`
service key server wip 2016-03-16 19:49:25 +00:00
			`try:`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`strictjwt.decode(encoded_jwt, public_key, algorithms=['RS256'],`
			`audience=JWT_AUDIENCE, issuer=service)`
service key server wip 2016-03-16 19:49:25 +00:00			`except strictjwt.InvalidTokenError:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.exception('JWT validation failure')`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`


converging on proper rotation 2016-03-28 23:00:00 +00:00			`def _signer_kid(encoded_jwt):`
keyserver: get signer kid from unverified headers 2016-04-11 16:04:42 +00:00			`headers = get_unverified_header(encoded_jwt)`
			`return headers.get('kid', None)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00

service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`def _signer_key(service, signer_kid):`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`try:`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`return data.model.service_keys.get_service_key(signer_kid, service=service)`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`except data.model.ServiceKeyDoesNotExist:`
			`abort(403)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00

service key server wip 2016-03-16 19:49:25 +00:00			`@key_server.route('/services/<service>/keys', methods=['GET'])`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`def list_service_keys(service):`
			`keys = data.model.service_keys.list_service_keys(service)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`return jsonify({'keys': [key.jwk for key in keys]})`
service key server wip 2016-03-16 19:49:25 +00:00

rework superuser api 2016-03-25 22:44:11 +00:00			`@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])`
add notification path and use for service keys 2016-03-29 19:58:14 +00:00			`def get_service_key(service, kid):`
canonicalize json 2016-03-29 18:49:07 +00:00			`try:`
			`key = data.model.service_keys.get_service_key(kid)`
			`except data.model.ServiceKeyDoesNotExist:`
			`abort(404)`

			`if key.approval is None:`
add notification path and use for service keys 2016-03-29 19:58:14 +00:00			`abort(409)`
canonicalize json 2016-03-29 18:49:07 +00:00
keyserver: add cache-control headers 2016-04-13 19:50:56 +00:00			`resp = jsonify(key.jwk)`

			`# Set the cache header to be a year for non-expiring keys.`
			`lifetime = timedelta(days=365)`
			`if key.expiration_date is not None:`
			`lifetime = key.expiration_date - key.created_date`
			`resp.cache_control.max_age = lifetime.seconds`

			`return resp`
rework superuser api 2016-03-25 22:44:11 +00:00

service key server wip 2016-03-16 19:49:25 +00:00			`@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])`
key_server: remove s at the end of endpoint 2016-04-05 16:40:29 +00:00			`def put_service_key(service, kid):`
keyserver: insert rotation policy into metadata 2016-04-05 15:58:34 +00:00			`metadata = {'ip': request.remote_addr}`

service keys: add rotation_duration field 2016-04-12 21:58:52 +00:00			`rotation_duration = request.args.get('rotation', None)`
service key server wip 2016-03-16 19:49:25 +00:00			`expiration_date = request.args.get('expiration', None)`
keyserver: insert rotation policy into metadata 2016-04-05 15:58:34 +00:00			`if expiration_date is not None:`
service key server wip 2016-03-16 19:49:25 +00:00			`try:`
			`expiration_date = datetime.utcfromtimestamp(float(expiration_date))`
			`except ValueError:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.exception('Error parsing expiration date on key')`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`

			`try:`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`jwk = request.get_json()`
service key server wip 2016-03-16 19:49:25 +00:00			`except ValueError:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.exception('Error parsing JWK')`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`

key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`jwt_header = request.headers.get(JWT_HEADER_NAME, '')`
			`match = TOKEN_REGEX.match(jwt_header)`
			`if match is None:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.error('Could not find matching bearer token')`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`abort(400)`
keys ui WIP 2016-04-01 17:55:29 +00:00
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`encoded_jwt = match.group(1)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
keyserver: tests! 2016-04-07 00:03:48 +00:00			`_validate_jwk(jwk)`
converging on proper rotation 2016-03-28 23:00:00 +00:00
			`signer_kid = _signer_kid(encoded_jwt)`

key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`if kid == signer_kid or signer_kid is None:`
canonicalize json 2016-03-29 18:49:07 +00:00			`# The key is self-signed. Create a new instance and await approval.`
			`_validate_jwt(encoded_jwt, jwk, service)`
service keys: add rotation_duration field 2016-04-12 21:58:52 +00:00			`data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date,`
			`rotation_duration=rotation_duration)`
keys ui WIP 2016-04-01 17:55:29 +00:00
			`key_log_metadata = {`
			`'kid': kid,`
			`'preshared': False,`
			`'service': service,`
			`'name': '',`
			`'expiration_date': expiration_date,`
			`'user_agent': request.headers.get('User-Agent'),`
			`'ip': request.remote_addr,`
			`}`

			`log_action('service_key_create', None, metadata=key_log_metadata, ip=request.remote_addr)`
canonicalize json 2016-03-29 18:49:07 +00:00			`return make_response('', 202)`

			`metadata.update({'created_by': 'Key Rotation'})`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`signer_key = _signer_key(service, signer_kid)`
canonicalize json 2016-03-29 18:49:07 +00:00			`signer_jwk = signer_key.jwk`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`if signer_key.service != service:`
			`abort(403)`

canonicalize json 2016-03-29 18:49:07 +00:00			`_validate_jwt(encoded_jwt, signer_jwk, service)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
rework superuser api 2016-03-25 22:44:11 +00:00			`try:`
clear notifications on delete/replace service_key 2016-03-29 21:16:51 +00:00			`data.model.service_keys.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)`
rework superuser api 2016-03-25 22:44:11 +00:00			`except data.model.ServiceKeyDoesNotExist:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(404)`
service key server wip 2016-03-16 19:49:25 +00:00
keys ui WIP 2016-04-01 17:55:29 +00:00			`key_log_metadata = {`
			`'kid': kid,`
			`'signer_kid': signer_key.kid,`
			`'service': service,`
			`'name': signer_key.name,`
			`'expiration_date': expiration_date,`
			`'user_agent': request.headers.get('User-Agent'),`
			`'ip': request.remote_addr,`
			`}`

			`log_action('service_key_rotate', None, metadata=key_log_metadata, ip=request.remote_addr)`
canonicalize json 2016-03-29 18:49:07 +00:00			`return make_response('', 200)`

service key server wip 2016-03-16 19:49:25 +00:00
			`@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])`
			`def delete_service_key(service, kid):`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`jwt_header = request.headers.get(JWT_HEADER_NAME, '')`
			`match = TOKEN_REGEX.match(jwt_header)`
			`if match is None:`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`
Fix timeouts in the JWT endpoint tests 2016-04-13 17:59:07 +00:00
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`encoded_jwt = match.group(1)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`signer_kid = _signer_kid(encoded_jwt)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`signer_key = _signer_key(service, signer_kid)`
service key server wip 2016-03-16 19:49:25 +00:00
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`self_signed = kid == signer_kid or signer_kid == ''`
			`approved_key_for_service = signer_key.approval is not None`

			`if self_signed or approved_key_for_service:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`_validate_jwt(encoded_jwt, signer_key.jwk, service)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`try:`
keyserver: tests! 2016-04-07 00:03:48 +00:00			`data.model.service_keys.delete_service_key(kid)`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`except data.model.ServiceKeyDoesNotExist:`
			`abort(404)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00
keyserver: tests! 2016-04-07 00:03:48 +00:00			`return make_response('', 204)`
service key server wip 2016-03-16 19:49:25 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(403)`