quay/endpoints/keyserver/__init__.py

import logging

from datetime import datetime, timedelta

from flask import Blueprint, jsonify, abort, request, make_response
from jwt import get_unverified_header

from app import app
from endpoints.keyserver.models_interface import ServiceKeyDoesNotExist
from endpoints.keyserver.models_pre_oci import pre_oci_model as model
from util.security import jwtutil


logger = logging.getLogger(__name__)
key_server = Blueprint('key_server', __name__)


JWT_HEADER_NAME = 'Authorization'
JWT_AUDIENCE = app.config['PREFERRED_URL_SCHEME'] + '://' + app.config['SERVER_HOSTNAME']


def _validate_jwk(jwk):
  if 'kty' not in jwk:
    abort(400)

  if jwk['kty'] == 'EC':
    if 'x' not in jwk or 'y' not in jwk:
      abort(400)
  elif jwk['kty'] == 'RSA':
    if 'e' not in jwk or 'n' not in jwk:
      abort(400)
  else:
    abort(400)


def _validate_jwt(encoded_jwt, jwk, service):
  public_key = jwtutil.jwk_dict_to_public_key(jwk)

  try:
    jwtutil.decode(encoded_jwt, public_key, algorithms=['RS256'],
                   audience=JWT_AUDIENCE, issuer=service)
  except jwtutil.InvalidTokenError:
    logger.exception('JWT validation failure')
    abort(400)


def _signer_kid(encoded_jwt, allow_none=False):
  headers = get_unverified_header(encoded_jwt)
  kid = headers.get('kid', None)
  if not kid and not allow_none:
    abort(400)

  return kid


def _lookup_service_key(service, signer_kid, approved_only=True):
  try:
    return model.get_service_key(signer_kid, service=service, approved_only=approved_only)
  except ServiceKeyDoesNotExist:
    abort(403)


def jwk_with_kid(key):
  jwk = key.jwk.copy()
  jwk.update({'kid': key.kid})
  return jwk


@key_server.route('/services/<service>/keys', methods=['GET'])
def list_service_keys(service):
  keys = model.list_service_keys(service)
  return jsonify({'keys': [jwk_with_kid(key) for key in keys]})


@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
def get_service_key(service, kid):
  try:
    key = model.get_service_key(kid, alive_only=False, approved_only=False)
  except ServiceKeyDoesNotExist:
    abort(404)

  if key.approval is None:
    abort(409)

  if key.expiration_date is not None and key.expiration_date <= datetime.utcnow():
    abort(403)

  resp = jsonify(key.jwk)
  lifetime = min(timedelta(days=1), ((key.expiration_date or datetime.max) - datetime.utcnow()))
  resp.cache_control.max_age = max(0, lifetime.total_seconds())
  return resp


@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
def put_service_key(service, kid):
  metadata = {'ip': request.remote_addr}

  rotation_duration = request.args.get('rotation', None)
  expiration_date = request.args.get('expiration', None)
  if expiration_date is not None:
    try:
      expiration_date = datetime.utcfromtimestamp(float(expiration_date))
    except ValueError:
      logger.exception('Error parsing expiration date on key')
      abort(400)

  try:
    jwk = request.get_json()
  except ValueError:
    logger.exception('Error parsing JWK')
    abort(400)

  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
  match = jwtutil.TOKEN_REGEX.match(jwt_header)
  if match is None:
    logger.error('Could not find matching bearer token')
    abort(400)

  encoded_jwt = match.group(1)

  _validate_jwk(jwk)

  signer_kid = _signer_kid(encoded_jwt, allow_none=True)
  if kid == signer_kid or signer_kid is None:
    # The key is self-signed. Create a new instance and await approval.
    _validate_jwt(encoded_jwt, jwk, service)
    model.create_service_key('', kid, service, jwk, metadata, expiration_date,
                             rotation_duration=rotation_duration)

    model.log_action('service_key_create', request.remote_addr, metadata_dict={
      'kid': kid,
      'preshared': False,
      'service': service,
      'name': '',
      'expiration_date': expiration_date,
      'user_agent': request.headers.get('User-Agent'),
      'ip': request.remote_addr,
    })

    return make_response('', 202)

  # Key is going to be rotated.
  metadata.update({'created_by': 'Key Rotation'})
  signer_key = _lookup_service_key(service, signer_kid)
  signer_jwk = signer_key.jwk

  _validate_jwt(encoded_jwt, signer_jwk, service)

  try:
    model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
  except ServiceKeyDoesNotExist:
    abort(404)

  model.log_action('service_key_rotate', request.remote_addr, metadata_dict={
    'kid': kid,
    'signer_kid': signer_key.kid,
    'service': service,
    'name': signer_key.name,
    'expiration_date': expiration_date,
    'user_agent': request.headers.get('User-Agent'),
    'ip': request.remote_addr,
  })

  return make_response('', 200)


@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
def delete_service_key(service, kid):
  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
  match = jwtutil.TOKEN_REGEX.match(jwt_header)
  if match is None:
    abort(400)

  encoded_jwt = match.group(1)

  signer_kid = _signer_kid(encoded_jwt)
  signer_key = _lookup_service_key(service, signer_kid, approved_only=False)

  self_signed = kid == signer_kid
  approved_key_for_service = signer_key.approval is not None

  if self_signed or approved_key_for_service:
    _validate_jwt(encoded_jwt, signer_key.jwk, service)

    try:
      model.delete_service_key(kid)
    except ServiceKeyDoesNotExist:
      abort(404)

    model.log_action('service_key_delete', request.remote_addr, metadata_dict={
      'kid': kid,
      'signer_kid': signer_key.kid,
      'service': service,
      'name': signer_key.name,
      'user_agent': request.headers.get('User-Agent'),
      'ip': request.remote_addr,
    })

    return make_response('', 204)

  abort(403)
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`import logging`
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00
keyserver: add cache-control headers 2016-04-13 19:50:56 +00:00			`from datetime import datetime, timedelta`
service key server wip 2016-03-16 19:49:25 +00:00
keyserver: get signer kid from unverified headers 2016-04-11 16:04:42 +00:00			`from flask import Blueprint, jsonify, abort, request, make_response`
			`from jwt import get_unverified_header`
service key server wip 2016-03-16 19:49:25 +00:00
add final service key config 2016-03-30 20:16:11 +00:00			`from app import app`
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00			`from endpoints.keyserver.models_interface import ServiceKeyDoesNotExist`
			`from endpoints.keyserver.models_pre_oci import pre_oci_model as model`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`from util.security import jwtutil`
service key server wip 2016-03-16 19:49:25 +00:00

key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`logger = logging.getLogger(__name__)`
service key server wip 2016-03-16 19:49:25 +00:00			`key_server = Blueprint('key_server', __name__)`

endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00
service key server wip 2016-03-16 19:49:25 +00:00			`JWT_HEADER_NAME = 'Authorization'`
key server: derive audience from host and scheme 2016-03-31 20:41:53 +00:00			`JWT_AUDIENCE = app.config['PREFERRED_URL_SCHEME'] + '://' + app.config['SERVER_HOSTNAME']`
service key server wip 2016-03-16 19:49:25 +00:00

keyserver: tests! 2016-04-07 00:03:48 +00:00			`def _validate_jwk(jwk):`
rework superuser api 2016-03-25 22:44:11 +00:00			`if 'kty' not in jwk:`
			`abort(400)`

			`if jwk['kty'] == 'EC':`
			`if 'x' not in jwk or 'y' not in jwk:`
			`abort(400)`
			`elif jwk['kty'] == 'RSA':`
			`if 'e' not in jwk or 'n' not in jwk:`
			`abort(400)`
			`else:`
			`abort(400)`


			`def _validate_jwt(encoded_jwt, jwk, service):`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`public_key = jwtutil.jwk_dict_to_public_key(jwk)`
service key server wip 2016-03-16 19:49:25 +00:00
			`try:`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`jwtutil.decode(encoded_jwt, public_key, algorithms=['RS256'],`
create key server data interface 2016-08-31 18:31:43 +00:00			`audience=JWT_AUDIENCE, issuer=service)`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`except jwtutil.InvalidTokenError:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.exception('JWT validation failure')`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`


Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`def _signer_kid(encoded_jwt, allow_none=False):`
keyserver: get signer kid from unverified headers 2016-04-11 16:04:42 +00:00			`headers = get_unverified_header(encoded_jwt)`
Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`kid = headers.get('kid', None)`
			`if not kid and not allow_none:`
			`abort(400)`

			`return kid`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00

Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`def _lookup_service_key(service, signer_kid, approved_only=True):`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`try:`
create key server data interface 2016-08-31 18:31:43 +00:00			`return model.get_service_key(signer_kid, service=service, approved_only=approved_only)`
			`except ServiceKeyDoesNotExist:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(403)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00

key server: fix tests by exporting jwk_with_kid 2016-10-25 19:57:55 +00:00			`def jwk_with_kid(key):`
			`jwk = key.jwk.copy()`
			`jwk.update({'kid': key.kid})`
			`return jwk`


service key server wip 2016-03-16 19:49:25 +00:00			`@key_server.route('/services/<service>/keys', methods=['GET'])`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`def list_service_keys(service):`
create key server data interface 2016-08-31 18:31:43 +00:00			`keys = model.list_service_keys(service)`
key server: add kid to services JWKs 2016-10-25 19:33:01 +00:00			`return jsonify({'keys': [jwk_with_kid(key) for key in keys]})`
service key server wip 2016-03-16 19:49:25 +00:00

rework superuser api 2016-03-25 22:44:11 +00:00			`@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])`
add notification path and use for service keys 2016-03-29 19:58:14 +00:00			`def get_service_key(service, kid):`
canonicalize json 2016-03-29 18:49:07 +00:00			`try:`
create key server data interface 2016-08-31 18:31:43 +00:00			`key = model.get_service_key(kid, alive_only=False, approved_only=False)`
			`except ServiceKeyDoesNotExist:`
canonicalize json 2016-03-29 18:49:07 +00:00			`abort(404)`

			`if key.approval is None:`
add notification path and use for service keys 2016-03-29 19:58:14 +00:00			`abort(409)`
canonicalize json 2016-03-29 18:49:07 +00:00
Hide expired keys outside of their staleness window 2016-04-27 21:44:59 +00:00			`if key.expiration_date is not None and key.expiration_date <= datetime.utcnow():`
key server: 403 on expired approved keys (#1410) 2016-04-27 18:48:12 +00:00			`abort(403)`

keyserver: add cache-control headers 2016-04-13 19:50:56 +00:00			`resp = jsonify(key.jwk)`
Hide expired keys outside of their staleness window 2016-04-27 21:44:59 +00:00			`lifetime = min(timedelta(days=1), ((key.expiration_date or datetime.max) - datetime.utcnow()))`
			`resp.cache_control.max_age = max(0, lifetime.total_seconds())`
keyserver: add cache-control headers 2016-04-13 19:50:56 +00:00			`return resp`
rework superuser api 2016-03-25 22:44:11 +00:00

service key server wip 2016-03-16 19:49:25 +00:00			`@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])`
key_server: remove s at the end of endpoint 2016-04-05 16:40:29 +00:00			`def put_service_key(service, kid):`
keyserver: insert rotation policy into metadata 2016-04-05 15:58:34 +00:00			`metadata = {'ip': request.remote_addr}`

service keys: add rotation_duration field 2016-04-12 21:58:52 +00:00			`rotation_duration = request.args.get('rotation', None)`
service key server wip 2016-03-16 19:49:25 +00:00			`expiration_date = request.args.get('expiration', None)`
keyserver: insert rotation policy into metadata 2016-04-05 15:58:34 +00:00			`if expiration_date is not None:`
service key server wip 2016-03-16 19:49:25 +00:00			`try:`
			`expiration_date = datetime.utcfromtimestamp(float(expiration_date))`
			`except ValueError:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.exception('Error parsing expiration date on key')`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`

			`try:`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`jwk = request.get_json()`
service key server wip 2016-03-16 19:49:25 +00:00			`except ValueError:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.exception('Error parsing JWK')`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`

key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`jwt_header = request.headers.get(JWT_HEADER_NAME, '')`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`match = jwtutil.TOKEN_REGEX.match(jwt_header)`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`if match is None:`
keys ui WIP 2016-04-01 17:55:29 +00:00			`logger.error('Could not find matching bearer token')`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`abort(400)`
keys ui WIP 2016-04-01 17:55:29 +00:00
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`encoded_jwt = match.group(1)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
keyserver: tests! 2016-04-07 00:03:48 +00:00			`_validate_jwk(jwk)`
converging on proper rotation 2016-03-28 23:00:00 +00:00
Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`signer_kid = _signer_kid(encoded_jwt, allow_none=True)`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`if kid == signer_kid or signer_kid is None:`
canonicalize json 2016-03-29 18:49:07 +00:00			`# The key is self-signed. Create a new instance and await approval.`
			`_validate_jwt(encoded_jwt, jwk, service)`
create key server data interface 2016-08-31 18:31:43 +00:00			`model.create_service_key('', kid, service, jwk, metadata, expiration_date,`
			`rotation_duration=rotation_duration)`
keys ui WIP 2016-04-01 17:55:29 +00:00
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00			`model.log_action('service_key_create', request.remote_addr, metadata_dict={`
keys ui WIP 2016-04-01 17:55:29 +00:00			`'kid': kid,`
			`'preshared': False,`
			`'service': service,`
			`'name': '',`
			`'expiration_date': expiration_date,`
			`'user_agent': request.headers.get('User-Agent'),`
			`'ip': request.remote_addr,`
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00			`})`
keys ui WIP 2016-04-01 17:55:29 +00:00
canonicalize json 2016-03-29 18:49:07 +00:00			`return make_response('', 202)`

Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`# Key is going to be rotated.`
canonicalize json 2016-03-29 18:49:07 +00:00			`metadata.update({'created_by': 'Key Rotation'})`
Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`signer_key = _lookup_service_key(service, signer_kid)`
canonicalize json 2016-03-29 18:49:07 +00:00			`signer_jwk = signer_key.jwk`
converging on proper rotation 2016-03-28 23:00:00 +00:00
canonicalize json 2016-03-29 18:49:07 +00:00			`_validate_jwt(encoded_jwt, signer_jwk, service)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
rework superuser api 2016-03-25 22:44:11 +00:00			`try:`
create key server data interface 2016-08-31 18:31:43 +00:00			`model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)`
			`except ServiceKeyDoesNotExist:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(404)`
service key server wip 2016-03-16 19:49:25 +00:00
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00			`model.log_action('service_key_rotate', request.remote_addr, metadata_dict={`
keys ui WIP 2016-04-01 17:55:29 +00:00			`'kid': kid,`
			`'signer_kid': signer_key.kid,`
			`'service': service,`
			`'name': signer_key.name,`
			`'expiration_date': expiration_date,`
			`'user_agent': request.headers.get('User-Agent'),`
			`'ip': request.remote_addr,`
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00			`})`
keys ui WIP 2016-04-01 17:55:29 +00:00
canonicalize json 2016-03-29 18:49:07 +00:00			`return make_response('', 200)`

service key server wip 2016-03-16 19:49:25 +00:00
			`@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])`
			`def delete_service_key(service, kid):`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`jwt_header = request.headers.get(JWT_HEADER_NAME, '')`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`match = jwtutil.TOKEN_REGEX.match(jwt_header)`
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`if match is None:`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`
Fix timeouts in the JWT endpoint tests 2016-04-13 17:59:07 +00:00
key server: misc cleanup to get it working 2016-03-31 20:42:31 +00:00			`encoded_jwt = match.group(1)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`signer_kid = _signer_kid(encoded_jwt)`
Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`signer_key = _lookup_service_key(service, signer_kid, approved_only=False)`
service key server wip 2016-03-16 19:49:25 +00:00
Fix key server to not list expired keys Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested. Fixes #1430 2016-05-03 18:01:33 +00:00			`self_signed = kid == signer_kid`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`approved_key_for_service = signer_key.approval is not None`

			`if self_signed or approved_key_for_service:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`_validate_jwt(encoded_jwt, signer_key.jwk, service)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`try:`
create key server data interface 2016-08-31 18:31:43 +00:00			`model.delete_service_key(kid)`
			`except ServiceKeyDoesNotExist:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(404)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00			`model.log_action('service_key_delete', request.remote_addr, metadata_dict={`
Add delete logging and tests for logging 2016-04-14 19:04:32 +00:00			`'kid': kid,`
			`'signer_kid': signer_key.kid,`
			`'service': service,`
			`'name': signer_key.name,`
			`'user_agent': request.headers.get('User-Agent'),`
			`'ip': request.remote_addr,`
endpoints.keyserver: new fs org for data interface 2017-07-06 17:49:54 +00:00			`})`
Add delete logging and tests for logging 2016-04-14 19:04:32 +00:00
keyserver: tests! 2016-04-07 00:03:48 +00:00			`return make_response('', 204)`
service key server wip 2016-03-16 19:49:25 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(403)`