This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/data/model/service_keys.py

199 lines
6.4 KiB
Python
Raw Normal View History

import re
from calendar import timegm
2016-03-23 22:16:03 +00:00
from datetime import datetime, timedelta
from peewee import JOIN_LEFT_OUTER
from Crypto.PublicKey import RSA
from jwkest.jwk import RSAKey
from data.database import db_for_update, User, ServiceKey, ServiceKeyApproval
from data.model import (ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, ServiceNameInvalid,
db_transaction, config)
from data.model.notification import create_notification, delete_all_notifications_by_path_prefix
from util.security.fingerprint import canonical_kid
2016-03-23 22:16:03 +00:00
_SERVICE_NAME_REGEX = re.compile(r'^[a-z0-9_]+$')
2016-03-28 23:00:00 +00:00
def _expired_keys_clause(service):
return ((ServiceKey.service == service) &
(ServiceKey.expiration_date <= datetime.utcnow()))
2016-03-23 22:16:03 +00:00
def _stale_expired_keys_service_clause(service):
return ((ServiceKey.service == service) & _stale_expired_keys_clause())
def _stale_expired_keys_clause():
expired_ttl = timedelta(seconds=config.app_config['EXPIRED_SERVICE_KEY_TTL_SEC'])
return (ServiceKey.expiration_date <= (datetime.utcnow() - expired_ttl))
2016-03-23 22:16:03 +00:00
2016-03-28 23:00:00 +00:00
def _stale_unapproved_keys_clause(service):
2016-04-01 17:55:29 +00:00
unapproved_ttl = timedelta(seconds=config.app_config['UNAPPROVED_SERVICE_KEY_TTL_SEC'])
2016-03-30 22:27:44 +00:00
return ((ServiceKey.service == service) &
2016-03-28 23:00:00 +00:00
(ServiceKey.approval >> None) &
2016-04-01 17:55:29 +00:00
(ServiceKey.created_date <= (datetime.utcnow() - unapproved_ttl)))
2016-03-16 19:49:25 +00:00
2016-03-28 23:00:00 +00:00
def _gc_expired(service):
ServiceKey.delete().where(_stale_expired_keys_service_clause(service) |
2016-03-28 23:00:00 +00:00
_stale_unapproved_keys_clause(service)).execute()
2016-03-23 22:16:03 +00:00
2016-03-25 22:44:11 +00:00
def _verify_service_name(service_name):
if not _SERVICE_NAME_REGEX.match(service_name):
raise ServiceNameInvalid
def _notify_superusers(key):
notification_metadata = {
'name': key.name,
'kid': key.kid,
'service': key.service,
'jwk': key.jwk,
'metadata': key.metadata,
'created_date': timegm(key.created_date.utctimetuple()),
}
2016-04-01 17:55:29 +00:00
if key.expiration_date is not None:
notification_metadata['expiration_date'] = timegm(key.expiration_date.utctimetuple())
superusers = User.select().where(User.username << config.app_config['SUPER_USERS'])
2016-03-25 22:44:11 +00:00
for superuser in superusers:
create_notification('service_key_submitted', superuser, metadata=notification_metadata,
lookup_path='/service_key_approval/{0}/{1}'.format(key.kid, superuser.id))
2016-03-25 22:44:11 +00:00
def create_service_key(name, kid, service, jwk, metadata, expiration_date, rotation_duration=None):
_verify_service_name(service)
_gc_expired(service)
key = ServiceKey.create(name=name, kid=kid, service=service, jwk=jwk, metadata=metadata,
expiration_date=expiration_date, rotation_duration=rotation_duration)
_notify_superusers(key)
return key
def generate_service_key(service, expiration_date, kid=None, name='', metadata=None,
rotation_duration=None):
private_key = RSA.generate(2048)
jwk = RSAKey(key=private_key.publickey()).serialize()
if kid is None:
kid = canonical_kid(jwk)
key = create_service_key(name, kid, service, jwk, metadata or {}, expiration_date,
rotation_duration=rotation_duration)
return (private_key, key)
2016-03-28 23:00:00 +00:00
def replace_service_key(old_kid, kid, jwk, metadata, expiration_date):
2016-03-28 23:00:00 +00:00
try:
with db_transaction():
key = db_for_update(ServiceKey.select().where(ServiceKey.kid == old_kid)).get()
2016-04-01 17:55:29 +00:00
key.metadata.update(metadata)
2016-03-28 23:00:00 +00:00
ServiceKey.create(name=key.name, kid=kid, service=key.service, jwk=jwk,
2016-04-01 17:55:29 +00:00
metadata=key.metadata, expiration_date=expiration_date,
rotation_duration=key.rotation_duration, approval=key.approval)
2016-03-28 23:00:00 +00:00
key.delete_instance()
except ServiceKey.DoesNotExist:
raise ServiceKeyDoesNotExist
_notify_superusers(key)
delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(old_kid))
2016-03-28 23:00:00 +00:00
_gc_expired(key.service)
2016-04-01 17:55:29 +00:00
def update_service_key(kid, name=None, metadata=None):
2016-03-16 19:49:25 +00:00
try:
with db_transaction():
key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
2016-04-01 17:55:29 +00:00
if name is not None:
key.name = name
if metadata is not None:
key.metadata.update(metadata)
key.save()
2016-03-16 19:49:25 +00:00
except ServiceKey.DoesNotExist:
2016-03-25 22:44:11 +00:00
raise ServiceKeyDoesNotExist
2016-03-28 18:52:20 +00:00
2016-04-01 17:55:29 +00:00
def delete_service_key(kid):
2016-03-16 19:49:25 +00:00
try:
2016-04-01 17:55:29 +00:00
key = ServiceKey.get(kid=kid)
ServiceKey.delete().where(ServiceKey.kid == kid).execute()
2016-03-16 19:49:25 +00:00
except ServiceKey.DoesNotExist:
2016-04-01 17:55:29 +00:00
raise ServiceKeyDoesNotExist
delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(kid))
2016-04-01 17:55:29 +00:00
_gc_expired(key.service)
return key
def set_key_expiration(kid, expiration_date):
try:
service_key = get_service_key(kid)
except ServiceKey.DoesNotExist:
raise ServiceKeyDoesNotExist
service_key.expiration_date = expiration_date
service_key.save()
2016-03-28 23:00:00 +00:00
def approve_service_key(kid, approver, approval_type, notes=''):
try:
with db_transaction():
2016-03-25 22:44:11 +00:00
key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
2016-03-23 22:16:03 +00:00
if key.approval is not None:
raise ServiceKeyAlreadyApproved
approval = ServiceKeyApproval.create(approver=approver, approval_type=approval_type,
notes=notes)
key.approval = approval
key.save()
except ServiceKey.DoesNotExist:
raise ServiceKeyDoesNotExist
2016-03-28 23:00:00 +00:00
delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(kid))
2016-04-05 19:27:45 +00:00
return key
2016-03-28 23:00:00 +00:00
def _list_service_keys_query(kid=None, service=None, approved_only=False, approval_type=None):
query = ServiceKey.select().join(ServiceKeyApproval, JOIN_LEFT_OUTER)
2016-03-28 23:00:00 +00:00
if approved_only:
query = query.where(~(ServiceKey.approval >> None))
if approval_type is not None:
query = query.where(ServiceKeyApproval.approval_type == approval_type)
2016-03-28 23:00:00 +00:00
if service is not None:
query = query.where(ServiceKey.service == service)
2016-03-30 22:27:44 +00:00
query = query.where(~(_expired_keys_clause(service)) |
2016-03-28 23:00:00 +00:00
~(_stale_unapproved_keys_clause(service)))
if kid is not None:
query = query.where(ServiceKey.kid == kid)
2016-03-28 23:00:00 +00:00
query = query.where(~(_stale_expired_keys_clause()) | (ServiceKey.expiration_date >> None))
2016-03-28 23:00:00 +00:00
return query
2016-04-01 17:55:29 +00:00
def list_all_keys():
2016-03-30 17:20:35 +00:00
return list(_list_service_keys_query())
2016-03-28 23:00:00 +00:00
2016-03-30 17:20:35 +00:00
def list_service_keys(service):
return list(_list_service_keys_query(service=service, approved_only=True))
2016-03-28 23:00:00 +00:00
2016-03-30 17:20:35 +00:00
def get_service_key(kid, service=None):
try:
return _list_service_keys_query(kid=kid, service=service).get()
except ServiceKey.DoesNotExist:
raise ServiceKeyDoesNotExist