quay/endpoints/key_server.py

from datetime import datetime

import jwt

from flask import Blueprint, jsonify, abort, request, make_response
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
from cryptography.hazmat.backends import default_backend

import data.model
import data.model.service_keys

from util.security import strictjwt


key_server = Blueprint('key_server', __name__)

JWT_HEADER_NAME = 'Authorization'
JWT_AUDIENCE = 'quay'


def _validate_jwk(jwk, kid):
  if 'kty' not in jwk:
    abort(400)

  if 'kid' not in jwk or jwk['kid'] != kid:
    abort(400)

  if jwk['kty'] == 'EC':
    if 'x' not in jwk or 'y' not in jwk:
      abort(400)
  elif jwk['kty'] == 'RSA':
    if 'e' not in jwk or 'n' not in jwk:
      abort(400)
  else:
    abort(400)


def _validate_jwt(encoded_jwt, jwk, service):
  public_key = RSAPublicNumbers(e=jwk.e,
                                n=jwk.n).public_key(default_backend())

  try:
    strictjwt.decode(encoded_jwt, public_key, algorithms=['RS256'],
                     audience=JWT_AUDIENCE, issuer=service)
  except strictjwt.InvalidTokenError:
    abort(400)


def _signer_kid(encoded_jwt):
  decoded_jwt = jwt.decode(encoded_jwt, verify=False)
  return decoded_jwt.get('signer_kid', None)


def _signer_key(service, signer_kid):
  try:
    return data.model.service_keys.get_service_key(signer_kid, service=service)
  except data.model.ServiceKeyDoesNotExist:
    abort(403)


@key_server.route('/services/<service>/keys', methods=['GET'])
def list_service_keys(service):
  keys = data.model.service_keys.list_service_keys(service)
  return jsonify({'keys': [key.jwk for key in keys]})


@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
def get_service_key(service, kid):
  try:
    key = data.model.service_keys.get_service_key(kid)
  except data.model.ServiceKeyDoesNotExist:
    abort(404)

  if key.approval is None:
    abort(409)

  return jsonify(key.jwk)


@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
def put_service_keys(service, kid):
  expiration_date = request.args.get('expiration', None)
  if expiration_date:
    try:
      expiration_date = datetime.utcfromtimestamp(float(expiration_date))
    except ValueError:
      abort(400)

  try:
    jwk = request.json()
  except ValueError:
    abort(400)

  encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)
  if not encoded_jwt:
    abort(400)

  _validate_jwk(jwk, kid)

  metadata = {'ip': request.remote_addr}
  signer_kid = _signer_kid(encoded_jwt)

  if kid == signer_kid or signer_kid == '':
    # The key is self-signed. Create a new instance and await approval.
    _validate_jwt(encoded_jwt, jwk, service)
    data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date)
    return make_response('', 202)

  metadata.update({'created_by': 'Key Rotation'})
  signer_key = _signer_key(service, signer_kid)
  signer_jwk = signer_key.jwk
  if signer_key.service != service:
    abort(403)

  _validate_jwt(encoded_jwt, signer_jwk, service)

  try:
    data.model.service_keys.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
  except data.model.ServiceKeyDoesNotExist:
    abort(404)

  return make_response('', 200)


@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
def delete_service_key(service, kid):
  encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)
  if not encoded_jwt:
    abort(400)

  signer_kid = _signer_kid(encoded_jwt)
  signer_key = _signer_key(service, signer_kid)

  self_signed = kid == signer_kid or signer_kid == ''
  approved_key_for_service = signer_key.approval is not None

  if self_signed or approved_key_for_service:
    _validate_jwt(encoded_jwt, signer_key.jwk, service)

    try:
      data.model.service_keys.delete_service_key(service, kid)
    except data.model.ServiceKeyDoesNotExist:
      abort(404)

    return make_response('', 200)

  abort(403)
service key server wip 2016-03-16 19:49:25 +00:00			`from datetime import datetime`

service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`import jwt`

service key server wip 2016-03-16 19:49:25 +00:00			`from flask import Blueprint, jsonify, abort, request, make_response`
			`from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers`
			`from cryptography.hazmat.backends import default_backend`

			`import data.model`
			`import data.model.service_keys`

			`from util.security import strictjwt`


			`key_server = Blueprint('key_server', __name__)`

			`JWT_HEADER_NAME = 'Authorization'`
			`JWT_AUDIENCE = 'quay'`


rework superuser api 2016-03-25 22:44:11 +00:00			`def _validate_jwk(jwk, kid):`
			`if 'kty' not in jwk:`
			`abort(400)`

			`if 'kid' not in jwk or jwk['kid'] != kid:`
			`abort(400)`

			`if jwk['kty'] == 'EC':`
			`if 'x' not in jwk or 'y' not in jwk:`
			`abort(400)`
			`elif jwk['kty'] == 'RSA':`
			`if 'e' not in jwk or 'n' not in jwk:`
			`abort(400)`
			`else:`
			`abort(400)`


			`def _validate_jwt(encoded_jwt, jwk, service):`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`public_key = RSAPublicNumbers(e=jwk.e,`
			`n=jwk.n).public_key(default_backend())`
service key server wip 2016-03-16 19:49:25 +00:00
			`try:`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`strictjwt.decode(encoded_jwt, public_key, algorithms=['RS256'],`
			`audience=JWT_AUDIENCE, issuer=service)`
service key server wip 2016-03-16 19:49:25 +00:00			`except strictjwt.InvalidTokenError:`
			`abort(400)`


converging on proper rotation 2016-03-28 23:00:00 +00:00			`def _signer_kid(encoded_jwt):`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`decoded_jwt = jwt.decode(encoded_jwt, verify=False)`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`return decoded_jwt.get('signer_kid', None)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00

service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`def _signer_key(service, signer_kid):`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`try:`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`return data.model.service_keys.get_service_key(signer_kid, service=service)`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`except data.model.ServiceKeyDoesNotExist:`
			`abort(403)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00

service key server wip 2016-03-16 19:49:25 +00:00			`@key_server.route('/services/<service>/keys', methods=['GET'])`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`def list_service_keys(service):`
			`keys = data.model.service_keys.list_service_keys(service)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`return jsonify({'keys': [key.jwk for key in keys]})`
service key server wip 2016-03-16 19:49:25 +00:00

rework superuser api 2016-03-25 22:44:11 +00:00			`@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])`
add notification path and use for service keys 2016-03-29 19:58:14 +00:00			`def get_service_key(service, kid):`
canonicalize json 2016-03-29 18:49:07 +00:00			`try:`
			`key = data.model.service_keys.get_service_key(kid)`
			`except data.model.ServiceKeyDoesNotExist:`
			`abort(404)`

			`if key.approval is None:`
add notification path and use for service keys 2016-03-29 19:58:14 +00:00			`abort(409)`
canonicalize json 2016-03-29 18:49:07 +00:00
rework superuser api 2016-03-25 22:44:11 +00:00			`return jsonify(key.jwk)`


service key server wip 2016-03-16 19:49:25 +00:00			`@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])`
			`def put_service_keys(service, kid):`
			`expiration_date = request.args.get('expiration', None)`
			`if expiration_date:`
			`try:`
			`expiration_date = datetime.utcfromtimestamp(float(expiration_date))`
			`except ValueError:`
			`abort(400)`

			`try:`
			`jwk = request.json()`
			`except ValueError:`
			`abort(400)`

service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)`
			`if not encoded_jwt:`
			`abort(400)`

converging on proper rotation 2016-03-28 23:00:00 +00:00			`_validate_jwk(jwk, kid)`

canonicalize json 2016-03-29 18:49:07 +00:00			`metadata = {'ip': request.remote_addr}`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`signer_kid = _signer_kid(encoded_jwt)`

service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`if kid == signer_kid or signer_kid == '':`
canonicalize json 2016-03-29 18:49:07 +00:00			`# The key is self-signed. Create a new instance and await approval.`
			`_validate_jwt(encoded_jwt, jwk, service)`
			`data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date)`
			`return make_response('', 202)`

			`metadata.update({'created_by': 'Key Rotation'})`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`signer_key = _signer_key(service, signer_kid)`
canonicalize json 2016-03-29 18:49:07 +00:00			`signer_jwk = signer_key.jwk`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`if signer_key.service != service:`
			`abort(403)`

canonicalize json 2016-03-29 18:49:07 +00:00			`_validate_jwt(encoded_jwt, signer_jwk, service)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
rework superuser api 2016-03-25 22:44:11 +00:00			`try:`
clear notifications on delete/replace service_key 2016-03-29 21:16:51 +00:00			`data.model.service_keys.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)`
rework superuser api 2016-03-25 22:44:11 +00:00			`except data.model.ServiceKeyDoesNotExist:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(404)`
service key server wip 2016-03-16 19:49:25 +00:00
canonicalize json 2016-03-29 18:49:07 +00:00			`return make_response('', 200)`

service key server wip 2016-03-16 19:49:25 +00:00
			`@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])`
			`def delete_service_key(service, kid):`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00			`encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)`
			`if not encoded_jwt:`
service key server wip 2016-03-16 19:49:25 +00:00			`abort(400)`
service keys: do all the right stuff 2016-03-23 22:16:03 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`signer_kid = _signer_kid(encoded_jwt)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`signer_key = _signer_key(service, signer_kid)`
service key server wip 2016-03-16 19:49:25 +00:00
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00			`self_signed = kid == signer_kid or signer_kid == ''`
			`approved_key_for_service = signer_key.approval is not None`

			`if self_signed or approved_key_for_service:`
converging on proper rotation 2016-03-28 23:00:00 +00:00			`_validate_jwt(encoded_jwt, signer_key.jwk, service)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`try:`
			`data.model.service_keys.delete_service_key(service, kid)`
			`except data.model.ServiceKeyDoesNotExist:`
			`abort(404)`
service_keys: s/get_keys/list_keys 2016-03-30 17:20:35 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`return make_response('', 200)`
service key server wip 2016-03-16 19:49:25 +00:00
converging on proper rotation 2016-03-28 23:00:00 +00:00			`abort(403)`