vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

create key server data interface

Browse source
This commit is contained in:
Jimmy Zelinskie 2016-08-31 14:31:43 -04:00
parent c06d395f96
commit 2e5a94bc0b
4 changed files with 140 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

122
data/interfaces/key_server.py Normal file
View file

@ -0,0 +1,122 @@
from collections import namedtuple
import data.model
class ServiceKey(namedtuple('ServiceKey', ['name', 'kid', 'service', 'jwk', 'metadata',
'created_date', 'expiration_date', 'rotation_duration',
'approval'])):
"""
Service Key represents a public key (JWK) being used by an instance of a particular service to
authenticate with other services.
"""
pass
class ServiceKeyException(Exception):
pass
class ServiceKeyDoesNotExist(ServiceKeyException):
pass
# TODO(jzelinskie): make this interface support superuser API
class KeyServerDataInterface(object):
"""
Interface that represents all data store interactions required by a JWT key service.
"""
@classmethod
def list_service_keys(cls, service):
"""
Returns a list of service keys or an empty list if the service does not exist.
"""
raise NotImplementedError()
@classmethod
def get_service_key(cls, signer_kid, service=None, alive_only=None, approved_only=None):
"""
Returns a service kid with the given kid or raises ServiceKeyNotFound.
"""
raise NotImplementedError()
@classmethod
def create_service_key(cls, name, kid, service, jwk, metadata, expiration_date,
rotation_duration=None):
"""
Stores a service key.
"""
raise NotImplementedError()
@classmethod
def replace_service_key(cls, old_kid, kid, jwk, metadata, expiration_date):
"""
Replaces a service with a new key or raises ServiceKeyNotFound.
"""
raise NotImplementedError()
@classmethod
def delete_service_key(cls, kid):
"""
Deletes and returns a service key with the given kid or raises ServiceKeyNotFound.
"""
raise NotImplementedError()
class PreOCIModel(KeyServerDataInterface):
"""
PreOCIModel implements the data model for JWT key service using a database schema before it was
changed to support the OCI specification.
"""
@classmethod
def _db_key_to_servicekey(cls, key):
"""
Converts the database model of a service key into a ServiceKey.
"""
return ServiceKey(
name=key.name,
kid=key.kid,
service=key.service,
jwk=key.jwk,
metadata=key.metadata,
created_date=key.created_date,
expiration_date=key.expiration_date,
rotation_duration=key.rotation_duration,
approval=key.approval,
)
@classmethod
def list_service_keys(cls, service):
return data.model.service_keys.list_service_keys(service)
@classmethod
def get_service_key(cls, signer_kid, service=None, alive_only=True, approved_only=True):
try:
key = data.model.service_keys.get_service_key(signer_kid, service, alive_only, approved_only)
return cls._db_key_to_servicekey(key)
except data.model.ServiceKeyDoesNotExist:
raise ServiceKeyDoesNotExist()
@classmethod
def create_service_key(cls, name, kid, service, jwk, metadata, expiration_date,
rotation_duration=None):
key = data.model.service_keys.create_service_key(name, kid, service, jwk, metadata,
expiration_date, rotation_duration)
return cls._db_key_to_servicekey(key)
@classmethod
def replace_service_key(cls, old_kid, kid, jwk, metadata, expiration_date):
try:
data.model.service_keys.replace_service_key(old_kid, kid, jwk, metadata, expiration_date)
except data.model.ServiceKeyDoesNotExist:
raise ServiceKeyDoesNotExist()
@classmethod
def delete_service_key(cls, kid):
try:
key = data.model.service_keys.delete_service_key(kid)
return cls._db_key_to_servicekey(key)
except data.model.ServiceKeyDoesNotExist:
raise ServiceKeyDoesNotExist()

31
endpoints/key_server.py → endpoints/keyserver/__init__.py
View file

@ -4,11 +4,9 @@ from datetime import datetime, timedelta
from flask import Blueprint, jsonify, abort, request, make_response
from jwt import get_unverified_header
import data.model
import data.model.service_keys
from data.model.log import log_action
from app import app
from data.interfaces.key_server import PreOCIModel as model, ServiceKeyDoesNotExist
from data.model.log import log_action
from util.security import jwtutil
@ -38,7 +36,7 @@ def _validate_jwt(encoded_jwt, jwk, service):
try:
jwtutil.decode(encoded_jwt, public_key, algorithms=['RS256'],
audience=JWT_AUDIENCE, issuer=service)
audience=JWT_AUDIENCE, issuer=service)
except jwtutil.InvalidTokenError:
logger.exception('JWT validation failure')
abort(400)
@ -55,23 +53,22 @@ def _signer_kid(encoded_jwt, allow_none=False):
def _lookup_service_key(service, signer_kid, approved_only=True):
try:
return data.model.service_keys.get_service_key(signer_kid, service=service,
approved_only=approved_only)
except data.model.ServiceKeyDoesNotExist:
return model.get_service_key(signer_kid, service=service, approved_only=approved_only)
except ServiceKeyDoesNotExist:
abort(403)
@key_server.route('/services/<service>/keys', methods=['GET'])
def list_service_keys(service):
keys = data.model.service_keys.list_service_keys(service)
keys = model.list_service_keys(service)
return jsonify({'keys': [key.jwk for key in keys]})
@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
def get_service_key(service, kid):
try:
key = data.model.service_keys.get_service_key(kid, alive_only=False, approved_only=False)
except data.model.ServiceKeyDoesNotExist:
key = model.get_service_key(kid, alive_only=False, approved_only=False)
except ServiceKeyDoesNotExist:
abort(404)
if key.approval is None:
@ -119,8 +116,8 @@ def put_service_key(service, kid):
if kid == signer_kid or signer_kid is None:
# The key is self-signed. Create a new instance and await approval.
_validate_jwt(encoded_jwt, jwk, service)
data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date,
rotation_duration=rotation_duration)
model.create_service_key('', kid, service, jwk, metadata, expiration_date,
rotation_duration=rotation_duration)
key_log_metadata = {
'kid': kid,
@ -143,8 +140,8 @@ def put_service_key(service, kid):
_validate_jwt(encoded_jwt, signer_jwk, service)
try:
data.model.service_keys.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
except data.model.ServiceKeyDoesNotExist:
model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
except ServiceKeyDoesNotExist:
abort(404)
key_log_metadata = {
@ -180,8 +177,8 @@ def delete_service_key(service, kid):
_validate_jwt(encoded_jwt, signer_key.jwk, service)
try:
data.model.service_keys.delete_service_key(kid)
except data.model.ServiceKeyDoesNotExist:
model.delete_service_key(kid)
except ServiceKeyDoesNotExist:
abort(404)
key_log_metadata = {

6
test/test_endpoints.py
View file

@ -18,7 +18,7 @@ from jwkest.jwk import RSAKey
from app import app
from data import model
from data.database import ServiceKeyApprovalType
from endpoints import key_server
from endpoints import keyserver
from endpoints.api import api, api_bp
from endpoints.api.user import Signin
from endpoints.web import web as web_bp
@ -28,7 +28,7 @@ from test.helpers import assert_action_logged
try:
app.register_blueprint(web_bp, url_prefix='')
app.register_blueprint(key_server.key_server, url_prefix='')
app.register_blueprint(keyserver.key_server, url_prefix='')
except ValueError:
# This blueprint was already registered
pass
@ -355,7 +355,7 @@ class KeyServerTestCase(EndpointTestCase):
def _get_test_jwt_payload(self):
return {
'iss': 'sample_service',
'aud': key_server.JWT_AUDIENCE,
'aud': keyserver.JWT_AUDIENCE,
'exp': int(time.time()) + 60,
'iat': int(time.time()),
'nbf': int(time.time()),

2
web.py
View file

@ -7,7 +7,7 @@ from endpoints.api import api_bp
from endpoints.bitbuckettrigger import bitbuckettrigger
from endpoints.githubtrigger import githubtrigger
from endpoints.gitlabtrigger import gitlabtrigger
from endpoints.key_server import key_server
from endpoints.keyserver import key_server
from endpoints.oauthlogin import oauthlogin
from endpoints.realtime import realtime
from endpoints.web import web