From 5568cc77b875ea4e6209ad836ec5c9949e66bdf9 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Mon, 23 May 2016 16:00:48 -0400 Subject: [PATCH] remove all default keys (#1485) This change: - Generates a new BitTorrent pepper by default - Generates a new pagination key by default - Changes the pagination key format to base64 - Removes selfsigned JWT certs - Moves test keys to test/data --- config.py | 13 +++++++++---- .../jwt.crt => test/data/registry_v2_auth.crt | 0 .../data/registry_v2_auth_private.key | 0 test/{ => data}/signing-private.gpg | Bin test/{ => data}/signing-public.gpg | 0 test/testconfig.py | 6 ++++-- util/security/crypto.py | 4 ++-- 7 files changed, 15 insertions(+), 8 deletions(-) rename conf/selfsigned/jwt.crt => test/data/registry_v2_auth.crt (100%) rename conf/selfsigned/jwt.key => test/data/registry_v2_auth_private.key (100%) rename test/{ => data}/signing-private.gpg (100%) rename test/{ => data}/signing-public.gpg (100%) diff --git a/config.py b/config.py index 476f72b21..ebd8f65e1 100644 --- a/config.py +++ b/config.py @@ -1,5 +1,9 @@ +from uuid import uuid4 + import os.path +from cryptography.fernet import Fernet + import requests @@ -258,8 +262,8 @@ class DefaultConfig(object): # Registry v2 JWT Auth config JWT_AUTH_MAX_FRESH_S = 60 * 60 + 60 # At most signed for one hour, accounting for clock skew JWT_AUTH_TOKEN_ISSUER = 'quay-test-issuer' - JWT_AUTH_CERTIFICATE_PATH = 'conf/selfsigned/jwt.crt' - JWT_AUTH_PRIVATE_KEY_PATH = 'conf/selfsigned/jwt.key' + JWT_AUTH_CERTIFICATE_PATH = None + JWT_AUTH_PRIVATE_KEY_PATH = None # The URL endpoint to which we redirect OAuth when generating a token locally. LOCAL_OAUTH_HANDLER = '/oauth/localapp' @@ -317,13 +321,14 @@ class DefaultConfig(object): FEATURE_BITTORRENT = False BITTORRENT_PIECE_SIZE = 512 * 1024 BITTORRENT_ANNOUNCE_URL = 'https://localhost:6881/announce' - BITTORRENT_FILENAME_PEPPER = '3ae93fef-c30a-427e-9ba0-eea0fd710419' + BITTORRENT_FILENAME_PEPPER = str(uuid4()) BITTORRENT_WEBSEED_LIFETIME = 3600 # "Secret" key for generating encrypted paging tokens. Only needed to be secret to # hide the ID range for production (in which this value is overridden). Should *not* # be relied upon for secure encryption otherwise. - PAGE_TOKEN_KEY = 'um=/?Kqgp)2yQaS/A6C{NL=dXE&>C:}(' + # This value is a Fernet key and should be 32bytes URL-safe base64 encoded. + PAGE_TOKEN_KEY = '0OYrc16oBuksR8T3JGB-xxYSlZ2-7I_zzqrLzggBJ58=' # The timeout for service key approval. UNAPPROVED_SERVICE_KEY_TTL_SEC = 60 * 60 * 24 # One day diff --git a/conf/selfsigned/jwt.crt b/test/data/registry_v2_auth.crt similarity index 100% rename from conf/selfsigned/jwt.crt rename to test/data/registry_v2_auth.crt diff --git a/conf/selfsigned/jwt.key b/test/data/registry_v2_auth_private.key similarity index 100% rename from conf/selfsigned/jwt.key rename to test/data/registry_v2_auth_private.key diff --git a/test/signing-private.gpg b/test/data/signing-private.gpg similarity index 100% rename from test/signing-private.gpg rename to test/data/signing-private.gpg diff --git a/test/signing-public.gpg b/test/data/signing-public.gpg similarity index 100% rename from test/signing-public.gpg rename to test/data/signing-public.gpg diff --git a/test/testconfig.py b/test/testconfig.py index 3fdb00ec2..9d64cbe7d 100644 --- a/test/testconfig.py +++ b/test/testconfig.py @@ -70,6 +70,8 @@ class TestConfig(DefaultConfig): SIGNING_ENGINE = 'gpg2' GPG2_PRIVATE_KEY_NAME = 'EEB32221' - GPG2_PRIVATE_KEY_FILENAME = '/test/signing-private.gpg' - GPG2_PUBLIC_KEY_FILENAME = '/test/signing-public.gpg' + GPG2_PRIVATE_KEY_FILENAME = '/test/data/signing-private.gpg' + GPG2_PUBLIC_KEY_FILENAME = '/test/data/signing-public.gpg' + JWT_AUTH_CERTIFICATE_PATH = 'test/data/registry_v2_auth.crt' + JWT_AUTH_PRIVATE_KEY_PATH = 'test/data/registry_v2_auth_private.key' diff --git a/util/security/crypto.py b/util/security/crypto.py index 0792c9d66..d25c860e6 100644 --- a/util/security/crypto.py +++ b/util/security/crypto.py @@ -4,12 +4,12 @@ from cryptography.fernet import Fernet, InvalidToken def encrypt_string(string, key): """ Encrypts a string with the specified key. The key must be 32 raw bytes. """ - f = Fernet(base64.urlsafe_b64encode(key)) + f = Fernet(key) return f.encrypt(string) def decrypt_string(string, key, ttl=None): """ Decrypts an encrypted string with the specified key. The key must be 32 raw bytes. """ - f = Fernet(base64.urlsafe_b64encode(key)) + f = Fernet(key) try: return f.decrypt(str(string), ttl=ttl) except InvalidToken: