initial import for Open Source 🎉

endpoints/keyserver/__init__.py

@@ -0,0 +1,203 @@
+import logging
+
+from datetime import datetime, timedelta
+
+from flask import Blueprint, jsonify, abort, request, make_response
+from jwt import get_unverified_header
+
+from app import app
+from data.logs_model import logs_model
+from endpoints.keyserver.models_interface import ServiceKeyDoesNotExist
+from endpoints.keyserver.models_pre_oci import pre_oci_model as model
+from util.security import jwtutil
+from util.request import get_request_ip
+
+
+logger = logging.getLogger(__name__)
+key_server = Blueprint('key_server', __name__)
+
+
+JWT_HEADER_NAME = 'Authorization'
+JWT_AUDIENCE = app.config['PREFERRED_URL_SCHEME'] + '://' + app.config['SERVER_HOSTNAME']
+
+
+def _validate_jwk(jwk):
+  if 'kty' not in jwk:
+    abort(400)
+
+  if jwk['kty'] == 'EC':
+    if 'x' not in jwk or 'y' not in jwk:
+      abort(400)
+  elif jwk['kty'] == 'RSA':
+    if 'e' not in jwk or 'n' not in jwk:
+      abort(400)
+  else:
+    abort(400)
+
+
+def _validate_jwt(encoded_jwt, jwk, service):
+  public_key = jwtutil.jwk_dict_to_public_key(jwk)
+
+  try:
+    jwtutil.decode(encoded_jwt, public_key, algorithms=['RS256'],
+                   audience=JWT_AUDIENCE, issuer=service)
+  except jwtutil.InvalidTokenError:
+    logger.exception('JWT validation failure')
+    abort(400)
+
+
+def _signer_kid(encoded_jwt, allow_none=False):
+  headers = get_unverified_header(encoded_jwt)
+  kid = headers.get('kid', None)
+  if not kid and not allow_none:
+    abort(400)
+
+  return kid
+
+
+def _lookup_service_key(service, signer_kid, approved_only=True):
+  try:
+    return model.get_service_key(signer_kid, service=service, approved_only=approved_only)
+  except ServiceKeyDoesNotExist:
+    abort(403)
+
+
+def jwk_with_kid(key):
+  jwk = key.jwk.copy()
+  jwk.update({'kid': key.kid})
+  return jwk
+
+
+@key_server.route('/services/<service>/keys', methods=['GET'])
+def list_service_keys(service):
+  keys = model.list_service_keys(service)
+  return jsonify({'keys': [jwk_with_kid(key) for key in keys]})
+
+
+@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
+def get_service_key(service, kid):
+  try:
+    key = model.get_service_key(kid, alive_only=False, approved_only=False)
+  except ServiceKeyDoesNotExist:
+    abort(404)
+
+  if key.approval is None:
+    abort(409)
+
+  if key.expiration_date is not None and key.expiration_date <= datetime.utcnow():
+    abort(403)
+
+  resp = jsonify(key.jwk)
+  lifetime = min(timedelta(days=1), ((key.expiration_date or datetime.max) - datetime.utcnow()))
+  resp.cache_control.max_age = max(0, lifetime.total_seconds())
+  return resp
+
+
+@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
+def put_service_key(service, kid):
+  metadata = {'ip': get_request_ip()}
+
+  rotation_duration = request.args.get('rotation', None)
+  expiration_date = request.args.get('expiration', None)
+  if expiration_date is not None:
+    try:
+      expiration_date = datetime.utcfromtimestamp(float(expiration_date))
+    except ValueError:
+      logger.exception('Error parsing expiration date on key')
+      abort(400)
+
+  try:
+    jwk = request.get_json()
+  except ValueError:
+    logger.exception('Error parsing JWK')
+    abort(400)
+
+  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
+  match = jwtutil.TOKEN_REGEX.match(jwt_header)
+  if match is None:
+    logger.error('Could not find matching bearer token')
+    abort(400)
+
+  encoded_jwt = match.group(1)
+
+  _validate_jwk(jwk)
+
+  signer_kid = _signer_kid(encoded_jwt, allow_none=True)
+  if kid == signer_kid or signer_kid is None:
+    # The key is self-signed. Create a new instance and await approval.
+    _validate_jwt(encoded_jwt, jwk, service)
+    model.create_service_key('', kid, service, jwk, metadata, expiration_date,
+                             rotation_duration=rotation_duration)
+
+    logs_model.log_action('service_key_create', ip=get_request_ip(), metadata={
+      'kid': kid,
+      'preshared': False,
+      'service': service,
+      'name': '',
+      'expiration_date': expiration_date,
+      'user_agent': request.headers.get('User-Agent'),
+      'ip': get_request_ip(),
+    })
+
+    return make_response('', 202)
+
+  # Key is going to be rotated.
+  metadata.update({'created_by': 'Key Rotation'})
+  signer_key = _lookup_service_key(service, signer_kid)
+  signer_jwk = signer_key.jwk
+
+  _validate_jwt(encoded_jwt, signer_jwk, service)
+
+  try:
+    model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
+  except ServiceKeyDoesNotExist:
+    abort(404)
+
+  logs_model.log_action('service_key_rotate', ip=get_request_ip(), metadata={
+    'kid': kid,
+    'signer_kid': signer_key.kid,
+    'service': service,
+    'name': signer_key.name,
+    'expiration_date': expiration_date,
+    'user_agent': request.headers.get('User-Agent'),
+    'ip': get_request_ip(),
+  })
+
+  return make_response('', 200)
+
+
+@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
+def delete_service_key(service, kid):
+  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
+  match = jwtutil.TOKEN_REGEX.match(jwt_header)
+  if match is None:
+    abort(400)
+
+  encoded_jwt = match.group(1)
+
+  signer_kid = _signer_kid(encoded_jwt)
+  signer_key = _lookup_service_key(service, signer_kid, approved_only=False)
+
+  self_signed = kid == signer_kid
+  approved_key_for_service = signer_key.approval is not None
+
+  if self_signed or approved_key_for_service:
+    _validate_jwt(encoded_jwt, signer_key.jwk, service)
+
+    try:
+      model.delete_service_key(kid)
+    except ServiceKeyDoesNotExist:
+      abort(404)
+
+    logs_model.log_action('service_key_delete', ip=get_request_ip(), metadata={
+      'kid': kid,
+      'signer_kid': signer_key.kid,
+      'service': service,
+      'name': signer_key.name,
+      'user_agent': request.headers.get('User-Agent'),
+      'ip': get_request_ip(),
+    })
+
+    return make_response('', 204)
+
+  abort(403)

endpoints/keyserver/models_interface.py

@@ -0,0 +1,65 @@
+from abc import ABCMeta, abstractmethod
+from collections import namedtuple
+
+from six import add_metaclass
+
+
+class ServiceKey(namedtuple('ServiceKey', ['name', 'kid', 'service', 'jwk', 'metadata',
+                                           'created_date', 'expiration_date', 'rotation_duration',
+                                           'approval'])):
+  """
+  Service Key represents a public key (JWK) being used by an instance of a particular service to
+  authenticate with other services.
+  """
+  pass
+
+
+class ServiceKeyException(Exception):
+  pass
+
+
+class ServiceKeyDoesNotExist(ServiceKeyException):
+  pass
+
+
+@add_metaclass(ABCMeta)
+class KeyServerDataInterface(object):
+  """
+  Interface that represents all data store interactions required by a JWT key service.
+  """
+
+  @abstractmethod
+  def list_service_keys(self, service):
+    """
+    Returns a list of service keys or an empty list if the service does not exist.
+    """
+    pass
+
+  @abstractmethod
+  def get_service_key(self, signer_kid, service=None, alive_only=None, approved_only=None):
+    """
+    Returns a service kid with the given kid or raises ServiceKeyNotFound.
+    """
+    pass
+
+  @abstractmethod
+  def create_service_key(self, name, kid, service, jwk, metadata, expiration_date,
+                         rotation_duration=None):
+    """
+    Stores a service key.
+    """
+    pass
+
+  @abstractmethod
+  def replace_service_key(self, old_kid, kid, jwk, metadata, expiration_date):
+    """
+    Replaces a service with a new key or raises ServiceKeyNotFound.
+    """
+    pass
+
+  @abstractmethod
+  def delete_service_key(self, kid):
+    """
+    Deletes and returns a service key with the given kid or raises ServiceKeyNotFound.
+    """
+    pass

endpoints/keyserver/models_pre_oci.py

@@ -0,0 +1,59 @@
+import data.model
+
+from endpoints.keyserver.models_interface import (KeyServerDataInterface, ServiceKey,
+                                                  ServiceKeyDoesNotExist)
+
+
+class PreOCIModel(KeyServerDataInterface):
+  """
+  PreOCIModel implements the data model for JWT key service using a database schema before it was
+  changed to support the OCI specification.
+  """
+  def list_service_keys(self, service):
+    return data.model.service_keys.list_service_keys(service)
+
+  def get_service_key(self, signer_kid, service=None, alive_only=True, approved_only=True):
+    try:
+      key = data.model.service_keys.get_service_key(signer_kid, service, alive_only, approved_only)
+      return _db_key_to_servicekey(key)
+    except data.model.ServiceKeyDoesNotExist:
+      raise ServiceKeyDoesNotExist()
+
+  def create_service_key(self, name, kid, service, jwk, metadata, expiration_date,
+                         rotation_duration=None):
+    key = data.model.service_keys.create_service_key(name, kid, service, jwk, metadata,
+                                                     expiration_date, rotation_duration)
+    return _db_key_to_servicekey(key)
+
+  def replace_service_key(self, old_kid, kid, jwk, metadata, expiration_date):
+    try:
+      data.model.service_keys.replace_service_key(old_kid, kid, jwk, metadata, expiration_date)
+    except data.model.ServiceKeyDoesNotExist:
+      raise ServiceKeyDoesNotExist()
+
+  def delete_service_key(self, kid):
+    try:
+      key = data.model.service_keys.delete_service_key(kid)
+      return _db_key_to_servicekey(key)
+    except data.model.ServiceKeyDoesNotExist:
+      raise ServiceKeyDoesNotExist()
+
+
+pre_oci_model = PreOCIModel()
+
+
+def _db_key_to_servicekey(key):
+  """
+  Converts the Pre-OCI database model of a service key into a ServiceKey.
+  """
+  return ServiceKey(
+    name=key.name,
+    kid=key.kid,
+    service=key.service,
+    jwk=key.jwk,
+    metadata=key.metadata,
+    created_date=key.created_date,
+    expiration_date=key.expiration_date,
+    rotation_duration=key.rotation_duration,
+    approval=key.approval,
+  )