Source code for keystone.credential.providers.fernet.core
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from cryptography import fernet
from oslo_log import log
from keystone.common import fernet_utils
import keystone.conf
from keystone.credential.providers import core
from keystone import exception
from keystone.i18n import _
CONF = keystone.conf.CONF
LOG = log.getLogger(__name__)
# NOTE(lbragstad): Credential key rotation operates slightly different than
# Fernet key rotation. Each credential holds a hash of the key that encrypted
# it. This is important for credential key rotation because it helps us make
# sure we don't over-rotate credential keys. During a rotation of credential
# keys, if any credential has not been re-encrypted with the current primary
# key, we can abandon the key rotation until all credentials have been migrated
# to the new primary key. If we don't take this step, it is possible that we
# could remove a key used to encrypt credentials, leaving them recoverable.
# This also means that we don't need to expose a `[credential] max_active_keys`
# option through configuration. Instead we will use a global configuration and
# share that across all places that need to use FernetUtils for credential
# encryption.
MAX_ACTIVE_KEYS = 3
[docs]class Provider(core.Provider):
@property
[docs] def crypto(self):
keys = [fernet.Fernet(key) for key in self._get_encryption_keys()]
return fernet.MultiFernet(keys)
def _get_encryption_keys(self):
self.key_utils = fernet_utils.FernetUtils(
CONF.credential.key_repository, MAX_ACTIVE_KEYS
)
return self.key_utils.load_keys()
[docs] def encrypt(self, credential):
"""Attempt to encrypt a plaintext credential.
:param credential: a plaintext representation of a credential
:returns: an encrypted credential
"""
try:
return self.crypto.encrypt(credential.encode('utf-8'))
except (TypeError, ValueError):
msg = _('Credential could not be encrypted. Please contact the'
' administrator')
LOG.error(msg)
raise exception.CredentialEncryptionError(msg)
[docs] def decrypt(self, credential):
"""Attempt to decrypt a credential.
:param credential: an encrypted credential string
:returns: a decrypted credential
"""
try:
return self.crypto.decrypt(bytes(credential)).decode('utf-8')
except (fernet.InvalidToken, TypeError, ValueError):
msg = _('Credential could not be decrypted. Please contact the'
' administrator')
LOG.error(msg)
raise exception.CredentialEncryptionError(msg)