| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a special authorization plugin that verifies the
identity of the node as well as checking that the node is authorized
to make a request on behalf of the pod for which it is asking secrets.
If all checks pass the path is rewritten to point to the proper secrets
namespace for the pod. By rewriting paths, in case of catastrophic
failure of the plugin no secret can be found as the path matches nothing.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This authentication module connects to docker to figure out the pod
name associated to the PID requesting the service by ay of discovering
the container id via the process cgroup namespace.
The pod name as set in the metadata label named 'io.kubernetes.pod.name'
is then used as the 'remote_user' attribute on the request.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
custodia.client library now logs requests and responses.
The auditfile argument of setup_logging() can be set to None to
configure client logging without audit file.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This allows to easily use end-to-end encrypted requests and replies
to fetch secrets.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the term secret and not key to refer to .. well .. secrets.
Store the last response instead of returning it to the caller, this
way there is a consistent way to get access to it and only as needed.
Change the name to CustodiaSimpleClient in preparaion for extending the
support to other Secret types.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
The payload was not being set with the provided value when a PUT
operation token was parsed. This resulted in attempting to store
an empty value instead of the provided secret.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
All authorization modules need to be executed, we cannot bail at the
first one that returns a positive answer. Some authz modules attach
data to the requst as a side effect and they need to be run even if
others also authorize access.
Additionally if a later module returns an explicit Deny, then that
must override any previous granted access.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
In the server case auditlog is used in the pipeline too, so make it public.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
| |
setup.py no longer installs Custodia's tests files. The test cases are
only shipped in the source distribution.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This plugin takes a nother store to use and ecnrypts all content.
note: it does not encrypt key names nor the containers
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adda an 'origin' argument to the logger formatting that
coms from the configuration parser and ties a log entry to the
implementing class as well as the specific configuration facility
that instantiated it.
Also adds per configuration section debugging unless the global
debug statment is true, in which case all objects have debugging
forcibly turned on.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
| |
Use custom configuration and databases, do not rely on in-tree data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The code was errnoeously refusing to create containers or keys on
the base directory where there are no parents.
For single component keys always assume / exists in the database.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The custom logging and traceback functions as well as the audit logger
are replaced with Python's logging framework. For now the loggers are
hard-coded to use a StreamHandler(sys.stderr) as root handler and a
FileHandler for the audit log.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The latter is customized to show Travis' CI build status on Github,
and will have more hosting specific content going forward.
The regular README will be targeted for offline information, and will
not be necessarilya markdown file either.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
tox 2.0 has a bug in envsitepackagesdir variable substitution. Install
tox<2.0 for Travis CI.
Custodia now depends on python-requests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The server can be now configured using a new parameter called
"server_url".
Setting server_url to "http://0.0.0.0:80/" will make the server listen
on TCP port 80, while setting it to "http+unix://%2fsocket" will make
the server listen on the unix socket named "/socket".
The backwards compatible "server_socket" is retained and used if no
server_url is provided.
The request dict has a new field "client_id" that contains either a
PID or a peer name. In the future the field can be augmented with a
TLS client cert DN or other similar identifier.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This pugin allows to mangle and forward requests to another custodia
server, locally or on the network.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
| |
This makes it simpler to use a custodia server, whether exposed over
HTTP, HTTPS or a unix socket with the http+unix schema.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
A new internal method _absolute_key() is used to join key name and name
space. etcd treats the key space like a file system so the method checks
the key for '//', '.', and '..' to prevent invalid paths and path traversal
attacks.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Use a new verb, "span" to create namespaces/containers.
This will be needed for the Etcd plugin which need to distinguish between
a directory and a key.
The sqlite/enclite just pass the request to their set() method.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
| |
Moves the secrets.Namespaces plugin to the proper authorizers file and
fixes it to properly enforce the user-named namespace is being used.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The store as throwing an exception in case of an unesisting key.
Now it returns None as expected on missing keys, and properly
wraps encoding exceptions if the JWE can't be decoded.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This commit removes the option to pas a filter parameter.
It also changes the way database plugins are expected to return
results, results are now expected to be relative to the path
requested.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
| |
With this env var we force the local /bin/coverage to still source locally
unavailable modules from the .tox directory.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #9
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #8
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|