Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
This plugin takes another store to use and encrypts all content.
note: it does not encrypt key names nor the containers
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
This patch adds an 'origin' argument to the logger formatting that
comes from the configuration parser and ties a log entry to the
implementing class as well as the specific configuration facility
that instantiated it.
Also adds per configuration section debugging unless the global
debug statement is true, in which case all objects have debugging
forcibly turned on.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Use custom configuration and databases, do not rely on in-tree data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
The code was erroneously refusing to create containers or keys on
the base directory where there are no parents.
For single component keys always assume / exists in the database.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
The custom logging and traceback functions as well as the audit logger
are replaced with Python's logging framework. For now the loggers are
hard-coded to use a StreamHandler(sys.stderr) as root handler and a
FileHandler for the audit log.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
The server can now be configured using a new parameter called
"server_url".
Setting server_url to "http://0.0.0.0:80/" will make the server listen
on TCP port 80, while setting it to "http+unix://%2fsocket" will make
the server listen on the unix socket named "/socket".
The backwards compatible "server_socket" is retained and used if no
server_url is provided.
The request dict has a new field "client_id" that contains either a
PID or a peer name. In the future the field can be augmented with a
TLS client cert DN or other similar identifier.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
This plugin allows to mangle and forward requests to another custodia
server, locally or on the network.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
This makes it simpler to use a custodia server, whether exposed over
HTTP, HTTPS or a unix socket with the http+unix schema.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
A new internal method _absolute_key() is used to join key name and name
space. etcd treats the key space like a file system so the method checks
the key for '//', '.', and '..' to prevent invalid paths and path traversal
attacks.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Use a new verb, "span" to create namespaces/containers.
This will be needed for the Etcd plugin which needs to distinguish between
a directory and a key.
The sqlite/enclite just pass the request to their set() method.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Moves the secrets.Namespaces plugin to the proper authorizers file and
fixes it to properly enforce the user-named namespace is being used.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
The store was throwing an exception in case of a non-existing key.
Now it returns None as expected on missing keys, and properly
wraps encoding exceptions if the JWE can't be decoded.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
This commit removes the option to pass a filter parameter.
It also changes the way database plugins are expected to return
results, results are now expected to be relative to the path
requested.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #9
Uses the same method as the server, the request and response are quite
symmetrical here.
Also fix a bug with the subject name missing in the replies.
Adapt tests.
Signed-off-by: Simo Sorce <simo@redhat.com>
The Secrets class now logs any GET/SET/DEL of a key in an audit log file.
Signed-off-by: Simo Sorce <simo@redhat.com>
This avoids issues where spaces get turned to %20 and then name
matching comparisons (like for KEMHandler) fail.
Signed-off-by: Simo Sorce <simo@redhat.com>
The patch fixes two typos in the tear down function of two test suites.
The tests now clean up and remove temporary files like Unix socket and
test databases.
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes: #3
Signed-off-by: Simo Sorce <simo@redhat.com>
If 'signing_algorithms' is not explicitly set in the configuration
file use a reasonable default based on the server key type.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Also fix errors in handling encrypted requests, as well as errors in
the test suite.
Signed-off-by: Simo Sorce <simo@redhat.com>
If debug is set to True, then custodia's own Exception handlers will
print a stack trace to standard output to aid debugging.
Signed-off-by: Simo Sorce <simo@redhat.com>
This way clients that already have JWK key objects do not have to
export/import them. Other clients can simply call JWK upfront like
in the modified test.
Signed-off-by: Simo Sorce <simo@redhat.com>
This makes it easier to build clients.
Signed-off-by: Simo Sorce <simo@redhat.com>
The name ('sub') and the time ('exp') must be checked before letting
the request proceed.
Signed-off-by: Simo Sorce <simo@redhat.com>
Using the same key for signing and encryption is generally a frowned
upon approach in the security community as it may lead to some attacks.
Change the code to use key pairs, where the first key is the signing
key and the second one is the encryption key.
Signed-off-by: Simo Sorce <simo@redhat.com>
These messages are returned as is by the HTTP server as the status
code reason, str() returns a more human readable format.
Signed-off-by: Simo Sorce <simo@redhat.com>
parse_qs will always return lists even for single-valued parameters,
check for it in the Validator and properly handle the case.
Signed-off-by: Simo Sorce <simo@redhat.com>
This way checks and hives are created from the same list and will not
get out of sync (they are before this commit).
Signed-off-by: Simo Sorce <simo@redhat.com>
This allows admins to configure where the socket needs to be created
without forcing to change the cwd of the daemon to the same place.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Newer pylint version completely removed the star-args warning, including
recognizing the exception in the source code.
Remove it from all source code to avoid annoying pylint errors about
unrecognized exceptions, and add a general exception in the pylint makefile
invocation, as apparently it is ok there. This will avoid warnings if older
versions of pylint are used.
Signed-off-by: Simo Sorce <simo@redhat.com>
A missing query would not lead to the default 'simple' type being selected.
Add tests for PUT/GET/DELETE of a simple key.
Signed-off-by: Simo Sorce <simo@redhat.com>
The new 'kem' type allows the backend to authorize access to keys based on
a signed request where the key must be whitelisted in advance in a kemkeys
database.
The reply is encrypted with the client public key.
Signed-off-by: Simo Sorce <simo@redhat.com>