I recently received a request to add additional features to Pegleg's
generate passphrases command. The desire was to support multiple
types of secrets:
1. passphrases (24+ characters, including characters from upper,
lower, number, symbol).
2. base64 encoded passphrases.
3. UUID4.
As well as adding an additional flag to prevent Pegleg from
regenerating specific passphrases that are sensitive to rotation.
Finally, responding to an enhancement request interactive
passphrase generation can now be specified via the command line for
all passphrases, or by specifying 'prompt': True for specific
passphrases in passphrase-catalog.yaml
These objectives were completed by:
1. Updating passphrase_catalog.py to support a type field. If a
type is not specified, default to existing passphrase generation.
If an invalid value is specified, raise an exception.
2. Updating passphrase_catalog.py to support a regenerable field. If
the regenerable field is not specified, default to True. If an
invalid value is specified, raise an exception. When regenerable
is determined, secrets of 'uuid' type always use regenerable=False
as they should be one time values created at time of deployment
but not rotated.
3. Updating passphrase_catalog.py to support a prompt field. If the
prompt field is not specified, default to False. If an invalid
value is specified, raise an exception.
4. Adding appropriate exceptions.
5. Updating passphrase_generator.py to handle the new type checks,
UUID will use UUID4, base64 uses the existing logic of generating
a random passphrase and base64 encoding it, and existing logic
remains for generating a random passphrase.
6. Updating passphrase_generator.py to handle the regenerable field.
It checks if a file is present at the expected save path, and if
regenerable=False. If both are true, the passphrase is skipped so
the passphrase is not overwritten.
7. Updating unit tests to validate the new type checks.
NOTE: # nosec is used in passphrase_generator.py on the
'if passphrase_type == <special type>' statements. These are not a
security concern, but do cause Bandit error B105. See documentation
for B105 in [0]
Local testing of the generate passphrase command with the following
passphrase types:
passphrase_b64 : base64
passphrase_uuid : uuid
passphrase_specified : passphrase (specified)
passphrase_defaulted : passphrase (defaulted)
Resulted in the following data for each:
passphrase_b64.yaml:data: !!binary |
UDI1SGFFZHFlbWhITjBrdGJHZGFWRkp6UlZWdFdVNUQ=
passphrase_uuid.yaml:data: 5ce7c6bc-00d2-4b2c-9222-54891f075656
passphrase_specified.yaml:data: cYTenMYXFHUKn6ppYjx#+Hdx
passphrase_defaulted.yaml:data: 13ryjaM?I@sP#3&YQXuQEik4
[0] https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
Change-Id: I389316c5194ffa06f3df5114f7ac5f4f2887b319
Pytest includes a fixture that can be used to generate temporary
directories. Previously Pegleg had implemented a hombrewed version of a
temporary directory fixture. This change removes the homebrewed version
and replaces it with the tmpdir fixture.
Implement tmpdir fixture in tests
Upgrade all testing packages to use the latest features
Removes unused imports and organizes import lists
Removes mock package requirement and uses unittest.mock, included in
python >3.3
Implements a slightly cleaner method to get proxy info
Change-Id: If66e1cfba858d5fb8948529deb8fb2d32345f630
This patch addresses inconsistent code style and enforces it with a
gate for future submissions.
Separate work will be done in the future to address several of the
PEP8 ignores for docstrings, and attempt to bring the tests directory
to PEP8 compliance.
This patch:
1. Updates .style.yapf to set the knobs desired for YAPF.
2. Updates tox.ini to allow one of the knobs to work.
3. Removes unused code from several __init__.py files.
4. Updates the YAPF version in test-requirements.txt to latest (this
is needed for several knobs to work).
5. Stylistic changes to the python codebase in Pegleg.
6. Updates to tox.ini to run YAPF during PEP8 check.
Change-Id: Ieaa0fdef2b601d01c875d64b840986e54df73abf
Some applications, such as k8s, require a base64 encoded string.
This patch updates the passphrase catalog such that the user can
specify to use base64 encoding on one or more passphrases found in
the passphrase catalog.
We add that support by:
1. Updating pegleg.engine.catalogs.passphrase_catalog to include a
method which determines what encoding type to use, if any.
2. Updating pegleg.engine.generators.passphrase_generator.generate
to encode the passphrase in base64 if detected. This change is
designed to easily add other supported encoding methods in the
future if desired.
3. Updating tests.unit.engine.test_generate_passphrases to
demonstrate that the encoding field in passphrase catalog is
being used, and that the resultant passphrase is in fact base64
encoded. Also show that when encoding type is not specified, or
is set to 'none' that base64 encoding does not take place.
4. Updating tests.unit.engine.test_generate_passphrases to
demonstrate that the encoding field in passphrase catalog is
being used, and that the resultant passphrase is in fact base64
encoded. We also demonstrate the flow from original passphrase
to bytes, to base64 encoded, to encrypted, and back again yields
the expected values at each step of encoding/decoding/encryption
and decryption.
Change-Id: I47c740ca13be57ed74b6780f80c90b39e935708b
The exception raised on attempting to generate passphrases without a
passphrase catalog has been revised from a
PassphraseSchemaNotFoundException to a
PassphraseCatalogNotFoundException
Change-Id: Ifbb2903638ffffe5008db52adb6f874bcfa25a99
1. Adds the passphrases generation capability in Pegleg CLI,
so that pegleg can generation random passwords based on a
specification declared in pegleg/PassphrasesCatalog documents
2. Pegleg also wraps the generated passphrase documents in
pegleg managed documents, and encrypts the data.
3. Adds unit test cases for passphrase generation.
4. Updates pegleg CLI document.
Change-Id: I21d7668788cc24a8e0cc9cb0fb11df97600d0090