When pegleg wraps documents, it uses the original document name as the
name of the managed document. This often results in duplicate documents
(i.e. identical in name and schema). For example, it is expected to have
identically named deckhand document pairs: Certificate & CertificateKey;
CertificateAuthority & CertificateAuthorityKey; PublicKey & PrivateKey.
However, this could also occur for unrelated document types that happen
to have the same name, and generally defeats the principle that each
document is identified by a schema top-level key and the metadata.name.
This change uses a combination of the original document schema and name
to build the name of the pegleg/PeglegManagedDocument/v1.
Change-Id: Iab186ae7e9d24a30cb413be89a17fad960e10bea
Barbican is being enabled, as such the metadata field should not be
modified by Pegleg. If it says encrypted, then Barbican will
encrypt.
If it says cleartext, Barbican won't. All pegleg needs to do is
decrypt the document prior to bundling it which exists already
without this change.
This reverts commit 2d88f48989.
Change-Id: I8900f910f9816508a8ec5c23932252bb9d1fde09
This patch updates layer for wrapped documents to preserve original
layer. Previously all encrypted documents had site layer.
Update encrypt/decrypt logic when determining global keys.
Update units tests.
Change-Id: I447aeaea08a4514655fcabfc7077b6d4b282e27f
Barbican expects storagePolicy:cleartext when accepting documents
from Pegleg. Once the document is decrypted updated storagePolicy to
cleartext.
During genesis bundle creation, the encrypted documents are
decrypted, then the whole bundle is encrypted. Once the bundle gets
deployed the contained documents should all have the correct storage
policy of cleartext.
As a result, two unit tests are updated to no longer compare the
storagePolicy, as it is expected everything going to Barbican is
cleartext, but in order for Pegleg to know to encrypt the original
document is storagePolicy:encrypted
Change-Id: I5167ce6b3030d143d1ff0b789883529a6557eeca
One of the well-known issues of Python is that dictionaries do not
maintain order in their keys once created. This causes YAML data dumps
to output in a seemingly random order or alphabetically. As these output
files are often kept in their own repositories, they must go through
review or comparison in VCS. If the order of keys is switching for these
files every time Pegleg is ran, it makes it difficult for a user to
compare newly generated files with the old.
To fix this issue, we can change all dictionaries used to template
YAML files into OrderedDict objects. The OrderedDict objects will
maintain order through their dumping to YAML.
Change-Id: I0c1ee3f3f37ed8598d2ba81528d5c61447cbd0d0
Pytest includes a fixture that can be used to generate temporary
directories. Previously Pegleg had implemented a hombrewed version of a
temporary directory fixture. This change removes the homebrewed version
and replaces it with the tmpdir fixture.
Implement tmpdir fixture in tests
Upgrade all testing packages to use the latest features
Removes unused imports and organizes import lists
Removes mock package requirement and uses unittest.mock, included in
python >3.3
Implements a slightly cleaner method to get proxy info
Change-Id: If66e1cfba858d5fb8948529deb8fb2d32345f630
This patch addresses inconsistent code style and enforces it with a
gate for future submissions.
Separate work will be done in the future to address several of the
PEP8 ignores for docstrings, and attempt to bring the tests directory
to PEP8 compliance.
This patch:
1. Updates .style.yapf to set the knobs desired for YAPF.
2. Updates tox.ini to allow one of the knobs to work.
3. Removes unused code from several __init__.py files.
4. Updates the YAPF version in test-requirements.txt to latest (this
is needed for several knobs to work).
5. Stylistic changes to the python codebase in Pegleg.
6. Updates to tox.ini to run YAPF during PEP8 check.
Change-Id: Ieaa0fdef2b601d01c875d64b840986e54df73abf
This patchset adds support for globally encrypted secrets.
Documents with a "site" layer will be encrypted/decrypted with the
standard PEGLEG_PASSPHRASE and PEGLEG_SALT environment variables.
If any secrets exist for the site with a schema of "global_passphrase"
or "global_salt" their values will be captured and used to decrypt
any secrets that do not belong to "site" layer. If the global keys
do not exist, Pegleg will default to using site keys.
Expected usage:
1. Set site passphrase/salt environment variables
2. Select a global passphrase and salt
3. Use Pegleg's "wrap" command to wrap and encrypt the global keys
4. Encrypt or wrap documents with "global" layer
5. Provide Pegleg path to decrypt
In the case of (4) and (5) Pegleg will determine the correct keys
to use automatically
Change-Id: I5de6d63573619b346fe011628ae21e053e0711f6
Metadata schema for managed documents should now be metadata/Document/v1,
not deckhand/Document/v1.
Change-Id: Id500fc7d5b68a4c296848c07a9644f375e949289
1. Adds the passphrases generation capability in Pegleg CLI,
so that pegleg can generation random passwords based on a
specification declared in pegleg/PassphrasesCatalog documents
2. Pegleg also wraps the generated passphrase documents in
pegleg managed documents, and encrypts the data.
3. Adds unit test cases for passphrase generation.
4. Updates pegleg CLI document.
Change-Id: I21d7668788cc24a8e0cc9cb0fb11df97600d0090
This patch set adds hacking rule to pegleg and fixes outstanding non-
docstring related violations.
Change-Id: I5bb5e78c211f24cf95669124bfcf9603bea8bf15
Signed-off-by: Tin Lam <tin@irrational.io>