From fc27b775db634123f2a02ee5806c516a14b1428d Mon Sep 17 00:00:00 2001
From: Alejandro Roiz Walss
Date: Tue, 30 Jan 2024 18:51:30 -0600
Subject: [PATCH 1/5] fix dynamodb saves
---
 confidant/routes/blind_credentials.py | 8 ++++----
 confidant/routes/credentials.py | 15 ++++++++-------
 confidant/routes/services.py | 4 ++--
 3 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/confidant/routes/blind_credentials.py b/confidant/routes/blind_credentials.py
index 8e9ca4de..32696c83 100644
--- a/confidant/routes/blind_credentials.py
+++ b/confidant/routes/blind_credentials.py
@@ -188,7 +188,7 @@ def create_blind_credential():
 if not isinstance(data.get('metadata', {}), dict):
 return jsonify({'error': 'metadata must be a dict'}), 400
 for cred in BlindCredential.data_type_date_index.query(
- 'blind-credential', name__eq=data['name']):
+ 'blind-credential'):
 # Conflict, the name already exists
 msg = 'Name already exists. See id: {0}'.format(cred.id)
 return jsonify({'error': msg, 'reference': cred.id}), 409
@@ -210,7 +210,7 @@ def create_blind_credential():
 cipher_version=data['cipher_version'],
 modified_by=authnz.get_logged_in_user(),
 documentation=data.get('documentation')
- ).save(id__null=True)
+ ).save()
 # Make this the current revision
 cred = BlindCredential(
 id=id,
@@ -344,7 +344,7 @@ def update_blind_credential(id):
 cipher_version=update['cipher_version'],
 modified_by=authnz.get_logged_in_user(),
 documentation=update['documentation']
- ).save(id__null=True)
+ ).save()
 except PutError as e:
 logger.error(e)
 return jsonify(
@@ -454,7 +454,7 @@ def revert_blind_credential_to_revision(id, to_revision):
 cipher_version=revert_credential.cipher_version,
 modified_by=authnz.get_logged_in_user(),
 documentation=revert_credential.documentation
- ).save(id__null=True)
+ ).save()
 except PutError as e:
 logger.error(e)
 return jsonify(
diff --git a/confidant/routes/credentials.py b/confidant/routes/credentials.py
index 045170ba..c0498e3d 100644
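Review bot: Dropping `name__eq=data['name']` from the `data_type_date_index.query(...)` call in the `@@ -188,7 +188,7 @@` hunk removes the name filter without adding any comparison in the loop body, so the unconditional `return ... 409` fires for the first stored blind credential of any name and creation fails as soon as one exists. PATCH 3/5 in this series restores a `filter_condition` on `BlindCredential.name`, but as committed this revision is broken, which matters for bisecting; squashing it with PATCH 3/5 would avoid that. Independently of the filter, the duplicate-name check is a read followed later by an unconditioned `.save()`, so two concurrent creates with the same name can both pass; the same holds for the credentials.py `@@ -616` hunks in PATCH 1/5 and 2/5. Worth a comment at the loop such as `# Best-effort uniqueness check: not atomic with the save below`. `create_blind_credential` continues beyond this hunk.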
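Review bot: Replacing `.save(id__null=True)` with a bare `.save()` in the `@@ -210`, `@@ -344` and `@@ -454` hunks drops the conditional put that refused to overwrite an existing archive item, so a retry or a concurrent update that computes the same `'{0}-{1}'.format(id, revision)` key now silently replaces the stored revision instead of failing with `PutError`. If the legacy `id__null=True` keyword no longer works with the installed pynamodb, the supported equivalent is a condition expression: `).save(condition=BlindCredential.id.does_not_exist())`. The same change is made in the credentials.py hunks at `@@ -643`, `@@ -882` and `@@ -1056` (use `Credential.id`) and the services.py hunks at `@@ -650` and `@@ -811` (use `Service.id`), and the same fix applies there. The `@@ -344` and `@@ -454` saves are visibly followed by `except PutError`, so the error path already exists; for `@@ -210` the surrounding `try` is outside the hunk.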
--- a/confidant/routes/credentials.py
+++ b/confidant/routes/credentials.py
@@ -616,10 +616,11 @@ def create_credential():
 if not _check:
 return jsonify(ret), 400
 for cred in Credential.data_type_date_index.query(
- 'credential', name__eq=data['name']):
- # Conflict, the name already exists
- msg = 'Name already exists. See id: {0}'.format(cred.id)
- return jsonify({'error': msg, 'reference': cred.id}), 409
+ 'credential'):
+ if cred.name == data['name']:
+ # Conflict, the name already exists
+ msg = 'Name already exists. See id: {0}'.format(cred.id)
+ return jsonify({'error': msg, 'reference': cred.id}), 409
 # Generate an initial stable ID to allow name changes
 id = str(uuid.uuid4()).replace('-', '')
 # Try to save to the archive
@@ -643,7 +644,7 @@ def create_credential():
 documentation=data.get('documentation'),
 tags=data.get('tags', []),
 last_rotation_date=last_rotation_date,
- ).save(id__null=True)
+ ).save()
 # Make this the current revision
 cred = Credential(
 id=id,
@@ -882,7 +883,7 @@ def update_credential(id):
 documentation=update['documentation'],
 tags=update['tags'],
 last_rotation_date=update['last_rotation_date'],
- ).save(id__null=True)
+ ).save()
 except PutError as e:
 logger.error(e)
 return jsonify({'error': 'Failed to add credential to archive.'}), 500
@@ -1056,7 +1057,7 @@ def revert_credential_to_revision(id, to_revision):
 documentation=revert_credential.documentation,
 tags=revert_credential.tags,
 last_rotation_date=revert_credential.last_rotation_date,
- ).save(id__null=True)
+ ).save()
 except PutError as e:
 logger.error(e)
 return jsonify({'error': 'Failed to add credential to archive.'}), 500
diff --git a/confidant/routes/services.py b/confidant/routes/services.py
index 3d585505..f8bc9823 100644
--- a/confidant/routes/services.py
+++ b/confidant/routes/services.py
@@ -650,7 +650,7 @@ def map_service_credentials(id):
 enabled=data.get('enabled'),
 revision=revision,
 modified_by=authnz.get_logged_in_user()
- ).save(id__null=True)
+ ).save()
 except PutError as e:
 logger.error(e)
 return jsonify({'error': 'Failed to add service to archive.'}), 500
@@ -811,7 +811,7 @@ def revert_service_to_revision(id, to_revision):
 enabled=revert_service.enabled,
 revision=new_revision,
 modified_by=authnz.get_logged_in_user()
- ).save(id__null=True)
+ ).save()
 except PutError as e:
 logger.error(e)
 return jsonify({'error': 'Failed to add service to archive.'}), 500
From 7051659c7cba98ce66f709f70b8dda3544f25861 Mon Sep 17 00:00:00 2001
From: Alejandro Roiz Walss
Date: Tue, 30 Jan 2024 18:57:32 -0600
Subject: [PATCH 2/5] use filter_condition
---
 confidant/routes/credentials.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/confidant/routes/credentials.py b/confidant/routes/credentials.py
index c0498e3d..489d8a45 100644
--- a/confidant/routes/credentials.py
+++ b/confidant/routes/credentials.py
@@ -616,11 +616,10 @@ def create_credential():
 if not _check:
 return jsonify(ret), 400
 for cred in Credential.data_type_date_index.query(
- 'credential'):
- if cred.name == data['name']:
- # Conflict, the name already exists
- msg = 'Name already exists. See id: {0}'.format(cred.id)
- return jsonify({'error': msg, 'reference': cred.id}), 409
+ 'credential', filter_condition=Credential.name == data['name']):
+ # Conflict, the name already exists
+ msg = 'Name already exists. See id: {0}'.format(cred.id)
+ return jsonify({'error': msg, 'reference': cred.id}), 409
 # Generate an initial stable ID to allow name changes
 id = str(uuid.uuid4()).replace('-', '')
 # Try to save to the archive
From 830064af53bbfd1ee489d1d0e015e9bfecead3b9 Mon Sep 17 00:00:00 2001
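Review bot: `filter_condition=Credential.name == data['name']` in the `@@ -616,11 +616,10 @@` hunk is evaluated after the key query on `'credential'`, so the uniqueness check still reads every item in that partition rather than doing a keyed lookup; that is presumably the same cost as the original `name__eq` filter, so it is acceptable, but a comment would stop the next reader assuming a name index: `# filter_condition is post-read: this walks the whole 'credential' partition`. `create_credential` continues beyond the hunk.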
From: Alejandro Roiz Walss
Date: Tue, 30 Jan 2024 18:59:12 -0600
Subject: [PATCH 3/5] use filter_condition for blind credentials
---
 confidant/routes/blind_credentials.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/confidant/routes/blind_credentials.py b/confidant/routes/blind_credentials.py
index 32696c83..ed690660 100644
--- a/confidant/routes/blind_credentials.py
+++ b/confidant/routes/blind_credentials.py
@@ -188,7 +188,7 @@ def create_blind_credential():
 if not isinstance(data.get('metadata', {}), dict):
 return jsonify({'error': 'metadata must be a dict'}), 400
 for cred in BlindCredential.data_type_date_index.query(
- 'blind-credential'):
+ 'blind-credential', filter_condition=BlindCredential.name == data['name']):
 # Conflict, the name already exists
 msg = 'Name already exists. See id: {0}'.format(cred.id)
 return jsonify({'error': msg, 'reference': cred.id}), 409
From e2108fdda54a78a095f889ce100147a5737b086b Mon Sep 17 00:00:00 2001
From: Alejandro Roiz Walss
Date: Tue, 30 Jan 2024 19:02:57 -0600
Subject: [PATCH 4/5] fix lint
---
 confidant/routes/blind_credentials.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/confidant/routes/blind_credentials.py b/confidant/routes/blind_credentials.py
index ed690660..5cbf6d37 100644
--- a/confidant/routes/blind_credentials.py
+++ b/confidant/routes/blind_credentials.py
@@ -188,7 +188,9 @@ def create_blind_credential():
 if not isinstance(data.get('metadata', {}), dict):
 return jsonify({'error': 'metadata must be a dict'}), 400
 for cred in BlindCredential.data_type_date_index.query(
- 'blind-credential', filter_condition=BlindCredential.name == data['name']):
+ 'blind-credential',
+ filter_condition=BlindCredential.name == data['name']
+ ):
 # Conflict, the name already exists
 msg = 'Name already exists. See id: {0}'.format(cred.id)
 return jsonify({'error': msg, 'reference': cred.id}), 409
From 221108299fc7c83477038803e6eb3719c447e973 Mon Sep 17 00:00:00 2001
From: Alejandro Roiz Walss
Date: Wed, 28 Feb 2024 18:39:35 -0600
Subject: [PATCH 5/5] Sanitize user input for services and credentials
---
 confidant/routes/credentials.py | 11 ++++++++---
 confidant/routes/services.py | 11 ++++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/confidant/routes/credentials.py b/confidant/routes/credentials.py
index 489d8a45..e186f870 100644
--- a/confidant/routes/credentials.py
+++ b/confidant/routes/credentials.py
@@ -4,7 +4,7 @@
 import re
 import uuid
 
-from flask import blueprints, jsonify, request
+from flask import blueprints, escape, jsonify, request
 from pynamodb.exceptions import DoesNotExist, PutError
 
 from confidant import authnz, clients, settings
@@ -624,15 +624,20 @@ def create_credential():
 id = str(uuid.uuid4()).replace('-', '')
 # Try to save to the archive
 revision = 1
+ for key, value in credential_pairs.items():
+ value = escape(value)
+ credential_pairs[key] = value
 credential_pairs = json.dumps(credential_pairs)
 data_key = keymanager.create_datakey(encryption_context={'id': id})
 cipher = CipherManager(data_key['plaintext'], version=2)
 credential_pairs = cipher.encrypt(credential_pairs)
 last_rotation_date = misc.utcnow()
+
+ sanitized_name = escape(data['name'])
 cred = Credential(
 id='{0}-{1}'.format(id, revision),
 data_type='archive-credential',
- name=data['name'],
+ name=sanitized_name,
 credential_pairs=credential_pairs,
 metadata=data.get('metadata'),
 revision=revision,
@@ -648,7 +653,7 @@ def create_credential():
 cred = Credential(
 id=id,
 data_type='credential',
- name=data['name'],
+ name=sanitized_name,
 credential_pairs=credential_pairs,
 metadata=data.get('metadata'),
 revision=revision,
diff --git a/confidant/routes/services.py b/confidant/routes/services.py
index f8bc9823..be42c733 100644
--- a/confidant/routes/services.py
+++ b/confidant/routes/services.py
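Review bot: `value = escape(value)` in the new loop at the top of the `@@ -624,15 +624,20 @@` hunk HTML-encodes the secret itself before it is JSON-serialised and encrypted, so a credential value containing `&`, `<`, `>`, `"` or `'` is stored as `&amp;`, `&lt;`, `&#34;` … and handed back altered on retrieval; HTML escaping is output encoding for a rendering context, not input validation, and this API emits JSON through `jsonify`. The same applies to `sanitized_name`: the stored name is escaped while the duplicate-name query earlier in `create_credential` (above the hunk) compares the raw `data['name']`, so a name containing those characters is stored in a form that check never matches, and presumably `update_credential` (not in this patch) still writes names unescaped — verify. If the intent is to reject unexpected input, validate and return 400 instead of transforming, e.g. `if not re.fullmatch(r'[\w.\- ]+', data['name']): return jsonify({'error': 'invalid name'}), 400` (`re` is already imported at line 4; the allow-list itself is a product decision), and drop the escaping of `credential_pairs` entirely. Separately, `flask.escape` added in the `@@ -4,7 +4,7 @@` hunk is a deprecated re-export of `markupsafe.escape` (deprecated in Flask 2.3 and, as I recall, removed in 3.0), so the import pins the code to older Flask. The `@@ -648,7 +653,7 @@` hunk reuses `sanitized_name` and inherits the same issue.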
@@ -1,6 +1,6 @@
 import logging
 
-from flask import blueprints, jsonify, request
+from flask import blueprints, escape, jsonify, request
 from pynamodb.exceptions import DoesNotExist, PutError
 
 from confidant import authnz, settings
@@ -640,9 +640,14 @@ def map_service_credentials(id):
 # credential IDs.
 filtered_credential_ids = [cred.id for cred in credentials]
 # Try to save to the archive
+
+ if _service:
+ service_id = _service.id
+ else:
+ service_id = escape(id)
 try:
 Service(
- id='{0}-{1}'.format(id, revision),
+ id='{0}-{1}'.format(service_id, revision),
 data_type='archive-service',
 credentials=filtered_credential_ids,
 blind_credentials=data.get('blind_credentials'),
@@ -657,7 +662,7 @@ def map_service_credentials(id):
 
 try:
 service = Service(
- id=id,
+ id=service_id,
 data_type='service',
 credentials=filtered_credential_ids,
 blind_credentials=data.get('blind_credentials'),
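Review bot: `service_id = escape(id)` in the `@@ -640,9 +640,14 @@` hunk HTML-encodes the path parameter before it becomes the DynamoDB key of the new `Service` item and of its `'{0}-{1}'.format(service_id, revision)` archive key, so an id containing `&`, `<`, `>`, `'` or `"` is stored under an escaped key that a later lookup by the raw id will presumably not find — the read path is outside this patch, verify. The `_service` branch (`_service` is bound above the hunk) keeps the existing record's id, so escaping only affects first-time creation, which makes the stored id depend on whether the service already existed. If ids must be restricted, reject rather than rewrite, e.g. `if not re.fullmatch(r'[\w.\-]+', id): return jsonify({'error': 'invalid id'}), 400` (services.py does not import `re`, so the `@@ -1,6 +1,6 @@` hunk would add that import instead of `escape`; the allow-list itself is a product decision). The `@@ -657,7 +662,7 @@` hunk reuses `service_id` and inherits the same issue. `map_service_credentials` starts and ends outside both hunks.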