New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Use MultiFernet for encryption #123
Conversation
@kevgliss If you wouldn't mind taking a look when you have a minute. I have a feeling at least part of the errors I'm seeing have to do with my local environment and not necessarily the changes I've made. |
@@ -32,7 +32,6 @@ | |||
'Flask-Bcrypt==0.6.2', | |||
'Flask-Principal==0.4.0', | |||
'Flask-Mail==0.9.1', | |||
'SQLAlchemy-Utils==0.30.11', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like I also use the JSON type from SQLAlchemy-Utils so we should leave it in for the moment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
I think this should be okay. I would just add back in SQLAlchemy and see if the tests pass. You could also post a stack trace to see if we can narrow down the errors you are seeing locally. |
3d76445
to
927d52d
Compare
I still can't seem to save anything locally. Here is the content of [removed] |
You will need to make an authority before you can issue any certificates.
Should return a message complaining what might be missing from the request. Which authority are you trying to use? The only one currently packaged with Lemur is the Are you doing this from the UI or the API? In either case ff you could give me the JSON you are sending to the API, I can probably spot whats missing. |
Here's what I'm sending:
|
Can you try with |
Tried with the same result. |
Which branch/commit are you working from? When you make the request there should be a more descriptive message in the body of the response. Also I noticed in your stack trace you are doing a PUT request.
The JSON you are sending I would expect to be handled by a POST. See: https://github.com/Netflix/lemur/blob/master/lemur/authorities/views.py#L302 for the variables allowed in a PUT request (editing an authority). |
I just tested this out and it looks good. Everything encrypts and decrypts like I would expect. I think throwing an exception for improperly formatted keys makes sense. After that is added I will go ahead and merge this in. I will put the migration script in a separate pull request. Thanks! |
Thanks a lot. I'm not sure what my issue locally is. I'm doing things through the UI, so I would expect it to In any case, I'll add in that exception and finish this up. |
Fernet will actually throw an exception if the key passed to it is not valid. We could add some checks at startup or something to make it easier to debug, but I think as long as the requirement is documented we'll be alright. The exception thrown by Fernet is pretty clear too. |
Maybe we should have a comment in the generated configuration file to document the requirement. I'll add it to the docs too. |
Facilitates key rotation and uses more secure encryption than what sqlalchemy-utils does. Fixes Netflix#117 and Netflix#119.
Current status: All should be ready to go pending a decision on how best to handle the key requirements. As of now, I've documented the requirement on the administration page. As it stands, the application will still start with a bad key, but Fernet will throw an exception when it tries to encrypt something. Is there a better channel to communicate errors with users? |
I think that should be enough - we generate good defaults and point out the requirements for those who wander off the beaten path. I am going to merge this in, thanks for the all the work. Feel free to hit me up on gitter if you are still struggling with creating authorities, or open an issue and I can see if I can tease out any more clues. |
Use MultiFernet for encryption
Awesome. Thanks for the help in putting this together. |
Updated the submodule
Facilitates key rotation and uses more secure encryption than what
sqlalchemy-utils does.
Fixes #117 and #119.
This is still a work in progress. I'm having some trouble testing locally. When I try to create new certificates, authorities, roles, etc. I end getting "not created" errors for what seem to be unrelated reasons. I'm hoping you can take a look and see how it works yourself.
TODO: