# Credential Manager for Orchestrator

Credential and Key Manager
<br>
Juan Carlos Maureira<br>
Maycoll Catalan<br>
<br>

In [1]:
# Importacion de librerias base para desarrollo en notebook
import sys
import os
from pathlib import Path
from IPython.core.magic import register_cell_magic

# Full display
from IPython.display import display, HTML
display(HTML("<style>.container { width:100% !important; }</style>"))

# Se establece la ruta con las librerias
deploy_path="../lib/python"
sys.path.insert(0, os.path.abspath(deploy_path))

%load_ext autoreload
%autoreload 2

# Metódo magico de deploy to create folders and files
@register_cell_magic
def deploy(target, cell):
    'deploy classes coded in the cell'
    
    full_target = "%s/%s" % (deploy_path,target)
    if not os.path.exists(os.path.dirname(full_target)):
        os.makedirs(os.path.dirname(full_target))
        init_file = "'%s/__init__.py" % os.path.dirname(full_target)
        if not os.path.exists(init_file):
            open(init_file,"w").close()
    
    with open(full_target, 'wt') as fd:
        fd.write(cell)

class StopExecution(Exception):
    def _render_traceback_(self):
        pass

### Clases

In [2]:
%%deploy /credentialmanager/loggers/__init__.py
import logging
from logging import warning, info
from logging.config import fileConfig
import sys

class NullLogger:
    def __init__(self):
        pass
    def info(*args,**kwargs):
        pass
    def warning(*args,**kwargs):
        pass
    def error(*args,**kwargs):
        pass
    def critical(*args,**kwargs):
        pass
    def debug(*args,**kwargs):
        pass
    
class BasicLogger:
    def __init__(self, name):
        self.name = name
        logging.basicConfig(format='%(asctime)s | %(levelname)s : %(message)s',level=logging.INFO, stream=sys.stdout)
        self.logger = logging.getLogger(self.name)
        
    def info(self,*args,**kwargs):
        self.logger.info(*args,**kwargs)
    def critical(self,*args,**kwargs):
        self.logger.critical(*args,**kwargs)
    def warning(self,*args,**kwargs):
        self.logger.warning(*args,**kwargs)
    def error(self,*args,**kwargs):
        self.logger.error(*args,**kwargs)
    def debug(self,*args,**kwargs):
        self.logger.debug(*args,**kwargs)

class FileLogger:
    def __init__(self, name, config_file="etc/logging.ini", logfile="logs/orchestrator.log"):
        self.name = name
        fileConfig(config_file)
        self.logger = logging.getLogger(self.name)

    def info(self,*args,**kwargs):
        self.logger.info(*args,**kwargs)
    def critical(self,*args,**kwargs):
        self.logger.critical(*args,**kwargs)
    def warning(self,*args,**kwargs):
        self.logger.warning(*args,**kwargs)
    def error(self,*args,**kwargs):
        self.logger.error(*args,**kwargs)
    def debug(self,*args,**kwargs):
        self.logger.debug(*args,**kwargs)

In [3]:
%%deploy credentialmanager/exceptions/__init__.py
# Exception module for Credential Manager

class MultipleCredentialsFound(Exception):
    def __init__(self, label):
        super(MultipleCredentialsFound, self).__init__("Label: %s" % (label))


class KeyIsNotInstance(Exception):
    def __init__(self):
        super(KeyIsNotInstance, self).init("The Key is not an Instance of Encryption")

class NoExpirationDateFound(Exception):
    def __init__(self):
        super(NoExpirationDateFound, self).__init__("No Expiration date on keys found")


class ProtectedEncryptionKey(Exception):
    def __init__(self):
        super(ProtectedEncryptionKey, self).__init__("Protected Encryption Key")

        
class LabelNecessary(Exception):
    def __init__(self):
        super(LabelNecessary, self).__init__("Label is necessary")
        
        
class PassphraseNecessary(Exception):
    def __init__(self):
        super(PassphraseNecessary, self).__init__("Passphrase is necessary for private key")

        
class PassphraseNotNecessary(Exception):
    def __init__(self):
        super(PassphraseNotNecessary, self).__init__("Passphrase is not necessary for public key")

        
class ExpiredKey(Exception):
    def __init__(self):
        super(ExpiredKey, self).__init__("Key expired")
        
        
class ExpiredCredential(Exception):
    def __init__(self):
        super(ExpiredCredential, self).__init__("Credential expired")
        
        
class ExpiredToken(Exception):
    def __init__(self):
        super(ExpiredToken, self).__init__("Token expired")
        

class PastExpirationDate(Exception):
    def __init__(self):
        super(PastExpirationDate, self).__init__("Expiration date is before today")


class WrongKeyPassphrase(Exception):
    def __init__(self):
        super(WrongKeyPassphrase, self).__init__("The passphrase for the key is wrong")

        
class WrongCredential(Exception):
    def __init__(self):
        super(WrongCredential, self).__init__("The credential is wrong")
        

class CredentialNotFound(Exception):
    def __init__(self, label):
        super(CredentialNotFound, self).__init__("Credential with Label: %s, not found on database" % (label))

        
class KeyNotFound(Exception):
    def __init__(self, label):
        super(KeyNotFound, self).__init__("Key with label: %s, not found on database" %(label))
        

class TokenNotFound(Exception):
    def __init__(self, label):
        super(TokenNotFound, self).__init__("Token for Label: %s, not found on database" % (label))
        
        
class TokenNotAvailable(Exception):
    def __init__(self, label):
        super(TokenNotAvailable, self).__init__("Token for Label: %s, not availabe" % (label))
             

class CredentialAlreadyExists(Exception):
    def __init__(self, label):
        super(CredentialAlreadyExists, self).__init__("Credential with Label: %s, already exists" % (label))

        
class KeyAlreadyExists(Exception):
    def __init__(self, label):
        super(KeyAlreadyExists, self).__init__("Key with label: %s, already exists" %(label))

        
class TokenAlreadyExists(Exception):
    def __init__(self, label):
        super(TokenAlreadyExists, self).__init__("Token for Label: %s, already exists" % (label))
        
        
class TokenAlreadyAssigned(Exception):
    def __init__(self, label):
        super(TokenAlreadyAssigned, self).__init__("Token for Label: %s, already assigned for user" % (label))
        
        
class UnknownCredentialType(Exception):
    def __init__(self, arg):
        super(UnknownCredentialType, self).__init__(type(arg))

        
class UnknownType(Exception):
    def __init__(self, arg):
        super(UnknownType, self).__init__(type(arg))

        
class UnknownKeyType(Exception):
    def __init__(self, arg):
        super(UnknownKeyType, self).__init__(type(arg))
   
    
class UnknownTokenType(Exception):
    def __init__(self, arg):
        super(UnknownTokenType, self).__init__(type(arg))


class EmptyCredential(Exception):
    def __init__(self, label):
        super(EmptyCredential, self).__init__(label)

                
class LocalKeyNotFound(Exception):
    def __init__(self, label):
        super(LocalKeyNotFound, self).__init__("Local key with label: %s, not found" %(label))
        

class LocalCredentialNotFound(Exception):
    def __init__(self, label):
        super(LocalCredentialNotFound, self).__init__("Local credential with label: %s, not found" %(label))


class MultipleKeysFound(Exception):
    def __init__(self, label):
        super(MultipleKeysFound, self).__init__(label)
        
        
class AlreadyExists(Exception):
    def __init__(self, type_, label):
        super().__init__("%s with label: %s, already exists" %(type_, label))
        

class AlreadyStored(Exception):
    def __init__(self,type_, label):
        super(AlreadyStored, self).__init__("%s with label: %s, already stored" %(type_, label))
        
        
class AlreadyEncrypted(Exception):
    def __init__(self,type_, label):
        super(AlreadyEncrypted, self).__init__("%s with label: %s, already encrypted, it must be flat" %(type_, label))
        
        
class KeyNotLoaded(Exception):
    def __init__(self):
        super(KeyNotLoaded, self).__init__()
        
        
class PrivateKeyNotLoaded(Exception):
    def __init__(self):
        super(PrivateKeyNotLoaded, self).__init__("there is no private key to perform action")


class StoreCredentialError(Exception):
    def __init__(self):
        super(StoreCredentialError, self).__init__("could not store credential")


class StoreCredentialFileError(Exception):
    def __init__(self):
        super(StoreCredentialFileError, self).__init__("could not store credential in file")
        
        
class CredentialNotDecrypted(Exception):
    def __init__(self):
        super(CredentialNotDecrypted, self).__init__("credential could not be decrypted")
        
        
class KeyNotFound(Exception):
    def __init__(self, label):
        super(KeyNotFound, self).__init__("Key with label: %s, not found on database" %(label))
        
class hasChanged(Exception):
    def __init__(self, label):
        super(hasChanged, self).__init__("%s has changed" %(label))

class VaultNotFound(Exception):
    def __init__(self, vault_type):
        super(VaultNotFound, self).__init__(vault_type)
        
class CredentialAlreadyDigested(Exception):
    def __init__(self, label):
        super(CredentialAlreadyDigested, self).__init__(label)

In [4]:
%%deploy credentialmanager/vault/__init__.py
from .AbstractCredentialVault import *
from .AbstractKeyVault import *
from .AbstractSharedTokenVault import *
from .CredentialVault import *
from .KeyVault import *
from .TokenVault import *

In [5]:
%%deploy credentialmanager/vault/AbstractCredentialVault.py
# Abstract Credential Vault module for Credential Manager

import json
import base64
import ast
import time
from sqlalchemy import create_engine, and_, inspect
from sqlalchemy.sql import func
from sqlalchemy import *
from datetime import datetime
from Crypto.Hash import SHA256
from Crypto.Signature import pkcs1_15
from ..Credential import *
from ..exceptions import *
from sqlalchemy.orm import sessionmaker
from sqlalchemy.pool import StaticPool

class AbstractCredentialVault(BasicLogger):
    
    def query(self, sql):
        e = None
        for retry in range(0,10):
            try:
                result = self.getEngine().execute(sql).fetchall()
                return result
            except Exception as e:
                # retry operation
                time.sleep(10)

        raise RuntimeError("AbstractCredentialVault:Could not execute Query: %s : %s" % (sql,e))
        
    def buildCredentialFromTuple(self, tup, key):
        
        label                    = tup[1]
        b64_encrypted_credential = tup[3]
        uuid_credential          = tup[5]
        nonce_credential         = tup[6]
        tag_credential           = tup[7]
        token_credential         = tup[8]
        creation_credential      = tup[9]
        expiration_credential    = tup[10]
        encrypted_credential     = base64.b64decode(b64_encrypted_credential.encode("ascii"))

        if key.getPrivateKey() is None:
            raise PrivateKeyNotLoaded()

        content_shamir = key.decrypt(encrypted_credential)
        type_credential = 2

        if nonce_credential is not None:

            credential_nonce_encode = nonce_credential.encode("ascii")
            nonce_credential = base64.b64decode(credential_nonce_encode)
            credential_tag_encode = tag_credential.encode("ascii")
            tag_credential = base64.b64decode(credential_tag_encode)

        return Credential(label, content_shamir, uuid_credential, nonce_credential, tag_credential, token_credential, type_credential, creation_credential, expiration_credential)
        
    def __init__(self, owner, conn_str, table_name="credentials"):
        print("credential vault",conn_str)
        self.__engine = create_engine(conn_str,  connect_args={'timeout': 1})
        self.__table_name = table_name
        self.__id = "default"
        self.__owner = owner
        
        #signature credential?
        self.signature_credential = None

        self.hash_message = None
        BasicLogger.__init__(self,self.__class__.__name__)

        if not self.initialized():
            self.create()

    def initialized(self):

        engine = self.getEngine()
        ins = inspect(engine)
        if not ins.has_table(self.__table_name):
            self.debug("table %s does not exists" % self.__table_name)
            return False
        metadata = MetaData(engine)
        self.table = Table(self.__table_name, metadata, autoload=True, autoload_with=engine)

        return True

    def create(self):
        """
        Create a table in the database to be used by the credential
        """
        self.debug("Creating storage")
        engine = self.getEngine()
        metadata = MetaData(engine)
        # Create a table with the appropriate Columns
        self.table = Table(self.__table_name, metadata,
                           Column('Id', Integer, primary_key=True, nullable=False),
                           Column('label', String),
                           Column('key_id', String),
                           Column('credential', String),
                           Column('signature', String),
                           Column('uuid', String),
                           Column('nonce', String),
                           Column('tag', String),
                           Column('token', String),
                           Column('creation', DateTime(timezone=True), server_default=func.now()),
                           Column('expiration', DateTime(timezone=True), onupdate=func.now()),
                           Column('type', Integer),
                           Column('active', Boolean))
        # Implement the creation
        metadata.create_all()

    def getEngine(self):
        """
        Get the engine to be used in the credential, by default is psql
        """
        return self.__engine
    
    def getId(self):
        """
        get the id related to the credential
        """
        return self.__id

    def setId(self, vault_id):
        """
        Set the id of the credential related to the vault
        """
        self.__id = vault_id

    def listCredentials(self, key, active=True):
        """
        List the credentials that are active, if no active is given, by default is True
        """
        key_id = key.getUUID()
        sql = self.table.select().where(and_(
            self.table.columns.active == active,
            self.table.columns.key_id == key_id,
        ))
        results = self.query(sql)
        credential_list = []
        for result in results:
            try:
                credential_list.append(self.buildCredentialFromTuple(result,key))
            except Exception as e:
                raise e
                
        return credential_list

    def existCredential(self, credential):
        """
        Check if the credential exist
        """
        try:
            sql = self.table.select().where(and_(
                self.table.columns.label == credential.getLabel(),
                self.table.columns.active == True
            ))
            result = self.__engine.execute(sql).fetchall()
            if len(result) == 1:
                self.debug("credential label:%s already stored"%(credential.getLabel()))
                return True
            elif len(result) > 1:
                # many credentials match
                raise MultipleCredentialsFound(label)
            else:
                return False
        except Exception as e:
            raise e            

    def getCredential(self, key, label):
        key_id = key.getUUID()

        sql = self.table.select().where(and_(
            self.table.columns.label == label,
            self.table.columns.key_id == key_id,
            self.table.columns.active == True
        ))

        result = self.query(sql)
        
        if len(result) == 1:
            try:
                crd = self.buildCredentialFromTuple(result[0], key)
                return crd
            except Exception as e:
                raise e
        elif len(result) > 1:
            # many credentials match
            raise MultipleCredentialsFound(label)
        else:
            raise CredentialNotFound(label)
            
    def encryptCredential(self, credential, destination_key):
        credential_ = credential.content
        label = credential.getLabel()
        uuid = credential.uuid
        nonce = credential.nonce
        tag = credential.tag
        token = credential.token
        type_ = credential.type_
        creation = credential.creation
        expiration = credential.expiration
        serialized_credential = credential.toString()
        encrypted_credential = destination_key.encrypt(serialized_credential)
        b64_encypted_credential = base64.b64encode(encrypted_credential).decode("ascii")
        
        Credential_object = Credential.getFromBase64String(\
        label, uuid, b64_encypted_credential, nonce, tag, token, type_, creation, expiration, True)
        
        return Credential_object

    def storeCredential(self, key, credential):
        """
        Store the credential in the database using sqlAlchemy
        """
        engine = self.getEngine()
        key_id = key.getUUID()
        serialized_credential = credential.toString()
        encrypted_credential = key.encrypt(serialized_credential)
        b64_encypted_credential = base64.b64encode(encrypted_credential).decode("ascii")
        
        
        if credential.nonce is not None:
            credential_uuid = credential.uuid
            credential_nonce = base64.b64encode(credential.nonce).decode("ascii")
            credential_tag = base64.b64encode(credential.tag).decode("ascii")
            credential_token = credential.token
            credential_creation = credential.creation
            credential_expiration = credential.expiration
            credential_type = 3
        else:
            credential_uuid = credential.uuid
            credential_nonce = credential.nonce
            credential_tag = credential.tag
            credential_token = credential.token
            credential_creation = credential.creation
            credential_expiration = credential.expiration
            credential_type = 3
        
        print(credential_token)
        
        if not self.existCredential(credential):
            try:
                sql = self.table.insert().values({
                    "key_id": key_id,
                    "label": credential.getLabel(),
                    "uuid" : credential_uuid,
                    "credential": b64_encypted_credential,
                    "nonce": credential_nonce,
                    "tag": credential_tag,
                    "token": credential_token,
                    "creation": credential_creation,
                    "expiration": credential_expiration,
                    "type": credential_type,
                    "active": True
                })

                result = engine.execute(sql)
                self.debug("credential label:%s has been stored"%(credential.getLabel()))
                if result.rowcount == 1:
                    return True
            except Exception as e:
                raise e

        raise CredentialAlreadyExists(credential.getLabel())
        
    def checkCredentialExpiration(self, label):
        """
        Check the expiration date of the credential
        """
        sql_exist = self.table.select().where(and_(
            self.table.columns.label == label,
            self.table.columns.active == True
        ))
        sql = self.table.select().where(and_(
            self.table.columns.expiration <= datetime.now(),
            self.table.columns.label == label,
            self.table.columns.active == True
        ))
        query_exist = self.__engine.execute(sql_exist).fetchall()
        query = self.__engine.execute(sql).fetchall()
        if len(query_exist) == 0:
            raise CredentialNotFound(label)
        if len(query) == 0:
            return True
        else:
            raise ExpiredCredential()
            
    def getCredentialExpirationDate(self, label):
        """
        Get expiration date of credential
        """
        sql = self.table.select().where(and_(
            self.table.columns.label == label,
            self.table.columns.active == True
        ))
        query = self.__engine.execute(sql).fetchall()
        if len(query) == 0:
            raise CredentialNotFound(label)
        expiration_date = query[0][9]
        return expiration_date
        
    def setCredentialExpiration(self, label, date):
        """
        Set the expiration date of the credential
        """
        sql = self.table.select().where(and_(
            self.table.columns.label == label,
            self.table.columns.active == True
        ))
        query = self.__engine.execute(sql).fetchall()
        if len(query) == 0:
            raise CredentialNotFound(label)
        exp_date = datetime.strptime(date.strftime('%Y-%m-%d %H:%M:%S'), '%Y-%m-%d %H:%M:%S')
        # Create "Session" class and session
        Session = sessionmaker(bind=self.__engine)
        session = Session()
        try:
            # Update field expiration
            session.query(self.table).filter(self.table.columns.label == label, self.table.columns.active == True).update({"expiration": exp_date})
            session.commit()
        finally:
            session.close()
    
    def storeSignature(self, credential, key_1):
        """
        Create Signature on the credential, it will be store in signature credential using private key
        """
        if credential.type_ == 1:
            private = key_1.getPrivateKey()
            serialized_credential = credential.toString()
            hash_msg = SHA256.new(serialized_credential)
            self.hash_message = hash_msg
            signer = pkcs1_15.new(private)
            self.signature_credential = signer.sign(hash_msg)

            # Store signature on database
            label = credential.getLabel()
            sql = self.table.select().where(and_(
                self.table.columns.label == label,
                self.table.columns.active == True
            ))
            # Create "Session" class and session
            Session = sessionmaker(bind=self.__engine)
            session = Session()
            try:
                # Update field Signature
                session.query(self.table).filter(self.table.columns.label == label, self.table.columns.active == True).update({"signature": self.signature_credential})
                session.commit()
            finally:
                session.close()
        else:
            raise AlreadyEncrypted("Credential", credential.getLabel())

    def checkValiditySignature(self, credential, key):
        """
        Check the validity of the credential using the signature credential already store with the original credential
        this will be used usin the public key
        """
        if credential.type_ == 1:
            public_key = key.getPublicKey()
            serialized_credential = credential.toString()
            hash_msg = SHA256.new(serialized_credential)
            self.hash_message = hash_msg

            # Retrieve signature on database
            label = credential.getLabel()

            sql = self.table.select().where(and_(
                self.table.columns.label == label,
                self.table.columns.active == True
            ))
            result = self.__engine.execute(sql).fetchall()
            try:
                pkcs1_15.new(public_key).verify(self.hash_message,result[0][4])
                return True
            except (ValueError, TypeError):
                raise hasChanged("Credential")
        else:
            raise AlreadyEncrypted("Credential", credential.getLabel())

    def __repr__(self):
        return "%s" % type(self)

In [6]:
%%deploy credentialmanager/vault/AbstractKeyVault.py
# Abstract Key Vault module for Credential Manager

import base64
from sqlalchemy import create_engine, and_, inspect
from sqlalchemy.sql import func, text
from sqlalchemy.orm import sessionmaker
from sqlalchemy import *
from datetime import datetime
from ..exceptions import *
from ..RSAImplementation import *
from ..EncryptionKey import *
from ..ProtectedEncryptionKey import *
import pandas as pd
from sqlalchemy.pool import StaticPool

class AbstractKeyVault(BasicLogger):
    """
    Abstract Class for the KeyChain
    """

    def __init__(self, owner, conn_str, table_name="key_chain"):
        self.__engine = create_engine(conn_str, connect_args={'timeout': 1})
        self.__table_name = table_name
        self.__id = "default"
        self.__owner = owner
        self.signature_key = None
        BasicLogger.__init__(self,self.__class__.__name__)
        if not self.initialized():
            self.create()

    def initialized(self):
        engine = self.getEngine()
        ins = inspect(engine)
        if not ins.has_table(self.__table_name):
            self.debug("table %s does not exists" % self.__table_name)
            return False

        metadata = MetaData(engine)
        self.table = Table(self.__table_name, metadata, autoload=True, autoload_with=engine)

        return True

    def create(self):
        """
        Create the Table with the neccesary attributes and types  using SqlAlchemy to store Keys
        """
        self.debug("Creating storage for Keychain")
        engine = self.getEngine()
        metadata = MetaData(engine)
        # Create a table with the appropriate Columns
        self.table = Table(self.__table_name, metadata,
                           Column('Id', Integer, primary_key=True, nullable=False),
                           Column('label', String),
                           Column('uuid', String),
                           Column('key', String),
                           Column('creation', DateTime(timezone=True), server_default=func.now()),
                           Column('expiration', DateTime(timezone=True), onupdate=func.now()),
                           Column('active', Boolean),
                           Column('passphrase', Boolean))
        # Implement the creation
        metadata.create_all()


    def getEngine(self):
        """
        Get the engine that's will be use to manage the keys
        return: a engine object
        """
        return self.__engine


    def getId(self):
        """
        Get the Id of the Key
        return: an Id
        """
        return self.__id


    def setId(self, vault_id):
        """
        Set the Id of the Key from the vault
        param: vault_id, the id of the vault that contains the Key
        """
        self.__id = vault_id


    def checkKeyExpiration(self, key):
        """
        Check the expiration date of the key
        param: key , the key to be check
        """
        key_id = key.getUUID()
        sql_exist = self.table.select().where(and_(
            self.table.columns.uuid == key_id
        ))
        sql = self.table.select().where(and_(
            self.table.columns.expiration <= datetime.now(),
            self.table.columns.uuid == key_id
        ))
        query_exist = self.__engine.execute(sql_exist).fetchall()
        query = self.__engine.execute(sql).fetchall()
        if len(query_exist) == 0:
            raise KeyNotFound(key.getLabel())
        if len(query) == 0:
            return True
        else:
            raise ExpiredKey()
    
    
    def getKeyExpirationDate(self, key):
        """
        Get expiration date of the key
        """
        key_id = key.getUUID()
        sql = self.table.select().where(and_(
            self.table.columns.uuid == key_id
        ))
        query = self.__engine.execute(sql).fetchall()
        if len(query) == 0:
            raise KeyNotFound(key.getLabel())
        expiration_date = query[0][5]
        return expiration_date
            
    def setKeyExpiration(self, key, date):
        """
        Set the expiration date of the key
        """
        key_id = key.getUUID()
        sql = self.table.select().where(and_(
            self.table.columns.uuid == key_id
        ))
        query = self.__engine.execute(sql).fetchall()
        if len(query) == 0:
            raise KeyNotFound(key.getLabel())
        exp_date = datetime.strptime(date.strftime('%Y-%m-%d %H:%M:%S'), '%Y-%m-%d %H:%M:%S')
        # Create "Session" class and session
        Session = sessionmaker(bind=self.__engine)
        session = Session()
        try:
            # Update field expiration
            session.query(self.table).filter(self.table.columns.uuid == key_id).update({"expiration": exp_date})
            session.commit()
        finally:
            session.close()

    def listKeys(self, active=True):
        """
        List the keys that are active
        return: query that could be manage with a dataframe
        """
        try:
            sql = self.table.select().where(and_(
                self.table.columns.active == active,
            ))
            results = self.__engine.execute(sql).fetchall()
            key_list = []
            for result in results:
                label = result[1]
                uuid = result[2]
                creation = result[4]
                expiration = result[5]
                b64_exp_key = result[3]
                b64_key_bytes = b64_exp_key.encode("ascii")
                exp_key = base64.b64decode(b64_key_bytes).decode("ascii")
                try:
                    key_content = RSA.importKey(exp_key, passphrase=None)
                    key_list.append(EncryptionKey(label, key_id=uuid, key=None, public_key=key_content, creation=creation, expiration=expiration))
                except:
                    key_list.append(ProtectedEncryptionKey(label, creation=creation, expiration=expiration, key_id=uuid, key=b64_exp_key, public_key=None))
            return key_list
        except Exception as e:
            raise e


    def existKey(self, key=None, label=None):
        """
        Check if the key exists or not, if not it's going to raise an exception
        param: key, the key to be check
               label: the label of the key
        return: True if the key exists
        """
        try:
            sql = None
            if label is None and key is not None:
                label = key.getLabel()
            elif label is None and key is None:
                raise RuntimeError("getKey: key or label must be provided")

            sql = self.table.select().where(and_(
                self.table.columns.label == label,
                self.table.columns.active == True
            ))
            result = self.__engine.execute(sql).fetchall()
            if len(result) == 1:
                return True
            elif len(result) > 1:
                # many keys match
                return True
            else:
                return False
        except Exception as e:
            raise e


    def getKey(self, label=None, passphrase=None):
        """
        Get the key based on a label and a passphrase
        param: label, the label related to the key
               passphrase, the security passphrase that was attached to the key
        return, an EncryptionKey object with the label, uuid and the content of the key
        """
        sql = None
        if passphrase is None and label is None:
            raise ProtectedEncryptionKey()
        if label is None and passphrase is not None:
            raise LabelNecessary()
        
        sql = self.table.select().where(and_(
            self.table.columns.label == label,
            self.table.columns.active == True
        ))
        result = self.__engine.execute(sql).fetchall()
               
        if len(result) == 1:
            # only one key match
            uuid = result[0][2]
            b64_exp_key = result[0][3]
            b64_key_bytes = b64_exp_key.encode("ascii")
            exp_key = base64.b64decode(b64_key_bytes).decode("ascii")
            creation = result[0][4]
            expiration = result[0][5]
            try:
                if passphrase is not None:
                    key_content = RSA.importKey(exp_key, passphrase=passphrase)
                    try:
                        key_content = RSA.importKey(exp_key, passphrase=None)
                    except:
                        return EncryptionKey(label, key_id=uuid, key=key_content, public_key=None, creation=creation, expiration=expiration)
                    return EncryptionKey(label, key_id=uuid, key=None, public_key=key_content, creation=creation, expiration=expiration)
                else:
                    try:
                        key_content = RSA.importKey(exp_key, passphrase=passphrase)
                        check_type= EncryptionKey(label, key_id=uuid, key=key_content, public_key=None, creation=creation, expiration=expiration)
                        message= "check key"
                        message_byte = message.encode("ascii") 
                        encrypted_message= check_type.encrypt(message_byte)
                        decrypted_message_byte = check_type.decrypt(encrypted_message)
                        decrypted_message = decrypted_message_byte.decode("ascii") 
                        if decrypted_message == message:
                            return EncryptionKey(label, key_id=uuid, key=key_content, public_key=None, creation=creation, expiration=expiration)
                    except TypeError as e:
                        return EncryptionKey(label, key_id=uuid, key=None, public_key=key_content, creation=creation, expiration=expiration)
            except:
                raise WrongKeyPassphrase()

        elif len(result) > 1:
            # many keys match
            raise MultipleKeysFound(label)
        else:
            raise KeyNotFound(label)


    def storeKey(self, key, passphrase=None):
        """
        Store keys in the database using SqlAlchemy
        param: key: the key that's looking to be stored
               passphrase, the security passphrase that was attached to the key
        return: True if the store was successful
        """
        engine = self.getEngine()
        if passphrase is None:
            pass_flag = False
        else:
            pass_flag = True
        if not self.existKey(key):
            try:
                # get public and private pem strings
                if key.getPrivateKey() is not None:
                    exported_key = key.getPrivateKey().exportKey("PEM", passphrase, pkcs=1)
                else:
                    if passphrase is None:
                        exported_key = key.getPublicKey().exportKey(format="PEM")
                    else:
                        raise PassphraseNotNecessary()
                    
                b64_exported_key = base64.b64encode(exported_key).decode("ascii")
                sql = self.table.insert().values({
                    "label": key.getLabel(),
                    "uuid": key.getUUID(),
                    "key": b64_exported_key,
                    "creation": key.getCreation(),
                    "expiration": key.getExpiration(),
                    "active": True,
                    "passphrase": pass_flag
                })
                result = engine.execute(sql)
                self.debug("key with label:%s has been stored"%(key.getLabel()))
                if result.rowcount == 1:
                    return True
            except Exception as e:
                raise e

        raise AlreadyExists("Key", key.getLabel())

    def storeSignature(self, owner, key):
        """
        Create Signature on the key, it will be store in key using private key
        """
        private_key = key
        hash_msg = SHA256.new(owner)

        owner = pkcs1_15.new(private_key)
        self.signature_key = owner.sign(hash_msg)

    def checkValiditySignature(self, credential, key):
        """
        Check the validity of the key using the signature
        this will be used usin the public
        """
        public_key = key
        try:
            pkcs1_15.new(public_key).verify(self.signature_credential, credential)
            return True
        except (ValueError, TypeError):
            raise hasChanged("Key")

In [7]:
%%deploy credentialmanager/vault/AbstractSharedTokenVault.py
# Abstract Token Vault module for Credential Manager

import json
import base64
import ast
from datetime import datetime
import jsonpickle
import time
import traceback

from sqlalchemy import create_engine, and_, inspect
from sqlalchemy.orm import sessionmaker
from sqlalchemy.sql import func
from sqlalchemy import *
from sqlalchemy.orm import sessionmaker
from sqlalchemy.sql import text
from sqlalchemy.pool import StaticPool

from Crypto.Hash import SHA256
from Crypto.Signature import pkcs1_15

from ..Credential import *
from ..exceptions import *
from ..ShamirImplementation import *

class AbstractSharedTokenVault(BasicLogger):

    def query(self, sql):
        e = None
        for retry in range(0,10):
            try:
                result = self.getEngine().execute(sql).fetchall() 
                return result
            except Exception as e:
                time.sleep(10)
                self.getEngine().dispose()
                self.__engine = create_engine(self.conn_str, connect_args={'timeout': 1})

        raise RuntimeError("CredentialMananger:Could not execute Query: %s: %s" % (sql,e))

    def __init__(self, owner, conn_str, table_name="shared_token"):
        print("shared token vault:",conn_str)
        self.__shamir = ShamirImplementation()
        self.__engine = create_engine(conn_str, connect_args={'timeout': 1})
        self.__table_name = table_name
        self.conn_str = conn_str
        self.__id = "default"
        self.__owner = owner
        #signature
        self.signature_token = None
        self.hash_message = None
        BasicLogger.__init__(self,self.__class__.__name__)
        if not self.initialized():
            self.create()

    def initialized(self):
        
        engine = self.getEngine()
        ins = inspect(engine)
        if not ins.has_table(self.__table_name):
            self.debug("table %s does not exists" % self.__table_name)
            return False
        
        metadata = MetaData(engine)
        self.table = Table(self.__table_name, metadata, autoload=True, autoload_with=engine)

        return True

    def create(self):
        """
        Create a table in the database to be used by the credential
        """
        engine = self.getEngine()
        metadata = MetaData(engine)
        # Create a table with the appropriate Columns
        self.table = Table(self.__table_name, metadata,
                           Column('Id', Integer, primary_key=True, nullable=False),
                           Column('label', String),
                           Column('key_id', String),
                           Column('whom', String),
                           Column('token', String),
                           Column('comment', String),
                           Column('creation', DateTime(timezone=True), server_default=func.now()),
                           Column('expiration', DateTime(timezone=True), onupdate=func.now()),
                           Column('signature', String),
                           Column('active', Boolean))
        # Implement the creation
        metadata.create_all()

    def getEngine(self):
        """
        Get the engine to be used in the credential, by default is psql
        """
        return self.__engine

    def getId(self):
        """
        get the id related to the credential
        """
        return self.__id

    def setId(self, vault_id):
        """
        Set the id of the credential related to the vault
        """
        self.__id = vault_id

    def listTokens(self, key, active=True):
        """
        List assigned or unassigned tokens
        """
        key_id = key.getUUID()
        sql = self.table.select().where(and_(
            self.table.columns.active == active,
            self.table.columns.key_id == key_id,
        ))
        result = self.query(sql)
        token_list = []
        for token in result:
            encrypted_token = base64.b64decode(token[4].encode("ascii"))
            serialized_token = key.decrypt(encrypted_token)
            str_token = serialized_token
            token_list.append(Token(label=token[1], token=str_token, type_=1, whom=token[3], comment=token[5], creation=token[6], expiration=token[7]))
        return token_list
    
    def checkTokenExpiration(self, key, label, whom):
        """
        Check the expiration date of the credential
        """
        try:
            key_id = key.getUUID()
            if whom is None:
                sql_exist = self.table.select().where(and_(
                    self.table.columns.label == label,
                    self.table.columns.key_id == key_id,
                ))
                sql = self.table.select().where(and_(
                    self.table.columns.label == label,
                    self.table.columns.key_id == key_id,
                    self.table.columns.expiration <= datetime.now(),
                ))
            else:
                sql_exist = self.table.select().where(and_(
                    self.table.columns.label == label,
                    self.table.columns.key_id == key_id,
                    self.table.columns.whom == whom,
                    self.table.columns.active == True
                ))
                sql = self.table.select().where(and_(
                    self.table.columns.label == label,
                    self.table.columns.key_id == key_id,
                    self.table.columns.whom == whom,
                    self.table.columns.expiration <= datetime.now(),
                    self.table.columns.active == True
                ))
            query_exist = self.query(sql_exist)
            query = self.query(sql)
            if len(query_exist) == 0:
                raise TokenNotFound(label)
            if len(query) == 0:
                return True
            else:
                raise ExpiredToken()
        except Exception as e:
            raise e
            
    def getTokenExpirationDate(self, key, label, whom):
        """
        Get expiration date of credential
        """
        try:
            key_id = key.getUUID()
            sql = self.table.select().where(and_(
                self.table.columns.label == label,
                self.table.columns.key_id == key_id,
                self.table.columns.whom == whom,
                self.table.columns.active == True
            ))
            query = self.query(sql)
            if len(query) == 0:
                raise CredentialNotFound(label)
            expiration_date = query[0][7]
            return expiration_date
        except Exception as e:
            raise e

    def existTokens(self, key, credential):
        """
        Check if the credential exist
        """
        try:
            key_id = key.getUUID()
            label = credential.getLabel()
            sql = self.table.select().where(and_(
                self.table.columns.label == label,
                self.table.columns.key_id == key_id,
            ))
            result = self.query(sql)
            if len(result) >= 1:
                return True
            elif len(result) == 0:
                return False
        except Exception as e:
            raise e
            
    def getTokensByLabel(self, key, label, whom=None, active=True):
        key_id = key.getUUID()

        if whom is None and label is not None:
            sql = self.table.select().where(and_(
                self.table.columns.label == label,
                self.table.columns.key_id == key_id,
                self.table.columns.active == active
            ))
        elif label is None and whom is not None: 
            sql = self.table.select().where(and_(
                self.table.columns.whom == whom,
                self.table.columns.key_id == key_id,
                self.table.columns.active == active
            ))
        elif label is not None and whom is not None: 
            sql = self.table.select().where(and_(
                self.table.columns.label == label,
                self.table.columns.key_id == key_id,
                self.table.columns.whom == whom,
                self.table.columns.active == active
            ))

        result = None
        result = self.query(sql)

        if len(result) >= 1:
            tokens= []
            for row in result:
                #tokens match
                if key.getPrivateKey() is not None:
                    encrypted_row = base64.b64decode(row[4].encode("ascii"))
                    serialized_row = key.decrypt(encrypted_row)
                    str_row = serialized_row
                    tokens.append(Token(label=row[1], token=str_row, type_=1, whom=row[3], comment=row[5], creation=row[6], expiration=row[7]))
                else:
                    tokens.append(Token(label=row[1], token=row[4], type_=2, whom=row[3], comment=row[5], creation=row[6], expiration=row[7]))
            #dict_tokens = ast.literal_eval(tokens[0])
            return tokens
        elif len(result) == 0:
            #tokens not found
            raise TokenNotFound(label)
                
    def assignToken(self, key, whom, label, date, comment, serialize=False):
        """
        Set the expiration date of the credential
        """
        key_id = key.getUUID()
        # Se valida la existencia de token asignado (activo)
        sql = self.table.select().where(and_(
            self.table.columns.label == label,
            self.table.columns.key_id == key_id,
            self.table.columns.whom == whom,
            self.table.columns.active == True
        ))
        result = self.query(sql)
        if len(result) >= 1:
            raise TokenAlreadyAssigned(label)
        # Se valida la existencia de token disponibles (no activo)
        sql = self.table.select().where(and_(
            self.table.columns.label == label,
            self.table.columns.key_id == key_id,
            self.table.columns.active == False
        ))
        result = self.query(sql)
        if len(result) == 0:
            raise TokenNotAvailable(label)
        
        exp_date = datetime.strptime(date.strftime('%Y-%m-%d %H:%M:%S'), '%Y-%m-%d %H:%M:%S')
        # Create "Session" class and session
        Session = sessionmaker(bind=self.__engine)
        session = Session()
        try:
            # Update fields whom and expiration
            record = session.query(self.table)\
            .filter(self.table.columns.label == label, self.table.columns.active == False).first()
            session.query(self.table)\
            .filter(self.table.columns.label == label, self.table.columns.active == False, self.table.columns.Id == record[0])\
            .update({"whom": whom,"expiration": exp_date,"comment": comment,"active": True,})
            session.commit()
        finally:
            session.close()
            
        token_lst = self.getTokensByLabel(key, label, whom)
        
        if serialize:
            return [ t.serialize() for t in token_lst]
        
        return token_lst

    def getAssignedToken(self, key, label, whom, serialize=False):
        token = None
        try:
            token_lst = self.getTokensByLabel(key, label, whom)
        except Exception as e:
            raise(e)
            
        if serialize:
            
            return [ token.serialize() for token in token_lst]
        
        return token_lst
    
    def createToken(self, credential, n_unlock, shared_users):
        """
        Encrypt Credential with Shamir and create tokens
        """
        token = self.__shamir.encryptSecret(credential, n_unlock, shared_users)
        if token is False:
            return "token already generated for this credential"
        return token

    def storeToken(self, key, credential, token_list):
        """
        Store tokens on database
        """
        engine = self.getEngine()
        key_id = key.getUUID()
        
        for token in token_list:
            if credential.getLabel() == token.getLabel():
                try:
                    # backwards compatibility for older tokens
                    # fresh created tokens have the share in bytes and asigned tokens have the share as string
                    token_b64 = token.getToken()
                    if isinstance(token_b64,str):
                        token_b64 = token_b64.encode("ascii")

                    encrypted_token = key.encrypt(token_b64)
                    b64_encypted_token = base64.b64encode(encrypted_token).decode("ascii")

                    active = True
                    if token.getExpiration() is None and token.getWhom() is None:
                        active = False

                    sql = self.table.insert().values({
                        "label"      : credential.getLabel(),
                        "key_id"     : key_id,
                        "whom"       : token.getWhom(),
                        "token"      : b64_encypted_token,
                        "comment"    : token.getComment(),
                        "creation"   : token.getCreation(),
                        "expiration" : token.getExpiration(),
                        "active"     : active
                    })
                    result = engine.execute(sql)
                except Exception as e:
                    print(e)                        
                    traceback.print_exc()
                    raise e
            else:
                raise WrongCredential()
            
    def storeReceivedToken(self, key, credential, token):
        """
        Store tokens on database
        """
        engine = self.getEngine()
        key_id = key.getUUID()
        if not self.existTokens(key, credential):
            if credential.getLabel() == token.getLabel():
                if token.getType() == 1:
                    token_ = token.getToken()
                    token_byte = token_.encode("ascii")            
                    encrypted_token = key.encrypt(token_byte)
                    b64_encypted_token = base64.b64encode(encrypted_token).decode("ascii")
                    try:
                        sql = self.table.insert().values({
                            "label": credential.getLabel(),
                            "key_id": key_id,
                            "whom": token.getWhom(),
                            "token": b64_encypted_token,
                            "comment": token.getComment(),
                            "creation"   : token.getCreation(),
                            'expiration': token.getExpiration(),
                            "active": True
                        })

                        result = engine.execute(sql)

                        return True
                    
                    except Exception as e:
                        raise e
                else:
                    raise AlreadyEncrypted("Token", token.getLabel())
            else:
                raise WrongCredential()
        else:            
            raise TokenAlreadyExists(credential.getLabel())
        
    def storeSignature(self, token, key):
        """
        Create Signature for token, it will be store using private key
        """
        private = key.getPrivateKey()
        if token.getType() == 1:
            serialized_token = json.dumps(token.getToken()).encode("ascii")
            hash_msg = SHA256.new(serialized_token)
            #hash_msg = SHA256.new(token.getToken())
            self.hash_message = hash_msg
            signer = pkcs1_15.new(private)
            self.signature_token = signer.sign(hash_msg)        
            # Create "Session" class and session
            Session = sessionmaker(bind=self.__engine)
            session = Session()
            try:
                # Update field Signature
                session.query(self.table).filter(self.table.columns.label == token.getLabel(), self.table.columns.whom == token.getWhom(), self.table.columns.active == True)\
                .update({"signature": self.signature_token})
                session.commit()
            finally:
                session.close()
        else:
            raise AlreadyEncrypted("Token", token.getLabel())

    def checkValiditySignature(self, token, key):
        """
        Check the validity of the token using the signature credential already store with the original token
        this will be used usin the public key
        """
        b64_token = base64.b64decode(token).decode("ascii")
        token_loaded = jsonpickle.loads(b64_token)
        for token_object in token_loaded:
            if token_object.getType() == 1:
                public_key = key.getPublicKey()
                serialized_token = json.dumps(token_object.getToken()).encode("ascii")
                hash_msg = SHA256.new(serialized_token)
                #hash_msg = SHA256.new(token_object.getToken())
                self.hash_message = hash_msg
                # Retrieve signature on database
                sql = self.table.select().where(and_(
                    self.table.columns.label == token_object.getLabel(),
                    self.table.columns.whom == token_object.getWhom(),
                    self.table.columns.active == True
                ))
                result = self.query(sql)
                try:
                    pkcs1_15.new(public_key).verify(self.hash_message,result[0][8])
                    return True
                except (ValueError, TypeError):
                    raise hasChanged("Token")
            else:
                raise AlreadyEncrypted("Token", token.getLabel())
    
    def __repr__(self):
        return "%s" % type(self)

In [8]:
%%deploy credentialmanager/vault/CredentialVault.py
### PostgreSQL Credential, SGDACredential, Local Credential
import inspect
import os
from sqlalchemy.engine.url import make_url
from .AbstractCredentialVault import *

class LocalCredentialsVault(AbstractCredentialVault):
    """
    Local credentials vault
    based on SQLite
    """

    def __init__(self, owner, table_name=None):
        self.sqlite_file = owner.conn_db
        url = make_url(self.sqlite_file)
        if url.drivername == 'sqlite' and url.database !='./.credentials/localVault.sqlite':
            conn_str = self.sqlite_file
        else:
            self.sqlite_file = './.credentials/localVault.sqlite'
            os.makedirs(os.path.dirname(self.sqlite_file), exist_ok=True)
            conn_str = 'sqlite:///'+self.sqlite_file
        if table_name is None:
            super(LocalCredentialsVault, self).__init__(owner, conn_str)
        else:
            super(LocalCredentialsVault, self).__init__(owner, conn_str, table_name=table_name)


class PGSqlCredentialsVault(AbstractCredentialVault):
    """
    PostgreSQL credential vault
    """

    def __init__(self, owner, credential):
        self.setId("pgsql_vault")
        # create the connection string for this credential storage
        conn_str = "postgresql+psycopg2://{}:{}@{}/{}".format(credential.content['username'], credential.content['password'],
                                                   credential.content['host'], credential.content['database'])

        if not credential.hasKey("table"):
            super().__init__(owner, conn_str)
        else:
            super().__init__(owner, conn_str, table_name="credentials")


# Credential vaults need to be created by inheriting a credentialVault class
class SGDACredentialVault(PGSqlCredentialsVault):
    def __init__(self, owner):
        self.setId("sgda_vault")
        # get the credential from the current vault in owner
        credential = owner.retrieve("sgda_vault_credential", False, None)
        super().__init__(owner,credential)

In [9]:
%%deploy credentialmanager/vault/KeyVault.py
### PostgreSQL Key, SGDAKey, Local Key
import inspect
import os
from sqlalchemy.engine.url import make_url
from .AbstractKeyVault import *

class LocalKeyVault(AbstractKeyVault):
    """
    Local Key vault
    based on SQLite
    """

    def __init__(self, owner, table_name=None):
        self.sqlite_file = owner.conn_db
        url = make_url(self.sqlite_file)
        if url.drivername == 'sqlite' and url.database !='./.credentials/localVault.sqlite':
            conn_str = self.sqlite_file
        else:
            self.sqlite_file = './.credentials/localVault.sqlite'
            os.makedirs(os.path.dirname(self.sqlite_file), exist_ok=True)
            conn_str = 'sqlite:///'+self.sqlite_file
        if table_name is None:
            super(LocalKeyVault, self).__init__(owner, conn_str)
        else:
            super(LocalKeyVault, self).__init__(owner, conn_str, table_name=table_name)
            

class PSQLKeyVault(AbstractKeyVault):
    """
    PostgreSQL Key vault
    """

    def __init__(self, owner, credential):
        self.setId("pgsql_keyVault")
        # create the connection string for this credential storage
        conn_str = "postgresql+psycopg2://{}:{}@{}/{}".format(credential.content['username'], credential.content['password'],
                                                   credential.content['host'], credential.content['database'])

        if not credential.hasKey("table"):
            super().__init__(owner, conn_str)
        else:
            super().__init__(owner, conn_str, table_name="key_chain")
        
        
# final key vaults need to be created by inheriting a KeyVault class
class SGDAKeyVault(PSQLKeyVault):
    def __init__(self, owner):
        self.setId("sgda_key_vault")
        # get the credential from the current vault in owner
        credential = owner.retrieve("sgda_vault_credential", False, None)
        super().__init__(owner, credential)


In [10]:
%%deploy credentialmanager/vault/TokenVault.py
### PostgreSQL SharedToken, SGDASharedToken, Local SharedToken
import inspect
import os
from sqlalchemy.engine.url import make_url
from .AbstractSharedTokenVault import *
            
class LocalSharedTokenVault(AbstractSharedTokenVault):
    """
    Local Shared Token vault
    based on SQLite
    """

    def __init__(self, owner, table_name=None):
        self.sqlite_file = owner.conn_db
        url = make_url(self.sqlite_file)
        if url.drivername == 'sqlite' and url.database !='./.credentials/localVault.sqlite':
            conn_str = self.sqlite_file
        else:
            self.sqlite_file = './.credentials/localVault.sqlite'
            os.makedirs(os.path.dirname(self.sqlite_file), exist_ok=True)
            conn_str = 'sqlite:///'+self.sqlite_file
        if table_name is None:
            super(LocalSharedTokenVault, self).__init__(owner, conn_str)
        else:
            super(LocalSharedTokenVault, self).__init__(owner, conn_str, table_name=table_name)   

            
class PSQLSharedTokenVault(AbstractSharedTokenVault):
    """
    PostgreSQL Shamir Token vault
    """

    def __init__(self, owner, credential):
        self.setId("pgsql_tokenVault")
        # create the connection string for this credential storage
        conn_str = "postgresql+psycopg2://{}:{}@{}/{}".format(credential.content['username'], credential.content['password'],
                                                   credential.content['host'], credential.content['database'])

        if not credential.hasKey("table"):
            super().__init__(owner, conn_str)
        else:
            super().__init__(owner, conn_str, table_name="shared_token")

            
# token vaults need to be created by inheriting a TokenVault class
class SGDASharedTokenVault(PSQLSharedTokenVault):
    def __init__(self, owner):
        self.setId("sgda_sharedtoken_vault")
        # get the credential from the current vault in owner
        credential = owner.retrieve("sgda_vault_credential", False, None)
        super().__init__(owner, credential)
        


In [11]:
%%deploy credentialmanager/SerializedObject.py
# Serialized object

import json
import os
import base64

class SerializedObject:
    def __init__(self):
        self._object = None

    def serialize(self):
        self._object = self.getAsJson()
        encode_object = base64.b64encode(self._object).decode('ascii')
        return encode_object

    @classmethod
    def deserialize(cls, b64_object):
        decode_object = base64.b64decode(b64_object.encode('ascii'))
        dict_object = json.loads(decode_object)
        return cls.buildFromJson(dict_object)
        

In [12]:
%%deploy credentialmanager/Credential.py
# Credential module for Credential Manager

import json
import os
import base64
import ast
import uuid as _uuid
from datetime import datetime
from dateutil.relativedelta import relativedelta
from .exceptions import *
from .loggers import BasicLogger
from .SerializedObject import SerializedObject
from .ShamirImplementation import *

class Credential(BasicLogger,SerializedObject):
    credential_path = "./.credentials"
    def __init__(self, label, content, uuid=None, nonce=None, tag=None, token=None, type_=1, creation=None, expiration=None):
        if creation is None:
            creation = datetime.now()
            creation = creation.replace(microsecond=0)
        if expiration is None:
            expiration = creation + relativedelta(days=365)
        self.label = label
        if uuid is None:
            self.uuid  = str(_uuid.uuid4())
        else:
            self.uuid = uuid
        self.content = content
        self.nonce = nonce
        self.tag = tag
        self.token = token
        self.type_ = type_
        self.creation = creation
        self.expiration = expiration
        BasicLogger.__init__(self,self.__class__.__name__)
        SerializedObject.__init__(self)
    
    @classmethod
    def load(cls, label, key):
        """
        Loads credential from local source
        param: label, the label of credential
        """
        credential_file = "%s/%s.credential" % (cls.credential_path, label)
        os.makedirs(cls.credential_path, exist_ok=True)
        if os.path.exists(credential_file):
            try:
                with open(credential_file, 'r') as file:
                    dict_credential = json.load(file)
                    credential_type = dict_credential["type"]
                    credential_creation = datetime.strptime(dict_credential["creation"],'%Y-%m-%d %H:%M:%S')
                    credential_expiration = datetime.strptime(dict_credential["expiration"],'%Y-%m-%d %H:%M:%S')
                    if type(dict_credential["content"]) == dict:
                        credential_label = dict_credential["label"]
                        credential_content = dict_credential["content"]
                        credential_uuid = dict_credential["uuid"]
                        credential_nonce = dict_credential["nonce"]
                        credential_tag = dict_credential["tag"]
                        credential_token = dict_credential["token"]
                    else:
                        credential_label = dict_credential["label"]
                        if key is not None:                            
                            credential_content_decode_prev = base64.b64decode(dict_credential["content"].encode("ascii"))
                            credential_content_decrypt = key.decrypt(credential_content_decode_prev)
                            credential_content = base64.b64decode(credential_content_decrypt)  
                        else:
                            credential_content_encode = dict_credential["content"].encode("ascii")
                            credential_content = base64.b64decode(credential_content_encode)
                        credential_nonce_encode = dict_credential["nonce"].encode("ascii")
                        credential_nonce = base64.b64decode(credential_nonce_encode)
                        credential_tag_encode = dict_credential["tag"].encode("ascii")
                        credential_uuid = dict_credential["uuid"].encode("ascii")
                        credential_tag = base64.b64decode(credential_tag_encode)
                        credential_token_encode_index = dict_credential["token"][0].encode("ascii")
                        credential_token_encode_token = dict_credential["token"][1].encode("ascii")
                        credential_token = (int(base64.b64decode(credential_token_encode_index)),base64.b64decode(credential_token_encode_token)) 
                    
                    
                    return Credential(credential_label, credential_content, uuid=credential_uuid, nonce=credential_nonce, tag=credential_tag, token=credential_token,\
                                      type_=credential_type, creation=credential_creation, expiration=credential_expiration)
            except Exception as e:
                raise (e)
        else:
            raise (LocalCredentialNotFound(label))
    
    def save(self):
        """
        Saves the encrypted data into the credentials file
        """
        os.makedirs(self.credential_path, exist_ok=True)
        credential_file = "%s/%s.credential" % (self.credential_path, self.label)
        if not os.path.exists(credential_file):
            with open(credential_file, 'w+', encoding='utf-8') as cf:
                dict_credential = {}
                if type(self.content) == dict:
                    self_content = self.content
                    self_uuid = self.uuid
                    self_nonce = self.nonce
                    self_tag = self.tag
                    self_token = self.token
                    self_type = self.type_
                    self_creation = self.creation
                    self_expiration = self.expiration
                else:
                    self_content = self.content
                    self_uuid = base64.b64encode(self.uuid).decode("ascii")
                    self_nonce = base64.b64encode(self.nonce).decode("ascii")
                    self_tag = base64.b64encode(self.tag).decode("ascii")
                    self_token = (base64.b64encode(bytes(str(self.token[0]), 'ascii')).decode("ascii"),base64.b64encode(self.token[1]).decode("ascii"))
                    self_type = self.type_
                    self_creation = self.creation
                    self_expiration = self.expiration

                        
                dict_credential["label"] = self.label
                dict_credential["content"] = self_content
                dict_credential["uuid"] = self_uuid
                dict_credential["nonce"] = self_nonce
                dict_credential["tag"] = self_tag
                dict_credential["token"] = self_token
                dict_credential["type"] = self_type
                dict_credential["creation"] = str(self_creation)
                dict_credential["expiration"] = str(self_expiration)
                json.dump(dict_credential, cf)
        else:
            raise (AlreadyExists("Credential", self.label))

    def __getitem__(self, key):
        if key in self.content:
            return self.content[key]
        return None

    def getLabel(self):
        """
        Get the label of the credential
        """
        return self.label
    
    def isDecrypted(self):
        if self.type_ == 1:
            return True
        return False
    
    def updateNonce(self, nonce):
        """
        Update nonce of the credential
        """
        if self.tag is not None:
            self.nonce = nonce
        return self.nonce
    
    def updateTag(self, tag):
        """
        Update tag of the credential
        """
        self.tag = tag
        return self.tag
    
    def updateToken(self, token):
        """
        Update token of the credential
        """
        #if self.token is not None:
        self.token = token
        return self.token
    
    def updateContent(self, content):
        """
        Update content of the credential
        """
        if self.tag is not None:
            self.content = content
        return self.content
    
    def updateType(self, type_):
        """
        Update type of the credential
        """
        self.type_ = type_
        return self.type_

    def hasKey(self, key):
        """
        Get the key in the object
        """
        if key in self.content:
            return key in self.content
        return None

    def toString(self):
        """
        Transform the string into a base64 type
        return: base64 object
        """
        if self.content is not None and type(self.content) != bytes:
            string_bytes = json.dumps(self.content).encode("ascii")
            base64_bytes = base64.b64encode(string_bytes)
            return base64_bytes
        if self.content is not None and type(self.content) == bytes:
            base64_bytes = base64.b64encode(self.content)
            return base64_bytes
        raise EmptyCredential(self.label)
        
    def getAsJson(self):
        """
        returns object in json format
        """
        if type(self.content) == dict :
            content = json.dumps(self.content).encode('ascii')
            content = base64.b64encode(content).decode("ascii")
        else:
            if self.type_==2:
                content = self.content
            else:
                content = base64.b64encode(self.content.encode("ascii")).decode("ascii")
            
        nonce=None
        if  self.nonce is None:
            nonce = self.nonce
        else:
            nonce = base64.b64encode(self.nonce).decode("ascii")

        tag = None
        if self.tag is not None:            
            tag = base64.b64encode(self.tag).decode("ascii")
        
        return json.dumps({
            "label"      : self.label,
            "content"    : content,
            "uuid"       : self.uuid,
            "nonce"      : nonce,
            "tag"        : tag,
            "token"      : self.token,
            "type_"      : self.type_,
            "creation"   : str(self.creation),
            "expiration" : str(self.expiration)
        }).encode('ascii')
    
    def decrypt(self, tokens):
        if tokens is not None:
            if not isinstance(tokens, list):
                raise UnknownTokenType(tokens)
                
            for token_element in tokens:
                if token_element.getExpiration() <= datetime.now():
                    raise ExpiredToken()
            
            shamir = ShamirImplementation()
            
            return shamir.decryptSecret(tokens, self)
        raise RuntimeError("No tokens given")
    
    @classmethod
    def buildFromJson(cls,json):
        """
        returns representation of the object
        """
        nonce = None
        tag = None
        try:
            content = ast.literal_eval(base64.b64decode(json["content"]).decode('ascii'))
        except Exception as e:
            content = json["content"]
            
        if json["nonce"] is not None:
            nonce = base64.b64decode(json["nonce"])
            
        if json["tag"] is not None:
            tag = base64.b64decode(json["tag"])
                
        return Credential(
            label=json["label"],
            content=content,
            uuid=json["uuid"],
            nonce=nonce,
            tag=tag,
            token=json["token"],
            type_=json["type_"],
            creation=datetime.strptime(json["creation"],'%Y-%m-%d %H:%M:%S'),
            expiration=datetime.strptime(json["expiration"],'%Y-%m-%d %H:%M:%S'),
        )

    def __repr__(self):
        return "Credential[label=%s,uuid=%s,token=%s,type=%s,creation=%s,expiration=%s]" % (self.label, self.uuid, self.token, self.type_, self.creation, self.expiration)

In [13]:
%%deploy credentialmanager/RSAImplementation.py
# RSA Implementation module for Credential Manager

import base64
import json
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from Crypto.Hash import SHA256
from Crypto.Signature import pkcs1_15

class RSAImplementation:
    """
            RSA Implementation
            Here we generate the keys using RSA methods
    """

    max_msg_length=212
    
    def __init__(self):
        pass

    def generate(self):
        new_key = RSA.generate(2048)
        return new_key

    def encrypt(self, msg, key):
        """
        This method encrypt data based on a public key
        :param public_key:
        :param data:
        :return: the data encrypted
        """
        encryptor = PKCS1_OAEP.new(key.getPublicKey())
        
        if len(msg)>self.max_msg_length:
            # divide the message in chunks of 212 bytes
            chunks = [msg[i:i+self.max_msg_length] for i in range(0, len(msg), self.max_msg_length)]
            lst_encrypted = []
            for chunk in chunks:
                lst_encrypted.append(base64.b64encode(encryptor.encrypt(chunk)).decode("utf8"))
            
            encrypted = base64.b64encode(json.dumps(lst_encrypted).encode("utf8"))
        else:
            encrypted = base64.b64encode(json.dumps([ base64.b64encode(encryptor.encrypt(msg)).decode("utf8") ]).encode("utf8"))

        return encrypted

    def decrypt(self, encrypted, key):
        """
        This method decrypts the data based on a private key
        :param private_key: The private key required for decryption
        :param encrypted: The encrypted data that's looking to be decrypted
        :return: the data decrypted
        """

        json_str = base64.b64decode(encrypted)
        lst_encrypted = json.loads(json_str.decode("utf8"))
                
        decryptor = PKCS1_OAEP.new(key.getPrivateKey())        
        lst_msg = []
        for encrypted_chunk in lst_encrypted:
            lst_msg.append(decryptor.decrypt(base64.b64decode(encrypted_chunk)).decode("utf8") )
        
        msg = "".join(lst_msg)
        return msg
    
    def signature(self, key, msg, owner):
        private_key = key.getPrivateKey
        hash_msg = SHA256.new(msg)

        owner = pkcs1_15.new(private_key)
        signature = owner.sign(hash_msg)

        return signature

    def verifySignature(self, key, msg, original_msg):
        public_key = key.getPublicKey
        try:
            pkcs1_15.new(public_key).verify(msg, original_msg)
        except (ValueError, TypeError):
            raise hasChanged("Data")



In [14]:
%%deploy credentialmanager/ShamirImplementation.py
# Shamir’s Secret Implementation module for Credential Manager

import json
import ast
import base64
from binascii import hexlify,unhexlify
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Protocol.SecretSharing import Shamir
from .Token import Token
from .loggers import BasicLogger
from .exceptions import *

class ShamirImplementation(BasicLogger):
    """
    Shamir’s shared secret Implementation
    """

    def __init__(self):
        BasicLogger.__init__(self,self.__class__.__name__)
    
    def generate_token(self):
        new_key = get_random_bytes(16)
        return new_key

    def encryptSecret(self, credential, n_unlock, shared_users):
        """
        Encrypt a crendential (the shared secret) with n unlock tokens from shared_users total tokens
        """
        if credential.type_ == 2 :
            raise CredentialAlreadyDigested(credential.label)

        key = self.generate_token()
        shared_keys = []
        user_token = []
        shares = Shamir.split(n_unlock, shared_users, key)
        
        for idx, share in shares:
            if idx == 1:
                token_bytes = str((idx, hexlify(share))).encode("ascii")
                b64_token = base64.b64encode(token_bytes).decode("ascii")
                
                user_token.append(b64_token)
            else:
                token_bytes = str((idx, hexlify(share))).encode("ascii")
                b64_token = base64.b64encode(token_bytes).decode("ascii")
                token_byte = b64_token.encode("ascii")
                shared_keys.append(Token(label=credential.getLabel(), token=token_byte, type_=3, whom=None, comment=None, creation=None, expiration=None))
        
        cipher = AES.new(key, AES.MODE_EAX)
        credential_content =  str(credential.content).encode("ascii")
        cipher = AES.new(key, AES.MODE_EAX)
        nonce = cipher.nonce
        cipher_credential, tag = cipher.encrypt_and_digest(credential_content)
        
        credential.updateTag(tag)
        credential.updateNonce(nonce)
        credential.updateToken(user_token[0])
        credential.updateType(2)
        credential.updateContent(cipher_credential)

        return shared_keys

    def decryptSecret(self, tokens, credential):
        """
        decrypt a credential with given tokens
        """
       # Key recontruction process
        retrieve_tokens= []
        for token_object in tokens:
            token = token_object.getToken()
            retrieve_tokens.append(token)
        
        # tokens are still serialized
        retrieve_tokens.append(credential.token)
        
        shares = []        
        for token in retrieve_tokens:
            # this is awful, but we keep it for backwards compat           
            token_bytes = base64.b64decode(token).decode("ascii")
            token_raw = ast.literal_eval(token_bytes)

            stripped_token = str(token_raw).replace(')','').replace('(','').replace(" b'","").replace("'","")
            idx, share = [ s.strip() for s in stripped_token.split(",") ]
            shares.append((int(idx), unhexlify(share)))
                    
        key = Shamir.combine(shares)
        
        # We recover and decrypt the message
        nonce = credential.nonce
        tag   = credential.tag
        
        cipher_credential = base64.b64decode(credential.content)
        
        cipher = AES.new(key, AES.MODE_EAX,nonce=nonce)
        try:
            credential_decrypt = cipher.decrypt(cipher_credential)
            cipher.verify(tag)
            decoded_content = credential_decrypt.decode('ascii')
            dict_content = ast.literal_eval(decoded_content)
            credential.updateContent(dict_content)
            credential.updateNonce(None)
            credential.updateToken(None)
            credential.updateTag(None)
            credential.updateType(1)
            
        except:
            # try to decode double b64 encoded payload
            try:
                b64_cipher_crd   = base64.b64decode(credential.content).decode("ascii").replace('\"',"")
                cipher_credential = base64.b64decode(b64_cipher_crd)
                cipher = AES.new(key, AES.MODE_EAX,nonce=nonce)
                credential_decrypt = None
                try:
                    credential_decrypt = cipher.decrypt(cipher_credential)
                except Exception as e:
                    raise e
                cipher.verify(tag)
                decoded_content = credential_decrypt.decode('ascii')
                dict_content = ast.literal_eval(decoded_content)
                credential.updateContent(dict_content)
                credential.updateNonce(None)
                credential.updateToken(None)
                credential.updateTag(None)
                credential.updateType(1)
            except:
                #credential.updateContent(credential_decrypt)
                credential.updateNonce(None)
                credential.updateToken(None)
                credential.updateTag(None)
                credential.updateType(4)
             

In [15]:
%%deploy credentialmanager/Token.py
# Encryption Key module for Credential Manager

import os
import json
from datetime import datetime
from dateutil.relativedelta import relativedelta
from .exceptions import *
from .loggers import BasicLogger
from .SerializedObject import SerializedObject


class Token(BasicLogger,SerializedObject):
    """
    Token that contains part of the information
    necessary to decrypt a credential
    """
    def __init__(self, label, token, type_=1, whom=None, comment=None, creation=None, expiration=None):
        BasicLogger.__init__(self,self.__class__.__name__)
        SerializedObject.__init__(self)
        if creation is None:
            creation = datetime.now()
            creation = creation.replace(microsecond=0)
        self.__label = label
        self.__token = token
        self.__type = type_
        self.__whom = whom
        self.__comment = comment
        self.__creation = creation
        self.__expiration = expiration

        
    def getLabel(self):
        """
        get the label related to the token
        """
        return self.__label

    
    def getToken(self):
        """
        get token
        """
        return self.__token
    
    
    def getType(self):
        """
        gets the state of the token 1: plane 2: encrypted 3: b64
        """
        return self.__type

    
    def getWhom(self):
        """
        get assigned user or process related to the token
        """
        return self.__whom
    
    
    def getComment(self):
        """
        get assigned user or process related to the token
        """
        return self.__comment
    
    
    def getCreation(self):
        """
        get assigned user or process related to the token
        """
        return self.__creation
    
    
    def getExpiration(self):
        """
        get assigned user or process related to the token
        """
        return self.__expiration
    
    def getAsJson(self):
        """
        returns object in json format
        """
        return json.dumps({
            "label"      : self.__label,
            "token"      : self.__token,
            "type"       : self.__type,
            "whom"       : self.__whom,
            "comment"    : self.__comment,
            "creation"   : str(self.__creation),
            "expiration" : str(self.__expiration)
        }).encode('ascii')


    @classmethod
    def buildFromJson(cls,json):
        """
        returns representation of the object
        """
        if json["expiration"] == 'None':
            expiration= None
        else:
            expiration=datetime.strptime(json["expiration"],'%Y-%m-%d %H:%M:%S')
            
        return Token(
            label=json["label"],
            token=json["token"],
            type_=json["type"],
            whom=json["whom"],
            comment=json["comment"],
            creation=datetime.strptime(json["creation"],'%Y-%m-%d %H:%M:%S'),
            expiration=expiration
        )

    def __repr__(self):
        return "Token[label=%s,token=%s,type=%s,whom=%s,comment=%s,creation=%s,expiration=%s]" %\
        (self.__label, self.__token, self.__type, self.__whom, self.__comment, self.__creation, self.__expiration)
    

In [16]:
%%deploy credentialmanager/EncryptionKey.py
# Encryption Key module for Credential Manager

import os
import uuid
import json
from datetime import datetime
from dateutil.relativedelta import relativedelta
from .exceptions import *
from .RSAImplementation import *
from .loggers import BasicLogger
from .SerializedObject import SerializedObject


class EncryptionKey(BasicLogger,SerializedObject):
    """
    Encryption key manage the encryptions and decryptions of the credential manager as a whole
    EncryptionKey
    Represents a unique RSA Key
    """
    keychain_path = "./.credentials"
    def __init__(self, label, key_id=None, key=None, public_key=None, creation=None, expiration=None):
        self.__rsa = RSAImplementation()
        if creation is None:
            creation = datetime.now()
            creation = creation.replace(microsecond=0)
        if expiration is None:
            expiration = creation + relativedelta(days=365)
        BasicLogger.__init__(self,self.__class__.__name__)
        SerializedObject.__init__(self)
        if key_id is None and key is None:
            self.__key = self.__rsa.generate()
            self.__uuid = str(uuid.uuid4())
            self.__label = label
            self.__pubkey = self.__key.publickey()
            self.__creation = creation
            self.__expiration = expiration
        else:
            self.__label = label
            self.__uuid = key_id
            self.__key = key
            self.__pubkey = public_key
            self.__creation = creation
            self.__expiration = expiration

    def getUUID(self):
        """
        Get the uuuid from the instance
        """
        return self.__uuid

    def getLabel(self):
        """
        Get the label related to the key
        """
        return self.__label

    def getPublicKey(self):
        """
        Get the public key that's going to be used for encryption
        """
        if self.__key is not None:
            return self.__key.publickey()
        else:
             return self.__pubkey

    def getPrivateKey(self):
        """
        Get the private key that's going to be used for decrypt
        """
        return self.__key
       
    def getCreation(self):
        """
        Get the label related to the key
        """
        return self.__creation
    
    def getExpiration(self):
        """
        Get the label related to the key
        """
        return self.__expiration

    def encodeKey(self):
        if self.__key is not None:
            exported_key = self.__key.exportKey("PEM", None, pkcs=1)
            self.__key   = base64.b64encode(exported_key).decode("ascii")  
        if self.__pubkey is not None:
            exported_key = self.__pubkey.exportKey("PEM", None, pkcs=1)
            self.__pubkey   = base64.b64encode(exported_key).decode("ascii") 
        
    def decodeKey(self):
        if self.__key is not None:
            b64_private_bytes = self.__key.encode("ascii")
            private_key = base64.b64decode(b64_private_bytes).decode("ascii")
            self.__key = RSA.importKey(private_key, None)
        if self.__pubkey is not None:
            b64_public_bytes = self.__pubkey.encode("ascii")
            public_key = base64.b64decode(b64_public_bytes).decode("ascii")
            self.__pubkey = RSA.importKey(public_key)  

    @classmethod
    def load(cls, label, passphrase=None):
        """
        Loads private and public key  (!load only private key for the inicial key generated!)
        param: passphrase, the passphrase to secure the key
               label, the label related to the key
        """
        private_key_file = "%s/%s_private.key" % (cls.keychain_path, label)
        public_key_file = "%s/%s_public.key" % (cls.keychain_path, label)
        os.makedirs(cls.keychain_path, exist_ok=True)
        if os.path.exists(private_key_file):
            try:
                with open(private_key_file, 'r') as file:
                    dict_key = json.load(file)
                    key_label = dict_key["label"]
                    uuid = dict_key["uuid"]
                    b64_private_key = dict_key["private_key"]
                    b64_private_bytes = b64_private_key.encode("ascii")
                    private_key = base64.b64decode(b64_private_bytes).decode("ascii")
                    creation = datetime.strptime(dict_key['creation'],'%Y-%m-%d %H:%M:%S')
                    expiration = datetime.strptime(dict_key['expiration'],'%Y-%m-%d %H:%M:%S')
                    try:
                        key = RSA.importKey(private_key, passphrase=passphrase)
                    except ValueError:
                        raise WrongKeyPassphrase()
                    return EncryptionKey(key_label, key_id=uuid, key=key, public_key=None, creation=creation, expiration=expiration)
            except Exception as e:
                raise (e)
        elif os.path.exists(public_key_file):
            try:
                with open(public_key_file, 'r') as file:
                    dict_key = json.load(file)
                    key_label = dict_key["label"]
                    uuid = dict_key["uuid"]           
                    b64_public_key = dict_key["public_key"]
                    b64_public_bytes = b64_public_key.encode("ascii")
                    public_key = base64.b64decode(b64_public_bytes).decode("ascii")
                    pubkey = RSA.importKey(public_key) 
                    creation = datetime.strptime(dict_key['creation'],'%Y-%m-%d %H:%M:%S')
                    expiration = datetime.strptime(dict_key['expiration'],'%Y-%m-%d %H:%M:%S')
                    return EncryptionKey(key_label, key_id=uuid, key=None, public_key=pubkey, creation=creation, expiration=expiration)
            except Exception as e:
                raise (e)
        else:
            raise (LocalKeyNotFound(label))
    
    def save(self, passphrase=None):
        """
        Saves the encrypted data into the credentials file
        param: passphrase, the passphrase for the protection of the key
        """
        os.makedirs(self.keychain_path, exist_ok=True)
        private_key_file = "%s/%s_private.key" % (self.keychain_path, self.__label)
        public_key_file = "%s/%s_public.key" % (self.keychain_path, self.__label)
        if self.__key is not None:
            if not os.path.exists(private_key_file):
                # Create private key
                exported_key = self.__key.exportKey("PEM", passphrase, pkcs=1)
                b64_exported_key = base64.b64encode(exported_key).decode("ascii") 
                with open(private_key_file, 'w+', encoding='utf-8') as pk:
                    dict_key = {}
                    dict_key["label"] = self.__label
                    dict_key["uuid"] = self.__uuid
                    dict_key["private_key"] = b64_exported_key
                    dict_key["creation"] = str(self.__creation)
                    dict_key["expiration"] = str(self.__expiration)
                    json.dump(dict_key, pk)
            else:
                raise (KeyAlreadyExists(self.__label))
        else:
            if not os.path.exists(public_key_file):
                # Create public key
                public_key = self.__pubkey
                exported_public_key = public_key.exportKey(format="PEM")
                b64_exported_public_key = base64.b64encode(exported_public_key).decode("ascii")
                with open(public_key_file, 'w+', encoding='utf-8') as puk:
                    dict_key = {}
                    dict_key["label"] = self.__label
                    dict_key["uuid"] = self.__uuid
                    dict_key["public_key"] = b64_exported_public_key
                    dict_key["creation"] = str(self.__creation)
                    dict_key["expiration"] = str(self.__expiration)
                    json.dump(dict_key, puk)
            else:
                raise (KeyAlreadyExists(self.__label))
            
    def exportPublicKey(self):
        """
        Export public key information
        """
        try:
            public_key = self.__key.publickey()
            exported_public_key = public_key.exportKey(format="PEM")
            b64_exported_public_key = base64.b64encode(exported_public_key).decode("ascii")
            dict_key = {}
            dict_key["label"] = self.__label
            dict_key["uuid"] = self.__uuid
            dict_key["public_key"] = b64_exported_public_key
            dict_key["creation"] = str(self.__creation)
            dict_key["expiration"] = str(self.__expiration)
            dict_key_encode = json.dumps(dict_key).encode("ascii")
            b64_dict_key = base64.b64encode(dict_key_encode).decode("ascii") 
            return b64_dict_key
        except Exception as e:
            raise (e)
        
    def importPublicKey(b64_key):
        """
        Import public key information and return ecryption key object
        """
        try:
            dict_key_decoded = base64.b64decode(b64_key).decode("ascii")
            dict_key = json.loads(dict_key_decoded)
            key_label = dict_key["label"]
            uuid = dict_key["uuid"]
            b64_public_key = dict_key["public_key"]
            b64_public_bytes = b64_public_key.encode("ascii")
            public_key = base64.b64decode(b64_public_bytes).decode("ascii")
            pubkey = RSA.importKey(public_key)
            creation = datetime.strptime(dict_key['creation'],'%Y-%m-%d %H:%M:%S')
            expiration = datetime.strptime(dict_key['expiration'],'%Y-%m-%d %H:%M:%S')
            return EncryptionKey(key_label, key_id=uuid, key=None, public_key=pubkey, creation=creation, expiration=expiration)
        except Exception as e:
            raise (e)
        
    def destroy(self):
        """
        Overwrite the key file if exists, then destroy it
        """
        os.makedirs(self.keychain_path, exist_ok=True)

        if self.__key is not None:
            key_file = "%s/%s.key" % (self.keychain_path, self.__label)
            if os.path.exists(key_file):
                try:
                    os.remove(key_file)
                except Exception as e:
                    raise (e)
            else:
                raise (LocalKeyNotFound(self.__label))
        else:
            raise (KeyNotLoaded())

    def encrypt(self, msg):
        """
        This method encrypt data based on a public key
        :param public_key:
        :param msg:
        :return: the data encrypted
        """
        if isinstance(msg, (bytes, bytearray)):
            encrypted = self.__rsa.encrypt(msg, key=self)
            return encrypted
        else:
            return RuntimeError("The msg is not a byte string")

    def decrypt(self, encrypted):
        """
        This method decrypts the data based on a private key
        :param private_key: The private key required for decryption
        :param encrypted: The encrypted data that's looking to be decrypted
        :return: the data decrypted
        """
        msg = self.__rsa.decrypt(encrypted, key=self)
        return msg
    
    def getAsJson(self):
        """
        returns object in json format
        """
        self.encodeKey()
        json_key = json.dumps({
            "label"      : self.__label,
            "key_id"     : self.__uuid,
            "key"        : self.__key,
            "public_key" : self.__pubkey,
            "creation"   : str(self.__creation),
            "expiration" : str(self.__expiration)
        }).encode('ascii')
        self.decodeKey()
        return json_key

    @classmethod
    def buildFromJson(cls,json):
        """
        returns representation of the object
        """
        private_key= None
        public_key= None
        if json["key"] is not None:
            b64_private_bytes = json["key"].encode("ascii")
            decode_key = base64.b64decode(b64_private_bytes).decode("ascii")
            private_key = RSA.importKey(decode_key, None)
        if json["public_key"] is not None:
            b64_public_bytes = json["public_key"].encode("ascii")
            decode_key = base64.b64decode(b64_public_bytes).decode("ascii")
            public_key = RSA.importKey(decode_key)
        return EncryptionKey(
            label=json["label"],
            key_id=json["key_id"],
            key=private_key,
            public_key=public_key,
            creation=datetime.strptime(json["creation"],'%Y-%m-%d %H:%M:%S'),
            expiration=datetime.strptime(json["expiration"],'%Y-%m-%d %H:%M:%S')
        )

    def __repr__(self):
        return "EncryptionKey[label=%s,id=%s,key=%s,pubkey=%s,creation=%s,expiration=%s]" %\
            (self.__label, self.__uuid, self.__key, self.__pubkey, self.__creation, self.__expiration)


In [17]:
%%deploy credentialmanager/ProtectedEncryptionKey.py
# ProtectedEncryptionKey Key module for Credential Manager

import os
import uuid
import json
from .exceptions import *
from .RSAImplementation import *
from .loggers import BasicLogger
from .EncryptionKey import *


class ProtectedEncryptionKey(BasicLogger):
    """
    ProtectedEncryptionKey key manage the decryptions to get... 
    """
    def __init__(self, label, creation, expiration, key_id=None, key=None, public_key=None):
        self.__rsa = RSAImplementation()
        BasicLogger.__init__(self,self.__class__.__name__)
        self.__label = label
        self.__uuid = key_id
        self.__key = key
        self.__pubkey = public_key
        self.__creation = creation
        self.__expiration = expiration

    def getUUID(self):
        """
        Get the uuuid from the instance
        """
        return self.__uuid

    def getLabel(self):
        """
        Get the label related to the key
        """
        return self.__label


    def getPrivateKey(self):
        """
        Get the private key that's going to be used for decrypt
        """
        return self.__key

    def decryptKey(self, passphrase=None):
        """
        Loads private and public key  (!load only private key for the inicial key generated!)
        param: passphrase, the passphrase to secure the key
               label, the label related to the key
        """
        try:
            b64_private_key = self.__key
            b64_private_bytes = b64_private_key.encode("ascii")
            private_key = base64.b64decode(b64_private_bytes).decode("ascii")
            try:
                key = RSA.importKey(private_key, passphrase=passphrase)
            except ValueError:
                raise WrongKeyPassphrase()
            return EncryptionKey(self.__label, key_id=self.__uuid, key=key, public_key=None, creation=self.__creation, expiration=self.__expiration)
        except Exception as e:
            raise (e)

    def __repr__(self):
        return "ProtectedEncryptionKey[label=%s,id=%s,key=%s,pubkey=%s,creation=%s,expiration=%s]" %\
            (self.__label, self.__uuid, self.__key, self.__pubkey, self.__creation, self.__expiration)


In [18]:
%%deploy credentialmanager/CredentialManager.py
# Credential Manager module for Credential Manager

import ctypes
from .vault.CredentialVault import *
from .vault.TokenVault import *
from .vault.KeyVault import *
from .Credential import *
from .ShamirImplementation import *
from .EncryptionKey import *
from .ProtectedEncryptionKey import ProtectedEncryptionKey
import inspect
import sqlalchemy as sal
import traceback

class CredentialManager(object):
    """
    Credential Manager, the base of this module
    """
    def __init__(self, key, conn_db='sqlite:///./.credentials/localVault.sqlite'):
        # todo: check whether key is an instance of EncryptionKey or not
        self.owner_key = key
        # handle multiple vault types
        self.vaults = {
            "credentials" :{},
            "tokens"      :{},
            "keys"        :{}            
        }
        # only one vault is current for each type
        self.current_vault = {
            "credentials" :None,
            "tokens"      :None,
            "keys"        :None
        }
        self.__shamir = ShamirImplementation()
        self.conn_db = conn_db
        
        # create default credential vault
        self.attachVault(LocalCredentialsVault)
        self.attachVault(LocalSharedTokenVault)
        self.attachVault(LocalKeyVault)

    def attachVault(self, vault_type, **kwargs):
        """
        Attach a vault into the credential manager
        param: vault_type, the vault to be attached
        """
        vault_type_in_scope = inspect.isclass(vault_type)
        if vault_type_in_scope:
            vault = vault_type(self, **kwargs)
            vault_id = vault.getId()
            
            if isinstance(vault, AbstractCredentialVault):
                self.vaults["credentials"][vault_id] = vault
                self.current_vault["credentials"] = vault
            elif isinstance(vault, AbstractSharedTokenVault):
                self.vaults["tokens"][vault_id] = vault
                self.current_vault["tokens"] = vault
            elif isinstance(vault, AbstractKeyVault):
                self.vaults["keys"][vault_id] = vault
                self.current_vault["keys"] = vault
            else:
                raise VaultNotFound(str(vault_type))

        else:
            raise VaultNotFound(str(vault_type))

    def detachVault(self, vault_id):
        """
        Detach a vault from the credential manager
        param: vault_id, the id of the vault to be detach
        """
        
        if vault_id == "default":
            raise RuntimeError("Could not detach default vault")
        
        if vault_id in self.vaults["credentials"]:
            # TODO: verify when vauld_id exists in the dict
            del self.vaults["credentials"][vault_id]            
            self.current_vault = self.vaults["credentials"]["default"]
        elif vault_id in self.vaults["keys"]:
            del self.vaults["keys"][vault_id]            
            self.current_vault = self.vaults["keys"]["default"]
        elif vault_id in self.vaults["tokens"]:
            del self.vaults["tokens"][vault_id]            
            self.current_vault = self.vaults["tokens"]["default"]
        else:
            raise VaultNotFound(vault_id)

    def retrieve(self, label, decrypt=True, token=None, whom=None):
        """
        retrieve the credential from the vault by the owner key and the label
        param: label, the label related to the credential
        return: the credential as a base64 object
        """
        if whom is None:
            whom = self.owner_key.getLabel()
        
        if not isinstance(label, str):
            raise UnknownType(label)
        try:
            credential = self.current_vault["credentials"].getCredential(self.owner_key, label)
            
            if token is not None:
                if not isinstance(token, list):
                    raise UnknownTokenType(token)
                # when credential is decrypted with token the content of the credential is updated
                self.decryptCredential(credential, token, whom)
                if credential.type_ != 1:
                    raise CredentialNotDecrypted()
                    
            elif decrypt is True and token is None:
                self.decryptCredential(credential, token, whom)
                if credential.type_ != 1:
                    raise CredentialNotDecrypted()
                    
            return credential
        except Exception as e:
            raise e
    
    def store(self, credential, n_unlock=2, shared_users=4):
        """
        encrypt with shamir and store credential by the current vault of the owner
        param: credential, the credential to be store
        """
        if not isinstance(credential, Credential):
            raise UnknownCredentialType(credential)
        if not isinstance(n_unlock, int):
            raise UnknownType(n_unlock)
        if not isinstance(shared_users, int):
            raise UnknownType(shared_users)
        try:
            if not self.current_vault["credentials"].existCredential(credential):
                if credential.type_ == 1:
                    # when creating the tokens, the credential is encrypted with shamir updating the content of the credential
                    token_list = self.createToken(credential, n_unlock, shared_users)
                    result = self.storeToken(credential, token_list)                    
                    
                self.current_vault["credentials"].storeCredential(self.owner_key, credential)   
                return True
            else:
                raise CredentialAlreadyExists(credential.label)
        except Exception as e:
            raise e
        
    def createToken(self, credential, n_unlock=2, shared_users=4):
        """
        encrypt with shamir and create tokens:
        when creating the tokens, the credential is encrypted with shamir
        updating the content of the credential
        """
        if not isinstance(credential, Credential):
            raise UnknownCredentialType(credential)
        if not isinstance(n_unlock, int):
            raise UnknownType(n_unlock)
        if not isinstance(shared_users, int):
            raise UnknownType(shared_users)
        try:
            token_list = self.current_vault["tokens"].createToken(credential, n_unlock, shared_users)
            return token_list
        except Exception as e:
            raise e
    
    def storeToken(self, credential, token_list):
        """
        stores token received by credential owner
        param: token, additional token required to decrypt credential
        """
        if not isinstance(credential, Credential):
            raise UnknownCredentialType(credential)
        if not isinstance(token_list, list):
            raise UnknownTokenType(token_list)
        try:
            result = self.current_vault["tokens"].storeToken(self.owner_key, credential, token_list)
            return result
        except Exception as e:
            raise e
            
    def storeReceivedToken(self, credential, token):
        """
        stores token received by credential owner
        param: token, additional token required to decrypt credential
        """
        if not isinstance(credential, Credential):
            raise UnknownCredentialType(credential)
            
        token_lst = []
        if not isinstance(token, Token):
            if not isinstance(token,list):
                raise UnknownTokenType(token)
            token_lst = token
        else:
            token_lst = [ token ]
        try:
            r = []
            for token in token_lst:
                result = self.current_vault["tokens"].storeReceivedToken(self.owner_key, credential, token)
                r.append(result)
                
            return r
        except Exception as e:
            raise e
    
    def retrieveTokens(self, label=None, whom=None, active=False):
        """
        Retrieve tokens for credential label on database
        """
        if label is None and whom is None:
            raise ValueError("you must enter at least one parameter")
        if label is not None:
            if not isinstance(label, str):
                raise UnknownType(label)
        if whom is not None:
            if not isinstance(whom, str):
                raise UnknownType(whom)
        try:
            result = self.current_vault["tokens"].getTokensByLabel(self.owner_key, label, whom, active=active)
            return result
        except Exception as e:
            raise e
        
    def assignToken(self, whom, label, exp_date=None, comment="", serialize=False):
        """
        Assigns available tokens
        """
        if exp_date is None:
                    now = datetime.now()
                    exp_date = now + relativedelta(days=365)
        if not isinstance(label, str):
            raise UnknownType(label)
        if not isinstance(whom, str):
            raise UnknownType(whom)
        if not isinstance(exp_date, datetime):
            raise UnknownType(exp_date)
        try:
            if exp_date < datetime.now():
                raise PastExpirationDate()
            date= exp_date            
            assigned_token = self.current_vault["tokens"].assignToken(self.owner_key, whom, label, date, comment, serialize=serialize)
            return assigned_token
        except Exception as e:
            raise e       
        
    def getAssignedToken(self, label:str, whom:str, serialize=False):
        try:
            token_to_send = self.current_vault["tokens"].getAssignedToken(self.owner_key, label, whom, serialize=serialize)
            return token_to_send
        except Exception as e:
            raise e        
            
    def signToken(self, label, whom):
            """
            Sign credential with key from credential manager
            """
            try:
                tokens = self.retrieveTokens(label, whom, True)
                for token in tokens:
                    self.current_vault["tokens"].storeSignature(token, self.owner_key)
            except Exception as e:
                raise e              
                
    def verifyToken(self, token):
            """
            Check if signed token has been modified
            """
            try:
                return self.current_vault["tokens"].checkValiditySignature(token, self.owner_key)
            except Exception as e:
                raise e         
                
    def getTokenList(self, active=False):
        """
        Get Tokens from vault
        active: True by default list assigned token
        active: False list not assigned token
        """
        if not isinstance(active, bool):
            raise UnknownType(active)
        try:
            token_list = self.current_vault["tokens"].listTokens(self.owner_key, active=active)
            return token_list
        except Exception as e:
            raise e
            
    def getTokenExpirationDate(self, label, whom):
        """
        Get Date expiration on the related key
        """
        if not isinstance(label, str):
            raise UnknownType(label)
        if not isinstance(whom, str):
            raise UnknownType(whom)
        try:
            exp_date = self.current_vault["tokens"].getTokenExpirationDate(self.owner_key, label, whom)
            return exp_date
        except Exception as e:
            raise e
            
    def checkTokenExpiration(self, label, whom=None):
        """
        Check expiration of the token related to the user
        """
        if not isinstance(label, str):
            raise UnknownType(label)
        if whom is not None:
            if not isinstance(whom, str):
                raise UnknownType(whom)
        try:
            status = self.current_vault["tokens"].checkTokenExpiration(self.owner_key, label, whom)
            return status
        except Exception as e:
            raise e
    
    def decryptCredential(self, shamir_credential, token, whom=None):
        """
        decrypt credential to see the content 
        param:
        """ 

        if not isinstance(shamir_credential, Credential):
            raise UnknownCredentialType(shamir_credential)
        if token is not None:
            if not isinstance(token, list):
                raise UnknownTokenType(token)
                
        if whom is None:
            whom = self.owner_key.getLabel()
        try:
            if token is None:
                # look for tokens in the local vault
                token = self.retrieveTokens(shamir_credential.getLabel(), whom, active=True)
                status = self.checkTokenExpiration(shamir_credential.getLabel(), whom)                
                if status:
                    # when credential is decrypted with token the content of the credential is updated
                    return self.__shamir.decryptSecret(token, shamir_credential)
            else:
                for token_element in token:
                    if token_element.getExpiration() <= datetime.now():
                        raise ExpiredToken()
                else:
                    # when credential is decrypted with token the content of the credential is updated
                    return self.__shamir.decryptSecret(token, shamir_credential)
                
        except Exception as e:
            raise e
    
    def getCredentialList(self, active=True):
        """
        Get Credential from the vault with the same owner
        param: active, by default is True
        return the credential list of the owner that are active
        """
        if not isinstance(active, bool):
            raise UnknownType(active)
        try:
            return self.current_vault["credentials"].listCredentials(self.owner_key,active=active)
        except Exception as e:
            raise e
    
    def signCredential(self, credential, key):
        """
        Sign credential with key from credential manager
        """
        if not isinstance(credential, Credential):
            raise UnknownCredentialType(credential)
        try:
            return self.current_vault["credentials"].storeSignature(credential=credential,key_1=key)
        except Exception as e:
            raise e
            
    def encryptCredential(self, credential, destination_key):
        """
        Encrypt open credential with key given as argument
        """
        if not isinstance(credential, Credential):
            raise UnknownCredentialType(credential)
            
        if not isinstance(destination_key, EncryptionKey):
            raise UnknownKeyType(destination_key)
        try:
            credential_ = self.current_vault["credentials"].encryptCredential(credential, destination_key)
            return credential_
        except Exception as e:
            raise e

    def verifyCredential(self, credential, key):
        """
        Check if signed credential has been modified
        """
        try:
            return self.current_vault["credentials"].checkValiditySignature(credential=credential, key=key)
        except Exception as e:
            raise e
            
    def checkCredentialExpiration(self, label):
        """
        Check the expire on the related credential
        """
        if not isinstance(label, str):
            raise UnknownType(label)
        try:
            return self.current_vault["credentials"].checkCredentialExpiration(label)
        except Exception as e:
            raise e
            
    def setCredentialExpiration(self, label, exp_date):
        """
        Set the expire on the related key
        param:key to configure and expiration date
        """
        if not isinstance(label, str):
            raise UnknownType(label)
        try:
            self.current_vault["credentials"].setCredentialExpiration(label, exp_date)
        except Exception as e:
            raise e
            
    def getCredentialExpirationDate(self, label):
        """
        Get Date expiration on the related key
        """
        if not isinstance(label, str):
            raise UnknownType(label)
        try:
            return self.current_vault["credentials"].getCredentialExpirationDate(label)
        except Exception as e:
            raise e
            
    def setKeyExpiration(self, key, exp_date):
        """
        Set the expire on the related key
        param:key to configure and expiration date
        """
        if not isinstance(key, EncryptionKey):
            raise UnknownKeyType(key)
        try:
            self.current_vault["keys"].setKeyExpiration(key, exp_date)
        except Exception as e:
            raise e
            
    def getKey(self):
        """
        get the Key of the Credential
        """
        return self.owner_key

    def getCurrentCredentialsVault(self):
        """
        get the currentVault of the Credential
        """
        return self.current_vault["credentials"]
    
    def getCurrentTokensVault(self):
        """
        get the currentVault of the Tokens
        """
        return self.current_vault["tokens"]
    
    def getCurrentKeysVault(self):
        """
        get the currentVault of the Keys
        """
        return self.current_vault["keys"]

In [19]:
%%deploy credentialmanager/KeyChain.py
# KeyChain module for Credential Manager

from datetime import datetime
from .vault.KeyVault import *
from .EncryptionKey import *
import inspect


class KeyChain(object):
    """
    Keychain of EncryptionKey
    """

    def __init__(self, conn_db='sqlite:///./.credentials/localVault.sqlite'):
        # handle vault types
        self.vaults = {
            "keys"        :{}            
        }
        # only one vault is current for each type
        self.current_vault = {
            "keys"        :None
        }
        self.conn_db = conn_db
        # create default key vault
        self.attachVault(LocalKeyVault)
        

    def attachVault(self, vault_type, **kwargs):
        """
        Attach a vault into the keychain
        param: vault_type, the vault to be attached
        """
        vault_type_in_scope = inspect.isclass(vault_type)
        if vault_type_in_scope:
            vault = vault_type(self, **kwargs)
            vault_id = vault.getId()
            
            if isinstance(vault, AbstractKeyVault):
                self.vaults["keys"][vault_id] = vault
                self.current_vault["keys"] = vault
            else:
                raise VaultNotFound(str(vault_type))

        else:
            raise VaultNotFound(str(vault_type))

    def detachVault(self, vault_id):
        """
        Detach a vault from keychain
        param: vault_id, the id of the vault to be detach
        """
        
        if vault_id == "default":
            raise RuntimeError("Could not detach default vault")
        
        if vault_id in self.vaults["keys"]:
            del self.vaults["keys"][vault_id]            
            self.current_vault = self.vaults["keys"]["default"]
        else:
            raise VaultNotFound(vault_id)

    def retrieve(self, label, passphrase=None):
        """
        get the Key from the current vault by the label and a security passphrase
        param: passphrase: security passphrase for the key
               label, label of the key
        """
        key = self.current_vault["keys"].getKey(label=label, passphrase=passphrase)
        try: 
            status = self.current_vault["keys"].checkKeyExpiration(key)
        except Exception as e:
            raise e
        return key

    def store(self, key, passphrase=None):
        """
        store the Key on the current vault by the label and a security passphrase
        param: passphrase: security passphrase for the key
        label, label of the key
        """
        if not isinstance(key, EncryptionKey):
            raise UnknownKeyType(key)
        try:
            self.current_vault["keys"].storeKey(key, passphrase=passphrase)
        except Exception as e:
            raise e
    
    def getKeyList(self, active=True):
        """
        List the Key in the current vault
        """
        if not isinstance(active, bool):
            raise UnknownType(active)
        try:
            return self.current_vault["keys"].listKeys(active)
        except Exception as e:
            raise e
           
    def checkKeyExpiration(self, key):
        """
        Check the expire on the related key
        param: key, the key that's going to be checked
        """
        if not isinstance(key, EncryptionKey):
            raise UnknownKeyType(key)
        try:
            return self.current_vault["keys"].checkKeyExpiration(key)
        except Exception as e:
            raise e
    
    def getKeyExpirationDate(self, key):
        """
        Get Date expiration on the related key
        """
        if not isinstance(key, EncryptionKey):
            raise UnknownKeyType(key)
        try:
            return self.current_vault["keys"].getKeyExpirationDate(key)
        except Exception as e:
            raise e

    def getCurrentKeysVault(self):
        """
        get the current vault to use with the keychain
        """
        return self.current_vault["keys"]


In [20]:
%%deploy credentialmanager/__init__.py
# Credential Manager module 
# Juan Carlos Maureira
# Maycoll Catalan

import os

from .exceptions import *
from .RSAImplementation import *
from .ShamirImplementation import *
from .Credential import *
from .EncryptionKey import *
from .vault.AbstractSharedTokenVault import *
from .vault.AbstractKeyVault import *
from .vault.AbstractCredentialVault import *
from .CredentialManager import *
from .KeyChain import *
from .MyCredentialManager import *


In [21]:
%%deploy credentialmanager/MyCredentialManager.py
# My Credential Manager for personal credential administration
import os
import getpass
import pandas as pd

import parsedatetime
from datetime import datetime
from dotenv import load_dotenv

from .KeyChain import *
from .CredentialManager import *
from .Credential import *
from .EncryptionKey import *
from .Token import *
from .exceptions import *
from .loggers import BasicLogger

class MyCredentialManager(BasicLogger):
    """
    Credentials, Keys and tokens administration made easy
    """
    
    def handle_exception(self, error=None, kind=RuntimeError):
        if error is None:
            error = str(kind)
        if self.raise_exceptions:
            raise(kind(error))
        else:
            print("%s (%s)" % (error,kind))
    
    def __init__(self, keychain_path = None, credential_vault_path = None, key_label="my-master-key", exceptions=False):
        BasicLogger.__init__(self,self.__class__.__name__)
        
        load_dotenv()
        
        passphrase = None
        if "MYCREDENTIALMANAGER_PWD" in os.environ:
            print("using key passprhase from env")
            passphrase  = os.environ["MYCREDENTIALMANAGER_PWD"]
        else:
            print("Enter your key passphrase")
            passphrase = getpass.getpass()
        
        self.raise_exceptions = exceptions
        
        HOME = os.environ["HOME"]
        vault_name = "credentialVault"
        if "CREDENTIALVAULT_NAME" in os.environ:
            vault_name = os.environ["CREDENTIALVAULT_NAME"]
        
        if keychain_path == None:
            keychain_path = f"{HOME}/.credentials"
        
        if credential_vault_path == None:
            credential_vault_path       = f"sqlite:///{HOME}/.credentials/{vault_name}.sqlite"
        
        EncryptionKey.keychain_path = keychain_path
        self._crd_vault_path = credential_vault_path
        self._key = None
        self._keyChain = None
        # manager key creation.
        # this key is local and used to encrypt the credential locally in your credential vault
        # the key is lodaded from file, and when it does not exists, then it is created and saved
        try:
            self._key = EncryptionKey.load(key_label, passphrase=passphrase)
        except LocalKeyNotFound as e:
            print("creating a new key for this credential manager")
            self._key = EncryptionKey(key_label)
            self._key.save(passphrase=passphrase)
        except WrongKeyPassphrase as e:
            self.handle_exception(e)
            return
        except Exception as e:
            self.handle_exception(e)
            return
            
        self.info("Key loaded")
        # credential manager associated to my_master_key and with vault path at credential_vault_path
        self.credential_manager = CredentialManager(self._key, conn_db = self._crd_vault_path)
        # KeyChain
        self._keyChain = KeyChain(conn_db = self._crd_vault_path)    
    
    def store(self, credential, num_tokens=4, tokens_unlock=2, verbose=False):
        try:
            # store the credential in the local credential vault
            # here is when the credential is encrypted with the master key and the
            # shamir security layer is created
            if verbose:
                print("storing credential with %d tokens and a %d required tokens to unlock" % (num_tokens,tokens_unlock))
            self.credential_manager.store(credential,n_unlock=tokens_unlock, shared_users=num_tokens)
        except Exception as e:
            self.handle_exception(e)
            
    def retrieve(self, label, decrypt=False, token=None, verbose=True, whom=None):
        # we recover the credential only removing the master key encription and keeping the shamir security layer
        # the argument decrypt=False is used to retrieve the credential only with the master key decription
        my_credential = None
        try:
            my_credential = self.credential_manager.retrieve(label, decrypt=decrypt, token=token, whom=whom)
            self.info("Credential with label:%s has been retrieved"%(my_credential.getLabel()))
        except Exception as e:
            self.handle_exception(e)
        
        if my_credential is not None and my_credential.type_==2:
            if verbose:
                print("credential still encrypted since no enough tokens to decrypt")
        
        return my_credential

    def getCredentialsList(self, columns=["Label","uuid","type","creation","expiration"]):
        """
        get credentials as list
        """
        return self.credential_manager.getCredentialList()
    
    def getCredentials(self, columns=["Label","uuid","type","creation","expiration"]):
        """
        get credentials as a dataframe
        """
        c_lst = []

        for c in self.credential_manager.getCredentialList():
            c_lst.append([ c.label,c.uuid, c.nonce, c.tag, c.token, c.type_, c.creation, c.expiration])

        default_cols = ["Label","uuid","nonce","tag","token","type","creation","expiration"]
        if len(columns)>0:
            if not all(item in default_cols for item in columns):
                self.handle_exception(RuntimeError("Unknown column requested: default cols",default_cols))
        else:
            columns = default_cols
        
        df_credentials = pd.DataFrame(c_lst,columns=default_cols)
        return df_credentials[columns]
    
    def getTokenList(self, **kw_args):
        return self.credential_manager.getTokenList(**kw_args)    
    
    def getTokens(self,crd_label,whom=None):
        token = None
        if whom is None:
            try:
                token = self.credential_manager.retrieveTokens(crd_label)
            except Exception as e:
                self.handle_exception(e)
        else:
            try:
                token = self.credential_manager.getAssignedToken(crd_label, whom)
            except Exception as e:
                self.handle_exception(e)
        return token
    
    def getAvailableTokens(self):
        token_lst = self.getTokenList()
        token_df_lst = []
        for token in token_lst:
            token_df_lst.append([token.getLabel(), token.getType(), token.getWhom(), token.getComment(), token.getCreation(), token.getExpiration()])
            
        default_cols = ["Label","Type","Whom","Comment","Creation","Expiration"]
        return pd.DataFrame(token_df_lst, columns=default_cols)
    
    def getAssginedTokens(self):
        token_lst = self.credential_manager.getTokenList(active=True)
        token_df_lst = []
        for token in token_lst:
            token_df_lst.append([token.getLabel(), token.getType(), token.getWhom(), token.getComment(), token.getCreation(), token.getExpiration()])
            
        default_cols = ["Label","Type","Whom","Comment","Creation","Expiration"]
        return pd.DataFrame(token_df_lst, columns=default_cols)
    
    def getPublicKey(self):
        try:
            return self._key.exportPublicKey()
        except Exception as e:
            self.handle_exception(e)
        return None
    
    def assignToken(self, crd_label, whom=None,duration="365 days", comment=None, verbose=True):
        if whom is None:
            whom = self._key.getLabel()
            
        if comment is None:
            print("token assignation comment (required):")
            comment  = input()
        
        # compute expiration date 
        cal = parsedatetime.Calendar()
        time_struct, parse_status = cal.parse(duration)
        expiration_date = datetime(*time_struct[:6])

        asigned_token = None
        if verbose:
            print("assigning token to %s. expires in %s" % (whom,expiration_date))

            try:
                asigned_token = self.credential_manager.assignToken(whom=whom,label=crd_label, exp_date=expiration_date,comment=comment)
            except Exception as e:
                self.handle_exception(e)

        return asigned_token
    
    def export(self, what):
        if isinstance(what,Credential):
            print("exporting credential")
            if what.type_==1:
                self.handle_exception(RuntimeError("could not serialize a decrypted credential"))
            crd_ser = what.serialize()    
            return crd_ser
        
        elif isinstance(what,Token):
            print("exporting token")
            token_ser = what.serialize()
            return token_ser
        else:
            self.handle_exception(RuntimeError("Unknown object. Only accepted Credential or Token"))
            
    def imports(self, what_s):
        
        try:
            # try with credential
            crd = Credential.deserialize(what_s)
            self.store(crd)
            return True
        except Exception as e:
            # try with token
            try:
                token = Token.deserialize(what_s)
                
                crd_label = token.getLabel()
                try:
                    crd4token = self.retrieve(crd_label)
                    print("credential associated to token",crd4token)
                    try:
                        self.credential_manager.storeReceivedToken(crd4token, token)
                        return True
                    except Exception as e:
                        self.handle_exception(e)
                    
                except Exception as e:
                    self.handle_exception(e)
                
            except Exception as e:
                self.handle_exception(e)
        return False
        
    

In [22]:
raise StopExecution

# Testing base Functionalities

## Basic Functionality

### Initialize credential manager

In [None]:
# remove local .credential directory to test first initialization functionality
import shutil
if os.path.exists(".credentials"):
    shutil.rmtree('.credentials')

In [None]:
from credentialmanager import EncryptionKey, CredentialManager
from credentialmanager.exceptions import *

# paths where local key and credential vault will be stored
EncryptionKey.keychain_path = f"./.credentials"
credential_vault_path       = f"sqlite:///.credentials/testVault.sqlite"


In [None]:
# first initialization

manager_key_label       = "my-key"
manager_key_passphrase  = "12345"
manager_key             = None

print("Manager Key: ",manager_key_label)
# Create or load manager_key (password protected)
try:
    manager_key = EncryptionKey.load(manager_key_label, passphrase=manager_key_passphrase)
    print("  Loaded manager_key:")
    print(" ",manager_key)
    
except KeyAlreadyExists as e:
    print(e)
    raise StopExecution
    
except Exception as e:

    print("  Creating new manager key")
    # create a new key
    manager_key = EncryptionKey(manager_key_label)
    try:
        manager_key.save(passphrase=manager_key_passphrase)
        print("   manager_key label:",manager_key_label)
        print("  ",manager_key)
    except Exception as e:
        raise(e)
        
        
# credential manager associated to my_master_key and with vault path at credential_vault_path
mycm = CredentialManager(manager_key, conn_db = credential_vault_path)
credential_vault_path       = f"sqlite:///.credentials/testVault.sqlite"

In [None]:
# initialization from an already created key
try:
    manager_key = EncryptionKey.load(manager_key_label, passphrase=manager_key_passphrase)
    print("  Loaded manager_key:")
    print(" ",manager_key)
    
except KeyAlreadyExists as e:
    print(e)
    raise StopExecution
    
except Exception as e:

    print("  Creating new manager key")
    # create a new key
    manager_key = EncryptionKey(manager_key_label)
    try:
        manager_key.save(passphrase=manager_key_passphrase)
        print("   manager_key label:",manager_key_label)
        print("  ",manager_key)
    except Exception as e:
        raise(e)
        
        
# credential manager associated to my_master_key and with vault path at credential_vault_path
mycm = CredentialManager(manager_key, conn_db = credential_vault_path)


## create and store fully decrypted credential (as a new one)


In [None]:
from credentialmanager import Credential
from datetime import datetime
import traceback

crd = Credential("test-1",{
    "key-1" : "value1",
    "key-2" : "value2;dfwerwe",
    "key-3" : True,
    "key-4" : 43532454353,
})

print(crd)
if crd.isDecrypted():
    print("credential is decrypted")
else:
    print("credential is encrypted")

# store credential
try:
    ret = mycm.store(crd)
    print("credential stored")
    print(ret)
except Exception as e:
    traceback.print_exc()
    print(e)

print("credential after store")
print(crd)

In [None]:
crd = mycm.retrieve("test-1",decrypt=False)
print(crd)

In [None]:
# create a credential with higher number of tokens  
crd = Credential("test-2",{
    "key-1" : "value1",
    "key-2" : "value2;",
    "key-3" : True,
    "key-4" : 43532454353,
})
print(crd)
if crd.isDecrypted():
    print("credential is decrypted")
else:
    print("credential is encrypted")
    
# store credential
try:
    mycm.store(crd, n_unlock=4, shared_users=20)
    print("credential stored")
except Exception as e:
    print(e)

## list credentials

In [None]:
import pandas as pd
c_lst = []
for c in mycm.getCredentialList():
    c_lst.append([c.label,c.type_, c.creation, c.expiration])
    
df_credentials = pd.DataFrame(c_lst,columns=["Label","Type","creation","expiration"])
display(df_credentials)

## list tokens

In [None]:
# all tokens stored in vault (only available. assigned tokens are not listed)
token_list = mycm.getTokenList()
for token in token_list:
    print(token)

In [None]:
# available tokens for a given credential
crd_label="test-1"
token_list = mycm.retrieveTokens(label=crd_label)
for token in token_list:
    print(token)

In [None]:
# assigned tokens for a given credential
crd_label="test-1"
try:
    token_list = mycm.retrieveTokens(label=crd_label, active = True)
    for token in token_list:
        print(token)
except Exception as e:
    print(e)

## Token Assignments 

In [None]:
# assign to my key

from datetime import datetime
from datetime import timedelta

my_key_label  = manager_key_label
crd_label     = "test-1"
comment       = "assigned to my key"

exp_date_1y = datetime.now() + timedelta(days=365)

try:
    assigned_token = mycm.assignToken(whom=my_key_label, label=crd_label, exp_date = exp_date_1y, comment=comment)
    print(assigned_token)
except Exception as e:
    print(e)

In [None]:
# assignt to other use
to_whom       = "other_use_label"
crd_label     = "test-1"
comment       = "assigned to %s" % to_whom

exp_date_1y = datetime.now() + timedelta(days=365)

try:
    assigned_token = mycm.assignToken(whom=to_whom, label=crd_label, exp_date = exp_date_1y, comment=comment)
    print(assigned_token)
except Exception as e:
    print(e)

## retrieve assigned token

In [None]:
my_key_label  = manager_key_label
crd_label     = "test-1"

try:
    assgined_token = mycm.getAssignedToken(whom=my_key_label, label=crd_label)
    print(assgined_token)
except Exception as e:
    print(e)

In [None]:
# get the token serialized
my_key_label  = manager_key_label
crd_label     = "test-1"

try:
    assgined_token = mycm.getAssignedToken(whom=my_key_label, label=crd_label, serialize=True)
    print(assgined_token)
except Exception as e:
    print(e)

In [None]:
# attempt to get an inexisiting token
my_key_label  = manager_key_label
crd_label     = "test-2"

try:
    assgined_token = mycm.getAssignedToken(whom=my_key_label, label=crd_label)
    print(assgined_token)
except TokenNotFound as e:
    print("no assigned token to %s for credential %s" % (my_key_label, crd_label))
except Exception as e:
    # cath other types of errors
    print(e)
    print(type(e))

## decrypt credential

In [None]:
# for performing this operation it is required to have the minimum number of tokens
# by default the min number of tokens to unlock is 2. required tokens must be stored in the vault and assigned to the 
# credential manager key label in order to automatically decrypt the credential. Otherwise, you need to provide the 
# token list for decryption manually. Decrypted credential type is 1
# when the credential type is 4 is because it could not be decrypted due to some error

crd_label = "test-1"

crd_decrypted = mycm.retrieve(crd_label)

if crd_decrypted.isDecrypted():
    print("credential is decrypted")
else:
    print("credential is encrypted")

print(crd_decrypted)
print(crd_decrypted.content)

In [None]:
# obtain encrypted credential for sharing it 
# encrypted credential type is 2
crd_label = "test-1"

crd_encrypted = mycm.retrieve(crd_label, decrypt=False)

if crd_encrypted.isDecrypted():
    print("credential is decrypted")
else:
    print("credential is encrypted")

print(crd_encrypted)
print(crd_encrypted.content)
# serialize encypted credential

print(crd_encrypted.nonce)
print(crd_encrypted.tag)

crd_serialized = crd_encrypted.serialize()
print("--------------------- begin serialized credential ----------------------")
print(crd_serialized)
print("--------------------- end serialized credential ----------------------")

In [None]:
# recover credential from a serialized one
from credentialmanager import Credential, Token
import base64

crd_recovered = Credential.deserialize(crd_serialized)
print(crd_recovered)

token = Token.deserialize("eyJsYWJlbCI6ICJ0ZXN0LTEiLCAidG9rZW4iOiAiS0RJc0lHSW5NV1l5TUdVd1l6ZzROVEpoTXpreE1tSmlZekJsWkRsaVpHSTBNamd4WVRVbktRPT0iLCAidHlwZSI6IDEsICJ3aG9tIjogIm15LWtleSIsICJjb21tZW50IjogImFzc2lnbmVkIHRvIG15IGtleSIsICJjcmVhdGlvbiI6ICIyMDI0LTA0LTE2IDExOjE1OjQ2IiwgImV4cGlyYXRpb24iOiAiMjAyNS0wNC0xNiAxMToxNTo1NyJ9")

crd_recovered.decrypt([token])
print(crd_recovered)
print(crd_recovered.content)

## Import serialized credential and token in a new credential manager

### export credential and assigned token from the source credential manager

In [None]:
# obtain a serialized encypted credential from the source credential manager 

crd_label = "test-1"
crd_encrypted = mycm.retrieve(crd_label, decrypt=False)
print(crd_encrypted)
crd_serialized = crd_encrypted.serialize()


In [None]:
# create the destination credential manager with a passwordless key

target_key_label = "other_key"
target_key       = None

print("Creating new target key")
# create a new key without saving it
target_key = EncryptionKey(target_key_label)
print("   target_key label:",target_key)
print("  ",target_key)
        
# create a in-memory credential manager associated to my_master_key
target_cm = CredentialManager(target_key, conn_db = "sqlite://")


In [None]:
# assign a token for the other_key in the source credential manager
exp_date_1y = datetime.now() + timedelta(days=365)
assigned_token = mycm.assignToken(target_key_label,crd_label, exp_date=exp_date_1y, comment="assigned to other_key")
print(assigned_token)

In [None]:
# obtain the assigned token from the source credential manager
assigned_token = mycm.getAssignedToken(whom=target_key_label,label=crd_label)
print(assigned_token)

In [None]:
# serialize assgined token. notice the assigned token (may be more than one) is inside a list
assigned_token_serialized = [ t.serialize() for t in assigned_token]
print(assigned_token_serialized)

### import the credential and token in the target credential manager

In [None]:
# deserialize the credential
from credentialmanager import Credential
crd_encrypted = Credential.deserialize(crd_serialized)
print(crd_encrypted)

In [None]:
# deserialize token
from credentialmanager import Token
#assigned_tokens_serialized = ["eyJ...."] # here you must copy the token serialized
assigned_tokens = [ Token.deserialize(t) for t in assigned_token_serialized]
print(assigned_tokens)


In [None]:
# store the encypted credential in the target credential manager
try:
    ret = target_cm.store(crd_encrypted)
    print("credential stored",ret)
except Exception as e:
    print(e)
print("credential after store operation")
print(crd_encrypted)

In [None]:
# try to recover the decrypted credential from the target credential manager 
# this must fail since we have no token assigned yet

try:
    crd_recovered = target_cm.retrieve(crd_label)
    print("if you see this message is because the credential was decrypted therefore you have an assigned token stored into the target credential manager")
except Exception as e:
    print(e)

In [None]:
# recover the encrypted credential only removing the key security layer
# remember credentials are stored with 2 layer of encryption. first one is shamir and the other is the key 

try:
    crd_recovered = target_cm.retrieve(crd_label,decrypt=False)
    print(crd_recovered)
except Exception as e:
    print(e)
    
if crd_recovered.isDecrypted():
    print("credential is decrypted")
else:
    print("credential is encrypted")


In [None]:
# store assigned token in the target credential manager
print(assigned_tokens)
try:
    r=target_cm.storeReceivedToken(crd_recovered, assigned_tokens)
    print("token stored",r)
except Exception as e:
    print(e)

In [None]:
# list the credentials in the target credential manager
target_cm.getCredentialList()

In [None]:
# list tokens in the target credential manager
try:
    assgined_token = target_cm.getAssignedToken(whom=target_key_label, label=crd_label)
    print(assgined_token)
except Exception as e:
    print(e)

In [None]:
# recover the decrypted credential from the target credential manager 
# now this should retrieve the decrypted credential since there is an assigned token
# stored in the target credential manager
import traceback

try:
    crd_recovered = target_cm.retrieve(crd_label)
    print(crd_recovered)
except Exception as e:
    print(e)
    traceback.print_exc()

# Testing MyCredentialManager

## Base functionality

### creating a new instance for a user key

In [None]:
from credentialmanager import Credential, EncryptionKey
from credentialmanager import MyCredentialManager

mycm = MyCredentialManager(key_label="JcM-MasterKey")

### Display stored credentials and tokens

In [None]:
display(mycm.getCredentials())
display(mycm.getAvailableTokens())

In [None]:
df_tokens = mycm.getAvailableTokens()
df_tokens.loc[df_tokens.Label=="my_token"]

### Credential Creation

In [None]:
crd=Credential("test-crd",{
    "username" : "test_username",
    "password" : "test_passwd"
})

mycm.store(crd,num_tokens=10, verbose=True)

### Creadential retrieval

In [None]:
crd_rec = mycm.retrieve("test-crd",decrypt=False)
print(crd_rec)

### token assigment

In [None]:
mycm.assignToken("test-crd",duration="2 years")

In [None]:
display(mycm.getAvailableTokens())
display(mycm.getAssginedTokens())

### Export and Import credentials

In [None]:
print(crd_rec)
mycm.export(crd_rec)

In [None]:
tokens = mycm.getTokens("test-crd")
for token in tokens:
    print(token)

In [None]:
tokens = mycm.getTokens("test-crd",whom="JcM-MasterKey")
for token in tokens:
    print(token)
    print(mycm.export(token))

#### import

In [None]:
mycm.imports("eyJsYWJlbCI6ICJ0ZXN0LWNyZCIsICJjb250ZW50IjogIkRobWprcTJLU3JYY1NHMUhRVGxtMENvbmd6R3R0QXZMbU51WVA1TGV0clViMzR0am1uc1ZrMnZzd2F3R0N5QURtV3hiQjV6V0pJST0iLCAidXVpZCI6ICJkMzMwNzUxYy01ZjMwLTRkMjItYjFjNC0yNjFkMjI2NTRhNTYiLCAibm9uY2UiOiAiV01MWkpKYmZ3WTBDOG9pZks2am9Jdz09IiwgInRhZyI6ICJoOTlzbkNuZm1yWmtDWGJzQnJ2bmJnPT0iLCAidG9rZW4iOiAiS0RFc0lHSW5OamczTVRJMU9ESTFNMll3TW1OaE5UazRNV1F3TnpSalpUUTJPVE01TkdJbktRPT0iLCAidHlwZV8iOiAyLCAiY3JlYXRpb24iOiAiMjAyNC0wNC0xNiAxMToyOToxNCIsICJleHBpcmF0aW9uIjogIjIwMjUtMDQtMTYgMTE6Mjk6MTQifQ==")

In [None]:
mycm.imports("eyJsYWJlbCI6ICJ0ZXN0LWNyZCIsICJ0b2tlbiI6ICJLRElzSUdJbk5XUTNPR0ZpTkRGa016a3paRFptWmpWak9USmpZbVV4TVdKaU16aGtOalFuS1E9PSIsICJ0eXBlIjogMSwgIndob20iOiAiSmNNLU1hc3RlcktleSIsICJjb21tZW50IjogImRldiB0b2tlbiIsICJjcmVhdGlvbiI6ICIyMDI0LTA0LTE2IDExOjI5OjE0IiwgImV4cGlyYXRpb24iOiAiMjAyNi0wNC0xNiAxMTozMToxOCJ9")

## Credentials operation with orchestrator

In [31]:
from orch.api import Orchestrator
from credentialmanager import Credential

crd_label = "test-crd"

orch = Orchestrator(api_url="http://localhost:8020")
if orch.status()["status"]=="running":
    print("orchestrator running")
    crd = mycm.retrieve(crd_label,decrypt=False)
    print("registering credential")
    try:
        r = orch.registerCredential(crd)
        print(r)
    except Exception as e:
        print(e)
    
else:
    print("orchestrator NOT running")

Connection Error. Technical details given below.

HTTPConnectionPool(host='localhost', port=8020): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f95678517c0>: Failed to establish a new connection: [Errno 111] Connection refused'))


TypeError: 'NoneType' object is not subscriptable

# END