
Example 56 with ExceptionMetered

use of com.codahale.metrics.annotation.ExceptionMetered in project keywhiz by square.

the class SecretResource method resetSecretVersion.

/**
 * Reset the current version of the given secret to the given version index.
 *
 * @param automationClient the authenticated automation client performing the reset; its name is
 *     handed to the DAO and recorded as the actor of the audit event
 * @param request names the secret series and the version index that should become current
 * @return an empty 201 response once the DAO call and the audit record have both completed
 *
 * responseMessage 201 Secret series current version updated successfully
 * responseMessage 400 Invalid secret version specified
 * responseMessage 404 Secret series not found
 */
@Timed
@ExceptionMetered
@Path("{name}/setversion")
@POST
public Response resetSecretVersion(@Auth AutomationClient automationClient, @Valid SetSecretVersionRequestV2 request) {
    String actor = automationClient.getName();
    String secretName = request.name();

    // The DAO is the single validation point: an unknown series or an invalid version index is
    // reported by it as an exception, so the audit record below is only written on success.
    secretDAO.setCurrentSecretVersionByName(secretName, request.version(), actor);

    // Audit who moved the current version and to which index. Only the index is recorded,
    // never any secret content.
    Map<String, String> extraInfo = new HashMap<>();
    extraInfo.put("new version", Long.toString(request.version()));
    Event changeEvent = new Event(Instant.now(), EventTag.SECRET_CHANGEVERSION, actor, secretName, extraInfo);
    auditLog.recordEvent(changeEvent);

    return Response.status(Response.Status.CREATED).build();
}

Example 57 with ExceptionMetered

use of com.codahale.metrics.annotation.ExceptionMetered in project keywhiz by square.

the class SecretResource method backfillHmac.

/**
 * Backfill the content HMAC for the named secret.
 *
 * <p>The current content is decrypted in memory only long enough to compute the HMAC; the
 * plaintext is never logged or returned. Secrets that already carry an HMAC are left untouched.
 *
 * @param automationClient the authenticated automation client requesting the backfill
 * @param name the secret series name from the path
 * @return {@code false} if no secret with that name exists; {@code true} if an HMAC was already
 *     present or if exactly one row was updated by the backfill
 */
@Timed
@ExceptionMetered
@Path("{name}/backfill-hmac")
@POST
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
public boolean backfillHmac(@Auth AutomationClient automationClient, @PathParam("name") String name) {
    Optional<SecretSeriesAndContent> maybeSecret = secretDAO.getSecretByName(name);
    if (maybeSecret.isPresent()) {
        // Log the series name only; content and HMAC values stay out of the log.
        logger.info("backfill-hmac {}: processing secret", name);
        SecretContent content = maybeSecret.get().content();
        if (content.hmac().isEmpty()) {
            // "hmackey" is handed to the cryptographer as a key reference; presumably a key alias
            // resolved internally rather than key material — verify against ContentCryptographer.
            byte[] plaintext = cryptographer.decrypt(content.encryptedContent()).getBytes(UTF_8);
            String hmac = cryptographer.computeHmac(plaintext, "hmackey");
            // Exactly one row is expected to change; anything else is reported as failure.
            return secretSeriesDAO.setHmac(content.id(), hmac) == 1;
        }
        // An HMAC is already stored, so there is nothing to backfill.
        return true;
    }
    return false;
}

Example 58 with ExceptionMetered

use of com.codahale.metrics.annotation.ExceptionMetered in project keywhiz by square.

the class SecretResource method modifySecretGroups.

/**
 * Modify the groups a secret is assigned to
 *
 * <p>Group names in {@code request.addGroups()} that the secret already belongs to, and names in
 * {@code request.removeGroups()} that it does not belong to, are ignored. Names that resolve to
 * no group id are skipped silently (see the {@code ifPresent} calls below) rather than rejected,
 * so a misspelled group name produces no error and no ACL change.
 *
 * @param automationClient the authenticated automation client; its name is recorded as the
 *     actor on the audit entries written by the ACL DAO
 * @param name Secret series name
 * @param request JSON request to modify groups
 * @return the secret's group names after the changes were applied
 * @throws NotFoundException if no secret with the given name exists
 *
 * responseMessage 201 Group membership changed
 * responseMessage 404 Secret series not found
 *
 * NOTE(review): the method returns a body rather than a {@code Response}, so the container's
 * default success status applies — confirm the 201 documented above is what clients actually see.
 */
@Timed
@ExceptionMetered
@PUT
@Path("{name}/groups")
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
public Iterable<String> modifySecretGroups(@Auth AutomationClient automationClient, @PathParam("name") String name, @Valid ModifyGroupsRequestV2 request) {
    // TODO: Use latest version instead of non-versioned
    Secret secret = secretController.getSecretByName(name).orElseThrow(NotFoundException::new);
    String user = automationClient.getName();
    long secretId = secret.getId();
    // Snapshot of the current membership by name; the set views below are computed against it.
    Set<String> oldGroups = aclDAO.getGroupsFor(secret).stream().map(Group::getName).collect(toSet());
    // Only genuinely new groups are added and only currently-assigned groups are removed.
    Set<String> groupsToAdd = Sets.difference(request.addGroups(), oldGroups);
    Set<String> groupsToRemove = Sets.intersection(request.removeGroups(), oldGroups);
    // TODO: should optimize AclDAO to use names and return only name column
    // Each ACL change is audited by the DAO under `user`; an empty Optional (unknown group name)
    // is skipped without feedback to the caller.
    groupsToGroupIds(groupsToAdd).forEach((maybeGroupId) -> maybeGroupId.ifPresent((groupId) -> aclDAO.findAndAllowAccess(secretId, groupId, auditLog, user, new HashMap<>())));
    groupsToGroupIds(groupsToRemove).forEach((maybeGroupId) -> maybeGroupId.ifPresent((groupId) -> aclDAO.findAndRevokeAccess(secretId, groupId, auditLog, user, new HashMap<>())));
    // Re-read from the ACL store so the response reflects what was actually persisted.
    return aclDAO.getGroupsFor(secret).stream().map(Group::getName).collect(toSet());
}

Example 59 with ExceptionMetered

use of com.codahale.metrics.annotation.ExceptionMetered in project keywhiz by square.

the class AutomationSecretAccessResource method disallowAccess.

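/**
 * Remove Secret from Group
 *
 * @param automationClient the client with automation access performing this operation
 * @param secretId the ID of the Secret to unassign
 * @param groupId the ID of the Group to be removed from
 * @return 200 on success, 404 if the secret or group is absent
 * @throws NotFoundException if the ACL DAO signals (via {@code IllegalStateException}) that the
 *     secret or group does not exist; the original exception is attached as the cause
 *
 * description Unassigns the Secret specified by the secretID from the Group specified by the groupID
 * responseMessage 200 Successfully removed Secret from Group
 * responseMessage 404 Could not find Secret or Group
 */
@Timed
@ExceptionMetered
@DELETE
public Response disallowAccess(@Auth AutomationClient automationClient, @PathParam("secretId") LongParam secretId, @PathParam("groupId") LongParam groupId) {
    // Only ids and the client are logged; no secret content is involved here.
    logger.info("Client '{}' disallowing groupId={} access to secretId={}", automationClient, secretId, groupId);
    try {
        // The audit entry is written by the DAO; "deprecated" presumably flags that this
        // endpoint is the legacy path — confirm against the audit log consumers.
        Map<String, String> extraInfo = new HashMap<>();
        extraInfo.put("deprecated", "true");
        aclDAO.findAndRevokeAccess(secretId.get(), groupId.get(), auditLog, automationClient.getName(), extraInfo);
    } catch (IllegalStateException e) {
        // Map the DAO's "not found" signal to a 404 but keep the cause for server-side
        // diagnostics. Every IllegalStateException is translated here, so a genuine bug in the
        // DAO would also surface as 404; the cause in the logs is what distinguishes the two.
        // Confirm the configured exception mapper does not serialize causes into the response.
        throw new NotFoundException(e);
    }
    return Response.ok().build();
}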

Example 60 with ExceptionMetered

use of com.codahale.metrics.annotation.ExceptionMetered in project keywhiz by square.

the class AutomationSecretAccessResource method allowAccess.

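/**
 * Assign Secret to Group
 *
 * @param automationClient the client with automation access performing this operation
 * @param secretId the ID of the Secret to assign
 * @param groupId the ID of the Group to be assigned to
 * @return 200 on success, 404 if the secret or group is absent
 * @throws NotFoundException if the ACL DAO signals (via {@code IllegalStateException}) that the
 *     secret or group does not exist; the original exception is attached as the cause
 *
 * description Assigns the Secret specified by the secretID to the Group specified by the groupID
 * responseMessage 200 Successfully enrolled Secret in Group
 * responseMessage 404 Could not find Secret or Group
 */
@Timed
@ExceptionMetered
@PUT
public Response allowAccess(@Auth AutomationClient automationClient, @PathParam("secretId") LongParam secretId, @PathParam("groupId") LongParam groupId) {
    // Only ids and the client are logged; no secret content is involved here.
    logger.info("Client '{}' allowing groupId={} access to secretId={}", automationClient, secretId, groupId);
    try {
        // The audit entry is written by the DAO; "deprecated" presumably flags that this
        // endpoint is the legacy path — confirm against the audit log consumers.
        Map<String, String> extraInfo = new HashMap<>();
        extraInfo.put("deprecated", "true");
        aclDAO.findAndAllowAccess(secretId.get(), groupId.get(), auditLog, automationClient.getName(), extraInfo);
    } catch (IllegalStateException e) {
        // Map the DAO's "not found" signal to a 404 but keep the cause for server-side
        // diagnostics. Every IllegalStateException is translated here, so a genuine bug in the
        // DAO would also surface as 404; the cause in the logs is what distinguishes the two.
        // Confirm the configured exception mapper does not serialize causes into the response.
        throw new NotFoundException(e);
    }
    return Response.ok().build();
}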
