Search in sources :

Example 41 with NotFoundException

use of javax.ws.rs.NotFoundException in project keywhiz by square.

the class SecretResource method backfillExpiration.

/**
   * Backfill expiration for this secret.
   */
@Timed
@ExceptionMetered
@Path("{name}/backfill-expiration")
@POST
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
public boolean backfillExpiration(@Auth AutomationClient automationClient, @PathParam("name") String name, List<String> passwords) {
    Optional<Secret> secretOptional = secretController.getSecretByName(name);
    if (!secretOptional.isPresent()) {
        throw new NotFoundException("No such secret: " + name);
    }
    Secret secret = secretOptional.get();
    Optional<Instant> existingExpiry = Optional.empty();
    if (secret.getExpiry() > 0) {
        existingExpiry = Optional.of(Instant.ofEpochMilli(secret.getExpiry()));
    }
    String secretName = secret.getName();
    byte[] secretContent = Base64.getDecoder().decode(secret.getSecret());
    // Always try empty password
    passwords.add("");
    Instant expiry = null;
    if (secretName.endsWith(".crt") || secretName.endsWith(".pem") || secretName.endsWith(".key")) {
        expiry = ExpirationExtractor.expirationFromEncodedCertificateChain(secretContent);
    } else if (secretName.endsWith(".gpg") || secretName.endsWith(".pgp")) {
        expiry = ExpirationExtractor.expirationFromOpenPGP(secretContent);
    } else if (secretName.endsWith(".p12") || secretName.endsWith(".pfx")) {
        while (expiry == null && !passwords.isEmpty()) {
            String password = passwords.remove(0);
            expiry = ExpirationExtractor.expirationFromKeystore("PKCS12", password, secretContent);
        }
    } else if (secretName.endsWith(".jceks")) {
        while (expiry == null && !passwords.isEmpty()) {
            String password = passwords.remove(0);
            expiry = ExpirationExtractor.expirationFromKeystore("JCEKS", password, secretContent);
        }
    } else if (secretName.endsWith(".jks")) {
        while (expiry == null && !passwords.isEmpty()) {
            String password = passwords.remove(0);
            expiry = ExpirationExtractor.expirationFromKeystore("JKS", password, secretContent);
        }
    }
    if (expiry != null) {
        if (existingExpiry.isPresent()) {
            long offset = existingExpiry.get().until(expiry, HOURS);
            if (offset > 24 || offset < -24) {
                logger.warn("Extracted expiration of secret {} differs from actual by more than {} hours (extracted = {}, database = {}).", secretName, offset, expiry, existingExpiry.get());
            }
            // Do not overwrite existing expiry, we just want to check for differences and warn.
            return true;
        }
        logger.info("Found expiry for secret {}: {}", secretName, expiry.getEpochSecond());
        boolean success = secretDAO.setExpiration(name, expiry);
        if (success) {
            Map<String, String> extraInfo = new HashMap<>();
            extraInfo.put("backfilled expiry", Long.toString(expiry.getEpochSecond()));
            auditLog.recordEvent(new Event(Instant.now(), EventTag.SECRET_BACKFILLEXPIRY, automationClient.getName(), name, extraInfo));
        }
        return success;
    }
    logger.info("Unable to determine expiry for secret {}", secretName);
    return false;
}
Also used : Secret(keywhiz.api.model.Secret) SanitizedSecret(keywhiz.api.model.SanitizedSecret) HashMap(java.util.HashMap) Instant(java.time.Instant) NotFoundException(javax.ws.rs.NotFoundException) Event(keywhiz.log.Event) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) Timed(com.codahale.metrics.annotation.Timed) ExceptionMetered(com.codahale.metrics.annotation.ExceptionMetered)

Example 42 with NotFoundException

use of javax.ws.rs.NotFoundException in project keywhiz by square.

the class SecretResource method secretListingExpiringForGroup.

/**
   * Retrieve listing of secrets expiring soon in a group
   *
   * @excludeParams automationClient
   * @param time timestamp for farthest expiry to include
   * @param name Group name
   * @responseMessage 200 List of secrets expiring soon in group
   */
@Timed
@ExceptionMetered
@Path("expiring/{time}/{name}")
@GET
@Produces(APPLICATION_JSON)
public Iterable<String> secretListingExpiringForGroup(@Auth AutomationClient automationClient, @PathParam("time") Long time, @PathParam("name") String name) {
    Group group = groupDAO.getGroup(name).orElseThrow(NotFoundException::new);
    List<SanitizedSecret> secrets = secretControllerReadOnly.getSanitizedSecrets(time, group);
    return secrets.stream().map(SanitizedSecret::name).collect(toSet());
}
Also used : Group(keywhiz.api.model.Group) SanitizedSecret(keywhiz.api.model.SanitizedSecret) NotFoundException(javax.ws.rs.NotFoundException) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) Timed(com.codahale.metrics.annotation.Timed) GET(javax.ws.rs.GET) ExceptionMetered(com.codahale.metrics.annotation.ExceptionMetered)

Example 43 with NotFoundException

use of javax.ws.rs.NotFoundException in project keywhiz by square.

the class SecretResource method deleteSecretSeries.

/**
   * Delete a secret series
   *
   * @excludeParams automationClient
   * @param name Secret series name
   *
   * @responseMessage 204 Secret series deleted
   * @responseMessage 404 Secret series not found
   */
@Timed
@ExceptionMetered
@DELETE
@Path("{name}")
public Response deleteSecretSeries(@Auth AutomationClient automationClient, @PathParam("name") String name) {
    Secret secret = secretController.getSecretByName(name).orElseThrow(() -> new NotFoundException("Secret series not found."));
    // Get the groups for this secret so they can be restored manually if necessary
    Set<String> groups = aclDAO.getGroupsFor(secret).stream().map(Group::getName).collect(toSet());
    secretDAO.deleteSecretsByName(name);
    // Record the deletion in the audit log
    Map<String, String> extraInfo = new HashMap<>();
    extraInfo.put("groups", groups.toString());
    extraInfo.put("current version", secret.getVersion().toString());
    auditLog.recordEvent(new Event(Instant.now(), EventTag.SECRET_DELETE, automationClient.getName(), name, extraInfo));
    return Response.noContent().build();
}
Also used : Secret(keywhiz.api.model.Secret) SanitizedSecret(keywhiz.api.model.SanitizedSecret) HashMap(java.util.HashMap) NotFoundException(javax.ws.rs.NotFoundException) Event(keywhiz.log.Event) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Timed(com.codahale.metrics.annotation.Timed) ExceptionMetered(com.codahale.metrics.annotation.ExceptionMetered)

Example 44 with NotFoundException

use of javax.ws.rs.NotFoundException in project keywhiz by square.

the class SecretResource method modifySecretGroups.

/**
   * Modify the groups a secret is assigned to
   *
   * @excludeParams automationClient
   * @param name Secret series name
   * @param request JSON request to modify groups
   *
   * @responseMessage 201 Group membership changed
   * @responseMessage 404 Secret series not found
   */
@Timed
@ExceptionMetered
@PUT
@Path("{name}/groups")
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
public Iterable<String> modifySecretGroups(@Auth AutomationClient automationClient, @PathParam("name") String name, @Valid ModifyGroupsRequestV2 request) {
    // TODO: Use latest version instead of non-versioned
    Secret secret = secretController.getSecretByName(name).orElseThrow(NotFoundException::new);
    String user = automationClient.getName();
    long secretId = secret.getId();
    Set<String> oldGroups = aclDAO.getGroupsFor(secret).stream().map(Group::getName).collect(toSet());
    Set<String> groupsToAdd = Sets.difference(request.addGroups(), oldGroups);
    Set<String> groupsToRemove = Sets.intersection(request.removeGroups(), oldGroups);
    // TODO: should optimize AclDAO to use names and return only name column
    groupsToGroupIds(groupsToAdd).forEach((maybeGroupId) -> maybeGroupId.ifPresent((groupId) -> aclDAO.findAndAllowAccess(secretId, groupId, auditLog, user, new HashMap<>())));
    groupsToGroupIds(groupsToRemove).forEach((maybeGroupId) -> maybeGroupId.ifPresent((groupId) -> aclDAO.findAndRevokeAccess(secretId, groupId, auditLog, user, new HashMap<>())));
    return aclDAO.getGroupsFor(secret).stream().map(Group::getName).collect(toSet());
}
Also used : Secret(keywhiz.api.model.Secret) SanitizedSecret(keywhiz.api.model.SanitizedSecret) Secret(keywhiz.api.model.Secret) Produces(javax.ws.rs.Produces) Event(keywhiz.log.Event) Path(javax.ws.rs.Path) LoggerFactory(org.slf4j.LoggerFactory) GroupDAOFactory(keywhiz.service.daos.GroupDAO.GroupDAOFactory) Valid(javax.validation.Valid) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) Map(java.util.Map) DefaultValue(javax.ws.rs.DefaultValue) ExceptionMetered(com.codahale.metrics.annotation.ExceptionMetered) ModifyGroupsRequestV2(keywhiz.api.automation.v2.ModifyGroupsRequestV2) BadRequestException(javax.ws.rs.BadRequestException) UriBuilder(javax.ws.rs.core.UriBuilder) APPLICATION_JSON(javax.ws.rs.core.MediaType.APPLICATION_JSON) ContentCryptographer(keywhiz.service.crypto.ContentCryptographer) GroupDAO(keywhiz.service.daos.GroupDAO) Collectors.toSet(java.util.stream.Collectors.toSet) DELETE(javax.ws.rs.DELETE) Group(keywhiz.api.model.Group) SecretVersion(keywhiz.api.model.SecretVersion) CreateSecretRequestV2(keywhiz.api.automation.v2.CreateSecretRequestV2) HOURS(java.time.temporal.ChronoUnit.HOURS) Set(java.util.Set) ConflictException(keywhiz.service.exceptions.ConflictException) Instant(java.time.Instant) Sets(com.google.common.collect.Sets) NotFoundException(javax.ws.rs.NotFoundException) String.format(java.lang.String.format) Timed(com.codahale.metrics.annotation.Timed) Base64(java.util.Base64) List(java.util.List) Stream(java.util.stream.Stream) Response(javax.ws.rs.core.Response) Optional(java.util.Optional) SanitizedSecret(keywhiz.api.model.SanitizedSecret) SecretDAOFactory(keywhiz.service.daos.SecretDAO.SecretDAOFactory) SecretContent(keywhiz.api.model.SecretContent) PathParam(javax.ws.rs.PathParam) SecretDetailResponseV2(keywhiz.api.automation.v2.SecretDetailResponseV2) AclDAO(keywhiz.service.daos.AclDAO) SanitizedSecretWithGroups(keywhiz.api.model.SanitizedSecretWithGroups) GET(javax.ws.rs.GET) Auth(io.dropwizard.auth.Auth) PartialUpdateSecretRequestV2(keywhiz.api.automation.v2.PartialUpdateSecretRequestV2) HashMap(java.util.HashMap) SecretSeriesDAO(keywhiz.service.daos.SecretSeriesDAO) Inject(javax.inject.Inject) AutomationClient(keywhiz.api.model.AutomationClient) ImmutableList(com.google.common.collect.ImmutableList) SecretDAO(keywhiz.service.daos.SecretDAO) SecretBuilder(keywhiz.service.daos.SecretController.SecretBuilder) AuditLog(keywhiz.log.AuditLog) DataAccessException(org.jooq.exception.DataAccessException) POST(javax.ws.rs.POST) Logger(org.slf4j.Logger) SecretSeriesDAOFactory(keywhiz.service.daos.SecretSeriesDAO.SecretSeriesDAOFactory) Readonly(keywhiz.service.config.Readonly) UTF_8(java.nio.charset.StandardCharsets.UTF_8) AclDAOFactory(keywhiz.service.daos.AclDAO.AclDAOFactory) SetSecretVersionRequestV2(keywhiz.api.automation.v2.SetSecretVersionRequestV2) SecretController(keywhiz.service.daos.SecretController) EventTag(keywhiz.log.EventTag) Collectors.toList(java.util.stream.Collectors.toList) CreateOrUpdateSecretRequestV2(keywhiz.api.automation.v2.CreateOrUpdateSecretRequestV2) SecretSeriesAndContent(keywhiz.api.model.SecretSeriesAndContent) PUT(javax.ws.rs.PUT) NotFoundException(javax.ws.rs.NotFoundException) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) Timed(com.codahale.metrics.annotation.Timed) ExceptionMetered(com.codahale.metrics.annotation.ExceptionMetered) PUT(javax.ws.rs.PUT)

Example 45 with NotFoundException

use of javax.ws.rs.NotFoundException in project keywhiz by square.

the class SecretsResource method sanitizedSecretFromName.

private SanitizedSecret sanitizedSecretFromName(String name) {
    Optional<Secret> optionalSecret = secretController.getSecretByName(name);
    if (!optionalSecret.isPresent()) {
        throw new NotFoundException("Secret not found.");
    }
    Secret secret = optionalSecret.get();
    return SanitizedSecret.fromSecret(secret);
}
Also used : Secret(keywhiz.api.model.Secret) SanitizedSecret(keywhiz.api.model.SanitizedSecret) NotFoundException(javax.ws.rs.NotFoundException)

Aggregations

NotFoundException (javax.ws.rs.NotFoundException)68 Path (javax.ws.rs.Path)46 Timed (com.codahale.metrics.annotation.Timed)45 ApiOperation (io.swagger.annotations.ApiOperation)27 ExceptionMetered (com.codahale.metrics.annotation.ExceptionMetered)25 GET (javax.ws.rs.GET)22 ApiResponses (io.swagger.annotations.ApiResponses)20 DELETE (javax.ws.rs.DELETE)20 Produces (javax.ws.rs.Produces)18 AuditEvent (org.graylog2.audit.jersey.AuditEvent)16 HashMap (java.util.HashMap)15 PUT (javax.ws.rs.PUT)15 Group (keywhiz.api.model.Group)14 SanitizedSecret (keywhiz.api.model.SanitizedSecret)14 Event (keywhiz.log.Event)14 Consumes (javax.ws.rs.Consumes)12 Client (keywhiz.api.model.Client)11 POST (javax.ws.rs.POST)10 BadRequestException (javax.ws.rs.BadRequestException)9 InternalServerErrorException (javax.ws.rs.InternalServerErrorException)9