confidant.services package¶

Submodules¶

confidant.services.certificatemanager module¶

class confidant.services.certificatemanager.CAType(value)¶

Bases: Enum

Enum for CA types.

AWS_ACM_PCA = 'aws_acm_pca'¶

CUSTOM_CA = 'custom_ca'¶

confidant.services.certificatemanager.get_ca(ca)¶: get_ca returns a CertificateAuthority object for the given CA, based on the CA type in settings.

confidant.services.certificatemanager.list_cas()¶: Return detailed CA information for all CAs.

confidant.services.ciphermanager module¶

class confidant.services.ciphermanager.CipherManager(key, version=2)¶

Bases: object

Class for encrypting and decrypting strings.

cipher = CipherManager(key) encrypted_text = cipher.encrypt(‘hello world’) decrypted_text = cipher.decrypt(encrypted_text)

decrypt(enc)¶

encrypt(raw)¶

exception confidant.services.ciphermanager.CipherManagerError¶: Bases: Exception

confidant.services.credentialmanager module¶

confidant.services.credentialmanager._credential_in_service(_id, services)¶

confidant.services.credentialmanager._delete_credentials(credentials, force=False)¶

confidant.services.credentialmanager._save_credentials_to_archive(credentials_to_save, force=False)¶

confidant.services.credentialmanager.archive_credentials(credentials, force)¶

confidant.services.credentialmanager.check_credential_pair_values(credential_pairs)¶

confidant.services.credentialmanager.get_blind_credentials(credential_ids, metadata_only=False)¶

confidant.services.credentialmanager.get_credentials(credential_ids)¶

confidant.services.credentialmanager.get_latest_blind_credential_revision(id, revision)¶

confidant.services.credentialmanager.get_latest_credential_revision(id, revision)¶

confidant.services.credentialmanager.get_revision_ids_for_credential(credential)¶: For the given credential, return a list of archive credential IDs.

confidant.services.credentialmanager.lowercase_credential_pairs(credential_pairs)¶

confidant.services.credentialmanager.pair_key_conflicts_for_credentials(credential_ids, blind_credential_ids)¶

confidant.services.graphite module¶

confidant.services.graphite.send_event(services, msg)¶

confidant.services.iamrolemanager module¶

confidant.services.iamrolemanager._get_iam_roles()¶

confidant.services.iamrolemanager.get_iam_roles(purge=False)¶

confidant.services.iamrolemanager.refresh_cache()¶

confidant.services.jwkmanager module¶

class confidant.services.jwkmanager.JWKManager¶

Bases: object

_get_active_kids() → List[str]¶

_get_key(kid: str, environment: str)¶

_load_certificate_authorities() → None¶

get_active_key(environment: str) → Tuple[str, Optional[JWK]]¶

get_jwks(environment: str, algorithm: str = 'RS256') → List[Dict[str, str]]¶

get_jwt(environment: str, payload: dict, expiration_seconds: int = 3600, algorithm: str = 'RS256') → str¶

set_key(environment: str, kid: str, private_key: str, passphrase: Optional[str] = None, encoding: str = 'utf-8') → str¶

class confidant.services.jwkmanager.JwtCache¶

Bases: ABC

_abc_impl = <_abc._abc_data object>¶

abstract get_jwt(kid: str, requester: str, user: str) → str¶

abstract set_jwt(kid: str, requester: str, user: str, jwt: str) → None¶

class confidant.services.jwkmanager.LocalJwtCache¶

Bases: JwtCache

_abc_impl = <_abc._abc_data object>¶

cache_key(kid: str, requester: str, user: str) → str¶

get_jwt(kid: str, requester: str, user: str) → str¶

set_jwt(kid: str, requester: str, user: str, jwt: str) → None¶

class confidant.services.jwkmanager.RedisCache¶

Bases: JwtCache

_abc_impl = <_abc._abc_data object>¶

cache_key(kid: str, requester: str, user: str) → str¶

get_jwt(kid: str, requester: str, user: str) → str¶

set_jwt(kid: str, requester: str, user: str, jwt: str) → None¶

confidant.services.keymanager module¶

exception confidant.services.keymanager.ServiceCreateGrantError¶: Bases: Exception

exception confidant.services.keymanager.ServiceGetGrantError¶: Bases: Exception

confidant.services.keymanager._ensure_grants(role, grants)¶

confidant.services.keymanager._get_at_rest_kms_client()¶

confidant.services.keymanager._get_auth_kms_client()¶

confidant.services.keymanager._get_boto_config()¶

confidant.services.keymanager._grants_exist(role, grants)¶

confidant.services.keymanager.create_datakey(encryption_context)¶: Create a datakey from KMS.

confidant.services.keymanager.decrypt_datakey(data_key, encryption_context=None)¶: Decrypt a datakey.

confidant.services.keymanager.ensure_grants(service_name)¶

Add encryption and decryption grants for the service.

TODO: We should probably orchestrate this, rather than doing it in: confidant.

confidant.services.keymanager.get_grants()¶

confidant.services.keymanager.get_key_id(key_alias)¶

confidant.services.keymanager.grants_exist(service_name)¶

confidant.services.servicemanager module¶

confidant.services.servicemanager.get_latest_service_revision(id, revision)¶

confidant.services.servicemanager.get_service_map(services)¶

confidant.services.servicemanager.get_services_for_blind_credential(_id)¶

confidant.services.servicemanager.get_services_for_credential(_id)¶

confidant.services.servicemanager.pair_key_conflicts_for_services(_id, credential_keys, services)¶

confidant.services.servicemanager.send_service_mapping_graphite_event(new_service, old_service)¶

confidant.services.webhook module¶

confidant.services.webhook.send_event(event_type, services, credential_ids)¶