confidant.services package
Submodules
confidant.services.certificatemanager module
class confidant.services.certificatemanager.CachedCertificate(lock=False, response=None)
    Bases: object

    property lock

    property response

class confidant.services.certificatemanager.CertificateAuthority(ca)
    Bases: object

    decode_csr(pem_csr)
        Return a csr object from the PEM encoded csr.

    encode_certificate(cert)
        Return the PEM string encoded version of the certificate object.

    encode_csr(csr)
        Return a PEM string encoded version of the csr object.

    encode_key(key)
        Return the PEM encoded version of the provided private RSA key object.

    encode_san_dns_names(san)
        Return a list of x509.DNSName attributes from a list of strings.

    generate_csr(key, cn, san=None)
        Using the provided RSA key object, a string common name, and a list of string subject alternative names, generate and return a csr object.

    generate_key()
        Generate and return a private RSA key object.

    generate_self_signed_certificate(key, cn, validity, san=None)
        Using the provided RSA key, a string common name, a validity (in number of days), and a list of subject alternative names (as strings), generate and return a self-signed certificate object.

    generate_x509_name(cn)
        For the given common name string, generate and return an x509.Name, with attributes configured in the settings.

    Return the PEM encoded CA certificate and certificate chain from the CA ARN.

    get_certificate_from_arn(certificate_arn)
        Get the PEM encoded certificate from the provided ARN.

    get_csr_common_name(csr)
        From the provided csr object, return the string value of the common name attribute.

    get_csr_san(csr)
        From the provided csr object, return a list of the string values of the subject alternative name extension.

    issue_certificate(csr, validity)
        Given a PEM encoded csr, and a validity for the certificate (in number of days), issue a certificate from ACM Private CA, and return the ARN of the issued certificate.

    issue_certificate_with_key(cn, validity, san=None)
        Given the string common name, the validity length of the certificate (in number of days), and a list of subject alternative names, return a dict with the PEM encoded certificate, certificate chain, and private RSA key.
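The CertificateAuthority methods above wrap a standard key, CSR and certificate workflow on top of the cryptography library. The block below is an added example, not Confidant's own code, that implements that workflow directly so the full round trip (generate key, build CSR with SANs, PEM-encode, decode, read back CN and SAN, self-sign for N days) can be inspected. The organization attributes in SUBJECT_ATTRIBUTES stand in for whatever Confidant reads from its settings, the csr_roundtrip helper is an assumed convenience for the demonstration, and issuance through ACM Private CA (issue_certificate) is deliberately not reproduced because it needs AWS.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Assumed stand-in for the subject attributes Confidant takes from settings.
SUBJECT_ATTRIBUTES = [
    (NameOID.ORGANIZATION_NAME, "Example Org"),
    (NameOID.ORGANIZATIONAL_UNIT_NAME, "Example Unit"),
]

def generate_key(key_size=2048):
    """Return a new private RSA key object (2048 bits is the floor for RSA today)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=key_size,
                                    backend=default_backend())

def generate_x509_name(cn):
    """x509.Name for cn plus the configured organization attributes."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    attrs += [x509.NameAttribute(oid, value) for oid, value in SUBJECT_ATTRIBUTES]
    return x509.Name(attrs)

def encode_san_dns_names(san):
    """List of x509.DNSName general names from a list of strings."""
    return [x509.DNSName(name) for name in (san or [])]

def generate_csr(key, cn, san=None):
    """CSR for cn; the signature made with key is the proof of possession a CA checks."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(generate_x509_name(cn))
    if san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(encode_san_dns_names(san)), critical=False)
    return builder.sign(key, hashes.SHA256(), default_backend())

def generate_self_signed_certificate(key, cn, validity, san=None):
    """Certificate for cn with issuer == subject, valid for `validity` days from now."""
    name = generate_x509_name(cn)
    not_before = datetime.now(timezone.utc).replace(microsecond=0)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before)
               .not_valid_after(not_before + timedelta(days=validity)))
    if san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(encode_san_dns_names(san)), critical=False)
    return builder.sign(key, hashes.SHA256(), default_backend())

def encode_csr(csr):
    return csr.public_bytes(serialization.Encoding.PEM).decode("utf-8")

def decode_csr(pem_csr):
    return x509.load_pem_x509_csr(pem_csr.encode("utf-8"), default_backend())

def encode_certificate(cert):
    return cert.public_bytes(serialization.Encoding.PEM).decode("utf-8")

def encode_key(key):
    # Unencrypted PEM: whoever receives this is responsible for protecting it at rest.
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.TraditionalOpenSSL,
                             serialization.NoEncryption()).decode("utf-8")

def get_csr_common_name(csr):
    return csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def get_csr_san(csr):
    """DNS SANs from the CSR; a CSR without the extension yields [] rather than an error."""
    try:
        ext = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)

def csr_roundtrip(cn, san, validity=7):
    """Constructed scenario: generate key and CSR, PEM round-trip the CSR, self-sign,
    and report the fields a CA would inspect before issuing. Nothing leaves the process."""
    key = generate_key()
    csr = decode_csr(encode_csr(generate_csr(key, cn, san)))
    cert = generate_self_signed_certificate(key, cn, validity, san)
    # not_valid_*_utc exist on newer cryptography releases; fall back to the older names.
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    return {
        "cn": get_csr_common_name(csr),
        "san": get_csr_san(csr),
        "csr_signature_valid": csr.is_signature_valid,
        "self_signed": cert.issuer == cert.subject,
        "key_matches": cert.public_key().public_numbers() == key.public_key().public_numbers(),
        "validity_days": (not_after - not_before).days,
        "key_pem_header": encode_key(key).splitlines()[0],
        "cert_pem_header": encode_certificate(cert).splitlines()[0],
    }
```

The values get_csr_common_name and get_csr_san pull out of a decoded CSR are exactly what a CA must check against the requester's authorization before calling issue_certificate: a CSR is self-asserted, so the signature only proves the requester holds the key, not that it is entitled to the names it asks for.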
exception confidant.services.certificatemanager.CertificateAuthorityNotFoundError
    Bases: Exception

class confidant.services.certificatemanager.CertificateCache(cache_size)
    Bases: object

    get(cache_id)
        Get the CachedCertificate for the given cache_id.

    get_cache_id(cn, validity, san)
        Return a unique string from the provided arguments, for use in the certificate cache. The current day is included in the id, to ensure cache invalidation (minimum validity is 1 day).

    lock(cache_id)
        Lock the CachedCertificate for the given cache_id. If the id is not in the cache, create a CachedCertificate for the cache_id, add it to the cache, and lock it.

    release(cache_id)

    set_response(cache_id, response)

class confidant.services.certificatemanager.CertificateCacheNoOp
    Bases: object

    get(cache_id)

    get_cache_id(cn, validity, san)

    lock(cache_id)

    release(cache_id)

    set_response(cache_id, response)

exception confidant.services.certificatemanager.CertificateNotReadyError
    Bases: Exception

confidant.services.certificatemanager.get_ca(ca)

confidant.services.certificatemanager.list_cas()
    Return detailed CA information for all CAs.
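CertificateCache, CachedCertificate and CertificateNotReadyError together describe a small protocol: a request computes a day-scoped cache id, takes the lock for that id while it talks to the CA, stores the response, and releases; a concurrent request that finds the id locked with no response yet is told the certificate is not ready rather than triggering a second issuance. The block below is an added, single-process illustration of that protocol, not Confidant's implementation. The `today` parameter (an ISO date string) and the `issue` callback are assumptions added so the day can be fixed and the CA call replaced; a cache shared between threads or workers would also need a mutex around lock().

```python
from collections import OrderedDict
from datetime import date

class CertificateNotReadyError(Exception):
    """Another caller holds the lock for this id and has not stored a response yet."""

class CachedCertificate:
    def __init__(self, lock=False, response=None):
        self.lock = lock
        self.response = response

class CertificateCache:
    """Bounded LRU cache of issuance responses, keyed by get_cache_id()."""

    def __init__(self, cache_size):
        self.cache_size = cache_size
        self._cache = OrderedDict()

    @staticmethod
    def get_cache_id(cn, validity, san, today=None):
        # `today` is an assumed parameter so the day can be fixed in tests. The date is
        # part of the id, so an entry is never served past the day it was issued on
        # (minimum validity is one day), and SANs are sorted and de-duplicated so
        # argument order does not create distinct entries for the same request.
        day = today or date.today().isoformat()
        return "{}:{}:{}:{}".format(cn, validity, ",".join(sorted(set(san or []))), day)

    def get(self, cache_id):
        item = self._cache.get(cache_id)
        if item is not None:
            self._cache.move_to_end(cache_id)  # mark as most recently used
        return item

    def lock(self, cache_id):
        item = self._cache.get(cache_id)
        if item is None:
            item = CachedCertificate()
            self._cache[cache_id] = item
            while len(self._cache) > self.cache_size:
                self._cache.popitem(last=False)  # evict the least recently used entry
        item.lock = True
        return item

    def release(self, cache_id):
        item = self._cache.get(cache_id)
        if item is not None:
            item.lock = False

    def set_response(self, cache_id, response):
        item = self._cache.get(cache_id)
        if item is not None:
            item.response = response

def get_or_issue(cache, cn, validity, san, issue, today=None):
    """Serve a cached response, or issue while holding the lock. A request that
    arrives while issuance for the same id is in flight gets CertificateNotReadyError
    (the caller retries) instead of causing a second issuance for the same names."""
    cache_id = cache.get_cache_id(cn, validity, san, today)
    item = cache.get(cache_id)
    if item is not None:
        if item.response is not None:
            return item.response
        if item.lock:
            raise CertificateNotReadyError(cache_id)
    cache.lock(cache_id)
    try:  # the lock is released even if the CA call fails, so the next caller can retry
        response = issue(cn, validity, san)
        cache.set_response(cache_id, response)
    finally:
        cache.release(cache_id)
    return response

def demo():
    """Constructed scenario: the same request twice, the next day, and an id whose
    lock is held by another (simulated) worker. Returns what happened for checking."""
    issued = []

    def issue(cn, validity, san):  # stands in for the real call to the CA
        issued.append(cn)
        return {"certificate": "constructed PEM for " + cn}

    cache = CertificateCache(cache_size=2)
    svc, san = "svc.example.internal", ["b.example.internal", "a.example.internal"]
    first = get_or_issue(cache, svc, 7, san, issue, today="2024-01-01")
    second = get_or_issue(cache, svc, 7, list(reversed(san)), issue, today="2024-01-01")
    get_or_issue(cache, svc, 7, san, issue, today="2024-01-02")  # new day, new id
    busy = cache.get_cache_id("other.example.internal", 1, None, today="2024-01-01")
    cache.lock(busy)  # another worker is mid-issuance for this id
    try:
        get_or_issue(cache, "other.example.internal", 1, None, issue, today="2024-01-01")
        not_ready = False
    except CertificateNotReadyError:
        not_ready = True
    cache.release(busy)
    get_or_issue(cache, "other.example.internal", 1, None, issue, today="2024-01-01")
    return {
        "served_from_cache": first is second,
        "issued": issued,
        "not_ready_while_locked": not_ready,
        "first_id_evicted": cache.get(cache.get_cache_id(svc, 7, san, today="2024-01-01")) is None,
    }
```

Because the day is baked into the id, a cached certificate cannot be handed out after the day it was issued on, which is what keeps the cache consistent with the one-day minimum validity; the lock is what prevents a burst of identical requests from each costing an issuance.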
confidant.services.ciphermanager module

class confidant.services.ciphermanager.CipherManager(key, version=2)
    Bases: object

    Class for encrypting and decrypting strings.

        cipher = CipherManager(key)
        encrypted_text = cipher.encrypt('hello world')
        decrypted_text = cipher.decrypt(encrypted_text)

    decrypt(enc)

    encrypt(raw)

exception confidant.services.ciphermanager.CipherManagerError
    Bases: Exception
confidant.services.credentialmanager module

confidant.services.credentialmanager.archive_credentials(credentials, force)

confidant.services.credentialmanager.check_credential_pair_values(credential_pairs)

confidant.services.credentialmanager.get_blind_credentials(credential_ids, metadata_only=False)

confidant.services.credentialmanager.get_credentials(credential_ids)

confidant.services.credentialmanager.get_latest_blind_credential_revision(id, revision)

confidant.services.credentialmanager.get_latest_credential_revision(id, revision)

confidant.services.credentialmanager.get_revision_ids_for_credential(credential)
    For the given credential, return a list of archive credential IDs.

confidant.services.credentialmanager.lowercase_credential_pairs(credential_pairs)

confidant.services.credentialmanager.pair_key_conflicts_for_credentials(credential_ids, blind_credential_ids)
confidant.services.iamrolemanager module

confidant.services.iamrolemanager.get_iam_roles(purge=False)

confidant.services.iamrolemanager.refresh_cache()
confidant.services.jwkmanager module

class confidant.services.jwkmanager.JWKManager
    Bases: object

    get_active_key(environment: str) → Tuple[str, Optional[jwcrypto.jwk.JWK]]

    get_jwks(environment: str, algorithm: str = 'RS256') → List[Dict[str, str]]

    get_jwt(environment: str, payload: dict, expiration_seconds: int = 3600, algorithm: str = 'RS256') → str

    set_key(environment: str, kid: str, private_key: str, passphrase: Optional[str] = None, encoding: str = 'utf-8') → str

class confidant.services.jwkmanager.JwtCache
    Bases: abc.ABC

    abstract get_jwt(kid: str, requester: str, user: str) → str

    abstract set_jwt(kid: str, requester: str, user: str, jwt: str) → None

class confidant.services.jwkmanager.LocalJwtCache
    Bases: confidant.services.jwkmanager.JwtCache

    cache_key(kid: str, requester: str, user: str) → str

    get_jwt(kid: str, requester: str, user: str) → str

    set_jwt(kid: str, requester: str, user: str, jwt: str) → None

class confidant.services.jwkmanager.RedisCache
    Bases: confidant.services.jwkmanager.JwtCache

    cache_key(kid: str, requester: str, user: str) → str

    get_jwt(kid: str, requester: str, user: str) → str

    set_jwt(kid: str, requester: str, user: str, jwt: str) → None
confidant.services.keymanager module

exception confidant.services.keymanager.ServiceCreateGrantError
    Bases: Exception

exception confidant.services.keymanager.ServiceGetGrantError
    Bases: Exception

confidant.services.keymanager.create_datakey(encryption_context)
    Create a datakey from KMS.

confidant.services.keymanager.decrypt_datakey(data_key, encryption_context=None)
    Decrypt a datakey.

confidant.services.keymanager.ensure_grants(service_name)
    Add encryption and decryption grants for the service.

    TODO: We should probably orchestrate this, rather than doing it in confidant.

confidant.services.keymanager.get_grants()

confidant.services.keymanager.get_key_id(key_alias)

confidant.services.keymanager.grants_exist(service_name)
confidant.services.servicemanager module

confidant.services.servicemanager.get_latest_service_revision(id, revision)

confidant.services.servicemanager.get_service_map(services)

confidant.services.servicemanager.get_services_for_blind_credential(_id)

confidant.services.servicemanager.get_services_for_credential(_id)

confidant.services.servicemanager.pair_key_conflicts_for_services(_id, credential_keys, services)

confidant.services.servicemanager.send_service_mapping_graphite_event(new_service, old_service)

confidant.services.webhook module

confidant.services.webhook.send_event(event_type, services, credential_ids)