confidant.services package¶

Submodules¶

confidant.services.certificatemanager module¶

class confidant.services.certificatemanager.CachedCertificate(lock=False, response=None)¶

Bases: object

property lock¶

property response¶

class confidant.services.certificatemanager.CertificateAuthority(ca)¶

Bases: object

decode_csr(pem_csr)¶: Return a csr object from the pem encoded csr.

encode_certificate(cert)¶: Return the PEM string encoded version of the certificate object.

encode_csr(csr)¶: Return a PEM string encoded version of the csr object.

encode_key(key)¶: Return the PEM encoded version of the provided private RSA key object

encode_san_dns_names(san)¶: Return a list of x509.DNSName attributes from a list of strings.

generate_csr(key, cn, san=None)¶: Using the provided rsa key object, a string common name, and a list of string subject alternative names, generate and return a csr object.

generate_key()¶: Generate and return a private RSA key object

generate_self_signed_certificate(key, cn, validity, san=None)¶: Using the provided rsa key, a string common name, a validity (in number of days), and a list of subject alternative names (as strings), generate and return a signed certificate object.

generate_x509_name(cn)¶: For the given common name string, generate and return an x509.Name, with attributes configured in the settings.

get_certificate_authority_certificate()¶: Return the PEM encoded CA certificate and certificate chain from the CA ARN.

get_certificate_from_arn(certificate_arn)¶: Get the PEM encoded certificate from the provided ARN.

get_csr_common_name(csr)¶: From the provided csr object, return the string value of the common name attribute.

get_csr_san(csr)¶: From the provided csr object, return a list of the string values of the subjust alternative name extension.

issue_certificate(csr, validity)¶: Given a PEM encoded csr, and a validity for the certificate (in number of days), issue a certificate from ACM Private CA, and return the ARN of the issued certificate.

issue_certificate_with_key(cn, validity, san=None)¶: Given the string common name, the validity length of the certificate (in number of days), and a list of subject alternative names, return a dict with the PEM encoded certificate, certificate chain, and private RSA key.

exception confidant.services.certificatemanager.CertificateAuthorityNotFoundError¶: Bases: Exception

class confidant.services.certificatemanager.CertificateCache(cache_size)¶

Bases: object

get(cache_id)¶: Get the CachedCertificate for the given cache_id.

get_cache_id(cn, validity, san)¶: Return a unique string from the provided arguments, for use in the certificate cache. The current day is included in the id, to ensure cache invalidation (minumum validity is 1 day).

lock(cache_id)¶: Lock the CachedCertificate for the given cache_id. If the id is not in the cache, create a CachedCertificate for the cache_id, add it to the cache, and lock it.

release(cache_id)¶

set_response(cache_id, response)¶

class confidant.services.certificatemanager.CertificateCacheNoOp¶

Bases: object

get(cache_id)¶

get_cache_id(cn, validity, san)¶

lock(cache_id)¶

release(cache_id)¶

set_response(cache_id, response)¶

exception confidant.services.certificatemanager.CertificateNotReadyError¶: Bases: Exception

confidant.services.certificatemanager.get_ca(ca)¶

confidant.services.certificatemanager.list_cas()¶: Return detailed CA information for all CAs.

confidant.services.ciphermanager module¶

class confidant.services.ciphermanager.CipherManager(key, version=2)¶

Bases: object

Class for encrypting and decrypting strings.

cipher = CipherManager(key) encrypted_text = cipher.encrypt(‘hello world’) decrypted_text = cipher.decrypt(encrypted_text)

decrypt(enc)¶

encrypt(raw)¶

exception confidant.services.ciphermanager.CipherManagerError¶: Bases: Exception

confidant.services.credentialmanager module¶

confidant.services.credentialmanager.archive_credentials(credentials, force)¶

confidant.services.credentialmanager.check_credential_pair_values(credential_pairs)¶

confidant.services.credentialmanager.get_blind_credentials(credential_ids, metadata_only=False)¶

confidant.services.credentialmanager.get_credentials(credential_ids)¶

confidant.services.credentialmanager.get_latest_blind_credential_revision(id, revision)¶

confidant.services.credentialmanager.get_latest_credential_revision(id, revision)¶

confidant.services.credentialmanager.get_revision_ids_for_credential(credential)¶: For the given credential, return a list of archive credential IDs.

confidant.services.credentialmanager.lowercase_credential_pairs(credential_pairs)¶

confidant.services.credentialmanager.pair_key_conflicts_for_credentials(credential_ids, blind_credential_ids)¶

confidant.services.graphite module¶

confidant.services.graphite.send_event(services, msg)¶

confidant.services.iamrolemanager module¶

confidant.services.iamrolemanager.get_iam_roles(purge=False)¶

confidant.services.iamrolemanager.refresh_cache()¶

confidant.services.jwkmanager module¶

class confidant.services.jwkmanager.JWKManager¶

Bases: object

get_active_key(environment: str) → Tuple[str, Optional[jwcrypto.jwk.JWK]]¶

get_jwks(environment: str, algorithm: str = 'RS256') → List[Dict[str, str]]¶

get_jwt(environment: str, payload: dict, expiration_seconds: int = 3600, algorithm: str = 'RS256') → str¶

set_key(environment: str, kid: str, private_key: str, passphrase: Optional[str] = None, encoding: str = 'utf-8') → str¶

class confidant.services.jwkmanager.JwtCache¶

Bases: abc.ABC

abstract get_jwt(kid: str, requester: str, user: str) → str¶

abstract set_jwt(kid: str, requester: str, user: str, jwt: str) → None¶

class confidant.services.jwkmanager.LocalJwtCache¶

Bases: confidant.services.jwkmanager.JwtCache

cache_key(kid: str, requester: str, user: str) → str¶

get_jwt(kid: str, requester: str, user: str) → str¶

set_jwt(kid: str, requester: str, user: str, jwt: str) → None¶

class confidant.services.jwkmanager.RedisCache¶

Bases: confidant.services.jwkmanager.JwtCache

cache_key(kid: str, requester: str, user: str) → str¶

get_jwt(kid: str, requester: str, user: str) → str¶

set_jwt(kid: str, requester: str, user: str, jwt: str) → None¶

confidant.services.keymanager module¶

exception confidant.services.keymanager.ServiceCreateGrantError¶: Bases: Exception

exception confidant.services.keymanager.ServiceGetGrantError¶: Bases: Exception

confidant.services.keymanager.create_datakey(encryption_context)¶: Create a datakey from KMS.

confidant.services.keymanager.decrypt_datakey(data_key, encryption_context=None)¶: Decrypt a datakey.

confidant.services.keymanager.ensure_grants(service_name)¶

Add encryption and decryption grants for the service.

TODO: We should probably orchestrate this, rather than doing it in: confidant.

confidant.services.keymanager.get_grants()¶

confidant.services.keymanager.get_key_id(key_alias)¶

confidant.services.keymanager.grants_exist(service_name)¶

confidant.services.servicemanager module¶

confidant.services.servicemanager.get_latest_service_revision(id, revision)¶

confidant.services.servicemanager.get_service_map(services)¶

confidant.services.servicemanager.get_services_for_blind_credential(_id)¶

confidant.services.servicemanager.get_services_for_credential(_id)¶

confidant.services.servicemanager.pair_key_conflicts_for_services(_id, credential_keys, services)¶

confidant.services.servicemanager.send_service_mapping_graphite_event(new_service, old_service)¶

confidant.services.webhook module¶

confidant.services.webhook.send_event(event_type, services, credential_ids)¶

confidant.services package¶

Submodules¶

confidant.services.certificatemanager module¶

confidant.services.ciphermanager module¶

confidant.services.credentialmanager module¶

confidant.services.graphite module¶

confidant.services.iamrolemanager module¶

confidant.services.jwkmanager module¶

confidant.services.keymanager module¶

confidant.services.servicemanager module¶

confidant.services.webhook module¶

Module contents¶