Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credstash - Upstream changes #144

Open
wants to merge 50 commits into
base: master
Choose a base branch
from
Open

Credstash - Upstream changes #144

wants to merge 50 commits into from

Conversation

nathan-muir
Copy link
Contributor

@nathan-muir nathan-muir commented Mar 13, 2017
edited
Loading

Hi there,

I started a fork of credstash a few months ago, so I could quickly iterate on a few concepts.

I've been using it in production for a while now, and thought it would be good to contribute back some of the features that were developed.

The main goal for the fork:

  • Allow the KMS & DynamoDB config to persist in a config file; eg. /etc/credsmash.cfg
  • Add support for template interpolation with secret data (see credsmash render-templates)

On the way: (See History.md)

  • Add support for binary data
  • Switch from pycrypto to cryptography & fix a few issues in aes_ctr (already upstreamed in Cryptography - Switch from pycrypto to cryptography #116 )
  • Added support for aes-gcm
  • Converted the CLI from argparse to click
  • Pluggable Key Services
  • Pluggable Storage Services
  • Created a better API for using directly in python

Obviously there was a big departure from the credstash codebase, so I did start work on re-using the argparse implementation with the new internal api's - 3stack-software#4

So there's a lot going on here, it would be great to discuss and see what can be made suitable to upstream.

My biggest fear would be for a change like #136 to cause unnecessary divergence.

@nathan-muir
Initial refactor of credstash => credsmash
a838f19 
The goal was to clean up some of the CLI, and to modularise
the api for calling kms/dynamodb.

This will let us add new features like setting default options
from a configuration file, and writing configuration templates.

Fixes fugue#93 allowing boto3/botocore to configure itself.

Fixes fugue#79 as file input is the default for put/put-many

Closes fugue#88 as `put` only allows for files , so you
 must use `printf`/`echo` to put any value.
@nathan-muir
CLI - Allow options to override configuration file
ed8912d 
Providing `--table-name` or `--key-id` will take
precedence over the `credsmash.cfg`.
@nathan-muir
CLI - Allow encryption-context to be read from configuration file.
f50c662 
Manually adding `--context key value` will only append each key-value pair.
@nathan-muir
Cryptography - Extract encryption scheme into credsmash.aes_ctr
031db4e 
This was necessary so we can add support for other encryption
schemes, and fix-up support for binary files; without breaking
existing stored secrets.
@nathan-muir
Cryptography - Switch from pycrypto to cryptography
2299a05 
Fixes fugue#96

Also, we now expose the `nonce` being used for CTR
mode- see fugue#75. To be resolved in a future update.
@nathan-muir
Cleanup get_secret
4e06ac4
@nathan-muir
Cryptography - Add new aes-ctr mode that supports binary & uses ran…
dc9db5a 
…dom nonces.

Fixes fugue#73 by no longer treating all values as unicode.

Fixes fugue#75 by generating & storing a unique nonce.
@nathan-muir
Cryptography - Add new aes-gcm mode.
7021485 
Also move configuration of encryption to `credsmash.cfg`,
so the `--digest` parameter has been removed from `put`.
@nathan-muir
Update requirements.txt
228d8c8
@nathan-muir
credsmash put - Ensure that unicode is converted to bytes / str
5409d4a
@nathan-muir
Support writing shell & json script templates, directly from `credsma…
63547d3 
…sh` data.

Adds the new `render-template` and `render-templates` commands.
@nathan-muir
Improve setup.py and add deployment configuration to travis-ci
88e124e
@nathan-muir
Add test to show crypto working
1245e0a
@nathan-muir
Travis-CI - Upgrade pip
4cdb88a
@nathan-muir
Bump version: 2.0.0rc.0 → 2.0.0
2348e9d
@nathan-muir
CLI - use stdout for list
881a34d
@nathan-muir
CLI - Autodetect input & output formats where possible (from filename)
1b99568
@nathan-muir
YAML - Use safe_dump to prevent !!python/unicode annotations.
7651966
@nathan-muir
Bring highest_version lookup into put.
a3eb7ee
@nathan-muir
Move seal/open code into credsmash.crypto
c7491fa
@nathan-muir
Allow for alternative key services via the entry point `credsmash.key…
cfc7a2f 
…_service`.
@nathan-muir
Allow for alternative storage services via the entry point `credsmash…
081ae66 
….storage_service`.
@nathan-muir
CLI - credsmash put will only auto-increment a secret if the value …
c7a9fb4 
…has changed.

You can avoid this behaviour by using `--version`, or `--no-compare`.
@nathan-muir
Use entry points to allow additional cli commands to be loaded.
0f26134
@nathan-muir
Bump version: 2.0.0 → 2.1.0
d56796a
@nathan-muir
Ensure render-templates only creates/truncates the "destination" if…
b15a1e8 
… the template renders successfully.
@nathan-muir
Allow render-templates to write binary secrets.
7608380
@nathan-muir
Rename option --data-file to --secrets-file on render-template
f2fda49 
The new naming makes it's purpose clearer.
@nathan-muir
Add option --template-vars to render-template.
d4adced 
You can now have full control over the output of your templates.
@nathan-muir
Templates - Add support for in operator.
e402afb
@davbo
Copy link

davbo commented Mar 22, 2017

@nathan-muir Thanks for flagging up the risk of backward incompatibility from #136.

Let me know if I can contribute anything to your fork to allow for such a change. I'm keen to see some default authenticated data included in credstash, either directly contributed to credstash or by way adding it to your fork.

@nathan-muir
Copy link
Contributor Author

nathan-muir commented Mar 23, 2017
edited
Loading

@davbo Initially I was a little hesitant to rely on another AWS/KMS feature - in favour of supporting AEAD in AES-GCM directly, but after some thought there isn't any substantial reasons to suggest that change.

After a bit of review, I would only suggest the following changes:

  1. Don't use a padded-int for the version field. (In this fork) it is an implementation detail of DynamoDB storage, and the rest of the code sees a regular int.

  2. Rather than using try/except to detect the format of secrets, consider adding an attribute to the object, eg. {"aead": "v1"}/ {"protocol": "2"} which tells us how to properly decode it.

    Relying on exceptions in a specific component becomes hard to refactor later into clean/separate components.

@collisdigital
Copy link

We're looking to use credstash and support for AES-GCM-256 would be very welcome along with some of the other changes from this fork. @alex-luminal this is quite a large PR; is it likely to merge in the near future or would we be better splitting out some specific things (like GCM support) into a smaller PR to get those things in sooner?

@nathan-muir
Remove version constraints from setup.py
aa93d67 
`pip` can behave unexpectedly with some version constraints.
  1. It will abort when constraints aren't satisfiable using the highest version
  2. It will not consider multiple constraints on a single dependency

In general, it is safer to remove constraints from setup.py, and allow
users to ensure install which-ever dependencies work.
@nathan-muir
Bump version: 2.2.2 → 2.2.3
1eb37df
@gene1wood
Copy link
Contributor

@collisdigital I would suspect the new features in this PR would be much more likely to get merged if they were pulled out into their own PRs. If there's a feature in this PR that you'd like to see, breaking it into it's own PR is probably a good path.

@collisdigital
Copy link

@gene1wood thanks, to be honest this has fallen off our radar now as we decided to go with a different solution in the end.

@wayne-luminal
Copy link
Contributor

@nathan-muir Apologies for taking so long to get back to you. Thanks for the awesome work! I'm in the process of reviewing all these PRs and my gameplan for all these PRs is basically to bring everything into an integration branch (assuming it's suitable to merge upstream) and ultimately release a new major version of credstash. I am documenting breaking changes like you correctly pointed out for #136 and intend to provide upgrade instructions.

Overall your PR looks like it's something we can pull most of as it has a few things I intended to do anyway.

This was referenced Oct 31, 2017
Open
Open
@nathan-muir
Fix python3 compatibility issues
b29a909
@nathan-muir
Bump version: 2.2.5 → 2.3.0
ca49f10
@nathan-muir
Move the core/configuration out of the CLI.
efdbee2 
Consolidate api/cli into a single core module.

It's now much easier to load & call credsmash via python.

Core - Perform version/compare before sealing new secret.

DynamoDB - Create separate `get_one` and `get_latest`.

This also removes the `name` & `version` from the ciphertext output,
as it is an implementation detail of how DynamoDB stores data.
@nathan-muir
Update KMS to support Additional Authenticated Data
b232908 
Crypto - Support additional authenticated data on key service
@nathan-muir
Create a credstash command that is compatible with the original CLI
6d26ce3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nathan-muir @davbo @collisdigital @gene1wood @wayne-luminal