Add a new feature to enable transit protection

thevickypedia · Sep 19, 2024 · 6b62751 · 6b62751
1 parent 40c3cfc
commit 6b62751
Show file tree

Hide file tree

Showing 17 changed files with 360 additions and 57 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,7 +6,7 @@ venv/
 __pycache__/
 
 build/
-PyNinja.egg-info/
+VaultAPI.egg-info/
 
 doc_gen/_*
 

diff --git a/README.md b/README.md
@@ -57,13 +57,23 @@ vaultapi start
 > _By default, `VaultAPI` will look for a `.env` file in the current working directory._
 </details>
 
-- **HOST** - Hostname for the API server.
-- **PORT** - Port number for the API server.
-- **WORKERS** - Number of workers for the uvicorn server.
+**Mandatory**
 - **APIKEY** - API Key for authentication.
 - **SECRET** - Secret access key to encode/decode the secrets in Datastore.
-- **DATABASE** - FilePath to store the secrets' database.
+
+**Optional (with defaults)**
+- **TRANSIT_KEY_LENGTH** - AES key length for transit encryption. Defaults to `32`
+- **DATABASE** - FilePath to store the secrets' database. Defaults to `secrets.db`
+- **HOST** - Hostname for the API server. Defaults to `0.0.0.0` [OR] `localhost`
+- **PORT** - Port number for the API server. Defaults to `9010`
+- **WORKERS** - Number of workers for the uvicorn server. Defaults to `1`
 - **RATE_LIMIT** - List of dictionaries with `max_requests` and `seconds` to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s
+
+**Optional (without defaults)**
+- **LOG_CONFIG** - FilePath or dictionary of key-value pairs for log config.
+- **ALLOWED_ORIGINS** - Origins that are allowed to retrieve secrets.
+- **ALLOWED_IP_RANGE** - IP range that is allowed to retrieve secrets. _(eg: `10.112.8.10-210`)_
 
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary>

diff --git a/doc_gen/index.rst b/doc_gen/index.rst
@@ -76,6 +76,11 @@ Squire
 
 .. automodule:: vaultapi.squire
 
+Transmitter
+===========
+
+.. automodule:: vaultapi.transit
+
 Util
 ====
 

diff --git a/docs/README.html b/docs/README.html
@@ -92,14 +92,26 @@ <h2>Environment Variables<a class="headerlink" href="#environment-variables" tit
 <summary><strong>Sourcing environment variables from an env file</strong></summary><blockquote>
 <div><p><em>By default, <code class="docutils literal notranslate"><span class="pre">VaultAPI</span></code> will look for a <code class="docutils literal notranslate"><span class="pre">.env</span></code> file in the current working directory.</em></p>
 </div></blockquote>
-</details><ul class="simple">
-<li><p><strong>HOST</strong> - Hostname for the API server.</p></li>
-<li><p><strong>PORT</strong> - Port number for the API server.</p></li>
-<li><p><strong>WORKERS</strong> - Number of workers for the uvicorn server.</p></li>
+</details><p><strong>Mandatory</strong></p>
+<ul class="simple">
 <li><p><strong>APIKEY</strong> - API Key for authentication.</p></li>
 <li><p><strong>SECRET</strong> - Secret access key to encode/decode the secrets in Datastore.</p></li>
-<li><p><strong>DATABASE</strong> - FilePath to store the secrets’ database.</p></li>
-<li><p><strong>RATE_LIMIT</strong> - List of dictionaries with <code class="docutils literal notranslate"><span class="pre">max_requests</span></code> and <code class="docutils literal notranslate"><span class="pre">seconds</span></code> to apply as rate limit.</p></li>
+</ul>
+<p><strong>Optional (with defaults)</strong></p>
+<ul class="simple">
+<li><p><strong>TRANSIT_KEY_LENGTH</strong> - AES key length for transit encryption. Defaults to <code class="docutils literal notranslate"><span class="pre">32</span></code></p></li>
+<li><p><strong>DATABASE</strong> - FilePath to store the secrets’ database. Defaults to <code class="docutils literal notranslate"><span class="pre">secrets.db</span></code></p></li>
+<li><p><strong>HOST</strong> - Hostname for the API server. Defaults to <code class="docutils literal notranslate"><span class="pre">0.0.0.0</span></code> [OR] <code class="docutils literal notranslate"><span class="pre">localhost</span></code></p></li>
+<li><p><strong>PORT</strong> - Port number for the API server. Defaults to <code class="docutils literal notranslate"><span class="pre">9010</span></code></p></li>
+<li><p><strong>WORKERS</strong> - Number of workers for the uvicorn server. Defaults to <code class="docutils literal notranslate"><span class="pre">1</span></code></p></li>
+<li><p><strong>RATE_LIMIT</strong> - List of dictionaries with <code class="docutils literal notranslate"><span class="pre">max_requests</span></code> and <code class="docutils literal notranslate"><span class="pre">seconds</span></code> to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s</p></li>
+</ul>
+<p><strong>Optional (without defaults)</strong></p>
+<ul class="simple">
+<li><p><strong>LOG_CONFIG</strong> - FilePath or dictionary of key-value pairs for log config.</p></li>
+<li><p><strong>ALLOWED_ORIGINS</strong> - Origins that are allowed to retrieve secrets.</p></li>
+<li><p><strong>ALLOWED_IP_RANGE</strong> - IP range that is allowed to retrieve secrets. <em>(eg: <code class="docutils literal notranslate"><span class="pre">10.112.8.10-210</span></code>)</em></p></li>
 </ul>
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary><p>This value will be used to encrypt/decrypt the secrets stored in the database.</p>

diff --git a/docs/README.md b/docs/README.md
@@ -57,13 +57,23 @@ vaultapi start
 > _By default, `VaultAPI` will look for a `.env` file in the current working directory._
 </details>
 
-- **HOST** - Hostname for the API server.
-- **PORT** - Port number for the API server.
-- **WORKERS** - Number of workers for the uvicorn server.
+**Mandatory**
 - **APIKEY** - API Key for authentication.
 - **SECRET** - Secret access key to encode/decode the secrets in Datastore.
-- **DATABASE** - FilePath to store the secrets' database.
+
+**Optional (with defaults)**
+- **TRANSIT_KEY_LENGTH** - AES key length for transit encryption. Defaults to `32`
+- **DATABASE** - FilePath to store the secrets' database. Defaults to `secrets.db`
+- **HOST** - Hostname for the API server. Defaults to `0.0.0.0` [OR] `localhost`
+- **PORT** - Port number for the API server. Defaults to `9010`
+- **WORKERS** - Number of workers for the uvicorn server. Defaults to `1`
 - **RATE_LIMIT** - List of dictionaries with `max_requests` and `seconds` to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s
+
+**Optional (without defaults)**
+- **LOG_CONFIG** - FilePath or dictionary of key-value pairs for log config.
+- **ALLOWED_ORIGINS** - Origins that are allowed to retrieve secrets.
+- **ALLOWED_IP_RANGE** - IP range that is allowed to retrieve secrets. _(eg: `10.112.8.10-210`)_
 
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary>

diff --git a/docs/_sources/README.md.txt b/docs/_sources/README.md.txt
@@ -57,13 +57,23 @@ vaultapi start
 > _By default, `VaultAPI` will look for a `.env` file in the current working directory._
 </details>
 
-- **HOST** - Hostname for the API server.
-- **PORT** - Port number for the API server.
-- **WORKERS** - Number of workers for the uvicorn server.
+**Mandatory**
 - **APIKEY** - API Key for authentication.
 - **SECRET** - Secret access key to encode/decode the secrets in Datastore.
-- **DATABASE** - FilePath to store the secrets' database.
+
+**Optional (with defaults)**
+- **TRANSIT_KEY_LENGTH** - AES key length for transit encryption. Defaults to `32`
+- **DATABASE** - FilePath to store the secrets' database. Defaults to `secrets.db`
+- **HOST** - Hostname for the API server. Defaults to `0.0.0.0` [OR] `localhost`
+- **PORT** - Port number for the API server. Defaults to `9010`
+- **WORKERS** - Number of workers for the uvicorn server. Defaults to `1`
 - **RATE_LIMIT** - List of dictionaries with `max_requests` and `seconds` to apply as rate limit.
+Defaults to 5req/2s [AND] 10req/30s
+
+**Optional (without defaults)**
+- **LOG_CONFIG** - FilePath or dictionary of key-value pairs for log config.
+- **ALLOWED_ORIGINS** - Origins that are allowed to retrieve secrets.
+- **ALLOWED_IP_RANGE** - IP range that is allowed to retrieve secrets. _(eg: `10.112.8.10-210`)_
 
 <details>
 <summary>Auto generate a <code>SECRET</code> value</summary>

diff --git a/docs/_sources/index.rst.txt b/docs/_sources/index.rst.txt
@@ -76,6 +76,11 @@ Squire
 
 .. automodule:: vaultapi.squire
 
+Transmitter
+===========
+
+.. automodule:: vaultapi.transit
+
 Util
 ====
 

diff --git a/docs/genindex.html b/docs/genindex.html
@@ -73,6 +73,8 @@ <h2 id="_">_</h2>
 <h2 id="A">A</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
   <td style="width: 33%; vertical-align: top;"><ul>
+      <li><a href="index.html#vaultapi.models.Session.aes_key">aes_key (vaultapi.models.Session attribute)</a>
+</li>
       <li><a href="index.html#vaultapi.models.EnvConfig.allowed_ip_range">allowed_ip_range (vaultapi.models.EnvConfig attribute)</a>
 </li>
       <li><a href="index.html#vaultapi.models.EnvConfig.allowed_origins">allowed_origins (vaultapi.models.EnvConfig attribute)</a>
@@ -123,10 +125,12 @@ <h2 id="D">D</h2>
         <li><a href="index.html#vaultapi.models.EnvConfig.database">(vaultapi.models.EnvConfig attribute)</a>
 </li>
       </ul></li>
-      <li><a href="index.html#vaultapi.routes.delete_secret">delete_secret() (in module vaultapi.routes)</a>
+      <li><a href="index.html#vaultapi.transit.decrypt">decrypt() (in module vaultapi.transit)</a>
 </li>
   </ul></td>
   <td style="width: 33%; vertical-align: top;"><ul>
+      <li><a href="index.html#vaultapi.routes.delete_secret">delete_secret() (in module vaultapi.routes)</a>
+</li>
       <li><a href="index.html#vaultapi.payload.DeleteSecret">DeleteSecret (class in vaultapi.payload)</a>
 </li>
       <li><a href="index.html#vaultapi.routes.docs">docs() (in module vaultapi.routes)</a>
@@ -142,6 +146,8 @@ <h2 id="E">E</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.main.enable_cors">enable_cors() (in module vaultapi.main)</a>
+</li>
+      <li><a href="index.html#vaultapi.transit.encrypt">encrypt() (in module vaultapi.transit)</a>
 </li>
       <li><a href="index.html#vaultapi.models.env">env (in module vaultapi.models)</a>
 </li>
@@ -270,6 +276,8 @@ <h2 id="M">M</h2>
         <li><a href="index.html#module-vaultapi.routes">vaultapi.routes</a>
 </li>
         <li><a href="index.html#module-vaultapi.squire">vaultapi.squire</a>
+</li>
+        <li><a href="index.html#module-vaultapi.transit">vaultapi.transit</a>
 </li>
         <li><a href="index.html#module-vaultapi.util">vaultapi.util</a>
 </li>
@@ -279,16 +287,6 @@ <h2 id="M">M</h2>
 
 <h2 id="P">P</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
-  <td style="width: 33%; vertical-align: top;"><ul>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_allowed_ip_range">parse_allowed_ip_range() (vaultapi.models.EnvConfig class method)</a>
-</li>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_allowed_origins">parse_allowed_origins() (vaultapi.models.EnvConfig class method)</a>
-</li>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_api_secret">parse_api_secret() (vaultapi.models.EnvConfig class method)</a>
-</li>
-      <li><a href="index.html#vaultapi.models.EnvConfig.parse_apikey">parse_apikey() (vaultapi.models.EnvConfig class method)</a>
-</li>
-  </ul></td>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.models.EnvConfig.port">port (vaultapi.models.EnvConfig attribute)</a>
 </li>
@@ -298,6 +296,8 @@ <h2 id="P">P</h2>
         <li><a href="index.html#vaultapi.routes.put_secret">(in module vaultapi.routes)</a>
 </li>
       </ul></li>
+  </ul></td>
+  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.routes.put_secrets">put_secrets() (in module vaultapi.routes)</a>
 </li>
       <li><a href="index.html#vaultapi.payload.PutSecret">PutSecret (class in vaultapi.payload)</a>
@@ -334,13 +334,15 @@ <h2 id="S">S</h2>
 </li>
       <li><a href="index.html#vaultapi.models.EnvConfig.secret">secret (vaultapi.models.EnvConfig attribute)</a>
 </li>
-  </ul></td>
-  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.models.Session">Session (class in vaultapi.models)</a>
 </li>
+  </ul></td>
+  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.models.Session.Config">Session.Config (class in vaultapi.models)</a>
 </li>
       <li><a href="index.html#vaultapi.main.start">start() (in module vaultapi.main)</a>
+</li>
+      <li><a href="index.html#vaultapi.transit.string_to_aes_key">string_to_aes_key() (in module vaultapi.transit)</a>
 </li>
   </ul></td>
 </tr></table>
@@ -350,21 +352,33 @@ <h2 id="T">T</h2>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.database.table_exists">table_exists() (in module vaultapi.database)</a>
 </li>
-  </ul></td>
-  <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.payload.DeleteSecret.table_name">table_name (vaultapi.payload.DeleteSecret attribute)</a>
 
       <ul>
         <li><a href="index.html#vaultapi.payload.PutSecret.table_name">(vaultapi.payload.PutSecret attribute)</a>
 </li>
       </ul></li>
   </ul></td>
+  <td style="width: 33%; vertical-align: top;"><ul>
+      <li><a href="index.html#vaultapi.util.transit_decrypt">transit_decrypt() (in module vaultapi.util)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.transit_key_length">transit_key_length (vaultapi.models.EnvConfig attribute)</a>
+</li>
+  </ul></td>
 </tr></table>
 
 <h2 id="V">V</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
   <td style="width: 33%; vertical-align: top;"><ul>
       <li><a href="index.html#vaultapi.auth.validate">validate() (in module vaultapi.auth)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_allowed_ip_range">validate_allowed_ip_range() (vaultapi.models.EnvConfig class method)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_allowed_origins">validate_allowed_origins() (vaultapi.models.EnvConfig class method)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_api_secret">validate_api_secret() (vaultapi.models.EnvConfig class method)</a>
+</li>
+      <li><a href="index.html#vaultapi.models.EnvConfig.validate_apikey">validate_apikey() (vaultapi.models.EnvConfig class method)</a>
 </li>
       <li><a href="index.html#vaultapi.payload.PutSecret.value">value (vaultapi.payload.PutSecret attribute)</a>
 </li>
@@ -424,6 +438,13 @@ <h2 id="V">V</h2>
 
       <ul>
         <li><a href="index.html#module-vaultapi.squire">module</a>
+</li>
+      </ul></li>
+      <li>
+    vaultapi.transit
+
+      <ul>
+        <li><a href="index.html#module-vaultapi.transit">module</a>
 </li>
       </ul></li>
       <li>