174e356214
I recently received a request to add additional features to Pegleg's generate passphrases command. The desire was to support multiple types of secrets:

1. passphrases (24+ characters, including characters from upper, lower, number, symbol).
2. base64 encoded passphrases.
3. UUID4.

The request also asked for an additional flag to prevent Pegleg from regenerating specific passphrases that are sensitive to rotation. Finally, responding to an enhancement request, interactive passphrase generation can now be specified via the command line for all passphrases, or by specifying 'prompt': True for specific passphrases in passphrase-catalog.yaml.

These objectives were completed by:

1. Updating passphrase_catalog.py to support a type field. If a type is not specified, default to existing passphrase generation. If an invalid value is specified, raise an exception.
2. Updating passphrase_catalog.py to support a regenerable field. If the regenerable field is not specified, default to True. If an invalid value is specified, raise an exception. When regenerable is determined, secrets of 'uuid' type always use regenerable=False as they should be one-time values created at time of deployment but not rotated.
3. Updating passphrase_catalog.py to support a prompt field. If the prompt field is not specified, default to False. If an invalid value is specified, raise an exception.
4. Adding appropriate exceptions.
5. Updating passphrase_generator.py to handle the new type checks. UUID will use UUID4, base64 uses the existing logic of generating a random passphrase and base64 encoding it, and existing logic remains for generating a random passphrase.
6. Updating passphrase_generator.py to handle the regenerable field. It checks if a file is present at the expected save path, and if regenerable=False. If both are true, the passphrase is skipped so the passphrase is not overwritten.
7. Updating unit tests to validate the new type checks.

NOTE: # nosec is used in passphrase_generator.py on the 'if passphrase_type == <special type>' statements. These are not a security concern, but do cause Bandit error B105. See documentation for B105 in [0].

Local testing of the generate passphrase command with the following passphrase types:

passphrase_b64       : base64
passphrase_uuid      : uuid
passphrase_specified : passphrase (specified)
passphrase_defaulted : passphrase (defaulted)

Resulted in the following data for each:

passphrase_b64.yaml:data: !!binary | UDI1SGFFZHFlbWhITjBrdGJHZGFWRkp6UlZWdFdVTkQ=
passphrase_uuid.yaml:data: 5ce7c6bc-00d2-4b2c-9222-54891f075656
passphrase_specified.yaml:data: cYTenMYXFHUKn6ppYjx#+Hdx
passphrase_defaulted.yaml:data: 13ryjaM?I@sP#3&YQXuQEik4

[0] https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html

Change-Id: I389316c5194ffa06f3df5114f7ac5f4f2887b319
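The catalog semantics described in the commit message above (type defaulting and validation, regenerable defaulting to True with the forced False for uuid, prompt defaulting to False, and the skip-when-a-file-already-exists check) as an added, self-contained illustration. This is not Pegleg's passphrase_catalog.py or passphrase_generator.py and not the code of this change; the function names (normalize_entry, generate_all, demo), the exception class names, the injectable `ask` callable standing in for the interactive prompt, and the sample catalog entries are all assumptions constructed for the example.

```python
import base64
import os
import secrets
import string
import tempfile
import uuid

# Hypothetical stand-in for the catalog/generator split (not the project's code).
VALID_TYPES = ("passphrase", "base64", "uuid")
SYMBOLS = "!@#$%^&*?+="


class InvalidPassphraseType(ValueError):
    """Raised when 'type' is not one of VALID_TYPES."""


class InvalidRegenerableValue(ValueError):
    """Raised when 'regenerable' is not a boolean."""


class InvalidPromptValue(ValueError):
    """Raised when 'prompt' is not a boolean."""


def normalize_entry(entry):
    """Apply catalog defaults (type='passphrase', regenerable=True, prompt=False),
    reject invalid values, and force regenerable=False for uuid secrets."""
    passphrase_type = entry.get("type", "passphrase")
    if passphrase_type not in VALID_TYPES:
        raise InvalidPassphraseType("unknown passphrase type: %r" % (passphrase_type,))
    regenerable = entry.get("regenerable", True)
    if not isinstance(regenerable, bool):
        raise InvalidRegenerableValue("regenerable must be a boolean: %r" % (regenerable,))
    prompt = entry.get("prompt", False)
    if not isinstance(prompt, bool):
        raise InvalidPromptValue("prompt must be a boolean: %r" % (prompt,))
    if passphrase_type == "uuid":  # nosec - a type name, not a hardcoded password
        regenerable = False  # one-time value created at deployment, never rotated
    return {"name": entry["name"], "type": passphrase_type,
            "regenerable": regenerable, "prompt": prompt}


def random_passphrase(length=24):
    """CSPRNG passphrase of at least 24 chars with every character class present."""
    if length < 24:
        raise ValueError("passphrases must be at least 24 characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def generate_value(passphrase_type):
    """uuid -> uuid4; base64 -> base64 of a random passphrase; else the passphrase."""
    if passphrase_type == "uuid":  # nosec - a type name, not a hardcoded password
        return str(uuid.uuid4())
    passphrase = random_passphrase()
    if passphrase_type == "base64":  # nosec - a type name, not a hardcoded password
        return base64.b64encode(passphrase.encode("utf-8")).decode("ascii")
    return passphrase


def generate_all(catalog, save_dir, prompt_all=False, ask=input):
    """Write <name>.yaml per entry; return name -> 'generated'|'prompted'|'skipped'.
    `ask` is an injectable prompt callable (an assumption, to keep this testable)."""
    results = {}
    for raw in catalog:
        entry = normalize_entry(raw)
        path = os.path.join(save_dir, entry["name"] + ".yaml")
        # Never overwrite a secret that already exists on disk and must not be rotated.
        if os.path.exists(path) and not entry["regenerable"]:
            results[entry["name"]] = "skipped"
            continue
        if prompt_all or entry["prompt"]:
            value, status = ask(entry["name"]), "prompted"
        else:
            value, status = generate_value(entry["type"]), "generated"
        with open(path, "w") as fh:
            fh.write("data: %s\n" % value)
        results[entry["name"]] = status
    return results


# Constructed catalog: the four names from the commit message plus two extra entries.
SAMPLE_CATALOG = [
    {"name": "passphrase_b64", "type": "base64"},
    {"name": "passphrase_uuid", "type": "uuid"},
    {"name": "passphrase_specified", "type": "passphrase"},
    {"name": "passphrase_defaulted"},
    {"name": "passphrase_pinned", "regenerable": False},  # constructed
    {"name": "passphrase_prompted", "prompt": True},      # constructed
]


def demo():
    """Two passes in a scratch directory: the second pass must skip the uuid and
    regenerable=False entries and regenerate (or re-prompt) the rest."""
    def fake_prompt(name):
        return "typed-by-operator-for-" + name
    with tempfile.TemporaryDirectory() as tmp:
        first = generate_all(SAMPLE_CATALOG, tmp, ask=fake_prompt)
        second = generate_all(SAMPLE_CATALOG, tmp, ask=fake_prompt)
    return first, second


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two status maps; the second shows `passphrase_uuid` and `passphrase_pinned` as `skipped` while everything else is regenerated, which is the rotation-safety behaviour the regenerable field is for.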
17 lines
525 B
Plaintext
gitpython==2.1.11
click==6.7
jsonschema==2.6.0
pyyaml==5.1
cryptography==2.3.1
python-dateutil==2.7.3
docker==3.7.2
requests==2.20.0
urllib3==1.24.3
chardet==3.0.4
oslo.utils==3.41.0

# External dependencies
git+https://opendev.org/airship/deckhand.git@134c55805b13b2d3f430a7c0fee840990c55c0aa
git+https://opendev.org/airship/shipyard.git@aeb0c198b196dbc69190299fe98df4137faf0333#egg=shipyard_client&subdirectory=src/bin/shipyard_client
git+https://opendev.org/airship/promenade.git@32a6c15ffd6c283375bfd1cc9ae82f9232a9b501