Browse Source

Serve keys from canonical project name

Rather than asking users to know the 'source' name in order to
retrieve the project's public key, use the tenant and canonical
project name.  The tenant already appears in most web urls, and
the project name should be known to the user.

Change-Id: Icd1269ffdd8879bd177fd452978a2c88b2f1b205
changes/07/504807/5
James E. Blair 4 years ago
committed by Tobias Henkel
parent
commit
3f42c532df
4 changed files with 8 additions and 14 deletions
  1. +2
    -3
      doc/source/user/encryption.rst
  2. +1
    -5
      tools/encrypt_secret.py
  3. +2
    -3
      zuul/rpclistener.py
  4. +3
    -3
      zuul/web/__init__.py

+ 2
- 3
doc/source/user/encryption.rst View File

@ -15,9 +15,8 @@ Each project in Zuul has its own automatically generated RSA keypair
which can be used by anyone to encrypt a secret and only Zuul is able
to decrypt it. Zuul serves each project's public key using its
build-in webserver. They can be fetched at the path
``/keys/<source>/<project>.pub`` where ``<project>`` is the name of a
project and ``<source>`` is the name of that project's connection in
the main Zuul configuration file.
``/<tenant>/<project>.pub`` where ``<project>`` is the canonical name
of a project and ``<tenant>`` is the name of a tenant with that project.
Zuul currently supports one encryption scheme, PKCS#1 with OAEP, which
can not store secrets longer than the 3760 bits (derived from the key


+ 1
- 5
tools/encrypt_secret.py View File

@ -43,10 +43,7 @@ def main():
parser.add_argument('url',
help="The base URL of the zuul server and tenant. "
"E.g., https://zuul.example.com/tenant-name")
# TODO(jeblair,mordred): When projects have canonical names, use that here.
# TODO(jeblair): Throw a fit if SSL is not used.
parser.add_argument('source',
help="The Zuul source of the project.")
parser.add_argument('project',
help="The name of the project.")
parser.add_argument('--infile',
@ -61,8 +58,7 @@ def main():
"to standard output.")
args = parser.parse_args()
req = Request("%s/keys/%s/%s.pub" % (
args.url, args.source, args.project))
req = Request("%s/%s.pub" % (args.url, args.project))
pubkey = urlopen(req)
if args.infile:


+ 2
- 3
zuul/rpclistener.py View File

@ -303,8 +303,7 @@ class RPCListener(object):
def handle_key_get(self, job):
args = json.loads(job.arguments)
source_name, project_name = args.get("source"), args.get("project")
source = self.sched.connections.getSource(source_name)
project = source.getProject(project_name)
tenant = self.sched.abide.tenants.get(args.get("tenant"))
(trusted, project) = tenant.getProject(args.get("project"))
job.sendWorkComplete(
encryption.serialize_rsa_public_key(project.public_key))

+ 3
- 3
zuul/web/__init__.py View File

@ -193,9 +193,9 @@ class GearmanHandler(object):
return web.json_response(json.loads(job.data[0]))
def key_get(self, request):
source = request.match_info["source"]
tenant = request.match_info["tenant"]
project = request.match_info["project"]
job = self.rpc.submitJob('zuul:key_get', {'source': source,
job = self.rpc.submitJob('zuul:key_get', {'tenant': tenant,
'project': project})
return web.Response(body=job.data[0])
@ -375,7 +375,7 @@ class ZuulWeb(object):
('GET', '/{tenant}/status.json', self._handleStatusRequest),
('GET', '/{tenant}/jobs.json', self._handleJobsRequest),
('GET', '/{tenant}/console-stream', self._handleWebsocket),
('GET', '/{source}/{project}.pub', self._handleKeyRequest),
('GET', '/{tenant}/{project}.pub', self._handleKeyRequest),
('GET', '/{tenant}/status.html', self._handleStaticRequest),
('GET', '/{tenant}/jobs.html', self._handleStaticRequest),
('GET', '/{tenant}/stream.html', self._handleStaticRequest),


Loading…
Cancel
Save