Skip to content

Decrypt oracle #87

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 37 commits into from
Oct 12, 2018
Merged

Decrypt oracle #87

merged 37 commits into from
Oct 12, 2018

Conversation

mattsb42-aws
Copy link
Member

Description of changes:

This provides the initial iteration of the decrypt oracle.

Not addressed in this PR is how we plan to handle CD for this API. I'll tackle that separately.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@mattsb42-aws
initial draft of decrypt oracle
75d177f
@mattsb42-aws
lock chalice environments to Python 3.6
23c558a
@mattsb42-aws
set v0/decrypt to binary content type
2d44a19
@mattsb42-aws
add custom policy for decrypt oracle Lambda
57cf967
@mattsb42-aws
add logging to decrypt oracle
c8fb677
@mattsb42-aws
do not let Chalice generate the IAM policy for the decrypt oracle
23ae278
@mattsb42-aws
move chalice policy to the right location
9a2094e
@mattsb42-aws
add logging permissions to decrypt oracle policy
f9dd0a4
@mattsb42-aws
switch to using the log handler provided in Chalice app
2d655e1
@mattsb42-aws
switch to Chalice response objects that should take care of ther base…
0020b9f 
…64 dance
@mattsb42-aws
convert to using request raw_body
954a34f
@mattsb42-aws
remove old code and add raw body debug logging
7e653cd
@mattsb42-aws
* turn down error response to only include message and not stacktrace
9d54f58 
* add documentation describing the API
@mattsb42-aws
add plaintext decryption logging
68a0f85
@mattsb42-aws
add environment variable controlled debug flag in Chalice decryption …
ba17fd3 
…oracle
@mattsb42-aws
communicate potential binary contents to response logger
2f12ab4
@mattsb42-aws
comments, formatting, and tests
aec5a8f
@mattsb42-aws
add comments for build-requirements
c0d80a6
@mattsb42-aws
add local/integ/generate split testenvs
65055a1
@mattsb42-aws
add missing docstrings for special master keys
79d1093
@mattsb42-aws
add decrypto oracle tests to Travis CI
9eec522
@mattsb42-aws
fix issues with Travis config
85f9710
@mattsb42-aws
fix bash loop fail
9178dc2
@mattsb42-aws
add minimal readme for decrypt oracle
e03c076
@mattsb42-aws
rename from decryption oracle to decrypt oracle
6caffb9
@mattsb42-aws mattsb42-aws requested a review from a team September 27, 2018 01:56
karlw00t
karlw00t reviewed Sep 27, 2018
View reviewed changes
karlw00t
karlw00t reviewed Sep 27, 2018
View reviewed changes
decrypt_oracle/test/integration/integration_test_utils.py
if arn.startswith("arn:") and ":alias/" not in arn:
return arn

raise ValueError("KMS CMK ARN provided for integration tests must be a key not an alias")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we raise a custom exception type here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would that add value? The problem that this exception is identifying is that a user-provided value is incorrect. That seems to me to be the definition of ValueError.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you expect something to catch this exception, then yes. Its cheap to provide a custom exception, and we aren't giving up anything that ValueError provides.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only place this error will manifest is in pytest error logs.

karlw00t
karlw00t reviewed Sep 27, 2018
View reviewed changes
@mattsb42-aws
add license notices
5d590c2
@mattsb42-aws
add path for v0 API to readme
7d47a32
@mattsb42-aws
more missed name conversions
e30e19c
@mattsb42-aws
we only need to care about Python 3.6 for the decrypt oracle
f1011a6 
* remove import safeguards to allow 3.5.0 and 3.5.1 to not fail
* convert from comment-style typehints to inline
SalusaSecondus
SalusaSecondus reviewed Oct 1, 2018
View reviewed changes
Copy link
Contributor

@SalusaSecondus SalusaSecondus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IANAPD

decrypt_oracle/.chalice/policy-dev.json
]
},
{
"Effect": "Deny",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this statement, I think you need to split it into two, because the NotAction and the NotResource are joined by an AND. So the statement as written says "DENY if and only if it is NOT an approved action AND it is NOT an approved resource." That means you won't get an explicit DENY if it is an unapproved action for an approved resource (or vice-versa).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not 100% on the policy combination, but splitting them into two (Action * with NotResource specifics and NotAction specifics with Resource *) made everything fail, including the CloudWatch logging. Reverted back to the (NotAction specifics with NotResource specifics) for now.

@mattsb42-aws mattsb42-aws merged commit 1d0e40d into aws:master Oct 12, 2018
@mattsb42-aws mattsb42-aws deleted the decrypt-oracle branch October 12, 2018 22:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SalusaSecondus SalusaSecondus SalusaSecondus left review comments

@karlw00t karlw00t karlw00t approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mattsb42-aws @karlw00t @SalusaSecondus