Now that zuul-client's encrypt subcommand covers the same
functionalities as encrypt_secret.py, add a deprecation
message when running the script. Document the zuul-client
encrypt command in the doc section about secrets.
Change-Id: Id5437ffbb688cb80b2744db3beeaa28c97080d90
Depends-On: https://review.opendev.org/765313
Trailing whitespace (newlines) in secrets is almost
never what people want, but it's easy to leave them in
and then wind up with hard to debug issues. Switch the
default - make a new option "--no-strip" that will disable
the behavior.
Change-Id: I46947e38807b55e5cc3bacc060f5d41a63b564b8
When the project or tenant is misspelled, an exception is raised
with little information. This change adds an error message to
print the used url.
Change-Id: Ifba7b02204894b41b6d4573c0ac1d40e17bd09b8
Fixes this:
Traceback (most recent call last):
File "zuul/tools/encrypt_secret.py", line 192, in <module>
main()
File "zuul/tools/encrypt_secret.py", line 109, in main
pubkey = urlopen(req, context=ssl_ctx)
When using a file://<path> URL for the project key.
Change-Id: Ide5031eb95fda0d8932e20c178e46ba488ac1783
In case of a non production Zuul deployment this option is handy
as usually such deployments are made with a self-signed certificate.
Change-Id: I063357dba33161bdb721304d89e6051b768a60c8
With OpenSSL, the format of 'openssl rsa -text' has changed a bit, now
the Public-Key is prefixed by RSA.
$ openssl rsa -text -pubin -in foo | head -n1
writing RSA key
RSA Public-Key: (4096 bit)
The change was introduced by this commit:
https://github.com/openssl/openssl/commit/9503ed8#diff-dbf726cfa20d03251a1eb72683972640R316
This patch ensures the bit length is still detected properly.
Change-Id: I1b956b207ac97a1ac700363605414834a81ad16a
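The bit-length detection the commit above talks about comes down to matching one header line that OpenSSL has printed in more than one form. The following is an added example, not code from encrypt_secret.py or from Zuul: a parser that accepts the header with or without the algorithm prefix, plus the OAEP arithmetic that turns the detected key size into the per-operation plaintext limit. The sample outputs are constructed rather than captured from a real openssl run, and the function names are this example's own.

```python
import re

# Constructed samples of the first lines of 'openssl rsa -text -pubin -in <key>'
# (not captured from a real run): the pre-1.1.0 header, the 1.1.x header that
# gained the "RSA " prefix, and the form later releases print again.
SAMPLE_PRE_110 = "Public-Key: (4096 bit)\nModulus:\n    00:b1:..."
SAMPLE_11X = "writing RSA key\nRSA Public-Key: (4096 bit)\nModulus:\n    00:b1:..."
SAMPLE_3X = "Public-Key: (2048 bit)\nModulus:\n    00:c4:..."

# Accept an optional algorithm word before "Public-Key:" so both header forms
# match. Anchoring at line start keeps the "writing RSA key" status line, or a
# stray "Public-Key" substring elsewhere in the dump, from being taken as the
# header.
_KEY_BITS_RE = re.compile(r"^(?:[A-Za-z0-9-]+ )?Public-Key: \((\d+) bit\)[ \t]*$",
                          re.MULTILINE)


def key_bits(openssl_text: str) -> int:
    """Return the key size in bits from 'openssl rsa -text' output, or raise
    ValueError when no header is found (wrong input file, non-RSA key, ...)."""
    match = _KEY_BITS_RE.search(openssl_text)
    if match is None:
        raise ValueError("no 'Public-Key: (N bit)' header in openssl output")
    return int(match.group(1))


def oaep_max_plaintext_bytes(bits: int, hash_len: int = 20) -> int:
    """Largest plaintext one RSA PKCS#1 OAEP operation can carry:
    k - 2*hLen - 2 (RFC 8017 section 7.1.1). With SHA-1 (hLen = 20) and a
    4096-bit key that is 470 bytes, i.e. 3760 bits."""
    k = bits // 8
    limit = k - 2 * hash_len - 2
    if limit <= 0:
        raise ValueError("key too small for OAEP with this hash")
    return limit
```

Failing loudly when the header is absent is deliberate: silently defaulting to a key size would let the tool produce chunks that are too large for the key and only fail at decryption time on the scheduler.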
The existing structure with the API and HTML interleaved makes it hard
to have apache do html offloading for whitelabeled deploys (like
openstack's) where the api and web are served from the same host.
Similarly, the tenant selector in the url for the html content being bare
and not prefixed by anything makes it harder to pull routing information
javascript-side.
Introduce an 'api' prefix to the REST API calls so that we can apply
rewrite rules differently for things starting with /api than things that
don't. Add the word 'tenant' before each tenant subpath.
Also add a '/t/' to the url for the html, so that we have anchors for
routing regexes but the urls don't get too long and unwieldy.
Finally, also add /key as a prefix to the key route for similar reasons.
Change-Id: I0cbbf6f1958e91b5910738da9b4fb4c563d48dd4
When encrypting secrets we use a public key retrieved from zuul. If we
get this key from an unencrypted url a man in the middle attack could
replace this encryption key. To make the user aware of this we should
emit a warning when using untrusted key sources.
Change-Id: I7f26e93d863be710a558e15fa1d086b223f465bf
Sometimes you're storing a password in a file by editing it, but you
want it to be raw without newlines/whitespace/etc. This lets you do
that easily.
Change-Id: Idc961b89a5ec3fb639e70a321b4ea587cf743b9d
Rather than asking users to know the 'source' name in order to
retrieve the project's public key, use the tenant and canonical
project name. The tenant already appears in most web urls, and
the project name should be known to the user.
Change-Id: Icd1269ffdd8879bd177fd452978a2c88b2f1b205
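Several of the commit messages above deal with how the project public key is located and retrieved: building its URL from the tenant and canonical project name under the /api, /tenant and /key route prefixes, warning when the key comes from an unencrypted or local source, allowing self-signed certificates on test deployments, opening file:// URLs, and reporting the URL when a misspelled tenant or project produces an HTTP error. The block below is an added example that ties those together; it is not the code of encrypt_secret.py or zuul-client. The exact key path, the function names and the wording of the warnings are this example's own assumptions.

```python
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request


def key_url(base_url: str, tenant: str, project: str) -> str:
    """Build the project public-key URL from the tenant and the canonical
    project name (which may contain slashes, e.g. 'opendev.org/zuul/zuul').
    The '/api/tenant/<tenant>/key/<project>.pub' path is an assumption of
    this example, put together from the route prefixes described above;
    confirm it against the API documentation of the Zuul in use."""
    return "%s/api/tenant/%s/key/%s.pub" % (
        base_url.rstrip("/"),
        urllib.parse.quote(tenant, safe=""),
        urllib.parse.quote(project, safe="/"))


def key_source_warning(url: str):
    """Return a warning when the key cannot be trusted to have arrived
    unmodified, or None for https. Plain http lets a man in the middle swap
    in their own key, after which the 'secret' is readable by them; file://
    skips transport security entirely and is only as trustworthy as the way
    the file got there."""
    scheme = urllib.parse.urlsplit(url).scheme.lower()
    if scheme == "https":
        return None
    if scheme == "http":
        return ("public key fetched over unencrypted http from %s; a man in "
                "the middle could replace it with their own key. Use https." % url)
    if scheme == "file":
        return ("public key read from local file %s; make sure it was "
                "obtained from a trusted source." % url)
    return "unrecognised URL scheme %r for key source %s" % (scheme, url)


def fetch_public_key(url: str, insecure: bool = False) -> bytes:
    """Retrieve the PEM public key, printing the trust warning first.
    insecure=True disables certificate verification for test deployments
    with self-signed certificates; never use it against production.
    file:// URLs are opened without an SSL context (the traceback above
    ends in a urlopen(..., context=...) call on a file:// URL, and a TLS
    context is meaningless there). HTTP errors are re-raised with the URL
    included, since a 404 here usually means a misspelled tenant or
    project name."""
    warning = key_source_warning(url)
    if warning is not None:
        print("WARNING: " + warning, file=sys.stderr)
    scheme = urllib.parse.urlsplit(url).scheme.lower()
    if scheme == "file":
        with urllib.request.urlopen(url) as resp:
            return resp.read()
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        raise RuntimeError(
            "failed to fetch public key from %s: HTTP %d (check the tenant "
            "and project name)" % (url, err.code)) from err
```

The warning is emitted before the fetch rather than after so that it is still visible when the request itself fails; and the insecure flag only relaxes certificate checks, it does not silence the http warning, because a self-signed https endpoint and a plaintext http endpoint are different risks.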
The format was changed in 1.0. This enables Mac OS's default openssl CLI
tool to work with encrypt_secret.py
Change-Id: Ib5d7a0c5cc6a729bed6fa4a64193444bb48022fb
We have run into a case where we need to store a secret longer
than 3760 bits. We may eventually support a hybrid encryption
scheme, but for now, let's also support the alt.zuul.secrets protocol
where we split the secret into 3760 bit chunks and recombine it.
The encrypt_secret utility is updated to output a copy-pastable
YAML data structure to simplify dealing with long secrets.
Change-Id: Ied372572e5aa29fddfb7043bf07df4cd3e39566c
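The chunked protocol described in the commit above, together with the default trailing-whitespace stripping (and its --no-strip opt-out) from the earlier commits, as an added example that is not the code of encrypt_secret.py or Zuul. The RSA-OAEP step is passed in as a callable so that the chunking and recombination logic is shown on its own and runs without a crypto library; the 470-byte chunk size is the 3760 bits from the commit message, and the `!encrypted/pkcs1-oaep` YAML tag and list layout are assumptions of this example to be checked against the Zuul documentation.

```python
import base64
from typing import Callable, List

# Largest plaintext a single RSA-4096 PKCS#1 OAEP (SHA-1) operation can carry:
# 4096/8 - 2*20 - 2 = 470 bytes = 3760 bits, the chunk size the commit
# message above refers to.
CHUNK_BYTES = 470


def load_secret(raw: bytes, strip: bool = True) -> bytes:
    """Trailing newline/whitespace left by an editor is almost never part of
    the secret, so drop it by default; strip=False is the --no-strip case."""
    return raw.rstrip() if strip else raw


def split_secret(plaintext: bytes, chunk_bytes: int = CHUNK_BYTES) -> List[bytes]:
    """Cut the plaintext into pieces that each fit one RSA operation. The last
    piece may be shorter; an exact multiple produces no empty trailing piece,
    and an empty secret produces no pieces at all."""
    if chunk_bytes <= 0:
        raise ValueError("chunk_bytes must be positive")
    return [plaintext[i:i + chunk_bytes]
            for i in range(0, len(plaintext), chunk_bytes)]


def encrypt_secret(plaintext: bytes,
                   encrypt_chunk: Callable[[bytes], bytes],
                   chunk_bytes: int = CHUNK_BYTES) -> List[str]:
    """Encrypt every chunk on its own and return the ordered list of base64
    ciphertexts. encrypt_chunk is the caller's RSA-OAEP routine (for example
    public_key.encrypt(chunk, OAEP(...)) from the 'cryptography' package);
    it is passed in so the chunking protocol does not depend on a particular
    crypto library and the example runs without one installed."""
    return [base64.b64encode(encrypt_chunk(chunk)).decode("ascii")
            for chunk in split_secret(plaintext, chunk_bytes)]


def decrypt_secret(chunks_b64: List[str],
                   decrypt_chunk: Callable[[bytes], bytes]) -> bytes:
    """Inverse of encrypt_secret: decrypt each chunk in order and join them.
    Order matters; a reordered or dropped chunk silently yields a different
    secret, which is why the YAML keeps the chunks as an ordered list."""
    return b"".join(decrypt_chunk(base64.b64decode(c)) for c in chunks_b64)


def to_yaml(name: str, chunks_b64: List[str], indent: str = "  ") -> str:
    """Render a copy-pastable secret entry. The '!encrypted/pkcs1-oaep' tag
    and list-of-chunks layout are an assumption in this example; check them
    against the secrets documentation of the Zuul version in use."""
    lines = ["%s: !encrypted/pkcs1-oaep" % name]
    lines.extend("%s- %s" % (indent, chunk) for chunk in chunks_b64)
    return "\n".join(lines) + "\n"
```

Each chunk is an independent RSA ciphertext, so splitting does not weaken the encryption of any individual chunk, but it does make the chunk list a structure the scheduler must reassemble exactly; keep the list order intact when pasting the output into a job definition.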
This fixes the encrypt_secret tool for use with python3. This needs
some minor changes to imports, encodings and base64 encoding.
Change-Id: Id29ebedab2115d0d5d47049f2a0412e8c75aa8ef
It exists only for py2/py3 compat. We do not need it any more.
This will explicitly break Zuul v3 for python2, which is different than
simply ceasing to test it and no longer declaring we support it. Since
we're not testing it any longer, it's bound to degrade over time without
us noticing, so hopefully a clean and explicit break will prevent people
from running under python2 and it working for a minute, then breaking
later.
Change-Id: Ia16bb399a2869ab37a183f3f2197275bb3acafee