VaultAPI 0.1.1__py3-none-any.whl

vaultapi/routes.py

@@ -0,0 +1,413 @@
+import logging
+import sqlite3
+from http import HTTPStatus
+from typing import Dict, List
+
+from fastapi import Depends, Request
+from fastapi.responses import RedirectResponse
+from fastapi.routing import APIRoute
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from . import auth, database, exceptions, models, payload, rate_limit, transit
+
+LOGGER = logging.getLogger("uvicorn.default")
+security = HTTPBearer()
+
+
+async def retrieve_secret(key: str, table_name: str) -> str | None:
+    """Retrieve an existing secret from a table in the database.
+
+    Args:
+        key: Name of the secret to retrieve.
+        table_name: Name of the table where the secret is stored.
+
+    Returns:
+        str:
+        Returns the secret value.
+    """
+    try:
+        return database.get_secret(key=key, table_name=table_name)
+    except sqlite3.OperationalError as error:
+        LOGGER.error(error)
+        raise exceptions.APIResponse(
+            status_code=HTTPStatus.BAD_REQUEST.real, detail=error.args[0]
+        )
+
+
+async def retrieve_secrets(table_name: str, keys: List[str] = None) -> Dict[str, str]:
+    """Retrieve multiple secrets from a table or retrieve the table as a whole.
+
+    Args:
+        table_name: Name of the table where the secret is stored.
+        keys: List of keys for which the values have to be retrieved.
+
+    Returns:
+        Dict[str, str]:
+        Returns the key-value pairs for secret key and it's value.
+    """
+    if keys:
+        values = {}
+        for key in keys:
+            if value := await retrieve_secret(key, table_name):
+                values[key] = value
+        return values
+    else:
+        try:
+            return dict(database.get_table(table_name))
+        except sqlite3.OperationalError as error:
+            LOGGER.error(error)
+            raise exceptions.APIResponse(
+                status_code=HTTPStatus.BAD_REQUEST.real, detail=error.args[0]
+            )
+
+
+async def get_secret(
+    request: Request,
+    key: str,
+    table_name: str = "default",
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to retrieve a secret.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        key: Name of the secret to be retrieved.
+        table_name: Name of the table where the secret is stored.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    if value := await retrieve_secret(key, table_name):
+        LOGGER.info("Secret value for '%s' was retrieved", key)
+        decrypted = models.session.fernet.decrypt(value).decode(encoding="UTF-8")
+        raise exceptions.APIResponse(
+            status_code=HTTPStatus.OK.real, detail=transit.encrypt({key: decrypted})
+        )
+    LOGGER.info("Secret value for '%s' NOT found in the datastore", key)
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.NOT_FOUND.real, detail=HTTPStatus.NOT_FOUND.phrase
+    )
+
+
+async def get_secrets(
+    request: Request,
+    keys: str,
+    table_name: str = "default",
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to retrieve multiple secrets at a time.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        key: Comma separated list of secret names to be retrieved.
+        table_name: Name of the table where the secrets are stored.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    # keys = [key.strip() for key in keys.split(",") if key.strip()]
+    keys = list(filter(None, map(str.strip, keys.split(","))))
+    keys_ct = len(keys)
+    try:
+        assert keys_ct >= 1, f"Expected at least one key, received {keys_ct}"
+    except AssertionError as error:
+        LOGGER.error(error)
+        raise exceptions.APIResponse(
+            status_code=HTTPStatus.BAD_REQUEST.real, detail=error.args[0]
+        )
+    if values := await retrieve_secrets(table_name, keys):
+        values_ct = len(values)
+        try:
+            assert (
+                values_ct == keys_ct
+            ), f"Number of keys [{keys_ct}] requested didn't match the number of values [{values_ct}] retrieved."
+            LOGGER.info("Secret value for %d (%s) were retrieved", keys_ct, keys)
+            code = HTTPStatus.OK.real
+        except AssertionError as error:
+            LOGGER.warning(error)
+            code = HTTPStatus.PARTIAL_CONTENT.real
+        decrypted = {
+            key: models.session.fernet.decrypt(value).decode(encoding="UTF-8")
+            for key, value in values.items()
+        }
+        raise exceptions.APIResponse(
+            status_code=code, detail=transit.encrypt(decrypted)
+        )
+    if keys_ct == 1:
+        LOGGER.info("Secret value for '%s' NOT found in the datastore", keys[0])
+    else:
+        LOGGER.info(
+            "Secret values for %d keys %s were NOT found in the datastore",
+            keys_ct,
+            keys,
+        )
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.NOT_FOUND.real, detail=HTTPStatus.NOT_FOUND.phrase
+    )
+
+
+async def list_tables(
+    request: Request,
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to retrieve ALL available tables.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.OK.real, detail=database.list_tables()
+    )
+
+
+async def get_table(
+    request: Request,
+    table_name: str = "default",
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to retrieve ALL the key-value pairs stored in a particular table.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        table_name: Name of the table where the secrets are stored.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    table_content = await retrieve_secrets(table_name)
+    decrypted = {
+        key: models.session.fernet.decrypt(value).decode(encoding="UTF-8")
+        for key, value in table_content.items()
+    }
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.OK.real, detail=transit.encrypt(decrypted)
+    )
+
+
+async def put_secret(
+    request: Request,
+    data: payload.PutSecret,
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to add secrets to database.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        data: Payload with ``key``, ``value``, and ``table_name`` as body.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    if await retrieve_secret(data.key, data.table_name):
+        LOGGER.info("Secret value for '%s' will be overridden", data.key)
+    else:
+        LOGGER.info(
+            "Storing a secret value for '%s' to the table '%s' in the datastore",
+            data.key,
+            data.table_name,
+        )
+    encrypted = models.session.fernet.encrypt(data.value.encode(encoding="UTF-8"))
+    database.put_secret(key=data.key, value=encrypted, table_name=data.table_name)
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.OK.real, detail=HTTPStatus.OK.phrase
+    )
+
+
+async def put_secrets(
+    request: Request,
+    data: payload.PutSecrets,
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to add multiple secrets to a table in the database.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        data: Payload with ``key``, ``value``, and ``table_name`` as body.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    for key, value in data.secrets.items():
+        encrypted = models.session.fernet.encrypt(value.encode(encoding="UTF-8"))
+        database.put_secret(key=key, value=encrypted, table_name=data.table_name)
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.OK.real, detail=HTTPStatus.OK.phrase
+    )
+
+
+async def delete_secret(
+    request: Request,
+    data: payload.DeleteSecret,
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to delete secrets from database.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        data: Payload with ``key`` and ``table_name`` as body.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    if await retrieve_secret(data.key, data.table_name):
+        LOGGER.info("Secret value for '%s' will be removed", data.key)
+    else:
+        LOGGER.warning("Secret value for '%s' NOT found", data.key)
+        raise exceptions.APIResponse(
+            status_code=HTTPStatus.NOT_FOUND.real, detail=HTTPStatus.NOT_FOUND.phrase
+        )
+    database.remove_secret(key=data.key, table_name=data.table_name)
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.OK.real, detail=HTTPStatus.OK.phrase
+    )
+
+
+async def create_table(
+    request: Request,
+    table_name: str,
+    apikey: HTTPAuthorizationCredentials = Depends(security),
+):
+    """**API function to create a new table in the database.**
+
+    **Args:**
+
+        request: Reference to the FastAPI request object.
+        table_name: Name of the table to be created.
+        apikey: API Key to authenticate the request.
+
+    **Raises:**
+
+        APIResponse:
+        Raises the HTTPStatus object with a status code and detail as response.
+    """
+    await auth.validate(request, apikey)
+    try:
+        database.create_table(table_name, ["key", "value"])
+    except sqlite3.OperationalError as error:
+        LOGGER.error(error)
+        raise exceptions.APIResponse(
+            status_code=HTTPStatus.EXPECTATION_FAILED.real, detail=error.args[0]
+        )
+    raise exceptions.APIResponse(
+        status_code=HTTPStatus.OK.real, detail=HTTPStatus.OK.phrase
+    )
+
+
+async def health() -> Dict[str, str]:
+    """Healthcheck endpoint.
+
+    Returns:
+        Dict[str, str]:
+        Returns the health response.
+    """
+    return {"STATUS": "OK"}
+
+
+async def docs() -> RedirectResponse:
+    """Redirect to docs page.
+
+    Returns:
+        RedirectResponse:
+        Redirects the user to ``/docs`` page.
+    """
+    return RedirectResponse("/docs")
+
+
+def get_all_routes() -> List[APIRoute]:
+    """Get all the routes to be added for the API server.
+
+    Returns:
+        List[APIRoute]:
+        Returns the routes as a list of APIRoute objects.
+    """
+    dependencies = [
+        Depends(dependency=rate_limit.RateLimiter(each_rate_limit).init)
+        for each_rate_limit in models.env.rate_limit
+    ]
+    routes = [
+        APIRoute(path="/", endpoint=docs, methods=["GET"], include_in_schema=False),
+        APIRoute(
+            path="/health", endpoint=health, methods=["GET"], include_in_schema=False
+        ),
+        APIRoute(
+            path="/get-secret",
+            endpoint=get_secret,
+            methods=["GET"],
+            dependencies=dependencies,
+        ),
+        APIRoute(
+            path="/get-secrets",
+            endpoint=get_secrets,
+            methods=["GET"],
+            dependencies=dependencies,
+        ),
+        APIRoute(
+            path="/get-table",
+            endpoint=get_table,
+            methods=["GET"],
+            dependencies=dependencies,
+        ),
+        APIRoute(
+            path="/list-tables",
+            endpoint=list_tables,
+            methods=["GET"],
+            dependencies=dependencies,
+        ),
+        APIRoute(
+            path="/put-secret",
+            endpoint=put_secret,
+            methods=["PUT"],
+            dependencies=dependencies,
+        ),
+        APIRoute(
+            path="/delete-secret",
+            endpoint=delete_secret,
+            methods=["DELETE"],
+            dependencies=dependencies,
+        ),
+        APIRoute(
+            path="/create-table",
+            endpoint=create_table,
+            methods=["POST"],
+            dependencies=dependencies,
+        ),
+    ]
+    return routes

vaultapi/server.py

@@ -0,0 +1,20 @@
+import pathlib
+
+import uvicorn
+
+from . import database, models
+
+
+def start() -> None:
+    """Starter function for the API, which uses uvicorn server as trigger."""
+    database.create_table("default", ["key", "value"])
+    module_name = pathlib.Path(__file__)
+    kwargs = dict(
+        host=models.env.host,
+        port=models.env.port,
+        workers=models.env.workers,
+        app=f"{module_name.parent.stem}.api:VaultAPI",
+    )
+    if models.env.log_config:
+        kwargs["log_config"] = models.env.log_config
+    uvicorn.run(**kwargs)

vaultapi/transit.py

@@ -0,0 +1,85 @@
+"""Module that performs transit encryption/decryption.
+
+This allows the server to securely transmit the retrieved secret to be decrypted at the client side using the API key.
+"""
+
+import base64
+import hashlib
+import json
+import secrets
+import time
+from typing import Any, ByteString, Dict
+
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+from . import models
+
+
+def string_to_aes_key(input_string: str, key_length: int) -> ByteString:
+    """Hashes the string.
+
+    Args:
+        input_string: String for which an AES hash has to be generated.
+        key_length: AES key size used during encryption.
+
+    See Also:
+        AES supports three key lengths:
+            - 128 bits (16 bytes)
+            - 192 bits (24 bytes)
+            - 256 bits (32 bytes)
+
+    Returns:
+        str:
+        Return the first 16 bytes for the AES key
+    """
+    hash_object = hashlib.sha256(input_string.encode())
+    return hash_object.digest()[:key_length]
+
+
+def encrypt(payload: Dict[str, Any], url_safe: bool = True) -> ByteString | str:
+    """Encrypt a message using GCM mode with 12 fresh bytes.
+
+    Args:
+        payload: Payload to be encrypted.
+        url_safe: Boolean flag to perform base64 encoding to perform JSON serialization.
+
+    Returns:
+        ByteString | str:
+        Returns the ciphertext as a string or bytes based on the ``url_safe`` flag.
+    """
+    nonce = secrets.token_bytes(12)
+    encoded = json.dumps(payload).encode()
+    epoch = int(time.time()) // models.env.transit_time_bucket
+    aes_key = string_to_aes_key(
+        f"{epoch}.{models.env.apikey}", models.env.transit_key_length
+    )
+    ciphertext = nonce + AESGCM(aes_key).encrypt(nonce, encoded, b"")
+    if url_safe:
+        return base64.b64encode(ciphertext).decode("utf-8")
+    return ciphertext
+
+
+def decrypt(ciphertext: ByteString | str) -> Dict[str, Any]:
+    """Decrypt the ciphertext.
+
+    Raises:
+        Raises ``InvalidTag`` if using wrong key or corrupted ciphertext.
+
+    Returns:
+        Dict[str, Any]:
+        Returns the JSON serialized decrypted payload.
+    """
+    if isinstance(ciphertext, str):
+        ciphertext = base64.b64decode(ciphertext)
+    epoch = int(time.time()) // models.env.transit_time_bucket
+    aes_key = string_to_aes_key(
+        f"{epoch}.{models.env.apikey}", models.env.transit_key_length
+    )
+    decrypted = AESGCM(aes_key).decrypt(ciphertext[:12], ciphertext[12:], b"")
+    return json.loads(decrypted)
+
+
+if __name__ == "__main__":
+    encrypted = encrypt({"key": "value"})
+    b64_encoded = base64.b64encode(encrypted).decode("utf-8")
+    print(decrypt(b64_encoded))

vaultapi/util.py

@@ -0,0 +1,86 @@
+import base64
+import hashlib
+import importlib
+import json
+import logging
+import sqlite3
+import time
+from typing import Any, ByteString, Dict
+
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from dotenv import dotenv_values
+
+from . import database, models
+
+importlib.reload(logging)
+LOGGER = logging.getLogger(__name__)
+LOGGER.setLevel(logging.DEBUG)
+HANDLER = logging.StreamHandler()
+DEFAULT_FORMATTER = logging.Formatter(
+    datefmt="%b-%d-%Y %I:%M:%S %p",
+    fmt="%(asctime)s - %(levelname)s - [%(module)s:%(lineno)d] - %(funcName)s - %(message)s",
+)
+HANDLER.setFormatter(DEFAULT_FORMATTER)
+LOGGER.addHandler(HANDLER)
+
+
+def dotenv_to_table(
+    table_name: str, dotenv_file: str, drop_existing: bool = False
+) -> None:
+    """Store all the env vars from a .env file into the database.
+
+    Args:
+        table_name: Name of the table to store secrets.
+        dotenv_file: Dot env filename.
+        drop_existing: Boolean flag to drop existing table.
+    """
+    if drop_existing and database.table_exists(table_name):
+        LOGGER.info("Dropping table '%s' from '%s'", table_name, models.env.database)
+        database.drop_table(table_name)
+        database.create_table(table_name, ["key", "value"])
+    else:
+        try:
+            if existing := database.get_table(table_name):
+                LOGGER.warning(
+                    "Table '%s' exists already in %s. %d secrets will be overwritten",
+                    table_name,
+                    models.env.database,
+                    len(existing),
+                )
+        except sqlite3.OperationalError as error:
+            if str(error) == f"no such table: {table_name}":
+                LOGGER.info(
+                    "Creating a new table '%s' in '%s'", table_name, models.env.database
+                )
+                database.create_table(table_name, ["key", "value"])
+            else:
+                raise
+    env_vars = dotenv_values(dotenv_file)
+    for key, value in env_vars.items():
+        encrypted = models.session.fernet.encrypt(value.encode(encoding="UTF-8"))
+        database.put_secret(key, encrypted, table_name)
+    LOGGER.info(
+        "%d secrets stored in the table %s, in the database %s.",
+        len(env_vars),
+        table_name,
+        models.env.database,
+    )
+
+
+def transit_decrypt(ciphertext: str | ByteString) -> Dict[str, Any]:
+    """Decrypts the ciphertext into an appropriate payload.
+
+    Args:
+        ciphertext: Encrypted ciphertext.
+
+    Returns:
+        Dict[str, Any]:
+        Returns the decrypted payload.
+    """
+    epoch = int(time.time()) // models.env.transit_time_bucket
+    hash_object = hashlib.sha256(f"{epoch}.{models.env.apikey}".encode())
+    aes_key = hash_object.digest()[: models.env.transit_key_length]
+    if isinstance(ciphertext, str):
+        ciphertext = base64.b64decode(ciphertext)
+    decrypted = AESGCM(aes_key).decrypt(ciphertext[:12], ciphertext[12:], b"")
+    return json.loads(decrypted)

vaultapi/version.py

@@ -0,0 +1 @@
+__version__ = "0.1.1"