sovereign 0.24.6__py3-none-any.whl → 0.25.0__py3-none-any.whl

sovereign/__init__.py

@@ -1,27 +1,22 @@
 import os
 from contextvars import ContextVar
-from typing import Type, Any, Mapping
 from importlib.metadata import version
+from typing import Any, Mapping, Type
 
 from fastapi.responses import JSONResponse
-from starlette.templating import Jinja2Templates
 from pydantic.error_wrappers import ValidationError
+from starlette.templating import Jinja2Templates
 
-from sovereign.schemas import (
-    SovereignAsgiConfig,
-    SovereignConfig,
-    SovereignConfigv2,
-)
 from sovereign import config_loader
+from sovereign.context import TemplateContext
 from sovereign.logging.bootstrapper import LoggerBootstrapper
+from sovereign.schemas import SovereignAsgiConfig, SovereignConfig, SovereignConfigv2
+from sovereign.sources import SourcePoller
 from sovereign.statistics import configure_statsd
+from sovereign.utils.crypto.crypto import CipherContainer
 from sovereign.utils.dictupdate import merge  # type: ignore
-from sovereign.sources import SourcePoller
-from sovereign.context import TemplateContext
-from sovereign.utils.crypto import CipherContainer, create_cipher_suite
 from sovereign.utils.resources import get_package_file
 
-
 json_response_class: Type[JSONResponse] = JSONResponse
 try:
     import orjson
@@ -69,6 +64,8 @@ asgi_config = SovereignAsgiConfig()
 XDS_TEMPLATES = config.xds_templates()
 
 logs = LoggerBootstrapper(config)
+application_logger = logs.application_logger.logger
+
 stats = configure_statsd(config=config.statsd)
 poller = SourcePoller(
     sources=config.sources,
@@ -76,17 +73,13 @@ poller = SourcePoller(
     node_match_key=config.matching.node_key,
     source_match_key=config.matching.source_key,
     source_refresh_rate=config.source_config.refresh_rate,
-    logger=logs.application_logger.logger,
+    logger=application_logger,
     stats=stats,
 )
 
-fernet_keys = config.authentication.encryption_key
-encryption_keys = fernet_keys.get_secret_value().encode().split()
-cipher_suite = CipherContainer(
-    [
-        create_cipher_suite(key=key, logger=logs.application_logger.logger)
-        for key in encryption_keys
-    ]
+encryption_configs = config.authentication.encryption_configs
+server_cipher_container = CipherContainer.from_encryption_configs(
+    encryption_configs, logger=application_logger
 )
 
 template_context = TemplateContext(
@@ -96,9 +89,8 @@ template_context = TemplateContext(
     refresh_retry_interval_secs=config.template_context.refresh_retry_interval_secs,
     configured_context=config.template_context.context,
     poller=poller,
-    encryption_suite=cipher_suite,
-    disabled_suite=create_cipher_suite(b"", logs.application_logger.logger),
-    logger=logs.application_logger.logger,
+    encryption_suite=server_cipher_container,
+    logger=application_logger,
     stats=stats,
 )
 poller.lazy_load_modifiers(config.modifiers)

sovereign/configuration.py

@@ -3,17 +3,13 @@ from typing import Any, Mapping
 
 from pydantic.error_wrappers import ValidationError
 
-from sovereign.schemas import (
-    SovereignAsgiConfig,
-    SovereignConfig,
-    SovereignConfigv2,
-)
+from sovereign import config_loader
+from sovereign.context import TemplateContext
 from sovereign.logging.bootstrapper import LoggerBootstrapper
-from sovereign.statistics import configure_statsd
+from sovereign.schemas import SovereignAsgiConfig, SovereignConfig, SovereignConfigv2
 from sovereign.sources import SourcePoller
-from sovereign.context import TemplateContext
-from sovereign.utils.crypto import CipherContainer, create_cipher_suite
-from sovereign import config_loader
+from sovereign.statistics import configure_statsd
+from sovereign.utils.crypto.crypto import CipherContainer
 from sovereign.utils.dictupdate import merge  # type: ignore
 
 
@@ -40,13 +36,10 @@ XDS_TEMPLATES = CONFIG.xds_templates()
 
 LOGS = LoggerBootstrapper(CONFIG)
 STATS = configure_statsd(config=CONFIG.statsd)
-FERNET_KEYS = CONFIG.authentication.encryption_key
-ENCRYPTION_KEYS = FERNET_KEYS.get_secret_value().encode().split()
-CIPHER_SUITE = CipherContainer(
-    [
-        create_cipher_suite(key=key, logger=LOGS.application_logger.logger)
-        for key in ENCRYPTION_KEYS
-    ]
+ENCRYPTION_CONFIGS = CONFIG.authentication.encryption_configs
+CIPHER_CONTAINER = CipherContainer.from_encryption_configs(
+    encryption_configs=ENCRYPTION_CONFIGS,
+    logger=LOGS.application_logger.logger,
 )
 
 POLLER = SourcePoller(
@@ -65,8 +58,7 @@ TEMPLATE_CONTEXT = TemplateContext(
     refresh_retry_interval_secs=CONFIG.template_context.refresh_retry_interval_secs,
     configured_context=CONFIG.template_context.context,
     poller=POLLER,
-    encryption_suite=CIPHER_SUITE,
-    disabled_suite=create_cipher_suite(b"", LOGS.application_logger.logger),
+    encryption_suite=CIPHER_CONTAINER,
     logger=LOGS.application_logger.logger,
     stats=STATS,
 )

sovereign/context.py

@@ -16,9 +16,10 @@ from fastapi import HTTPException
 from structlog.stdlib import BoundLogger
 
 from sovereign.config_loader import Loadable
-from sovereign.schemas import DiscoveryRequest, XdsTemplate
+from sovereign.schemas import DiscoveryRequest, EncryptionConfig, XdsTemplate
 from sovereign.sources import SourcePoller
-from sovereign.utils.crypto import CipherContainer, CipherSuite
+from sovereign.utils.crypto.crypto import CipherContainer
+from sovereign.utils.crypto.suites import EncryptionType
 from sovereign.utils.timer import poll_forever, poll_forever_cron
 
 
@@ -38,7 +39,6 @@ class TemplateContext:
         configured_context: Dict[str, Loadable],
         poller: SourcePoller,
         encryption_suite: Optional[CipherContainer],
-        disabled_suite: CipherSuite,
         logger: BoundLogger,
         stats: Any,
     ) -> None:
@@ -48,8 +48,7 @@ class TemplateContext:
         self.refresh_num_retries = refresh_num_retries
         self.refresh_retry_interval_secs = refresh_retry_interval_secs
         self.configured_context = configured_context
-        self.crypto = encryption_suite
-        self.disabled_suite = disabled_suite
+        self.crypto: CipherContainer | None = encryption_suite
         self.logger = logger
         self.stats = stats
         # initial load
@@ -164,7 +163,10 @@ class TemplateContext:
             node_value=self.poller.extract_node_key(request.node),
         )
         if request.hide_private_keys:
-            ret["crypto"] = self.disabled_suite
+            ret["crypto"] = CipherContainer.from_encryption_configs(
+                encryption_configs=[EncryptionConfig("", EncryptionType.DISABLED)],
+                logger=self.logger,
+            )
         if not template.is_python_source:
             keys_to_remove = self.unused_variables(list(ret), template.jinja_variables)
             for key in keys_to_remove:

sovereign/schemas.py

@@ -1,23 +1,27 @@
-from os import getenv
-import warnings
 import multiprocessing
+import warnings
 from collections import defaultdict
+from dataclasses import dataclass
 from enum import Enum
+from os import getenv
+from types import ModuleType
+from typing import Any, Dict, List, Optional, Tuple, Type, Union
+
+from croniter import CroniterBadCronError, croniter
+from fastapi.responses import JSONResponse
+from jinja2 import Template, meta
 from pydantic import (
     BaseModel,
-    Field,
     BaseSettings,
+    Field,
     SecretStr,
-    validator,
     root_validator,
+    validator,
 )
-from typing import List, Any, Dict, Union, Optional, Tuple, Type
-from types import ModuleType
-from jinja2 import meta, Template
-from fastapi.responses import JSONResponse
-from sovereign.config_loader import jinja_env, Serialization, Protocol, Loadable
+
+from sovereign.config_loader import Loadable, Protocol, Serialization, jinja_env
+from sovereign.utils.crypto.suites import EncryptionType
 from sovereign.utils.version_info import compute_hash
-from croniter import croniter, CroniterBadCronError
 
 missing_arguments = {"missing", "positional", "arguments:"}
 
@@ -494,11 +498,36 @@ class NodeMatching(BaseSettings):
         }
 
 
+@dataclass
+class EncryptionConfig:
+    encryption_key: str
+    encryption_type: EncryptionType
+
+
 class AuthConfiguration(BaseSettings):
     enabled: bool = False
     auth_passwords: SecretStr = SecretStr("")
     encryption_key: SecretStr = SecretStr("")
 
+    @staticmethod
+    def _create_encryption_config(encryption_key_setting: str) -> EncryptionConfig:
+        encryption_key, _, encryption_type_raw = encryption_key_setting.partition(":")
+        if encryption_type_raw:
+            encryption_type = EncryptionType(encryption_type_raw)
+        else:
+            encryption_type = EncryptionType.FERNET
+        return EncryptionConfig(encryption_key, encryption_type)
+
+    @property
+    def encryption_configs(self) -> tuple[EncryptionConfig, ...]:
+        secret_values = self.encryption_key.get_secret_value().split()
+
+        configs = tuple(
+            self._create_encryption_config(encryption_key_setting)
+            for encryption_key_setting in secret_values
+        )
+        return configs
+
     class Config:
         fields = {
             "enabled": {"env": "SOVEREIGN_AUTH_ENABLED"},

sovereign/utils/auth.py

@@ -1,6 +1,7 @@
-from fastapi.exceptions import HTTPException
 from cryptography.fernet import InvalidToken
-from sovereign import config, stats, cipher_suite
+from fastapi.exceptions import HTTPException
+
+from sovereign import config, server_cipher_container, stats
 from sovereign.schemas import DiscoveryRequest
 
 AUTH_ENABLED = config.authentication.enabled
@@ -8,7 +9,7 @@ AUTH_ENABLED = config.authentication.enabled
 
 def validate_authentication_string(s: str) -> bool:
     try:
-        password = cipher_suite.decrypt(s)
+        password = server_cipher_container.decrypt(s)
     except Exception:
         stats.increment("discovery.auth.failed")
         raise
@@ -23,12 +24,10 @@ def validate_authentication_string(s: str) -> bool:
 def authenticate(request: DiscoveryRequest) -> None:
     if not AUTH_ENABLED:
         return
-    if not cipher_suite.key_available:
+    if not server_cipher_container.key_available:
         raise RuntimeError(
-            "No Fernet key loaded, and auth is enabled. "
-            "A fernet key must be provided via SOVEREIGN_ENCRYPTION_KEY. "
-            "See https://vsyrakis.bitbucket.io/sovereign/docs/html/guides/encryption.html "
-            "for more details"
+            "No encryption key loaded, and auth is enabled. "
+            "An encryption key must be provided via SOVEREIGN_ENCRYPTION_KEY. "
         )
     try:
         encrypted_auth = request.node.metadata["auth"]

sovereign/utils/crypto/crypto.py

@@ -0,0 +1,133 @@
+from typing import Literal, Self, Sequence
+
+from cachetools import TTLCache, cached
+from fastapi.exceptions import HTTPException
+from structlog.stdlib import BoundLogger
+from typing_extensions import TypedDict
+
+from sovereign.schemas import EncryptionConfig
+from sovereign.utils.crypto.suites import (
+    AESGCMCipher,
+    CipherSuite,
+    DisabledCipher,
+    EncryptionType,
+    FernetCipher,
+)
+
+
+class EncryptOutput(TypedDict):
+    encrypted_data: str
+    encryption_type: str
+
+
+class DecryptOutput(TypedDict):
+    decrypted_data: str
+    encryption_type: str
+
+
+class CipherContainer:
+    """
+    Object which intercepts encrypt/decryptions
+    Tries to decrypt data using the ciphers provided in order
+    Encrypts with the first suite available.
+    """
+
+    def __init__(self, suites: Sequence[CipherSuite], logger: BoundLogger) -> None:
+        self.suites: Sequence[CipherSuite] = suites
+        self.logger = logger
+
+    def encrypt(self, data: str) -> EncryptOutput:
+        try:
+            # Use the first cipher suite to encrypt the data
+            encrypted_data = self.suites[0].encrypt(data)
+            return {
+                "encrypted_data": encrypted_data,
+                "encryption_type": str(self.suites[0]),
+            }
+        # pylint: disable=broad-except
+        except Exception as e:
+            self.logger.exception(str(e))
+            # TODO: defer this http error to later, return a normal error here
+            raise HTTPException(status_code=400, detail="Encryption failed")
+
+    def decrypt_with_type(self, data: str) -> DecryptOutput:
+        return self._decrypt(data)
+
+    def decrypt(self, data: str) -> str:
+        return self._decrypt(data)["decrypted_data"]
+
+    @cached(cache=TTLCache(maxsize=128, ttl=600))
+    def _decrypt(self, data: str) -> DecryptOutput:
+        try:
+            for suite in self.suites:
+                try:
+                    decrypted_data = suite.decrypt(data)
+                    return {
+                        "decrypted_data": decrypted_data,
+                        "encryption_type": str(suite),
+                    }
+                # pylint: disable=broad-except
+                except Exception as e:
+                    self.logger.exception(str(e))
+                    self.logger.debug(f"Failed to decrypt with suite {suite}")
+            else:
+                raise ValueError("Could not decrypt with any suite")
+        except Exception as e:
+            self.logger.exception(str(e))
+            # TODO: defer this http error to later, return a normal error here
+            raise HTTPException(status_code=400, detail="Decryption failed")
+
+    @property
+    def key_available(self) -> bool:
+        return self.suites[0].key_available
+
+    AVAILABLE_CIPHERS: dict[EncryptionType | Literal["default"], type[CipherSuite]] = {
+        EncryptionType.DISABLED: DisabledCipher,
+        EncryptionType.AESGCM: AESGCMCipher,
+        EncryptionType.FERNET: FernetCipher,
+        "default": FernetCipher,
+    }
+
+    @classmethod
+    def get_cipher_suite(cls, encryption_type: EncryptionType) -> type[CipherSuite]:
+        SelectedCipher = cls.AVAILABLE_CIPHERS.get(
+            encryption_type, cls.AVAILABLE_CIPHERS["default"]
+        )
+        return SelectedCipher
+
+    @classmethod
+    def create_cipher_suite(
+        cls,
+        encryption_type: EncryptionType,
+        key: str,
+        logger: BoundLogger,
+    ) -> CipherSuite:
+        kwargs = {
+            "secret_key": key,
+        }
+        try:
+            SelectedCipher = cls.get_cipher_suite(encryption_type)
+            return SelectedCipher(**kwargs)
+        except TypeError:
+            pass
+        except ValueError as e:
+            if key not in (b"", ""):
+                logger.error(
+                    f"Encryption key was provided, but appears to be invalid: {repr(e)}"
+                )
+        return DisabledCipher(**kwargs)
+
+    @classmethod
+    def from_encryption_configs(
+        cls, encryption_configs: Sequence[EncryptionConfig], logger: BoundLogger
+    ) -> Self:
+        cipher_suites: list[CipherSuite] = []
+        for encryption_config in encryption_configs:
+            cipher_suites.append(
+                cls.create_cipher_suite(
+                    key=encryption_config.encryption_key,
+                    encryption_type=encryption_config.encryption_type,
+                    logger=logger,
+                )
+            )
+        return cls(suites=cipher_suites, logger=logger)

sovereign/utils/crypto/suites/__init__.py

@@ -0,0 +1,21 @@
+from enum import StrEnum
+
+from sovereign.utils.crypto.suites.aes_gcm_cipher import AESGCMCipher
+from sovereign.utils.crypto.suites.base_cipher import CipherSuite
+from sovereign.utils.crypto.suites.disabled_cipher import DisabledCipher
+from sovereign.utils.crypto.suites.fernet_cipher import FernetCipher
+
+
+class EncryptionType(StrEnum):
+    FERNET = "fernet"
+    AESGCM = "aesgcm"
+    DISABLED = "disabled"
+
+
+__all__ = [
+    "AESGCMCipher",
+    "CipherSuite",
+    "DisabledCipher",
+    "FernetCipher",
+    "EncryptionType",
+]

sovereign/utils/crypto/suites/aes_gcm_cipher.py

@@ -0,0 +1,42 @@
+import base64
+import os
+
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+from .base_cipher import CipherSuite
+
+
+class AESGCMCipher(CipherSuite):
+    AUTHENTICATE_DATA = "sovereign".encode()
+    NONCE_LEN = 12
+
+    def __str__(self) -> str:
+        return "aesgcm"
+
+    def __init__(self, secret_key: str):
+        self.secret_key = base64.urlsafe_b64decode(secret_key)
+
+    def encrypt(self, data: str) -> str:
+        aesgcm = AESGCM(self.secret_key)
+        nonce = os.urandom(self.NONCE_LEN)
+        ct = aesgcm.encrypt(nonce, data.encode(), self.AUTHENTICATE_DATA)
+        return base64.b64encode(nonce + ct).decode("utf-8")
+
+    def decrypt(self, data: str) -> str:
+        decoded_data = base64.b64decode(data)
+        nonce, ct = (
+            decoded_data[: self.NONCE_LEN],
+            decoded_data[self.NONCE_LEN :],
+        )
+        aesgcm = AESGCM(self.secret_key)
+        decrypted_output = aesgcm.decrypt(nonce, ct, self.AUTHENTICATE_DATA)
+        return decrypted_output.decode("utf-8")
+
+    @property
+    def key_available(self) -> bool:
+        return True
+
+    @classmethod
+    def generate_key(cls) -> bytes:
+        # Generate 256 bit length key
+        return base64.urlsafe_b64encode(os.urandom(32))

sovereign/utils/crypto/suites/base_cipher.py

@@ -0,0 +1,26 @@
+from abc import ABC, abstractmethod
+from typing import Any
+
+
+class CipherSuite(ABC):
+    @abstractmethod
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        ...
+
+    @abstractmethod
+    def encrypt(self, data: str) -> str:
+        ...
+
+    @abstractmethod
+    def decrypt(self, data: str) -> str:
+        ...
+
+    @property
+    @abstractmethod
+    def key_available(self) -> bool:
+        ...
+
+    @classmethod
+    @abstractmethod
+    def generate_key(cls) -> bytes:
+        ...

sovereign/utils/crypto/suites/disabled_cipher.py

@@ -0,0 +1,25 @@
+from typing import Any
+
+from .base_cipher import CipherSuite
+
+
+class DisabledCipher(CipherSuite):
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        pass
+
+    def __str__(self) -> str:
+        return "disabled"
+
+    def encrypt(self, _: str) -> str:
+        return "Unavailable (No Secret Key)"
+
+    def decrypt(self, _: str) -> str:
+        return "Unavailable (No Secret Key)"
+
+    @property
+    def key_available(self) -> bool:
+        return False
+
+    @classmethod
+    def generate_key(cls) -> bytes:
+        return b"Unavailable (No key to generate)"

sovereign/utils/crypto/suites/fernet_cipher.py

@@ -0,0 +1,29 @@
+import base64
+import os
+
+from cryptography.fernet import Fernet
+
+from .base_cipher import CipherSuite
+
+
+class FernetCipher(CipherSuite):
+    def __str__(self) -> str:
+        return "fernet"
+
+    def __init__(self, secret_key: str):
+        self.fernet = Fernet(secret_key)
+
+    def encrypt(self, data: str) -> str:
+        return self.fernet.encrypt(data.encode()).decode("utf-8")
+
+    def decrypt(self, data: str) -> str:
+        return self.fernet.decrypt(data).decode("utf-8")
+
+    @property
+    def key_available(self) -> bool:
+        return True
+
+    @classmethod
+    def generate_key(cls) -> bytes:
+        # Generate 256 bit length key
+        return base64.urlsafe_b64encode(os.urandom(32))

sovereign/views/crypto.py

@@ -1,31 +1,37 @@
-from typing import Dict
-from pydantic import BaseModel, Field
+from typing import Any, Dict, Optional
+
 from fastapi import APIRouter, Body
 from fastapi.responses import JSONResponse
-from sovereign import json_response_class, cipher_suite
-from sovereign.utils.crypto import generate_key
+from pydantic import BaseModel, Field
+
+from sovereign import json_response_class, logs, server_cipher_container
+from sovereign.schemas import EncryptionConfig
+from sovereign.utils.crypto.crypto import CipherContainer
+from sovereign.utils.crypto.suites import EncryptionType
 
 router = APIRouter()
 
 
 class EncryptionRequest(BaseModel):
     data: str = Field(..., title="Text to be encrypted", min_length=1, max_length=65535)
-    key: str = Field(
+    key: Optional[str] = Field(
         None,
-        title="Optional Fernet encryption key to use to encrypt",
+        title="Optional encryption key to use to encrypt",
         min_length=44,
         max_length=44,
     )
+    encryption_type: str = Field(default="fernet", title="Encryption type to be used")
 
 
 class DecryptionRequest(BaseModel):
     data: str = Field(..., title="Text to be decrypted", min_length=1, max_length=65535)
     key: str = Field(
         ...,
-        title="Fernet encryption key to use to decrypt",
+        title="Encryption key to use to decrypt",
         min_length=44,
         max_length=44,
     )
+    encryption_type: str = Field(default="fernet", title="Encryption type to be used")
 
 
 class DecryptableRequest(BaseModel):
@@ -37,17 +43,37 @@ class DecryptableRequest(BaseModel):
     summary="Decrypt provided encrypted data using a provided key",
     response_class=json_response_class,
 )
-async def _decrypt(request: DecryptionRequest = Body(None)) -> Dict[str, str]:
-    return {"result": cipher_suite.decrypt(request.data, request.key)}
+async def _decrypt(request: DecryptionRequest = Body(None)) -> dict[str, Any]:
+    user_cipher_container = CipherContainer.from_encryption_configs(
+        encryption_configs=[
+            EncryptionConfig(
+                encryption_key=request.key,
+                encryption_type=EncryptionType(request.encryption_type),
+            )
+        ],
+        logger=logs.application_logger.logger,
+    )
+    return {**user_cipher_container.decrypt_with_type(request.data)}
 
 
 @router.post(
     "/encrypt",
-    summary="Encrypt provided data using this servers key",
+    summary="Encrypt provided data using this servers key or provided key",
     response_class=json_response_class,
 )
-async def _encrypt(request: EncryptionRequest = Body(None)) -> Dict[str, str]:
-    return {"result": cipher_suite.encrypt(data=request.data, key=request.key)}
+async def _encrypt(request: EncryptionRequest = Body(None)) -> dict[str, Any]:
+    if request.key:
+        user_cipher_container = CipherContainer.from_encryption_configs(
+            encryption_configs=[
+                EncryptionConfig(
+                    encryption_key=request.key,
+                    encryption_type=EncryptionType(request.encryption_type),
+                )
+            ],
+            logger=logs.application_logger.logger,
+        )
+        return {**user_cipher_container.encrypt(request.data)}
+    return {**server_cipher_container.encrypt(request.data)}
 
 
 @router.post(
@@ -56,7 +82,7 @@ async def _encrypt(request: EncryptionRequest = Body(None)) -> Dict[str, str]:
     response_class=json_response_class,
 )
 async def _decryptable(request: DecryptableRequest = Body(None)) -> JSONResponse:
-    cipher_suite.decrypt(request.data)
+    server_cipher_container.decrypt(request.data)
     return json_response_class({})
 
 
@@ -65,5 +91,9 @@ async def _decryptable(request: DecryptableRequest = Body(None)) -> JSONResponse
     summary="Generate a new asymmetric encryption key",
     response_class=json_response_class,
 )
-def _generate_key() -> Dict[str, str]:
-    return {"result": generate_key()}
+def _generate_key(encryption_type: str = "fernet") -> Dict[str, str]:
+    cipher_suite = CipherContainer.get_cipher_suite(EncryptionType(encryption_type))
+    return {
+        "key": cipher_suite.generate_key().decode(),
+        "encryption_type": encryption_type,
+    }

sovereign/views/discovery.py

@@ -1,17 +1,13 @@
 from typing import Dict
 
 from fastapi import Body, Header
-from fastapi.routing import APIRouter
 from fastapi.responses import Response
+from fastapi.routing import APIRouter
 
-from sovereign import discovery, logs, config
+from sovereign import config, discovery, logs
+from sovereign.schemas import DiscoveryRequest, DiscoveryResponse, ProcessedTemplate
 from sovereign.utils.auth import authenticate
 from sovereign.utils.version_info import compute_hash
-from sovereign.schemas import (
-    DiscoveryRequest,
-    DiscoveryResponse,
-    ProcessedTemplate,
-)
 
 discovery_cache = config.discovery_cache
 
@@ -151,7 +147,7 @@ async def perform_discovery(
             value=template,
             expire=discovery_cache.ttl,
         )
-    return template  # type: ignore[no-any-return]
+    return template
 
 
 def not_modified(headers: Dict[str, str]) -> Response:

{sovereign-0.24.6.dist-info → sovereign-0.25.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sovereign
-Version: 0.24.6
+Version: 0.25.0
 Summary: Envoy Proxy control-plane written in Python
 Home-page: https://pypi.org/project/sovereign/
 License: Apache-2.0
@@ -34,6 +34,7 @@ Requires-Dist: PyYAML (>=6.0.1,<7.0.0)
 Requires-Dist: aiofiles (>=23.2.1,<24.0.0)
 Requires-Dist: boto3 (>=1.28.62,<2.0.0) ; extra == "boto"
 Requires-Dist: cachelib (>=0.10.2,<0.11.0)
+Requires-Dist: cachetools (>=5.3.2,<6.0.0)
 Requires-Dist: cashews[redis] (>=6.3.0,<7.0.0) ; extra == "caching"
 Requires-Dist: croniter (>=1.4.1,<2.0.0)
 Requires-Dist: cryptography (>=41.0.4,<42.0.0)

{sovereign-0.24.6.dist-info → sovereign-0.25.0.dist-info}/RECORD

@@ -1,9 +1,9 @@
-sovereign/__init__.py,sha256=IJscxrxp9cWH85Ee1x_5joMR0b-31l1-sXi6E6wgxOI,3436
+sovereign/__init__.py,sha256=a8bCatvhtIQEw3_gZCdAbzXKP3fwA1AtyPlez-wQvGE,3274
 sovereign/app.py,sha256=uozeEQJjefBUV6dZfIooTBJgDhEE4bd2ozRxWVdVMK4,4085
 sovereign/config_loader.py,sha256=ZLKlyuvJ8Wqhsg6xZI-zp_5ABslB3Tc9zEdpds7-d7Q,6349
-sovereign/configuration.py,sha256=rpZWNgn5ySNO1bdHlUix02yzo3wOefJaWkif5_4HjyE,2665
+sovereign/configuration.py,sha256=thiNe_6x3wR8wc4Jy0aeBlQe3kSsIqpTOIlOoxp5UJg,2497
 sovereign/constants.py,sha256=qdWD1lTvkaW5JGF7TmZhfksQHlRAJFVqbG7v6JQA9k8,46
-sovereign/context.py,sha256=dsKEUK7yrOpXGMY_YzxuaoBDmGXIh0fvtVBoh3Dd8SY,6509
+sovereign/context.py,sha256=gY9q6rjfPaGKJzCM4BavaFHvRlmYR08TkvutK4wM0XA,6675
 sovereign/discovery.py,sha256=TPecAoUDHx6SbS5hE2K73uEgDro0Uzz3qsvOQMpFtGI,5899
 sovereign/error_info.py,sha256=r2KXBYq9Fo7AI2pmIpATWFm0pykr2MqfrKH0WWW5Sfk,1488
 sovereign/logging/access_logger.py,sha256=JMMzQvi7doFJGA__YYqyasdfAT9W31Ycu_oZ2ovAMis,2565
@@ -16,7 +16,7 @@ sovereign/modifiers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSu
 sovereign/modifiers/lib.py,sha256=DbXsxrrjnFE4Y7rbwpeiM5tS5w5NBwSdYH58AtDTP0I,2884
 sovereign/modifiers/test.py,sha256=7_c2hWXn_sYJ6997N1_uSWtClOikcOzu1yRCY56-l-4,361
 sovereign/response_class.py,sha256=beMAFV-4L6DwyWzJzy71GkEW4gb7fzH1jd8-Tul13cU,427
-sovereign/schemas.py,sha256=ylUlHeaLzpsNJnOQCfdcVKt5kaNh0oo8nkDwRuchIWk,27775
+sovereign/schemas.py,sha256=JsL_qL5dMhiAH2FB9UHb9nkRT4sUcT5qwuk129pNm3o,28718
 sovereign/server.py,sha256=z8Uz1UYIZix0S40Srk774WIMDN2jl2SozO8irib0wc4,1402
 sovereign/sources/__init__.py,sha256=g9hEpFk8j5i1ApHQpbc9giTyJW41Ppgsqv5P9zGxOJk,78
 sovereign/sources/file.py,sha256=A4UWoRU39v2Ex5Mtdl_uw53iMkslYylF4CiiwW7LOpk,689
@@ -31,8 +31,14 @@ sovereign/templates/err.html,sha256=a3cEzOqyqWOIe3YxfTEjkxbTfxBxq1knD6GwzEFljfs,
 sovereign/templates/resources.html,sha256=NnrnamWg_vJjY88efsMcjNsldg-K9TZnp6tFS5tkZOU,6366
 sovereign/templates/ul_filter.html,sha256=LrzZv5408Qq5UP4lcHVRwY2G6lXd3IiSNiJn1aH7Yqo,666
 sovereign/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sovereign/utils/auth.py,sha256=9rruWP-Ok8ec9l_MzWY3oUZKI8s7jt0Dmx3kHWnTRgQ,1772
-sovereign/utils/crypto.py,sha256=Xf6eBFOVDy1MWiOAmZTMYllOaSxi_JCGg6dFrceywvg,3465
+sovereign/utils/auth.py,sha256=sQC8eLPWtk0RIXKwwxnYqILUvUCOaEGtGrtdJflat8E,1692
+sovereign/utils/crypto/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sovereign/utils/crypto/crypto.py,sha256=ONfMoFy0pFgS6LqdS85FxPqtDfMUhk3juTXpJxrhTpA,4473
+sovereign/utils/crypto/suites/__init__.py,sha256=smMvNa1VsQ0PvsNj6lnRNh4ktB7dMnas1CqeTOFqgGA,526
+sovereign/utils/crypto/suites/aes_gcm_cipher.py,sha256=Yjfj1LCQDGTzHBjrZR3-koh29L_N34v65kPoIfta0aw,1239
+sovereign/utils/crypto/suites/base_cipher.py,sha256=xJWey-Wy7RFnIH6E3yBSSnn3OAi9PZEZNSJEY9R5ftQ,494
+sovereign/utils/crypto/suites/disabled_cipher.py,sha256=0_vzydVdVIUlX4pYEAMgB_RvHpyZ25uDC4pz1jRJ5wE,573
+sovereign/utils/crypto/suites/fernet_cipher.py,sha256=rP6M5ys1vctyadOxDGNFoyerWPUOunLQdZ2jjS1pxzc,701
 sovereign/utils/dictupdate.py,sha256=JkDjg16u7sW6A_4Q2oX1PY_MtJU7m1VivZWn9VLZ9V8,2559
 sovereign/utils/eds.py,sha256=sCEDj1y-0Crs40cHZLiPGVb7ed1f8vFqgHLY5R2LMbw,4377
 sovereign/utils/entry_point_loader.py,sha256=BEVodk-um70RvT1nSOu_IB-hr1K4ppthXod0VZEiZJ8,526
@@ -44,12 +50,12 @@ sovereign/utils/version_info.py,sha256=vbAiUyz6v3-zSOoS-7HwrvJie729RgIKy0Bt091Z6
 sovereign/utils/weighted_clusters.py,sha256=bPzuRE7Qgvv04HcR2AhMDvBrFlZ8AfteweLKhY9SvWg,1166
 sovereign/views/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 sovereign/views/admin.py,sha256=GtjSipSfLwrvU1axX3pJfJXiSO82e2pkw8izykZNtGA,4306
-sovereign/views/crypto.py,sha256=nxp6bkPU9GZw_zOk0fsJdz_XRQPXxPI6cXQDL9-cigU,2041
-sovereign/views/discovery.py,sha256=DzFfG8fdFHKAZzmWZi9YzFP2PYLCf3tPlEAY3udNyNg,5980
+sovereign/views/crypto.py,sha256=o8NSyiUBy7v1pMOXt_1UBi68FNcGkXSlEVg9C18y8kY,3324
+sovereign/views/discovery.py,sha256=TVvWTMzWydsC-SNKL9WsSss_Hfnt2Ed4SVC2A8Na7Jo,5932
 sovereign/views/healthchecks.py,sha256=_WkMunlrFpqGTLgtNtRr7gCsDCv5kiuYxCyTi-dMEKM,1357
 sovereign/views/interface.py,sha256=Y2fbR26cSF8eKQHfTbnv5WKEdgqaGNwys0lEGUTjXqw,7041
-sovereign-0.24.6.dist-info/LICENSE.txt,sha256=2X125zvAb9AYLjCgdMDQZuufhm0kwcg31A8pGKj_-VY,560
-sovereign-0.24.6.dist-info/METADATA,sha256=g_JPBObGtgSbJgimhZdP_3Q9dS6gKZ_E__KiTcgFSKc,6420
-sovereign-0.24.6.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-sovereign-0.24.6.dist-info/entry_points.txt,sha256=kOn848ucVbNvtsGABDuwzOHmNiOb0Ey8dV85Z3dLv3Y,222
-sovereign-0.24.6.dist-info/RECORD,,
+sovereign-0.25.0.dist-info/LICENSE.txt,sha256=2X125zvAb9AYLjCgdMDQZuufhm0kwcg31A8pGKj_-VY,560
+sovereign-0.25.0.dist-info/METADATA,sha256=vIWzrbn5aJUnPeNtlqJkGvb3bdJBO_f-SDOT07TRjYU,6463
+sovereign-0.25.0.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
+sovereign-0.25.0.dist-info/entry_points.txt,sha256=kOn848ucVbNvtsGABDuwzOHmNiOb0Ey8dV85Z3dLv3Y,222
+sovereign-0.25.0.dist-info/RECORD,,

sovereign/utils/crypto.py

@@ -1,103 +0,0 @@
-from functools import partial
-from collections import namedtuple
-from typing import Optional, List
-from cryptography.fernet import Fernet, InvalidToken
-from fastapi.exceptions import HTTPException
-from structlog.stdlib import BoundLogger
-
-CipherSuite = namedtuple("CipherSuite", "encrypt decrypt key_available")
-
-
-class CipherContainer:
-    """
-    Object which intercepts encrypt/decryptions
-    Tries to decrypt data using the ciphers provided in order
-    Encrypts with the first suite available.
-    """
-
-    def __init__(self, suites: List[CipherSuite]) -> None:
-        self.suites = suites
-
-    def encrypt(self, data: str, key: Optional[str] = None) -> str:
-        if key is not None:
-            return encrypt(Fernet(key.encode()), data)
-        return self.suites[0].encrypt(data)  # type: ignore
-
-    def decrypt(self, data: str, key: Optional[str] = None) -> str:
-        if key is not None:
-            return decrypt(Fernet(key.encode()), data)
-        success = False
-        decrypted = None
-        error = ValueError("Unable to decrypt value, unknown error")
-        for suite in self.suites:
-            try:
-                decrypted = suite.decrypt(data)
-                success = True
-                break
-            except (InvalidToken, AttributeError, HTTPException) as e:
-                error = e  # type: ignore
-                continue
-        if not success:
-            raise error
-        else:
-            return decrypted  # type: ignore
-
-    @property
-    def key_available(self) -> bool:
-        return self.suites[0].key_available  # type: ignore
-
-
-class DisabledSuite:
-    @staticmethod
-    def encrypt(_: bytes) -> bytes:
-        return b"Unavailable (No Secret Key)"
-
-    @staticmethod
-    def decrypt(*_: bytes) -> str:
-        return "Unavailable (No Secret Key)"
-
-
-def create_cipher_suite(key: bytes, logger: BoundLogger) -> CipherSuite:
-    try:
-        fernet = Fernet(key)
-        return CipherSuite(partial(encrypt, fernet), partial(decrypt, fernet), True)
-    except TypeError:
-        pass
-    except ValueError as e:
-        if key not in (b"", ""):
-            logger.error(
-                f"Fernet key was provided, but appears to be invalid: {repr(e)}"
-            )
-    return CipherSuite(DisabledSuite.encrypt, DisabledSuite.decrypt, False)
-
-
-def generate_key() -> str:
-    secret: bytes = Fernet.generate_key()
-    return secret.decode()
-
-
-def encrypt(cipher_suite: Fernet, data: str, key: Optional[str] = None) -> str:
-    _local_cipher_suite = cipher_suite
-    if isinstance(key, str):
-        _local_cipher_suite = Fernet(key.encode())
-    try:
-        encrypted: bytes = _local_cipher_suite.encrypt(data.encode())
-    except (InvalidToken, AttributeError):
-        # TODO: defer this http error to later, return a normal error here
-        raise HTTPException(status_code=400, detail="Encryption failed")
-    return encrypted.decode()
-
-
-def decrypt(cipher_suite: Fernet, data: str, key: Optional[str] = None) -> str:
-    _local_cipher_suite = cipher_suite
-    if key is not None:
-        _local_cipher_suite = Fernet(key.encode())
-    try:
-        decrypted = _local_cipher_suite.decrypt(data.encode())
-    except (InvalidToken, AttributeError):
-        # TODO: defer this http error to later, return a normal error here
-        raise HTTPException(status_code=400, detail="Decryption failed")
-    if isinstance(decrypted, bytes):
-        return decrypted.decode()
-    else:
-        return decrypted