sovereign 0.24.6__tar.gz → 0.25.0__tar.gz

{sovereign-0.24.6 → sovereign-0.25.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sovereign
-Version: 0.24.6
+Version: 0.25.0
 Summary: Envoy Proxy control-plane written in Python
 Home-page: https://pypi.org/project/sovereign/
 License: Apache-2.0
@@ -34,6 +34,7 @@ Requires-Dist: PyYAML (>=6.0.1,<7.0.0)
 Requires-Dist: aiofiles (>=23.2.1,<24.0.0)
 Requires-Dist: boto3 (>=1.28.62,<2.0.0) ; extra == "boto"
 Requires-Dist: cachelib (>=0.10.2,<0.11.0)
+Requires-Dist: cachetools (>=5.3.2,<6.0.0)
 Requires-Dist: cashews[redis] (>=6.3.0,<7.0.0) ; extra == "caching"
 Requires-Dist: croniter (>=1.4.1,<2.0.0)
 Requires-Dist: cryptography (>=41.0.4,<42.0.0)

{sovereign-0.24.6 → sovereign-0.25.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "sovereign"
-version = "0.24.6"
+version = "0.25.0"
 description = "Envoy Proxy control-plane written in Python"
 license = "Apache-2.0"
 packages = [
@@ -62,6 +62,7 @@ croniter = "^1.4.1"
 cashews = {extras = ["redis"], version = "^6.3.0", optional = true}
 redis = {version = "<= 5.0.0", optional = true}
 httptools = {version = "^0.6.0", optional = true}
+cachetools = "^5.3.2"
 
 [tool.poetry.extras]
 sentry = ["sentry-sdk"]
@@ -73,7 +74,7 @@ caching = ["cashews"]
 httptools = ["httptools"]
 
 [tool.poetry.group.dev.dependencies]
-pytest = "^6.2.5"
+pytest = "^7.0.0"
 "ruamel.yaml" = "^0.17.32"
 pytest-asyncio = "^0.20.0"
 pytest-mock = "^3.10.0"
@@ -82,10 +83,10 @@ pytest-timeout = "^2.1.0"
 coverage = "^7.3.1"
 invoke = "^2.2.0"
 pylint = "^2.17.6"
-tavern = "^1.24.1"
+tavern = "^2.9.2"
 twine = "^4.0.2"
 poethepoet = "^0.23.0"
-mypy = "^1.5.1"
+mypy = "^1.8.0"
 black = "^23.9.1"
 freezegun = "^1.2.2"
 moto = "^4.2.4"
@@ -98,6 +99,7 @@ types-PyYAML = "^6.0.12.12"
 pylama = "^8.4.1"
 prospector = "^1.10.2"
 toml = "^0.10.2"
+types-cachetools = "^5.3.0.7"
 
 [tool.poe.tasks]
 types       = { cmd = "mypy src/sovereign --ignore-missing-imports", help = "Check types with mypy" }

{sovereign-0.24.6 → sovereign-0.25.0}/src/sovereign/__init__.py

@@ -1,27 +1,22 @@
 import os
 from contextvars import ContextVar
-from typing import Type, Any, Mapping
 from importlib.metadata import version
+from typing import Any, Mapping, Type
 
 from fastapi.responses import JSONResponse
-from starlette.templating import Jinja2Templates
 from pydantic.error_wrappers import ValidationError
+from starlette.templating import Jinja2Templates
 
-from sovereign.schemas import (
-    SovereignAsgiConfig,
-    SovereignConfig,
-    SovereignConfigv2,
-)
 from sovereign import config_loader
+from sovereign.context import TemplateContext
 from sovereign.logging.bootstrapper import LoggerBootstrapper
+from sovereign.schemas import SovereignAsgiConfig, SovereignConfig, SovereignConfigv2
+from sovereign.sources import SourcePoller
 from sovereign.statistics import configure_statsd
+from sovereign.utils.crypto.crypto import CipherContainer
 from sovereign.utils.dictupdate import merge  # type: ignore
-from sovereign.sources import SourcePoller
-from sovereign.context import TemplateContext
-from sovereign.utils.crypto import CipherContainer, create_cipher_suite
 from sovereign.utils.resources import get_package_file
 
-
 json_response_class: Type[JSONResponse] = JSONResponse
 try:
     import orjson
@@ -69,6 +64,8 @@ asgi_config = SovereignAsgiConfig()
 XDS_TEMPLATES = config.xds_templates()
 
 logs = LoggerBootstrapper(config)
+application_logger = logs.application_logger.logger
+
 stats = configure_statsd(config=config.statsd)
 poller = SourcePoller(
     sources=config.sources,
@@ -76,17 +73,13 @@ poller = SourcePoller(
     node_match_key=config.matching.node_key,
     source_match_key=config.matching.source_key,
     source_refresh_rate=config.source_config.refresh_rate,
-    logger=logs.application_logger.logger,
+    logger=application_logger,
     stats=stats,
 )
 
-fernet_keys = config.authentication.encryption_key
-encryption_keys = fernet_keys.get_secret_value().encode().split()
-cipher_suite = CipherContainer(
-    [
-        create_cipher_suite(key=key, logger=logs.application_logger.logger)
-        for key in encryption_keys
-    ]
+encryption_configs = config.authentication.encryption_configs
+server_cipher_container = CipherContainer.from_encryption_configs(
+    encryption_configs, logger=application_logger
 )
 
 template_context = TemplateContext(
@@ -96,9 +89,8 @@ template_context = TemplateContext(
     refresh_retry_interval_secs=config.template_context.refresh_retry_interval_secs,
     configured_context=config.template_context.context,
     poller=poller,
-    encryption_suite=cipher_suite,
-    disabled_suite=create_cipher_suite(b"", logs.application_logger.logger),
-    logger=logs.application_logger.logger,
+    encryption_suite=server_cipher_container,
+    logger=application_logger,
     stats=stats,
 )
 poller.lazy_load_modifiers(config.modifiers)

{sovereign-0.24.6 → sovereign-0.25.0}/src/sovereign/configuration.py

@@ -3,17 +3,13 @@ from typing import Any, Mapping
 
 from pydantic.error_wrappers import ValidationError
 
-from sovereign.schemas import (
-    SovereignAsgiConfig,
-    SovereignConfig,
-    SovereignConfigv2,
-)
+from sovereign import config_loader
+from sovereign.context import TemplateContext
 from sovereign.logging.bootstrapper import LoggerBootstrapper
-from sovereign.statistics import configure_statsd
+from sovereign.schemas import SovereignAsgiConfig, SovereignConfig, SovereignConfigv2
 from sovereign.sources import SourcePoller
-from sovereign.context import TemplateContext
-from sovereign.utils.crypto import CipherContainer, create_cipher_suite
-from sovereign import config_loader
+from sovereign.statistics import configure_statsd
+from sovereign.utils.crypto.crypto import CipherContainer
 from sovereign.utils.dictupdate import merge  # type: ignore
 
 
@@ -40,13 +36,10 @@ XDS_TEMPLATES = CONFIG.xds_templates()
 
 LOGS = LoggerBootstrapper(CONFIG)
 STATS = configure_statsd(config=CONFIG.statsd)
-FERNET_KEYS = CONFIG.authentication.encryption_key
-ENCRYPTION_KEYS = FERNET_KEYS.get_secret_value().encode().split()
-CIPHER_SUITE = CipherContainer(
-    [
-        create_cipher_suite(key=key, logger=LOGS.application_logger.logger)
-        for key in ENCRYPTION_KEYS
-    ]
+ENCRYPTION_CONFIGS = CONFIG.authentication.encryption_configs
+CIPHER_CONTAINER = CipherContainer.from_encryption_configs(
+    encryption_configs=ENCRYPTION_CONFIGS,
+    logger=LOGS.application_logger.logger,
 )
 
 POLLER = SourcePoller(
@@ -65,8 +58,7 @@ TEMPLATE_CONTEXT = TemplateContext(
     refresh_retry_interval_secs=CONFIG.template_context.refresh_retry_interval_secs,
     configured_context=CONFIG.template_context.context,
     poller=POLLER,
-    encryption_suite=CIPHER_SUITE,
-    disabled_suite=create_cipher_suite(b"", LOGS.application_logger.logger),
+    encryption_suite=CIPHER_CONTAINER,
     logger=LOGS.application_logger.logger,
     stats=STATS,
 )

{sovereign-0.24.6 → sovereign-0.25.0}/src/sovereign/context.py

@@ -16,9 +16,10 @@ from fastapi import HTTPException
 from structlog.stdlib import BoundLogger
 
 from sovereign.config_loader import Loadable
-from sovereign.schemas import DiscoveryRequest, XdsTemplate
+from sovereign.schemas import DiscoveryRequest, EncryptionConfig, XdsTemplate
 from sovereign.sources import SourcePoller
-from sovereign.utils.crypto import CipherContainer, CipherSuite
+from sovereign.utils.crypto.crypto import CipherContainer
+from sovereign.utils.crypto.suites import EncryptionType
 from sovereign.utils.timer import poll_forever, poll_forever_cron
 
 
@@ -38,7 +39,6 @@ class TemplateContext:
         configured_context: Dict[str, Loadable],
         poller: SourcePoller,
         encryption_suite: Optional[CipherContainer],
-        disabled_suite: CipherSuite,
         logger: BoundLogger,
         stats: Any,
     ) -> None:
@@ -48,8 +48,7 @@ class TemplateContext:
         self.refresh_num_retries = refresh_num_retries
         self.refresh_retry_interval_secs = refresh_retry_interval_secs
         self.configured_context = configured_context
-        self.crypto = encryption_suite
-        self.disabled_suite = disabled_suite
+        self.crypto: CipherContainer | None = encryption_suite
         self.logger = logger
         self.stats = stats
         # initial load
@@ -164,7 +163,10 @@ class TemplateContext:
             node_value=self.poller.extract_node_key(request.node),
         )
         if request.hide_private_keys:
-            ret["crypto"] = self.disabled_suite
+            ret["crypto"] = CipherContainer.from_encryption_configs(
+                encryption_configs=[EncryptionConfig("", EncryptionType.DISABLED)],
+                logger=self.logger,
+            )
         if not template.is_python_source:
             keys_to_remove = self.unused_variables(list(ret), template.jinja_variables)
             for key in keys_to_remove:

{sovereign-0.24.6 → sovereign-0.25.0}/src/sovereign/schemas.py

@@ -1,23 +1,27 @@
-from os import getenv
-import warnings
 import multiprocessing
+import warnings
 from collections import defaultdict
+from dataclasses import dataclass
 from enum import Enum
+from os import getenv
+from types import ModuleType
+from typing import Any, Dict, List, Optional, Tuple, Type, Union
+
+from croniter import CroniterBadCronError, croniter
+from fastapi.responses import JSONResponse
+from jinja2 import Template, meta
 from pydantic import (
     BaseModel,
-    Field,
     BaseSettings,
+    Field,
     SecretStr,
-    validator,
     root_validator,
+    validator,
 )
-from typing import List, Any, Dict, Union, Optional, Tuple, Type
-from types import ModuleType
-from jinja2 import meta, Template
-from fastapi.responses import JSONResponse
-from sovereign.config_loader import jinja_env, Serialization, Protocol, Loadable
+
+from sovereign.config_loader import Loadable, Protocol, Serialization, jinja_env
+from sovereign.utils.crypto.suites import EncryptionType
 from sovereign.utils.version_info import compute_hash
-from croniter import croniter, CroniterBadCronError
 
 missing_arguments = {"missing", "positional", "arguments:"}
 
@@ -494,11 +498,36 @@ class NodeMatching(BaseSettings):
         }
 
 
+@dataclass
+class EncryptionConfig:
+    encryption_key: str
+    encryption_type: EncryptionType
+
+
 class AuthConfiguration(BaseSettings):
     enabled: bool = False
     auth_passwords: SecretStr = SecretStr("")
     encryption_key: SecretStr = SecretStr("")
 
+    @staticmethod
+    def _create_encryption_config(encryption_key_setting: str) -> EncryptionConfig:
+        encryption_key, _, encryption_type_raw = encryption_key_setting.partition(":")
+        if encryption_type_raw:
+            encryption_type = EncryptionType(encryption_type_raw)
+        else:
+            encryption_type = EncryptionType.FERNET
+        return EncryptionConfig(encryption_key, encryption_type)
+
+    @property
+    def encryption_configs(self) -> tuple[EncryptionConfig, ...]:
+        secret_values = self.encryption_key.get_secret_value().split()
+
+        configs = tuple(
+            self._create_encryption_config(encryption_key_setting)
+            for encryption_key_setting in secret_values
+        )
+        return configs
+
     class Config:
         fields = {
             "enabled": {"env": "SOVEREIGN_AUTH_ENABLED"},

{sovereign-0.24.6 → sovereign-0.25.0}/src/sovereign/utils/auth.py

@@ -1,6 +1,7 @@
-from fastapi.exceptions import HTTPException
 from cryptography.fernet import InvalidToken
-from sovereign import config, stats, cipher_suite
+from fastapi.exceptions import HTTPException
+
+from sovereign import config, server_cipher_container, stats
 from sovereign.schemas import DiscoveryRequest
 
 AUTH_ENABLED = config.authentication.enabled
@@ -8,7 +9,7 @@ AUTH_ENABLED = config.authentication.enabled
 
 def validate_authentication_string(s: str) -> bool:
     try:
-        password = cipher_suite.decrypt(s)
+        password = server_cipher_container.decrypt(s)
     except Exception:
         stats.increment("discovery.auth.failed")
         raise
@@ -23,12 +24,10 @@ def validate_authentication_string(s: str) -> bool:
 def authenticate(request: DiscoveryRequest) -> None:
     if not AUTH_ENABLED:
         return
-    if not cipher_suite.key_available:
+    if not server_cipher_container.key_available:
         raise RuntimeError(
-            "No Fernet key loaded, and auth is enabled. "
-            "A fernet key must be provided via SOVEREIGN_ENCRYPTION_KEY. "
-            "See https://vsyrakis.bitbucket.io/sovereign/docs/html/guides/encryption.html "
-            "for more details"
+            "No encryption key loaded, and auth is enabled. "
+            "An encryption key must be provided via SOVEREIGN_ENCRYPTION_KEY. "
         )
     try:
         encrypted_auth = request.node.metadata["auth"]

sovereign-0.25.0/src/sovereign/utils/crypto/crypto.py

@@ -0,0 +1,133 @@
+from typing import Literal, Self, Sequence
+
+from cachetools import TTLCache, cached
+from fastapi.exceptions import HTTPException
+from structlog.stdlib import BoundLogger
+from typing_extensions import TypedDict
+
+from sovereign.schemas import EncryptionConfig
+from sovereign.utils.crypto.suites import (
+    AESGCMCipher,
+    CipherSuite,
+    DisabledCipher,
+    EncryptionType,
+    FernetCipher,
+)
+
+
+class EncryptOutput(TypedDict):
+    encrypted_data: str
+    encryption_type: str
+
+
+class DecryptOutput(TypedDict):
+    decrypted_data: str
+    encryption_type: str
+
+
+class CipherContainer:
+    """
+    Object which intercepts encrypt/decryptions
+    Tries to decrypt data using the ciphers provided in order
+    Encrypts with the first suite available.
+    """
+
+    def __init__(self, suites: Sequence[CipherSuite], logger: BoundLogger) -> None:
+        self.suites: Sequence[CipherSuite] = suites
+        self.logger = logger
+
+    def encrypt(self, data: str) -> EncryptOutput:
+        try:
+            # Use the first cipher suite to encrypt the data
+            encrypted_data = self.suites[0].encrypt(data)
+            return {
+                "encrypted_data": encrypted_data,
+                "encryption_type": str(self.suites[0]),
+            }
+        # pylint: disable=broad-except
+        except Exception as e:
+            self.logger.exception(str(e))
+            # TODO: defer this http error to later, return a normal error here
+            raise HTTPException(status_code=400, detail="Encryption failed")
+
+    def decrypt_with_type(self, data: str) -> DecryptOutput:
+        return self._decrypt(data)
+
+    def decrypt(self, data: str) -> str:
+        return self._decrypt(data)["decrypted_data"]
+
+    @cached(cache=TTLCache(maxsize=128, ttl=600))
+    def _decrypt(self, data: str) -> DecryptOutput:
+        try:
+            for suite in self.suites:
+                try:
+                    decrypted_data = suite.decrypt(data)
+                    return {
+                        "decrypted_data": decrypted_data,
+                        "encryption_type": str(suite),
+                    }
+                # pylint: disable=broad-except
+                except Exception as e:
+                    self.logger.exception(str(e))
+                    self.logger.debug(f"Failed to decrypt with suite {suite}")
+            else:
+                raise ValueError("Could not decrypt with any suite")
+        except Exception as e:
+            self.logger.exception(str(e))
+            # TODO: defer this http error to later, return a normal error here
+            raise HTTPException(status_code=400, detail="Decryption failed")
+
+    @property
+    def key_available(self) -> bool:
+        return self.suites[0].key_available
+
+    AVAILABLE_CIPHERS: dict[EncryptionType | Literal["default"], type[CipherSuite]] = {
+        EncryptionType.DISABLED: DisabledCipher,
+        EncryptionType.AESGCM: AESGCMCipher,
+        EncryptionType.FERNET: FernetCipher,
+        "default": FernetCipher,
+    }
+
+    @classmethod
+    def get_cipher_suite(cls, encryption_type: EncryptionType) -> type[CipherSuite]:
+        SelectedCipher = cls.AVAILABLE_CIPHERS.get(
+            encryption_type, cls.AVAILABLE_CIPHERS["default"]
+        )
+        return SelectedCipher
+
+    @classmethod
+    def create_cipher_suite(
+        cls,
+        encryption_type: EncryptionType,
+        key: str,
+        logger: BoundLogger,
+    ) -> CipherSuite:
+        kwargs = {
+            "secret_key": key,
+        }
+        try:
+            SelectedCipher = cls.get_cipher_suite(encryption_type)
+            return SelectedCipher(**kwargs)
+        except TypeError:
+            pass
+        except ValueError as e:
+            if key not in (b"", ""):
+                logger.error(
+                    f"Encryption key was provided, but appears to be invalid: {repr(e)}"
+                )
+        return DisabledCipher(**kwargs)
+
+    @classmethod
+    def from_encryption_configs(
+        cls, encryption_configs: Sequence[EncryptionConfig], logger: BoundLogger
+    ) -> Self:
+        cipher_suites: list[CipherSuite] = []
+        for encryption_config in encryption_configs:
+            cipher_suites.append(
+                cls.create_cipher_suite(
+                    key=encryption_config.encryption_key,
+                    encryption_type=encryption_config.encryption_type,
+                    logger=logger,
+                )
+            )
+        return cls(suites=cipher_suites, logger=logger)

sovereign-0.25.0/src/sovereign/utils/crypto/suites/__init__.py

@@ -0,0 +1,21 @@
+from enum import StrEnum
+
+from sovereign.utils.crypto.suites.aes_gcm_cipher import AESGCMCipher
+from sovereign.utils.crypto.suites.base_cipher import CipherSuite
+from sovereign.utils.crypto.suites.disabled_cipher import DisabledCipher
+from sovereign.utils.crypto.suites.fernet_cipher import FernetCipher
+
+
+class EncryptionType(StrEnum):
+    FERNET = "fernet"
+    AESGCM = "aesgcm"
+    DISABLED = "disabled"
+
+
+__all__ = [
+    "AESGCMCipher",
+    "CipherSuite",
+    "DisabledCipher",
+    "FernetCipher",
+    "EncryptionType",
+]

sovereign-0.25.0/src/sovereign/utils/crypto/suites/aes_gcm_cipher.py

@@ -0,0 +1,42 @@
+import base64
+import os
+
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+from .base_cipher import CipherSuite
+
+
+class AESGCMCipher(CipherSuite):
+    AUTHENTICATE_DATA = "sovereign".encode()
+    NONCE_LEN = 12
+
+    def __str__(self) -> str:
+        return "aesgcm"
+
+    def __init__(self, secret_key: str):
+        self.secret_key = base64.urlsafe_b64decode(secret_key)
+
+    def encrypt(self, data: str) -> str:
+        aesgcm = AESGCM(self.secret_key)
+        nonce = os.urandom(self.NONCE_LEN)
+        ct = aesgcm.encrypt(nonce, data.encode(), self.AUTHENTICATE_DATA)
+        return base64.b64encode(nonce + ct).decode("utf-8")
+
+    def decrypt(self, data: str) -> str:
+        decoded_data = base64.b64decode(data)
+        nonce, ct = (
+            decoded_data[: self.NONCE_LEN],
+            decoded_data[self.NONCE_LEN :],
+        )
+        aesgcm = AESGCM(self.secret_key)
+        decrypted_output = aesgcm.decrypt(nonce, ct, self.AUTHENTICATE_DATA)
+        return decrypted_output.decode("utf-8")
+
+    @property
+    def key_available(self) -> bool:
+        return True
+
+    @classmethod
+    def generate_key(cls) -> bytes:
+        # Generate 256 bit length key
+        return base64.urlsafe_b64encode(os.urandom(32))

sovereign-0.25.0/src/sovereign/utils/crypto/suites/base_cipher.py

@@ -0,0 +1,26 @@
+from abc import ABC, abstractmethod
+from typing import Any
+
+
+class CipherSuite(ABC):
+    @abstractmethod
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        ...
+
+    @abstractmethod
+    def encrypt(self, data: str) -> str:
+        ...
+
+    @abstractmethod
+    def decrypt(self, data: str) -> str:
+        ...
+
+    @property
+    @abstractmethod
+    def key_available(self) -> bool:
+        ...
+
+    @classmethod
+    @abstractmethod
+    def generate_key(cls) -> bytes:
+        ...

sovereign-0.25.0/src/sovereign/utils/crypto/suites/disabled_cipher.py

@@ -0,0 +1,25 @@
+from typing import Any
+
+from .base_cipher import CipherSuite
+
+
+class DisabledCipher(CipherSuite):
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        pass
+
+    def __str__(self) -> str:
+        return "disabled"
+
+    def encrypt(self, _: str) -> str:
+        return "Unavailable (No Secret Key)"
+
+    def decrypt(self, _: str) -> str:
+        return "Unavailable (No Secret Key)"
+
+    @property
+    def key_available(self) -> bool:
+        return False
+
+    @classmethod
+    def generate_key(cls) -> bytes:
+        return b"Unavailable (No key to generate)"

sovereign-0.25.0/src/sovereign/utils/crypto/suites/fernet_cipher.py

@@ -0,0 +1,29 @@
+import base64
+import os
+
+from cryptography.fernet import Fernet
+
+from .base_cipher import CipherSuite
+
+
+class FernetCipher(CipherSuite):
+    def __str__(self) -> str:
+        return "fernet"
+
+    def __init__(self, secret_key: str):
+        self.fernet = Fernet(secret_key)
+
+    def encrypt(self, data: str) -> str:
+        return self.fernet.encrypt(data.encode()).decode("utf-8")
+
+    def decrypt(self, data: str) -> str:
+        return self.fernet.decrypt(data).decode("utf-8")
+
+    @property
+    def key_available(self) -> bool:
+        return True
+
+    @classmethod
+    def generate_key(cls) -> bytes:
+        # Generate 256 bit length key
+        return base64.urlsafe_b64encode(os.urandom(32))

sovereign-0.25.0/src/sovereign/views/crypto.py

@@ -0,0 +1,99 @@
+from typing import Any, Dict, Optional
+
+from fastapi import APIRouter, Body
+from fastapi.responses import JSONResponse
+from pydantic import BaseModel, Field
+
+from sovereign import json_response_class, logs, server_cipher_container
+from sovereign.schemas import EncryptionConfig
+from sovereign.utils.crypto.crypto import CipherContainer
+from sovereign.utils.crypto.suites import EncryptionType
+
+router = APIRouter()
+
+
+class EncryptionRequest(BaseModel):
+    data: str = Field(..., title="Text to be encrypted", min_length=1, max_length=65535)
+    key: Optional[str] = Field(
+        None,
+        title="Optional encryption key to use to encrypt",
+        min_length=44,
+        max_length=44,
+    )
+    encryption_type: str = Field(default="fernet", title="Encryption type to be used")
+
+
+class DecryptionRequest(BaseModel):
+    data: str = Field(..., title="Text to be decrypted", min_length=1, max_length=65535)
+    key: str = Field(
+        ...,
+        title="Encryption key to use to decrypt",
+        min_length=44,
+        max_length=44,
+    )
+    encryption_type: str = Field(default="fernet", title="Encryption type to be used")
+
+
+class DecryptableRequest(BaseModel):
+    data: str = Field(..., title="Text to be decrypted", min_length=1, max_length=65535)
+
+
+@router.post(
+    "/decrypt",
+    summary="Decrypt provided encrypted data using a provided key",
+    response_class=json_response_class,
+)
+async def _decrypt(request: DecryptionRequest = Body(None)) -> dict[str, Any]:
+    user_cipher_container = CipherContainer.from_encryption_configs(
+        encryption_configs=[
+            EncryptionConfig(
+                encryption_key=request.key,
+                encryption_type=EncryptionType(request.encryption_type),
+            )
+        ],
+        logger=logs.application_logger.logger,
+    )
+    return {**user_cipher_container.decrypt_with_type(request.data)}
+
+
+@router.post(
+    "/encrypt",
+    summary="Encrypt provided data using this servers key or provided key",
+    response_class=json_response_class,
+)
+async def _encrypt(request: EncryptionRequest = Body(None)) -> dict[str, Any]:
+    if request.key:
+        user_cipher_container = CipherContainer.from_encryption_configs(
+            encryption_configs=[
+                EncryptionConfig(
+                    encryption_key=request.key,
+                    encryption_type=EncryptionType(request.encryption_type),
+                )
+            ],
+            logger=logs.application_logger.logger,
+        )
+        return {**user_cipher_container.encrypt(request.data)}
+    return {**server_cipher_container.encrypt(request.data)}
+
+
+@router.post(
+    "/decryptable",
+    summary="Check whether data is decryptable by this server",
+    response_class=json_response_class,
+)
+async def _decryptable(request: DecryptableRequest = Body(None)) -> JSONResponse:
+    server_cipher_container.decrypt(request.data)
+    return json_response_class({})
+
+
+@router.get(
+    "/generate_key",
+    summary="Generate a new asymmetric encryption key",
+    response_class=json_response_class,
+)
+def _generate_key(encryption_type: str = "fernet") -> Dict[str, str]:
+    cipher_suite = CipherContainer.get_cipher_suite(EncryptionType(encryption_type))
+    return {
+        "key": cipher_suite.generate_key().decode(),
+        "encryption_type": encryption_type,
+    }

{sovereign-0.24.6 → sovereign-0.25.0}/src/sovereign/views/discovery.py

@@ -1,17 +1,13 @@
 from typing import Dict
 
 from fastapi import Body, Header
-from fastapi.routing import APIRouter
 from fastapi.responses import Response
+from fastapi.routing import APIRouter
 
-from sovereign import discovery, logs, config
+from sovereign import config, discovery, logs
+from sovereign.schemas import DiscoveryRequest, DiscoveryResponse, ProcessedTemplate
 from sovereign.utils.auth import authenticate
 from sovereign.utils.version_info import compute_hash
-from sovereign.schemas import (
-    DiscoveryRequest,
-    DiscoveryResponse,
-    ProcessedTemplate,
-)
 
 discovery_cache = config.discovery_cache
 
@@ -151,7 +147,7 @@ async def perform_discovery(
             value=template,
             expire=discovery_cache.ttl,
         )
-    return template  # type: ignore[no-any-return]
+    return template
 
 
 def not_modified(headers: Dict[str, str]) -> Response:

sovereign-0.24.6/src/sovereign/utils/crypto.py

@@ -1,103 +0,0 @@
-from functools import partial
-from collections import namedtuple
-from typing import Optional, List
-from cryptography.fernet import Fernet, InvalidToken
-from fastapi.exceptions import HTTPException
-from structlog.stdlib import BoundLogger
-
-CipherSuite = namedtuple("CipherSuite", "encrypt decrypt key_available")
-
-
-class CipherContainer:
-    """
-    Object which intercepts encrypt/decryptions
-    Tries to decrypt data using the ciphers provided in order
-    Encrypts with the first suite available.
-    """
-
-    def __init__(self, suites: List[CipherSuite]) -> None:
-        self.suites = suites
-
-    def encrypt(self, data: str, key: Optional[str] = None) -> str:
-        if key is not None:
-            return encrypt(Fernet(key.encode()), data)
-        return self.suites[0].encrypt(data)  # type: ignore
-
-    def decrypt(self, data: str, key: Optional[str] = None) -> str:
-        if key is not None:
-            return decrypt(Fernet(key.encode()), data)
-        success = False
-        decrypted = None
-        error = ValueError("Unable to decrypt value, unknown error")
-        for suite in self.suites:
-            try:
-                decrypted = suite.decrypt(data)
-                success = True
-                break
-            except (InvalidToken, AttributeError, HTTPException) as e:
-                error = e  # type: ignore
-                continue
-        if not success:
-            raise error
-        else:
-            return decrypted  # type: ignore
-
-    @property
-    def key_available(self) -> bool:
-        return self.suites[0].key_available  # type: ignore
-
-
-class DisabledSuite:
-    @staticmethod
-    def encrypt(_: bytes) -> bytes:
-        return b"Unavailable (No Secret Key)"
-
-    @staticmethod
-    def decrypt(*_: bytes) -> str:
-        return "Unavailable (No Secret Key)"
-
-
-def create_cipher_suite(key: bytes, logger: BoundLogger) -> CipherSuite:
-    try:
-        fernet = Fernet(key)
-        return CipherSuite(partial(encrypt, fernet), partial(decrypt, fernet), True)
-    except TypeError:
-        pass
-    except ValueError as e:
-        if key not in (b"", ""):
-            logger.error(
-                f"Fernet key was provided, but appears to be invalid: {repr(e)}"
-            )
-    return CipherSuite(DisabledSuite.encrypt, DisabledSuite.decrypt, False)
-
-
-def generate_key() -> str:
-    secret: bytes = Fernet.generate_key()
-    return secret.decode()
-
-
-def encrypt(cipher_suite: Fernet, data: str, key: Optional[str] = None) -> str:
-    _local_cipher_suite = cipher_suite
-    if isinstance(key, str):
-        _local_cipher_suite = Fernet(key.encode())
-    try:
-        encrypted: bytes = _local_cipher_suite.encrypt(data.encode())
-    except (InvalidToken, AttributeError):
-        # TODO: defer this http error to later, return a normal error here
-        raise HTTPException(status_code=400, detail="Encryption failed")
-    return encrypted.decode()
-
-
-def decrypt(cipher_suite: Fernet, data: str, key: Optional[str] = None) -> str:
-    _local_cipher_suite = cipher_suite
-    if key is not None:
-        _local_cipher_suite = Fernet(key.encode())
-    try:
-        decrypted = _local_cipher_suite.decrypt(data.encode())
-    except (InvalidToken, AttributeError):
-        # TODO: defer this http error to later, return a normal error here
-        raise HTTPException(status_code=400, detail="Decryption failed")
-    if isinstance(decrypted, bytes):
-        return decrypted.decode()
-    else:
-        return decrypted

sovereign-0.24.6/src/sovereign/views/crypto.py

@@ -1,69 +0,0 @@
-from typing import Dict
-from pydantic import BaseModel, Field
-from fastapi import APIRouter, Body
-from fastapi.responses import JSONResponse
-from sovereign import json_response_class, cipher_suite
-from sovereign.utils.crypto import generate_key
-
-router = APIRouter()
-
-
-class EncryptionRequest(BaseModel):
-    data: str = Field(..., title="Text to be encrypted", min_length=1, max_length=65535)
-    key: str = Field(
-        None,
-        title="Optional Fernet encryption key to use to encrypt",
-        min_length=44,
-        max_length=44,
-    )
-
-
-class DecryptionRequest(BaseModel):
-    data: str = Field(..., title="Text to be decrypted", min_length=1, max_length=65535)
-    key: str = Field(
-        ...,
-        title="Fernet encryption key to use to decrypt",
-        min_length=44,
-        max_length=44,
-    )
-
-
-class DecryptableRequest(BaseModel):
-    data: str = Field(..., title="Text to be decrypted", min_length=1, max_length=65535)
-
-
-@router.post(
-    "/decrypt",
-    summary="Decrypt provided encrypted data using a provided key",
-    response_class=json_response_class,
-)
-async def _decrypt(request: DecryptionRequest = Body(None)) -> Dict[str, str]:
-    return {"result": cipher_suite.decrypt(request.data, request.key)}
-
-
-@router.post(
-    "/encrypt",
-    summary="Encrypt provided data using this servers key",
-    response_class=json_response_class,
-)
-async def _encrypt(request: EncryptionRequest = Body(None)) -> Dict[str, str]:
-    return {"result": cipher_suite.encrypt(data=request.data, key=request.key)}
-
-
-@router.post(
-    "/decryptable",
-    summary="Check whether data is decryptable by this server",
-    response_class=json_response_class,
-)
-async def _decryptable(request: DecryptableRequest = Body(None)) -> JSONResponse:
-    cipher_suite.decrypt(request.data)
-    return json_response_class({})
-
-
-@router.get(
-    "/generate_key",
-    summary="Generate a new asymmetric encryption key",
-    response_class=json_response_class,
-)
-def _generate_key() -> Dict[str, str]:
-    return {"result": generate_key()}