strongdm 15.41.0__tar.gz → 15.43.0__tar.gz

{strongdm-15.41.0 → strongdm-15.43.0}/PKG-INFO

@@ -1,12 +1,12 @@
 Metadata-Version: 2.1
 Name: strongdm
-Version: 15.41.0
+Version: 15.43.0
 Summary: strongDM SDK for the Python programming language.
 Home-page: https://github.com/strongdm/strongdm-sdk-python
 Author: strongDM Team
 Author-email: sdk-feedback@strongdm.com
 License: apache-2.0
-Download-URL: https://github.com/strongdm/strongdm-sdk-python/archive/v15.41.0.tar.gz
+Download-URL: https://github.com/strongdm/strongdm-sdk-python/archive/v15.43.0.tar.gz
 Keywords: strongDM,sdm,api,automation,security,audit,database,server,ssh,rdp
 Platform: UNKNOWN
 Classifier: Development Status :: 4 - Beta

{strongdm-15.41.0 → strongdm-15.43.0}/setup.py

@@ -23,7 +23,7 @@ from setuptools import setup
 setup(
     name='strongdm',
     packages=['strongdm'],
-    version='15.41.0',
+    version='15.43.0',
     license='apache-2.0',
     description='strongDM SDK for the Python programming language.',
     long_description=long_description,
@@ -32,14 +32,14 @@ setup(
     author_email='sdk-feedback@strongdm.com',
     url='https://github.com/strongdm/strongdm-sdk-python',
     download_url=
-    'https://github.com/strongdm/strongdm-sdk-python/archive/v15.41.0.tar.gz',
+    'https://github.com/strongdm/strongdm-sdk-python/archive/v15.43.0.tar.gz',
     keywords=[
         'strongDM', 'sdm', 'api', 'automation', 'security', 'audit',
         'database', 'server', 'ssh', 'rdp'
     ],
     install_requires=[
-        'grpcio>=1.42.0',
-        'googleapis-common-protos>1.56.2,<2',
+        'grpcio >= 1.42.0', 'googleapis-common-protos>1.56.2,<2',
+        'cryptography >= 46.0.0'
     ],
     classifiers=[
         'Development Status :: 4 - Beta',  # Chose either "3 - Alpha", "4 - Beta" or "5 - Production/Stable" as the current state of your package

{strongdm-15.41.0 → strongdm-15.43.0}/strongdm/client.py

@@ -16,17 +16,23 @@
 # Code generated by protogen. DO NOT EDIT.
 
 import base64
+import collections
 import copy
 import datetime
+import functools
 import grpc
 import hashlib
 import hmac
 import random
+import re
 import time
 from . import errors
 from . import plumbing
 from . import svc
 
+from cryptography.hazmat.primitives.asymmetric import rsa, padding
+from cryptography.hazmat.primitives import serialization, hashes
+
 # These defaults are taken from AWS. Customization of these values
 # is a future step in the API.
 DEFAULT_BASE_RETRY_DELAY = 1  # 1 second
@@ -34,7 +40,131 @@ DEFAULT_MAX_RETRY_DELAY = 120  # 120 seconds
 DEFAULT_RETRY_FACTOR = 1.6
 DEFAULT_RETRY_JITTER = 0.2
 API_VERSION = '2025-04-14'
-USER_AGENT = 'strongdm-sdk-python/15.41.0'
+USER_AGENT = 'strongdm-sdk-python/15.43.0'
+
+method_regexp = re.compile(r'\W+')
+
+
+class _ClientCallDetails(
+        collections.namedtuple(
+            "_ClientCallDetails",
+            ("method", "timeout", "metadata", "credentials")),
+        grpc.ClientCallDetails,
+):
+    """ _ClientCallDetails is used to override some of the attributes of the client_call_details in the interceptors"""
+    pass
+
+
+class _EncryptionInterceptor(grpc.UnaryUnaryClientInterceptor):
+    """ _EncryptionInterceptor is used to add transparent encryption/decryption support for managed secrets"""
+    def __init__(self, client):
+        self.client = client
+        self.public_key_cache = {}
+
+    def intercept_unary_unary(self, continuation, client_call_details,
+                              request):
+        method = method_regexp.sub("_", client_call_details.method.lower())
+        callback = getattr(self, method, None)
+        if callback is not None:
+            return callback(continuation, client_call_details, request)
+        return continuation(client_call_details, request)
+
+    @functools.cached_property
+    def private_key(self):
+        return rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=4096,
+        )
+
+    def _encrypt_secret(self, method, continuation, client_call_details,
+                        request):
+        secret = request.managed_secret
+        if len(secret.value) != 0:
+            if secret.secret_engine_id not in self.public_key_cache:
+                try:
+                    # fetch secret engine details to fill up self.public_key_cache
+                    # if it fails the call to create/update will fail as well
+                    self.client.secret_engines.get(secret.secret_engine_id)
+                except errors.RPCError:
+                    pass
+            key = self.public_key_cache.get(secret.secret_engine_id)
+            if key is not None:
+                encrypted = key.encrypt(
+                    secret.value,
+                    padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
+                                 algorithm=hashes.SHA256(),
+                                 label=None))
+                secret.value = encrypted
+            client_call_details = _ClientCallDetails(
+                method=client_call_details.method,
+                timeout=client_call_details.timeout,
+                metadata=self.client.get_metadata(method, request),
+                credentials=client_call_details.credentials)
+        return continuation(client_call_details, request)
+
+    def _v1_managedsecrets_create(self, continuation, client_call_details,
+                                  request):
+        return self._encrypt_secret("ManagedSecrets.Create", continuation,
+                                    client_call_details, request)
+
+    def _v1_managedsecrets_update(self, continuation, client_call_details,
+                                  request):
+        return self._encrypt_secret("ManagedSecrets.Update", continuation,
+                                    client_call_details, request)
+
+    def _v1_managedsecrets_retrieve(self, continuation, client_call_details,
+                                    request):
+        if len(request.public_key) != 0:
+            return continuation(client_call_details, request)
+
+        privKey = self.private_key
+        request.public_key = privKey.public_key().public_bytes(
+            serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo)
+        client_call_details = _ClientCallDetails(
+            method=client_call_details.method,
+            timeout=client_call_details.timeout,
+            metadata=self.client.get_metadata("ManagedSecrets.Retrieve",
+                                              request),
+            credentials=client_call_details.credentials)
+        resp = continuation(client_call_details, request)
+        if resp.code() != grpc.StatusCode.OK:
+            return resp
+        result = resp.result()
+        plaintext = privKey.decrypt(
+            result.managed_secret.value,
+            padding.OAEP(
+                mgf=padding.MGF1(algorithm=hashes.SHA256()),
+                algorithm=hashes.SHA256(),
+                label=None,
+            ))
+        result.managed_secret.value = plaintext
+        return resp
+
+    def _v1_secretengines_get(self, continuation, client_call_details,
+                              request):
+        response = continuation(client_call_details, request)
+        if response.code() != grpc.StatusCode.OK:
+            return response
+        result = response.result()
+        engine = plumbing.convert_secret_engine_to_porcelain(
+            result.secret_engine)
+        engineKey = serialization.load_pem_public_key(engine.public_key)
+        self.public_key_cache[engine.id] = engineKey
+        return response
+
+    def _v1_secretengines_list(self, continuation, client_call_details,
+                               request):
+        response = continuation(client_call_details, request)
+        if response.code() != grpc.StatusCode.OK:
+            return response
+        result = response.result()
+        for plumbing_engine in result.secret_engines:
+            engine = plumbing.convert_secret_engine_to_porcelain(
+                plumbing_engine)
+            engineKey = serialization.load_pem_public_key(engine.public_key)
+            self.public_key_cache[engine.id] = engineKey
+        return response
 
 
 class Client:
@@ -70,6 +200,7 @@ class Client:
                 channel = grpc.secure_channel(host, creds)
         except Exception as e:
             raise plumbing.convert_error_to_porcelain(e) from e
+        channel = grpc.intercept_channel(channel, _EncryptionInterceptor(self))
         self.channel = channel
         self.access_requests = svc.AccessRequests(channel, self)
         '''

{strongdm-15.41.0 → strongdm-15.43.0}/strongdm/constants.py

@@ -332,6 +332,7 @@ class ActivityVerb:
     RESOURCE_LOCKED = "user locked a resource"
     RESOURCE_UNLOCKED = "user unlocked a resource"
     RESOURCE_FORCE_UNLOCKED = "admin force-unlocked a resource"
+    RESOURCE_LOCK_REJECTED = "user lock rejected for a resource"
     CONCURRENT_AUTHENTICATION_REVOKED_PER_ORG_SETTING = "concurrent authentications revoked per organization settings"
     PEERING_GROUP_TOGGLED = "peering group toggled"
     PEERING_GROUP_CREATED = "peering group created"

{strongdm-15.41.0 → strongdm-15.43.0}/strongdm.egg-info/PKG-INFO

@@ -1,12 +1,12 @@
 Metadata-Version: 2.1
 Name: strongdm
-Version: 15.41.0
+Version: 15.43.0
 Summary: strongDM SDK for the Python programming language.
 Home-page: https://github.com/strongdm/strongdm-sdk-python
 Author: strongDM Team
 Author-email: sdk-feedback@strongdm.com
 License: apache-2.0
-Download-URL: https://github.com/strongdm/strongdm-sdk-python/archive/v15.41.0.tar.gz
+Download-URL: https://github.com/strongdm/strongdm-sdk-python/archive/v15.43.0.tar.gz
 Keywords: strongDM,sdm,api,automation,security,audit,database,server,ssh,rdp
 Platform: UNKNOWN
 Classifier: Development Status :: 4 - Beta

{strongdm-15.41.0 → strongdm-15.43.0}/strongdm.egg-info/requires.txt

@@ -1,2 +1,3 @@
+cryptography>=46.0.0
 googleapis-common-protos<2,>1.56.2
 grpcio>=1.42.0