Skip to main content

Security helper for the OpenAlchemy package service

Project description

Security

Performs calculations for creating pubic and secret keys. A credential is made up of a public and secret key, a salt and a hash of the secret key that is safe to store.

Service Secret

For certain operations, such as the creation of secret keys, a service secret is retrieved which required access to AWS secrets manager.

Create

Create a new credential.

Input:

  • sub: unique identifier for the user.

Output:

  • public_key: a unique public identifier for the key,
  • secret_key: a secret key for the public key,
  • salt: a random value used to create the credential and
  • secret_key_hash: a value derived from the secret key that is safe to store.

Retrieve Secret

Re-calculates the secret key based on known values.

Input:

  • sub and
  • salt.

Output:

  • secret_key.

Calculate Secret Hash

Calculate the secret key has for a secret.

Input:

  • secret_key and
  • salt.

Output:

  • secret_key_hash.

Compare Secret Hashes

Safely compare two secret key hashes

Input:

  • left: a secret_key_hash and
  • right: a secret_key_hash.

Output:

  • Whether left == right.

Algorithm:

  1. use https://docs.python.org/3/library/hmac.html#hmac.compare_digest to compare the secret key hashes.

Salt

A salt is a random string generated using https://docs.python.org/3/library/secrets.html#secrets.token_bytes.

Public Key

The public key is a hash based on the sub of the user and a salt. The following algorithm is used:

  1. create a message by combining the sub and a random salt created using https://docs.python.org/3/library/secrets.html#secrets.token_bytes,
  2. digest the message using sha256 using https://docs.python.org/3/library/hashlib.html#hash-algorithms and
  3. convert to string using https://docs.python.org/3/library/base64.html#base64.urlsafe_b64encode decoding and and pre-pending it with pk_.

Secret Key

The secret key is a hash based on the sub, salt and a secret associated with the service. The following algorithm is used:

  1. retrieve the service secret,
  2. create a message by combining sub, salt and the service secret,
  3. digest the message using sha256 using https://docs.python.org/3/library/hashlib.html#hash-algorithms and
  4. convert to string using https://docs.python.org/3/library/base64.html#base64.urlsafe_b64encode decoding and and pre-pending it with sk_.

Secret Key Hash

The secret key itself is not stored but a value that is derived from it but hard to reverse is. The following function is used to calculate it: https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac where:

  • hash_name is sha256,
  • password is the secret_key,
  • salt is the credential salt,
  • iterations is 10k.

CI-CD

The workflow is defined here: ../.github/workflows/ci-cd-security.yaml.

There are a few groups of jobs in the CI-CD:

  • test: runs the tests for the package in supported python versions,
  • build: builds the security package,
  • deploy: deploys security infrastructure to AWS,
  • release-required: determines whether a release to PyPI is required and
  • release: a combination of deploying to test and production PyPI and executing tests on the published packages

test

Executes the tests defined at tests.

build

Builds the security package defined at ..

release-required

Has 2 outputs:

  • result: whether a release to PyPI is required based on the latest released version and the version configured in the project and
  • project-version: the version configured in the code base.

deploy

Deploys the CloudFormation stack for the security defined at ../infrastructure/lib/security-stack.ts.

release

If the result output from release-required is true, the package is deployed to both test and production PyPI.

Irrespective of whether the release was executed, the version of the package defined in the code base is installed from both test and production PyPI and the tests defined at ../test/security/tests are executed against the deployed infrastructure on AWS.

Periodic Production Tests

The workflow is defined here: ../.github/workflows/production-test-security.yaml.

Executes the tests defined at ../test/security/tests against a configured version of the package and against the currently deployed infrastructure on AWS.

Pytest Plugin

A pytest plugin is made available to make testing easier. It is defined at open_alchemy/package_security/pytest_plugin.py.

Fixtures

All fixtures that have an effect but yield None are prefixed with _ so that tools like pylint do not complain about unused arguments for test functions.

service_secret

Configures the package to use a dummy service secret and yields it.

_service_secret

The same as service_secret except that it is prefix with a leading _.

access_token

Provides an access token with admin access to the package api. Requires the following environment variables:

  • TEST_USERNAME: a username from the user pool.
  • TEST_PASSWORD: the password for the user.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

open-alchemy.package-security-1.2.1.tar.gz (6.0 kB view details)

Uploaded Source

Built Distribution

File details

Details for the file open-alchemy.package-security-1.2.1.tar.gz.

File metadata

  • Download URL: open-alchemy.package-security-1.2.1.tar.gz
  • Upload date:
  • Size: 6.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.1 setuptools/51.1.0 requests-toolbelt/0.9.1 tqdm/4.55.1 CPython/3.8.7

File hashes

Hashes for open-alchemy.package-security-1.2.1.tar.gz
Algorithm Hash digest
SHA256 d97db2201126f626f86ef732a7ea914c7fdd527d117b879ee2c35f7e068aa8d1
MD5 82f1563f45c1468275094ed05723b212
BLAKE2b-256 d51b942295fb05d33976a673449c6092b58f3a352f0e8ec075204289909989ac

See more details on using hashes here.

File details

Details for the file open_alchemy.package_security-1.2.1-py3-none-any.whl.

File metadata

  • Download URL: open_alchemy.package_security-1.2.1-py3-none-any.whl
  • Upload date:
  • Size: 6.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.1 setuptools/51.1.0 requests-toolbelt/0.9.1 tqdm/4.55.1 CPython/3.8.7

File hashes

Hashes for open_alchemy.package_security-1.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 f1afa88362829cb3dcd14907596ff8d6b41d10bc4cd92050d43a1b30f00e3565
MD5 c90be939a7f9e7c6446944c58e4d7454
BLAKE2b-256 729f53b327204922c6a4fd48e3adc6f3b23dad03ed32c213e779d9882005643e

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page