)]}'
{"barbican/templates/bin/_db-sync.sh.tpl":[{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"77472f68fe25709ac1dd937574142389727bf0d5","unresolved":true,"context_lines":[{"line_number":19,"context_line":"barbican-db-manage upgrade"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"{{- if .Values.simple_crypto_kek_rewrap.rotate }}"},{"line_number":22,"context_line":"/tmp/simple_crypto_kek_rewrap.py --old-kek\u003d{{ .Values.simple_crypto_kek_rewrap.old_kek | quote }}"},{"line_number":23,"context_line":"{{- end }}"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"8839b19e_f37433c0","line":22,"updated":"2021-06-07 05:54:48.000000000","message":"probably worth doing \u0027set +x\u0027 to avoid logging the old kek","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":17896,"name":"Rick Bartra","email":"rickbartra@microsoft.com","username":"rb560u"},"change_message_id":"c80e7d9183d929ca50683c373f8d48ffdad1deef","unresolved":true,"context_lines":[{"line_number":19,"context_line":"barbican-db-manage upgrade"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"{{- if .Values.simple_crypto_kek_rewrap.rotate }}"},{"line_number":22,"context_line":"/tmp/simple_crypto_kek_rewrap.py --old-kek\u003d{{ .Values.simple_crypto_kek_rewrap.old_kek | quote }}"},{"line_number":23,"context_line":"{{- end }}"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"ad2ba5a1_345846b6","line":22,"in_reply_to":"8839b19e_f37433c0","updated":"2021-06-07 14:02:11.000000000","message":"I agree, I read that if old backups of the DB are available, then the old key could still be used to decrypt the project-specific keys, so probably better to avoid logging it.","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil 
Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"fc816c2cbb64d59d238f2220b13a176d9961b85c","unresolved":false,"context_lines":[{"line_number":19,"context_line":"barbican-db-manage upgrade"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"{{- if .Values.simple_crypto_kek_rewrap.rotate }}"},{"line_number":22,"context_line":"/tmp/simple_crypto_kek_rewrap.py --old-kek\u003d{{ .Values.simple_crypto_kek_rewrap.old_kek | quote }}"},{"line_number":23,"context_line":"{{- end }}"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"f47e844c_14919f26","line":22,"in_reply_to":"ad2ba5a1_345846b6","updated":"2021-06-07 22:44:06.000000000","message":"Done","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":23928,"name":"Pete Birley","email":"petebirley@gmail.com","username":"portdirect"},"change_message_id":"188aeedeac33d8880c74e909723200e4a68ef459","unresolved":true,"context_lines":[{"line_number":17,"context_line":"set -ex"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"barbican-db-manage upgrade"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"{{- $kek :\u003d (index (index .Values.conf.barbican \"simple_crypto_plugin\" | default dict) \"kek\") | default \"\" }}"},{"line_number":22,"context_line":"{{- $old_kek :\u003d index .Values.simple_crypto_kek_rewrap \"old_kek\" | default \"\"}}"},{"line_number":23,"context_line":"{{- if and (not (empty $old_kek)) (not (empty $kek)) }}"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"e03007c5_984a0dfc","line":20,"updated":"2021-06-08 02:15:06.000000000","message":"what about cases where simple_crypto is not being used, and an alternate backend is in play?","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil 
Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"ed9cbfd9f44db12276d321b055130d25040bd400","unresolved":true,"context_lines":[{"line_number":17,"context_line":"set -ex"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"barbican-db-manage upgrade"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"{{- $kek :\u003d (index (index .Values.conf.barbican \"simple_crypto_plugin\" | default dict) \"kek\") | default \"\" }}"},{"line_number":22,"context_line":"{{- $old_kek :\u003d index .Values.simple_crypto_kek_rewrap \"old_kek\" | default \"\"}}"},{"line_number":23,"context_line":"{{- if and (not (empty $old_kek)) (not (empty $kek)) }}"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"72a40cfc_30ff837c","line":20,"in_reply_to":"e03007c5_984a0dfc","updated":"2021-06-08 04:37:20.000000000","message":"I did try to handle this .. on l21, if the config section for [simple_crypto_plugin] is not present, or kek is not set, then $kek will be \"\", and the check on l23 will fail, so the script won\u0027t run.\n\nIf the kek is set (even if the simple_crypto backend isn\u0027t explicitly enabled in [crypto] enabled_crypto_plugins), then it the script will run, which I think is fair, since it is enabled by default.\n\nIt will only look for project keys that use the simple_crypto plugin, and if it doesn\u0027t find any, it will consider that a success.\n\nDo you think there is a gap?","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":23928,"name":"Pete Birley","email":"petebirley@gmail.com","username":"portdirect"},"change_message_id":"188aeedeac33d8880c74e909723200e4a68ef459","unresolved":true,"context_lines":[{"line_number":21,"context_line":"{{- $kek :\u003d (index (index .Values.conf.barbican \"simple_crypto_plugin\" | default dict) \"kek\") | default \"\" }}"},{"line_number":22,"context_line":"{{- $old_kek :\u003d index .Values.simple_crypto_kek_rewrap \"old_kek\" 
| default \"\"}}"},{"line_number":23,"context_line":"{{- if and (not (empty $old_kek)) (not (empty $kek)) }}"},{"line_number":24,"context_line":"set +x"},{"line_number":25,"context_line":"echo \"Ensuring that project KEKs are wrapped with the current KEK\""},{"line_number":26,"context_line":"/tmp/simple_crypto_kek_rewrap.py --old-kek\u003d{{ .Values.simple_crypto_kek_rewrap.old_kek | quote }}"},{"line_number":27,"context_line":"{{- end }}"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"07eb6681_4372f65b","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":6},"updated":"2021-06-08 02:15:06.000000000","message":"i know you are setting this to supress the old kek being output to stdout, but this approach will write it to a configmap (l26)/ It would be petter to inject this as an env var, or read from a secret if we are concerned about leaking the old kek.","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"ed9cbfd9f44db12276d321b055130d25040bd400","unresolved":true,"context_lines":[{"line_number":21,"context_line":"{{- $kek :\u003d (index (index .Values.conf.barbican \"simple_crypto_plugin\" | default dict) \"kek\") | default \"\" }}"},{"line_number":22,"context_line":"{{- $old_kek :\u003d index .Values.simple_crypto_kek_rewrap \"old_kek\" | default \"\"}}"},{"line_number":23,"context_line":"{{- if and (not (empty $old_kek)) (not (empty $kek)) }}"},{"line_number":24,"context_line":"set +x"},{"line_number":25,"context_line":"echo \"Ensuring that project KEKs are wrapped with the current KEK\""},{"line_number":26,"context_line":"/tmp/simple_crypto_kek_rewrap.py --old-kek\u003d{{ .Values.simple_crypto_kek_rewrap.old_kek | quote }}"},{"line_number":27,"context_line":"{{- end 
}}"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"7f7d7111_ba683a06","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":6},"in_reply_to":"07eb6681_4372f65b","updated":"2021-06-08 04:37:20.000000000","message":"will fix","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"0aadbb167e4e21f9422d2bb0b65d295015e131ba","unresolved":true,"context_lines":[{"line_number":21,"context_line":"{{- $kek :\u003d (index (index .Values.conf.barbican \"simple_crypto_plugin\" | default dict) \"kek\") | default \"\" }}"},{"line_number":22,"context_line":"{{- $old_kek :\u003d index .Values.simple_crypto_kek_rewrap \"old_kek\" | default \"\"}}"},{"line_number":23,"context_line":"{{- if and (not (empty $old_kek)) (not (empty $kek)) }}"},{"line_number":24,"context_line":"set +x"},{"line_number":25,"context_line":"echo \"Ensuring that project KEKs are wrapped with the current KEK\""},{"line_number":26,"context_line":"/tmp/simple_crypto_kek_rewrap.py --old-kek\u003d{{ .Values.simple_crypto_kek_rewrap.old_kek | quote }}"},{"line_number":27,"context_line":"{{- end }}"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"50f1ebfe_9565f33f","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":6},"in_reply_to":"7f7d7111_ba683a06","updated":"2021-06-08 06:03:07.000000000","message":"Added the old_kek to the configmap-etc secret, and mounted the secret as a file. 
Let me know if that looks ok, or if you would prefer something different.","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"}],"barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl":[{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"77472f68fe25709ac1dd937574142389727bf0d5","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    def rewrap_kek(self, project, kek):"},{"line_number":49,"context_line":"        with self.db_session.begin():"},{"line_number":50,"context_line":"            plugin_meta \u003d kek.plugin_meta"},{"line_number":51,"context_line":"            decrypted_plugin_meta \u003d self.decryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027))"},{"line_number":52,"context_line":"            new_plugin_meta \u003d self.encryptor.encrypt(decrypted_plugin_meta).decode(\u0027utf-8\u0027)"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"            if self.dry_run:"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"a6111d26_5ce4bb6e","line":51,"range":{"start_line":51,"start_character":36,"end_line":51,"end_character":87},"updated":"2021-06-07 05:54:48.000000000","message":"The decryption with the old KEK fails if the key is already wrapped with the new KEK. (This is fine, the nothing is changed in the database, and life goes on.) 
Is it worth explicitly checking for this?","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"fc816c2cbb64d59d238f2220b13a176d9961b85c","unresolved":false,"context_lines":[{"line_number":48,"context_line":"    def rewrap_kek(self, project, kek):"},{"line_number":49,"context_line":"        with self.db_session.begin():"},{"line_number":50,"context_line":"            plugin_meta \u003d kek.plugin_meta"},{"line_number":51,"context_line":"            decrypted_plugin_meta \u003d self.decryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027))"},{"line_number":52,"context_line":"            new_plugin_meta \u003d self.encryptor.encrypt(decrypted_plugin_meta).decode(\u0027utf-8\u0027)"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"            if self.dry_run:"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"0f147013_6b156c26","line":51,"range":{"start_line":51,"start_character":36,"end_line":51,"end_character":87},"in_reply_to":"a6111d26_5ce4bb6e","updated":"2021-06-07 22:44:06.000000000","message":"Done","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":17896,"name":"Rick Bartra","email":"rickbartra@microsoft.com","username":"rb560u"},"change_message_id":"c80e7d9183d929ca50683c373f8d48ffdad1deef","unresolved":true,"context_lines":[{"line_number":54,"context_line":"            if self.dry_run:"},{"line_number":55,"context_line":"                print(\u0027Would have updated KEKDatum in db {}\u0027.format(kek.id))"},{"line_number":56,"context_line":"                print(\u0027Existing plugin_meta: {}\u0027.format(plugin_meta))"},{"line_number":57,"context_line":"                print(\u0027New plugin_meta: {}\u0027.format(new_plugin_meta))"},{"line_number":58,"context_line":"                return"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"        
    # Update KEK metadata in DB"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"087f131e_abf3596a","line":57,"range":{"start_line":57,"start_character":16,"end_line":57,"end_character":68},"updated":"2021-06-07 14:02:11.000000000","message":"I know this is for when the dry run flag is enabled, but would it be better to avoid printing/logging the new project plugin_meta (which I believe it to be the new project-specific key - if not then ignore this question) in case the subsequent attempt is made without the dry-run flag enabled but everything else the same? If someone were going to maliciously attempt to decrypt the secrets, looking at the dry-run output maybe a place to start.","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"fc816c2cbb64d59d238f2220b13a176d9961b85c","unresolved":false,"context_lines":[{"line_number":54,"context_line":"            if self.dry_run:"},{"line_number":55,"context_line":"                print(\u0027Would have updated KEKDatum in db {}\u0027.format(kek.id))"},{"line_number":56,"context_line":"                print(\u0027Existing plugin_meta: {}\u0027.format(plugin_meta))"},{"line_number":57,"context_line":"                print(\u0027New plugin_meta: {}\u0027.format(new_plugin_meta))"},{"line_number":58,"context_line":"                return"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"            # Update KEK metadata in DB"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"d0cad660_edefa013","line":57,"range":{"start_line":57,"start_character":16,"end_line":57,"end_character":68},"in_reply_to":"087f131e_abf3596a","updated":"2021-06-07 22:44:06.000000000","message":"Done","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil 
Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"77472f68fe25709ac1dd937574142389727bf0d5","unresolved":true,"context_lines":[{"line_number":56,"context_line":"                print(\u0027Existing plugin_meta: {}\u0027.format(plugin_meta))"},{"line_number":57,"context_line":"                print(\u0027New plugin_meta: {}\u0027.format(new_plugin_meta))"},{"line_number":58,"context_line":"                return"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"            # Update KEK metadata in DB"},{"line_number":61,"context_line":"            kek.plugin_meta \u003d new_plugin_meta"},{"line_number":62,"context_line":""}],"source_content_type":"text/x-smarty","patch_set":5,"id":"78fccc09_e747b9f5","line":59,"updated":"2021-06-07 05:54:48.000000000","message":"What logging do want for the non-dry-run case?","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"fc816c2cbb64d59d238f2220b13a176d9961b85c","unresolved":false,"context_lines":[{"line_number":56,"context_line":"                print(\u0027Existing plugin_meta: {}\u0027.format(plugin_meta))"},{"line_number":57,"context_line":"                print(\u0027New plugin_meta: {}\u0027.format(new_plugin_meta))"},{"line_number":58,"context_line":"                return"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"            # Update KEK metadata in DB"},{"line_number":61,"context_line":"            kek.plugin_meta \u003d new_plugin_meta"},{"line_number":62,"context_line":""}],"source_content_type":"text/x-smarty","patch_set":5,"id":"5c190279_355916ea","line":59,"in_reply_to":"25d694fe_ef70d915","updated":"2021-06-07 22:44:06.000000000","message":"Done","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":17896,"name":"Rick 
Bartra","email":"rickbartra@microsoft.com","username":"rb560u"},"change_message_id":"c80e7d9183d929ca50683c373f8d48ffdad1deef","unresolved":true,"context_lines":[{"line_number":56,"context_line":"                print(\u0027Existing plugin_meta: {}\u0027.format(plugin_meta))"},{"line_number":57,"context_line":"                print(\u0027New plugin_meta: {}\u0027.format(new_plugin_meta))"},{"line_number":58,"context_line":"                return"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"            # Update KEK metadata in DB"},{"line_number":61,"context_line":"            kek.plugin_meta \u003d new_plugin_meta"},{"line_number":62,"context_line":""}],"source_content_type":"text/x-smarty","patch_set":5,"id":"25d694fe_ef70d915","line":59,"in_reply_to":"78fccc09_e747b9f5","updated":"2021-06-07 14:02:11.000000000","message":"I think just a log statement stating that the project-specific key has been re-wrapped with a master key.","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"77472f68fe25709ac1dd937574142389727bf0d5","unresolved":true,"context_lines":[{"line_number":94,"context_line":"        for project in projects:"},{"line_number":95,"context_line":"            keks \u003d self.get_keks_for_project(project)"},{"line_number":96,"context_line":"            for kek in keks:"},{"line_number":97,"context_line":"                try:"},{"line_number":98,"context_line":"                    self.rewrap_kek(project, kek)"},{"line_number":99,"context_line":"                except Exception:"},{"line_number":100,"context_line":"                    print(\u0027Error occurred! 
SQLAlchemy automatically rolled-\u0027"},{"line_number":101,"context_line":"                          \u0027back the transaction\u0027)"},{"line_number":102,"context_line":"                    traceback.print_exc()"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"def main():"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"5f601f3d_8f91dd3a","line":102,"range":{"start_line":97,"start_character":0,"end_line":102,"end_character":41},"updated":"2021-06-07 05:54:48.000000000","message":"Do we need better error handling? This is somewhat \"best effort\", which is probably ok - if we have a new KEK, and the old KEK doesn\u0027t work, there isn\u0027t much we can do about it.","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"fc816c2cbb64d59d238f2220b13a176d9961b85c","unresolved":true,"context_lines":[{"line_number":94,"context_line":"        for project in projects:"},{"line_number":95,"context_line":"            keks \u003d self.get_keks_for_project(project)"},{"line_number":96,"context_line":"            for kek in keks:"},{"line_number":97,"context_line":"                try:"},{"line_number":98,"context_line":"                    self.rewrap_kek(project, kek)"},{"line_number":99,"context_line":"                except Exception:"},{"line_number":100,"context_line":"                    print(\u0027Error occurred! 
SQLAlchemy automatically rolled-\u0027"},{"line_number":101,"context_line":"                          \u0027back the transaction\u0027)"},{"line_number":102,"context_line":"                    traceback.print_exc()"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"def main():"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"bccdcbd7_92ff4e7d","line":102,"range":{"start_line":97,"start_character":0,"end_line":102,"end_character":41},"in_reply_to":"106d8261_d3494da1","updated":"2021-06-07 22:44:06.000000000","message":"traceback.print_exc() was doing that, but I removed it, I\u0027m not sure if it really adds much value.","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":17896,"name":"Rick Bartra","email":"rickbartra@microsoft.com","username":"rb560u"},"change_message_id":"c80e7d9183d929ca50683c373f8d48ffdad1deef","unresolved":true,"context_lines":[{"line_number":94,"context_line":"        for project in projects:"},{"line_number":95,"context_line":"            keks \u003d self.get_keks_for_project(project)"},{"line_number":96,"context_line":"            for kek in keks:"},{"line_number":97,"context_line":"                try:"},{"line_number":98,"context_line":"                    self.rewrap_kek(project, kek)"},{"line_number":99,"context_line":"                except Exception:"},{"line_number":100,"context_line":"                    print(\u0027Error occurred! 
SQLAlchemy automatically rolled-\u0027"},{"line_number":101,"context_line":"                          \u0027back the transaction\u0027)"},{"line_number":102,"context_line":"                    traceback.print_exc()"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"def main():"}],"source_content_type":"text/x-smarty","patch_set":5,"id":"106d8261_d3494da1","line":102,"range":{"start_line":97,"start_character":0,"end_line":102,"end_character":41},"in_reply_to":"5f601f3d_8f91dd3a","updated":"2021-06-07 14:02:11.000000000","message":"should we print the actual exception as well?","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":23928,"name":"Pete Birley","email":"petebirley@gmail.com","username":"portdirect"},"change_message_id":"188aeedeac33d8880c74e909723200e4a68ef459","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            # try to unwrap with the current (new) kek, and if successful, skip"},{"line_number":53,"context_line":"            try:"},{"line_number":54,"context_line":"                if self.encryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027)):"},{"line_number":55,"context_line":"                    print(\u0027KEK {} is already wrapped with current MKEK, skipping\u0027.format(kek.id))"},{"line_number":56,"context_line":"                    return"},{"line_number":57,"context_line":"            except fernet.InvalidToken:"},{"line_number":58,"context_line":"                pass"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"31cea715_58b741cc","line":55,"range":{"start_line":55,"start_character":66,"end_line":55,"end_character":70},"updated":"2021-06-08 02:15:06.000000000","message":"KEK?","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":23928,"name":"Pete 
Birley","email":"petebirley@gmail.com","username":"portdirect"},"change_message_id":"188aeedeac33d8880c74e909723200e4a68ef459","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            # try to unwrap with the current (new) kek, and if successful, skip"},{"line_number":53,"context_line":"            try:"},{"line_number":54,"context_line":"                if self.encryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027)):"},{"line_number":55,"context_line":"                    print(\u0027KEK {} is already wrapped with current MKEK, skipping\u0027.format(kek.id))"},{"line_number":56,"context_line":"                    return"},{"line_number":57,"context_line":"            except fernet.InvalidToken:"},{"line_number":58,"context_line":"                pass"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"493aebcd_d4fc4a28","line":55,"range":{"start_line":55,"start_character":58,"end_line":55,"end_character":65},"updated":"2021-06-08 02:15:06.000000000","message":"target (current is ambiguous in this context)","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":23928,"name":"Pete Birley","email":"petebirley@gmail.com","username":"portdirect"},"change_message_id":"d26caff68c6f4ae6b4ebebb5ef8609809ec2ed96","unresolved":false,"context_lines":[{"line_number":52,"context_line":"            # try to unwrap with the current (new) kek, and if successful, skip"},{"line_number":53,"context_line":"            try:"},{"line_number":54,"context_line":"                if self.encryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027)):"},{"line_number":55,"context_line":"                    print(\u0027KEK {} is already wrapped with current MKEK, skipping\u0027.format(kek.id))"},{"line_number":56,"context_line":"                    return"},{"line_number":57,"context_line":"            except fernet.InvalidToken:"},{"line_number":58,"context_line":"                
pass"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"edfa89e4_5afc9291","line":55,"range":{"start_line":55,"start_character":66,"end_line":55,"end_character":70},"in_reply_to":"31cea715_58b741cc","updated":"2021-06-08 13:25:48.000000000","message":"Oh - Master KEK, much less fun than KEKEK though :)","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"ed9cbfd9f44db12276d321b055130d25040bd400","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            # try to unwrap with the current (new) kek, and if successful, skip"},{"line_number":53,"context_line":"            try:"},{"line_number":54,"context_line":"                if self.encryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027)):"},{"line_number":55,"context_line":"                    print(\u0027KEK {} is already wrapped with current MKEK, skipping\u0027.format(kek.id))"},{"line_number":56,"context_line":"                    return"},{"line_number":57,"context_line":"            except fernet.InvalidToken:"},{"line_number":58,"context_line":"                pass"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"7cde7f5c_8c80b7e3","line":55,"range":{"start_line":55,"start_character":66,"end_line":55,"end_character":70},"in_reply_to":"31cea715_58b741cc","updated":"2021-06-08 04:37:20.000000000","message":"The terminology in Barbican is a bit ambiguous.\n\nI was using MKEK trying to distinguish between the \"master key encryption key\" (which is what appears in the config file as \"kek\") and the project-specific keys, which are called KEKs in the database.\n\nI could just refer to \u0027KEK {}\u0027 .. 
\u0027Key {}\u0027 throughout, if that is better?","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"0aadbb167e4e21f9422d2bb0b65d295015e131ba","unresolved":false,"context_lines":[{"line_number":52,"context_line":"            # try to unwrap with the current (new) kek, and if successful, skip"},{"line_number":53,"context_line":"            try:"},{"line_number":54,"context_line":"                if self.encryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027)):"},{"line_number":55,"context_line":"                    print(\u0027KEK {} is already wrapped with current MKEK, skipping\u0027.format(kek.id))"},{"line_number":56,"context_line":"                    return"},{"line_number":57,"context_line":"            except fernet.InvalidToken:"},{"line_number":58,"context_line":"                pass"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"821b8568_9420e92e","line":55,"range":{"start_line":55,"start_character":58,"end_line":55,"end_character":65},"in_reply_to":"4755b7d3_b228f6de","updated":"2021-06-08 06:03:07.000000000","message":"Done","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"ed9cbfd9f44db12276d321b055130d25040bd400","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            # try to unwrap with the current (new) kek, and if successful, skip"},{"line_number":53,"context_line":"            try:"},{"line_number":54,"context_line":"                if self.encryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027)):"},{"line_number":55,"context_line":"                    print(\u0027KEK {} is already wrapped with current MKEK, skipping\u0027.format(kek.id))"},{"line_number":56,"context_line":"                    return"},{"line_number":57,"context_line":"            
except fernet.InvalidToken:"},{"line_number":58,"context_line":"                pass"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"4755b7d3_b228f6de","line":55,"range":{"start_line":55,"start_character":58,"end_line":55,"end_character":65},"in_reply_to":"493aebcd_d4fc4a28","updated":"2021-06-08 04:37:20.000000000","message":"agreed, will update","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"0aadbb167e4e21f9422d2bb0b65d295015e131ba","unresolved":false,"context_lines":[{"line_number":52,"context_line":"            # try to unwrap with the current (new) kek, and if successful, skip"},{"line_number":53,"context_line":"            try:"},{"line_number":54,"context_line":"                if self.encryptor.decrypt(plugin_meta.encode(\u0027utf-8\u0027)):"},{"line_number":55,"context_line":"                    print(\u0027KEK {} is already wrapped with current MKEK, skipping\u0027.format(kek.id))"},{"line_number":56,"context_line":"                    return"},{"line_number":57,"context_line":"            except fernet.InvalidToken:"},{"line_number":58,"context_line":"                pass"}],"source_content_type":"text/x-smarty","patch_set":6,"id":"7e2041d1_f052603e","line":55,"range":{"start_line":55,"start_character":66,"end_line":55,"end_character":70},"in_reply_to":"7cde7f5c_8c80b7e3","updated":"2021-06-08 06:03:07.000000000","message":"Changed to \"Project KEK\" throughout when referring to project keys, and just KEK (or \"global KEK\") when talking about the master KEK.","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"}],"barbican/templates/job-db-sync.yaml":[{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"0aadbb167e4e21f9422d2bb0b65d295015e131ba","unresolved":true,"context_lines":[{"line_number":19,"context_line":"{{- end 
}}"},{"line_number":20,"context_line":"{{- end }}"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"{{- $podVolMounts :\u003d .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumeMounts | default list }}"},{"line_number":23,"context_line":"{{- $podVolMounts \u003d concat $podVolMounts (list (dict \"name\" \"db-sync-sh\" \"mountPath\" \"/tmp/simple_crypto_kek_rewrap.py\" \"subPath\" \"simple_crypto_kek_rewrap.py\" \"readOnly\" true) (dict \"name\" \"db-sync-conf\" \"mountPath\" \"/tmp/old_kek\" \"subPath\" \"old_kek\" \"readOnly\" true)) }} }}"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"{{- if .Values.manifests.job_db_sync }}"},{"line_number":26,"context_line":"{{- $dbSyncJob :\u003d dict \"envAll\" . \"serviceName\" \"barbican\" \"podVolMounts\" $podVolMounts \"podVols\" .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumes \"jobAnnotations\" (include \"metadata.annotations.job.db_sync\" . | fromYaml) -}}"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"6998ad7a_30016e1d","line":23,"range":{"start_line":22,"start_character":0,"end_line":23,"end_character":36},"updated":"2021-06-08 06:03:07.000000000","message":"I don\u0027t really love adding the mounts like this, but I\u0027m not sure whether it\u0027s safe to update.Values.pod.mounts.barbican_db_sync.barbican_db_sync directly - I worry that they may get clobbered if a user has existing values.yaml overrides.","commit_id":"cb8b262e16ecad6b86a84a8cdc06f418898eb35c"}],"barbican/values.yaml":[{"author":{"_account_id":17896,"name":"Rick Bartra","email":"rickbartra@microsoft.com","username":"rb560u"},"change_message_id":"c80e7d9183d929ca50683c373f8d48ffdad1deef","unresolved":true,"context_lines":[{"line_number":503,"context_line":"    #       - simple_crypto"},{"line_number":504,"context_line":"    #   simple_crypto_plugin:"},{"line_number":505,"context_line":"    #     # The kek should be a 32-byte value which is base64 
encoded."},{"line_number":506,"context_line":"    #     kek: \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\""},{"line_number":507,"context_line":"  logging:"},{"line_number":508,"context_line":"    loggers:"},{"line_number":509,"context_line":"      keys:"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"82509a08_c570d2dc","line":506,"updated":"2021-06-07 14:02:11.000000000","message":"I like this approach better of this being the preferred/only location to set the kek, vs setting it in the \u0027simple_crypto_kek_rewrap\u0027 section.","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"fc816c2cbb64d59d238f2220b13a176d9961b85c","unresolved":false,"context_lines":[{"line_number":503,"context_line":"    #       - simple_crypto"},{"line_number":504,"context_line":"    #   simple_crypto_plugin:"},{"line_number":505,"context_line":"    #     # The kek should be a 32-byte value which is base64 encoded."},{"line_number":506,"context_line":"    #     kek: \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\""},{"line_number":507,"context_line":"  logging:"},{"line_number":508,"context_line":"    loggers:"},{"line_number":509,"context_line":"      keys:"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"4f648de6_1e1b7ba3","line":506,"in_reply_to":"82509a08_c570d2dc","updated":"2021-06-07 22:44:06.000000000","message":"Done","commit_id":"0c760122ecb9bd0973b55dacb392230eb1c8c2c9"},{"author":{"_account_id":23928,"name":"Pete Birley","email":"petebirley@gmail.com","username":"portdirect"},"change_message_id":"188aeedeac33d8880c74e909723200e4a68ef459","unresolved":true,"context_lines":[{"line_number":279,"context_line":"        - endpoint: internal"},{"line_number":280,"context_line":"          service: oslo_messaging"},{"line_number":281,"context_line":""},{"line_number":282,"context_line":"# KEK rotation for the simple_crypto 
plugin"},{"line_number":283,"context_line":"simple_crypto_kek_rewrap:"},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"  # To allow for chart upgrades when modifying the Key Encryption Key, the"},{"line_number":286,"context_line":"  # db-sync job can rewrap the existing project keys with the new kek, leaving"},{"line_number":287,"context_line":"  # each secret’s encrypted data unchanged."},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"  # This feature is enabled automatically, if a kek is specified at:"},{"line_number":290,"context_line":"  #   .conf.barbican.simple_crypto_plugin.kek"},{"line_number":291,"context_line":"  # and the previous kek is also specified at:"},{"line_number":292,"context_line":"  #   .simple_crypto_kek_rewrap.old_kek"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"  # The project keys are decrypted with \u0027old_kek\u0027 and re-encrypted with the"},{"line_number":295,"context_line":"  # current kek (as defined in barbican.conf)."},{"line_number":296,"context_line":"  # This resembles the lightweight rotation described here, which was never"},{"line_number":297,"context_line":"  # implemented for the simple crypto plugin:"},{"line_number":298,"context_line":"  # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html"},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"  # The KEK value \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\" matches the"},{"line_number":301,"context_line":"  # plugin default, and is retained here for convenience, in case the chart was"},{"line_number":302,"context_line":"  # previously installed without explicitly specifying a kek."},{"line_number":303,"context_line":"  old_kek: \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\""},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"conf:"},{"line_number":306,"context_line":" 
 paste:"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"8418e4bb_26e7d7ab","line":303,"range":{"start_line":282,"start_character":0,"end_line":303,"end_character":57},"updated":"2021-06-08 02:15:06.000000000","message":"I think this probably belongs under the \u0027conf\u0027 key - until recently, at least, we have strived to keep the number of top-level keys to a stable set across charts","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"ed9cbfd9f44db12276d321b055130d25040bd400","unresolved":true,"context_lines":[{"line_number":279,"context_line":"        - endpoint: internal"},{"line_number":280,"context_line":"          service: oslo_messaging"},{"line_number":281,"context_line":""},{"line_number":282,"context_line":"# KEK rotation for the simple_crypto plugin"},{"line_number":283,"context_line":"simple_crypto_kek_rewrap:"},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"  # To allow for chart upgrades when modifying the Key Encryption Key, the"},{"line_number":286,"context_line":"  # db-sync job can rewrap the existing project keys with the new kek, leaving"},{"line_number":287,"context_line":"  # each secret’s encrypted data unchanged."},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"  # This feature is enabled automatically, if a kek is specified at:"},{"line_number":290,"context_line":"  #   .conf.barbican.simple_crypto_plugin.kek"},{"line_number":291,"context_line":"  # and the previous kek is also specified at:"},{"line_number":292,"context_line":"  #   .simple_crypto_kek_rewrap.old_kek"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"  # The project keys are decrypted with \u0027old_kek\u0027 and re-encrypted with the"},{"line_number":295,"context_line":"  # current kek (as defined in 
barbican.conf)."},{"line_number":296,"context_line":"  # This resembles the lightweight rotation described here, which was never"},{"line_number":297,"context_line":"  # implemented for the simple crypto plugin:"},{"line_number":298,"context_line":"  # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html"},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"  # The KEK value \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\" matches the"},{"line_number":301,"context_line":"  # plugin default, and is retained here for convenience, in case the chart was"},{"line_number":302,"context_line":"  # previously installed without explicitly specifying a kek."},{"line_number":303,"context_line":"  old_kek: \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\""},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"conf:"},{"line_number":306,"context_line":"  paste:"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"dce5b04c_221d09fd","line":303,"range":{"start_line":282,"start_character":0,"end_line":303,"end_character":57},"in_reply_to":"8418e4bb_26e7d7ab","updated":"2021-06-08 04:37:20.000000000","message":"will move","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"0aadbb167e4e21f9422d2bb0b65d295015e131ba","unresolved":false,"context_lines":[{"line_number":279,"context_line":"        - endpoint: internal"},{"line_number":280,"context_line":"          service: oslo_messaging"},{"line_number":281,"context_line":""},{"line_number":282,"context_line":"# KEK rotation for the simple_crypto plugin"},{"line_number":283,"context_line":"simple_crypto_kek_rewrap:"},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"  # To allow for chart upgrades when modifying the Key Encryption Key, 
the"},{"line_number":286,"context_line":"  # db-sync job can rewrap the existing project keys with the new kek, leaving"},{"line_number":287,"context_line":"  # each secret’s encrypted data unchanged."},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"  # This feature is enabled automatically, if a kek is specified at:"},{"line_number":290,"context_line":"  #   .conf.barbican.simple_crypto_plugin.kek"},{"line_number":291,"context_line":"  # and the previous kek is also specified at:"},{"line_number":292,"context_line":"  #   .simple_crypto_kek_rewrap.old_kek"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"  # The project keys are decrypted with \u0027old_kek\u0027 and re-encrypted with the"},{"line_number":295,"context_line":"  # current kek (as defined in barbican.conf)."},{"line_number":296,"context_line":"  # This resembles the lightweight rotation described here, which was never"},{"line_number":297,"context_line":"  # implemented for the simple crypto plugin:"},{"line_number":298,"context_line":"  # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html"},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"  # The KEK value \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\" matches the"},{"line_number":301,"context_line":"  # plugin default, and is retained here for convenience, in case the chart was"},{"line_number":302,"context_line":"  # previously installed without explicitly specifying a kek."},{"line_number":303,"context_line":"  old_kek: \"dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg\u003d\""},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"conf:"},{"line_number":306,"context_line":"  
paste:"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"8a6a002c_f970ced8","line":303,"range":{"start_line":282,"start_character":0,"end_line":303,"end_character":57},"in_reply_to":"dce5b04c_221d09fd","updated":"2021-06-08 06:03:07.000000000","message":"Done","commit_id":"756d62f390a70984f0b570177e86b47fab28ef3a"}]}
