From 0c2a049276189b017b7e95eb4f6d5c038712ebd1 Mon Sep 17 00:00:00 2001 From: Alex Schoof Date: Wed, 4 Nov 2015 08:47:24 -0500 Subject: [PATCH 1/3] pad auto-generated version numbers --- credstash.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/credstash.py b/credstash.py index 85e8312..79045f9 100755 --- a/credstash.py +++ b/credstash.py @@ -44,6 +44,7 @@ from Crypto.Util import Counter DEFAULT_REGION = "us-east-1" +PAD_LEN = 19 # number of digits in sys.maxint WILDCARD_CHAR = "*" @@ -124,6 +125,14 @@ def csv_dump(dictionary): return csvfile.getvalue() +def paddedInt(i): + ''' + return a string that contains `i`, left-padded with 0's up to PAD_LEN digits + ''' + i_str = str(i) + pad = PAD_LEN - len(i_str) + return (pad * "0") + i_str + def getHighestVersion(name, region="us-east-1", table="credential-store"): ''' Return the highest version of `name` in the table @@ -187,7 +196,7 @@ def putSecret(name, secret, version, kms_key="alias/credstash", data = {} data['name'] = name - data['version'] = version if version != "" else "1" + data['version'] = version if version != "" else paddedInt(1) data['key'] = b64encode(wrapped_key).decode('utf-8') data['contents'] = b64encode(c_text).decode('utf-8') data['hmac'] = b64hmac @@ -470,7 +479,7 @@ def main(): latestVersion = getHighestVersion(args.credential, region, args.table) try: - version = str(int(latestVersion) + 1) + version = paddedInt(int(latestVersion) + 1) except ValueError: printStdErr("Can not autoincrement version. The current " "version: %s is not an int" % latestVersion) From 6ed776684cdd0133ea89b6a36c8c51de7574bd96 Mon Sep 17 00:00:00 2001 From: dom-at-luminal Date: Thu, 5 Nov 2015 21:02:19 -0500 Subject: [PATCH 2/3] first cut at migration script --- credstash-migrate-autoversion.py | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 credstash-migrate-autoversion.py 
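Review bot: `paddedInt` (second hunk of PATCH 1/3) returns a string that no longer sorts numerically when its input is negative or has more than `PAD_LEN` digits: for 20 or more digits `pad` is zero or negative and the value comes back unpadded, and `-5` becomes a run of zeros followed by `-5`. The padding only helps if string order on the version attribute matches integer order, which is presumably what the highest-version lookup relies on (that code is outside the hunk). I would reject such input with a `ValueError` and build the result with `return str(i).zfill(PAD_LEN)`. The `PAD_LEN` comment in the first hunk ties the width to `sys.maxint`, which has 19 digits only on 64-bit Python 2 builds; it reads better as a fixed storage-format width that must not change once items have been written.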
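Review bot: In the `putSecret` hunk a caller-supplied `version` is still stored exactly as given; only the default becomes `paddedInt(1)`. An explicit integer version such as `2` would then sort, as a string, above every zero-padded value, so a lookup that picks the highest version by string order (not visible in this hunk) could keep returning that item after newer auto-versioned secrets are written, and a rotated-out credential would continue to be served. Assuming `version` is always a string, integer-looking values could be normalised here too, e.g. `data['version'] = paddedInt(int(version)) if version.isdigit() else (version or paddedInt(1))`; otherwise the docs should say that manual and automatic versions must not be mixed. `putSecret` starts and ends outside the hunk.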
diff --git a/credstash-migrate-autoversion.py b/credstash-migrate-autoversion.py
new file mode 100644
index 0000000..983d780
--- /dev/null
+++ b/credstash-migrate-autoversion.py
@@ -0,0 +1,32 @@
+import boto3
+import credstash
+import copy
+
+
+def updateVersions(region="us-east-1", table="credential-store"):
+ '''
+ do a full-table scan of the credential-store,
+ and update the version format of every credential if it is an integer
+ '''
+ dynamodb = boto3.resource('dynamodb', region_name=region)
+ secrets = dynamodb.Table(table)
+
+ response = secrets.scan(ProjectionExpression="#N, version, #K, contents, hmac",
+ ExpressionAttributeNames={"#N": "name", "#K": "key"})
+
+ items = response["Items"]
+
+ for old_item in items:
+ try:
+ int(old_item['version'])
+ new_item = copy.copy(old_item)
+ new_item['version'] = credstash.paddedInt(new_item['version'])
+ if new_item['version'] != old_item['version']:
+ secrets.put_item(Item=new_item)
+ secrets.delete_item(Key={'name': old_item['name'], 'version': old_item['version']})
+ except:
+ print "Skipping item: %s, %s" % (old_item['name'], old_item['version'])
+
+
+if __name__ == "__main__":
+ updateVersions()
From 1eb4d83b0f6c41c0ecf2d6de3ef45aa91bda2c35 Mon Sep 17 00:00:00 2001
From: dom-at-luminal
Date: Fri, 6 Nov 2015 07:31:03 -0500
Subject: [PATCH 3/3] moving the terrible flow control to an isolated function
---
 credstash-migrate-autoversion.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/credstash-migrate-autoversion.py b/credstash-migrate-autoversion.py
index 983d780..7e5c706 100644
--- a/credstash-migrate-autoversion.py
+++ b/credstash-migrate-autoversion.py
@@ -3,6 +3,14 @@
 import copy
+def isInt(s):
+ try:
+ int(s)
+ return True
+ except ValueError:
+ return False
+
+
 def updateVersions(region="us-east-1", table="credential-store"):
 '''
 do a full-table scan of the credential-store,
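Review bot: `updateVersions` in the new migration script (PATCH 2/3) reads only the first page of `secrets.scan(...)`: a DynamoDB scan returns at most 1 MB per call and signals remaining data with `LastEvaluatedKey`, which is never checked. On a larger table the script would finish without error while leaving part of the items in the old format, and a table holding both padded and unpadded versions is exactly the state in which string ordering can pick the wrong "latest" secret. Looping until `LastEvaluatedKey` is absent, and collecting the items before any write, closes that gap; a sketch follows. The projection also copies only the five listed attributes, so any other attribute on an item would be dropped by the rewrite, which is worth confirming against the table before running it.

```python
    scan_kwargs = {
        "ProjectionExpression": "#N, version, #K, contents, hmac",
        "ExpressionAttributeNames": {"#N": "name", "#K": "key"},
    }
    items = []
    while True:
        response = secrets.scan(**scan_kwargs)
        items.extend(response["Items"])
        if "LastEvaluatedKey" not in response:
            break
        scan_kwargs["ExclusiveStartKey"] = response["LastEvaluatedKey"]
    # … unchanged: per-item migration loop over items …
```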
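Review bot: `isInt` (first hunk of PATCH 3/3) accepts more than plain digit strings, because `int()` also parses a leading sign and surrounding whitespace, and it raises `TypeError` instead of returning `False` for a non-string such as `None`. Since `updateVersions` pads the raw attribute value rather than the parsed integer, a version like `-3` or ` 7` would be rewritten into a string that still does not sort numerically. A stricter test such as `return isinstance(s, basestring) and s.isdigit()` would limit the migration to the values `paddedInt` is meant for. A one-line docstring saying that the function decides which versions get migrated would also help.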
@@ -17,14 +25,13 @@ def updateVersions(region="us-east-1", table="credential-store"):
 items = response["Items"]
 for old_item in items:
- try:
- int(old_item['version'])
+ if isInt(old_item['version']):
 new_item = copy.copy(old_item)
 new_item['version'] = credstash.paddedInt(new_item['version'])
 if new_item['version'] != old_item['version']:
 secrets.put_item(Item=new_item)
 secrets.delete_item(Key={'name': old_item['name'], 'version': old_item['version']})
- except:
+ else:
 print "Skipping item: %s, %s" % (old_item['name'], old_item['version'])
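Review bot: The `put_item` kept as context in this hunk writes the padded key unconditionally, so if an item with the same name and the padded version already exists (for example one written by an upgraded client before the migration ran), its contents are overwritten with the older secret. A conditional put, e.g. `secrets.put_item(Item=new_item, ConditionExpression=Attr('name').not_exists())` with `from boto3.dynamodb.conditions import Attr`, would turn that into a visible failure to resolve by hand. The new `else` branch only prints to stdout and the skipped items stay in the old format, so a count of skipped items or a non-zero exit status would make an incomplete migration harder to miss. `updateVersions` begins outside the hunk.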