bretth / sera Goto Github PK

We need to be able to handle a bad or malicious payload that doesn't decrypt successfully.

A malicious user could run a compromised version of sera and receive commands and potentially the sera watcher's password.

When I want to issue a command adding sera -w [watcher] before each command is tedious so I want to create a shortcut or simple alias for that watcher so that I can issue a command directly.

When I want to change an environment variable in a program other than sera I want to export that variable to an env file on a path.

Create the signing key:

sera create signature

Create the public private keypair:

sera create keypair

Create the watcher aws api keypair

sera create access

When a watcher receives a public key swap the first time it must reply by signing it's public key with a signing key known by the client so that the client knows that it is not a malicious watcher.

As an added security measure the signing key is only used the once to add the watcher after which it is removed.

1. Watcher starts up with signed-queue name in env
2. Watcher polls signed queue name (signed-queue)
3. Client determines that watcher queue doesn't exist
   a) if the client doesn't have a signing key it bails
4. Client sends public key to signed-queue
5. Watcher receives client public key on signed-queue, and replies on client queue, signing the response.
6. Client receives signed response.
7. Signed response validates so watcher queue is created.
8. Watcher unsets signed-queue from env.
9. Client deletes signed-queue

A .allowed_sera_clients file defines what clients can issue commands.

The file contains a list of public keys.

When putting environment variables into a public repository I need to encrypt them and have them unencrypted on the server before use.

On the client git ignore *.secret then:

$ sera encrypt -R *.secret
$ enter password: ****** < creates *.nacl files > $ git add *.nacl`

On the server:

$ sera -w ubuntu1 decrypt -R /path/to/files
$ enter password: *****

Register with:
entry_points = {
'sera.command': [
'main.some_command = myns.mypkg.mymodule:the_command'
]
},

entry_points = {
'sera.group': [
'some_group = myns.mypkg.mymodule:the_group'
]
},

entry_points = {
'sera.collection': [
'some_cli_collection = myns.mypkg.mymodule:the_cli'
]

Override:
SERA_COLLECTION=myns.mypkg.mymodule:the_cli;...
SERA_GROUP=

To use them
import pkg_resources

named_objects = {}
for ep in pkg_resources.iter_entry_points(group='sera.collection'):
...

The underlying provider needs to handle messages that haven't been deleted in the system