def _get_decrypted_pairs(self, credential):
    """
    Decrypt the blind credential pairs stored for the configured region.

    ``credential`` is indexed like a dict with per-region entries under
    ``metadata -> context`` (the KMS encryption context), ``data_key``
    (the base64-encoded encrypted data key) and ``credential_pairs``
    (the Fernet token). Only the entries for ``self.config['region']``
    are read; a missing region surfaces as a ``KeyError``.

    Returns the JSON-decoded plaintext credential pairs. The return value
    and the intermediate data key are secret material, so callers should
    keep them out of logs and exception messages.
    """
    region = self.config['region']
    encryption_context = credential['metadata']['context'][region]

    # Explicit AWS credentials, when present, get a dedicated KMS client;
    # otherwise the client already held on the instance is reused.
    if not self.aws_creds:
        kms = self.kms_client
    else:
        kms = confidant_client.services.get_boto_client(
            'kms',
            region=self.config['region'],
            aws_access_key_id=self.aws_creds['AccessKeyId'],
            aws_secret_access_key=self.aws_creds['SecretAccessKey'],
            aws_session_token=self.aws_creds['SessionToken']
        )

    # The data key is stored base64-encoded; decode it before handing it,
    # together with the encryption context, to the KMS-backed helper.
    wrapped_key = base64.b64decode(ensure_bytes(credential['data_key'][region]))
    plaintext_key = cryptolib.decrypt_datakey(
        wrapped_key,
        encryption_context,
        kms
    )

    token = credential['credential_pairs'][region]
    fernet = Fernet(plaintext_key)
    # Fernet.decrypt checks the token's integrity before returning
    # plaintext, so a tampered token raises instead of reaching json.loads.
    decrypted = fernet.decrypt(token.encode('utf-8'))
    return json.loads(decrypted)