Acquire.Service._service module¶

class Service(service_type=None, service_url=None)[source]¶

Bases: object

This class represents a service in the system. Services will either be identity services, access services, storage services or accounting services.

assert_admin_authorised(authorisation, resource=None)[source]¶: Validate that the passed authorisation is valid for the (optionally) specified resource, and that this has been authorised by one of the admin accounts of this service

assert_unlocked()[source]¶: Assert that this service object is unlocked

bucket()[source]¶: Return the bucket you can use to read/write data to the object store associated with this service account

call_function(function, args=None)[source]¶: Call the function ‘func’ on this service, optionally passing in the arguments ‘args’. This is a simple wrapper around Acquire.Service.call_function which automatically gets the correct URL, encrypts the arguments using the service’s public key, and supplies a key to encrypt the response (and automatically then decrypts the response)

can_identify_users()[source]¶: Return whether or not this service can identify users. Most services can, at a minimum, identify their admin users. However, only true Identity Services can register and manage normal users

canonical_url()[source]¶: Return the canonical URL for this service (this is the URL the service thinks it has, and which it has used to register itself with all other services)

decrypt(message)[source]¶: Decrypt the passed message

decrypt_data(data)[source]¶: Decrypt the passed data that has been encrypted and sent to this service (encrypted via the ‘encrypt_data’ function). This will return a json-deserialisable dictionary. Note that the ‘service_uid’ should match the UID of this service. The data should also contain the fingerprint of the key used to encrypt the data, enabling the service to perform key rotation and management.

dump_keys(include_old_keys=False)[source]¶: Return a dump of the current key and certificate, so that we can keep a record of all keys that have been used. The returned json-serialisable dictionary contains the keys, their fingerprints, and the datetime when they were generated. If this is run on the service, then the keys are encrypted the password which is encrypted using the master key

encrypt(message)[source]¶: Encrypt the passed message

encrypt_data(data)[source]¶

Encrypt the passed data, ready for transport to the service. Data should be a json-serialisable dictionary. This will return a new json-serialisable dictionary, which will contain the UID of the service this should be sent to (together with the canonical URL, which enables this data to be forwarded to where it needs to go), and the encrypted data, e.g. as;

data = {“service_uid” : “SERVICE_UID”,: “canonical_url” : “CANONICAL_URL”, “fingerprint” : “KEY_FINGERPRINT”, “encrypted_data” : “ENCRYPTED_DATA”}

static from_data(data, password=None, verify_data=False)[source]¶

Deserialise this object from the passed data. This will only deserialise the private key and private certificate if the password is supplied.

If ‘verify_data’ is True, then extract the signature of the data and verify that that signature is correct. You should always verify data that has been transmitted over a network.

get_trusted_service(service_url=None, service_uid=None)[source]¶: Return the trusted service info for the service with specified service_url or service_uid

hostname()[source]¶: Return the hostname of the canonical URL that provides this service

is_access_service()[source]¶: Return whether or not this is an access service

is_accounting_service()[source]¶: Return whether or not this is an accounting service

is_compute_service()[source]¶: Return whether or not this is a compute service

is_evolution_of(other)[source]¶: Return whether or not this service is an evolution of ‘other’. Evolving means that this service is the same service as ‘other’, but at a later point in time with newer keys

is_identity_service()[source]¶: Return whether or not this is an identity service

is_locked()[source]¶: Return whether or not this service object is locked. Locked service objects don’t contain copies of any private keys, and can be safely shared as a means of distributing public keys and certificates

is_storage_service()[source]¶: Return whether or not this is a storage service

is_unlocked()[source]¶: Return whether or not this service object is unlocked. Unlocked service objects have access to the skeleton key and other private keys. They should only run on the service. Locked service objects are what are returned by services to provide public keys and public certificates

key_update_interval()[source]¶: Return the time delta between server key updates

last_certificate()[source]¶: Return the old public certificate for this service. This was the certificate used before the last key update, and we store it in case we need to verify data signed using the old private certificate

last_key()[source]¶: Return the old private key for this service (if it has been unlocked). This was the key used before the last key update, and we store it in case we have to decrypt data that was recently encrypted using the old public key

last_key_update()[source]¶: Return the datetime when the key and certificate of this service were last updated

load_keys(data)[source]¶: Return the keys that were dumped by ‘self.dump_keys()’. This returns a dictionary of the keys and datetime that they were created, indexed by their key fingerprints

login_service_user()[source]¶: Return a logged in Acquire.Client.User for the service user. This can only be called inside the service, and when you have unlocked this service object

private_certificate()[source]¶: Return the private signing certificate (if it has been unlocked)

private_key()[source]¶: Return the private key (if it has been unlocked)

public_certificate()[source]¶: Return the public signing certificate for this service

public_key()[source]¶: Return the public key for this service

refresh_keys()[source]¶: Refresh the keys and certificates

service_type()[source]¶: Return the type of this service

service_url()[source]¶: Return the URL used to access this service

service_user_account_uid(accounting_service_url=None, accounting_service=None)[source]¶: Return the UID of the financial account associated with this service on the passed accounting service

service_user_name()[source]¶: Return the name of the service user account for this service

service_user_secrets()[source]¶: Return the (encrypted) secrets for the service user account. These will only be returned if you have unlocked this service. You need access to the skeleton key to decrypt these secrets

service_user_uid()[source]¶: Return the UID of the service user account for this service

should_refresh_keys()[source]¶: Return whether the keys and certificates need to be refreshed - i.e. more than ‘key_update_interval’ has passed since the last key update

sign(message)[source]¶: Sign the specified message

sign_data(data)[source]¶

Sign the passed data, ready for transport. Data should be a json-serialisable dictionary. This will return a new json-serialisable dictionary, which will contain the signature and json-serialised original data, e.g. as;

data = {“service_uid” : “SERVICE_UID”,: “fingerprint” : “KEY_FINGERPRINT”, “signed_data” : “JSON_ENCODED_DATA”, “signature” : “SIG OF JSON_ENCODED_DATA”}

skeleton_key()[source]¶: Return the skeleton key used by this service. This is an unchanging key which is stored internally, should never be shared outside the service, and which is used to encrypt all data. Unlocking the service involves loading and decrypting this skeleton key

to_data(password=None)[source]¶: Serialise this key to a dictionary, using the supplied password to encrypt the private key and certificate

uid()[source]¶: Return the uuid of this service. This MUST NEVER change, as the UID uniquely identifies this service to all other services

update_service_url(service_url)[source]¶: Update the service url to be ‘service_url’

uses_https()[source]¶: Return whether or not the canonical URL of this service is connected to via https

uuid()[source]¶: Synonym for uid

validation_string()[source]¶: Return a string created from this object that can be signed to verify that all information was transmitted correctly

verify(signature, message)[source]¶: Verify that this service signed the message

verify_data(data)[source]¶: Verify the passed data has been signed by this service. The passed data should have the same format as that produced by ‘sign_data’. If the data is verified then this will return a json-deserialised dictionary of the verified data. Note that the ‘service_uid’ should match the UID of this service. The data should also contain the fingerprint of the key used to encrypt the data, enabling the service to perform key rotation and management.

whois(username=None, user_uid=None, session_uid=None)[source]¶

Do a whois lookup to map from username to user_uid or vice versa. If ‘session_uid’ is provided, then also validate that this is a correct login session, and return also the public key and signing certificate for this login session.

This should return a dictionary with the following keys optionally contained;

username = name of the user user_uid = uid of the user public_key = public key for the session with uid ‘session_uid’ public_cert = public certificate for that login session