swh.alter.recovery_bundle module

class swh.alter.recovery_bundle.Manifest(version: int, removal_identifier: str, created: datetime, swhids: List[str], decryption_key_shares: Dict[str, str], reason: str | None = None, expire: datetime | None = None)

Bases: object

Method generated by attrs for class Manifest.

version: int

removal_identifier: str

created: datetime

swhids: List[str]

decryption_key_shares: Dict[str, str]

reason: str | None

expire: datetime | None

dump(stream: TextIO | None = None) → str | None

classmethod load(str_or_stream: str | TextIO) → Manifest

exception swh.alter.recovery_bundle.WrongDecryptionKey

Bases: Exception

swh.alter.recovery_bundle.age_encrypt(public_key: str, cleartext: bytes, armored_output=False) → bytes

swh.alter.recovery_bundle.age_encrypt_armored(public_key: str, cleartext: bytes) → str

swh.alter.recovery_bundle.age_decrypt(secret_key: str, ciphertext: bytes | str) → bytes

swh.alter.recovery_bundle.age_decrypt_from_identity(identity_file: str, ciphertext: bytes | str) → bytes

swh.alter.recovery_bundle.generate_age_keypair() → Tuple[str, str]

swh.alter.recovery_bundle.list_yubikey_identities() → List[Tuple[str, str]]

class swh.alter.recovery_bundle.SecretSharing(minimum_required_groups: int, groups: Dict[str, _SecretSharingGroup])

Bases: object

Method generated by attrs for class SecretSharing.

minimum_required_groups: int

groups: Dict[str, _SecretSharingGroup]

classmethod from_dict(d: dict) → Self

property share_ids: Set[str]

generate_encrypted_shares(identifier: str, secret_key: str) → Dict[str, str]

exception swh.alter.recovery_bundle.SecretRecoveryError

Bases: Exception

swh.alter.recovery_bundle.recover_object_decryption_key_from_encrypted_shares(encrypted_shares: Dict[str, str], share_decryption_keys_provider: Callable[[], Iterator[Tuple[str, str]]], decrypted_mnemonic_processor: Callable[[str, str | None], None] | None = None, known_mnemonics: List[str] | None = None) → str

class swh.alter.recovery_bundle.RecoveryBundle(path: str, object_decryption_key_provider: Callable[[Manifest], str] | None = None)

Bases: object

property removal_identifier: str

property created: datetime

property swhids: List[str]

property reason: str | None

property expire: datetime | None

property share_ids: Set[str]

property object_decryption_key: str

encrypted_secret(share_id: str) → str

dump_manifest() → str

get_dict(swhid: ExtendedSWHID) → Dict[str, Any]

write_content_data(swhid: ExtendedSWHID, dest: BinaryIO)

contents() → Iterator[Content]

skipped_contents() → Iterator[SkippedContent]

directories() → Iterator[Directory]

revisions() → Iterator[Revision]

releases() → Iterator[Release]

snapshots() → Iterator[Snapshot]

origins() → Iterator[Origin]

origin_visits(origin: Origin) → Iterator[OriginVisit]

origin_visit_statuses(origin: Origin) → Iterator[OriginVisitStatus]

restore(storage: StorageInterface) → Dict[str, int]

rollover(secret_sharing: SecretSharing)

Update the recovery bundle encrypted shared secrets using the given configuration.

It is useful when a secret holder needs to be added or removed, or to switch to an entirely new scheme.

This method splits the decryption key into new encrypted shares. The decryption key stays the same. The mnemonics will be new.

A new recovery bundle file is created with an updated manifest which then atomically replaces the existing file.

class swh.alter.recovery_bundle.HasUniqueKey(*args, **kwargs)

Bases: Protocol

property object_type: str

abstract unique_key() → Dict[str, str] | Dict[str, bytes] | bytes

class swh.alter.recovery_bundle.HasSwhid(*args, **kwargs)

Bases: HasUniqueKey

abstract swhid() → CoreSWHID | None | ExtendedSWHID

class swh.alter.recovery_bundle.RecoveryBundleCreator(path: str, storage: StorageInterface, removal_identifier: str, object_public_key: str, decryption_key_shares: Dict[str, str], registration_callback: Callable[[HasSwhid | HasUniqueKey], None] | None = None)

Bases: object

set_reason(reason: str)

set_expire(expire: datetime)

backup_swhids(swhids: Iterable[ExtendedSWHID])