def validate_stored_key_rsa_container(project_id, container_ref, req):
    """Resolve *container_ref* to an RSA container and enforce read access on it.

    :param project_id: project scope of the request; not referenced by this
        variant, the lookup below is by container id only
    :param container_ref: URL reference to the container
    :param req: current request, used to build the RBAC context
    :raise: :class:`exception.InvalidContainer` when the reference cannot be
        parsed, no container with that id exists, or the container type is
        not ``'rsa'``.  Authorization failures are raised by
        ``controllers._do_enforce_rbac`` with the ``CONTAINER_GET`` action.
    """
    def _invalid(text):
        raise exception.InvalidContainer(reason=text)

    try:
        entity_id = hrefs.get_container_id_from_ref(container_ref)
    except Exception:
        # Any parse failure is reported as a bad reference; the original
        # error stays attached as the exception context.
        _invalid(u._("Bad Container Reference {ref}").format(ref=container_ref))

    # NOTE(review): this lookup is not scoped by project_id; the project
    # boundary rests entirely on the RBAC check below — confirm intended.
    container = repo.get_container_repository().get_container_by_id(
        entity_id=entity_id, suppress_exception=True)
    if not container:
        _invalid(u._("Container Not Found"))
    if container.type != 'rsa':
        _invalid(u._("Container Wrong Type"))

    ctxt = controllers._get_barbican_context(req)
    controller = controllers.containers.ContainerController(container)
    controllers._do_enforce_rbac(
        controller, req, controllers.containers.CONTAINER_GET, ctxt)
def validate_stored_key_rsa_container(project_id, container_ref, req):
    """Check that *container_ref* names an RSA container the caller may read.

    :param project_id: project scope of the request; unused by this variant,
        which looks the container up by id alone
    :param container_ref: URL reference to the container
    :param req: current request, used to build the RBAC context
    :raise: :class:`exception.InvalidContainer` for an unparseable reference,
        a missing container, or a container whose type is not ``'rsa'``.
        Read authorization is then enforced by ``controllers._do_enforce_rbac``
        with the ``CONTAINER_GET`` action.
    """
    try:
        cid = hrefs.get_container_id_from_ref(container_ref)
    except Exception:
        message = u._("Bad Container Reference {ref}").format(ref=container_ref)
        raise exception.InvalidContainer(reason=message)

    # NOTE(review): lookup is by id only (no project scoping); the RBAC
    # call at the end is the sole project boundary here — confirm intended.
    found = repo.get_container_repository().get_container_by_id(
        entity_id=cid, suppress_exception=True)

    problem = None
    if not found:
        problem = u._("Container Not Found")
    elif found.type != 'rsa':
        problem = u._("Container Wrong Type")
    if problem is not None:
        raise exception.InvalidContainer(reason=problem)

    context = controllers._get_barbican_context(req)
    controllers._do_enforce_rbac(
        controllers.containers.ContainerController(found), req,
        controllers.containers.CONTAINER_GET, context)
def _get_container_from_order_meta(order_model, project_model):
    """Return ``(container_id, container)`` for the order's ``container_ref``.

    The id is the trailing path segment of the reference, and the repository
    lookup is scoped to ``project_model.external_id``.  With
    ``suppress_exception=True`` the lookup is presumably expected to yield
    ``None`` rather than raise when nothing matches — verify against the
    repository.  A ``container_ref`` missing from ``order_model.meta`` is
    handed to the href helper as ``None``.
    """
    ref = order_model.meta.get("container_ref")
    # the id is the last segment of the container URL
    cid = hrefs.get_container_id_from_ref(ref)
    lookup = repos.get_container_repository().get
    return cid, lookup(cid, project_model.external_id, suppress_exception=True)
def _get_container_from_order_meta(order_model, project_model):
    """Look up the container referenced in the order metadata.

    :param order_model: order whose ``meta['container_ref']`` is resolved
    :param project_model: project whose ``external_id`` scopes the lookup
    :return: ``(container_id, container)``; ``container`` is whatever the
        repository returns under ``suppress_exception=True`` when no match
        exists (presumably ``None`` — confirm against the repository)
    """
    # the id is the last segment of the container URL
    cid = hrefs.get_container_id_from_ref(
        order_model.meta.get('container_ref'))
    found = repos.get_container_repository().get(
        cid,
        project_model.external_id,
        suppress_exception=True,
    )
    return cid, found
def validate_stored_key_rsa_container(project_id, container_ref):
    """Ensure *container_ref* points to an existing RSA container of *project_id*.

    The repository lookup is scoped with ``external_project_id=project_id``,
    so a container belonging to another project is treated the same as a
    missing one.

    :param project_id: external id of the project the container must belong to
    :param container_ref: URL reference to the container
    :raise: :class:`exception.InvalidContainer` when the reference cannot be
        parsed, no matching container exists, or its type is not ``'rsa'``
    """
    try:
        container_id = hrefs.get_container_id_from_ref(container_ref)
    except Exception:
        raise exception.InvalidContainer(
            reason=u._("Bad Container Reference {ref}").format(ref=container_ref))

    container = repo.get_container_repository().get(
        container_id, external_project_id=project_id, suppress_exception=True)

    if not container:
        reason = u._("Container Not Found")
    elif container.type != 'rsa':
        reason = u._("Container Wrong Type")
    else:
        return
    raise exception.InvalidContainer(reason=reason)
def _generate_csr(order_model, project_model):
    """Generate a CSR from the public key.

    The container named by ``order_model.meta['container_ref']`` is looked up
    scoped to ``project_model.external_id``.  Its ``private_key`` secret
    (``application/pkcs8``) and optional ``private_key_passphrase`` are fetched
    through ``plugin.get_secret``; the subject is parsed from
    ``meta['subject_dn']`` and the request is signed with the private key
    using SHA-256.

    :param: order_model - order for the request
    :param: project_model - project for this request
    :return: CSR (certificate signing request) in PEM format
    :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
            :class:`StoredKeyContainerNotFound` if container not found

    NOTE(review): ``meta['extensions']`` is read but never applied (see the
    TODO below), so requested extensions are silently absent from the CSR.
    """
    container_ref = order_model.meta.get('container_ref')
    # the id is the trailing segment of the container URL
    container_id = hrefs.get_container_id_from_ref(container_ref)
    container = repos.get_container_repository().get(
        container_id, project_model.external_id, suppress_exception=True)
    if not container:
        raise excep.StoredKeyContainerNotFound(container_id)

    private_key, passphrase = None, None
    for entry in container.container_secrets:
        secret_repo = repos.get_secret_repository()
        if entry.name == 'private_key':
            key_model = secret_repo.get(entry.secret_id, project_model.external_id)
            private_key = plugin.get_secret(
                'application/pkcs8', key_model, project_model)
        elif entry.name == 'private_key_passphrase':
            pass_model = secret_repo.get(entry.secret_id, project_model.external_id)
            raw_passphrase = plugin.get_secret(
                'text/plain;charset=utf-8', pass_model, project_model)
            # NOTE(review): str() of a bytes value gives "b'...'" on Python 3;
            # confirm plugin.get_secret returns text for this content type.
            passphrase = str(raw_passphrase)
    if not private_key:
        raise excep.StoredKeyPrivateKeyNotFound(container_id)

    # The passphrase is passed positionally only when one was stored.
    load_args = [crypto.FILETYPE_PEM, private_key]
    if passphrase is not None:
        load_args.append(passphrase)
    pkey = crypto.load_privatekey(*load_args)

    subject_rdns = ldap.dn.str2dn(order_model.meta.get('subject_dn'))
    extensions = order_model.meta.get('extensions', None)

    req = crypto.X509Req()
    subj = req.get_subject()
    # Note: must iterate over the DNs in reverse order, or the resulting
    # subject name will be reversed.
    for rdn in reversed(subject_rdns):
        for attr_type, attr_value, _flags in rdn:
            setattr(subj, attr_type.upper(), attr_value)
    req.set_pubkey(pkey)
    if extensions:
        # TODO(alee-3) We need code here to parse the encoded extensions and
        # convert them into X509Extension objects.  This code will also be
        # used in the validation code.  Commenting out for now till we figure
        # out how to do this.
        # req.add_extensions(extensions)
        pass
    req.sign(pkey, 'sha256')
    return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
 def test_get_container_id_passes(self):
     """The container id is the final path segment of a v1 container URL."""
     href = 'https://localhost/v1/containers/good_container_ref'
     self.assertEqual('good_container_ref',
                      hrefs.get_container_id_from_ref(href))
 def test_get_container_id_passes(self):
     """A well-formed v1 container href resolves to its trailing id segment."""
     expected = 'good_container_ref'
     href = 'https://localhost/v1/containers/' + expected
     self.assertEqual(expected, hrefs.get_container_id_from_ref(href))
def _generate_csr(order_model, project_model):
    """Generate a CSR from the public key.

    Resolves ``order_model.meta['container_ref']`` to a container scoped to
    ``project_model.external_id``, pulls the ``private_key`` secret
    (``application/pkcs8``) and, if present, ``private_key_passphrase`` via
    ``plugin.get_secret``, builds the subject from ``meta['subject_dn']`` and
    signs the request with SHA-256.

    :param: order_model - order for the request
    :param: project_model - project for this request
    :return: CSR (certificate signing request) in PEM format
    :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
            :class:`StoredKeyContainerNotFound` if container not found

    NOTE(review): ``meta['extensions']`` is read but not applied (see the TODO
    below); requested extensions therefore never reach the CSR.
    """
    # the id is the trailing segment of the container URL
    container_id = hrefs.get_container_id_from_ref(
        order_model.meta.get('container_ref'))
    container = repos.get_container_repository().get(
        container_id,
        project_model.external_id,
        suppress_exception=True,
    )
    if not container:
        raise excep.StoredKeyContainerNotFound(container_id)

    private_key = None
    passphrase = None
    for entry in container.container_secrets:
        secret_repo = repos.get_secret_repository()
        if entry.name == 'private_key':
            model = secret_repo.get(entry.secret_id, project_model.external_id)
            private_key = plugin.get_secret('application/pkcs8', model, project_model)
        elif entry.name == 'private_key_passphrase':
            model = secret_repo.get(entry.secret_id, project_model.external_id)
            # NOTE(review): str() of a bytes value yields "b'...'" on Python 3;
            # confirm plugin.get_secret returns text for this content type.
            passphrase = str(plugin.get_secret(
                'text/plain;charset=utf-8', model, project_model))
    if not private_key:
        raise excep.StoredKeyPrivateKeyNotFound(container_id)

    if passphrase is None:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
    else:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase)

    subject_rdns = ldap.dn.str2dn(order_model.meta.get('subject_dn'))
    extensions = order_model.meta.get('extensions', None)

    req = crypto.X509Req()
    subject = req.get_subject()
    # Note: must iterate over the DNs in reverse order, or the resulting
    # subject name will be reversed.
    for rdn in reversed(subject_rdns):
        for attr_type, attr_value, _flags in rdn:
            setattr(subject, attr_type.upper(), attr_value)
    req.set_pubkey(pkey)
    if extensions:
        # TODO(alee-3) We need code here to parse the encoded extensions and
        # convert them into X509Extension objects.  This code will also be
        # used in the validation code.  Commenting out for now till we figure
        # out how to do this.
        # req.add_extensions(extensions)
        pass
    req.sign(pkey, 'sha256')
    return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)