def __init__(self): self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.secret_repo = repo.get_secret_repository() self.validator = validators.ContainerValidator() self.quota_enforcer = quota.QuotaEnforcer('containers', self.container_repo)
def validate_stored_key_rsa_container(project_id, container_ref, req): try: container_id = hrefs.get_container_id_from_ref(container_ref) except Exception: reason = u._("Bad Container Reference {ref}").format( ref=container_ref ) raise exception.InvalidContainer(reason=reason) container_repo = repo.get_container_repository() container = container_repo.get_container_by_id(entity_id=container_id, suppress_exception=True) if not container: reason = u._("Container Not Found") raise exception.InvalidContainer(reason=reason) if container.type != 'rsa': reason = u._("Container Wrong Type") raise exception.InvalidContainer(reason=reason) ctxt = controllers._get_barbican_context(req) inst = controllers.containers.ContainerController(container) controllers._do_enforce_rbac(inst, req, controllers.containers.CONTAINER_GET, ctxt)
def __init__(self): self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.secret_repo = repo.get_secret_repository() self.validator = validators.ContainerValidator() self.quota_enforcer = quota.QuotaEnforcer('containers', self.container_repo)
def __init__(self, container): self.container = container self.container_id = container.id self.acl_repo = repo.get_container_acl_repository() self.container_repo = repo.get_container_repository() self.validator = validators.ACLValidator() self.container_project_id = container.project.external_id
def __init__(self, container): self.container = container self.container_id = container.id self.acl_repo = repo.get_container_acl_repository() self.container_repo = repo.get_container_repository() self.validator = validators.ACLValidator() self.container_project_id = container.project.external_id
def _save_container(spec, project_model, private_secret_model, public_secret_model, passphrase_secret_model): container_model = models.Container() container_model.name = spec.get('name') container_model.type = spec.get('algorithm', '').lower() container_model.status = models.States.ACTIVE container_model.project_id = project_model.id container_model.creator_id = spec.get('creator_id') container_repo = repos.get_container_repository() container_repo.create_from(container_model) # create container_secret for private_key _create_container_secret_association('private_key', private_secret_model, container_model) # create container_secret for public_key _create_container_secret_association('public_key', public_secret_model, container_model) if spec.get('passphrase'): # create container_secret for passphrase _create_container_secret_association('private_key_passphrase', passphrase_secret_model, container_model) return container_model
def __init__(self, container_id): self.container_id = container_id self.container = None self.acl_repo = repo.get_container_acl_repository() self.container_repo = repo.get_container_repository() self.validator = validators.ACLValidator() self.container_project_id = None
def validate_stored_key_rsa_container(project_id, container_ref, req): try: container_id = hrefs.get_container_id_from_ref(container_ref) except Exception: reason = u._("Bad Container Reference {ref}").format( ref=container_ref ) raise exception.InvalidContainer(reason=reason) container_repo = repo.get_container_repository() container = container_repo.get_container_by_id(entity_id=container_id, suppress_exception=True) if not container: reason = u._("Container Not Found") raise exception.InvalidContainer(reason=reason) if container.type != 'rsa': reason = u._("Container Wrong Type") raise exception.InvalidContainer(reason=reason) ctxt = controllers._get_barbican_context(req) inst = controllers.containers.ContainerController(container) controllers._do_enforce_rbac(inst, req, controllers.containers.CONTAINER_GET, ctxt)
def __init__(self, container_id): self.container_id = container_id self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.project_repo = repo.get_project_repository() self.validator = validators.ContainerConsumerValidator() self.quota_enforcer = quota.QuotaEnforcer('consumers', self.consumer_repo)
def __init__(self, container_id): self.container_id = container_id self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.project_repo = repo.get_project_repository() self.validator = validators.ContainerConsumerValidator() self.quota_enforcer = quota.QuotaEnforcer('consumers', self.consumer_repo)
def __init__(self, container): self.container = container self.container_id = container.id self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.validator = validators.ContainerValidator() self.consumers = consumers.ContainerConsumersController( self.container_id) self.acls = acls.ContainerACLsController(self.container_id)
def __init__(self, container): self.container = container self.container_id = container.id self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.validator = validators.ContainerValidator() self.consumers = consumers.ContainerConsumersController( self.container_id) self.acl = acls.ContainerACLsController(self.container)
def _get_container_from_order_meta(order_model, project_model): container_ref = order_model.meta.get("container_ref") # extract container_id as the last part of the URL container_id = hrefs.get_container_id_from_ref(container_ref) container_repo = repos.get_container_repository() container = container_repo.get(container_id, project_model.external_id, suppress_exception=True) return container_id, container
def _get_container_from_order_meta(order_model, project_model): container_ref = order_model.meta.get('container_ref') # extract container_id as the last part of the URL container_id = hrefs.get_container_id_from_ref(container_ref) container_repo = repos.get_container_repository() container = container_repo.get(container_id, project_model.external_id, suppress_exception=True) return container_id, container
def _save_secrets(result, project_model, request_type, order_model): cert_secret_model, transport_key_model = plugin.store_secret( unencrypted_raw=result.certificate, content_type_raw='application/pkix-cert', content_encoding='base64', secret_model=models.Secret(), project_model=project_model) # save the certificate chain as a secret. if result.intermediates: intermediates_secret_model, transport_key_model = plugin.store_secret( unencrypted_raw=result.intermediates, content_type_raw='application/pkix-cert', content_encoding='base64', secret_model=models.Secret(), project_model=project_model ) else: intermediates_secret_model = None container_model = models.Container() container_model.type = "certificate" container_model.status = models.States.ACTIVE container_model.project_id = project_model.id container_repo = repos.get_container_repository() container_repo.create_from(container_model) # create container_secret for certificate new_consec_assoc = models.ContainerSecret() new_consec_assoc.name = 'certificate' new_consec_assoc.container_id = container_model.id new_consec_assoc.secret_id = cert_secret_model.id container_secret_repo = repos.get_container_secret_repository() container_secret_repo.create_from(new_consec_assoc) if intermediates_secret_model: # create container_secret for intermediate certs new_consec_assoc = models.ContainerSecret() new_consec_assoc.name = 'intermediates' new_consec_assoc.container_id = container_model.id new_consec_assoc.secret_id = intermediates_secret_model.id container_secret_repo.create_from(new_consec_assoc) if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST: _add_private_key_to_generated_cert_container(container_model.id, order_model, project_model) return container_model
def _create_base_container(self): # Setup the container and needed base relationship container_repo = repositories.get_container_repository() session = container_repo.get_session() project = models.Project() project.external_id = "keystone_project_id" project.save(session=session) container = models.Container() container.project_id = project.id container.save(session=session) session.commit() return container
def _create_base_container(self, project_id=None): # Setup the container and needed base relationship container_repo = repositories.get_container_repository() session = container_repo.get_session() if project_id is None: project = models.Project() project.external_id = "keystone_project_id" project.save(session=session) project_id = project.id container = models.Container() container.project_id = project_id container.save(session=session) session.commit() return container
def _save_asymmetric_secret_in_repo(container_model, private_secret_model, public_secret_model, passphrase_secret_model): container_repo = repos.get_container_repository() container_repo.create_from(container_model) # create container_secret for private_key _create_container_secret_association('private_key', private_secret_model, container_model) # create container_secret for public_key _create_container_secret_association('public_key', public_secret_model, container_model) if passphrase_secret_model: # create container_secret for passphrase _create_container_secret_association('private_key_passphrase', passphrase_secret_model, container_model)
def validate_stored_key_rsa_container(project_id, container_ref): try: container_id = hrefs.get_container_id_from_ref(container_ref) except Exception: reason = u._("Bad Container Reference {ref}").format( ref=container_ref ) raise exception.InvalidContainer(reason=reason) container_repo = repo.get_container_repository() container = container_repo.get(container_id, external_project_id=project_id, suppress_exception=True) if not container: reason = u._("Container Not Found") raise exception.InvalidContainer(reason=reason) if container.type != 'rsa': reason = u._("Container Wrong Type") raise exception.InvalidContainer(reason=reason)
def _save_asymmetric_secret_in_repo(container_model, private_secret_model, public_secret_model, passphrase_secret_model): container_repo = repos.get_container_repository() container_repo.create_from(container_model) # create container_secret for private_key _create_container_secret_association('private_key', private_secret_model, container_model) # create container_secret for public_key _create_container_secret_association('public_key', public_secret_model, container_model) if passphrase_secret_model: # create container_secret for passphrase _create_container_secret_association('private_key_passphrase', passphrase_secret_model, container_model)
import uuid import mock from barbican.common import resources from barbican.model import models from barbican.model import repositories from barbican.tests.api.controllers import test_acls from barbican.tests.api import test_resources_policy as test_policy from barbican.tests import utils order_repo = repositories.get_order_repository() project_repo = repositories.get_project_repository() ca_repo = repositories.get_ca_repository() project_ca_repo = repositories.get_project_ca_repository() container_repo = repositories.get_container_repository() generic_key_meta = { 'name': 'secretname', 'algorithm': 'AES', 'bit_length': 256, 'mode': 'cbc', 'payload_content_type': 'application/octet-stream' } class WhenCreatingOrdersUsingOrdersResource(utils.BarbicanAPIBaseTestCase): def test_can_create_a_new_order(self): resp, order_uuid = create_order(self.app, order_type='key', meta=generic_key_meta)
def __init__(self): self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.secret_repo = repo.get_secret_repository() self.validator = validators.ContainerValidator()
def __init__(self, container_id): self.container_id = container_id self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.validator = validators.ContainerConsumerValidator()
class Container(base.BarbicanObject, base.BarbicanPersistentObject, object_base.VersionedObjectDictCompat): fields = { 'name': fields.StringField(nullable=True, default=None), 'type': fields.EnumField(nullable=True, valid_values=TYPE_VALUE), 'project_id': fields.StringField(nullable=True, default=None), 'creator_id': fields.StringField(nullable=True, default=None), 'consumers': fields.ListOfObjectsField('ContainerConsumerMetadatum', default=list()), 'container_secrets': fields.ListOfObjectsField('ContainerSecret', default=list()), 'container_acls': fields.ListOfObjectsField('ContainerACL', default=list()), 'project': fields.ObjectField('Project', nullable=True, default=None) } db_model = models.Container db_repo = repos.get_container_repository() synthetic_fields = [ 'consumers', 'container_secrets', 'container_acls', 'project' ] def __init__(self, context=None, parsed_request=None, **kwargs): super(Container, self).__init__(context=context, **kwargs) if parsed_request: self.name = parsed_request.get('name') self.type = parsed_request.get('type') self.status = base.States.ACTIVE self.creator_id = parsed_request.get('creator_id') secret_refs = parsed_request.get('secret_refs') if secret_refs: for secret_ref in parsed_request.get('secret_refs'): container_secret = con_se.ContainerSecret() container_secret.name = secret_ref.get('name') secret_id = secret_ref.get('secret_ref') if secret_id.endswith('/'): secret_id = secret_id.rsplit('/', 2)[1] elif '/' in secret_id: secret_id = secret_id.rsplit('/', 1)[1] else: secret_id = secret_id container_secret.secret_id = secret_id self.container_secrets.append(container_secret) def _get_db_entity(self, data=None): return self.db_model(parsed_request=data, check_exc=False) def _attach_container_secret(self, container_secrets, container_id, session): if container_secrets: for container_secret in container_secrets: container_secret.container_id = container_id if container_secret.id is None: self.container_secrets.append( container_secret.create(session=session)) else: self.container_secrets.append( container_secret.save(session=session)) def _attach_consumers(self, consumers, container_id, session): if consumers: for consumer in consumers: consumer.container_id = container_id if consumer.id is None: self.consumers.append(consumer.create(session=session)) else: self.consumers.append(consumer.save(session=session)) def create(self, session=None): fields = self.obj_get_changes() super(Container, self).create(session=session) if 'container_secrets' in fields: self._attach_container_secret(fields['container_secrets'], container_id=self.id, session=session) if 'consumers' in fields: self._attach_consumers(fields['consumers'], container_id=self.id, session=session) def save(self, session=None): fields = self.obj_get_changes() super(Container, self).save(session=session) if 'consumers' in fields: self._attach_consumers(fields['consumers'], container_id=self.id, session=session) @classmethod def get_by_create_date(cls, external_project_id, offset_arg=None, limit_arg=None, name_arg=None, suppress_exception=False, session=None): entities_db, offset, limit, total = cls.db_repo.get_by_create_date( external_project_id, offset_arg, limit_arg, name_arg, suppress_exception, session) entities_obj = [ cls()._from_db_object(entity_db) for entity_db in entities_db ] return entities_obj, offset, limit, total @classmethod def get_container_by_id(cls, entity_id, suppress_exception=False, session=None): entity_db = cls.db_repo.get_container_by_id(entity_id, suppress_exception, session) return cls()._from_db_object(entity_db)
def __init__(self, container_id): self.container_id = container_id self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.validator = validators.ContainerConsumerValidator()
def _generate_csr(order_model, project_model): """Generate a CSR from the public key. :param: order_model - order for the request :param: project_model - project for this request :return: CSR (certificate signing request) in PEM format :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found :class:`StoredKeyContainerNotFound` if container not found """ container_ref = order_model.meta.get('container_ref') # extract container_id as the last part of the URL container_id = hrefs.get_container_id_from_ref(container_ref) container_repo = repos.get_container_repository() container = container_repo.get(container_id, project_model.external_id, suppress_exception=True) if not container: raise excep.StoredKeyContainerNotFound(container_id) passphrase = None private_key = None for cs in container.container_secrets: secret_repo = repos.get_secret_repository() if cs.name == 'private_key': private_key_model = secret_repo.get(cs.secret_id, project_model.external_id) private_key = plugin.get_secret('application/pkcs8', private_key_model, project_model) elif cs.name == 'private_key_passphrase': passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id) passphrase = plugin.get_secret('text/plain;charset=utf-8', passphrase_model, project_model) passphrase = str(passphrase) if not private_key: raise excep.StoredKeyPrivateKeyNotFound(container_id) if passphrase is None: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key) else: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase) subject_name = order_model.meta.get('subject_dn') subject_name_dns = ldap.dn.str2dn(subject_name) extensions = order_model.meta.get('extensions', None) req = crypto.X509Req() subj = req.get_subject() # Note: must iterate over the DNs in reverse order, or the resulting # subject name will be reversed. for ava in reversed(subject_name_dns): for key, val, extra in ava: setattr(subj, key.upper(), val) req.set_pubkey(pkey) if extensions: # TODO(alee-3) We need code here to parse the encoded extensions and # convert them into X509Extension objects. This code will also be # used in the validation code. Commenting out for now till we figure # out how to do this. # req.add_extensions(extensions) pass req.sign(pkey, 'sha256') csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) return csr
def _generate_csr(order_model, project_model): """Generate a CSR from the public key. :param: order_model - order for the request :param: project_model - project for this request :return: CSR (certificate signing request) in PEM format :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found :class:`StoredKeyContainerNotFound` if container not found """ container_ref = order_model.meta.get('container_ref') # extract container_id as the last part of the URL container_id = hrefs.get_container_id_from_ref(container_ref) container_repo = repos.get_container_repository() container = container_repo.get(container_id, project_model.external_id, suppress_exception=True) if not container: raise excep.StoredKeyContainerNotFound(container_id) passphrase = None private_key = None for cs in container.container_secrets: secret_repo = repos.get_secret_repository() if cs.name == 'private_key': private_key_model = secret_repo.get( cs.secret_id, project_model.external_id) private_key = plugin.get_secret( 'application/pkcs8', private_key_model, project_model) elif cs.name == 'private_key_passphrase': passphrase_model = secret_repo.get( cs.secret_id, project_model.external_id) passphrase = plugin.get_secret( 'text/plain;charset=utf-8', passphrase_model, project_model) passphrase = str(passphrase) if not private_key: raise excep.StoredKeyPrivateKeyNotFound(container_id) if passphrase is None: pkey = crypto.load_privatekey( crypto.FILETYPE_PEM, private_key ) else: pkey = crypto.load_privatekey( crypto.FILETYPE_PEM, private_key, passphrase ) subject_name = order_model.meta.get('subject_dn') subject_name_dns = ldap.dn.str2dn(subject_name) extensions = order_model.meta.get('extensions', None) req = crypto.X509Req() subj = req.get_subject() # Note: must iterate over the DNs in reverse order, or the resulting # subject name will be reversed. for ava in reversed(subject_name_dns): for key, val, extra in ava: setattr(subj, key.upper(), val) req.set_pubkey(pkey) if extensions: # TODO(alee-3) We need code here to parse the encoded extensions and # convert them into X509Extension objects. This code will also be # used in the validation code. Commenting out for now till we figure # out how to do this. # req.add_extensions(extensions) pass req.sign(pkey, 'sha256') csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) return csr
def __init__(self): self.consumer_repo = repo.get_container_consumer_repository() self.container_repo = repo.get_container_repository() self.secret_repo = repo.get_secret_repository() self.validator = validators.ContainerValidator()
# # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. import os import uuid from barbican.common import exception from barbican.model import repositories from barbican.tests.api.controllers import test_secrets as secret_helper from barbican.tests import utils containers_repo = repositories.get_container_repository() class SuccessfulContainerCreateMixin(object): def _assert_successful_container_create(self, resp, container_uuid): self.assertEqual(201, resp.status_int) # this will raise if the container uuid is not proper uuid.UUID(container_uuid) class WhenCreatingContainersUsingContainersResource( utils.BarbicanAPIBaseTestCase, SuccessfulContainerCreateMixin): def test_should_add_new_empty_container(self): container_name = 'test container name'
def create_container(project=None, session=None): container = models.Container() container.project_id = project.id container_repo = repositories.get_container_repository() container_repo.create_from(container, session=session) return container
def create_container(project=None, session=None): container = models.Container() container.project_id = project.id container_repo = repositories.get_container_repository() container_repo.create_from(container, session=session) return container