def _get_cert_plugin(barbican_meta, barbican_meta_for_plugins_dto,
order_model, project_model):
cert_plugin_name = barbican_meta.get('plugin_name')
if cert_plugin_name:
return cert.CertificatePluginManager().get_plugin_by_name(
cert_plugin_name)
ca_id = _get_ca_id(order_model.meta, project_model.id)
if ca_id:
barbican_meta_for_plugins_dto.plugin_ca_id = ca_id
return cert.CertificatePluginManager().get_plugin_by_ca_id(ca_id)
else:
return cert.CertificatePluginManager().get_plugin(order_model.meta)
def check_certificate_request(order_model, project_model, result_follow_on):
"""Check the status of a certificate request with the CA.
Note that this method may be called more than once if retries are
required. Barbican metadata is used to store intermediate information,
including selected plugins by name, to support such retries.
:param: order_model - order associated with this cert request
:param: project_model - project associated with this request
:param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
instantiated by the client that this function may optionally update
with information on how to process this task into the future.
:returns: container_model - container with the relevant cert if the
request has been completed. None otherwise.
"""
plugin_meta = _get_plugin_meta(order_model)
barbican_meta = _get_barbican_meta(order_model)
# TODO(john-wood-w) See note above about DTO's name.
barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO()
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
barbican_meta.get('plugin_name'))
result = cert_plugin.check_certificate_status(
order_model.id, order_model.meta,
plugin_meta, barbican_meta_for_plugins_dto)
# Save plugin order plugin state
_save_plugin_metadata(order_model, plugin_meta)
request_type = order_model.meta.get(cert.REQUEST_TYPE)
return _handle_task_result(
result, result_follow_on, order_model, project_model, request_type,
unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_CHECK)
def issue_certificate_request(order_model, project_model, result_follow_on):
"""Create the initial order with CA.
Note that this method may be called more than once if retries are
required. Barbican metadata is used to store intermediate information,
including selected plugins by name, to support such retries.
:param: order_model - order associated with this cert request
:param: project_model - project associated with this request
:param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
instantiated by the client that this function may optionally update
with information on how to process this task into the future.
:returns: container_model - container with the relevant cert if
the request has been completed. None otherwise
"""
plugin_meta = _get_plugin_meta(order_model)
barbican_meta = _get_barbican_meta(order_model)
# TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order
# and not shown to plugins) with barbican_meta_dto (shared with plugins).
# As a minimum we should change the name of the DTO to something like
# 'extended_meta_dto' or some such.
barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO()
# refresh the CA table. This is mostly a no-op unless the entries
# for a plugin are expired.
cert.CertificatePluginManager().refresh_ca_table()
cert_plugin = _get_cert_plugin(barbican_meta,
barbican_meta_for_plugins_dto, order_model,
project_model)
barbican_meta['plugin_name'] = utils.generate_fullname_for(cert_plugin)
# Generate CSR if needed.
request_type = order_model.meta.get(cert.REQUEST_TYPE)
if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
csr = barbican_meta.get('generated_csr')
if csr is None:
# TODO(alee) Fix this to be a non-project specific call once
# the ACL patches go in.
csr = _generate_csr_from_private_key(order_model, project_model)
barbican_meta['generated_csr'] = csr
barbican_meta_for_plugins_dto.generated_csr = csr
result = cert_plugin.issue_certificate_request(
order_model.id, order_model.meta, plugin_meta,
barbican_meta_for_plugins_dto)
# Save plugin and barbican metadata for this order.
_save_plugin_metadata(order_model, plugin_meta)
_save_barbican_metadata(order_model, barbican_meta)
# Handle result
return _handle_task_result(
result,
result_follow_on,
order_model,
project_model,
request_type,
unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE)
def check_certificate_request(order_model, project_model, result_follow_on):
"""Check the status of a certificate request with the CA.
Note that this method may be called more than once if retries are
required. Barbican metadata is used to store intermediate information,
including selected plugins by name, to support such retries.
:param: order_model - order associated with this cert request
:param: project_model - project associated with this request
:param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
instantiated by the client that this function may optionally update
with information on how to process this task into the future.
:returns: container_model - container with the relevant cert if the
request has been completed. None otherwise.
"""
container_model = None
plugin_meta = _get_plugin_meta(order_model)
barbican_meta = _get_barbican_meta(order_model)
# TODO(john-wood-w) See note above about DTO's name.
barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO()
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
barbican_meta.get('plugin_name'))
result = cert_plugin.check_certificate_status(
order_model.id, order_model.meta, plugin_meta,
barbican_meta_for_plugins_dto)
# Save plugin order plugin state
_save_plugin_metadata(order_model, plugin_meta)
# Handle result
if cert.CertificateStatus.WAITING_FOR_CA == result.status:
_update_result_follow_on(
result_follow_on,
order_status=ORDER_STATUS_REQUEST_PENDING,
retry_task=common.RetryTasks.INVOKE_CERT_STATUS_CHECK_TASK,
retry_msec=result.retry_msec)
elif cert.CertificateStatus.CERTIFICATE_GENERATED == result.status:
_update_result_follow_on(result_follow_on,
order_status=ORDER_STATUS_CERT_GENERATED)
container_model = _save_secrets(result, project_model)
elif cert.CertificateStatus.CLIENT_DATA_ISSUE_SEEN == result.status:
raise cert.CertificateStatusClientDataIssue(result.status_message)
elif cert.CertificateStatus.CA_UNAVAILABLE_FOR_REQUEST == result.status:
_update_result_follow_on(
result_follow_on,
order_status=ORDER_STATUS_CA_UNAVAIL_FOR_CHECK,
retry_task=common.RetryTasks.INVOKE_SAME_TASK,
retry_msec=cert.ERROR_RETRY_MSEC)
_notify_ca_unavailable(order_model, result)
elif cert.CertificateStatus.INVALID_OPERATION == result.status:
raise cert.CertificateStatusInvalidOperation(result.status_message)
else:
raise cert.CertificateStatusNotSupported(result.status)
return container_model
def issue_certificate_request(order_model, project_model, repos):
"""Create the initial order with CA.
:param: order_model - order associated with this cert request
:param: project_model - project associated with this request
:param: repos - repos (to be removed)
:returns: container_model - container with the relevant cert if
the request has been completed. None otherwise
"""
container_model = None
plugin_meta = _get_plugin_meta(order_model, repos)
# Locate a suitable plugin to issue a certificate.
cert_plugin = cert.CertificatePluginManager().get_plugin(order_model.meta)
request_type = order_model.meta.get(cert.REQUEST_TYPE)
if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
_generate_csr(order_model, repos)
result = cert_plugin.issue_certificate_request(order_model.id,
order_model.meta,
plugin_meta)
# Save plugin order plugin state
_save_plugin_metadata(order_model, plugin_meta, repos)
# Handle result
if cert.CertificateStatus.WAITING_FOR_CA == result.status:
# TODO(alee-3): Add code to set sub status of "waiting for CA"
_update_order_status(ORDER_STATUS_REQUEST_PENDING)
_schedule_check_cert_request(cert_plugin, order_model, plugin_meta,
repos, result, project_model,
cert.RETRY_MSEC)
elif cert.CertificateStatus.CERTIFICATE_GENERATED == result.status:
_update_order_status(ORDER_STATUS_CERT_GENERATED)
container_model = _save_secrets(result, project_model, repos)
elif cert.CertificateStatus.CLIENT_DATA_ISSUE_SEEN == result.status:
_update_order_status(ORDER_STATUS_DATA_INVALID)
raise cert.CertificateStatusClientDataIssue(result.status_message)
elif cert.CertificateStatus.CA_UNAVAILABLE_FOR_REQUEST == result.status:
# TODO(alee-3): set retry counter and error out if retries are exceeded
_update_order_status(ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE)
_schedule_issue_cert_request(cert_plugin, order_model, plugin_meta,
repos, result, project_model,
cert.ERROR_RETRY_MSEC)
_notify_ca_unavailable(order_model, result)
elif cert.CertificateStatus.INVALID_OPERATION == result.status:
_update_order_status(ORDER_STATUS_INVALID_OPERATION)
raise cert.CertificateStatusInvalidOperation(result.status_message)
else:
_update_order_status(ORDER_STATUS_INTERNAL_ERROR)
raise cert.CertificateStatusNotSupported(result.status)
return container_model
def setUp(self):
super(WhenTestingCertificatePluginManager, self).setUp()
self.cert_spec = {}
self.plugin_returned = mock.MagicMock()
self.plugin_name = common_utils.generate_fullname_for(
self.plugin_returned)
types_list = [
cm.CertificateRequestType.SIMPLE_CMC_REQUEST,
cm.CertificateRequestType.CUSTOM_REQUEST
]
self.plugin_returned.supported_request_types.return_value = types_list
self.plugin_returned.supports.return_value = True
self.plugin_loaded = mock.MagicMock(obj=self.plugin_returned)
expiration = (
datetime.datetime.utcnow() +
datetime.timedelta(days=cm.CA_INFO_DEFAULT_EXPIRATION_DAYS))
ca_info = {
cm.INFO_NAME: "my_ca",
cm.INFO_DESCRIPTION: "Certificate Authority my_ca",
cm.INFO_CA_SIGNING_CERT: "Undefined",
cm.INFO_INTERMEDIATES: "Undefined",
cm.INFO_EXPIRATION: expiration.isoformat()
}
self.plugin_returned.get_ca_info.return_value = {
'plugin_ca_id1': ca_info
}
parsed_ca = {
'plugin_name': self.plugin_name,
'plugin_ca_id': 'plugin_ca_id1',
'name': self.plugin_name,
'description': 'Master CA for default plugin',
'ca_signing_certificate': 'ZZZZZ',
'intermediates': 'YYYYY'
}
self.ca = models.CertificateAuthority(parsed_ca)
self.ca.id = 'ca_id'
self.ca_repo = mock.MagicMock()
self.ca_repo.get_by_create_date.return_value = (self.ca, 0, 1, 1)
self.ca_repo.create_from.return_value = None
self.ca_repo.get.return_value = self.ca
self.project = models.Project()
self.project.id = '12345'
self.setup_ca_repository_mock(self.ca_repo)
self.plugin_loaded = mock.MagicMock(obj=self.plugin_returned)
self.manager = cm.CertificatePluginManager()
self.manager.extensions = [self.plugin_loaded]
def delete_subordinate_ca(external_project_id, ca):
"""Deletes a subordinate CA and any related artifacts
:param external_project_id: external project ID
:param ca: class:`models.CertificateAuthority` to be deleted
:return: None
"""
# TODO(alee) See if the checks below can be moved to the RBAC code
# Check that this CA is a subCA
if ca.project_id is None:
raise excep.CannotDeleteBaseCA()
# Check that the user's project owns this subCA
project = res.get_or_create_project(external_project_id)
if ca.project_id != project.id:
raise excep.UnauthorizedSubCA()
project_ca_repo = repos.get_project_ca_repository()
(project_cas, _, _,
_) = project_ca_repo.get_by_create_date(project_id=project.id,
ca_id=ca.id,
suppress_exception=True)
preferred_ca_repo = repos.get_preferred_ca_repository()
(preferred_cas, _, _,
_) = preferred_ca_repo.get_by_create_date(project_id=project.id,
ca_id=ca.id,
suppress_exception=True)
# Can not delete a project preferred CA, if other project CAs exist. One
# of those needs to be designated as the preferred CA first.
if project_cas and preferred_cas and not is_last_project_ca(project.id):
raise excep.CannotDeletePreferredCA()
# Remove the CA as preferred
if preferred_cas:
preferred_ca_repo.delete_entity_by_id(preferred_cas[0].id,
external_project_id)
# Remove the CA from project list
if project_cas:
project_ca_repo.delete_entity_by_id(project_cas[0].id,
external_project_id)
# Delete the CA entry from plugin
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
ca.plugin_name)
cert_plugin.delete_ca(ca.plugin_ca_id)
# Finally, delete the CA entity from the CA repository
ca_repo = repos.get_ca_repository()
ca_repo.delete_entity_by_id(entity_id=ca.id,
external_project_id=external_project_id)
def create_subordinate_ca(project_model, name, description, subject_dn,
parent_ca_ref, creator_id):
"""Create a subordinate CA
:param name - name of the subordinate CA
:param: description - description of the subordinate CA
:param: subject_dn - subject DN of the subordinate CA
:param: parent_ca_ref - Barbican URL reference to the parent CA
:param: creator_id - id for creator of the subordinate CA
:return: :class models.CertificateAuthority model object for new sub CA
"""
# check that the parent ref exists and is accessible
parent_ca_id = hrefs.get_ca_id_from_ref(parent_ca_ref)
ca_repo = repos.get_ca_repository()
parent_ca = ca_repo.get(entity_id=parent_ca_id, suppress_exception=True)
if not parent_ca:
raise excep.InvalidParentCA(parent_ca_ref=parent_ca_ref)
# Parent CA must be a base CA or a subCA owned by this project
if (parent_ca.project_id is not None and
parent_ca.project_id != project_model.id):
raise excep.UnauthorizedSubCA()
# get the parent plugin, raises CertPluginNotFound if missing
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
parent_ca.plugin_name)
# confirm that the plugin supports creating subordinate CAs
if not cert_plugin.supports_create_ca():
raise excep.SubCAsNotSupported()
# make call to create the subordinate ca
create_ca_dto = cert.CACreateDTO(
name=name,
description=description,
subject_dn=subject_dn,
parent_ca_id=parent_ca.plugin_ca_id)
new_ca_dict = cert_plugin.create_ca(create_ca_dto)
if not new_ca_dict:
raise excep.SubCANotCreated(name=name)
# create and store the subordinate CA as a new certificate authority object
new_ca_dict['plugin_name'] = parent_ca.plugin_name
new_ca_dict['creator_id'] = creator_id
new_ca_dict['project_id'] = project_model.id
new_ca = models.CertificateAuthority(new_ca_dict)
ca_repo.create_from(new_ca)
return new_ca
def check_certificate_request(order_model, project_model, plugin_name, repos):
"""Check the status of a certificate request with the CA.
:param: order_model - order associated with this cert request
:param: project_model - project associated with this request
:param: plugin_name - plugin the issued the certificate request
:param; repos - repos (to be removed)
:returns: container_model - container with the relevant cert if the
request has been completed. None otherwise.
"""
container_model = None
plugin_meta = _get_plugin_meta(order_model, repos)
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
plugin_name)
result = cert_plugin.check_certificate_request(order_model.id,
order_model.meta,
plugin_meta)
# Save plugin order plugin state
_save_plugin_metadata(order_model, plugin_meta, repos)
# Handle result
if cert.CertificateStatus.WAITING_FOR_CA == result.status:
_update_order_status(ORDER_STATUS_REQUEST_PENDING)
_schedule_check_cert_request(cert_plugin, order_model, plugin_meta,
repos, result, project_model,
cert.RETRY_MSEC)
elif cert.CertificateStatus.CERTIFICATE_GENERATED == result.status:
_update_order_status(ORDER_STATUS_CERT_GENERATED)
container_model = _save_secrets(result, project_model, repos)
elif cert.CertificateStatus.CLIENT_DATA_ISSUE_SEEN == result.status:
_update_order_status(cert.ORDER_STATUS_DATA_INVALID)
raise cert.CertificateStatusClientDataIssue(result.status_message)
elif cert.CertificateStatus.CA_UNAVAILABLE_FOR_REQUEST == result.status:
# TODO(alee-3): decide what to do about retries here
_update_order_status(ORDER_STATUS_CA_UNAVAIL_FOR_CHECK)
_schedule_check_cert_request(cert_plugin, order_model, plugin_meta,
repos, result, project_model,
cert.ERROR_RETRY_MSEC)
elif cert.CertificateStatus.INVALID_OPERATION == result.status:
_update_order_status(ORDER_STATUS_INVALID_OPERATION)
raise cert.CertificateStatusInvalidOperation(result.status_message)
else:
_update_order_status(ORDER_STATUS_INTERNAL_ERROR)
raise cert.CertificateStatusNotSupported(result.status)
return container_model
def setUp(self):
super(WhenTestingCertificatePluginManager, self).setUp()
self.cert_spec = {}
self.plugin_returned = mock.MagicMock()
self.plugin_name = 'mock.MagicMock'
types_list = [
cm.CertificateRequestType.SIMPLE_CMC_REQUEST,
cm.CertificateRequestType.CUSTOM_REQUEST
]
self.plugin_returned.supported_request_types.return_value = types_list
self.plugin_returned.supports.return_value = True
self.plugin_loaded = mock.MagicMock(obj=self.plugin_returned)
self.manager = cm.CertificatePluginManager()
self.manager.extensions = [self.plugin_loaded]
def test_support_request_types(self):
manager = cm.CertificatePluginManager()
manager.extensions = [mock.MagicMock(obj=self.plugin)]
cert_spec = {
cm.REQUEST_TYPE: cm.CertificateRequestType.CUSTOM_REQUEST}
self.assertEqual(self.plugin, manager.get_plugin(cert_spec))
self.assertTrue(self.plugin.supports(cert_spec))
cert_spec = {
cm.REQUEST_TYPE: cm.CertificateRequestType.STORED_KEY_REQUEST}
self.assertEqual(self.plugin, manager.get_plugin(cert_spec))
self.assertTrue(self.plugin.supports(cert_spec))
cert_spec = {
cm.REQUEST_TYPE: cm.CertificateRequestType.FULL_CMC_REQUEST}
self.assertRaises(cm.CertificatePluginNotFound,
manager.get_plugin, cert_spec)
self.assertFalse(self.plugin.supports(cert_spec))
def issue_certificate_request(order_model, project_model, result_follow_on):
"""Create the initial order with CA.
Note that this method may be called more than once if retries are
required. Barbican metadata is used to store intermediate information,
including selected plugins by name, to support such retries.
:param: order_model - order associated with this cert request
:param: project_model - project associated with this request
:param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
instantiated by the client that this function may optionally update
with information on how to process this task into the future.
:returns: container_model - container with the relevant cert if
the request has been completed. None otherwise
"""
container_model = None
plugin_meta = _get_plugin_meta(order_model)
barbican_meta = _get_barbican_meta(order_model)
# TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order
# and not shown to plugins) with barbican_meta_dto (shared with plugins).
# As a minimum we should change the name of the DTO to something like
# 'extended_meta_dto' or some such.
barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO()
# refresh the CA table. This is mostly a no-op unless the entries
# for a plugin are expired.
cert.CertificatePluginManager().refresh_ca_table()
# Locate the required certificate plugin.
cert_plugin_name = barbican_meta.get('plugin_name')
if cert_plugin_name:
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
cert_plugin_name)
else:
ca_id = _get_ca_id(order_model.meta, project_model.id)
if ca_id:
barbican_meta_for_plugins_dto.plugin_ca_id = ca_id
cert_plugin = cert.CertificatePluginManager().get_plugin_by_ca_id(
ca_id)
else:
cert_plugin = cert.CertificatePluginManager().get_plugin(
order_model.meta)
barbican_meta['plugin_name'] = utils.generate_fullname_for(cert_plugin)
# Generate CSR if needed.
request_type = order_model.meta.get(cert.REQUEST_TYPE)
if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
csr = barbican_meta.get('generated_csr')
if csr is None:
# TODO(alee) Fix this to be a non-project specific call once
# the ACL patches go in.
csr = _generate_csr(order_model, project_model)
barbican_meta['generated_csr'] = csr
barbican_meta_for_plugins_dto.generated_csr = csr
result = cert_plugin.issue_certificate_request(
order_model.id, order_model.meta, plugin_meta,
barbican_meta_for_plugins_dto)
# Save plugin and barbican metadata for this order.
_save_plugin_metadata(order_model, plugin_meta)
_save_barbican_metadata(order_model, barbican_meta)
# Handle result
if cert.CertificateStatus.WAITING_FOR_CA == result.status:
_update_result_follow_on(
result_follow_on,
order_status=ORDER_STATUS_REQUEST_PENDING,
retry_task=common.RetryTasks.INVOKE_CERT_STATUS_CHECK_TASK,
retry_msec=result.retry_msec)
elif cert.CertificateStatus.CERTIFICATE_GENERATED == result.status:
_update_result_follow_on(result_follow_on,
order_status=ORDER_STATUS_CERT_GENERATED)
container_model = _save_secrets(result, project_model)
elif cert.CertificateStatus.CLIENT_DATA_ISSUE_SEEN == result.status:
raise cert.CertificateStatusClientDataIssue(result.status_message)
elif cert.CertificateStatus.CA_UNAVAILABLE_FOR_REQUEST == result.status:
_update_result_follow_on(
result_follow_on,
order_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE,
retry_task=common.RetryTasks.INVOKE_SAME_TASK,
retry_msec=cert.ERROR_RETRY_MSEC)
_notify_ca_unavailable(order_model, result)
elif cert.CertificateStatus.INVALID_OPERATION == result.status:
raise cert.CertificateStatusInvalidOperation(result.status_message)
else:
raise cert.CertificateStatusNotSupported(result.status)
return container_model
def refresh_certificate_resources():
# Before CA operations can be performed, the CA table must be populated
cert.CertificatePluginManager().refresh_ca_table()
