def _generate_csr_from_private_key(order_model, project_model):
"""Generate a CSR from the private key.
:param: order_model - order for the request
:param: project_model - project for this request
:return: CSR (certificate signing request) in PEM format
:raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
:class:`StoredKeyContainerNotFound` if container not found
"""
container_id, container = _get_container_from_order_meta(order_model, project_model)
if not container:
raise excep.StoredKeyContainerNotFound(container_id)
passphrase = None
private_key = None
for cs in container.container_secrets:
secret_repo = repos.get_secret_repository()
if cs.name == "private_key":
private_key_model = secret_repo.get(cs.secret_id, project_model.external_id)
private_key = plugin.get_secret("application/pkcs8", private_key_model, project_model)
elif cs.name == "private_key_passphrase":
passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id)
passphrase = plugin.get_secret("text/plain;charset=utf-8", passphrase_model, project_model)
passphrase = str(passphrase)
if not private_key:
raise excep.StoredKeyPrivateKeyNotFound(container.id)
if passphrase is None:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
else:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase)
subject_name = order_model.meta.get("subject_dn")
subject_name_dns = ldap.dn.str2dn(subject_name)
extensions = order_model.meta.get("extensions", None)
req = crypto.X509Req()
subj = req.get_subject()
# Note: must iterate over the DNs in reverse order, or the resulting
# subject name will be reversed.
for ava in reversed(subject_name_dns):
for key, val, extra in ava:
setattr(subj, key.upper(), val)
req.set_pubkey(pkey)
if extensions:
# TODO(alee-3) We need code here to parse the encoded extensions and
# convert them into X509Extension objects. This code will also be
# used in the validation code. Commenting out for now till we figure
# out how to do this.
# req.add_extensions(extensions)
pass
req.sign(pkey, "sha256")
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
return csr
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
# With ACL support, the user token project does not have to be same as
# project associated with secret. The lookup project_id needs to be
# derived from the secret's data considering authorization is already
# done.
external_project_id = secret.project.external_id
project = res.get_or_create_project(external_project_id)
# default to application/octet-stream if there is no Accept header
if (type(pecan.request.accept) is accept.NoHeaderType
or not pecan.request.accept.header_value):
accept_header = 'application/octet-stream'
else:
accept_header = pecan.request.accept.header_value
pecan.override_template('', accept_header)
# check if payload exists before proceeding
if not secret.encrypted_data and not secret.secret_store_metadata:
_secret_payload_not_found()
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(accept_header, secret, project, twsk,
transport_key)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
# With ACL support, the user token project does not have to be same as
# project associated with secret. The lookup project_id needs to be
# derived from the secret's data considering authorization is already
# done.
external_project_id = secret.project.external_id
project = res.get_or_create_project(external_project_id)
# default to application/octet-stream if there is no Accept header
accept_header = getattr(pecan.request.accept, 'header_value',
'application/octet-stream')
pecan.override_template('', accept_header)
# check if payload exists before proceeding
if not secret.encrypted_data and not secret.secret_store_metadata:
_secret_payload_not_found()
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(accept_header,
secret,
project,
twsk,
transport_key)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
# With ACL support, the user token project does not have to be same as
# project associated with secret. The lookup project_id needs to be
# derived from the secret's data considering authorization is already
# done.
external_project_id = secret.project.external_id
project = res.get_or_create_project(external_project_id)
# default to application/octet-stream if there is no Accept header
accept_header = getattr(pecan.request.accept, 'header_value',
'application/octet-stream')
pecan.override_template('', accept_header)
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(accept_header,
secret,
project,
twsk,
transport_key)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
project = res.get_or_create_project(external_project_id,
self.repos.project_repo)
pecan.override_template('', pecan.request.accept.header_value)
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(pecan.request.accept.header_value, secret,
project, self.repos, twsk, transport_key)
def index(self, keystone_id, **kwargs):
secret = self.repos.secret_repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if controllers.is_json_request_accept(pecan.request):
# Metadata-only response, no secret retrieval is necessary.
pecan.override_template('json', 'application/json')
secret_fields = putil.mime_types.augment_fields_with_content_types(
secret)
transport_key_needed = kwargs.get('transport_key_needed',
'false').lower() == 'true'
if transport_key_needed:
transport_key_id = plugin.get_transport_key_id_for_retrieval(
secret)
if transport_key_id is not None:
secret_fields['transport_key_id'] = transport_key_id
return hrefs.convert_to_hrefs(secret_fields)
else:
project = res.get_or_create_project(keystone_id,
self.repos.project_repo)
pecan.override_template('', pecan.request.accept.header_value)
transport_key = None
twsk = kwargs.get('trans_wrapped_session_key', None)
if twsk is not None:
transport_key_id = kwargs.get('transport_key_id', None)
if transport_key_id is None:
_request_has_twsk_but_no_transport_key_id()
transport_key_model = self.repos.transport_key_repo.get(
entity_id=transport_key_id,
suppress_exception=True)
transport_key = transport_key_model.transport_key
return plugin.get_secret(pecan.request.accept.header_value,
secret,
project,
self.repos,
twsk,
transport_key)
def index(self, keystone_id):
secret = self.repos.secret_repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if controllers.is_json_request_accept(pecan.request):
# Metadata-only response, no secret retrieval is necessary.
pecan.override_template('json', 'application/json')
secret_fields = putil.mime_types.augment_fields_with_content_types(
secret)
return hrefs.convert_to_hrefs(keystone_id, secret_fields)
else:
tenant = res.get_or_create_tenant(keystone_id,
self.repos.tenant_repo)
pecan.override_template('', pecan.request.accept.header_value)
return plugin.get_secret(pecan.request.accept.header_value,
secret,
tenant)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
# With ACL support, the user token project does not have to be same as
# project associated with secret. The lookup project_id needs to be
# derived from the secret's data considering authorization is already
# done.
external_project_id = secret.project_assocs[0].projects.external_id
project = res.get_or_create_project(external_project_id)
pecan.override_template('', pecan.request.accept.header_value)
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(pecan.request.accept.header_value,
secret,
project,
twsk,
transport_key)
def _generate_csr(order_model, project_model):
"""Generate a CSR from the public key.
:param: order_model - order for the request
:param: project_model - project for this request
:return: CSR (certificate signing request) in PEM format
:raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
:class:`StoredKeyContainerNotFound` if container not found
"""
container_ref = order_model.meta.get('container_ref')
# extract container_id as the last part of the URL
container_id = hrefs.get_container_id_from_ref(container_ref)
container_repo = repos.get_container_repository()
container = container_repo.get(container_id,
project_model.external_id,
suppress_exception=True)
if not container:
raise excep.StoredKeyContainerNotFound(container_id)
passphrase = None
private_key = None
for cs in container.container_secrets:
secret_repo = repos.get_secret_repository()
if cs.name == 'private_key':
private_key_model = secret_repo.get(cs.secret_id,
project_model.external_id)
private_key = plugin.get_secret('application/pkcs8',
private_key_model, project_model)
elif cs.name == 'private_key_passphrase':
passphrase_model = secret_repo.get(cs.secret_id,
project_model.external_id)
passphrase = plugin.get_secret('text/plain;charset=utf-8',
passphrase_model, project_model)
passphrase = str(passphrase)
if not private_key:
raise excep.StoredKeyPrivateKeyNotFound(container_id)
if passphrase is None:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
else:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key,
passphrase)
subject_name = order_model.meta.get('subject_dn')
subject_name_dns = ldap.dn.str2dn(subject_name)
extensions = order_model.meta.get('extensions', None)
req = crypto.X509Req()
subj = req.get_subject()
# Note: must iterate over the DNs in reverse order, or the resulting
# subject name will be reversed.
for ava in reversed(subject_name_dns):
for key, val, extra in ava:
setattr(subj, key.upper(), val)
req.set_pubkey(pkey)
if extensions:
# TODO(alee-3) We need code here to parse the encoded extensions and
# convert them into X509Extension objects. This code will also be
# used in the validation code. Commenting out for now till we figure
# out how to do this.
# req.add_extensions(extensions)
pass
req.sign(pkey, 'sha256')
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
return csr
