def secdel_get_barbican_manager_and_ctxt(output_manager, conf, api_class): try: # FIXME: Parameters have different names if passed as options # to swift-client user_domain_name = conf.get('os_user_domain_name') if user_domain_name is None: user_domain_name = 'Default' project_domain_name = conf.get('os_project_domain_name') if project_domain_name is None: project_domain_name = 'Default' ctxt = keystone_password.KeystonePassword( username=conf.get('os_username'), password=conf.get('os_password'), project_name=conf.get('os_project_name'), user_domain_name=user_domain_name, project_domain_name=project_domain_name, user_id=conf.get('os_user_id'), user_domain_id=conf.get('os_user_domain_id'), trust_id=conf.get('os_trust_id'), domain_id=conf.get('os_domain_id'), domain_name=conf.get('os_domain_name'), project_id=conf.get('os_project_id'), project_domain_id=conf.get('os_project_domain_id'), reauthenticate=conf.get('reauthenticate')) oslo_conf = cfg.ConfigOpts() # FIXME: os_auth_url and not auth_endpoint? options.set_defaults( oslo_conf, auth_endpoint=conf.get('os_auth_url'), api_class=conf.get('api_class', api_class) ) options.enable_logging() manager = key_manager.API(oslo_conf) return manager, ctxt except SwiftError as e: output_manager.error(e.value)
def test___eq__(self): self.assertTrue( self.ks_password_credential == self.ks_password_credential) self.assertTrue( self.ks_password_credential is self.ks_password_credential) self.assertFalse(self.ks_password_credential is None) self.assertFalse(None == self.ks_password_credential) other_ks_password_credential = keystone_password.KeystonePassword( self.password, username=self.username, user_id=self.user_id, user_domain_id=self.user_domain_id, user_domain_name=self.user_domain_name, trust_id=self.trust_id, domain_id=self.domain_id, domain_name=self.domain_name, project_id=self.project_id, project_name=self.project_name, project_domain_id=self.project_domain_id, project_domain_name=self.project_domain_name, reauthenticate=self.reauthenticate) self.assertTrue( self.ks_password_credential == other_ks_password_credential) self.assertFalse( self.ks_password_credential is other_ks_password_credential)
def generate_tacker_service_context(): return keystone_password.KeystonePassword( password=CONF.keystone_authtoken.password, auth_url=CONF.keystone_authtoken.auth_url, username=CONF.keystone_authtoken.username, user_domain_name=CONF.keystone_authtoken.user_domain_name, project_name=CONF.keystone_authtoken.project_name, project_domain_name=CONF.keystone_authtoken.project_domain_name)
def _get_root_secret(self, conf): """ Retrieve the root encryption secret from an external key management system using Castellan. :param conf: the keymaster config section from proxy-server.conf :type conf: dict :return: the encryption root secret binary bytes :rtype: bytearray """ ctxt = keystone_password.KeystonePassword( auth_url=conf.get('auth_endpoint'), username=conf.get('username'), password=conf.get('password'), project_name=conf.get('project_name'), user_domain_name=conf.get('user_domain_name'), project_domain_name=conf.get('project_domain_name'), user_id=conf.get('user_id'), user_domain_id=conf.get('user_domain_id'), trust_id=conf.get('trust_id'), domain_id=conf.get('domain_id'), domain_name=conf.get('domain_name'), project_id=conf.get('project_id'), project_domain_id=conf.get('project_domain_id'), reauthenticate=conf.get('reauthenticate')) oslo_conf = cfg.ConfigOpts() options.set_defaults(oslo_conf, auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class')) options.enable_logging() manager = key_manager.API(oslo_conf) key = manager.get(ctxt, conf.get('key_id')) if key is None: raise ValueError("Retrieval of encryption root secret with key_id " "'%s' returned None." % conf.get('key_id')) try: if (key.bit_length < 256) or (key.algorithm.lower() != "aes"): raise ValueError('encryption root secret stored in the ' 'external KMS must be an AES key of at least ' '256 bits (provided key length: %d, provided ' 'key algorithm: %s)' % (key.bit_length, key.algorithm)) if (key.format != 'RAW'): raise ValueError('encryption root secret stored in the ' 'external KMS must be in RAW format and not ' 'e.g., as a base64 encoded string (format of ' 'key with uuid %s: %s)' % (conf.get('key_id'), key.format)) except Exception: raise ValueError("Secret with key_id '%s' is not a symmetric key " "(type: %s)" % (conf.get('key_id'), str(type(key)))) return key.get_encoded()
def setUp(self): super(BarbicanKeyManagerKSPasswordTestCase, self).setUp() username = CONF.identity.username password = CONF.identity.password project_name = CONF.identity.project_name user_domain_name = CONF.identity.user_domain_name project_domain_name = CONF.identity.project_domain_name self.ctxt = keystone_password.KeystonePassword( username=username, password=password, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name)
def get_context(self): username = CONF.identity.username password = CONF.identity.password project_name = CONF.identity.project_name user_domain_name = CONF.identity.user_domain_name project_domain_name = CONF.identity.project_domain_name ctxt = keystone_password.KeystonePassword( username=username, password=password, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name) return ctxt
def _create_ks_password_credential(self): return keystone_password.KeystonePassword( self.password, username=self.username, user_id=self.user_id, user_domain_id=self.user_domain_id, user_domain_name=self.user_domain_name, trust_id=self.trust_id, domain_id=self.domain_id, domain_name=self.domain_name, project_id=self.project_id, project_name=self.project_name, project_domain_id=self.project_domain_id, project_domain_name=self.project_domain_name, reauthenticate=self.reauthenticate)
def test___ne___reauthenticate(self): other_reauthenticate = False other_ks_password_credential = keystone_password.KeystonePassword( self.password, username=self.username, user_id=self.user_id, user_domain_id=self.user_domain_id, user_domain_name=self.user_domain_name, trust_id=self.trust_id, domain_id=self.domain_id, domain_name=self.domain_name, project_id=self.project_id, project_name=self.project_name, project_domain_id=self.project_domain_id, project_domain_name=self.project_domain_name, reauthenticate=other_reauthenticate) self.assertTrue( self.ks_password_credential != other_ks_password_credential)
def delete_encryption_key(context, key_manager, encryption_key_id): try: key_manager.delete(context, encryption_key_id) except castellan_exception.ManagedObjectNotFoundError: pass except castellan_exception.KeyManagerError: LOG.info("First attempt to delete key id %s failed, retrying with " "cinder's service context.", encryption_key_id) conf = CONF ks_loading.register_auth_conf_options(conf, 'keystone_authtoken') service_context = keystone_password.KeystonePassword( password=conf.keystone_authtoken.password, auth_url=conf.keystone_authtoken.auth_url, username=conf.keystone_authtoken.username, user_domain_name=conf.keystone_authtoken.user_domain_name, project_name=conf.keystone_authtoken.project_name, project_domain_name=conf.keystone_authtoken.project_domain_name) try: castellan_key_manager.API(conf).delete(service_context, encryption_key_id) except castellan_exception.ManagedObjectNotFoundError: pass
def credential_factory(conf=None, context=None): """This function provides a factory for credentials. It is used to create an appropriare credential object from a passed configuration. This should be called before making any calls to a key manager. :param conf: Configuration file which this factory method uses to generate a credential object. Note: In the future it will become a required field. :param context: Context used for authentication. It can be used in conjunction with the configuration file. If no conf is passed, then the context object will be converted to a KeystoneToken and returned. If a conf is passed then only the 'token' is grabbed from the context for the authentication types that require a token. :returns: A credential object used for authenticating with the Castellan key manager. Type of credential returned depends on config and/or context passed. """ if conf: conf.register_opts(credential_opts, group=OPT_GROUP) if conf.key_manager.auth_type == 'token': if conf.key_manager.token: auth_token = conf.key_manager.token elif context: auth_token = context.auth_token else: raise exception.InsufficientCredentialDataError() return token.Token(auth_token) elif conf.key_manager.auth_type == 'password': return password.Password(conf.key_manager.username, conf.key_manager.password) elif conf.key_manager.auth_type == 'keystone_password': return keystone_password.KeystonePassword( conf.key_manager.password, username=conf.key_manager.username, user_id=conf.key_manager.user_id, user_domain_id=conf.key_manager.user_domain_id, user_domain_name=conf.key_manager.user_domain_name, trust_id=conf.key_manager.trust_id, domain_id=conf.key_manager.domain_id, domain_name=conf.key_manager.domain_name, project_id=conf.key_manager.project_id, project_name=conf.key_manager.project_name, project_domain_id=conf.key_manager.domain_id, project_domain_name=conf.key_manager.domain_name, reauthenticate=conf.key_manager.reauthenticate) elif conf.key_manager.auth_type == 'keystone_token': if conf.key_manager.token: auth_token = conf.key_manager.token elif context: auth_token = context.auth_token else: raise exception.InsufficientCredentialDataError() return keystone_token.KeystoneToken( auth_token, trust_id=conf.key_manager.trust_id, domain_id=conf.key_manager.domain_id, domain_name=conf.key_manager.domain_name, project_id=conf.key_manager.project_id, project_name=conf.key_manager.project_name, project_domain_id=conf.key_manager.domain_id, project_domain_name=conf.key_manager.domain_name, reauthenticate=conf.key_manager.reauthenticate) else: LOG.error(_LE("Invalid auth_type specified.")) raise exception.AuthTypeInvalidError( type=conf.key_manager.auth_type) # for compatibility between _TokenData and RequestContext if hasattr(context, 'tenant') and context.tenant: project_id = context.tenant elif hasattr(context, 'project_id') and context.project_id: project_id = context.project_id return keystone_token.KeystoneToken(context.auth_token, project_id=project_id)