def create_key(self, context, algorithm=None, length=0, expiration=None, **kwargs): """creates a key algorithm, length, and expiration are unused by sahara keys. """ return key.Passphrase(passphrase=kwargs.get('passphrase', ''))
def data_source_update(self, context, id, values): """Update the Data Source or raise if it does not exist.""" values = copy.deepcopy(values) values["id"] = id # in cases where the credentials to access the data source are # stored with the record and the external key manager is being # used, we need to delete the old key from the manager and # create a new one. the other option here would be to retrieve # the previous key and check to see if it has changed, but it # seems less expensive to just delete the old and create a new # one. # it should be noted that the jsonschema validation ensures that # if the proxy domain is not in use then credentials must be # sent with this record. if (CONF.use_barbican_key_manager and not CONF.use_domain_for_proxy_users): # first we retrieve the original record to get the old key # uuid, and delete it. ds_record = self.data_source_get(context, id) if (ds_record.get('credentials') and ds_record['credentials'].get('password')): key_manager.API().delete(context, ds_record['credentials']['password']) # next we create the new key. if (values.get('credentials') and values['credentials'].get('password')): key = passphrase.Passphrase(values['credentials']['password']) password = key_manager.API().store(context, key) values['credentials']['password'] = password return self.db.data_source_update(context, values)
def job_binary_update(self, context, id, values): """Update a JobBinary from the values dictionary.""" values = copy.deepcopy(values) values['id'] = id # in cases where the credentials to access the job binary are # stored with the record and the external key manager is being # used, we need to delete the old key from the manager and # create a new one. the other option here would be to retrieve # the previous key and check to see if it has changed, but it # seems less expensive to just delete the old and create a new # one. if (CONF.use_barbican_key_manager and not CONF.use_domain_for_proxy_users): # first we retrieve the original record to get the old key # uuid, and delete it. jb_record = self.job_binary_get(context, id) if jb_record.get('extra') and jb_record['extra'].get('password'): key_manager.API().delete(context, jb_record['extra']['password']) # next we create the new key. if values.get('extra') and values['extra'].get('password'): key = passphrase.Passphrase(values['extra']['password']) password = key_manager.API().store(context, key) values['extra']['password'] = password return self.db.job_binary_update(context, values)
def get(self, context, key_id, **kwargs): """get a key since sahara is not actually storing key UUIDs the key_id to this function should actually be the key payload. this function will simply return a new SaharaKey based on that value. """ return key.Passphrase(passphrase=key_id)
def test___eq__(self): self.assertTrue(self.passphrase == self.passphrase) self.assertTrue(self.passphrase is self.passphrase) self.assertFalse(self.passphrase is None) self.assertFalse(None == self.passphrase) other_passphrase = passphrase.Passphrase(self.passphrase_data) self.assertTrue(self.passphrase == other_passphrase) self.assertFalse(self.passphrase is other_passphrase)
def ensure_vtpm_secret( context: nova_context.RequestContext, instance: 'objects.Instance', ) -> ty.Tuple[str, str]: """Communicates with the key manager service to retrieve or create a secret for an instance's emulated TPM. When creating a secret, its UUID is saved to the instance's system_metadata as ``vtpm_secret_uuid``. :param context: Nova auth context. :param instance: Instance object. :return: A tuple comprising (secret_uuid, passphrase). :raise: castellan_exception.ManagedObjectNotFoundError if communication with the key manager API fails, or if a vtpm_secret_uuid was present in the instance's system metadata but could not be found in the key manager service. """ key_mgr = _get_key_manager() secret_uuid = instance.system_metadata.get('vtpm_secret_uuid') if secret_uuid is not None: # Try to retrieve the secret from the key manager try: secret = key_mgr.get(context, secret_uuid) # assert secret_uuid == secret.id ? LOG.debug("Found existing vTPM secret with UUID %s.", secret_uuid, instance=instance) return secret.id, secret.get_encoded() except castellan_exception.ManagedObjectNotFoundError: LOG.warning( "Despite being set on the instance, failed to find a vTPM " "secret with UUID %s. This should only happen if the secret " "was manually deleted from the key manager service. Your vTPM " "is likely to be unrecoverable.", secret_uuid, instance=instance) raise # If we get here, the instance has no vtpm_secret_uuid. Create a new one # and register it with the key manager. secret = base64.b64encode(os.urandom(_VTPM_SECRET_BYTE_LENGTH)) # Castellan ManagedObject cmo = passphrase.Passphrase(secret, name="vTPM secret for instance %s" % instance.uuid) secret_uuid = key_mgr.store(context, cmo) LOG.debug("Created vTPM secret with UUID %s", secret_uuid, instance=instance) instance.system_metadata['vtpm_secret_uuid'] = secret_uuid instance.save() return secret_uuid, secret
def store_secret(secret, ctx=None): """store a secret and return its identifier :param secret: The secret to store, this should be a string :param ctx: The context, and associated authentication, to use with this operation (defaults to the current context) """ if ctx is None: ctx = context.current() key = passphrase.Passphrase(secret) return key_manager.API().store(ctx, key)
def job_binary_create(self, context, values): """Create a JobBinary from the values dictionary.""" values = copy.deepcopy(values) values = _apply_defaults(values, JOB_BINARY_DEFAULTS) values['tenant_id'] = context.tenant_id # if credentials are being passed in, we use the key_manager # to store the password. if values.get('extra') and values['extra'].get('password'): key = passphrase.Passphrase(values['extra']['password']) password = key_manager.API().store(context, key) values['extra']['password'] = password return self.db.job_binary_create(context, values)
def data_source_create(self, context, values): """Create a Data Source from the values dictionary.""" values = copy.deepcopy(values) values = _apply_defaults(values, DATA_SOURCE_DEFAULTS) values['tenant_id'] = context.tenant_id # if credentials are being passed in, we use the key_manager # to store the password. if (values.get('credentials') and values['credentials'].get('password')): key = passphrase.Passphrase(values['credentials']['password']) password = key_manager.API().store(context, key) values['credentials']['password'] = password return self.db.data_source_create(context, values)
def create_proxy_user_for_job_execution(job_execution): '''Creates a proxy user and adds the credentials to the job execution :param job_execution: The job execution model to update ''' username = '******'.format(job_execution.id) key = passphrase.Passphrase(proxy_user_create(username)) password = key_manager.API().store(context.current(), key) current_user = k.auth() proxy_user = k.auth_for_proxy(username, password) trust_id = t.create_trust(trustor=current_user, trustee=proxy_user, role_names=CONF.proxy_user_role_names) update = {'job_configs': job_execution.job_configs.to_dict()} update['job_configs']['proxy_configs'] = { 'proxy_username': username, 'proxy_password': password, 'proxy_trust_id': trust_id } conductor.job_execution_update(context.ctx(), job_execution, update)
def create_proxy_user_for_cluster(cluster): '''Creates a proxy user and adds the credentials to the cluster :param cluster: The cluster model to update ''' if cluster.cluster_configs.get('proxy_configs'): return cluster username = '******'.format(cluster.id) key = passphrase.Passphrase(proxy_user_create(username)) password = key_manager.API().store(context.current(), key) current_user = k.auth() proxy_user = k.auth_for_proxy(username, password) trust_id = t.create_trust(trustor=current_user, trustee=proxy_user, role_names=CONF.proxy_user_role_names) update = {'cluster_configs': cluster.cluster_configs.to_dict()} update['cluster_configs']['proxy_configs'] = { 'proxy_username': username, 'proxy_password': password, 'proxy_trust_id': trust_id } return conductor.cluster_update(context.ctx(), cluster, update)
def _create_passphrase(self): return passphrase.Passphrase(self.passphrase_data, self.name, self.created)
def _get_test_passphrase(): data = bytes(b'passphrase') passphrase_object = passphrase.Passphrase(data) return passphrase_object
def test___ne___data(self): other_phrase = passphrase.Passphrase(b"other passphrase", self.name) self.assertTrue(self.passphrase != other_phrase)
def test_store(self): k = key.Passphrase(passphrase='super_secret') k_id = self.k_m.store(self.ctx, k) self.assertEqual('super_secret', k_id)
def test_get_created_none(self): created = None phrase = passphrase.Passphrase(self.passphrase_data, self.name, created) self.assertEqual(created, phrase.created)
def test_is_only_metadata(self): p = passphrase.Passphrase(None, self.name, self.created) self.assertTrue(p.is_metadata_only())
def _store_secret(secret): key = passphrase.Passphrase(secret) password = key_manager.API().store(context.current(), key) return password
def test___ne__name(self): other_phrase = passphrase.Passphrase(self.passphrase_data, "other phrase") self.assertTrue(self.passphrase != other_phrase)