def secdel_get_barbican_manager_and_ctxt(output_manager, conf, api_class):
    """
    Build a Castellan key manager and a Keystone password context from a
    swift-client style option dict.

    ``os_user_domain_name`` and ``os_project_domain_name`` fall back to
    ``'Default'`` when missing; every other ``os_*`` credential option is
    passed through unchanged, so an absent one reaches Keystone as ``None``.
    Note that ``os_auth_url`` is only handed to the Castellan options as
    ``auth_endpoint``; it is not passed to ``KeystonePassword`` as
    ``auth_url`` (see the FIXME below).  The Castellan backend is
    ``conf['api_class']`` when present, otherwise the ``api_class`` argument.

    :param output_manager: object whose ``error()`` method receives the
        value of a ``SwiftError`` raised while building the objects
    :param conf: option dict using swift-client names (``os_*`` keys,
        ``reauthenticate``, optional ``api_class``)
    :param api_class: fallback Castellan ``api_class`` when ``conf`` has none
    :return: ``(manager, ctxt)`` on success.  If a ``SwiftError`` is raised
        while building them, its value is reported through
        ``output_manager.error`` and the function returns a bare ``None`` --
        not a pair -- so callers must check the result before unpacking it.
    """
    try:
        # FIXME: Parameters have different names if passed as options
        # to swift-client
        user_domain = conf.get('os_user_domain_name')
        project_domain = conf.get('os_project_domain_name')
        ctxt = keystone_password.KeystonePassword(
            username=conf.get('os_username'),
            password=conf.get('os_password'),
            project_name=conf.get('os_project_name'),
            user_domain_name=(
                'Default' if user_domain is None else user_domain),
            project_domain_name=(
                'Default' if project_domain is None else project_domain),
            user_id=conf.get('os_user_id'),
            user_domain_id=conf.get('os_user_domain_id'),
            trust_id=conf.get('os_trust_id'),
            domain_id=conf.get('os_domain_id'),
            domain_name=conf.get('os_domain_name'),
            project_id=conf.get('os_project_id'),
            project_domain_id=conf.get('os_project_domain_id'),
            reauthenticate=conf.get('reauthenticate'))
        oslo_conf = cfg.ConfigOpts()
        # FIXME: os_auth_url and not auth_endpoint?
        options.set_defaults(oslo_conf,
                             auth_endpoint=conf.get('os_auth_url'),
                             api_class=conf.get('api_class', api_class))
        options.enable_logging()
        return key_manager.API(oslo_conf), ctxt
    except SwiftError as e:
        # Report and fall through: the implicit return value here is None.
        output_manager.error(e.value)
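    def _get_root_secret(self, conf):
        """
        Retrieve the root encryption secret from an external key management
        system using Castellan.

        The Keystone password credentials, the Castellan backend
        (``api_class``) and its ``auth_endpoint`` are all read from ``conf``;
        the secret itself is selected by ``conf['key_id']``.  A fetched
        secret is only accepted as root secret if it is an AES key of at
        least 256 bits stored in RAW format, which guards against a
        ``key_id`` that points at a weaker key or at an encoded (e.g. base64)
        copy of one.

        :param conf: the keymaster config section from proxy-server.conf
        :type conf: dict

        :return: the encryption root secret binary bytes
        :rtype: bytearray

        :raises ValueError: if the KMS returns nothing for ``key_id``, if the
            returned object is not a symmetric key (no usable ``bit_length``,
            ``algorithm`` or ``format``), or if the key is not AES, is shorter
            than 256 bits, or is not in RAW format
        """
        key_id = conf.get('key_id')
        ctxt = keystone_password.KeystonePassword(
            auth_url=conf.get('auth_endpoint'),
            username=conf.get('username'),
            password=conf.get('password'),
            project_name=conf.get('project_name'),
            user_domain_name=conf.get('user_domain_name'),
            project_domain_name=conf.get('project_domain_name'),
            user_id=conf.get('user_id'),
            user_domain_id=conf.get('user_domain_id'),
            trust_id=conf.get('trust_id'),
            domain_id=conf.get('domain_id'),
            domain_name=conf.get('domain_name'),
            project_id=conf.get('project_id'),
            project_domain_id=conf.get('project_domain_id'),
            reauthenticate=conf.get('reauthenticate'))
        oslo_conf = cfg.ConfigOpts()
        options.set_defaults(
            oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
            api_class=conf.get('api_class')
        )
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        key = manager.get(ctxt, key_id)
        if key is None:
            raise ValueError("Retrieval of encryption root secret with key_id "
                             "'%s' returned None." % key_id)
        # Only the attribute reads live inside the try: a secret that is not
        # a symmetric key (passphrase, certificate, opaque blob, ...) has no
        # usable bit_length/algorithm/format and fails here.  The policy
        # checks below stay *outside* the try so that their own, specific
        # ValueError is not swallowed and re-reported as "not a symmetric
        # key" -- which is what a blanket try/except around them would do.
        try:
            bit_length = int(key.bit_length)
            algorithm = key.algorithm.lower()
            key_format = key.format
        except (AttributeError, TypeError, ValueError):
            raise ValueError("Secret with key_id '%s' is not a symmetric key "
                             "(type: %s)" % (key_id, str(type(key))))
        if (bit_length < 256) or (algorithm != "aes"):
            raise ValueError('encryption root secret stored in the '
                             'external KMS must be an AES key of at least '
                             '256 bits (provided key length: %d, provided '
                             'key algorithm: %s)'
                             % (bit_length, key.algorithm))
        if key_format != 'RAW':
            raise ValueError('encryption root secret stored in the '
                             'external KMS must be in RAW format and not '
                             'e.g., as a base64 encoded string (format of '
                             'key with uuid %s: %s)' %
                             (key_id, key_format))
        return key.get_encoded()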
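    def _get_root_secret(self, conf):
        """
        Retrieve the root encryption secret from an external key management
        system using Castellan.

        The Keystone password credentials, the Castellan backend
        (``api_class``) and its ``auth_endpoint`` are all read from ``conf``;
        the secret itself is selected by ``conf['key_id']``.  A fetched
        secret is only accepted as root secret if it is an AES key of at
        least 256 bits stored in RAW format, which guards against a
        ``key_id`` that points at a weaker key or at an encoded (e.g. base64)
        copy of one.

        :param conf: the keymaster config section from proxy-server.conf
        :type conf: dict

        :return: the encryption root secret binary bytes
        :rtype: bytearray

        :raises ValueError: if the KMS returns nothing for ``key_id``, if the
            returned object is not a symmetric key (no usable ``bit_length``,
            ``algorithm`` or ``format``), or if the key is not AES, is shorter
            than 256 bits, or is not in RAW format
        """
        key_id = conf.get('key_id')
        ctxt = keystone_password.KeystonePassword(
            auth_url=conf.get('auth_endpoint'),
            username=conf.get('username'),
            password=conf.get('password'),
            project_name=conf.get('project_name'),
            user_domain_name=conf.get('user_domain_name'),
            project_domain_name=conf.get('project_domain_name'),
            user_id=conf.get('user_id'),
            user_domain_id=conf.get('user_domain_id'),
            trust_id=conf.get('trust_id'),
            domain_id=conf.get('domain_id'),
            domain_name=conf.get('domain_name'),
            project_id=conf.get('project_id'),
            project_domain_id=conf.get('project_domain_id'),
            reauthenticate=conf.get('reauthenticate'))
        oslo_conf = cfg.ConfigOpts()
        options.set_defaults(oslo_conf,
                             auth_endpoint=conf.get('auth_endpoint'),
                             api_class=conf.get('api_class'))
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        key = manager.get(ctxt, key_id)
        if key is None:
            raise ValueError("Retrieval of encryption root secret with key_id "
                             "'%s' returned None." % key_id)
        # Only the attribute reads live inside the try: a secret that is not
        # a symmetric key (passphrase, certificate, opaque blob, ...) has no
        # usable bit_length/algorithm/format and fails here.  The policy
        # checks below stay *outside* the try so that their own, specific
        # ValueError is not swallowed and re-reported as "not a symmetric
        # key" -- which is what a blanket try/except around them would do.
        try:
            bit_length = int(key.bit_length)
            algorithm = key.algorithm.lower()
            key_format = key.format
        except (AttributeError, TypeError, ValueError):
            raise ValueError("Secret with key_id '%s' is not a symmetric key "
                             "(type: %s)" %
                             (key_id, str(type(key))))
        if (bit_length < 256) or (algorithm != "aes"):
            raise ValueError('encryption root secret stored in the '
                             'external KMS must be an AES key of at least '
                             '256 bits (provided key length: %d, provided '
                             'key algorithm: %s)' %
                             (bit_length, key.algorithm))
        if key_format != 'RAW':
            raise ValueError('encryption root secret stored in the '
                             'external KMS must be in RAW format and not '
                             'e.g., as a base64 encoded string (format of '
                             'key with uuid %s: %s)' %
                             (key_id, key_format))
        return key.get_encoded()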
    def get_user_root_secret_by_id(self, account, user_token, key_id):
        """
        Retrieve the user's root encryption secret with the specified ID from
        an external key management system using Castellan.

        When ``ROOT_SECRET_CACHE_TIME`` is positive the per-account cache in
        ``self._user_root_secrets`` is consulted first.  A cache hit is
        returned without contacting the KMS, so the ``user_token`` presented
        on *this* request is not re-checked for a cached secret; nothing in
        this method expires cache entries either.  Every KMS fetch, whether
        or not caching is enabled on the read path, stores the secret in the
        cache.

        :param account: the name of the account
        :type account: string

        :param user_token: the keystone token of the user from the request;
                           it becomes the Castellan request context, so the
                           KMS authorises the lookup as that user
        :type user_token: string

        :param key_id: the ID of the user's root encryption secret to retrieve

        :return: the binary bytes of the user's root encryption secret with the
                 specified ID
        :rtype: bytearray

        :raises ValueError: if ``keymaster_config_path`` is set while
            ``key_id`` is also given in the inline config, or if the KMS
            returns no secret for ``key_id``
        """
        per_account = self._user_root_secrets.get(account)
        if per_account is None:
            per_account = {}
        elif ROOT_SECRET_CACHE_TIME > 0:
            cached = per_account.get(key_id)
            if cached is not None:
                return cached
        conf = self.conf
        if self.keymaster_config_path is not None:
            # A dedicated keymaster config file and inline key settings are
            # mutually exclusive; refuse to guess which one should win.
            if 'key_id' in conf:
                raise ValueError('keymaster_config_path is set, but there '
                                 'are other config options specified!')
            conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
        # The caller's own Keystone token is the request context, so access
        # to the secret is enforced by the KMS against that user.
        user_ctxt = keystone_token.KeystoneToken(token=user_token)
        oslo_conf = cfg.ConfigOpts()
        options.set_defaults(oslo_conf,
                             auth_endpoint=conf.get('auth_endpoint'),
                             api_class=conf.get('api_class'))
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        # Fetch the secret with exactly this ID.  A missing or unusable
        # 'api_class' is expected to surface as an exception from Castellan
        # here rather than as a None key.
        key = manager.get(user_ctxt, key_id)
        if key is None:
            raise ValueError("Could not find user '%s' with key_id '%s'" %
                             (account, key_id))
        per_account[key_id] = key.get_encoded()
        self._user_root_secrets[account] = per_account
        return key.get_encoded()
    def get_latest_user_root_secret_and_id(self, account, user_token):
        """
        Retrieve the user's latest root encryption secret from an external key
        management system using Castellan.

        The key manager is asked for its newest key matching ``bits=256``,
        ``algorithm='aes'`` and ``name='swift_root_secret'``, authenticated
        with the caller's own Keystone token.  On success the encoded secret
        is stored in ``self._user_root_secrets[account]`` under its ID; this
        write happens unconditionally and does not look at
        ``ROOT_SECRET_CACHE_TIME``.  Only the secret's ID is logged, never the
        key material.

        :param account: the name of the account
        :type account: string

        :param user_token: the keystone token of the user from the request;
                           it becomes the Castellan request context
        :type user_token: string

        :return: a tuple containing the binary bytes of the latest encryption
                 root secret, and the id of the latest root encryption secret;
                 ``(None, None)`` when the key manager reports no such key
        :rtype: (bytearray, string)

        :raises ValueError: if ``keymaster_config_path`` is set while
            ``key_id`` is also given in the inline config
        """
        conf = self.conf
        if self.keymaster_config_path is not None:
            # A dedicated keymaster config file and inline key settings are
            # mutually exclusive; refuse to guess which one should win.
            if 'key_id' in conf:
                raise ValueError('keymaster_config_path is set, but there '
                                 'are other config options specified!')
            conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
        user_ctxt = keystone_token.KeystoneToken(token=user_token)
        oslo_conf = cfg.ConfigOpts()
        options.set_defaults(oslo_conf,
                             auth_endpoint=conf.get('auth_endpoint'),
                             api_class=conf.get('api_class'))
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        # Ask Barbican for the newest matching key.  If no key manager class
        # was configured via 'api_class', or the configured one has no
        # get_latest_key() method, this raises.
        secret_id, key = manager.get_latest_key(
            user_ctxt, bits=256, algorithm='aes', name='swift_root_secret')
        self.logger.log(
            SECDEL_LOG_LEVEL_DEBUG,
            "ID of latest user root secret is %s" % secret_id)
        if secret_id is None or key is None:
            return None, None
        per_account = self._user_root_secrets.get(account)
        if per_account is None:
            per_account = {}
        per_account[secret_id] = key.get_encoded()
        self._user_root_secrets[account] = per_account
        return key.get_encoded(), secret_id