Example #1
0
def delete_proxy_user_for_job_execution(job_execution):
    '''Delete a proxy user based on a JobExecution

    :param job_execution: The job execution with proxy user information
    :returns: An updated job_configs dictionary or None

    '''
    proxy_configs = job_execution.job_configs.get('proxy_configs')
    if proxy_configs is not None:
        proxy_username = proxy_configs.get('proxy_username')
        key = key_manager.API().get(
            context.current(), proxy_configs.get('proxy_password'))
        proxy_password = key.get_encoded()
        proxy_trust_id = proxy_configs.get('proxy_trust_id')
        proxy_user = k.auth_for_proxy(proxy_username,
                                      proxy_password,
                                      proxy_trust_id)
        t.delete_trust(proxy_user, proxy_trust_id)
        proxy_user_delete(proxy_username)
        key_manager.API().delete(context.current(),
                                 proxy_configs.get('proxy_password'))
        update = job_execution.job_configs.to_dict()
        del update['proxy_configs']
        return update
    return None
Example #2
0
    def data_source_update(self, context, id, values):
        """Update the Data Source or raise if it does not exist."""

        values = copy.deepcopy(values)
        values["id"] = id
        # in cases where the credentials to access the data source are
        # stored with the record and the external key manager is being
        # used, we need to delete the old key from the manager and
        # create a new one. the other option here would be to retrieve
        # the previous key and check to see if it has changed, but it
        # seems less expensive to just delete the old and create a new
        # one.
        # it should be noted that the jsonschema validation ensures that
        # if the proxy domain is not in use then credentials must be
        # sent with this record.
        if (CONF.use_barbican_key_manager
                and not CONF.use_domain_for_proxy_users):
            # first we retrieve the original record to get the old key
            # uuid, and delete it.
            ds_record = self.data_source_get(context, id)
            if (ds_record.get('credentials')
                    and ds_record['credentials'].get('password')):
                key_manager.API().delete(context,
                                         ds_record['credentials']['password'])
            # next we create the new key.
            if (values.get('credentials')
                    and values['credentials'].get('password')):
                key = passphrase.Passphrase(values['credentials']['password'])
                password = key_manager.API().store(context, key)
                values['credentials']['password'] = password
        return self.db.data_source_update(context, values)
Example #3
0
    def job_binary_update(self, context, id, values):
        """Update a JobBinary from the values dictionary."""

        values = copy.deepcopy(values)
        values['id'] = id
        # in cases where the credentials to access the job binary are
        # stored with the record and the external key manager is being
        # used, we need to delete the old key from the manager and
        # create a new one. the other option here would be to retrieve
        # the previous key and check to see if it has changed, but it
        # seems less expensive to just delete the old and create a new
        # one.
        if (CONF.use_barbican_key_manager
                and not CONF.use_domain_for_proxy_users):
            # first we retrieve the original record to get the old key
            # uuid, and delete it.
            jb_record = self.job_binary_get(context, id)
            if jb_record.get('extra') and jb_record['extra'].get('password'):
                key_manager.API().delete(context,
                                         jb_record['extra']['password'])
            # next we create the new key.
            if values.get('extra') and values['extra'].get('password'):
                key = passphrase.Passphrase(values['extra']['password'])
                password = key_manager.API().store(context, key)
                values['extra']['password'] = password
        return self.db.job_binary_update(context, values)
Example #4
0
def secdel_get_barbican_manager_and_ctxt(output_manager, conf, api_class):
    try:
        # FIXME: Parameters have different names if passed as options
        # to swift-client
        user_domain_name = conf.get('os_user_domain_name')
        if user_domain_name is None:
            user_domain_name = 'Default'
        project_domain_name = conf.get('os_project_domain_name')
        if project_domain_name is None:
            project_domain_name = 'Default'
        ctxt = keystone_password.KeystonePassword(
            username=conf.get('os_username'),
            password=conf.get('os_password'),
            project_name=conf.get('os_project_name'),
            user_domain_name=user_domain_name,
            project_domain_name=project_domain_name,
            user_id=conf.get('os_user_id'),
            user_domain_id=conf.get('os_user_domain_id'),
            trust_id=conf.get('os_trust_id'),
            domain_id=conf.get('os_domain_id'),
            domain_name=conf.get('os_domain_name'),
            project_id=conf.get('os_project_id'),
            project_domain_id=conf.get('os_project_domain_id'),
            reauthenticate=conf.get('reauthenticate'))
        oslo_conf = cfg.ConfigOpts()
        # FIXME: os_auth_url and not auth_endpoint?
        options.set_defaults(
            oslo_conf, auth_endpoint=conf.get('os_auth_url'),
            api_class=conf.get('api_class', api_class)
        )
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        return manager, ctxt
    except SwiftError as e:
        output_manager.error(e.value)
Example #5
0
def _encrypt_data(context, data):
    try:
        # TODO(pbourke): move auth construction into common area if it ends up
        # been required in other areas
        auth = identity.V3Password(
            auth_url=settings.KEY_MANAGER['auth_url'],
            username=settings.KEY_MANAGER['username'],
            user_domain_name=settings.KEY_MANAGER['user_domain_name'],
            password=settings.KEY_MANAGER['password'],
            project_name=settings.KEY_MANAGER['project_name'],
            project_domain_name=settings.KEY_MANAGER['project_domain_name']
        )
    except (KeyError, AttributeError) as e:
        LOG.exception(e)
        msg = ('Could not find valid key manager credentials in the '
               'murano-dashboard config. encryptData yaql function not '
               'available')
        raise castellan_exception.KeyManagerError(message_arg=msg)
    sess = session.Session(auth=auth)
    auth_context = _oslo_context.RequestContext(
        auth_token=auth.get_token(sess), tenant=auth.get_project_id(sess))
    options.set_defaults(cfg.CONF,
                         auth_endpoint=settings.KEY_MANAGER['auth_url'])

    manager = key_manager.API()
    try:
        # TODO(pbourke): while we feel opaque data should cover the most common
        # use case, we may want to add support for other secret types in the
        # future (see https://goo.gl/tZhfqe)
        stored_key_id = manager.store(auth_context,
                                      opaque_data.OpaqueData(data))
    except castellan_exception.KeyManagerError as e:
        LOG.exception(e)
        raise
    return stored_key_id
Example #6
0
    def test_set_defaults(self):
        conf = cfg.ConfigOpts()

        self.assertTrue(
            isinstance(key_manager.API(conf), bkm.BarbicanKeyManager))

        cls = mock_key_manager.MockKeyManager
        backend = '%s.%s' % (cls.__module__, cls.__name__)
        options.set_defaults(conf, backend=backend)
        self.assertEqual(backend, conf.key_manager.backend)
        self.assertIsInstance(key_manager.API(conf),
                              mock_key_manager.MockKeyManager)

        barbican_endpoint = 'http://test-server.org:9311/'
        options.set_defaults(conf, barbican_endpoint=barbican_endpoint)
        self.assertEqual(barbican_endpoint,
                         conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint)

        barbican_api_version = 'vSomething'
        options.set_defaults(conf, barbican_api_version=barbican_api_version)
        self.assertEqual(barbican_api_version,
                         conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)

        auth_endpoint = 'http://test-server.org/identity'
        options.set_defaults(conf, auth_endpoint=auth_endpoint)
        self.assertEqual(auth_endpoint,
                         conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint)

        retry_delay = 3
        options.set_defaults(conf, retry_delay=retry_delay)
        self.assertEqual(retry_delay,
                         conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay)

        number_of_retries = 10
        options.set_defaults(conf, number_of_retries=number_of_retries)
        self.assertEqual(number_of_retries,
                         conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)

        verify_ssl = True
        options.set_defaults(conf, verify_ssl=True)
        self.assertEqual(verify_ssl,
                         conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)

        barbican_endpoint_type = 'internal'
        options.set_defaults(conf, barbican_endpoint_type='internal')
        result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type
        self.assertEqual(barbican_endpoint_type, result_type)
Example #7
0
def key_manager():
    conf = cfg.ConfigOpts()
    auth_endpoint = settings.OPENSTACK_KEYSTONE_URL
    insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
    options.set_defaults(conf,
                         auth_endpoint=auth_endpoint,
                         verify_ssl=not insecure)
    return key_manager_api.API(conf)
Example #8
0
def get_secret():
    """Authenticates user and obtains the one time use key"""
    ctxt = kmgr_auth.get_context()
    config = get_config()
    kmgr = key_manager.API(config)
    secret_uuid = os.getenv('OS_SECRET_UUID', None)
    secret = kmgr.get(ctxt, secret_uuid)
    return secret.get_encoded()
Example #9
0
def brick_get_encryptor(connection_info, *args, **kwargs):
    """Wrapper to get a brick encryptor object."""

    root_helper = get_root_helper()
    km = key_manager.API(CONF)
    return encryptors.get_volume_encryptor(root_helper=root_helper,
                                           connection_info=connection_info,
                                           keymgr=km,
                                           *args, **kwargs)
 def test_no_fixed_key(self):
     conf = self.conf
     conf.set_override('fixed_key', None, group='key_manager')
     key_mgr = key_manager.API(conf)
     self.assertNotEqual('MigrationKeyManager', type(key_mgr).__name__)
     self.assertRaises(exception.KeyManagerError,
                       key_mgr.get,
                       context=self.ctxt,
                       managed_object_id=self.fixed_key_id)
Example #11
0
def get_raw_data(job_binary, proxy_configs=None):
    conn_kwargs = {}
    if proxy_configs:
        key = key_manager.API().get(context.current(),
                                    proxy_configs.get('proxy_password'))
        password = key.get_encoded()
        conn_kwargs.update(username=proxy_configs.get('proxy_username'),
                           password=password,
                           trust_id=proxy_configs.get('proxy_trust_id'))
    else:
        key = key_manager.API().get(context.current(),
                                    job_binary.extra.get('password'))
        password = key.get_encoded()
        conn_kwargs.update(username=job_binary.extra.get('user'),
                           password=password)

    conn = sw.client(**conn_kwargs)
    return _get_raw_data(job_binary, conn)
Example #12
0
    def __init__(self, group_name, config_file, mapping_file):
        conf = cfg.ConfigOpts()
        conf(args=[], default_config_files=[config_file])

        self._name = group_name
        self._mngr = key_manager.API(conf)
        self._mapping = {}

        cfg.ConfigParser(mapping_file, self._mapping).parse()
Example #13
0
def delete_secret(id, ctx=None):
    """delete a secret from the external key manager

    :param id: The identifier of the secret to delete
    :param ctx: The context, and associated authentication, to use with
                this operation (defaults to the current context)
    """
    if ctx is None:
        ctx = context.current()
    key_manager.API().delete(ctx, id)
Example #14
0
def get_secret(id, ctx=None):
    """get a secret associated with an id

    :param id: The identifier of the secret to retrieve
    :param ctx: The context, and associated authentication, to use with
                this operation (defaults to the current context)
    """
    if ctx is None:
        ctx = context.current()
    key = key_manager.API().get(ctx, id)
    return key.get_encoded()
Example #15
0
    def _get_root_secret(self, conf):
        """
        Retrieve the root encryption secret from an external key management
        system using Castellan.

        :param conf: the keymaster config section from proxy-server.conf
        :type conf: dict

        :return: the encryption root secret binary bytes
        :rtype: bytearray
        """
        ctxt = keystone_password.KeystonePassword(
            auth_url=conf.get('auth_endpoint'),
            username=conf.get('username'),
            password=conf.get('password'),
            project_name=conf.get('project_name'),
            user_domain_name=conf.get('user_domain_name'),
            project_domain_name=conf.get('project_domain_name'),
            user_id=conf.get('user_id'),
            user_domain_id=conf.get('user_domain_id'),
            trust_id=conf.get('trust_id'),
            domain_id=conf.get('domain_id'),
            domain_name=conf.get('domain_name'),
            project_id=conf.get('project_id'),
            project_domain_id=conf.get('project_domain_id'),
            reauthenticate=conf.get('reauthenticate'))
        oslo_conf = cfg.ConfigOpts()
        options.set_defaults(oslo_conf,
                             auth_endpoint=conf.get('auth_endpoint'),
                             api_class=conf.get('api_class'))
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        key = manager.get(ctxt, conf.get('key_id'))
        if key is None:
            raise ValueError("Retrieval of encryption root secret with key_id "
                             "'%s' returned None." % conf.get('key_id'))
        try:
            if (key.bit_length < 256) or (key.algorithm.lower() != "aes"):
                raise ValueError('encryption root secret stored in the '
                                 'external KMS must be an AES key of at least '
                                 '256 bits (provided key length: %d, provided '
                                 'key algorithm: %s)' %
                                 (key.bit_length, key.algorithm))
            if (key.format != 'RAW'):
                raise ValueError('encryption root secret stored in the '
                                 'external KMS must be in RAW format and not '
                                 'e.g., as a base64 encoded string (format of '
                                 'key with uuid %s: %s)' %
                                 (conf.get('key_id'), key.format))
        except Exception:
            raise ValueError("Secret with key_id '%s' is not a symmetric key "
                             "(type: %s)" %
                             (conf.get('key_id'), str(type(key))))
        return key.get_encoded()
Example #16
0
    def _run_backup(self, context, backup, volume):
        # Save a copy of the encryption key ID in case the volume is deleted.
        if (volume.encryption_key_id is not None
                and backup.encryption_key_id is None):
            backup.encryption_key_id = volume_utils.clone_encryption_key(
                context, key_manager.API(CONF), volume.encryption_key_id)
            backup.save()

        backup_service = self.service(context)

        properties = volume_utils.brick_get_connector_properties()

        # NOTE(geguileo): Not all I/O disk operations properly do greenthread
        # context switching and may end up blocking the greenthread, so we go
        # with native threads proxy-wrapping the device file object.
        try:
            backup_device = self.volume_rpcapi.get_backup_device(
                context, backup, volume)
            attach_info = self._attach_device(context,
                                              backup_device.device_obj,
                                              properties,
                                              backup_device.is_snapshot)
            try:
                device_path = attach_info['device']['path']
                if (isinstance(device_path, str)
                        and not os.path.isdir(device_path)):
                    if backup_device.secure_enabled:
                        with open(device_path, 'rb') as device_file:
                            updates = backup_service.backup(
                                backup, tpool.Proxy(device_file))
                    else:
                        with utils.temporary_chown(device_path):
                            with open(device_path, 'rb') as device_file:
                                updates = backup_service.backup(
                                    backup, tpool.Proxy(device_file))
                # device_path is already file-like so no need to open it
                else:
                    updates = backup_service.backup(backup,
                                                    tpool.Proxy(device_path))

            finally:
                self._detach_device(context,
                                    attach_info,
                                    backup_device.device_obj,
                                    properties,
                                    backup_device.is_snapshot,
                                    force=True,
                                    ignore_errors=True)
        finally:
            with backup.as_read_deleted():
                backup.refresh()
            self._cleanup_temp_volumes_snapshots_when_backup_created(
                context, backup)
        return updates
 def test_using_conf_key_manager(self):
     conf = self.conf
     ckm_backend = 'castellan.tests.unit.key_manager.' \
                   'test_migration_key_manager.ConfKeyManager'
     conf.set_override('backend', ckm_backend, group='key_manager')
     key_mgr = key_manager.API(conf)
     self.assertNotEqual('MigrationKeyManager', type(key_mgr).__name__)
     self.assertRaises(NotImplementedError,
                       key_mgr.get,
                       context=self.ctxt,
                       managed_object_id=self.fixed_key_id)
 def _create_key_manager(self):
     self.fixed_key = '1' * 64
     try:
         self.conf.register_opt(cfg.StrOpt('fixed_key'),
                                group='key_manager')
     except cfg.DuplicateOptError:
         pass
     self.conf.set_override('fixed_key',
                            self.fixed_key,
                            group='key_manager')
     return key_manager.API(self.conf)
Example #19
0
def store_secret(secret, ctx=None):
    """store a secret and return its identifier

    :param secret: The secret to store, this should be a string
    :param ctx: The context, and associated authentication, to use with
                this operation (defaults to the current context)
    """
    if ctx is None:
        ctx = context.current()
    key = passphrase.Passphrase(secret)
    return key_manager.API().store(ctx, key)
Example #20
0
    def job_binary_create(self, context, values):
        """Create a JobBinary from the values dictionary."""

        values = copy.deepcopy(values)
        values = _apply_defaults(values, JOB_BINARY_DEFAULTS)
        values['tenant_id'] = context.tenant_id
        # if credentials are being passed in, we use the key_manager
        # to store the password.
        if values.get('extra') and values['extra'].get('password'):
            key = passphrase.Passphrase(values['extra']['password'])
            password = key_manager.API().store(context, key)
            values['extra']['password'] = password
        return self.db.job_binary_create(context, values)
Example #21
0
    def job_binary_destroy(self, context, job_binary):
        """Destroy the JobBinary or raise if it does not exist."""

        # in cases where the credentials to access the job binary are
        # stored with the record and the external key manager is being
        # used, we need to delete the key from the external manager.
        if (CONF.use_barbican_key_manager
                and not CONF.use_domain_for_proxy_users):
            jb_record = self.job_binary_get(context, job_binary)
            if jb_record.get('extra') and jb_record['extra'].get('password'):
                key_manager.API().delete(context,
                                         jb_record['extra']['password'])
        self.db.job_binary_destroy(context, job_binary)
Example #22
0
    def data_source_destroy(self, context, data_source):
        """Destroy the Data Source or raise if it does not exist."""

        # in cases where the credentials to access the data source are
        # stored with the record and the external key manager is being
        # used, we need to delete the key from the external manager.
        if (CONF.use_barbican_key_manager
                and not CONF.use_domain_for_proxy_users):
            ds_record = self.data_source_get(context, data_source)
            if (ds_record.get('credentials')
                    and ds_record['credentials'].get('password')):
                key_manager.API().delete(context,
                                         ds_record['credentials']['password'])
        return self.db.data_source_destroy(context, data_source)
Example #23
0
    def data_source_create(self, context, values):
        """Create a Data Source from the values dictionary."""

        values = copy.deepcopy(values)
        values = _apply_defaults(values, DATA_SOURCE_DEFAULTS)
        values['tenant_id'] = context.tenant_id
        # if credentials are being passed in, we use the key_manager
        # to store the password.
        if (values.get('credentials')
                and values['credentials'].get('password')):
            key = passphrase.Passphrase(values['credentials']['password'])
            password = key_manager.API().store(context, key)
            values['credentials']['password'] = password
        return self.db.data_source_create(context, values)
Example #24
0
def delete_proxy_user_for_cluster(cluster):
    '''Delete a proxy user based on a Cluster

    :param cluster: The cluster model with proxy user information

    '''
    proxy_configs = cluster.cluster_configs.get('proxy_configs')
    if proxy_configs is not None:
        proxy_username = proxy_configs.get('proxy_username')
        key = key_manager.API().get(
            context.current(), proxy_configs.get('proxy_password'))
        proxy_password = key.get_encoded()
        proxy_trust_id = proxy_configs.get('proxy_trust_id')
        proxy_user = k.auth_for_proxy(proxy_username,
                                      proxy_password,
                                      proxy_trust_id)
        t.delete_trust(proxy_user, proxy_trust_id)
        proxy_user_delete(proxy_username)
        key_manager.API().delete(context.current(),
                                 proxy_configs.get('proxy_password'))
        update = {'cluster_configs': cluster.cluster_configs.to_dict()}
        del update['cluster_configs']['proxy_configs']
        conductor.cluster_update(context.ctx(), cluster, update)
Example #25
0
def decrypt_data(value):
    manager = key_manager.API()
    try:
        context = castellan_utils.credential_factory(conf=cfg.CONF)
    except castellan_exception.AuthTypeInvalidError as e:
        LOG.exception(e)
        LOG.error("Castellan must be correctly configured in order to use "
                  "decryptData()")
        raise
    try:
        data = manager.get(context, value).get_encoded()
    except castellan_exception.KeyManagerError as e:
        LOG.exception(e)
        raise
    return data
Example #26
0
    def get_configs(self, input_data, output_data, proxy_configs=None):
        configs = {}

        if proxy_configs:
            key = key_manager.API().get(context.current(),
                                        proxy_configs.get('proxy_password'))
            configs[sw.HADOOP_SWIFT_USERNAME] = proxy_configs.get(
                'proxy_username')
            configs[sw.HADOOP_SWIFT_PASSWORD] = key.get_encoded()
            configs[sw.HADOOP_SWIFT_TRUST_ID] = proxy_configs.get(
                'proxy_trust_id')
            configs[sw.HADOOP_SWIFT_DOMAIN_NAME] = CONF.proxy_user_domain_name
            return configs

        for src in (input_data, output_data):
            if src.type == "swift" and hasattr(src, "credentials"):
                if "user" in src.credentials:
                    configs[sw.HADOOP_SWIFT_USERNAME] = src.credentials['user']
                if "password" in src.credentials:
                    key = key_manager.API().get(context.current(),
                                                src.credentials['password'])
                    configs[sw.HADOOP_SWIFT_PASSWORD] = key.get_encoded()
                break
        return configs
Example #27
0
    def get_user_root_secret_by_id(self, account, user_token, key_id):
        """
        Retrieve the user's root encryption secret with the specified ID from
        an external key management system using Castellan.

        :param account: the name of the account
        :type account: string

        :param user_token: the keystone token of the user from the request
        :type user_token: string

        :param key_id: the ID of the user's root encryption secret to retrieve

        :return: the binary bytes of the user's root encryption secret with the
                 specified ID
        :rtype: bytearray
        """
        user_root_secrets = self._user_root_secrets.get(account)
        if user_root_secrets is None:
            user_root_secrets = dict()
        else:
            encoded_key = user_root_secrets.get(key_id)
            if ROOT_SECRET_CACHE_TIME > 0:
                if encoded_key is not None:
                    return encoded_key
        conf = self.conf
        if self.keymaster_config_path is not None:
            if any(opt in conf for opt in ('key_id', )):
                raise ValueError('keymaster_config_path is set, but there '
                                 'are other config options specified!')
            conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
        user_ctxt = keystone_token.KeystoneToken(token=user_token)
        oslo_conf = cfg.ConfigOpts()
        options.set_defaults(oslo_conf,
                             auth_endpoint=conf.get('auth_endpoint'),
                             api_class=conf.get('api_class'))
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        # Get the latest key from Barbican. If no keymanager class has been
        # specified (using 'api_class'), or the keymaster does not have a
        # 'get_latest_key()' method, an exception will be raised.
        key = manager.get(user_ctxt, key_id)
        if key is None:
            raise ValueError("Could not find user '%s' with key_id '%s'" %
                             (account, key_id))
        user_root_secrets[key_id] = key.get_encoded()
        self._user_root_secrets[account] = user_root_secrets
        return key.get_encoded()
Example #28
0
    def get_configs(self, proxy_configs=None):
        configs = {}

        if proxy_configs:
            key = key_manager.API().get(context.current(),
                                        proxy_configs.get('proxy_password'))
            password = key.get_encoded()
            configs[sw.HADOOP_SWIFT_USERNAME] = proxy_configs.get(
                'proxy_username')
            configs[sw.HADOOP_SWIFT_PASSWORD] = password
            configs[sw.HADOOP_SWIFT_TRUST_ID] = proxy_configs.get(
                'proxy_trust_id')
            configs[sw.HADOOP_SWIFT_DOMAIN_NAME] = CONF.proxy_user_domain_name
            return configs

        return configs
Example #29
0
def get_certificate(context, signature_certificate_uuid):
    """Create the certificate object from the retrieved certificate data.

    :param context: the user context for authentication
    :param signature_certificate_uuid: the uuid to use to retrieve the
                                       certificate
    :returns: the certificate cryptography object
    :raises glance.common.exception.SignatureVerificationError: if the
            retrieval fails or the format is invalid
    """
    keymgr_api = key_manager.API()

    try:
        # The certificate retrieved here is a castellan certificate object
        cert = keymgr_api.get(context, signature_certificate_uuid)
    except Exception as e:
        # The problem encountered may be backend-specific, since castellan
        # can use different backends.  Rather than importing all possible
        # backends here, the generic "Exception" is used.
        msg = (_LE("Unable to retrieve certificate with ID %(id)s: %(e)s")
               % {'id': signature_certificate_uuid,
                  'e': encodeutils.exception_to_unicode(e)})
        LOG.error(msg)
        raise exception.SignatureVerificationError(
            _('Unable to retrieve certificate with ID: %s')
            % signature_certificate_uuid
        )

    if cert.format not in CERTIFICATE_FORMATS:
        raise exception.SignatureVerificationError(
            _('Invalid certificate format: %s') % cert.format
        )

    if cert.format == X_509:
        # castellan always encodes certificates in DER format
        cert_data = cert.get_encoded()
        certificate = x509.load_der_x509_certificate(cert_data,
                                                     default_backend())
    else:
        raise exception.SignatureVerificationError(
            _('Certificate format not supported: %s') % cert.format
        )

    # verify the certificate
    verify_certificate(certificate)

    return certificate
Example #30
0
    def get_latest_user_root_secret_and_id(self, account, user_token):
        """
        Retrieve the user's latest root encryption secret from an external key
        management system using Castellan.

        :param account: the name of the account
        :type account: string

        :param user_token: the keystone token of the user from the request
        :type user_token: string

        :return: a tuple containing the binary bytes of the latest encryption
                 root secret, and the id of the latest root encryption secret
        :rtype: (bytearray, string)
        """
        conf = self.conf
        if self.keymaster_config_path is not None:
            if any(opt in conf for opt in ('key_id', )):
                raise ValueError('keymaster_config_path is set, but there '
                                 'are other config options specified!')
            conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
        user_ctxt = keystone_token.KeystoneToken(token=user_token)
        oslo_conf = cfg.ConfigOpts()
        options.set_defaults(oslo_conf,
                             auth_endpoint=conf.get('auth_endpoint'),
                             api_class=conf.get('api_class'))
        options.enable_logging()
        manager = key_manager.API(oslo_conf)
        # Get the latest key from Barbican. If no keymanager class has been
        # specified (using 'api_class'), or the keymaster does not have a
        # 'get_latest_key()' method, an exception will be raised.
        latest_user_root_secret_id, key = manager.get_latest_key(
            user_ctxt, bits=256, algorithm='aes', name='swift_root_secret')
        self.logger.log(
            SECDEL_LOG_LEVEL_DEBUG,
            "ID of latest user root secret is %s" % latest_user_root_secret_id)
        if latest_user_root_secret_id is None or key is None:
            return None, None
        user_root_secrets = self._user_root_secrets.get(account)
        if user_root_secrets is None:
            user_root_secrets = dict()
        user_root_secrets[latest_user_root_secret_id] = key.get_encoded()
        self._user_root_secrets[account] = user_root_secrets
        return key.get_encoded(), latest_user_root_secret_id