def _generate_csr_from_private_key(order_model, project_model): """Generate a CSR from the private key. :param: order_model - order for the request :param: project_model - project for this request :return: CSR (certificate signing request) in PEM format :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found :class:`StoredKeyContainerNotFound` if container not found """ container_id, container = _get_container_from_order_meta(order_model, project_model) if not container: raise excep.StoredKeyContainerNotFound(container_id) passphrase = None private_key = None for cs in container.container_secrets: secret_repo = repos.get_secret_repository() if cs.name == "private_key": private_key_model = secret_repo.get(cs.secret_id, project_model.external_id) private_key = plugin.get_secret("application/pkcs8", private_key_model, project_model) elif cs.name == "private_key_passphrase": passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id) passphrase = plugin.get_secret("text/plain;charset=utf-8", passphrase_model, project_model) passphrase = str(passphrase) if not private_key: raise excep.StoredKeyPrivateKeyNotFound(container.id) if passphrase is None: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key) else: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase) subject_name = order_model.meta.get("subject_dn") subject_name_dns = ldap.dn.str2dn(subject_name) extensions = order_model.meta.get("extensions", None) req = crypto.X509Req() subj = req.get_subject() # Note: must iterate over the DNs in reverse order, or the resulting # subject name will be reversed. for ava in reversed(subject_name_dns): for key, val, extra in ava: setattr(subj, key.upper(), val) req.set_pubkey(pkey) if extensions: # TODO(alee-3) We need code here to parse the encoded extensions and # convert them into X509Extension objects. This code will also be # used in the validation code. Commenting out for now till we figure # out how to do this. # req.add_extensions(extensions) pass req.sign(pkey, "sha256") csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) return csr
def _on_get_secret_payload(self, secret, external_project_id, **kwargs): """GET actual payload containing the secret.""" # With ACL support, the user token project does not have to be same as # project associated with secret. The lookup project_id needs to be # derived from the secret's data considering authorization is already # done. external_project_id = secret.project.external_id project = res.get_or_create_project(external_project_id) # default to application/octet-stream if there is no Accept header if (type(pecan.request.accept) is accept.NoHeaderType or not pecan.request.accept.header_value): accept_header = 'application/octet-stream' else: accept_header = pecan.request.accept.header_value pecan.override_template('', accept_header) # check if payload exists before proceeding if not secret.encrypted_data and not secret.secret_store_metadata: _secret_payload_not_found() twsk = kwargs.get('trans_wrapped_session_key', None) transport_key = None if twsk: transport_key = self._get_transport_key( kwargs.get('transport_key_id', None)) return plugin.get_secret(accept_header, secret, project, twsk, transport_key)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs): """GET actual payload containing the secret.""" # With ACL support, the user token project does not have to be same as # project associated with secret. The lookup project_id needs to be # derived from the secret's data considering authorization is already # done. external_project_id = secret.project.external_id project = res.get_or_create_project(external_project_id) # default to application/octet-stream if there is no Accept header accept_header = getattr(pecan.request.accept, 'header_value', 'application/octet-stream') pecan.override_template('', accept_header) # check if payload exists before proceeding if not secret.encrypted_data and not secret.secret_store_metadata: _secret_payload_not_found() twsk = kwargs.get('trans_wrapped_session_key', None) transport_key = None if twsk: transport_key = self._get_transport_key( kwargs.get('transport_key_id', None)) return plugin.get_secret(accept_header, secret, project, twsk, transport_key)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs): """GET actual payload containing the secret.""" # With ACL support, the user token project does not have to be same as # project associated with secret. The lookup project_id needs to be # derived from the secret's data considering authorization is already # done. external_project_id = secret.project.external_id project = res.get_or_create_project(external_project_id) # default to application/octet-stream if there is no Accept header accept_header = getattr(pecan.request.accept, 'header_value', 'application/octet-stream') pecan.override_template('', accept_header) twsk = kwargs.get('trans_wrapped_session_key', None) transport_key = None if twsk: transport_key = self._get_transport_key( kwargs.get('transport_key_id', None)) return plugin.get_secret(accept_header, secret, project, twsk, transport_key)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs): """GET actual payload containing the secret.""" project = res.get_or_create_project(external_project_id, self.repos.project_repo) pecan.override_template('', pecan.request.accept.header_value) twsk = kwargs.get('trans_wrapped_session_key', None) transport_key = None if twsk: transport_key = self._get_transport_key( kwargs.get('transport_key_id', None)) return plugin.get_secret(pecan.request.accept.header_value, secret, project, self.repos, twsk, transport_key)
def index(self, keystone_id, **kwargs): secret = self.repos.secret_repo.get(entity_id=self.secret_id, keystone_id=keystone_id, suppress_exception=True) if not secret: _secret_not_found() if controllers.is_json_request_accept(pecan.request): # Metadata-only response, no secret retrieval is necessary. pecan.override_template('json', 'application/json') secret_fields = putil.mime_types.augment_fields_with_content_types( secret) transport_key_needed = kwargs.get('transport_key_needed', 'false').lower() == 'true' if transport_key_needed: transport_key_id = plugin.get_transport_key_id_for_retrieval( secret) if transport_key_id is not None: secret_fields['transport_key_id'] = transport_key_id return hrefs.convert_to_hrefs(secret_fields) else: project = res.get_or_create_project(keystone_id, self.repos.project_repo) pecan.override_template('', pecan.request.accept.header_value) transport_key = None twsk = kwargs.get('trans_wrapped_session_key', None) if twsk is not None: transport_key_id = kwargs.get('transport_key_id', None) if transport_key_id is None: _request_has_twsk_but_no_transport_key_id() transport_key_model = self.repos.transport_key_repo.get( entity_id=transport_key_id, suppress_exception=True) transport_key = transport_key_model.transport_key return plugin.get_secret(pecan.request.accept.header_value, secret, project, self.repos, twsk, transport_key)
def index(self, keystone_id): secret = self.repos.secret_repo.get(entity_id=self.secret_id, keystone_id=keystone_id, suppress_exception=True) if not secret: _secret_not_found() if controllers.is_json_request_accept(pecan.request): # Metadata-only response, no secret retrieval is necessary. pecan.override_template('json', 'application/json') secret_fields = putil.mime_types.augment_fields_with_content_types( secret) return hrefs.convert_to_hrefs(keystone_id, secret_fields) else: tenant = res.get_or_create_tenant(keystone_id, self.repos.tenant_repo) pecan.override_template('', pecan.request.accept.header_value) return plugin.get_secret(pecan.request.accept.header_value, secret, tenant)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs): """GET actual payload containing the secret.""" # With ACL support, the user token project does not have to be same as # project associated with secret. The lookup project_id needs to be # derived from the secret's data considering authorization is already # done. external_project_id = secret.project_assocs[0].projects.external_id project = res.get_or_create_project(external_project_id) pecan.override_template('', pecan.request.accept.header_value) twsk = kwargs.get('trans_wrapped_session_key', None) transport_key = None if twsk: transport_key = self._get_transport_key( kwargs.get('transport_key_id', None)) return plugin.get_secret(pecan.request.accept.header_value, secret, project, twsk, transport_key)
def _generate_csr(order_model, project_model): """Generate a CSR from the public key. :param: order_model - order for the request :param: project_model - project for this request :return: CSR (certificate signing request) in PEM format :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found :class:`StoredKeyContainerNotFound` if container not found """ container_ref = order_model.meta.get('container_ref') # extract container_id as the last part of the URL container_id = hrefs.get_container_id_from_ref(container_ref) container_repo = repos.get_container_repository() container = container_repo.get(container_id, project_model.external_id, suppress_exception=True) if not container: raise excep.StoredKeyContainerNotFound(container_id) passphrase = None private_key = None for cs in container.container_secrets: secret_repo = repos.get_secret_repository() if cs.name == 'private_key': private_key_model = secret_repo.get(cs.secret_id, project_model.external_id) private_key = plugin.get_secret('application/pkcs8', private_key_model, project_model) elif cs.name == 'private_key_passphrase': passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id) passphrase = plugin.get_secret('text/plain;charset=utf-8', passphrase_model, project_model) passphrase = str(passphrase) if not private_key: raise excep.StoredKeyPrivateKeyNotFound(container_id) if passphrase is None: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key) else: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase) subject_name = order_model.meta.get('subject_dn') subject_name_dns = ldap.dn.str2dn(subject_name) extensions = order_model.meta.get('extensions', None) req = crypto.X509Req() subj = req.get_subject() # Note: must iterate over the DNs in reverse order, or the resulting # subject name will be reversed. for ava in reversed(subject_name_dns): for key, val, extra in ava: setattr(subj, key.upper(), val) req.set_pubkey(pkey) if extensions: # TODO(alee-3) We need code here to parse the encoded extensions and # convert them into X509Extension objects. This code will also be # used in the validation code. Commenting out for now till we figure # out how to do this. # req.add_extensions(extensions) pass req.sign(pkey, 'sha256') csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) return csr