def secdel_get_barbican_manager_and_ctxt(output_manager, conf, api_class):
try:
# FIXME: Parameters have different names if passed as options
# to swift-client
user_domain_name = conf.get('os_user_domain_name')
if user_domain_name is None:
user_domain_name = 'Default'
project_domain_name = conf.get('os_project_domain_name')
if project_domain_name is None:
project_domain_name = 'Default'
ctxt = keystone_password.KeystonePassword(
username=conf.get('os_username'),
password=conf.get('os_password'),
project_name=conf.get('os_project_name'),
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
user_id=conf.get('os_user_id'),
user_domain_id=conf.get('os_user_domain_id'),
trust_id=conf.get('os_trust_id'),
domain_id=conf.get('os_domain_id'),
domain_name=conf.get('os_domain_name'),
project_id=conf.get('os_project_id'),
project_domain_id=conf.get('os_project_domain_id'),
reauthenticate=conf.get('reauthenticate'))
oslo_conf = cfg.ConfigOpts()
# FIXME: os_auth_url and not auth_endpoint?
options.set_defaults(
oslo_conf, auth_endpoint=conf.get('os_auth_url'),
api_class=conf.get('api_class', api_class)
)
options.enable_logging()
manager = key_manager.API(oslo_conf)
return manager, ctxt
except SwiftError as e:
output_manager.error(e.value)
def test___eq__(self):
self.assertTrue(
self.ks_password_credential == self.ks_password_credential)
self.assertTrue(
self.ks_password_credential is self.ks_password_credential)
self.assertFalse(self.ks_password_credential is None)
self.assertFalse(None == self.ks_password_credential)
other_ks_password_credential = keystone_password.KeystonePassword(
self.password,
username=self.username,
user_id=self.user_id,
user_domain_id=self.user_domain_id,
user_domain_name=self.user_domain_name,
trust_id=self.trust_id,
domain_id=self.domain_id,
domain_name=self.domain_name,
project_id=self.project_id,
project_name=self.project_name,
project_domain_id=self.project_domain_id,
project_domain_name=self.project_domain_name,
reauthenticate=self.reauthenticate)
self.assertTrue(
self.ks_password_credential == other_ks_password_credential)
self.assertFalse(
self.ks_password_credential is other_ks_password_credential)
def generate_tacker_service_context():
return keystone_password.KeystonePassword(
password=CONF.keystone_authtoken.password,
auth_url=CONF.keystone_authtoken.auth_url,
username=CONF.keystone_authtoken.username,
user_domain_name=CONF.keystone_authtoken.user_domain_name,
project_name=CONF.keystone_authtoken.project_name,
project_domain_name=CONF.keystone_authtoken.project_domain_name)
def _get_root_secret(self, conf):
"""
Retrieve the root encryption secret from an external key management
system using Castellan.
:param conf: the keymaster config section from proxy-server.conf
:type conf: dict
:return: the encryption root secret binary bytes
:rtype: bytearray
"""
ctxt = keystone_password.KeystonePassword(
auth_url=conf.get('auth_endpoint'),
username=conf.get('username'),
password=conf.get('password'),
project_name=conf.get('project_name'),
user_domain_name=conf.get('user_domain_name'),
project_domain_name=conf.get('project_domain_name'),
user_id=conf.get('user_id'),
user_domain_id=conf.get('user_domain_id'),
trust_id=conf.get('trust_id'),
domain_id=conf.get('domain_id'),
domain_name=conf.get('domain_name'),
project_id=conf.get('project_id'),
project_domain_id=conf.get('project_domain_id'),
reauthenticate=conf.get('reauthenticate'))
oslo_conf = cfg.ConfigOpts()
options.set_defaults(oslo_conf,
auth_endpoint=conf.get('auth_endpoint'),
api_class=conf.get('api_class'))
options.enable_logging()
manager = key_manager.API(oslo_conf)
key = manager.get(ctxt, conf.get('key_id'))
if key is None:
raise ValueError("Retrieval of encryption root secret with key_id "
"'%s' returned None." % conf.get('key_id'))
try:
if (key.bit_length < 256) or (key.algorithm.lower() != "aes"):
raise ValueError('encryption root secret stored in the '
'external KMS must be an AES key of at least '
'256 bits (provided key length: %d, provided '
'key algorithm: %s)' %
(key.bit_length, key.algorithm))
if (key.format != 'RAW'):
raise ValueError('encryption root secret stored in the '
'external KMS must be in RAW format and not '
'e.g., as a base64 encoded string (format of '
'key with uuid %s: %s)' %
(conf.get('key_id'), key.format))
except Exception:
raise ValueError("Secret with key_id '%s' is not a symmetric key "
"(type: %s)" %
(conf.get('key_id'), str(type(key))))
return key.get_encoded()
def setUp(self):
super(BarbicanKeyManagerKSPasswordTestCase, self).setUp()
username = CONF.identity.username
password = CONF.identity.password
project_name = CONF.identity.project_name
user_domain_name = CONF.identity.user_domain_name
project_domain_name = CONF.identity.project_domain_name
self.ctxt = keystone_password.KeystonePassword(
username=username,
password=password,
project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name)
def get_context(self):
username = CONF.identity.username
password = CONF.identity.password
project_name = CONF.identity.project_name
user_domain_name = CONF.identity.user_domain_name
project_domain_name = CONF.identity.project_domain_name
ctxt = keystone_password.KeystonePassword(
username=username, password=password,
project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name)
return ctxt
def _create_ks_password_credential(self):
return keystone_password.KeystonePassword(
self.password,
username=self.username,
user_id=self.user_id,
user_domain_id=self.user_domain_id,
user_domain_name=self.user_domain_name,
trust_id=self.trust_id,
domain_id=self.domain_id,
domain_name=self.domain_name,
project_id=self.project_id,
project_name=self.project_name,
project_domain_id=self.project_domain_id,
project_domain_name=self.project_domain_name,
reauthenticate=self.reauthenticate)
def test___ne___reauthenticate(self):
other_reauthenticate = False
other_ks_password_credential = keystone_password.KeystonePassword(
self.password,
username=self.username,
user_id=self.user_id,
user_domain_id=self.user_domain_id,
user_domain_name=self.user_domain_name,
trust_id=self.trust_id,
domain_id=self.domain_id,
domain_name=self.domain_name,
project_id=self.project_id,
project_name=self.project_name,
project_domain_id=self.project_domain_id,
project_domain_name=self.project_domain_name,
reauthenticate=other_reauthenticate)
self.assertTrue(
self.ks_password_credential != other_ks_password_credential)
def delete_encryption_key(context, key_manager, encryption_key_id):
try:
key_manager.delete(context, encryption_key_id)
except castellan_exception.ManagedObjectNotFoundError:
pass
except castellan_exception.KeyManagerError:
LOG.info("First attempt to delete key id %s failed, retrying with "
"cinder's service context.", encryption_key_id)
conf = CONF
ks_loading.register_auth_conf_options(conf, 'keystone_authtoken')
service_context = keystone_password.KeystonePassword(
password=conf.keystone_authtoken.password,
auth_url=conf.keystone_authtoken.auth_url,
username=conf.keystone_authtoken.username,
user_domain_name=conf.keystone_authtoken.user_domain_name,
project_name=conf.keystone_authtoken.project_name,
project_domain_name=conf.keystone_authtoken.project_domain_name)
try:
castellan_key_manager.API(conf).delete(service_context,
encryption_key_id)
except castellan_exception.ManagedObjectNotFoundError:
pass
def credential_factory(conf=None, context=None):
"""This function provides a factory for credentials.
It is used to create an appropriare credential object
from a passed configuration. This should be called before
making any calls to a key manager.
:param conf: Configuration file which this factory method uses
to generate a credential object. Note: In the future it will
become a required field.
:param context: Context used for authentication. It can be used
in conjunction with the configuration file. If no conf is passed,
then the context object will be converted to a KeystoneToken and
returned. If a conf is passed then only the 'token' is grabbed from
the context for the authentication types that require a token.
:returns: A credential object used for authenticating with the
Castellan key manager. Type of credential returned depends on
config and/or context passed.
"""
if conf:
conf.register_opts(credential_opts, group=OPT_GROUP)
if conf.key_manager.auth_type == 'token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return token.Token(auth_token)
elif conf.key_manager.auth_type == 'password':
return password.Password(conf.key_manager.username,
conf.key_manager.password)
elif conf.key_manager.auth_type == 'keystone_password':
return keystone_password.KeystonePassword(
conf.key_manager.password,
username=conf.key_manager.username,
user_id=conf.key_manager.user_id,
user_domain_id=conf.key_manager.user_domain_id,
user_domain_name=conf.key_manager.user_domain_name,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.domain_id,
project_domain_name=conf.key_manager.domain_name,
reauthenticate=conf.key_manager.reauthenticate)
elif conf.key_manager.auth_type == 'keystone_token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return keystone_token.KeystoneToken(
auth_token,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.domain_id,
project_domain_name=conf.key_manager.domain_name,
reauthenticate=conf.key_manager.reauthenticate)
else:
LOG.error(_LE("Invalid auth_type specified."))
raise exception.AuthTypeInvalidError(
type=conf.key_manager.auth_type)
# for compatibility between _TokenData and RequestContext
if hasattr(context, 'tenant') and context.tenant:
project_id = context.tenant
elif hasattr(context, 'project_id') and context.project_id:
project_id = context.project_id
return keystone_token.KeystoneToken(context.auth_token,
project_id=project_id)
