def create_key(self, context, algorithm, length, expiration=None, name=None): """Creates a symmetric key. :param context: contains information of the user and the environment for the request (castellan/context.py) :param algorithm: the algorithm associated with the secret :param length: the bit length of the secret :param name: the name of the key :param expiration: the date the key will expire :return: the UUID of the new key :raises KeyManagerError: if key creation fails """ barbican_client = self._get_barbican_client(context) try: key_order = barbican_client.orders.create_key( name=name, algorithm=algorithm, bit_length=length, expiration=expiration) order_ref = key_order.submit() order = self._get_active_order(barbican_client, order_ref) return self._retrieve_secret_uuid(order.secret_ref) except (barbican_exceptions.HTTPAuthError, barbican_exceptions.HTTPClientError, barbican_exceptions.HTTPServerError) as e: LOG.error(_LE("Error creating key: %s"), e) raise exception.KeyManagerError(reason=e)
def _get_active_order(self, barbican_client, order_ref): """Returns the order when it is active. Barbican key creation is done asynchronously, so this loop continues checking until the order is active or a timeout occurs. """ active_status = u'ACTIVE' error_status = u'ERROR' number_of_retries = self.conf.barbican.number_of_retries retry_delay = self.conf.barbican.retry_delay order = barbican_client.orders.get(order_ref) time.sleep(.25) for n in range(number_of_retries): if order.status == error_status: kwargs = { "status": error_status, "code": order.error_status_code, "reason": order.error_reason } msg = _LE("Order is in %(status)s status - status code: " "%(code)s, status reason: %(reason)s") % kwargs LOG.error(msg) raise exception.KeyManagerError(reason=msg) if order.status != active_status: kwargs = { 'attempt': n, 'total': number_of_retries, 'status': order.status, 'active': active_status, 'delay': retry_delay } msg = _LI("Retry attempt #%(attempt)i out of %(total)i: " "Order status is '%(status)s'. Waiting for " "'%(active)s', will retry in %(delay)s " "seconds") LOG.info(msg, kwargs) time.sleep(retry_delay) order = barbican_client.orders.get(order_ref) else: return order msg = _LE("Exceeded retries: Failed to find '%(active)s' status " "within %(num_retries)i retries") % { 'active': active_status, 'num_retries': number_of_retries } LOG.error(msg) raise exception.KeyManagerError(reason=msg)
def _get_barbican_client(self, context): """Creates a client to connect to the Barbican service. :param context: the user context for authentication :return: a Barbican Client object :raises Forbidden: if the context is None :raises KeyManagerError: if context is missing tenant or tenant is None or error occurs while creating client """ # Confirm context is provided, if not raise forbidden if not context: msg = _LE("User is not authorized to use key manager.") LOG.error(msg) raise exception.Forbidden(msg) if self._barbican_client and self._current_context == context: return self._barbican_client try: auth = self._get_keystone_auth(context) sess = session.Session(auth=auth, verify=self.conf.barbican.verify_ssl) self._barbican_endpoint = self._get_barbican_endpoint(auth, sess) self._barbican_client = barbican_client.Client( session=sess, endpoint=self._barbican_endpoint) self._current_context = context except Exception as e: LOG.error(_LE("Error creating Barbican client: %s"), e) raise exception.KeyManagerError(reason=e) self._base_url = self._create_base_url(auth, sess, self._barbican_endpoint) return self._barbican_client
def _create_base_url(self, auth, sess, endpoint): if self.conf.barbican.barbican_api_version: api_version = self.conf.barbican.barbican_api_version else: discovery = auth.get_discovery(sess, url=endpoint) raw_data = discovery.raw_version_data() if len(raw_data) == 0: msg = _LE( "Could not find discovery information for %s") % endpoint LOG.error(msg) raise exception.KeyManagerError(reason=msg) latest_version = raw_data[-1] api_version = latest_version.get('id') base_url = urllib.parse.urljoin(endpoint, api_version) return base_url
def _get_keystone_auth(self, context): auth_url = self.conf.barbican.auth_endpoint if context.__class__.__name__ is 'KeystonePassword': return identity.Password( auth_url=auth_url, username=context.username, password=context.password, user_id=context.user_id, user_domain_id=context.user_domain_id, user_domain_name=context.user_domain_name, trust_id=context.trust_id, domain_id=context.domain_id, domain_name=context.domain_name, project_id=context.project_id, project_name=context.project_name, project_domain_id=context.project_domain_id, project_domain_name=context.project_domain_name, reauthenticate=context.reauthenticate) elif context.__class__.__name__ is 'KeystoneToken': return identity.Token( auth_url=auth_url, token=context.token, trust_id=context.trust_id, domain_id=context.domain_id, domain_name=context.domain_name, project_id=context.project_id, project_name=context.project_name, project_domain_id=context.project_domain_id, project_domain_name=context.project_domain_name, reauthenticate=context.reauthenticate) # this will be kept for oslo.context compatibility until # projects begin to use utils.credential_factory elif context.__class__.__name__ is 'RequestContext': return identity.Token(auth_url=auth_url, token=context.auth_token, project_id=context.tenant) else: msg = _LE("context must be of type KeystonePassword, " "KeystoneToken, or RequestContext.") LOG.error(msg) raise exception.Forbidden(reason=msg)
def create_key_pair(self, context, algorithm, length, expiration=None, name=None): """Creates an asymmetric key pair. :param context: contains information of the user and the environment for the request (castellan/context.py) :param algorithm: the algorithm associated with the secret :param length: the bit length of the secret :param name: the name of the key :param expiration: the date the key will expire :return: the UUIDs of the new key, in the order (private, public) :raises NotImplementedError: until implemented :raises KeyManagerError: if key pair creation fails """ barbican_client = self._get_barbican_client(context) try: key_pair_order = barbican_client.orders.create_asymmetric( algorithm=algorithm, bit_length=length, name=name, expiration=expiration) order_ref = key_pair_order.submit() order = self._get_active_order(barbican_client, order_ref) container = barbican_client.containers.get(order.container_ref) private_key_uuid = self._retrieve_secret_uuid( container.secret_refs['private_key']) public_key_uuid = self._retrieve_secret_uuid( container.secret_refs['public_key']) return private_key_uuid, public_key_uuid except (barbican_exceptions.HTTPAuthError, barbican_exceptions.HTTPClientError, barbican_exceptions.HTTPServerError) as e: LOG.error(_LE("Error creating key pair: %s"), e) raise exception.KeyManagerError(reason=e)
def get(self, context, managed_object_id): """Retrieves the specified managed object. :param context: contains information of the user and the environment for the request (castellan/context.py) :param managed_object_id: the UUID of the object to retrieve :return: ManagedObject representation of the managed object :raises KeyManagerError: if object retrieval fails :raises ManagedObjectNotFoundError: if object not found """ try: secret = self._get_secret(context, managed_object_id) return self._get_castellan_object(secret) except (barbican_exceptions.HTTPAuthError, barbican_exceptions.HTTPClientError, barbican_exceptions.HTTPServerError) as e: LOG.error(_LE("Error retrieving object: %s"), e) if self._is_secret_not_found_error(e): raise exception.ManagedObjectNotFoundError( uuid=managed_object_id) else: raise exception.KeyManagerError(reason=e)
def _get_secret(self, context, object_id): """Returns the metadata of the secret. :param context: contains information of the user and the environment for the request (castellan/context.py) :param object_id: UUID of the secret :return: the secret's metadata :raises HTTPAuthError: if object retrieval fails with 401 :raises HTTPClientError: if object retrieval fails with 4xx :raises HTTPServerError: if object retrieval fails with 5xx """ barbican_client = self._get_barbican_client(context) try: secret_ref = self._create_secret_ref(object_id) return barbican_client.secrets.get(secret_ref) except (barbican_exceptions.HTTPAuthError, barbican_exceptions.HTTPClientError, barbican_exceptions.HTTPServerError) as e: with excutils.save_and_reraise_exception(): LOG.error(_LE("Error getting secret metadata: %s"), e)
def delete(self, context, managed_object_id): """Deletes the specified managed object. :param context: contains information of the user and the environment for the request (castellan/context.py) :param managed_object_id: the UUID of the object to delete :raises KeyManagerError: if object deletion fails :raises ManagedObjectNotFoundError: if the object could not be found """ barbican_client = self._get_barbican_client(context) try: secret_ref = self._create_secret_ref(managed_object_id) barbican_client.secrets.delete(secret_ref) except (barbican_exceptions.HTTPAuthError, barbican_exceptions.HTTPClientError, barbican_exceptions.HTTPServerError) as e: LOG.error(_LE("Error deleting object: %s"), e) if self._is_secret_not_found_error(e): raise exception.ManagedObjectNotFoundError( uuid=managed_object_id) else: raise exception.KeyManagerError(reason=e)
def store(self, context, managed_object, expiration=None): """Stores (i.e., registers) an object with the key manager. :param context: contains information of the user and the environment for the request (castellan/context.py) :param managed_object: a secret object with unencrypted payload. Known as "secret" to the barbicanclient api :param expiration: the expiration time of the secret in ISO 8601 format :returns: the UUID of the stored object :raises KeyManagerError: if object store fails """ barbican_client = self._get_barbican_client(context) try: secret = self._get_barbican_object(barbican_client, managed_object) secret.expiration = expiration secret_ref = secret.store() return self._retrieve_secret_uuid(secret_ref) except (barbican_exceptions.HTTPAuthError, barbican_exceptions.HTTPClientError, barbican_exceptions.HTTPServerError) as e: LOG.error(_LE("Error storing object: %s"), e) raise exception.KeyManagerError(reason=e)
def credential_factory(conf=None, context=None): """This function provides a factory for credentials. It is used to create an appropriare credential object from a passed configuration. This should be called before making any calls to a key manager. :param conf: Configuration file which this factory method uses to generate a credential object. Note: In the future it will become a required field. :param context: Context used for authentication. It can be used in conjunction with the configuration file. If no conf is passed, then the context object will be converted to a KeystoneToken and returned. If a conf is passed then only the 'token' is grabbed from the context for the authentication types that require a token. :returns: A credential object used for authenticating with the Castellan key manager. Type of credential returned depends on config and/or context passed. """ if conf: conf.register_opts(credential_opts, group=OPT_GROUP) if conf.key_manager.auth_type == 'token': if conf.key_manager.token: auth_token = conf.key_manager.token elif context: auth_token = context.auth_token else: raise exception.InsufficientCredentialDataError() return token.Token(auth_token) elif conf.key_manager.auth_type == 'password': return password.Password(conf.key_manager.username, conf.key_manager.password) elif conf.key_manager.auth_type == 'keystone_password': return keystone_password.KeystonePassword( conf.key_manager.password, username=conf.key_manager.username, user_id=conf.key_manager.user_id, user_domain_id=conf.key_manager.user_domain_id, user_domain_name=conf.key_manager.user_domain_name, trust_id=conf.key_manager.trust_id, domain_id=conf.key_manager.domain_id, domain_name=conf.key_manager.domain_name, project_id=conf.key_manager.project_id, project_name=conf.key_manager.project_name, project_domain_id=conf.key_manager.domain_id, project_domain_name=conf.key_manager.domain_name, reauthenticate=conf.key_manager.reauthenticate) elif conf.key_manager.auth_type == 'keystone_token': if conf.key_manager.token: auth_token = conf.key_manager.token elif context: auth_token = context.auth_token else: raise exception.InsufficientCredentialDataError() return keystone_token.KeystoneToken( auth_token, trust_id=conf.key_manager.trust_id, domain_id=conf.key_manager.domain_id, domain_name=conf.key_manager.domain_name, project_id=conf.key_manager.project_id, project_name=conf.key_manager.project_name, project_domain_id=conf.key_manager.domain_id, project_domain_name=conf.key_manager.domain_name, reauthenticate=conf.key_manager.reauthenticate) else: LOG.error(_LE("Invalid auth_type specified.")) raise exception.AuthTypeInvalidError( type=conf.key_manager.auth_type) # for compatibility between _TokenData and RequestContext if hasattr(context, 'tenant') and context.tenant: project_id = context.tenant elif hasattr(context, 'project_id') and context.project_id: project_id = context.project_id return keystone_token.KeystoneToken(context.auth_token, project_id=project_id)