def secdel_get_barbican_manager_and_ctxt(output_manager, conf, api_class): try: # FIXME: Parameters have different names if passed as options # to swift-client user_domain_name = conf.get('os_user_domain_name') if user_domain_name is None: user_domain_name = 'Default' project_domain_name = conf.get('os_project_domain_name') if project_domain_name is None: project_domain_name = 'Default' ctxt = keystone_password.KeystonePassword( username=conf.get('os_username'), password=conf.get('os_password'), project_name=conf.get('os_project_name'), user_domain_name=user_domain_name, project_domain_name=project_domain_name, user_id=conf.get('os_user_id'), user_domain_id=conf.get('os_user_domain_id'), trust_id=conf.get('os_trust_id'), domain_id=conf.get('os_domain_id'), domain_name=conf.get('os_domain_name'), project_id=conf.get('os_project_id'), project_domain_id=conf.get('os_project_domain_id'), reauthenticate=conf.get('reauthenticate')) oslo_conf = cfg.ConfigOpts() # FIXME: os_auth_url and not auth_endpoint? options.set_defaults( oslo_conf, auth_endpoint=conf.get('os_auth_url'), api_class=conf.get('api_class', api_class) ) options.enable_logging() manager = key_manager.API(oslo_conf) return manager, ctxt except SwiftError as e: output_manager.error(e.value)
def _encrypt_data(context, data): try: # TODO(pbourke): move auth construction into common area if it ends up # been required in other areas auth = identity.V3Password( auth_url=settings.KEY_MANAGER['auth_url'], username=settings.KEY_MANAGER['username'], user_domain_name=settings.KEY_MANAGER['user_domain_name'], password=settings.KEY_MANAGER['password'], project_name=settings.KEY_MANAGER['project_name'], project_domain_name=settings.KEY_MANAGER['project_domain_name'] ) except (KeyError, AttributeError) as e: LOG.exception(e) msg = ('Could not find valid key manager credentials in the ' 'murano-dashboard config. encryptData yaql function not ' 'available') raise castellan_exception.KeyManagerError(message_arg=msg) sess = session.Session(auth=auth) auth_context = _oslo_context.RequestContext( auth_token=auth.get_token(sess), tenant=auth.get_project_id(sess)) options.set_defaults(cfg.CONF, auth_endpoint=settings.KEY_MANAGER['auth_url']) manager = key_manager.API() try: # TODO(pbourke): while we feel opaque data should cover the most common # use case, we may want to add support for other secret types in the # future (see https://goo.gl/tZhfqe) stored_key_id = manager.store(auth_context, opaque_data.OpaqueData(data)) except castellan_exception.KeyManagerError as e: LOG.exception(e) raise return stored_key_id
def register_opts(conf): castellan_opts.set_defaults(conf) # TODO(raj_singh): Code block below is deprecated and will be removed # post Newton conf.register_group(barbican_group) conf.register_opts(barbican_opts, group=barbican_group) ks_loading.register_session_conf_options(conf, barbican_group.name)
def setUp(self): super(InitTestCase, self).setUp() self.config = cfg.ConfigOpts() castellan_opts.set_defaults(self.config) self.config.set_default('api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager', group='key_manager')
def handle_key_migration(self, volumes): castellan_options.set_defaults(self.conf) self.conf.import_opt(name='fixed_key', module_str='cinder.keymgr.conf_key_mgr', group='key_manager') fixed_key = self.conf.key_manager.fixed_key backend = self.conf.key_manager.backend or '' backend = backend.split('.')[-1] if backend == 'ConfKeyManager': LOG.info("Not migrating encryption keys because the " "ConfKeyManager is still in use.") elif not fixed_key: LOG.info("Not migrating encryption keys because the " "ConfKeyManager's fixed_key is not in use.") elif backend != 'barbican' and backend != 'BarbicanKeyManager': # Note: There are two ways of specifying the Barbican backend. # The long-hand method contains the "BarbicanKeyManager" class # name, and the short-hand method is just "barbican" with no # module path prefix. LOG.warning( "Not migrating encryption keys because migration to " "the '%s' key_manager backend is not supported.", backend) self._log_migration_status() elif not volumes: LOG.info("Not migrating encryption keys because there are no " "volumes associated with this host.") self._log_migration_status() else: self.fixed_key_bytes = bytes(binascii.unhexlify(fixed_key)) self.fixed_key_length = len(self.fixed_key_bytes) * 8 self._migrate_keys(volumes) self._log_migration_status()
def validate_config(): if CONF.use_barbican_key_manager: # NOTE (elmiko) there is no need to set the api_class as castellan # uses barbican by default. castellan.set_defaults(CONF, auth_endpoint=utils.retrieve_auth_url()) else: castellan.set_defaults(CONF, api_class='sahara.service.castellan.' 'sahara_key_manager.SaharaKeyManager')
def key_manager(): conf = cfg.ConfigOpts() auth_endpoint = settings.OPENSTACK_KEYSTONE_URL insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) options.set_defaults(conf, auth_endpoint=auth_endpoint, verify_ssl=not insecure) return key_manager_api.API(conf)
def _get_root_secret(self, conf): """ Retrieve the root encryption secret from an external key management system using Castellan. :param conf: the keymaster config section from proxy-server.conf :type conf: dict :return: the encryption root secret binary bytes :rtype: bytearray """ ctxt = keystone_password.KeystonePassword( auth_url=conf.get('auth_endpoint'), username=conf.get('username'), password=conf.get('password'), project_name=conf.get('project_name'), user_domain_name=conf.get('user_domain_name'), project_domain_name=conf.get( 'project_domain_name'), user_id=conf.get('user_id'), user_domain_id=conf.get('user_domain_id'), trust_id=conf.get('trust_id'), domain_id=conf.get('domain_id'), domain_name=conf.get('domain_name'), project_id=conf.get('project_id'), project_domain_id=conf.get('project_domain_id'), reauthenticate=conf.get('reauthenticate')) oslo_conf = cfg.ConfigOpts() options.set_defaults( oslo_conf, auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class') ) options.enable_logging() manager = key_manager.API(oslo_conf) key = manager.get(ctxt, conf.get('key_id')) if key is None: raise ValueError("Retrieval of encryption root secret with key_id " "'%s' returned None." % conf.get('key_id')) try: if (key.bit_length < 256) or (key.algorithm.lower() != "aes"): raise ValueError('encryption root secret stored in the ' 'external KMS must be an AES key of at least ' '256 bits (provided key length: %d, provided ' 'key algorithm: %s)' % (key.bit_length, key.algorithm)) if (key.format != 'RAW'): raise ValueError('encryption root secret stored in the ' 'external KMS must be in RAW format and not ' 'e.g., as a base64 encoded string (format of ' 'key with uuid %s: %s)' % (conf.get('key_id'), key.format)) except Exception: raise ValueError("Secret with key_id '%s' is not a symmetric key " "(type: %s)" % (conf.get('key_id'), str(type(key)))) return key.get_encoded()
def _get_root_secret(self, conf): """ Retrieve the root encryption secret from an external key management system using Castellan. :param conf: the keymaster config section from proxy-server.conf :type conf: dict :return: the encryption root secret binary bytes :rtype: bytearray """ ctxt = keystone_password.KeystonePassword( auth_url=conf.get('auth_endpoint'), username=conf.get('username'), password=conf.get('password'), project_name=conf.get('project_name'), user_domain_name=conf.get('user_domain_name'), project_domain_name=conf.get('project_domain_name'), user_id=conf.get('user_id'), user_domain_id=conf.get('user_domain_id'), trust_id=conf.get('trust_id'), domain_id=conf.get('domain_id'), domain_name=conf.get('domain_name'), project_id=conf.get('project_id'), project_domain_id=conf.get('project_domain_id'), reauthenticate=conf.get('reauthenticate')) oslo_conf = cfg.ConfigOpts() options.set_defaults(oslo_conf, auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class')) options.enable_logging() manager = key_manager.API(oslo_conf) key = manager.get(ctxt, conf.get('key_id')) if key is None: raise ValueError("Retrieval of encryption root secret with key_id " "'%s' returned None." % conf.get('key_id')) try: if (key.bit_length < 256) or (key.algorithm.lower() != "aes"): raise ValueError('encryption root secret stored in the ' 'external KMS must be an AES key of at least ' '256 bits (provided key length: %d, provided ' 'key algorithm: %s)' % (key.bit_length, key.algorithm)) if (key.format != 'RAW'): raise ValueError('encryption root secret stored in the ' 'external KMS must be in RAW format and not ' 'e.g., as a base64 encoded string (format of ' 'key with uuid %s: %s)' % (conf.get('key_id'), key.format)) except Exception: raise ValueError("Secret with key_id '%s' is not a symmetric key " "(type: %s)" % (conf.get('key_id'), str(type(key)))) return key.get_encoded()
def get_conf(self, conf=CONF): """Convert secret store conf into oslo conf Returns an oslo.config() object to pass to keymanager.API(conf) """ vault_conf = cfg.ConfigOpts() options.set_defaults( vault_conf, backend='vault', vault_root_token_id=conf.vault_plugin.root_token_id, vault_url=conf.vault_plugin.vault_url, vault_ssl_ca_crt_file=conf.vault_plugin.ssl_ca_crt_file, vault_use_ssl=conf.vault_plugin.use_ssl) return vault_conf
def get_user_root_secret_by_id(self, account, user_token, key_id): """ Retrieve the user's root encryption secret with the specified ID from an external key management system using Castellan. :param account: the name of the account :type account: string :param user_token: the keystone token of the user from the request :type user_token: string :param key_id: the ID of the user's root encryption secret to retrieve :return: the binary bytes of the user's root encryption secret with the specified ID :rtype: bytearray """ user_root_secrets = self._user_root_secrets.get(account) if user_root_secrets is None: user_root_secrets = dict() else: encoded_key = user_root_secrets.get(key_id) if ROOT_SECRET_CACHE_TIME > 0: if encoded_key is not None: return encoded_key conf = self.conf if self.keymaster_config_path is not None: if any(opt in conf for opt in ('key_id', )): raise ValueError('keymaster_config_path is set, but there ' 'are other config options specified!') conf = readconf(self.keymaster_config_path, 'rotating_keymaster') user_ctxt = keystone_token.KeystoneToken(token=user_token) oslo_conf = cfg.ConfigOpts() options.set_defaults(oslo_conf, auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class')) options.enable_logging() manager = key_manager.API(oslo_conf) # Get the latest key from Barbican. If no keymanager class has been # specified (using 'api_class'), or the keymaster does not have a # 'get_latest_key()' method, an exception will be raised. key = manager.get(user_ctxt, key_id) if key is None: raise ValueError("Could not find user '%s' with key_id '%s'" % (account, key_id)) user_root_secrets[key_id] = key.get_encoded() self._user_root_secrets[account] = user_root_secrets return key.get_encoded()
def decrypt_data(value): options.set_defaults(oslo_cfg.CONF, barbican_endpoint_type='internal') manager = key_manager.API() try: context = castellan_utils.credential_factory(conf=cfg.CONF) except castellan_exception.AuthTypeInvalidError as e: LOG.exception(e) LOG.error("Castellan must be correctly configured in order to use " "decryptData()") raise try: data = manager.get(context, value).get_encoded() except castellan_exception.KeyManagerError as e: LOG.exception(e) raise return data
def get_conf(self, conf=CONF): """Convert secret store conf into oslo conf Returns an oslo.config() object to pass to keymanager.API(conf) """ vault_conf = cfg.ConfigOpts() options.set_defaults( vault_conf, backend='vault', vault_root_token_id=conf.vault_plugin.root_token_id, vault_approle_role_id=conf.vault_plugin.approle_role_id, vault_approle_secret_id=conf.vault_plugin.approle_secret_id, vault_kv_mountpoint=conf.vault_plugin.kv_mountpoint, vault_url=conf.vault_plugin.vault_url, vault_ssl_ca_crt_file=conf.vault_plugin.ssl_ca_crt_file, vault_use_ssl=conf.vault_plugin.use_ssl ) return vault_conf
def get_latest_user_root_secret_and_id(self, account, user_token): """ Retrieve the user's latest root encryption secret from an external key management system using Castellan. :param account: the name of the account :type account: string :param user_token: the keystone token of the user from the request :type user_token: string :return: a tuple containing the binary bytes of the latest encryption root secret, and the id of the latest root encryption secret :rtype: (bytearray, string) """ conf = self.conf if self.keymaster_config_path is not None: if any(opt in conf for opt in ('key_id', )): raise ValueError('keymaster_config_path is set, but there ' 'are other config options specified!') conf = readconf(self.keymaster_config_path, 'rotating_keymaster') user_ctxt = keystone_token.KeystoneToken(token=user_token) oslo_conf = cfg.ConfigOpts() options.set_defaults(oslo_conf, auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class')) options.enable_logging() manager = key_manager.API(oslo_conf) # Get the latest key from Barbican. If no keymanager class has been # specified (using 'api_class'), or the keymaster does not have a # 'get_latest_key()' method, an exception will be raised. latest_user_root_secret_id, key = manager.get_latest_key( user_ctxt, bits=256, algorithm='aes', name='swift_root_secret') self.logger.log( SECDEL_LOG_LEVEL_DEBUG, "ID of latest user root secret is %s" % latest_user_root_secret_id) if latest_user_root_secret_id is None or key is None: return None, None user_root_secrets = self._user_root_secrets.get(account) if user_root_secrets is None: user_root_secrets = dict() user_root_secrets[latest_user_root_secret_id] = key.get_encoded() self._user_root_secrets[account] = user_root_secrets return key.get_encoded(), latest_user_root_secret_id
def handle_key_migration(self, volumes, backups): castellan_options.set_defaults(self.conf) try: self.conf.import_opt(name='fixed_key', module_str='cinder.keymgr.conf_key_mgr', group='key_manager') except cfg.DuplicateOptError: pass fixed_key = self.conf.key_manager.fixed_key backend = self.conf.key_manager.backend or '' backend = backend.split('.')[-1] if backend == 'ConfKeyManager': LOG.info("Not migrating encryption keys because the " "ConfKeyManager is still in use.") elif not fixed_key: LOG.info("Not migrating encryption keys because the " "ConfKeyManager's fixed_key is not in use.") elif backend != 'barbican' and backend != 'BarbicanKeyManager': # Note: There are two ways of specifying the Barbican backend. # The long-hand method contains the "BarbicanKeyManager" class # name, and the short-hand method is just "barbican" with no # module path prefix. LOG.warning("Not migrating encryption keys because migration to " "the '%s' key_manager backend is not supported.", backend) self._log_migration_status() elif not volumes and not backups: LOG.info("Not migrating encryption keys because there are no " "volumes or backups associated with this host.") self._log_migration_status() else: self.fixed_key_bytes = bytes(binascii.unhexlify(fixed_key)) self.fixed_key_length = len(self.fixed_key_bytes) * 8 self._migrate_keys(volumes, backups) self._log_migration_status()
def _encrypt_data(context, data): try: # TODO(pbourke): move auth construction into common area if it ends up # been required in other areas auth = identity.V3Password( auth_url=settings.KEY_MANAGER['auth_url'], username=settings.KEY_MANAGER['username'], user_domain_name=settings.KEY_MANAGER['user_domain_name'], password=settings.KEY_MANAGER['password'], project_name=settings.KEY_MANAGER['project_name'], project_domain_name=settings.KEY_MANAGER['project_domain_name'] ) except (KeyError, AttributeError) as e: LOG.exception(e) msg = ('Could not find valid key manager credentials in the ' 'murano-dashboard config. encryptData yaql function not ' 'available') raise castellan_exception.KeyManagerError(message_arg=msg) sess = session.Session(auth=auth) auth_context = _oslo_context.RequestContext( auth_token=auth.get_token(sess), tenant=auth.get_project_id(sess)) options.set_defaults(cfg.CONF, auth_endpoint=settings.KEY_MANAGER['auth_url']) options.set_defaults(cfg.CONF, barbican_endpoint_type='internal') manager = key_manager.API() try: # TODO(pbourke): while we feel opaque data should cover the most common # use case, we may want to add support for other secret types in the # future (see https://goo.gl/tZhfqe) stored_key_id = manager.store(auth_context, opaque_data.OpaqueData(data)) except castellan_exception.KeyManagerError as e: LOG.exception(e) raise return stored_key_id
def test_set_defaults(self): conf = cfg.ConfigOpts() api_class = 'test.api.class' options.set_defaults(conf, api_class=api_class) self.assertEqual(api_class, conf.key_manager.api_class) barbican_endpoint = 'http://test-server.org:9311/' options.set_defaults(conf, barbican_endpoint=barbican_endpoint) self.assertEqual(barbican_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint) barbican_api_version = 'vSomething' options.set_defaults(conf, barbican_api_version=barbican_api_version) self.assertEqual(barbican_api_version, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)
def register_opts(conf): castellan_opts.set_defaults(conf) conf.register_group(key_manager_group) conf.register_opts(key_manager_opts, group=key_manager_group)
# License for the specific language governing permissions and limitations # under the License. from castellan import options as castellan_opts from oslo_config import cfg from oslo_log import log as logging from oslo_log import versionutils from oslo_utils import importutils from cinder.i18n import _LW LOG = logging.getLogger(__name__) CONF = cfg.CONF castellan_opts.set_defaults(cfg.CONF) # NOTE(kfarr): This line can be removed when a value is assigned in DevStack CONF.set_default('api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager', group='key_manager') # NOTE(kfarr): For backwards compatibility, everything below this comment # is deprecated for removal api_class = None try: api_class = CONF.key_manager.api_class except cfg.NoSuchOptError: LOG.warning(_LW("key_manager.api_class is not set, will use deprecated " "option keymgr.api_class if set")) try: api_class = CONF.keymgr.api_class
# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from castellan import options as castellan_opts from oslo_config import cfg CONF = cfg.CONF castellan_opts.set_defaults(CONF)
# under the License. from castellan import options as castellan_opts from oslo_config import cfg from oslo_log import log as logging from oslo_utils import importutils import nova.conf from nova.i18n import _LW LOG = logging.getLogger(__name__) CONF = nova.conf.CONF castellan_opts.set_defaults(CONF) # NOTE(kfarr): This line can be removed when a value is assigned in DevStack CONF.set_default("api_class", "nova.keymgr.conf_key_mgr.ConfKeyManager", group="key_manager") # NOTE(kfarr): For backwards compatibility, everything below this comment # is deprecated for removal api_class = None try: api_class = CONF.key_manager.api_class except cfg.NoSuchOptError: LOG.warning(_LW("key_manager.api_class is not set, will use deprecated " "option keymgr.api_class if set")) try: api_class = CONF.keymgr.api_class except cfg.NoSuchOptError: LOG.warning(_LW("keymgr.api_class is not set"))
def test_set_defaults(self): conf = cfg.ConfigOpts() api_class = 'test.api.class' options.set_defaults(conf, api_class=api_class) self.assertEqual(api_class, conf.key_manager.api_class) barbican_endpoint = 'http://test-server.org:9311/' options.set_defaults(conf, barbican_endpoint=barbican_endpoint) self.assertEqual(barbican_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint) barbican_api_version = 'vSomething' options.set_defaults(conf, barbican_api_version=barbican_api_version) self.assertEqual(barbican_api_version, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version) auth_endpoint = 'http://test-server.org:5000/' options.set_defaults(conf, auth_endpoint=auth_endpoint) self.assertEqual(auth_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint) retry_delay = 3 options.set_defaults(conf, retry_delay=retry_delay) self.assertEqual(retry_delay, conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay) number_of_retries = 10 options.set_defaults(conf, number_of_retries=number_of_retries) self.assertEqual(number_of_retries, conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
def test_set_defaults(self): conf = cfg.ConfigOpts() api_class = 'test.api.class' options.set_defaults(conf, api_class=api_class) self.assertEqual(api_class, conf.key_manager.api_class) barbican_endpoint = 'http://test-server.org:9311/' options.set_defaults(conf, barbican_endpoint=barbican_endpoint) self.assertEqual(barbican_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint) barbican_api_version = 'vSomething' options.set_defaults(conf, barbican_api_version=barbican_api_version) self.assertEqual(barbican_api_version, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version) auth_endpoint = 'http://test-server.org:5000/' options.set_defaults(conf, auth_endpoint=auth_endpoint) self.assertEqual(auth_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint) retry_delay = 3 options.set_defaults(conf, retry_delay=retry_delay) self.assertEqual(retry_delay, conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay) number_of_retries = 10 options.set_defaults(conf, number_of_retries=number_of_retries) self.assertEqual(number_of_retries, conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries) verify_ssl = True options.set_defaults(conf, verify_ssl=True) self.assertEqual(verify_ssl, conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
def test_set_defaults(self): conf = cfg.ConfigOpts() self.assertTrue(isinstance(key_manager.API(conf), bkm.BarbicanKeyManager)) cls = mock_key_manager.MockKeyManager backend = '%s.%s' % (cls.__module__, cls.__name__) options.set_defaults(conf, backend=backend) self.assertEqual(backend, conf.key_manager.backend) self.assertIsInstance(key_manager.API(conf), mock_key_manager.MockKeyManager) barbican_endpoint = 'http://test-server.org:9311/' options.set_defaults(conf, barbican_endpoint=barbican_endpoint) self.assertEqual(barbican_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint) barbican_api_version = 'vSomething' options.set_defaults(conf, barbican_api_version=barbican_api_version) self.assertEqual(barbican_api_version, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version) auth_endpoint = 'http://test-server.org/identity' options.set_defaults(conf, auth_endpoint=auth_endpoint) self.assertEqual(auth_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint) retry_delay = 3 options.set_defaults(conf, retry_delay=retry_delay) self.assertEqual(retry_delay, conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay) number_of_retries = 10 options.set_defaults(conf, number_of_retries=number_of_retries) self.assertEqual(number_of_retries, conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries) verify_ssl = True options.set_defaults(conf, verify_ssl=True) self.assertEqual(verify_ssl, conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl) barbican_endpoint_type = 'internal' options.set_defaults(conf, barbican_endpoint_type='internal') result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type self.assertEqual(barbican_endpoint_type, result_type)
def test_set_defaults(self): conf = cfg.ConfigOpts() self.assertTrue( isinstance(key_manager.API(conf), bkm.BarbicanKeyManager)) cls = mock_key_manager.MockKeyManager backend = '%s.%s' % (cls.__module__, cls.__name__) options.set_defaults(conf, backend=backend) self.assertEqual(backend, conf.key_manager.backend) self.assertIsInstance(key_manager.API(conf), mock_key_manager.MockKeyManager) barbican_endpoint = 'http://test-server.org:9311/' options.set_defaults(conf, barbican_endpoint=barbican_endpoint) self.assertEqual(barbican_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint) barbican_api_version = 'vSomething' options.set_defaults(conf, barbican_api_version=barbican_api_version) self.assertEqual(barbican_api_version, conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version) auth_endpoint = 'http://test-server.org/identity' options.set_defaults(conf, auth_endpoint=auth_endpoint) self.assertEqual(auth_endpoint, conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint) retry_delay = 3 options.set_defaults(conf, retry_delay=retry_delay) self.assertEqual(retry_delay, conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay) number_of_retries = 10 options.set_defaults(conf, number_of_retries=number_of_retries) self.assertEqual(number_of_retries, conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries) verify_ssl = True options.set_defaults(conf, verify_ssl=True) self.assertEqual(verify_ssl, conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl) barbican_endpoint_type = 'internal' options.set_defaults(conf, barbican_endpoint_type='internal') result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type self.assertEqual(barbican_endpoint_type, result_type)