def setUp(self):
        super(TestSLUGSAuthenticationAndAccessControl, self).setUp()

        self.client_john_doe = client.ProxyKmipClient(
            config='john_doe', config_file=self.config_file)
        self.client_jane_doe = client.ProxyKmipClient(
            config='jane_doe', config_file=self.config_file)
        self.client_john_smith = client.ProxyKmipClient(
            config='john_smith', config_file=self.config_file)
        self.client_jane_smith = client.ProxyKmipClient(
            config='jane_smith', config_file=self.config_file)
Exemple #2
0
def simple(request):
    config = request.config.getoption("--config")

    client = pclient.ProxyKmipClient(config=config)
    client.open()

    def finalize():
        client.close()

    request.addfinalizer(finalize)
    request.cls.client = client
Exemple #3
0
from kmip.pie import client

# NOTE: This demo script shows how to delete the first Name attribute from
# the user-specified object. The object *must* have at least one Name
# attribute for attribute deletion to work. Otherwise, the client
# call to delete_attribute will fail.

if __name__ == '__main__':
    logger = utils.build_console_logger(logging.INFO)

    parser = utils.build_cli_parser(enums.Operation.DELETE_ATTRIBUTE)
    opts, args = parser.parse_args(sys.argv[1:])

    if opts.uuid is None:
        logger.error("No UUID provided, existing early from demo.")
        sys.exit()

    with client.ProxyKmipClient(config=opts.config,
                                config_file=opts.config_file) as c:
        try:
            object_id, modified_attribute = c.delete_attribute(
                unique_identifier=opts.uuid,
                attribute_name="Name",
                attribute_index=0)
            logger.info(
                "Successfully deleted 'Name' attribute from object: {}".format(
                    object_id))
            logger.info("Deleted attribute: {}".format(modified_attribute))
        except Exception as e:
            logger.error(e)
Exemple #4
0
if __name__ == '__main__':
    logger = utils.build_console_logger(logging.INFO)

    # Build and parse arguments
    parser = utils.build_cli_parser(enums.Operation.CREATE)
    opts, args = parser.parse_args(sys.argv[1:])

    config = opts.config
    algorithm = opts.algorithm
    length = opts.length

    # Exit early if the arguments are not specified
    if algorithm is None:
        logger.error('No algorithm provided, exiting early from demo')
        sys.exit()
    if length is None:
        logger.error("No key length provided, exiting early from demo")
        sys.exit()

    algorithm = getattr(enums.CryptographicAlgorithm, algorithm, None)

    # Build the client and connect to the server
    with client.ProxyKmipClient(config=config) as client:
        try:
            uid = client.create(algorithm, length)
            logger.info("Successfully created symmetric key with ID: "
                        "{0}".format(uid))
        except Exception as e:
            logger.error(e)
Exemple #5
0
# NOTE: This demo script shows how to set the Sensitive attribute on
# the user-specified object. The server must support KMIP 2.0, since
# the SetAttribute operation is KMIP 2.0+ only and the Sensitive
# attribute is KMIP 1.4+ only. Otherwise, the client call to
# set_attribute will fail.

if __name__ == '__main__':
    logger = utils.build_console_logger(logging.INFO)

    parser = utils.build_cli_parser(enums.Operation.SET_ATTRIBUTE)
    opts, args = parser.parse_args(sys.argv[1:])

    if opts.uuid is None:
        logger.error("No UUID provided, existing early from demo.")
        sys.exit()

    factory = attributes.AttributeFactory()

    with client.ProxyKmipClient(config=opts.config,
                                config_file=opts.config_file,
                                kmip_version=enums.KMIPVersion.KMIP_2_0) as c:
        try:
            object_id = c.set_attribute(unique_identifier=opts.uuid,
                                        attribute_name="Sensitive",
                                        attribute_value=True)
            logger.info(
                "Successfully set the 'Sensitive' attribute on object: "
                "{}".format(object_id))
        except Exception as e:
            logger.error(e)
Exemple #6
0
    def __init__(self, conf=CONF):
        """Initializes KMIPSecretStore

        Creates a dictionary of mappings between SecretStore enum values
        and pyKMIP enum values. Initializes the KMIP client with credentials
        needed to connect to the KMIP server.
        """
        super(KMIPSecretStore, self).__init__()
        self.valid_alg_dict = {
            ss.KeyAlgorithm.AES: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [128, 192, 256],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.AES
            },
            ss.KeyAlgorithm.DES: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [56],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.DES
            },
            ss.KeyAlgorithm.DESEDE: {
                KMIPSecretStore.VALID_BIT_LENGTHS:
                [56, 64, 112, 128, 168, 192],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.TRIPLE_DES
            },
            ss.KeyAlgorithm.DSA: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.DSA
            },
            ss.KeyAlgorithm.HMACSHA1: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.HMAC_SHA1
            },
            ss.KeyAlgorithm.HMACSHA256: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.HMAC_SHA256
            },
            ss.KeyAlgorithm.HMACSHA384: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.HMAC_SHA384
            },
            ss.KeyAlgorithm.HMACSHA512: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.HMAC_SHA512
            },
            ss.KeyAlgorithm.RSA: {
                KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072, 4096],
                KMIPSecretStore.KMIP_ALGORITHM_ENUM:
                enums.CryptographicAlgorithm.RSA
            },
        }
        self.pkcs1_only = conf.kmip_plugin.pkcs1_only
        if self.pkcs1_only:
            LOG.debug("KMIP secret store only supports PKCS#1")
            del self.valid_alg_dict[ss.KeyAlgorithm.DSA]
        self.kmip_barbican_alg_map = {
            enums.CryptographicAlgorithm.AES: ss.KeyAlgorithm.AES,
            enums.CryptographicAlgorithm.DES: ss.KeyAlgorithm.DES,
            enums.CryptographicAlgorithm.TRIPLE_DES: ss.KeyAlgorithm.DESEDE,
            enums.CryptographicAlgorithm.DSA: ss.KeyAlgorithm.DSA,
            enums.CryptographicAlgorithm.HMAC_SHA1: ss.KeyAlgorithm.HMACSHA1,
            enums.CryptographicAlgorithm.HMAC_SHA256:
            ss.KeyAlgorithm.HMACSHA256,
            enums.CryptographicAlgorithm.HMAC_SHA384:
            ss.KeyAlgorithm.HMACSHA384,
            enums.CryptographicAlgorithm.HMAC_SHA512:
            ss.KeyAlgorithm.HMACSHA512,
            enums.CryptographicAlgorithm.RSA: ss.KeyAlgorithm.RSA
        }

        if conf.kmip_plugin.keyfile is not None:
            self._validate_keyfile_permissions(conf.kmip_plugin.keyfile)

        if (conf.kmip_plugin.username is None) and (conf.kmip_plugin.password
                                                    is None):
            self.credential = None
        else:
            credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD
            credential_value = {
                'Username': conf.kmip_plugin.username,
                'Password': conf.kmip_plugin.password
            }
            self.credential = (
                credentials.CredentialFactory().create_credential(
                    credential_type, credential_value))

        config = conf.kmip_plugin
        self.client = client.ProxyKmipClient(hostname=config.host,
                                             port=config.port,
                                             cert=config.certfile,
                                             key=config.keyfile,
                                             ca=config.ca_certs,
                                             ssl_version=config.ssl_version,
                                             username=config.username,
                                             password=config.password)
Exemple #7
0
# Register keys with the pykmip server
#Import modules
from kmip import enums
from kmip.pie import client
from kmip.pie import objects

c = client.ProxyKmipClient()

symmetric_key = objects.SymmetricKey(enums.CryptographicAlgorithm.AES, 256,
                                     (b'\x00\x01\x02\x03\x04\x05\x06\x07'
                                      b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
                                      b'\x00\x01\x02\x03\x04\x05\x06\x07'
                                      b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'))

with c:
    for i in range(10):
        key_id = c.register(symmetric_key)
        print(f'Registered new key with ID {key_id}')