def __init__(self):
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.secret_repo = repo.get_secret_repository()
self.validator = validators.ContainerValidator()
self.quota_enforcer = quota.QuotaEnforcer('containers',
self.container_repo)
def validate_stored_key_rsa_container(project_id, container_ref, req):
try:
container_id = hrefs.get_container_id_from_ref(container_ref)
except Exception:
reason = u._("Bad Container Reference {ref}").format(
ref=container_ref
)
raise exception.InvalidContainer(reason=reason)
container_repo = repo.get_container_repository()
container = container_repo.get_container_by_id(entity_id=container_id,
suppress_exception=True)
if not container:
reason = u._("Container Not Found")
raise exception.InvalidContainer(reason=reason)
if container.type != 'rsa':
reason = u._("Container Wrong Type")
raise exception.InvalidContainer(reason=reason)
ctxt = controllers._get_barbican_context(req)
inst = controllers.containers.ContainerController(container)
controllers._do_enforce_rbac(inst, req,
controllers.containers.CONTAINER_GET,
ctxt)
def __init__(self):
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.secret_repo = repo.get_secret_repository()
self.validator = validators.ContainerValidator()
self.quota_enforcer = quota.QuotaEnforcer('containers',
self.container_repo)
def __init__(self, container):
self.container = container
self.container_id = container.id
self.acl_repo = repo.get_container_acl_repository()
self.container_repo = repo.get_container_repository()
self.validator = validators.ACLValidator()
self.container_project_id = container.project.external_id
def __init__(self, container):
self.container = container
self.container_id = container.id
self.acl_repo = repo.get_container_acl_repository()
self.container_repo = repo.get_container_repository()
self.validator = validators.ACLValidator()
self.container_project_id = container.project.external_id
def _save_container(spec, project_model, private_secret_model,
public_secret_model, passphrase_secret_model):
container_model = models.Container()
container_model.name = spec.get('name')
container_model.type = spec.get('algorithm', '').lower()
container_model.status = models.States.ACTIVE
container_model.project_id = project_model.id
container_model.creator_id = spec.get('creator_id')
container_repo = repos.get_container_repository()
container_repo.create_from(container_model)
# create container_secret for private_key
_create_container_secret_association('private_key',
private_secret_model,
container_model)
# create container_secret for public_key
_create_container_secret_association('public_key',
public_secret_model,
container_model)
if spec.get('passphrase'):
# create container_secret for passphrase
_create_container_secret_association('private_key_passphrase',
passphrase_secret_model,
container_model)
return container_model
def __init__(self, container_id):
self.container_id = container_id
self.container = None
self.acl_repo = repo.get_container_acl_repository()
self.container_repo = repo.get_container_repository()
self.validator = validators.ACLValidator()
self.container_project_id = None
def validate_stored_key_rsa_container(project_id, container_ref, req):
try:
container_id = hrefs.get_container_id_from_ref(container_ref)
except Exception:
reason = u._("Bad Container Reference {ref}").format(
ref=container_ref
)
raise exception.InvalidContainer(reason=reason)
container_repo = repo.get_container_repository()
container = container_repo.get_container_by_id(entity_id=container_id,
suppress_exception=True)
if not container:
reason = u._("Container Not Found")
raise exception.InvalidContainer(reason=reason)
if container.type != 'rsa':
reason = u._("Container Wrong Type")
raise exception.InvalidContainer(reason=reason)
ctxt = controllers._get_barbican_context(req)
inst = controllers.containers.ContainerController(container)
controllers._do_enforce_rbac(inst, req,
controllers.containers.CONTAINER_GET,
ctxt)
def __init__(self, container_id):
self.container_id = container_id
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.project_repo = repo.get_project_repository()
self.validator = validators.ContainerConsumerValidator()
self.quota_enforcer = quota.QuotaEnforcer('consumers',
self.consumer_repo)
def __init__(self, container_id):
self.container_id = container_id
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.project_repo = repo.get_project_repository()
self.validator = validators.ContainerConsumerValidator()
self.quota_enforcer = quota.QuotaEnforcer('consumers',
self.consumer_repo)
def __init__(self, container):
self.container = container
self.container_id = container.id
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.validator = validators.ContainerValidator()
self.consumers = consumers.ContainerConsumersController(
self.container_id)
self.acls = acls.ContainerACLsController(self.container_id)
def __init__(self, container):
self.container = container
self.container_id = container.id
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.validator = validators.ContainerValidator()
self.consumers = consumers.ContainerConsumersController(
self.container_id)
self.acl = acls.ContainerACLsController(self.container)
def _get_container_from_order_meta(order_model, project_model):
container_ref = order_model.meta.get("container_ref")
# extract container_id as the last part of the URL
container_id = hrefs.get_container_id_from_ref(container_ref)
container_repo = repos.get_container_repository()
container = container_repo.get(container_id, project_model.external_id, suppress_exception=True)
return container_id, container
def _get_container_from_order_meta(order_model, project_model):
container_ref = order_model.meta.get('container_ref')
# extract container_id as the last part of the URL
container_id = hrefs.get_container_id_from_ref(container_ref)
container_repo = repos.get_container_repository()
container = container_repo.get(container_id,
project_model.external_id,
suppress_exception=True)
return container_id, container
def _save_secrets(result, project_model, request_type, order_model):
cert_secret_model, transport_key_model = plugin.store_secret(
unencrypted_raw=result.certificate,
content_type_raw='application/pkix-cert',
content_encoding='base64',
secret_model=models.Secret(),
project_model=project_model)
# save the certificate chain as a secret.
if result.intermediates:
intermediates_secret_model, transport_key_model = plugin.store_secret(
unencrypted_raw=result.intermediates,
content_type_raw='application/pkix-cert',
content_encoding='base64',
secret_model=models.Secret(),
project_model=project_model
)
else:
intermediates_secret_model = None
container_model = models.Container()
container_model.type = "certificate"
container_model.status = models.States.ACTIVE
container_model.project_id = project_model.id
container_repo = repos.get_container_repository()
container_repo.create_from(container_model)
# create container_secret for certificate
new_consec_assoc = models.ContainerSecret()
new_consec_assoc.name = 'certificate'
new_consec_assoc.container_id = container_model.id
new_consec_assoc.secret_id = cert_secret_model.id
container_secret_repo = repos.get_container_secret_repository()
container_secret_repo.create_from(new_consec_assoc)
if intermediates_secret_model:
# create container_secret for intermediate certs
new_consec_assoc = models.ContainerSecret()
new_consec_assoc.name = 'intermediates'
new_consec_assoc.container_id = container_model.id
new_consec_assoc.secret_id = intermediates_secret_model.id
container_secret_repo.create_from(new_consec_assoc)
if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
_add_private_key_to_generated_cert_container(container_model.id,
order_model,
project_model)
return container_model
def _create_base_container(self):
# Setup the container and needed base relationship
container_repo = repositories.get_container_repository()
session = container_repo.get_session()
project = models.Project()
project.external_id = "keystone_project_id"
project.save(session=session)
container = models.Container()
container.project_id = project.id
container.save(session=session)
session.commit()
return container
def _create_base_container(self, project_id=None):
# Setup the container and needed base relationship
container_repo = repositories.get_container_repository()
session = container_repo.get_session()
if project_id is None:
project = models.Project()
project.external_id = "keystone_project_id"
project.save(session=session)
project_id = project.id
container = models.Container()
container.project_id = project_id
container.save(session=session)
session.commit()
return container
def _save_asymmetric_secret_in_repo(container_model, private_secret_model,
public_secret_model,
passphrase_secret_model):
container_repo = repos.get_container_repository()
container_repo.create_from(container_model)
# create container_secret for private_key
_create_container_secret_association('private_key', private_secret_model,
container_model)
# create container_secret for public_key
_create_container_secret_association('public_key', public_secret_model,
container_model)
if passphrase_secret_model:
# create container_secret for passphrase
_create_container_secret_association('private_key_passphrase',
passphrase_secret_model,
container_model)
def validate_stored_key_rsa_container(project_id, container_ref):
try:
container_id = hrefs.get_container_id_from_ref(container_ref)
except Exception:
reason = u._("Bad Container Reference {ref}").format(
ref=container_ref
)
raise exception.InvalidContainer(reason=reason)
container_repo = repo.get_container_repository()
container = container_repo.get(container_id,
external_project_id=project_id,
suppress_exception=True)
if not container:
reason = u._("Container Not Found")
raise exception.InvalidContainer(reason=reason)
if container.type != 'rsa':
reason = u._("Container Wrong Type")
raise exception.InvalidContainer(reason=reason)
def _save_asymmetric_secret_in_repo(container_model, private_secret_model,
public_secret_model,
passphrase_secret_model):
container_repo = repos.get_container_repository()
container_repo.create_from(container_model)
# create container_secret for private_key
_create_container_secret_association('private_key',
private_secret_model,
container_model)
# create container_secret for public_key
_create_container_secret_association('public_key',
public_secret_model,
container_model)
if passphrase_secret_model:
# create container_secret for passphrase
_create_container_secret_association('private_key_passphrase',
passphrase_secret_model,
container_model)
import uuid
import mock
from barbican.common import resources
from barbican.model import models
from barbican.model import repositories
from barbican.tests.api.controllers import test_acls
from barbican.tests.api import test_resources_policy as test_policy
from barbican.tests import utils
order_repo = repositories.get_order_repository()
project_repo = repositories.get_project_repository()
ca_repo = repositories.get_ca_repository()
project_ca_repo = repositories.get_project_ca_repository()
container_repo = repositories.get_container_repository()
generic_key_meta = {
'name': 'secretname',
'algorithm': 'AES',
'bit_length': 256,
'mode': 'cbc',
'payload_content_type': 'application/octet-stream'
}
class WhenCreatingOrdersUsingOrdersResource(utils.BarbicanAPIBaseTestCase):
def test_can_create_a_new_order(self):
resp, order_uuid = create_order(self.app,
order_type='key',
meta=generic_key_meta)
def __init__(self):
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.secret_repo = repo.get_secret_repository()
self.validator = validators.ContainerValidator()
def __init__(self, container_id):
self.container_id = container_id
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.validator = validators.ContainerConsumerValidator()
class Container(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'name':
fields.StringField(nullable=True, default=None),
'type':
fields.EnumField(nullable=True, valid_values=TYPE_VALUE),
'project_id':
fields.StringField(nullable=True, default=None),
'creator_id':
fields.StringField(nullable=True, default=None),
'consumers':
fields.ListOfObjectsField('ContainerConsumerMetadatum',
default=list()),
'container_secrets':
fields.ListOfObjectsField('ContainerSecret', default=list()),
'container_acls':
fields.ListOfObjectsField('ContainerACL', default=list()),
'project':
fields.ObjectField('Project', nullable=True, default=None)
}
db_model = models.Container
db_repo = repos.get_container_repository()
synthetic_fields = [
'consumers', 'container_secrets', 'container_acls', 'project'
]
def __init__(self, context=None, parsed_request=None, **kwargs):
super(Container, self).__init__(context=context, **kwargs)
if parsed_request:
self.name = parsed_request.get('name')
self.type = parsed_request.get('type')
self.status = base.States.ACTIVE
self.creator_id = parsed_request.get('creator_id')
secret_refs = parsed_request.get('secret_refs')
if secret_refs:
for secret_ref in parsed_request.get('secret_refs'):
container_secret = con_se.ContainerSecret()
container_secret.name = secret_ref.get('name')
secret_id = secret_ref.get('secret_ref')
if secret_id.endswith('/'):
secret_id = secret_id.rsplit('/', 2)[1]
elif '/' in secret_id:
secret_id = secret_id.rsplit('/', 1)[1]
else:
secret_id = secret_id
container_secret.secret_id = secret_id
self.container_secrets.append(container_secret)
def _get_db_entity(self, data=None):
return self.db_model(parsed_request=data, check_exc=False)
def _attach_container_secret(self, container_secrets, container_id,
session):
if container_secrets:
for container_secret in container_secrets:
container_secret.container_id = container_id
if container_secret.id is None:
self.container_secrets.append(
container_secret.create(session=session))
else:
self.container_secrets.append(
container_secret.save(session=session))
def _attach_consumers(self, consumers, container_id, session):
if consumers:
for consumer in consumers:
consumer.container_id = container_id
if consumer.id is None:
self.consumers.append(consumer.create(session=session))
else:
self.consumers.append(consumer.save(session=session))
def create(self, session=None):
fields = self.obj_get_changes()
super(Container, self).create(session=session)
if 'container_secrets' in fields:
self._attach_container_secret(fields['container_secrets'],
container_id=self.id,
session=session)
if 'consumers' in fields:
self._attach_consumers(fields['consumers'],
container_id=self.id,
session=session)
def save(self, session=None):
fields = self.obj_get_changes()
super(Container, self).save(session=session)
if 'consumers' in fields:
self._attach_consumers(fields['consumers'],
container_id=self.id,
session=session)
@classmethod
def get_by_create_date(cls,
external_project_id,
offset_arg=None,
limit_arg=None,
name_arg=None,
suppress_exception=False,
session=None):
entities_db, offset, limit, total = cls.db_repo.get_by_create_date(
external_project_id, offset_arg, limit_arg, name_arg,
suppress_exception, session)
entities_obj = [
cls()._from_db_object(entity_db) for entity_db in entities_db
]
return entities_obj, offset, limit, total
@classmethod
def get_container_by_id(cls,
entity_id,
suppress_exception=False,
session=None):
entity_db = cls.db_repo.get_container_by_id(entity_id,
suppress_exception,
session)
return cls()._from_db_object(entity_db)
def __init__(self, container_id):
self.container_id = container_id
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.validator = validators.ContainerConsumerValidator()
def _generate_csr(order_model, project_model):
"""Generate a CSR from the public key.
:param: order_model - order for the request
:param: project_model - project for this request
:return: CSR (certificate signing request) in PEM format
:raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
:class:`StoredKeyContainerNotFound` if container not found
"""
container_ref = order_model.meta.get('container_ref')
# extract container_id as the last part of the URL
container_id = hrefs.get_container_id_from_ref(container_ref)
container_repo = repos.get_container_repository()
container = container_repo.get(container_id,
project_model.external_id,
suppress_exception=True)
if not container:
raise excep.StoredKeyContainerNotFound(container_id)
passphrase = None
private_key = None
for cs in container.container_secrets:
secret_repo = repos.get_secret_repository()
if cs.name == 'private_key':
private_key_model = secret_repo.get(cs.secret_id,
project_model.external_id)
private_key = plugin.get_secret('application/pkcs8',
private_key_model, project_model)
elif cs.name == 'private_key_passphrase':
passphrase_model = secret_repo.get(cs.secret_id,
project_model.external_id)
passphrase = plugin.get_secret('text/plain;charset=utf-8',
passphrase_model, project_model)
passphrase = str(passphrase)
if not private_key:
raise excep.StoredKeyPrivateKeyNotFound(container_id)
if passphrase is None:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
else:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key,
passphrase)
subject_name = order_model.meta.get('subject_dn')
subject_name_dns = ldap.dn.str2dn(subject_name)
extensions = order_model.meta.get('extensions', None)
req = crypto.X509Req()
subj = req.get_subject()
# Note: must iterate over the DNs in reverse order, or the resulting
# subject name will be reversed.
for ava in reversed(subject_name_dns):
for key, val, extra in ava:
setattr(subj, key.upper(), val)
req.set_pubkey(pkey)
if extensions:
# TODO(alee-3) We need code here to parse the encoded extensions and
# convert them into X509Extension objects. This code will also be
# used in the validation code. Commenting out for now till we figure
# out how to do this.
# req.add_extensions(extensions)
pass
req.sign(pkey, 'sha256')
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
return csr
def _generate_csr(order_model, project_model):
"""Generate a CSR from the public key.
:param: order_model - order for the request
:param: project_model - project for this request
:return: CSR (certificate signing request) in PEM format
:raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
:class:`StoredKeyContainerNotFound` if container not found
"""
container_ref = order_model.meta.get('container_ref')
# extract container_id as the last part of the URL
container_id = hrefs.get_container_id_from_ref(container_ref)
container_repo = repos.get_container_repository()
container = container_repo.get(container_id,
project_model.external_id,
suppress_exception=True)
if not container:
raise excep.StoredKeyContainerNotFound(container_id)
passphrase = None
private_key = None
for cs in container.container_secrets:
secret_repo = repos.get_secret_repository()
if cs.name == 'private_key':
private_key_model = secret_repo.get(
cs.secret_id,
project_model.external_id)
private_key = plugin.get_secret(
'application/pkcs8',
private_key_model,
project_model)
elif cs.name == 'private_key_passphrase':
passphrase_model = secret_repo.get(
cs.secret_id,
project_model.external_id)
passphrase = plugin.get_secret(
'text/plain;charset=utf-8',
passphrase_model,
project_model)
passphrase = str(passphrase)
if not private_key:
raise excep.StoredKeyPrivateKeyNotFound(container_id)
if passphrase is None:
pkey = crypto.load_privatekey(
crypto.FILETYPE_PEM,
private_key
)
else:
pkey = crypto.load_privatekey(
crypto.FILETYPE_PEM,
private_key,
passphrase
)
subject_name = order_model.meta.get('subject_dn')
subject_name_dns = ldap.dn.str2dn(subject_name)
extensions = order_model.meta.get('extensions', None)
req = crypto.X509Req()
subj = req.get_subject()
# Note: must iterate over the DNs in reverse order, or the resulting
# subject name will be reversed.
for ava in reversed(subject_name_dns):
for key, val, extra in ava:
setattr(subj, key.upper(), val)
req.set_pubkey(pkey)
if extensions:
# TODO(alee-3) We need code here to parse the encoded extensions and
# convert them into X509Extension objects. This code will also be
# used in the validation code. Commenting out for now till we figure
# out how to do this.
# req.add_extensions(extensions)
pass
req.sign(pkey, 'sha256')
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
return csr
def __init__(self):
self.consumer_repo = repo.get_container_consumer_repository()
self.container_repo = repo.get_container_repository()
self.secret_repo = repo.get_secret_repository()
self.validator = validators.ContainerValidator()
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import uuid
from barbican.common import exception
from barbican.model import repositories
from barbican.tests.api.controllers import test_secrets as secret_helper
from barbican.tests import utils
containers_repo = repositories.get_container_repository()
class SuccessfulContainerCreateMixin(object):
def _assert_successful_container_create(self, resp, container_uuid):
self.assertEqual(201, resp.status_int)
# this will raise if the container uuid is not proper
uuid.UUID(container_uuid)
class WhenCreatingContainersUsingContainersResource(
utils.BarbicanAPIBaseTestCase,
SuccessfulContainerCreateMixin):
def test_should_add_new_empty_container(self):
container_name = 'test container name'
def create_container(project=None, session=None):
container = models.Container()
container.project_id = project.id
container_repo = repositories.get_container_repository()
container_repo.create_from(container, session=session)
return container
def create_container(project=None, session=None):
container = models.Container()
container.project_id = project.id
container_repo = repositories.get_container_repository()
container_repo.create_from(container, session=session)
return container
