def check_certificate_request(order_model, project_model, result_follow_on): """Check the status of a certificate request with the CA. Note that this method may be called more than once if retries are required. Barbican metadata is used to store intermediate information, including selected plugins by name, to support such retries. :param: order_model - order associated with this cert request :param: project_model - project associated with this request :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance instantiated by the client that this function may optionally update with information on how to process this task into the future. :returns: container_model - container with the relevant cert if the request has been completed. None otherwise. """ plugin_meta = _get_plugin_meta(order_model) barbican_meta = _get_barbican_meta(order_model) # TODO(john-wood-w) See note above about DTO's name. barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO() cert_plugin = cert.CertificatePluginManager().get_plugin_by_name( barbican_meta.get('plugin_name')) result = cert_plugin.check_certificate_status( order_model.id, order_model.meta, plugin_meta, barbican_meta_for_plugins_dto) # Save plugin order plugin state _save_plugin_metadata(order_model, plugin_meta) request_type = order_model.meta.get(cert.REQUEST_TYPE) return _handle_task_result( result, result_follow_on, order_model, project_model, request_type, unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_CHECK)
def issue_certificate_request(order_model, project_model, result_follow_on): """Create the initial order with CA. Note that this method may be called more than once if retries are required. Barbican metadata is used to store intermediate information, including selected plugins by name, to support such retries. :param: order_model - order associated with this cert request :param: project_model - project associated with this request :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance instantiated by the client that this function may optionally update with information on how to process this task into the future. :returns: container_model - container with the relevant cert if the request has been completed. None otherwise """ plugin_meta = _get_plugin_meta(order_model) barbican_meta = _get_barbican_meta(order_model) # TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order # and not shown to plugins) with barbican_meta_dto (shared with plugins). # As a minimum we should change the name of the DTO to something like # 'extended_meta_dto' or some such. barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO() # refresh the CA table. This is mostly a no-op unless the entries # for a plugin are expired. cert.CertificatePluginManager().refresh_ca_table() cert_plugin = _get_cert_plugin(barbican_meta, barbican_meta_for_plugins_dto, order_model, project_model) barbican_meta['plugin_name'] = utils.generate_fullname_for(cert_plugin) # Generate CSR if needed. request_type = order_model.meta.get(cert.REQUEST_TYPE) if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST: csr = barbican_meta.get('generated_csr') if csr is None: # TODO(alee) Fix this to be a non-project specific call once # the ACL patches go in. csr = _generate_csr_from_private_key(order_model, project_model) barbican_meta['generated_csr'] = csr barbican_meta_for_plugins_dto.generated_csr = csr result = cert_plugin.issue_certificate_request( order_model.id, order_model.meta, plugin_meta, barbican_meta_for_plugins_dto) # Save plugin and barbican metadata for this order. _save_plugin_metadata(order_model, plugin_meta) _save_barbican_metadata(order_model, barbican_meta) # Handle result return _handle_task_result( result, result_follow_on, order_model, project_model, request_type, unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE)
def setUp(self): super(SnakeoilCAPluginTestCase, self).setUp() self.ca_cert_path = os.path.join(self.tmp_dir, 'ca.pem') self.ca_key_path = os.path.join(self.tmp_dir, 'ca.pem') self.db_dir = self.tmp_dir self.plugin = snakeoil_ca.SnakeoilCACertificatePlugin(self.conf) self.order_id = mock.MagicMock() self.barbican_meta_dto = cm.BarbicanMetaDTO()
def check_certificate_request(order_model, project_model, result_follow_on): """Check the status of a certificate request with the CA. Note that this method may be called more than once if retries are required. Barbican metadata is used to store intermediate information, including selected plugins by name, to support such retries. :param: order_model - order associated with this cert request :param: project_model - project associated with this request :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance instantiated by the client that this function may optionally update with information on how to process this task into the future. :returns: container_model - container with the relevant cert if the request has been completed. None otherwise. """ container_model = None plugin_meta = _get_plugin_meta(order_model) barbican_meta = _get_barbican_meta(order_model) # TODO(john-wood-w) See note above about DTO's name. barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO() cert_plugin = cert.CertificatePluginManager().get_plugin_by_name( barbican_meta.get('plugin_name')) result = cert_plugin.check_certificate_status( order_model.id, order_model.meta, plugin_meta, barbican_meta_for_plugins_dto) # Save plugin order plugin state _save_plugin_metadata(order_model, plugin_meta) # Handle result if cert.CertificateStatus.WAITING_FOR_CA == result.status: _update_result_follow_on( result_follow_on, order_status=ORDER_STATUS_REQUEST_PENDING, retry_task=common.RetryTasks.INVOKE_CERT_STATUS_CHECK_TASK, retry_msec=result.retry_msec) elif cert.CertificateStatus.CERTIFICATE_GENERATED == result.status: _update_result_follow_on(result_follow_on, order_status=ORDER_STATUS_CERT_GENERATED) container_model = _save_secrets(result, project_model) elif cert.CertificateStatus.CLIENT_DATA_ISSUE_SEEN == result.status: raise cert.CertificateStatusClientDataIssue(result.status_message) elif cert.CertificateStatus.CA_UNAVAILABLE_FOR_REQUEST == result.status: _update_result_follow_on( result_follow_on, order_status=ORDER_STATUS_CA_UNAVAIL_FOR_CHECK, retry_task=common.RetryTasks.INVOKE_SAME_TASK, retry_msec=cert.ERROR_RETRY_MSEC) _notify_ca_unavailable(order_model, result) elif cert.CertificateStatus.INVALID_OPERATION == result.status: raise cert.CertificateStatusInvalidOperation(result.status_message) else: raise cert.CertificateStatusNotSupported(result.status) return container_model
def setUp(self): super(SnakeoilCAPluginTestCase, self).setUp() self.ca_cert_path = os.path.join(self.tmp_dir, 'ca.cert') self.ca_key_path = os.path.join(self.tmp_dir, 'ca.key') self.ca_chain_path = os.path.join(self.tmp_dir, 'ca.chain') self.ca_pkcs7_path = os.path.join(self.tmp_dir, 'ca.pkcs7') self.db_dir = self.tmp_dir self.conf.snakeoil_ca_plugin.subca_cert_key_directory = os.path.join( self.tmp_dir, 'subca_cert_key_dir') self.subca_cert_key_directory = ( self.conf.snakeoil_ca_plugin.subca_cert_key_directory) self.plugin = snakeoil_ca.SnakeoilCACertificatePlugin(self.conf) self.order_id = mock.MagicMock() self.barbican_meta_dto = cm.BarbicanMetaDTO()
def setUp(self): super(WhenTestingSymantecPlugin, self).setUp() self.order_meta = { 'cert_type': 'ssl123', 'organization': 'Shinra Corp', 'phone': '555-555-5555', 'so many things...': 'more...' } self.error_msg = 'Error Message Here' self.symantec = sym.SymantecCertificatePlugin() self.barbican_plugin_dto = cm.BarbicanMetaDTO() self.symantec_patcher = mock.patch( 'barbican.plugin.symantec._ca_create_order') self.mock_create_order = self.symantec_patcher.start()
def setUp(self): super(WhenTestingDogtagCAPlugin, self).setUp() self.certclient_mock = mock.MagicMock(name="CertClient mock") self.patcher = mock.patch('pki.crypto.NSSCryptoProvider') self.patcher.start() # create nss db for test only self.nss_dir = tempfile.mkdtemp() self.cfg_mock = mock.MagicMock(name='config mock') self.cfg_mock.dogtag_plugin = mock.MagicMock( nss_db_path=self.nss_dir) self.plugin = dogtag_import.DogtagCAPlugin(self.cfg_mock) self.plugin.certclient = self.certclient_mock self.order_id = mock.MagicMock() self.profile_id = mock.MagicMock() # request generated self.request = mock.MagicMock() self.request_id_mock = mock.MagicMock() self.request.request_id = self.request_id_mock self.request.request_status = dogtag_cert.CertRequestStatus.COMPLETE self.cert_id_mock = mock.MagicMock() self.request.cert_id = self.cert_id_mock # cert generated self.cert = mock.MagicMock() self.cert_encoded_mock = mock.MagicMock() self.cert.encoded = self.cert_encoded_mock self.cert_pkcs7_mock = mock.MagicMock() self.cert.pkcs7_cert_chain = self.cert_pkcs7_mock # for cancel/modify self.review_response = mock.MagicMock() # modified request self.modified_request = mock.MagicMock() self.modified_request_id_mock = mock.MagicMock() self.modified_request.request_id = self.modified_request_id_mock self.modified_request.request_status = ( dogtag_cert.CertRequestStatus.COMPLETE) self.modified_request.cert_id = self.cert_id_mock self.barbican_meta_dto = cm.BarbicanMetaDTO()
def issue_certificate_request(order_model, project_model, result_follow_on): """Create the initial order with CA. Note that this method may be called more than once if retries are required. Barbican metadata is used to store intermediate information, including selected plugins by name, to support such retries. :param: order_model - order associated with this cert request :param: project_model - project associated with this request :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance instantiated by the client that this function may optionally update with information on how to process this task into the future. :returns: container_model - container with the relevant cert if the request has been completed. None otherwise """ container_model = None plugin_meta = _get_plugin_meta(order_model) barbican_meta = _get_barbican_meta(order_model) # TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order # and not shown to plugins) with barbican_meta_dto (shared with plugins). # As a minimum we should change the name of the DTO to something like # 'extended_meta_dto' or some such. barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO() # refresh the CA table. This is mostly a no-op unless the entries # for a plugin are expired. cert.CertificatePluginManager().refresh_ca_table() # Locate the required certificate plugin. cert_plugin_name = barbican_meta.get('plugin_name') if cert_plugin_name: cert_plugin = cert.CertificatePluginManager().get_plugin_by_name( cert_plugin_name) else: ca_id = _get_ca_id(order_model.meta, project_model.id) if ca_id: barbican_meta_for_plugins_dto.plugin_ca_id = ca_id cert_plugin = cert.CertificatePluginManager().get_plugin_by_ca_id( ca_id) else: cert_plugin = cert.CertificatePluginManager().get_plugin( order_model.meta) barbican_meta['plugin_name'] = utils.generate_fullname_for(cert_plugin) # Generate CSR if needed. request_type = order_model.meta.get(cert.REQUEST_TYPE) if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST: csr = barbican_meta.get('generated_csr') if csr is None: # TODO(alee) Fix this to be a non-project specific call once # the ACL patches go in. csr = _generate_csr(order_model, project_model) barbican_meta['generated_csr'] = csr barbican_meta_for_plugins_dto.generated_csr = csr result = cert_plugin.issue_certificate_request( order_model.id, order_model.meta, plugin_meta, barbican_meta_for_plugins_dto) # Save plugin and barbican metadata for this order. _save_plugin_metadata(order_model, plugin_meta) _save_barbican_metadata(order_model, barbican_meta) # Handle result if cert.CertificateStatus.WAITING_FOR_CA == result.status: _update_result_follow_on( result_follow_on, order_status=ORDER_STATUS_REQUEST_PENDING, retry_task=common.RetryTasks.INVOKE_CERT_STATUS_CHECK_TASK, retry_msec=result.retry_msec) elif cert.CertificateStatus.CERTIFICATE_GENERATED == result.status: _update_result_follow_on(result_follow_on, order_status=ORDER_STATUS_CERT_GENERATED) container_model = _save_secrets(result, project_model) elif cert.CertificateStatus.CLIENT_DATA_ISSUE_SEEN == result.status: raise cert.CertificateStatusClientDataIssue(result.status_message) elif cert.CertificateStatus.CA_UNAVAILABLE_FOR_REQUEST == result.status: _update_result_follow_on( result_follow_on, order_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE, retry_task=common.RetryTasks.INVOKE_SAME_TASK, retry_msec=cert.ERROR_RETRY_MSEC) _notify_ca_unavailable(order_model, result) elif cert.CertificateStatus.INVALID_OPERATION == result.status: raise cert.CertificateStatusInvalidOperation(result.status_message) else: raise cert.CertificateStatusNotSupported(result.status) return container_model
def setUp(self): super(WhenTestingDogtagCAPlugin, self).setUp() self.certclient_mock = mock.MagicMock(name="CertClient mock") self.patcher = mock.patch('pki.crypto.NSSCryptoProvider') self.patcher2 = mock.patch('pki.client.PKIConnection') self.patcher.start() self.patcher2.start() # create nss db for test only self.nss_dir = tempfile.mkdtemp() # create expiration file for test fh, self.expiration_data_path = tempfile.mkstemp() exp_time = datetime.datetime.utcnow() + datetime.timedelta(days=2) os.write(fh, exp_time.strftime( "%Y-%m-%d %H:%M:%S.%f")) os.close(fh) # create host CA file for test fh, self.host_ca_path = tempfile.mkstemp() os.write(fh, "host_ca_aid") os.close(fh) self.approved_profile_id = "caServerCert" CONF = dogtag_import.CONF CONF.dogtag_plugin.nss_db_path = self.nss_dir CONF.dogtag_plugin.ca_expiration_data_path = self.expiration_data_path CONF.dogtag_plugin.ca_host_aid_path = self.host_ca_path CONF.dogtag_plugin.auto_approved_profiles = [self.approved_profile_id] CONF.dogtag_plugin.dogtag_host = "localhost" CONF.dogtag_plugin.dogtag_port = 8443 CONF.dogtag_plugin.simple_cmc_profile = "caOtherCert" self.cfg = CONF self.plugin = dogtag_import.DogtagCAPlugin(CONF) self.plugin.certclient = self.certclient_mock self.order_id = mock.MagicMock() self.profile_id = mock.MagicMock() # request generated self.request_id_mock = mock.MagicMock() self.request = dogtag_cert.CertRequestInfo() self.request.request_id = self.request_id_mock self.request.request_status = dogtag_cert.CertRequestStatus.COMPLETE self.cert_id_mock = mock.MagicMock() self.request.cert_id = self.cert_id_mock # cert generated self.cert = mock.MagicMock() self.cert.encoded = keys.get_certificate_pem() self.cert.pkcs7_cert_chain = keys.get_certificate_der() # for cancel/modify self.review_response = mock.MagicMock() # modified request self.modified_request = mock.MagicMock() self.modified_request_id_mock = mock.MagicMock() self.modified_request.request_id = self.modified_request_id_mock self.modified_request.request_status = ( dogtag_cert.CertRequestStatus.COMPLETE) self.modified_request.cert_id = self.cert_id_mock self.barbican_meta_dto = cm.BarbicanMetaDTO()