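def validate_stored_key_rsa_container(project_id, container_ref, req):
    """Resolve and authorize the RSA container referenced by a stored-key order.

    Steps: parse ``container_ref`` into a container id, load the container,
    enforce the ``CONTAINER_GET`` policy for the caller, and only then
    require the container's ``type`` to be ``'rsa'``.

    The repository lookup is by id only (``get_container_by_id``) and is NOT
    scoped to ``project_id``; authorization is delegated entirely to
    ``_do_enforce_rbac`` run against the container's own controller, so
    whether a caller may use another project's container is decided by
    policy (presumably including container ACLs -- verify against the policy
    rules). ``project_id`` is accepted for interface compatibility and is
    not used by this function.

    :param project_id: external project id of the caller (unused here)
    :param container_ref: URL-style reference to the container
    :param req: the request object used to build the RBAC context
    :raises exception.InvalidContainer: the reference cannot be parsed, no
        container with that id exists, or the container is not of type 'rsa'
    :raises: whatever ``controllers._do_enforce_rbac`` raises when policy
        denies access
    """
    try:
        container_id = hrefs.get_container_id_from_ref(container_ref)
    except Exception:
        # Any parse failure is reported uniformly as a bad reference.
        reason = u._("Bad Container Reference {ref}").format(
            ref=container_ref
        )
        raise exception.InvalidContainer(reason=reason)

    container_repo = repo.get_container_repository()
    container = container_repo.get_container_by_id(
        entity_id=container_id, suppress_exception=True)
    if not container:
        reason = u._("Container Not Found")
        raise exception.InvalidContainer(reason=reason)

    # Enforce policy before inspecting the container any further. The
    # original checked the type first, which let a caller that is denied
    # CONTAINER_GET still learn whether an existing container is an 'rsa'
    # container (a "Wrong Type" error versus the RBAC denial). Ordering
    # the checks this way keeps that detail behind authorization.
    ctxt = controllers._get_barbican_context(req)
    inst = controllers.containers.ContainerController(container)
    controllers._do_enforce_rbac(
        inst, req, controllers.containers.CONTAINER_GET, ctxt)

    if container.type != 'rsa':
        reason = u._("Container Wrong Type")
        raise exception.InvalidContainer(reason=reason)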
def _get_container_from_order_meta(order_model, project_model):
    """Look up the container named by an order's ``container_ref`` meta entry.

    The container id is the trailing path element of the reference URL.
    The repository lookup is scoped to the order's project through
    ``project_model.external_id`` and is made with ``suppress_exception=True``,
    so a missing container is expected to come back as a falsy value rather
    than an error -- verify against the repository implementation.

    :param order_model: order whose ``meta`` holds ``"container_ref"``
    :param project_model: project the container must belong to
    :return: ``(container_id, container)``
    """
    ref = order_model.meta.get("container_ref")
    cid = hrefs.get_container_id_from_ref(ref)
    found = repos.get_container_repository().get(
        cid, project_model.external_id, suppress_exception=True)
    return cid, found
def _get_container_from_order_meta(order_model, project_model):
    """Return ``(container_id, container)`` for an order's ``container_ref``.

    ``container_id`` is extracted from the reference URL by
    ``hrefs.get_container_id_from_ref``; the container itself is fetched
    from the container repository, scoped to ``project_model.external_id``.
    Because the lookup passes ``suppress_exception=True``, ``container`` is
    presumably ``None`` (rather than an exception) when nothing matches --
    callers should check it before use.
    """
    container_ref = order_model.meta.get('container_ref')
    # The id is the last path segment of the reference URL.
    container_id = hrefs.get_container_id_from_ref(container_ref)
    repository = repos.get_container_repository()
    return container_id, repository.get(container_id,
                                        project_model.external_id,
                                        suppress_exception=True)
def validate_stored_key_rsa_container(project_id, container_ref):
    """Check that ``container_ref`` names an RSA container in ``project_id``.

    Three failure modes, each reported as ``exception.InvalidContainer``:
    the reference cannot be parsed ("Bad Container Reference"), no container
    with that id is found ("Container Not Found"), or the container's
    ``type`` is not ``'rsa'`` ("Container Wrong Type").

    The repository call is scoped with ``external_project_id=project_id``,
    so a container belonging to a different project should not be returned
    and would surface as "Container Not Found" -- confirm against the
    repository's ``get`` semantics.

    :param project_id: external project id the container must belong to
    :param container_ref: URL-style reference to the container
    :raises exception.InvalidContainer: on any of the failures above
    """
    try:
        cid = hrefs.get_container_id_from_ref(container_ref)
    except Exception:
        raise exception.InvalidContainer(
            reason=u._("Bad Container Reference {ref}").format(
                ref=container_ref))

    found = repo.get_container_repository().get(
        cid, external_project_id=project_id, suppress_exception=True)
    if not found:
        raise exception.InvalidContainer(reason=u._("Container Not Found"))
    if found.type != 'rsa':
        raise exception.InvalidContainer(reason=u._("Container Wrong Type"))
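def _load_private_key(container, project_model):
    """Return ``(private_key, passphrase)`` from an RSA container's secrets.

    Walks ``container.container_secrets`` once, pulling the secret named
    ``'private_key'`` (requested as ``application/pkcs8``) and, when present,
    the one named ``'private_key_passphrase'`` (requested as
    ``text/plain;charset=utf-8``). Either value is ``None`` if the container
    holds no secret of that name.
    """
    # The secret repository is loop-invariant; fetch it once instead of
    # once per container secret as the original did.
    secret_repo = repos.get_secret_repository()
    passphrase = None
    private_key = None
    for cs in container.container_secrets:
        if cs.name == 'private_key':
            private_key_model = secret_repo.get(cs.secret_id,
                                                project_model.external_id)
            private_key = plugin.get_secret('application/pkcs8',
                                            private_key_model,
                                            project_model)
        elif cs.name == 'private_key_passphrase':
            passphrase_model = secret_repo.get(cs.secret_id,
                                               project_model.external_id)
            passphrase = plugin.get_secret('text/plain;charset=utf-8',
                                           passphrase_model,
                                           project_model)
            # NOTE(review): if plugin.get_secret returns bytes under
            # Python 3, str() yields "b'...'" rather than the passphrase
            # text -- confirm the return type for this content type.
            passphrase = str(passphrase)
    return private_key, passphrase


def _generate_csr(order_model, project_model):
    """Generate a CSR signed with the private key stored in the order's container.

    :param: order_model - order for the request
    :param: project_model - project for this request
    :return: CSR (certificate signing request) in PEM format
    :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
            :class:`StoredKeyContainerNotFound` if container not found

    The subject is taken from ``order_model.meta['subject_dn']`` (parsed
    with ``ldap.dn.str2dn``) and the request is signed with SHA-256.
    Any ``extensions`` entry in the order meta is currently NOT applied to
    the request -- that branch is a TODO no-op -- so the returned CSR may
    lack extensions the caller asked for.
    """
    container_ref = order_model.meta.get('container_ref')
    # extract container_id as the last part of the URL
    container_id = hrefs.get_container_id_from_ref(container_ref)
    container_repo = repos.get_container_repository()
    container = container_repo.get(container_id,
                                   project_model.external_id,
                                   suppress_exception=True)
    if not container:
        raise excep.StoredKeyContainerNotFound(container_id)

    private_key, passphrase = _load_private_key(container, project_model)
    if not private_key:
        raise excep.StoredKeyPrivateKeyNotFound(container_id)

    # The key is loaded as PEM even though it was requested as PKCS#8;
    # presumably the plugin hands back PEM-encoded PKCS#8 -- confirm.
    if passphrase is None:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
    else:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key,
                                      passphrase)

    # NOTE(review): a missing 'subject_dn' reaches str2dn as None; this
    # relies on earlier order validation having required it -- confirm.
    subject_name = order_model.meta.get('subject_dn')
    subject_name_dns = ldap.dn.str2dn(subject_name)
    extensions = order_model.meta.get('extensions', None)

    req = crypto.X509Req()
    subj = req.get_subject()

    # Note: must iterate over the DNs in reverse order, or the resulting
    # subject name will be reversed.
    for ava in reversed(subject_name_dns):
        for key, val, extra in ava:
            # Attribute types come straight from the caller-supplied DN;
            # this assumes X509Name rejects unknown attribute names -- confirm.
            setattr(subj, key.upper(), val)

    req.set_pubkey(pkey)

    if extensions:
        # TODO(alee-3) We need code here to parse the encoded extensions and
        # convert them into X509Extension objects. This code will also be
        # used in the validation code. Commenting out for now till we figure
        # out how to do this.
        # req.add_extensions(extensions)
        pass

    req.sign(pkey, 'sha256')
    csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
    return csr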
def test_get_container_id_passes(self):
    """A well-formed container URL yields its trailing path segment as the id."""
    container_url = 'https://localhost/v1/containers/good_container_ref'
    self.assertEqual(
        'good_container_ref',
        hrefs.get_container_id_from_ref(container_url))
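def _generate_csr(order_model, project_model):
    """Build a PEM CSR using the private key held in the order's container.

    :param: order_model - order for the request
    :param: project_model - project for this request
    :return: CSR (certificate signing request) in PEM format
    :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
            :class:`StoredKeyContainerNotFound` if container not found

    Flow: resolve ``meta['container_ref']`` to a container scoped to the
    project, read the ``'private_key'`` and optional
    ``'private_key_passphrase'`` secrets out of it, set the subject from
    ``meta['subject_dn']`` and sign the request with SHA-256.

    Caveat: ``meta['extensions']`` is read but never added to the request
    (the branch below is a TODO no-op), so requested extensions are silently
    dropped from the CSR.
    """
    container_ref = order_model.meta.get('container_ref')
    # extract container_id as the last part of the URL
    container_id = hrefs.get_container_id_from_ref(container_ref)
    container_repo = repos.get_container_repository()
    container = container_repo.get(container_id,
                                   project_model.external_id,
                                   suppress_exception=True)
    if not container:
        raise excep.StoredKeyContainerNotFound(container_id)

    # Hoisted out of the loop: the repository does not change per secret.
    secret_repo = repos.get_secret_repository()
    passphrase = None
    private_key = None
    for cs in container.container_secrets:
        if cs.name == 'private_key':
            private_key_model = secret_repo.get(
                cs.secret_id, project_model.external_id)
            private_key = plugin.get_secret(
                'application/pkcs8', private_key_model, project_model)
        elif cs.name == 'private_key_passphrase':
            passphrase_model = secret_repo.get(
                cs.secret_id, project_model.external_id)
            passphrase = plugin.get_secret(
                'text/plain;charset=utf-8', passphrase_model, project_model)
            # NOTE(review): str() on a bytes value (Python 3) produces
            # "b'...'", which would not decrypt the key -- confirm the type
            # plugin.get_secret returns here.
            passphrase = str(passphrase)

    if not private_key:
        raise excep.StoredKeyPrivateKeyNotFound(container_id)

    # Only pass a passphrase through when one was actually stored.
    if passphrase is None:
        pkey = crypto.load_privatekey(
            crypto.FILETYPE_PEM, private_key
        )
    else:
        pkey = crypto.load_privatekey(
            crypto.FILETYPE_PEM, private_key, passphrase
        )

    # NOTE(review): str2dn receives None if 'subject_dn' is absent from the
    # order meta; presumably validated upstream -- confirm.
    subject_name = order_model.meta.get('subject_dn')
    subject_name_dns = ldap.dn.str2dn(subject_name)
    extensions = order_model.meta.get('extensions', None)

    req = crypto.X509Req()
    subj = req.get_subject()

    # Note: must iterate over the DNs in reverse order, or the resulting
    # subject name will be reversed.
    for ava in reversed(subject_name_dns):
        for key, val, extra in ava:
            # Attribute names are caller-controlled (from the DN string);
            # assumes X509Name raises on unknown names -- confirm.
            setattr(subj, key.upper(), val)

    req.set_pubkey(pkey)

    if extensions:
        # TODO(alee-3) We need code here to parse the encoded extensions and
        # convert them into X509Extension objects. This code will also be
        # used in the validation code. Commenting out for now till we figure
        # out how to do this.
        # req.add_extensions(extensions)
        pass

    req.sign(pkey, 'sha256')
    csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
    return csr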