def _init_memory_db_setup(self):
# Force a refresh of the singleton plugin manager for each test.
manager._PLUGIN_MANAGER = None
manager.CONF.set_override('enabled_crypto_plugins',
'simple_crypto',
group='crypto')
self.project_id1 = uuid.uuid4().hex
self.project_id2 = uuid.uuid4().hex
self.repos = rep.Repositories(
project_repo=None, project_secret_repo=None, secret_repo=None,
datum_repo=None, kek_repo=None, secret_meta_repo=None,
order_repo=None, order_plugin_meta_repo=None,
transport_key_repo=None, container_repo=None,
container_secret_repo=None)
self.project1_data = c_resources.get_or_create_project(
self.project_id1, self.repos.project_repo)
self.assertIsNotNone(self.project1_data)
self.project2_data = c_resources.get_or_create_project(
self.project_id2, self.repos.project_repo)
self.assertIsNotNone(self.project2_data)
def get_global_default(self, external_project_id, **kw):
LOG.debug('Start secret-stores get global default secret store')
if not utils.is_multiple_backends_enabled():
_multiple_backends_not_enabled()
res.get_or_create_project(external_project_id)
store = multiple_backends.get_global_default_secret_store()
return convert_secret_store_to_response_format(store)
def get_global_default(self, external_project_id, **kw):
LOG.debug('Start secret-stores get global default secret store')
if not utils.is_multiple_backends_enabled():
_multiple_backends_not_enabled()
res.get_or_create_project(external_project_id)
store = multiple_backends.get_global_default_secret_store()
return convert_secret_store_to_response_format(store)
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
try:
container = self.container_repo.get(self.container_id,
external_project_id)
except exception.NotFound:
controllers.containers.container_not_found()
new_consumer = models.ContainerConsumerMetadatum(self.container_id,
data)
new_consumer.project_id = project.id
self.consumer_repo.create_or_update_from(new_consumer, container)
url = hrefs.convert_consumer_to_href(new_consumer.container_id)
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a consumer for project: %s'),
external_project_id)
return self._return_container_data(self.container_id,
external_project_id)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
# With ACL support, the user token project does not have to be same as
# project associated with secret. The lookup project_id needs to be
# derived from the secret's data considering authorization is already
# done.
external_project_id = secret.project.external_id
project = res.get_or_create_project(external_project_id)
# default to application/octet-stream if there is no Accept header
accept_header = getattr(pecan.request.accept, 'header_value',
'application/octet-stream')
pecan.override_template('', accept_header)
# check if payload exists before proceeding
if not secret.encrypted_data and not secret.secret_store_metadata:
_secret_payload_not_found()
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(accept_header,
secret,
project,
twsk,
transport_key)
def on_get(self, external_project_id, **kw):
LOG.debug('Start certificate_authorities on_get (limited)')
plugin_name = kw.get('plugin_name')
if plugin_name is not None:
plugin_name = parse.unquote_plus(plugin_name)
plugin_ca_id = kw.get('plugin_ca_id', None)
if plugin_ca_id is not None:
plugin_ca_id = parse.unquote_plus(plugin_ca_id)
# refresh CA table, in case plugin entries have expired
cert_resources.refresh_certificate_resources()
project_model = res.get_or_create_project(external_project_id)
if self._project_cas_defined(project_model.id):
cas, offset, limit, total = self._get_subcas_and_project_cas(
offset=kw.get('offset', 0),
limit=kw.get('limit', None),
plugin_name=plugin_name,
plugin_ca_id=plugin_ca_id,
project_id=project_model.id)
else:
cas, offset, limit, total = self._get_subcas_and_root_cas(
offset=kw.get('offset', 0),
limit=kw.get('limit', None),
plugin_name=plugin_name,
plugin_ca_id=plugin_ca_id,
project_id=project_model.id)
return self._display_cas(cas, offset, limit, total)
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type or
pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type)
)
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if self.secret.encrypted_data or self.secret.secret_store_metadata:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(
unencrypted_raw=payload,
content_type_raw=content_type,
content_encoding=content_encoding,
secret_model=self.secret,
project_model=project_model,
transport_key_id=transport_key_id)
LOG.info(u._LI('Updated secret for project: %s'), external_project_id)
def add_to_project(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Saving CA %s to external_project_id %s",
self.ca.id, external_project_id)
project_model = res.get_or_create_project(external_project_id)
# CA must be a base CA or a subCA owned by this project
if (self.ca.project_id is not None and
self.ca.project_id != project_model.id):
raise excep.UnauthorizedSubCA()
project_cas = project_model.cas
num_cas = len(project_cas)
for project_ca in project_cas:
if project_ca.ca_id == self.ca.id:
# project already added
return
project_ca = models.ProjectCertificateAuthority(
project_model.id, self.ca.id)
self.project_ca_repo.create_from(project_ca)
if num_cas == 0:
# set first project CA to be the preferred one
preferred_ca = models.PreferredCertificateAuthority(
project_model.id, self.ca.id)
self.preferred_ca_repo.create_from(preferred_ca)
def on_put(self, external_project_id, **kwargs):
body = api.load_body(pecan.request,
validator=self.type_order_validator)
project = res.get_or_create_project(external_project_id)
order_type = body.get('type')
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt and ctxt.request_id:
request_id = ctxt.request_id
if self.order.type != order_type:
order_cannot_modify_order_type()
if models.OrderType.CERTIFICATE != self.order.type:
_order_update_not_supported_for_type(order_type)
if models.States.PENDING != self.order.status:
_order_cannot_be_updated_if_not_pending(self.order.status)
updated_meta = body.get('meta')
validators.validate_ca_id(project.id, updated_meta)
# TODO(chellygel): Put 'meta' into a separate order association
# entity.
self.queue.update_order(order_id=self.order.id,
project_id=external_project_id,
updated_meta=updated_meta,
request_id=request_id)
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type
or pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type))
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if self.secret.encrypted_data or self.secret.secret_store_metadata:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(unencrypted_raw=payload,
content_type_raw=content_type,
content_encoding=content_encoding,
secret_model=self.secret,
project_model=project_model,
transport_key_id=transport_key_id)
LOG.info('Updated secret for project: %s', external_project_id)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
# With ACL support, the user token project does not have to be same as
# project associated with secret. The lookup project_id needs to be
# derived from the secret's data considering authorization is already
# done.
external_project_id = secret.project.external_id
project = res.get_or_create_project(external_project_id)
# default to application/octet-stream if there is no Accept header
if (type(pecan.request.accept) is accept.NoHeaderType
or not pecan.request.accept.header_value):
accept_header = 'application/octet-stream'
else:
accept_header = pecan.request.accept.header_value
pecan.override_template('', accept_header)
# check if payload exists before proceeding
if not secret.encrypted_data and not secret.secret_store_metadata:
_secret_payload_not_found()
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(accept_header, secret, project, twsk,
transport_key)
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
# With ACL support, the user token project does not have to be same as
# project associated with secret. The lookup project_id needs to be
# derived from the secret's data considering authorization is already
# done.
external_project_id = secret.project.external_id
project = res.get_or_create_project(external_project_id)
# default to application/octet-stream if there is no Accept header
accept_header = getattr(pecan.request.accept, 'header_value',
'application/octet-stream')
pecan.override_template('', accept_header)
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(accept_header,
secret,
project,
twsk,
transport_key)
def create_cas(self, set_project_cas=True):
self.project = res.get_or_create_project(self.project_id)
self.global_project = res.get_or_create_global_preferred_project()
project_repo.save(self.project)
self.project_ca_ids = []
self.plugin_name = 'default_plugin'
self.plugin_ca_id = 'default_plugin_ca_id_'
self.ca_id = "id1"
self.num_cas = 10
self.offset = 2
self.limit = 4
self.params = {'offset': self.offset, 'limit': self.limit}
self._do_create_cas(set_project_cas)
# create subca for DELETE testing
parsed_ca = {
'plugin_name': self.plugin_name,
'plugin_ca_id': self.plugin_ca_id + "subca 1",
'name': self.plugin_name,
'description': 'Sub CA for default plugin',
'ca_signing_certificate': 'ZZZZZ' + "sub ca1",
'intermediates': 'YYYYY' + "sub ca1",
'project_id': self.project.id,
'creator_id': 'user12345'
}
ca = models.CertificateAuthority(parsed_ca)
ca_repo.create_from(ca)
ca_repo.save(ca)
self.subca = ca
self.num_cas += 1
def on_post(self, keystone_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', keystone_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(keystone_id,
self.repos.project_repo)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
new_secret, transport_key_model = plugin.store_secret(
data.get('payload'),
data.get('payload_content_type',
'application/octet-stream'),
data.get('payload_content_encoding'),
data, None, project,
self.repos,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
pecan.response.status = 201
pecan.response.headers['Location'] = '/secrets/{0}'.format(
new_secret.id
)
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def on_put(self, external_project_id, **kwargs):
body = api.load_body(pecan.request,
validator=self.type_order_validator)
project = res.get_or_create_project(external_project_id)
order_type = body.get('type')
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt and ctxt.request_id:
request_id = ctxt.request_id
if self.order.type != order_type:
order_cannot_modify_order_type()
if models.OrderType.CERTIFICATE != self.order.type:
_order_update_not_supported_for_type(order_type)
if models.States.PENDING != self.order.status:
_order_cannot_be_updated_if_not_pending(self.order.status)
updated_meta = body.get('meta')
validators.validate_ca_id(project.id, updated_meta)
# TODO(chellygel): Put 'meta' into a separate order association
# entity.
self.queue.update_order(order_id=self.order.id,
project_id=external_project_id,
updated_meta=updated_meta,
request_id=request_id)
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
new_secret, transport_key_model = plugin.store_secret(
data.get('payload'),
data.get('payload_content_type',
'application/octet-stream'),
data.get('payload_content_encoding'),
data, None, project,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a secret for project: %s'),
external_project_id)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def set_preferred(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Setting preferred CA %s for project %s", self.ca.id,
external_project_id)
project_model = res.get_or_create_project(external_project_id)
(project_ca, __offset, __limit,
__total) = (self.project_ca_repo.get_by_create_date(
project_id=project_model.id,
ca_id=self.ca.id,
suppress_exception=True))
if not project_ca:
_requested_preferred_ca_not_a_project_ca()
preferred_ca = self.preferred_ca_repo.get_project_entities(
project_model.id)
if preferred_ca is not None:
self.preferred_ca_repo.update_preferred_ca(project_model.id,
self.ca)
else:
preferred_ca = models.PreferredCertificateAuthority(
project_model.id, self.ca.id)
self.preferred_ca_repo.create_from(preferred_ca)
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipeline case, always use auth token user
creator_id = ctxt.user
self.quota_enforcer.enforce(project)
new_ca = cert_resources.create_subordinate_ca(
project_model=project,
name=data.get('name'),
description=data.get('description'),
subject_dn=data.get('subject_dn'),
parent_ca_ref=data.get('parent_ca_ref'),
creator_id=creator_id
)
url = hrefs.convert_certificate_authority_to_href(new_ca.id)
LOG.debug('URI to sub-CA is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a sub CA for project: %s'),
external_project_id)
return {'ca_ref': url}
def set_preferred(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Setting preferred CA %s for project %s",
self.ca.id, external_project_id)
project_model = res.get_or_create_project(external_project_id)
(project_ca, __offset, __limit, __total) = (
self.project_ca_repo.get_by_create_date(
project_id=project_model.id,
ca_id=self.ca.id,
suppress_exception=True))
if not project_ca:
_requested_preferred_ca_not_a_project_ca()
preferred_ca = self.preferred_ca_repo.get_project_entities(
project_model.id)
if preferred_ca is not None:
self.preferred_ca_repo.update_preferred_ca(project_model.id,
self.ca)
else:
preferred_ca = models.PreferredCertificateAuthority(
project_model.id, self.ca.id)
self.preferred_ca_repo.create_from(preferred_ca)
def on_get(self, external_project_id, **kw):
LOG.debug('Start certificate_authorities on_get (limited)')
plugin_name = kw.get('plugin_name')
if plugin_name is not None:
plugin_name = parse.unquote_plus(plugin_name)
plugin_ca_id = kw.get('plugin_ca_id', None)
if plugin_ca_id is not None:
plugin_ca_id = parse.unquote_plus(plugin_ca_id)
# refresh CA table, in case plugin entries have expired
cert_resources.refresh_certificate_resources()
project_model = res.get_or_create_project(external_project_id)
if self._project_cas_defined(project_model.id):
cas, offset, limit, total = self._get_subcas_and_project_cas(
offset=kw.get('offset', 0),
limit=kw.get('limit', None),
plugin_name=plugin_name,
plugin_ca_id=plugin_ca_id,
project_id=project_model.id)
else:
cas, offset, limit, total = self._get_subcas_and_root_cas(
offset=kw.get('offset', 0),
limit=kw.get('limit', None),
plugin_name=plugin_name,
plugin_ca_id=plugin_ca_id,
project_id=project_model.id)
return self._display_cas(cas, offset, limit, total)
def add_to_project(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Saving CA %s to external_project_id %s", self.ca.id,
external_project_id)
project_model = res.get_or_create_project(external_project_id)
# CA must be a base CA or a subCA owned by this project
if (self.ca.project_id is not None
and self.ca.project_id != project_model.id):
raise excep.UnauthorizedSubCA()
project_cas = project_model.cas
num_cas = len(project_cas)
for project_ca in project_cas:
if project_ca.ca_id == self.ca.id:
# project already added
return
project_ca = models.ProjectCertificateAuthority(
project_model.id, self.ca.id)
self.project_ca_repo.create_from(project_ca)
if num_cas == 0:
# set first project CA to be the preferred one
preferred_ca = models.PreferredCertificateAuthority(
project_model.id, self.ca.id)
self.preferred_ca_repo.create_from(preferred_ca)
def on_post(self, external_project_id, **kwargs):
LOG.debug(u._('Start on_post for project-ID %s:...'),
external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipeline case, always use auth token user
creator_id = ctxt.user
self.quota_enforcer.enforce(project)
new_ca = cert_resources.create_subordinate_ca(
project_model=project,
name=data.get('name'),
description=data.get('description'),
subject_dn=data.get('subject_dn'),
parent_ca_ref=data.get('parent_ca_ref'),
creator_id=creator_id)
url = hrefs.convert_certificate_authority_to_href(new_ca.id)
LOG.debug(u._('URI to sub-CA is %s'), url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a sub CA for project: %s'),
external_project_id)
return {'ca_ref': url}
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id,
self.repos.project_repo)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
new_secret, transport_key_model = plugin.store_secret(
data.get('payload'),
data.get('payload_content_type', 'application/octet-stream'),
data.get('payload_content_encoding'),
data,
None,
project,
self.repos,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
pecan.response.status = 201
pecan.response.headers['Location'] = '/secrets/{0}'.format(
new_secret.id)
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def on_delete(self, external_project_id, **kwargs):
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_delete...%s', data)
project = res.get_or_create_project(external_project_id)
consumer = self.consumer_repo.get_by_values(self.container_id,
data["name"],
data["URL"],
suppress_exception=True)
if not consumer:
_consumer_not_found()
LOG.debug("Found container consumer: %s", consumer)
owner_of_consumer = consumer.project_id == project.id
owner_of_container = self.container.project.external_id \
== external_project_id
if not owner_of_consumer and not owner_of_container:
_consumer_ownership_mismatch()
try:
self.consumer_repo.delete_entity_by_id(consumer.id,
external_project_id)
except exception.NotFound:
LOG.exception('Problem deleting container consumer')
_consumer_not_found()
ret_data = self._return_container_data()
LOG.info('Deleted a container consumer for project: %s',
external_project_id)
return ret_data
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
try:
container = self.container_repo.get(self.container_id,
external_project_id)
except exception.NotFound:
controllers.containers.container_not_found()
self.quota_enforcer.enforce(project)
new_consumer = models.ContainerConsumerMetadatum(self.container_id,
data)
new_consumer.project_id = project.id
self.consumer_repo.create_or_update_from(new_consumer, container)
url = hrefs.convert_consumer_to_href(new_consumer.container_id)
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a consumer for project: %s'),
external_project_id)
return self._return_container_data(self.container_id,
external_project_id)
def on_post(self, keystone_id, **kwargs):
project = res.get_or_create_project(keystone_id, self.project_repo)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
new_container = models.Container(data)
new_container.tenant_id = project.id
# TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(404, u._("Secret provided for '{0}' doesn't"
" exist.").format(secret_ref.name))
self.container_repo.create_from(new_container)
pecan.response.status = 201
pecan.response.headers['Location'] = '/containers/{0}'.format(
new_container.id
)
url = hrefs.convert_container_to_href(new_container.id)
return {'container_ref': url}
def _init_memory_db_setup(self):
# Force a refresh of the singleton plugin manager for each test.
manager._PLUGIN_MANAGER = None
manager.CONF.set_override('enabled_crypto_plugins', ['simple_crypto'],
group='crypto')
self.project_id1 = uuidutils.generate_uuid()
self.project_id2 = uuidutils.generate_uuid(dashed=False)
self.project1_data = c_resources.get_or_create_project(
self.project_id1)
self.assertIsNotNone(self.project1_data)
self.project2_data = c_resources.get_or_create_project(
self.project_id2)
self.assertIsNotNone(self.project2_data)
def _init_memory_db_setup(self):
# Force a refresh of the singleton plugin manager for each test.
manager._PLUGIN_MANAGER = None
manager.CONF.set_override('enabled_crypto_plugins',
['simple_crypto'],
group='crypto')
self.project_id1 = uuidutils.generate_uuid()
self.project_id2 = uuidutils.generate_uuid(dashed=False)
self.project1_data = c_resources.get_or_create_project(
self.project_id1)
self.assertIsNotNone(self.project1_data)
self.project2_data = c_resources.get_or_create_project(
self.project_id2)
self.assertIsNotNone(self.project2_data)
def on_post(self, external_project_id):
data = api.load_body(pecan.request)
project = res.get_or_create_project(external_project_id)
self.quota_enforcer.enforce(project)
response = None
response = plugin.do_attestation(data, external_project_id, True)
if response is None:
_quote_not_found()
return response
def on_get(self, external_project_id, **kw):
LOG.debug('Start SecretStoresController on_get: listing secret '
'stores')
if not utils.is_multiple_backends_enabled():
_multiple_backends_not_enabled()
res.get_or_create_project(external_project_id)
secret_stores = self.secret_stores_repo.get_all()
resp_list = []
for store in secret_stores:
item = convert_secret_store_to_response_format(store)
resp_list.append(item)
resp = {'secret_stores': resp_list}
return resp
def on_get(self, external_project_id, **kw):
LOG.debug('Start SecretStoresController on_get: listing secret '
'stores')
if not utils.is_multiple_backends_enabled():
_multiple_backends_not_enabled()
res.get_or_create_project(external_project_id)
secret_stores = self.secret_stores_repo.get_all()
resp_list = []
for store in secret_stores:
item = convert_secret_store_to_response_format(store)
resp_list.append(item)
resp = {'secret_stores': resp_list}
return resp
def set_project_quotas(self, external_project_id, parsed_project_quotas):
"""Create a new database entry, or update existing one
:param external_project_id: ID of project whose quotas are to be set
:param parsed_project_quotas: quota values to save in database
:return: None
"""
project = res.get_or_create_project(external_project_id)
self.repo.create_or_update_by_project_id(project.id, parsed_project_quotas)
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
body = api.load_body(pecan.request,
validator=self.type_order_validator)
order_type = body.get('type')
order_meta = body.get('meta')
request_type = order_meta.get('request_type')
LOG.debug('Processing order type %(order_type)s,'
' request type %(request_type)s' % {
'order_type': order_type,
'request_type': request_type
})
if order_type == models.OrderType.CERTIFICATE:
msg = _DEPRECATION_MSG % "Certificate Order Resource"
versionutils.report_deprecated_feature(LOG, msg)
validators.validate_ca_id(project.id, body.get('meta'))
if request_type == 'stored-key':
container_ref = order_meta.get('container_ref')
validators.validate_stored_key_rsa_container(
external_project_id, container_ref, pecan.request)
self.quota_enforcer.enforce(project)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
new_order.project_id = project.id
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt:
new_order.creator_id = ctxt.user
request_id = ctxt.request_id
self.order_repo.create_from(new_order)
# Grab our id before commit due to obj expiration from sqlalchemy
order_id = new_order.id
# Force commit to avoid async issues with the workers
repo.commit()
self.queue.process_type_order(order_id=order_id,
project_id=external_project_id,
request_id=request_id)
url = hrefs.convert_order_to_href(order_id)
pecan.response.status = 202
pecan.response.headers['Location'] = url
return {'order_ref': url}
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start: Set project preferred secret-store for store '
'id %s', self.secret_store.id)
project = res.get_or_create_project(external_project_id)
self.proj_store_repo.create_or_update_for_project(project.id,
self.secret_store.id)
pecan.response.status = 204
def setUp(self):
super(WhenCreatingSubordinateCAs, self).setUp()
self.project = res.get_or_create_project('12345')
self.project2 = res.get_or_create_project('56789')
self.subject_name = "cn=subca1 signing certificate, o=example.com"
self.creator_id = "user12345"
self.name = "Subordinate CA #1"
self.description = "This is a test subordinate CA"
self.plugin_name = "dogtag_plugin"
# create parent ca
expiration = (datetime.datetime.utcnow() +
datetime.timedelta(minutes=10))
parsed_ca = {
'plugin_name': self.plugin_name,
'plugin_ca_id': 'ca_master',
'expiration': expiration.isoformat(),
'name': 'Dogtag CA',
'description': 'Master CA for Dogtag plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY'
}
self.parent_ca = models.CertificateAuthority(parsed_ca)
ca_repo.create_from(self.parent_ca)
self.parent_ca_ref = 'https://localhost:6311/cas/' + self.parent_ca.id
self.new_ca_dict = {
'plugin_ca_id': 'ca_subordinate',
'expiration': expiration.isoformat(),
'name': 'Dogtag Subordinate CA',
'description': 'Subordinate CA for Dogtag plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY',
}
# mock plugin and calls to plugin
self.cert_plugin = mock.MagicMock()
self.cert_plugin.supports_create_ca.return_value = True
self.cert_plugin.create_ca.return_value = self.new_ca_dict
self._config_cert_plugin()
def on_post(self, external_project_id, **kwargs):
LOG.debug(
'Start: Set project preferred secret-store for store '
'id %s', self.secret_store.id)
project = res.get_or_create_project(external_project_id)
self.proj_store_repo.create_or_update_for_project(
project.id, self.secret_store.id)
pecan.response.status = 204
def on_post(self, external_project_id):
ctxt = controllers._get_barbican_context(pecan.request)
data = api.load_body(pecan.request)
project = res.get_or_create_project(external_project_id)
self.quota_enforcer.enforce(project)
response = None
response = plugin.do_attestation(data, external_project_id, False,
ctxt)
if response is None:
_quote_not_found()
return response
def delete_subordinate_ca(external_project_id, ca):
"""Deletes a subordinate CA and any related artifacts
:param external_project_id: external project ID
:param ca: class:`models.CertificateAuthority` to be deleted
:return: None
"""
# TODO(alee) See if the checks below can be moved to the RBAC code
# Check that this CA is a subCA
if ca.project_id is None:
raise excep.CannotDeleteBaseCA()
# Check that the user's project owns this subCA
project = res.get_or_create_project(external_project_id)
if ca.project_id != project.id:
raise excep.UnauthorizedSubCA()
project_ca_repo = repos.get_project_ca_repository()
(project_cas, _, _,
_) = project_ca_repo.get_by_create_date(project_id=project.id,
ca_id=ca.id,
suppress_exception=True)
preferred_ca_repo = repos.get_preferred_ca_repository()
(preferred_cas, _, _,
_) = preferred_ca_repo.get_by_create_date(project_id=project.id,
ca_id=ca.id,
suppress_exception=True)
# Can not delete a project preferred CA, if other project CAs exist. One
# of those needs to be designated as the preferred CA first.
if project_cas and preferred_cas and not is_last_project_ca(project.id):
raise excep.CannotDeletePreferredCA()
# Remove the CA as preferred
if preferred_cas:
preferred_ca_repo.delete_entity_by_id(preferred_cas[0].id,
external_project_id)
# Remove the CA from project list
if project_cas:
project_ca_repo.delete_entity_by_id(project_cas[0].id,
external_project_id)
# Delete the CA entry from plugin
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
ca.plugin_name)
cert_plugin.delete_ca(ca.plugin_ca_id)
# Finally, delete the CA entity from the CA repository
ca_repo = repos.get_ca_repository()
ca_repo.delete_entity_by_id(entity_id=ca.id,
external_project_id=external_project_id)
def preferred(self, external_project_id, **kw):
LOG.debug('Start certificate_authorities get project preferred CA')
project = res.get_or_create_project(external_project_id)
pref_ca_id = cert_resources.get_project_preferred_ca_id(project.id)
if not pref_ca_id:
pecan.abort(404, u._("No preferred CA defined for this project"))
return {
'ca_ref': hrefs.convert_certificate_authority_to_href(pref_ca_id)
}
def setUp(self):
super(WhenCreatingSubordinateCAs, self).setUp()
self.project = res.get_or_create_project('12345')
self.project2 = res.get_or_create_project('56789')
self.subject_name = "cn=subca1 signing certificate, o=example.com"
self.creator_id = "user12345"
self.name = "Subordinate CA #1"
self.description = "This is a test subordinate CA"
self.plugin_name = "dogtag_plugin"
# create parent ca
expiration = (datetime.datetime.utcnow() +
datetime.timedelta(minutes=10))
parsed_ca = {'plugin_name': self.plugin_name,
'plugin_ca_id': 'ca_master',
'expiration': expiration.isoformat(),
'name': 'Dogtag CA',
'description': 'Master CA for Dogtag plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY'}
self.parent_ca = models.CertificateAuthority(parsed_ca)
ca_repo.create_from(self.parent_ca)
self.parent_ca_ref = 'https://localhost:6311/cas/' + self.parent_ca.id
self.new_ca_dict = {
'plugin_ca_id': 'ca_subordinate',
'expiration': expiration.isoformat(),
'name': 'Dogtag Subordinate CA',
'description': 'Subordinate CA for Dogtag plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY',
}
# mock plugin and calls to plugin
self.cert_plugin = mock.MagicMock()
self.cert_plugin.supports_create_ca.return_value = True
self.cert_plugin.create_ca.return_value = self.new_ca_dict
self._config_cert_plugin()
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
body = api.load_body(pecan.request,
validator=self.type_order_validator)
order_type = body.get('type')
order_meta = body.get('meta')
request_type = order_meta.get('request_type')
LOG.debug('Processing order type %s, request type %s',
order_type, request_type)
if order_type == models.OrderType.CERTIFICATE:
validators.validate_ca_id(project.id, body.get('meta'))
if request_type == 'stored-key':
container_ref = order_meta.get('container_ref')
validators.validate_stored_key_rsa_container(
external_project_id,
container_ref, pecan.request)
self.quota_enforcer.enforce(project)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
new_order.project_id = project.id
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt:
new_order.creator_id = ctxt.user
request_id = ctxt.request_id
self.order_repo.create_from(new_order)
# Grab our id before commit due to obj expiration from sqlalchemy
order_id = new_order.id
# Force commit to avoid async issues with the workers
repo.commit()
self.queue.process_type_order(order_id=order_id,
project_id=external_project_id,
request_id=request_id)
url = hrefs.convert_order_to_href(order_id)
pecan.response.status = 202
pecan.response.headers['Location'] = url
return {'order_ref': url}
def setUp(self):
super(WhenCreatingCertificateOrders, self).setUp()
self.certificate_meta = {
'request': 'XXXXXX'
}
# Make sure we have a project
self.project = resources.get_or_create_project(self.project_id)
# Create CA's in the db
self.available_ca_ids = []
for i in range(2):
ca_information = {
'plugin_name': 'plugin_name',
'plugin_ca_id': 'plugin_name ca_id1',
'name': 'plugin name',
'description': 'Master CA for default plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY'
}
ca_model = models.CertificateAuthority(ca_information)
ca = ca_repo.create_from(ca_model)
self.available_ca_ids.append(ca.id)
foreign_project = resources.get_or_create_project('foreign_project')
foreign_ca_information = {
'project_id': foreign_project.id,
'plugin_name': 'plugin_name',
'plugin_ca_id': 'plugin_name ca_id1',
'name': 'plugin name',
'description': 'Master CA for default plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY'
}
foreign_ca_model = models.CertificateAuthority(foreign_ca_information)
foreign_ca = ca_repo.create_from(foreign_ca_model)
self.foreign_ca_id = foreign_ca.id
repositories.commit()
def preferred(self, external_project_id, **kw):
LOG.debug('Start certificate_authorities get project preferred CA')
project = res.get_or_create_project(external_project_id)
pref_ca_id = cert_resources.get_project_preferred_ca_id(project.id)
if not pref_ca_id:
pecan.abort(404, u._("No preferred CA defined for this project"))
return {
'ca_ref':
hrefs.convert_certificate_authority_to_href(pref_ca_id)
}
def set_project_quotas(self, external_project_id, parsed_project_quotas):
"""Create a new database entry, or update existing one
:param external_project_id: ID of project whose quotas are to be set
:param parsed_project_quotas: quota values to save in database
:return: None
"""
project = res.get_or_create_project(external_project_id)
self.repo.create_or_update_by_project_id(project.id,
parsed_project_quotas)
# commit to DB to avoid async issues if the enforcer is called from
# another thread
repo.commit()
def set_project_quotas(self, external_project_id, parsed_project_quotas):
"""Create a new database entry, or update existing one
:param external_project_id: ID of project whose quotas are to be set
:param parsed_project_quotas: quota values to save in database
:return: None
"""
project = res.get_or_create_project(external_project_id)
self.repo.create_or_update_by_project_id(project.id,
parsed_project_quotas)
# commit to DB to avoid async issues if the enforcer is called from
# another thread
repo.commit()
def delete_subordinate_ca(external_project_id, ca):
"""Deletes a subordinate CA and any related artifacts
:param external_project_id: external project ID
:param ca: class:`models.CertificateAuthority` to be deleted
:return: None
"""
# TODO(alee) See if the checks below can be moved to the RBAC code
# Check that this CA is a subCA
if ca.project_id is None:
raise excep.CannotDeleteBaseCA()
# Check that the user's project owns this subCA
project = res.get_or_create_project(external_project_id)
if ca.project_id != project.id:
raise excep.UnauthorizedSubCA()
project_ca_repo = repos.get_project_ca_repository()
(project_cas, _, _, _) = project_ca_repo.get_by_create_date(
project_id=project.id, ca_id=ca.id,
suppress_exception=True)
preferred_ca_repo = repos.get_preferred_ca_repository()
(preferred_cas, _, _, _) = preferred_ca_repo.get_by_create_date(
project_id=project.id, ca_id=ca.id, suppress_exception=True)
# Can not delete a project preferred CA, if other project CAs exist. One
# of those needs to be designated as the preferred CA first.
if project_cas and preferred_cas and not is_last_project_ca(project.id):
raise excep.CannotDeletePreferredCA()
# Remove the CA as preferred
if preferred_cas:
preferred_ca_repo.delete_entity_by_id(preferred_cas[0].id,
external_project_id)
# Remove the CA from project list
if project_cas:
project_ca_repo.delete_entity_by_id(project_cas[0].id,
external_project_id)
# Delete the CA entry from plugin
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
ca.plugin_name)
cert_plugin.delete_ca(ca.plugin_ca_id)
# Finally, delete the CA entity from the CA repository
ca_repo = repos.get_ca_repository()
ca_repo.delete_entity_by_id(
entity_id=ca.id,
external_project_id=external_project_id)
def setUp(self):
super(WhenCreatingCertificateOrders, self).setUp()
self.certificate_meta = {'request': 'XXXXXX'}
# Make sure we have a project
self.project = resources.get_or_create_project(self.project_id)
# Create CA's in the db
self.available_ca_ids = []
for i in range(2):
ca_information = {
'plugin_name': 'plugin_name',
'plugin_ca_id': 'plugin_name ca_id1',
'name': 'plugin name',
'description': 'Master CA for default plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY'
}
ca_model = models.CertificateAuthority(ca_information)
ca = ca_repo.create_from(ca_model)
self.available_ca_ids.append(ca.id)
foreign_project = resources.get_or_create_project('foreign_project')
foreign_ca_information = {
'project_id': foreign_project.id,
'plugin_name': 'plugin_name',
'plugin_ca_id': 'plugin_name ca_id1',
'name': 'plugin name',
'description': 'Master CA for default plugin',
'ca_signing_certificate': 'XXXXX',
'intermediates': 'YYYYY'
}
foreign_ca_model = models.CertificateAuthority(foreign_ca_information)
foreign_ca = ca_repo.create_from(foreign_ca_model)
self.foreign_ca_id = foreign_ca.id
repositories.commit()
def on_delete(self, external_project_id, **kw):
LOG.debug('Start: Remove project preferred secret-store for store'
' id %s', self.secret_store.id)
project = res.get_or_create_project(external_project_id)
project_store = self.proj_store_repo.get_secret_store_for_project(
project.id, None, suppress_exception=True)
if project_store is None:
_preferred_secret_store_not_found()
self.proj_store_repo.delete_entity_by_id(
entity_id=project_store.id,
external_project_id=external_project_id)
pecan.response.status = 204
def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
"""GET actual payload containing the secret."""
project = res.get_or_create_project(external_project_id,
self.repos.project_repo)
pecan.override_template('', pecan.request.accept.header_value)
twsk = kwargs.get('trans_wrapped_session_key', None)
transport_key = None
if twsk:
transport_key = self._get_transport_key(
kwargs.get('transport_key_id', None))
return plugin.get_secret(pecan.request.accept.header_value, secret,
project, self.repos, twsk, transport_key)
def remove_from_project(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Removing CA %s from project_external_id %s", self.ca.id,
external_project_id)
project_model = res.get_or_create_project(external_project_id)
(project_ca, __offset, __limit,
__total) = (self.project_ca_repo.get_by_create_date(
project_id=project_model.id,
ca_id=self.ca.id,
suppress_exception=True))
if project_ca:
self.project_ca_repo.delete_entity_by_id(project_ca[0].id, None)
def on_delete(self, external_project_id, **kw):
LOG.debug(
'Start: Remove project preferred secret-store for store'
' id %s', self.secret_store.id)
project = res.get_or_create_project(external_project_id)
project_store = self.proj_store_repo.get_secret_store_for_project(
project.id, None, suppress_exception=True)
if project_store is None:
_preferred_secret_store_not_found()
self.proj_store_repo.delete_entity_by_id(
entity_id=project_store.id,
external_project_id=external_project_id)
pecan.response.status = 204
def get_preferred(self, external_project_id, **kw):
LOG.debug('Start secret-stores get preferred secret store')
if not utils.is_multiple_backends_enabled():
_multiple_backends_not_enabled()
project = res.get_or_create_project(external_project_id)
project_store = self.proj_store_repo.get_secret_store_for_project(
project.id, None, suppress_exception=True)
if project_store is None:
_preferred_secret_store_not_found()
return convert_secret_store_to_response_format(
project_store.secret_store)
def get_preferred(self, external_project_id, **kw):
LOG.debug('Start secret-stores get preferred secret store')
if not utils.is_multiple_backends_enabled():
_multiple_backends_not_enabled()
project = res.get_or_create_project(external_project_id)
project_store = self.proj_store_repo.get_secret_store_for_project(
project.id, None, suppress_exception=True)
if project_store is None:
_preferred_secret_store_not_found()
return convert_secret_store_to_response_format(
project_store.secret_store)
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
body = api.load_body(pecan.request,
validator=self.type_order_validator)
order_type = body.get('type')
order_meta = body.get('meta')
request_type = order_meta.get('request_type')
LOG.debug('Processing order type %(order_type)s,'
' request type %(request_type)s' % {
'order_type': order_type,
'request_type': request_type
})
self.quota_enforcer.enforce(project)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
new_order.project_id = project.id
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt:
new_order.creator_id = ctxt.user
request_id = ctxt.request_id
self.order_repo.create_from(new_order)
# Grab our id before commit due to obj expiration from sqlalchemy
order_id = new_order.id
# Force commit to avoid async issues with the workers
repo.commit()
self.queue.process_type_order(order_id=order_id,
project_id=external_project_id,
request_id=request_id)
url = hrefs.convert_order_to_href(order_id)
pecan.response.status = 202
pecan.response.headers['Location'] = url
return {'order_ref': url}
def remove_from_project(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Removing CA %s from project_external_id %s",
self.ca.id, external_project_id)
project_model = res.get_or_create_project(external_project_id)
(project_ca, __offset, __limit, __total) = (
self.project_ca_repo.get_by_create_date(
project_id=project_model.id,
ca_id=self.ca.id,
suppress_exception=True))
if project_ca:
self.project_ca_repo.delete_entity_by_id(
project_ca[0].id,
None)
def set_preferred(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Setting preferred CA %s for project %s",
self.ca.id, external_project_id)
project_model = res.get_or_create_project(external_project_id)
(project_ca, __offset, __limit, __total) = (
self.project_ca_repo.get_by_create_date(
project_id=project_model.id,
ca_id=self.ca.id,
suppress_exception=True))
if not project_ca:
_requested_preferred_ca_not_a_project_ca()
self.preferred_ca_repo.create_or_update_by_project_id(
project_model.id, self.ca.id)
def index(self, keystone_id, **kwargs):
secret = self.repos.secret_repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if controllers.is_json_request_accept(pecan.request):
# Metadata-only response, no secret retrieval is necessary.
pecan.override_template('json', 'application/json')
secret_fields = putil.mime_types.augment_fields_with_content_types(
secret)
transport_key_needed = kwargs.get('transport_key_needed',
'false').lower() == 'true'
if transport_key_needed:
transport_key_id = plugin.get_transport_key_id_for_retrieval(
secret)
if transport_key_id is not None:
secret_fields['transport_key_id'] = transport_key_id
return hrefs.convert_to_hrefs(secret_fields)
else:
project = res.get_or_create_project(keystone_id,
self.repos.project_repo)
pecan.override_template('', pecan.request.accept.header_value)
transport_key = None
twsk = kwargs.get('trans_wrapped_session_key', None)
if twsk is not None:
transport_key_id = kwargs.get('transport_key_id', None)
if transport_key_id is None:
_request_has_twsk_but_no_transport_key_id()
transport_key_model = self.repos.transport_key_repo.get(
entity_id=transport_key_id,
suppress_exception=True)
transport_key = transport_key_model.transport_key
return plugin.get_secret(pecan.request.accept.header_value,
secret,
project,
self.repos,
twsk,
transport_key)
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
self.quota_enforcer.enforce(project)
LOG.debug('Start on_post...%s', data)
new_container = models.Container(data)
new_container.project_id = project.id
# TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(
entity_id=secret_ref.secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(
404,
u._("Secret provided for '{secret_name}' doesn't "
"exist.").format(secret_name=secret_ref.name)
)
self.container_repo.create_from(new_container)
url = hrefs.convert_container_to_href(new_container.id)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a container for project: %s'),
external_project_id)
return {'container_ref': url}
def on_post(self, keystone_id, **kwargs):
project = res.get_or_create_project(keystone_id, self.project_repo)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
try:
container = self.container_repo.get(self.container_id, keystone_id)
except exception.NotFound:
controllers.containers.container_not_found()
new_consumer = models.ContainerConsumerMetadatum(self.container_id,
data)
new_consumer.tenant_id = project.id
self.consumer_repo.create_from(new_consumer, container)
pecan.response.headers['Location'] = (
'/containers/{0}/consumers'.format(new_consumer.container_id)
)
return self._return_container_data(self.container_id, keystone_id)