def get_plugin_store(self, key_spec, plugin_name=None, transport_key_needed=False):
    """Select a secret-store plugin for the key described by ``key_spec``.

    When ``plugin_name`` is supplied the lookup is strict: only the loaded
    plugin whose fully qualified name equals it is returned. Otherwise the
    first loaded plugin that reports support for ``key_spec`` is returned,
    and if ``transport_key_needed`` is set it must also expose a transport
    key.

    :param key_spec: KeySpec of the key that will be stored
    :param plugin_name: fully qualified plugin name to select explicitly
    :param transport_key_needed: True if the plugin must offer a transport key
    :returns: SecretStoreBase plugin implementation
    :raises SecretStorePluginNotFound: an explicit name matched no plugin
    :raises SecretStoreSupportedPluginNotFound: no plugin supports key_spec
    """
    # Explicit selection: the name normally comes from metadata recorded
    # when the secret was stored, so match on the exact qualified name.
    if plugin_name is not None:
        for extension in self.extensions:
            candidate = extension.obj
            if utils.generate_fullname_for(candidate) == plugin_name:
                return candidate
        raise SecretStorePluginNotFound(plugin_name)

    def is_acceptable(candidate):
        # Transport-key check first, matching the original short-circuit
        # order so store_secret_supports() is only consulted when needed.
        if transport_key_needed and candidate.get_transport_key() is None:
            return False
        return candidate.store_secret_supports(key_spec)

    for extension in self.extensions:
        candidate = extension.obj
        if is_acceptable(candidate):
            return candidate
    raise SecretStoreSupportedPluginNotFound()
def test_get_store_supported_plugin_with_plugin_name(self):
    """An explicit plugin_name must resolve to exactly that plugin object."""
    aes_store = TestSecretStore([str.KeyAlgorithm.AES])
    self.manager.extensions = [mock.MagicMock(obj=aes_store)]
    wanted_name = common_utils.generate_fullname_for(aes_store)
    found = self.manager.get_plugin_store(None, plugin_name=wanted_name)
    self.assertEqual(aes_store, found)
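def update_ca_info(self, cert_plugin):
    """Synchronize the CertificateAuthority table with one plugin's CA list.

    Entries the plugin no longer reports are deleted, entries it still
    reports are updated in place, and newly reported CA ids are added.

    :param cert_plugin: certificate plugin whose CAs are being refreshed
    """
    plugin_name = utils.generate_fullname_for(cert_plugin)
    new_ca_infos = cert_plugin.get_ca_info()
    old_cas, offset, limit, total = self.ca_repo.get_by_create_date(
        plugin_name=plugin_name, suppress_exception=True, show_expired=True)

    # With suppress_exception=True the repository may hand back no rows as
    # a falsy value rather than raising; iterating over None would crash
    # the refresh, so normalise to an empty list first.
    old_cas = old_cas or []

    for old_ca in old_cas:
        plugin_ca_id = old_ca.plugin_ca_id
        if plugin_ca_id not in new_ca_infos:
            # The plugin stopped advertising this CA: remove it.
            self._delete_ca(old_ca)
        else:
            # Still advertised: refresh its stored attributes.
            self.ca_repo.update_entity(old_ca, new_ca_infos[plugin_ca_id])

    # Anything reported now but not previously stored is a new CA.
    old_ids = {ca.plugin_ca_id for ca in old_cas}
    for add_id in set(new_ca_infos) - old_ids:
        self._add_ca(plugin_name, add_id, new_ca_infos[add_id])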
def issue_certificate_request(order_model, project_model, result_follow_on):
    """Submit the initial certificate order to the selected CA plugin.

    This may run more than once for the same order when retries occur;
    the Barbican metadata stored with the order (selected plugin name,
    generated CSR) lets a retry pick up where the previous attempt left
    off instead of re-selecting a plugin or regenerating the CSR.

    :param order_model: order associated with this cert request
    :param project_model: project associated with this request
    :param result_follow_on: a :class:`FollowOnProcessingStatusDTO` that
        this function may update with follow-on processing instructions
    :returns: container_model holding the certificate if the request
        completed, otherwise None
    """
    plugin_meta = _get_plugin_meta(order_model)
    barbican_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) barbican_meta (kept with the order, hidden from
    # plugins) and barbican_meta_dto (shared with plugins) need clearer,
    # distinct names - e.g. rename the DTO to 'extended_meta_dto'.
    barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO()

    # Refresh the CA table; a no-op unless a plugin's entries have expired.
    cert.CertificatePluginManager().refresh_ca_table()

    cert_plugin = _get_cert_plugin(barbican_meta,
                                   barbican_meta_for_plugins_dto,
                                   order_model, project_model)
    # Record the chosen plugin by qualified name so a retry reuses it.
    barbican_meta['plugin_name'] = utils.generate_fullname_for(cert_plugin)

    # Stored-key requests need a CSR; reuse one from a previous attempt.
    request_type = order_model.meta.get(cert.REQUEST_TYPE)
    if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
        csr = barbican_meta.get('generated_csr')
        if csr is None:
            # TODO(alee) make this a non-project-specific call once the
            # ACL patches land.
            csr = _generate_csr_from_private_key(order_model, project_model)
            barbican_meta['generated_csr'] = csr
        barbican_meta_for_plugins_dto.generated_csr = csr

    result = cert_plugin.issue_certificate_request(
        order_model.id, order_model.meta, plugin_meta,
        barbican_meta_for_plugins_dto)

    # Persist both metadata sets so a retry sees the state of this attempt.
    _save_plugin_metadata(order_model, plugin_meta)
    _save_barbican_metadata(order_model, barbican_meta)

    return _handle_task_result(
        result, result_follow_on, order_model, project_model, request_type,
        unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE)
def get_plugin_store(self, key_spec, plugin_name=None, transport_key_needed=False, project_id=None):
    """Select a secret-store plugin for ``key_spec`` from the applicable set.

    The candidate set is narrowed first by the multiple-backends rules for
    ``project_id`` (and ``plugin_name`` when given). An explicit
    ``plugin_name`` must then match a candidate's fully qualified name
    exactly; otherwise the first candidate supporting ``key_spec`` - and
    exposing a transport key when ``transport_key_needed`` - is returned.

    :param key_spec: KeySpec of the key that will be stored
    :param plugin_name: fully qualified plugin name to select explicitly
    :param transport_key_needed: True if the plugin must offer a transport key
    :param project_id: project whose backend configuration applies
    :returns: SecretStoreBase plugin implementation
    :raises SecretStorePluginNotFound: an explicit name matched no candidate
    :raises SecretStoreSupportedPluginNotFound: no candidate supports key_spec
    """
    candidates = multiple_backends.get_applicable_store_plugins(
        self, project_id=project_id, existing_plugin_name=plugin_name)

    if plugin_name is not None:
        for candidate in candidates:
            if utils.generate_fullname_for(candidate) == plugin_name:
                return candidate
        raise SecretStorePluginNotFound(plugin_name)

    def is_acceptable(candidate):
        # Same evaluation order as the original: the transport-key test
        # short-circuits before store_secret_supports() is consulted.
        if transport_key_needed and candidate.get_transport_key() is None:
            return False
        return candidate.store_secret_supports(key_spec)

    for candidate in candidates:
        if is_acceptable(candidate):
            return candidate
    raise SecretStoreSupportedPluginNotFound()
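def update_ca_info(self, cert_plugin):
    """Synchronize the CertificateAuthority table with one plugin's CA list.

    Entries the plugin no longer reports are deleted, entries it still
    reports are updated in place, and newly reported CA ids are added.

    :param cert_plugin: certificate plugin whose CAs are being refreshed
    """
    plugin_name = utils.generate_fullname_for(cert_plugin)
    new_ca_infos = cert_plugin.get_ca_info()
    old_cas, offset, limit, total = self.ca_repo.get_by_create_date(
        plugin_name=plugin_name, suppress_exception=True, show_expired=True)

    # With suppress_exception=True the repository may hand back no rows as
    # a falsy value rather than raising; iterating over None would crash
    # the refresh, so normalise to an empty list first.
    old_cas = old_cas or []

    for old_ca in old_cas:
        plugin_ca_id = old_ca.plugin_ca_id
        if plugin_ca_id not in new_ca_infos:
            # The plugin stopped advertising this CA: remove it.
            self._delete_ca(old_ca)
        else:
            # Still advertised: refresh its stored attributes.
            self.ca_repo.update_entity(old_ca, new_ca_infos[plugin_ca_id])

    # Anything reported now but not previously stored is a new CA.
    old_ids = {ca.plugin_ca_id for ca in old_cas}
    for add_id in set(new_ca_infos) - old_ids:
        self._add_ca(plugin_name, add_id, new_ca_infos[add_id])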
def issue_certificate_request(order_model, project_model, result_follow_on):
    """Submit the initial certificate order to the selected CA plugin.

    This may run more than once for the same order when retries occur;
    the Barbican metadata stored with the order (selected plugin name,
    generated CSR) lets a retry pick up where the previous attempt left
    off instead of re-selecting a plugin or regenerating the CSR.

    :param order_model: order associated with this cert request
    :param project_model: project associated with this request
    :param result_follow_on: a :class:`FollowOnProcessingStatusDTO` that
        this function may update with follow-on processing instructions
    :returns: container_model holding the certificate if the request
        completed, otherwise None
    """
    plugin_meta = _get_plugin_meta(order_model)
    barbican_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) barbican_meta (kept with the order, hidden from
    # plugins) and barbican_meta_dto (shared with plugins) need clearer,
    # distinct names - e.g. rename the DTO to 'extended_meta_dto'.
    barbican_meta_for_plugins_dto = cert.BarbicanMetaDTO()

    # Refresh the CA table; a no-op unless a plugin's entries have expired.
    cert.CertificatePluginManager().refresh_ca_table()

    cert_plugin = _get_cert_plugin(
        barbican_meta, barbican_meta_for_plugins_dto, order_model, project_model
    )
    # Record the chosen plugin by qualified name so a retry reuses it.
    barbican_meta["plugin_name"] = utils.generate_fullname_for(cert_plugin)

    # Stored-key requests need a CSR; reuse one from a previous attempt.
    request_type = order_model.meta.get(cert.REQUEST_TYPE)
    if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
        csr = barbican_meta.get("generated_csr")
        if csr is None:
            # TODO(alee) make this a non-project-specific call once the
            # ACL patches land.
            csr = _generate_csr_from_private_key(order_model, project_model)
            barbican_meta["generated_csr"] = csr
        barbican_meta_for_plugins_dto.generated_csr = csr

    result = cert_plugin.issue_certificate_request(
        order_model.id, order_model.meta, plugin_meta, barbican_meta_for_plugins_dto
    )

    # Persist both metadata sets so a retry sees the state of this attempt.
    _save_plugin_metadata(order_model, plugin_meta)
    _save_barbican_metadata(order_model, barbican_meta)

    return _handle_task_result(
        result,
        result_follow_on,
        order_model,
        project_model,
        request_type,
        unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE,
    )
def test_get_store_supported_plugin_with_plugin_name(self):
    """An explicit plugin_name must resolve to exactly that plugin object."""
    aes_store = TestSecretStore([str.KeyAlgorithm.AES])
    self.manager.extensions = [mock.MagicMock(obj=aes_store)]
    wanted_name = common_utils.generate_fullname_for(aes_store)
    found = self.manager.get_plugin_store(None, plugin_name=wanted_name)
    self.assertEqual(aes_store, found)
def __init__(self, db_connection, library_path, login, slot_id):
    """Open the database and HSM sessions used by the migration tool.

    :param db_connection: SQLAlchemy connection URL (may embed database
        credentials - do not log it)
    :param library_path: PKCS#11 library path; not read by this initializer,
        the plugin takes its settings from CONF
    :param login: HSM login; not read by this initializer (see above)
    :param slot_id: HSM slot; not read by this initializer (see above)
    """
    self.dry_run = False

    # Sessions are created with autocommit=True, so each statement issued
    # through _session_creator is committed on its own.
    self.db_engine = sqlalchemy.create_engine(db_connection)
    session_factory = orm.sessionmaker(bind=self.db_engine, autocommit=True)
    self._session_creator = scoping.scoped_session(session_factory)

    # The crypto plugin owns the PKCS#11 handle; record its qualified name
    # since that is how stored KEK rows reference it.
    self.crypto_plugin = p11_crypto.P11CryptoPlugin(CONF)
    self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
    self.pkcs11 = self.crypto_plugin.pkcs11
    self.session = self.pkcs11.get_session()
def get_plugin_by_name(self, plugin_name):
    """Return the loaded certificate event plugin with the given name.

    :param plugin_name: fully qualified plugin name to look up
    :returns: CertificateEventPluginBase plugin implementation
    :raises CertificateEventPluginNotFound: no loaded plugin has that name
    """
    matches = (
        extension.obj for extension in self.extensions
        if utils.generate_fullname_for(extension.obj) == plugin_name
    )
    found = next(matches, None)
    if found is None:
        raise CertificateEventPluginNotFound(plugin_name)
    return found
def get_plugin_by_name(self, plugin_name):
    """Return the active certificate event plugin with the given name.

    :param plugin_name: fully qualified plugin name to look up
    :returns: CertificateEventPluginBase plugin implementation
    :raises CertificateEventPluginNotFound: no active plugin has that name
    """
    matches = (
        candidate for candidate in plugin_utils.get_active_plugins(self)
        if utils.generate_fullname_for(candidate) == plugin_name
    )
    found = next(matches, None)
    if found is None:
        raise CertificateEventPluginNotFound(plugin_name)
    return found
def __init__(self, db_connection, library_path, login, slot_id):
    """Open the database and HSM sessions used by the migration tool.

    :param db_connection: database connection URL (may embed credentials -
        do not log it)
    :param library_path: PKCS#11 library path; not read by this initializer,
        the plugin takes its settings from CONF
    :param login: HSM login; not read by this initializer (see above)
    :param slot_id: HSM slot; not read by this initializer (see above)
    """
    self.dry_run = False

    # Sessions are created with autocommit=True, so each statement issued
    # through _session_creator is committed on its own.
    self.db_engine = session.create_engine(db_connection)
    session_factory = orm.sessionmaker(bind=self.db_engine, autocommit=True)
    self._session_creator = scoping.scoped_session(session_factory)

    # The crypto plugin owns the PKCS#11 handle; record its qualified name
    # since that is how stored KEK rows reference it.
    self.crypto_plugin = p11_crypto.P11CryptoPlugin(CONF)
    self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
    self.pkcs11 = self.crypto_plugin.pkcs11
    self.session = self.pkcs11.get_session()
def get_plugin_by_name(self, plugin_name):
    """Return the loaded certificate event plugin with the given name.

    :param plugin_name: fully qualified plugin name to look up
    :returns: CertificateEventPluginBase plugin implementation
    :raises CertificateEventPluginNotFound: no loaded plugin has that name
    """
    matches = (
        extension.obj for extension in self.extensions
        if utils.generate_fullname_for(extension.obj) == plugin_name
    )
    found = next(matches, None)
    if found is None:
        raise CertificateEventPluginNotFound(plugin_name)
    return found
def _verify_kek_repository_interactions(self, plugin_inst):
    """Assert the KEK repository was asked once for the project/plugin pair."""
    find_or_create = self.kek_repo.find_or_create_kek_datum
    self.assertEqual(1, find_or_create.call_count)

    positional, _keyword = find_or_create.call_args
    project_arg, full_name_arg = positional[0], positional[1]

    self.assertEqual(self.project_model, project_arg)
    expected_name = utils.generate_fullname_for(plugin_inst)
    self.assertEqual(expected_name, full_name_arg)
def get_plugin_by_name(self, plugin_name):
    """Return the loaded certificate plugin with the given name.

    :param plugin_name: fully qualified name of the plugin to invoke
    :returns: CertificatePluginBase plugin implementation
    :raises CertificatePluginNotFound: no loaded plugin has that name
    """
    matches = (
        extension.obj for extension in self.extensions
        if utils.generate_fullname_for(extension.obj) == plugin_name
    )
    found = next(matches, None)
    if found is None:
        raise CertificatePluginNotFound(plugin_name)
    return found
def get_plugin_retrieve_delete(self, plugin_name):
    """Return the loaded secret-store plugin named in stored secret metadata.

    :param plugin_name: fully qualified plugin name recorded with the secret
    :returns: SecretStoreBase plugin implementation
    :raises SecretStorePluginNotFound: no loaded plugin has that name
    """
    matches = (
        extension.obj for extension in self.extensions
        if utils.generate_fullname_for(extension.obj) == plugin_name
    )
    found = next(matches, None)
    if found is None:
        raise SecretStorePluginNotFound(plugin_name)
    return found
def setUp(self):
    """Install a single mock ENCRYPT_DECRYPT plugin into the crypto manager."""
    super(WhenTestingManager, self).setUp()

    fake_plugin = mock.MagicMock()
    fake_plugin.supports.return_value = True

    self.plugin_returned = fake_plugin
    self.plugin_type = crypto.PluginSupportTypes.ENCRYPT_DECRYPT
    self.plugin_name = common_utils.generate_fullname_for(fake_plugin)
    self.plugin_loaded = mock.MagicMock(obj=fake_plugin)

    self.manager = cm.get_manager()
    self.manager.extensions = [self.plugin_loaded]
def _verify_kek_repository_interactions(self, plugin_inst):
    """Assert the KEK repository was asked once for the tenant/plugin pair."""
    find_or_create = self.kek_repo.find_or_create_kek_datum
    self.assertEqual(find_or_create.call_count, 1)

    positional, _keyword = find_or_create.call_args
    tenant_arg, full_name_arg = positional[0], positional[1]

    self.assertEqual(self.tenant_model, tenant_arg)
    expected_name = utils.generate_fullname_for(plugin_inst)
    self.assertEqual(expected_name, full_name_arg)
def refresh_ca_table(self):
    """Re-query CA info for every active plugin with no live table entries.

    A plugin is refreshed only when the repository reports zero current
    rows for it - either it has never been queried or its rows have
    expired - so this is normally a no-op.
    """
    for active in plugin_utils.get_active_plugins(self):
        name = utils.generate_fullname_for(active)
        _cas, _offset, _limit, total = self.ca_repo.get_by_create_date(
            plugin_name=name, suppress_exception=True)
        if total >= 1:
            continue
        # No live entries: ask the plugin for its current CA set.
        self.update_ca_info(active)
def setUp(self):
    """Install a single mock ENCRYPT_DECRYPT plugin into the crypto manager."""
    super(WhenTestingManager, self).setUp()

    fake_plugin = mock.MagicMock()
    fake_plugin.supports.return_value = True

    self.plugin_returned = fake_plugin
    self.plugin_type = crypto.PluginSupportTypes.ENCRYPT_DECRYPT
    self.plugin_name = common_utils.generate_fullname_for(fake_plugin)
    self.plugin_loaded = mock.MagicMock(obj=fake_plugin)

    self.manager = cm.get_manager()
    self.manager.extensions = [self.plugin_loaded]
def _save_secret_metadata_in_repo(secret_model, secret_metadata, store_plugin, content_type):
    """Persist a secret's metadata, tagging it with the storing plugin.

    The plugin's fully qualified name is recorded so later retrieve/delete
    calls can route back to the same backend.

    :param secret_model: secret the metadata belongs to
    :param secret_metadata: plugin-supplied metadata dict (may be empty or
        None); when supplied it is updated in place
    :param store_plugin: plugin that stored the secret
    :param content_type: content type recorded alongside the metadata
    """
    metadata = secret_metadata if secret_metadata else {}
    metadata['plugin_name'] = utils.generate_fullname_for(store_plugin)
    metadata['content_type'] = content_type
    repos.get_secret_meta_repository().save(metadata, secret_model)
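def setUp(self):
    """Wire a mock certificate plugin and CA repository into the manager.

    The duplicate ``self.plugin_loaded`` assignment in the original has
    been removed; a single mock extension wrapping ``plugin_returned`` is
    created and installed.
    """
    super(WhenTestingCertificatePluginManager, self).setUp()
    self.cert_spec = {}

    self.plugin_returned = mock.MagicMock()
    self.plugin_name = common_utils.generate_fullname_for(self.plugin_returned)
    self.plugin_returned.supported_request_types.return_value = [
        cm.CertificateRequestType.SIMPLE_CMC_REQUEST,
        cm.CertificateRequestType.CUSTOM_REQUEST,
    ]
    self.plugin_returned.supports.return_value = True

    # CA info as the plugin would report it, with a default expiry.
    expiration = (
        datetime.datetime.utcnow()
        + datetime.timedelta(days=cm.CA_INFO_DEFAULT_EXPIRATION_DAYS))
    ca_info = {
        cm.INFO_NAME: "my_ca",
        cm.INFO_DESCRIPTION: "Certificate Authority my_ca",
        cm.INFO_CA_SIGNING_CERT: "Undefined",
        cm.INFO_INTERMEDIATES: "Undefined",
        cm.INFO_EXPIRATION: expiration.isoformat()
    }
    self.plugin_returned.get_ca_info.return_value = {
        'plugin_ca_id1': ca_info
    }

    # The CA row the repository mock hands back for that plugin.
    parsed_ca = {
        'plugin_name': self.plugin_name,
        'plugin_ca_id': 'plugin_ca_id1',
        'name': self.plugin_name,
        'description': 'Master CA for default plugin',
        'ca_signing_certificate': 'ZZZZZ',
        'intermediates': 'YYYYY'
    }
    self.ca = models.CertificateAuthority(parsed_ca)
    self.ca.id = 'ca_id'

    self.ca_repo = mock.MagicMock()
    self.ca_repo.get_by_create_date.return_value = (self.ca, 0, 1, 1)
    self.ca_repo.create_from.return_value = None
    self.ca_repo.get.return_value = self.ca

    self.project = models.Project()
    self.project.id = '12345'

    self.setup_ca_repository_mock(self.ca_repo)

    self.plugin_loaded = mock.MagicMock(obj=self.plugin_returned)
    self.manager = cm.CertificatePluginManager()
    self.manager.extensions = [self.plugin_loaded]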
def _save_secret_metadata(secret_model, secret_metadata, store_plugin, content_type, repos):
    """Persist a secret's metadata, tagging it with the storing plugin.

    The plugin's fully qualified name is recorded so later retrieve/delete
    calls can route back to the same backend.

    :param secret_model: secret the metadata belongs to
    :param secret_metadata: plugin-supplied metadata dict (may be empty or
        None); when supplied it is updated in place
    :param store_plugin: plugin that stored the secret
    :param content_type: content type recorded alongside the metadata
    :param repos: repository bundle providing ``secret_meta_repo``
    """
    metadata = secret_metadata if secret_metadata else dict()
    metadata['plugin_name'] = utils.generate_fullname_for(store_plugin)
    metadata['content_type'] = content_type
    repos.secret_meta_repo.save(metadata, secret_model)
def _schedule_check_cert_request(cert_plugin, order_model, plugin_meta, repos, cert_result_dto, project_model, retry_time):
    """Queue a follow-up check_certificate_request for this order.

    The plugin is passed to the retry task by fully qualified name so the
    same backend handles the check.
    """
    plugin_full_name = utils.generate_fullname_for(cert_plugin)
    check_args = [order_model, project_model, plugin_full_name, repos]
    _schedule_cert_retry_task(
        cert_result_dto,
        cert_plugin,
        order_model,
        plugin_meta,
        retry_method="check_certificate_request",
        retry_object="barbican.tasks.certificate_resources",
        retry_time=retry_time,
        retry_args=check_args)
def _plugin_supports(self, plugin_inst, kek_metadata_tenant):
    """Report whether a plugin owns the given tenant KEK metadata.

    Ownership is decided purely by name: the plugin's fully qualified name
    must equal the ``plugin_name`` recorded on the KEK metadata.

    :param plugin_inst: plugin instance to test
    :param kek_metadata_tenant: KEK metadata whose ``plugin_name`` is compared
    :return: True if the names match
    """
    own_name = utils.generate_fullname_for(plugin_inst)
    return kek_metadata_tenant.plugin_name == own_name
def __init__(self, conf):
    """Open DB and HSM sessions and load the *new* master keys for rewrap.

    :param conf: configuration providing ``sql_connection`` (may embed
        database credentials - do not log it) and the P11 plugin settings
    """
    self.dry_run = False

    # autocommit=True: each statement through _session_creator commits alone.
    self.db_engine = sqlalchemy.create_engine(conf.sql_connection)
    session_factory = orm.sessionmaker(bind=self.db_engine, autocommit=True)
    self._session_creator = scoping.scoped_session(session_factory)

    self.crypto_plugin = p11_crypto.P11CryptoPlugin(conf)
    self.pkcs11 = self.crypto_plugin.pkcs11
    self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
    self.hsm_session = self.pkcs11.get_session()

    # Labels of the MKEK and HMAC keys the plugin is configured with; the
    # key handles are fetched via the plugin's private lookup.
    self.new_mkek_label = self.crypto_plugin.mkek_label
    self.new_hmac_label = self.crypto_plugin.hmac_label
    self.new_mkek = self.crypto_plugin._get_master_key(self.new_mkek_label)
    self.new_mkhk = self.crypto_plugin._get_master_key(self.new_hmac_label)
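def setUp(self):
    """Wire a mock certificate plugin and CA repository into the manager.

    The duplicate ``self.plugin_loaded`` assignment in the original has
    been removed; a single mock extension wrapping ``plugin_returned`` is
    created and installed.
    """
    super(WhenTestingCertificatePluginManager, self).setUp()
    self.cert_spec = {}

    self.plugin_returned = mock.MagicMock()
    self.plugin_name = common_utils.generate_fullname_for(self.plugin_returned)
    self.plugin_returned.supported_request_types.return_value = [
        cm.CertificateRequestType.SIMPLE_CMC_REQUEST,
        cm.CertificateRequestType.CUSTOM_REQUEST,
    ]
    self.plugin_returned.supports.return_value = True

    # CA info as the plugin would report it, with a default expiry.
    expiration = (
        datetime.datetime.utcnow()
        + datetime.timedelta(days=cm.CA_INFO_DEFAULT_EXPIRATION_DAYS))
    ca_info = {
        cm.INFO_NAME: "my_ca",
        cm.INFO_DESCRIPTION: "Certificate Authority my_ca",
        cm.INFO_CA_SIGNING_CERT: "Undefined",
        cm.INFO_INTERMEDIATES: "Undefined",
        cm.INFO_EXPIRATION: expiration.isoformat()
    }
    self.plugin_returned.get_ca_info.return_value = {
        'plugin_ca_id1': ca_info
    }

    # The CA row the repository mock hands back for that plugin.
    parsed_ca = {
        'plugin_name': self.plugin_name,
        'plugin_ca_id': 'plugin_ca_id1',
        'name': self.plugin_name,
        'description': 'Master CA for default plugin',
        'ca_signing_certificate': 'ZZZZZ',
        'intermediates': 'YYYYY'
    }
    self.ca = models.CertificateAuthority(parsed_ca)
    self.ca.id = 'ca_id'

    self.ca_repo = mock.MagicMock()
    self.ca_repo.get_by_create_date.return_value = (self.ca, 0, 1, 1)
    self.ca_repo.create_from.return_value = None
    self.ca_repo.get.return_value = self.ca

    self.project = models.Project()
    self.project.id = '12345'

    self.setup_ca_repository_mock(self.ca_repo)

    self.plugin_loaded = mock.MagicMock(obj=self.plugin_returned)
    self.manager = cm.CertificatePluginManager()
    self.manager.extensions = [self.plugin_loaded]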
def _schedule_check_cert_request(cert_plugin, order_model, plugin_meta, repos, cert_result_dto, project_model, retry_time):
    """Queue a follow-up check_certificate_request for this order.

    The plugin is passed to the retry task by fully qualified name so the
    same backend handles the check.
    """
    plugin_full_name = utils.generate_fullname_for(cert_plugin)
    check_args = [order_model, project_model, plugin_full_name, repos]
    _schedule_cert_retry_task(
        cert_result_dto,
        cert_plugin,
        order_model,
        plugin_meta,
        retry_method="check_certificate_request",
        retry_object="barbican.tasks.certificate_resources",
        retry_time=retry_time,
        retry_args=check_args)
def setUp(self):
    """Install a single mock event plugin into the shared event manager."""
    super(WhenTestingCertificateEventPluginManager, self).setUp()

    # Fixture values handed to the event plugin under test.
    self.project_id = '1234'
    self.order_ref = 'http://www.mycerts.com/v1/orders/123456'
    self.container_ref = 'http://www.mycerts.com/v1/containers/654321'
    self.error_msg = 'Something is broken'
    self.retry_in_msec = 5432

    fake_plugin = mock.MagicMock()
    self.plugin_returned = fake_plugin
    self.plugin_name = common_utils.generate_fullname_for(fake_plugin)
    self.plugin_loaded = mock.MagicMock(obj=fake_plugin)

    # EVENT_PLUGIN_MANAGER is module-global; its extensions are replaced
    # for the duration of the test.
    self.manager = cm.EVENT_PLUGIN_MANAGER
    self.manager.extensions = [self.plugin_loaded]
def _schedule_cert_retry_task(cert_result_dto, cert_plugin, order_model, plugin_meta, retry_method=None, retry_object=None, retry_time=None, retry_args=None):
    """Schedule a retry, letting the plugin's result DTO override defaults.

    A positive ``retry_msec`` on the DTO replaces ``retry_time``. If the DTO
    names a ``retry_method``, the retry targets that method on the plugin
    itself (by fully qualified name) with the plugin-level argument list,
    replacing whatever ``retry_object``/``retry_args`` the caller passed.
    """
    dto_delay = cert_result_dto.retry_msec
    if dto_delay > 0:
        retry_time = dto_delay

    plugin_method = cert_result_dto.retry_method
    if plugin_method:
        retry_method = plugin_method
        retry_object = utils.generate_fullname_for(cert_plugin)
        retry_args = [order_model.id, order_model.meta, plugin_meta]

    _schedule_retry_task(retry_object, retry_method, retry_time, retry_args)
def get_plugin_retrieve_delete(self, plugin_name):
    """Return the loaded secret-store plugin named in stored secret metadata.

    :param plugin_name: fully qualified plugin name recorded with the secret
    :returns: SecretStoreBase plugin implementation
    :raises SecretStorePluginNotFound: no plugins are loaded at all
    :raises SecretStoreSupportedPluginNotFound: plugins are loaded but none
        has the requested name
    """
    if not self.extensions:
        raise SecretStorePluginNotFound()

    matches = (
        extension.obj for extension in self.extensions
        if utils.generate_fullname_for(extension.obj) == plugin_name
    )
    found = next(matches, None)
    if found is None:
        raise SecretStoreSupportedPluginNotFound()
    return found
def __init__(self, conf):
    """Open DB and HSM sessions and load the *new* master keys for rewrap.

    :param conf: configuration providing ``sql_connection`` (may embed
        database credentials - do not log it) and the P11 plugin settings
    """
    self.dry_run = False

    # autocommit=True: each statement through _session_creator commits alone.
    self.db_engine = sqlalchemy.create_engine(conf.sql_connection)
    session_factory = orm.sessionmaker(bind=self.db_engine, autocommit=True)
    self._session_creator = scoping.scoped_session(session_factory)

    self.crypto_plugin = p11_crypto.P11CryptoPlugin(conf)
    self.pkcs11 = self.crypto_plugin.pkcs11
    self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
    self.hsm_session = self.pkcs11.get_session()

    # Labels of the MKEK and HMAC keys the plugin is configured with; the
    # key handles are fetched via the plugin's private lookup.
    self.new_mkek_label = self.crypto_plugin.mkek_label
    self.new_hmac_label = self.crypto_plugin.hmac_label
    self.new_mkek = self.crypto_plugin._get_master_key(self.new_mkek_label)
    self.new_mkhk = self.crypto_plugin._get_master_key(self.new_hmac_label)
def get_plugin_retrieve_delete(self, plugin_name):
    """Return the active secret-store plugin named in stored secret metadata.

    This is only called for secrets that already exist, so ``plugin_name``
    comes from metadata persisted at store time. A miss therefore points at
    a deployment problem (the backend that stored the secret is no longer
    configured) rather than bad client input.

    :param plugin_name: fully qualified plugin name recorded with the secret
    :returns: SecretStoreBase plugin implementation
    :raises StorePluginNotAvailableOrMisconfigured: no active plugin has
        the recorded name
    """
    matches = (
        candidate for candidate in plugin_utils.get_active_plugins(self)
        if utils.generate_fullname_for(candidate) == plugin_name
    )
    found = next(matches, None)
    if found is None:
        raise StorePluginNotAvailableOrMisconfigured(plugin_name)
    return found
def update_ca_info(self, cert_plugin):
    """Synchronize the CertificateAuthority table with one plugin's CA list.

    A plugin that fails while reporting its CAs is logged and left
    untouched (no rows are deleted on that basis). Otherwise rows the
    plugin no longer reports are deleted, surviving rows are updated, and
    new ids are added; a failure adding one CA is logged and the rest are
    still attempted.

    :param cert_plugin: certificate plugin whose CAs are being refreshed
    """
    plugin_name = utils.generate_fullname_for(cert_plugin)

    try:
        new_ca_infos = cert_plugin.get_ca_info()
    except Exception as e:
        # Plugin could not produce a CA list: log and keep existing rows.
        LOG.error(u._LE("ERROR getting CA from plugin: %s"),
                  encodeutils.exception_to_unicode(e))
        return

    old_cas, offset, limit, total = self.ca_repo.get_by_create_date(
        plugin_name=plugin_name, suppress_exception=True, show_expired=True)

    known_ids = set()
    if old_cas:
        for old_ca in old_cas:
            ca_id = old_ca.plugin_ca_id
            if ca_id in new_ca_infos.keys():
                # Still advertised: refresh stored attributes.
                self.ca_repo.update_entity(old_ca, new_ca_infos[ca_id])
            else:
                # No longer advertised: drop the row.
                self._delete_ca(old_ca)
        known_ids = set([ca.plugin_ca_id for ca in old_cas])

    for add_id in set(new_ca_infos.keys()) - known_ids:
        try:
            self._add_ca(plugin_name, add_id, new_ca_infos[add_id])
        except Exception as e:
            # One bad CA entry should not block the others.
            LOG.error(u._LE("ERROR adding CA from plugin: %s"),
                      encodeutils.exception_to_unicode(e))
def update_ca_info(self, cert_plugin):
    """Synchronize the CertificateAuthority table with one plugin's CA list.

    A plugin that fails while reporting its CAs is logged and left
    untouched (no rows are deleted on that basis). Otherwise rows the
    plugin no longer reports are deleted, surviving rows are updated, and
    new ids are added; a failure adding one CA is logged and the rest are
    still attempted.

    :param cert_plugin: certificate plugin whose CAs are being refreshed
    """
    plugin_name = utils.generate_fullname_for(cert_plugin)

    try:
        new_ca_infos = cert_plugin.get_ca_info()
    except Exception as e:
        # Plugin could not produce a CA list: log and keep existing rows.
        LOG.error("ERROR getting CA from plugin: %s",
                  encodeutils.exception_to_unicode(e))
        return

    old_cas, offset, limit, total = self.ca_repo.get_by_create_date(
        plugin_name=plugin_name, suppress_exception=True, show_expired=True)

    known_ids = set()
    if old_cas:
        for old_ca in old_cas:
            ca_id = old_ca.plugin_ca_id
            if ca_id in new_ca_infos.keys():
                # Still advertised: refresh stored attributes.
                self.ca_repo.update_entity(old_ca, new_ca_infos[ca_id])
            else:
                # No longer advertised: drop the row.
                self._delete_ca(old_ca)
        known_ids = set([ca.plugin_ca_id for ca in old_cas])

    for add_id in set(new_ca_infos.keys()) - known_ids:
        try:
            self._add_ca(plugin_name, add_id, new_ca_infos[add_id])
        except Exception as e:
            # One bad CA entry should not block the others.
            LOG.error("ERROR adding CA from plugin: %s",
                      encodeutils.exception_to_unicode(e))
def get_transport_key_model(key_spec, repos, transport_key_needed):
    """Return a current TransportKey row for a plugin that can store key_spec.

    Returns None unless ``transport_key_needed``. Otherwise the latest
    stored transport key for the selected plugin is reused only if the
    plugin still considers it current; a stale or missing key is replaced
    by fetching a fresh one from the plugin and persisting it.

    :param key_spec: KeySpec of the key that will be stored
    :param repos: repository bundle providing ``transport_key_repo``
    :param transport_key_needed: whether a transport key is required at all
    :returns: TransportKey model, or None
    """
    if not transport_key_needed:
        return None

    # Raises if no plugin offering a transport key supports key_spec.
    manager = secret_store.SecretStorePluginManager()
    store_plugin = manager.get_plugin_store(key_spec=key_spec,
                                            transport_key_needed=True)
    plugin_name = utils.generate_fullname_for(store_plugin)

    key_repo = repos.transport_key_repo
    key_model = key_repo.get_latest_transport_key(plugin_name)

    # The plugin is the authority on whether a stored key is still usable.
    is_current = (key_model is not None and
                  store_plugin.is_transport_key_current(key_model.transport_key))
    if not is_current:
        fresh_key = store_plugin.get_transport_key()
        key_model = key_repo.create_from(
            models.TransportKey(plugin_name, fresh_key))
    return key_model
def get_plugin_retrieve(self, plugin_name_for_store):
    """Return the loaded crypto plugin that originally encrypted a secret.

    :param plugin_name_for_store: fully qualified plugin name recorded in
        the secret's KEK metadata
    :returns: CryptoPluginBase plugin implementation
    :raises crypto.CryptoPluginNotFound: no plugins are loaded at all
    :raises secret_store.SecretStorePluginNotFound: plugins are loaded but
        none has the recorded name
    """
    if not self.extensions:
        raise crypto.CryptoPluginNotFound()

    matches = (
        extension.obj for extension in self.extensions
        if utils.generate_fullname_for(extension.obj) == plugin_name_for_store
    )
    found = next(matches, None)
    if found is None:
        raise secret_store.SecretStorePluginNotFound()
    return found
def get_plugin_retrieve(self, plugin_name_for_store):
    """Return the active crypto plugin that originally encrypted a secret.

    :param plugin_name_for_store: fully qualified plugin name recorded in
        the secret's KEK metadata
    :returns: CryptoPluginBase plugin implementation
    :raises crypto.CryptoPluginNotFound: no plugins are active at all
    :raises secret_store.SecretStorePluginNotFound: plugins are active but
        none has the recorded name
    """
    candidates = plugin_utils.get_active_plugins(self)
    if not candidates:
        raise crypto.CryptoPluginNotFound()

    matches = (
        candidate for candidate in candidates
        if utils.generate_fullname_for(candidate) == plugin_name_for_store
    )
    found = next(matches, None)
    if found is None:
        raise secret_store.SecretStorePluginNotFound()
    return found
def get_plugin_retrieve(self, plugin_name_for_store):
    """Return the active crypto plugin that originally encrypted a secret.

    :param plugin_name_for_store: fully qualified plugin name recorded in
        the secret's KEK metadata
    :returns: CryptoPluginBase plugin implementation
    :raises crypto.CryptoPluginNotFound: no plugins are active at all
    :raises secret_store.SecretStorePluginNotFound: plugins are active but
        none has the recorded name
    """
    candidates = plugin_utils.get_active_plugins(self)
    if len(candidates) == 0:
        raise crypto.CryptoPluginNotFound()

    matches = (
        candidate for candidate in candidates
        if utils.generate_fullname_for(candidate) == plugin_name_for_store
    )
    found = next(matches, None)
    if found is None:
        raise secret_store.SecretStorePluginNotFound()
    return found
def _get_transport_key_model(key_spec, transport_key_needed):
    """Return a current TransportKey row for a plugin that can store key_spec.

    Returns None unless ``transport_key_needed``. Otherwise the latest
    stored transport key for the selected plugin is reused only if the
    plugin still considers it current; a stale or missing key is replaced
    by fetching a fresh one from the plugin and persisting it.

    :param key_spec: KeySpec of the key that will be stored
    :param transport_key_needed: whether a transport key is required at all
    :returns: TransportKey model, or None
    """
    if not transport_key_needed:
        return None

    # Raises if no plugin offering a transport key supports key_spec.
    store_plugin = secret_store.get_manager().get_plugin_store(
        key_spec=key_spec, transport_key_needed=True)
    plugin_name = utils.generate_fullname_for(store_plugin)

    key_repo = repos.get_transport_key_repository()
    key_model = key_repo.get_latest_transport_key(plugin_name)

    # The plugin is the authority on whether a stored key is still usable.
    is_current = (key_model is not None and
                  store_plugin.is_transport_key_current(key_model.transport_key))
    if not is_current:
        fresh_key = store_plugin.get_transport_key()
        key_model = key_repo.create_from(
            models.TransportKey(plugin_name, fresh_key))
    return key_model
def _find_or_create_kek_objects(self, plugin_inst, tenant, kek_repo):
    """Look up (or create) the tenant's KEK datum for a plugin and bind it.

    The datum is keyed by tenant and the plugin's fully qualified name. If
    the plugin has not yet bound its key-management metadata to the datum,
    ``bind_kek_metadata`` is invoked and must hand back a DTO; a None
    return is treated as a contract violation. The datum is saved
    unconditionally.

    :returns: (kek_datum, kek_meta_dto)
    :raises CryptoKEKBindingException: plugin returned no DTO from bind
    """
    full_plugin_name = utils.generate_fullname_for(plugin_inst)
    kek_datum = kek_repo.find_or_create_kek_datum(tenant, full_plugin_name)
    kek_meta_dto = plugin_mod.KEKMetaDTO(kek_datum)

    # TODO(jwood): Does this need to be in a critical section, or should
    # bind be declared idempotent in the plugin contract? Two concurrent
    # first-time callers could both reach bind_kek_metadata here.
    if not kek_datum.bind_completed:
        bound_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
        if bound_dto is None:
            # Plugins must return a (typically modified) DTO by contract.
            raise CryptoKEKBindingException(full_plugin_name)
        kek_meta_dto = bound_dto
        plugin_mod.indicate_bind_completed(kek_meta_dto, kek_datum)

    kek_repo.save(kek_datum)
    return kek_datum, kek_meta_dto
def _find_or_create_kek_objects(self, plugin_inst, tenant_model, kek_repo):
    """Look up (or create) the tenant's KEK datum for a plugin and bind it.

    The datum is keyed by tenant and the plugin's fully qualified name. If
    the plugin has not yet bound its key-management metadata to the datum,
    ``bind_kek_metadata`` is invoked and must hand back a DTO; a None
    return is treated as a contract violation. The datum is saved
    unconditionally.

    :returns: (kek_datum_model, kek_meta_dto)
    :raises crypto.CryptoKEKBindingException: plugin returned no DTO from bind
    """
    full_plugin_name = utils.generate_fullname_for(plugin_inst)
    kek_datum_model = kek_repo.find_or_create_kek_datum(tenant_model,
                                                        full_plugin_name)
    kek_meta_dto = crypto.KEKMetaDTO(kek_datum_model)

    # TODO(jwood): Does this need to be in a critical section, or should
    # bind be declared idempotent in the plugin contract? Two concurrent
    # first-time callers could both reach bind_kek_metadata here.
    if not kek_datum_model.bind_completed:
        bound_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
        if bound_dto is None:
            # Plugins must return a (typically modified) DTO by contract.
            raise crypto.CryptoKEKBindingException(full_plugin_name)
        kek_meta_dto = bound_dto
        self._indicate_bind_completed(kek_meta_dto, kek_datum_model)

    kek_repo.save(kek_datum_model)
    return kek_datum_model, kek_meta_dto
def get_plugin_retrieve(self, plugin_name_for_store):
    """Return the active crypto plugin that originally encrypted a secret.

    :param plugin_name_for_store: fully qualified plugin name recorded in
        the secret's KEK metadata
    :returns: CryptoPluginBase plugin implementation
    :raises base.CryptoPluginNotFound: no plugins are active at all
    :raises base.CryptoPluginUnsupportedOperation: plugins are active but
        none has the recorded name
    """
    candidates = plugin_utils.get_active_plugins(self)
    if not candidates:
        raise base.CryptoPluginNotFound()

    matches = (
        candidate for candidate in candidates
        if utils.generate_fullname_for(candidate) == plugin_name_for_store
    )
    found = next(matches, None)
    if found is None:
        operation = (u._("retrieve a secret from plugin: {plugin}")
                     .format(plugin=plugin_name_for_store))
        raise base.CryptoPluginUnsupportedOperation(operation=operation)
    return found
def _find_or_create_kek_objects(plugin_inst, project_model):
    """Look up (or create) the project's KEK datum for a plugin and bind it.

    The datum is keyed by project and the plugin's fully qualified name. If
    the plugin has not yet bound its key-management metadata to the datum,
    ``bind_kek_metadata`` is invoked and must hand back a DTO; a None
    return is treated as a contract violation. The datum is saved
    unconditionally.

    :returns: (kek_datum_model, kek_meta_dto)
    :raises crypto.CryptoKEKBindingException: plugin returned no DTO from bind
    """
    kek_repo = repositories.get_kek_datum_repository()

    full_plugin_name = utils.generate_fullname_for(plugin_inst)
    kek_datum_model = kek_repo.find_or_create_kek_datum(project_model,
                                                        full_plugin_name)
    kek_meta_dto = crypto.KEKMetaDTO(kek_datum_model)

    # TODO(jwood): Does this need to be in a critical section, or should
    # bind be declared idempotent in the plugin contract? Two concurrent
    # first-time callers could both reach bind_kek_metadata here.
    if not kek_datum_model.bind_completed:
        bound_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
        if bound_dto is None:
            # Plugins must return a (typically modified) DTO by contract.
            raise crypto.CryptoKEKBindingException(full_plugin_name)
        kek_meta_dto = bound_dto
        _indicate_bind_completed(kek_meta_dto, kek_datum_model)

    kek_repo.save(kek_datum_model)
    return kek_datum_model, kek_meta_dto
def test_returns_qualified_name(self):
    """The full name is '<module>.<ClassName>' when a module is set."""
    self.instance.__class__.__module__ = 'dummy'
    self.assertEqual('dummy.DummyClassForTesting',
                     utils.generate_fullname_for(self.instance))
def test_returns_class_name_on_null_module(self):
    """With no module the full name degrades to the bare class name."""
    self.instance.__class__.__module__ = None
    self.assertEqual('DummyClassForTesting',
                     utils.generate_fullname_for(self.instance))
def test_get_fullname_for_string_doesnt_include_module(self):
    """A builtin instance yields an unqualified name with no module prefix."""
    fullname = utils.generate_fullname_for("foo")
    # No dotted path at all, and in particular no builtins module name.
    self.assertEqual(0, fullname.count("."))
    self.assertNotIn(six.moves.builtins.__name__, fullname)