 def _get_secret_store_entry(self, store_plugin, crypto_plugin):
     """Return the persisted SecretStores row for a (store, crypto) plugin pair.

     Scans every row returned by the secret-stores repository and returns the
     first one whose ``store_plugin`` and ``crypto_plugin`` both equal the
     given names; ``None`` when no row matches (``crypto_plugin`` may itself be
     ``None`` for stores configured without a crypto plugin).
     """
     ss_repo = repositories.get_secret_stores_repository()
     wanted = (store_plugin, crypto_plugin)
     return next(
         (entry for entry in ss_repo.get_all()
          if (entry.store_plugin, entry.crypto_plugin) == wanted),
         None)
ファイル: utils.py プロジェクト: openstack/barbican
 def _get_secret_store_entry(self, store_plugin, crypto_plugin):
     """Find the SecretStores row whose plugin names equal the given ones.

     Returns the first matching row from the secret-stores repository, or
     ``None`` if nothing matches.
     """
     def matches(entry):
         return (entry.store_plugin == store_plugin
                 and entry.crypto_plugin == crypto_plugin)

     candidates = repositories.get_secret_stores_repository().get_all()
     for entry in filter(matches, candidates):
         return entry
     return None
class SecretStores(base.BarbicanObject, base.BarbicanPersistentObject,
                   object_base.VersionedObjectDictCompat):
    """Versioned object backed by one row of the SecretStores table.

    Fields: ``store_plugin`` and ``crypto_plugin`` name the backend plugin
    pair (the crypto one may be null), ``global_default`` flags the store
    marked as global default in configuration, ``name`` is the display
    label and ``status`` defaults to ``base.States.ACTIVE``.
    """
    fields = {
        'store_plugin': fields.StringField(),
        'crypto_plugin': fields.StringField(nullable=True),
        'global_default': fields.BooleanField(default=False),
        'name': fields.StringField(),
        'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
    }

    db_model = models.SecretStores
    db_repo = repos.get_secret_stores_repository()

    def _validate_fields(self, change_fields):
        """Reject a change set that lacks a non-blank name or store_plugin.

        Raises ``exception.MissingArgumentError`` naming the first missing
        field; ``name`` is checked before ``store_plugin``.
        """
        msg = u._("Must supply non-Blank {0} argument for SecretStores entry.")
        for required in ("name", "store_plugin"):
            if not change_fields.get(required):
                raise exception.MissingArgumentError(msg.format(required))

    @classmethod
    def get_all(cls, session=None):
        """Return every SecretStores row wrapped as an instance of this class.

        ``session`` is passed straight through to the repository.
        """
        def to_object(row):
            return cls()._from_db_object(row)

        return list(map(to_object, cls.db_repo.get_all(session)))
 def setUp(self):
     """Build the repository fixture and persist one default secret store.

     The default row uses the "PKCS11 HSM" name with the store_crypto /
     p11_crypto plugin pair and is flagged as global default.
     """
     super(WhenTestingSecretStoresRepo, self).setUp()
     self.def_name = "PKCS11 HSM"
     self.def_store_plugin = "store_crypto"
     self.def_crypto_plugin = "p11_crypto"
     self.s_stores_repo = repositories.get_secret_stores_repository()
     self.default_secret_store = self._create_secret_store(
         self.def_name, self.def_store_plugin, self.def_crypto_plugin, True)
 def setUp(self):
     """Prepare the secret-stores repository and a global-default test row."""
     super(WhenTestingSecretStoresRepo, self).setUp()
     self.s_stores_repo = repositories.get_secret_stores_repository()
     name, store_plugin, crypto_plugin = (
         "PKCS11 HSM", "store_crypto", "p11_crypto")
     self.def_name = name
     self.def_store_plugin = store_plugin
     self.def_crypto_plugin = crypto_plugin
     self.default_secret_store = self._create_secret_store(
         name, store_plugin, crypto_plugin, True)
def get_global_default_secret_store():
    """Return the first SecretStores row flagged ``global_default``.

    Returns ``None`` when no row carries the flag (e.g. before the table
    has been synchronized from configuration).
    """
    all_stores = db_repos.get_secret_stores_repository().get_all()
    return next((store for store in all_stores if store.global_default), None)
ファイル: multiple_backends.py プロジェクト: cfiehe/barbican
def get_global_default_secret_store():
    """Look up the SecretStores row marked as the global default.

    Only the first flagged row (in repository order) is returned; ``None``
    is returned when the flag is set on no row at all.
    """
    repo = db_repos.get_secret_stores_repository()
    for candidate in repo.get_all():
        if candidate.global_default:
            return candidate
    return None
    def test_syncup_with_existing_secret_stores(self):
        """Re-syncing after a conf change adds, keeps and removes rows.

        First sync seeds five stores (one without a crypto plugin); the
        second sync drops ss_p1/ss_p2, keeps ss_p3..ss_p5 and adds ss_p6,
        after which ss_p3 is the global default and four rows remain.
        """
        def run_sync(ss_names, cr_names):
            self.init_via_conf_file(ss_names, cr_names, enabled=True)
            multiple_backends.sync_secret_stores(MockedManager(ss_names),
                                                 MockedManager(cr_names))

        def db_entry_count():
            return len(repositories.get_secret_stores_repository().get_all())

        run_sync(['ss_p1', 'ss_p2', 'ss_p3', 'ss_p4', 'ss_p5'],
                 ['cr_p1', '', 'cr_p3', 'cr_p4', 'cr_p5'])
        self.assertEqual(5, db_entry_count())

        # with no crypto plugin configured, the friendly name must come from
        # the secret store plugin itself
        crypto_less_entry = self._get_secret_store_entry('ss_p2', None)
        self.assertIsNotNone(crypto_less_entry)
        self.assertEqual(MockedManager.NAME_PREFIX + 'ss_p2',
                         crypto_less_entry.name)

        # change the configuration and synchronize a second time
        run_sync(['ss_p3', 'ss_p4', 'ss_p5', 'ss_p6'],
                 ['cr_p3', 'cr_p4', 'cr_p5', 'cr_p6'])

        self.assertIsNone(self._get_secret_store_entry('ss_p2', 'cr_p2'))
        self.assertIsNotNone(self._get_secret_store_entry('ss_p6', 'cr_p6'))

        default_store = multiple_backends.get_global_default_secret_store()
        self.assertEqual('ss_p3', default_store.store_plugin)
        self.assertEqual('cr_p3', default_store.crypto_plugin)
        self.assertEqual(MockedManager.NAME_PREFIX + 'cr_p3',
                         default_store.name)
        self.assertEqual(4, db_entry_count())
    def test_syncup_with_existing_secret_stores(self):
        """A second sync against a changed conf reconciles existing rows.

        Covers three outcomes of sync_secret_stores on a populated table:
        rows for plugins removed from conf disappear, rows for new plugins
        appear, and the global default follows the new first entry.
        """
        first_ss = ['ss_p1', 'ss_p2', 'ss_p3', 'ss_p4', 'ss_p5']
        first_cr = ['cr_p1', '', 'cr_p3', 'cr_p4', 'cr_p5']
        self.init_via_conf_file(first_ss, first_cr, enabled=True)
        ss_manager = MockedManager(first_ss)
        cr_manager = MockedManager(first_cr)
        multiple_backends.sync_secret_stores(ss_manager, cr_manager)

        rows = repositories.get_secret_stores_repository().get_all()
        self.assertEqual(5, len(rows))

        # the entry without a crypto plugin is named after its store plugin
        no_crypto_row = self._get_secret_store_entry('ss_p2', None)
        self.assertIsNotNone(no_crypto_row)
        self.assertEqual(MockedManager.NAME_PREFIX + 'ss_p2',
                         no_crypto_row.name)

        second_ss = ['ss_p3', 'ss_p4', 'ss_p5', 'ss_p6']
        second_cr = ['cr_p3', 'cr_p4', 'cr_p5', 'cr_p6']
        self.init_via_conf_file(second_ss, second_cr, enabled=True)
        ss_manager = MockedManager(second_ss)
        cr_manager = MockedManager(second_cr)
        multiple_backends.sync_secret_stores(ss_manager, cr_manager)

        removed_row = self._get_secret_store_entry('ss_p2', 'cr_p2')
        self.assertIsNone(removed_row)
        added_row = self._get_secret_store_entry('ss_p6', 'cr_p6')
        self.assertIsNotNone(added_row)

        new_default = multiple_backends.get_global_default_secret_store()
        self.assertEqual('ss_p3', new_default.store_plugin)
        self.assertEqual('cr_p3', new_default.crypto_plugin)
        self.assertEqual(MockedManager.NAME_PREFIX + 'cr_p3',
                         new_default.name)
        rows = repositories.get_secret_stores_repository().get_all()
        self.assertEqual(4, len(rows))
    def _create_secret_store(self, name, store_plugin, crypto_plugin=None,
                             global_default=None):
        """Persist one SecretStores row and return the saved entity.

        The model is created through the repository, saved in the
        repository's own session and the session is committed before the
        entity is handed back.
        """
        repo = repositories.get_secret_stores_repository()
        session = repo.get_session()

        new_row = models.SecretStores(
            name=name,
            store_plugin=store_plugin,
            crypto_plugin=crypto_plugin,
            global_default=global_default,
        )
        saved_row = repo.create_from(new_row, session=session)
        saved_row.save(session=session)
        session.commit()
        return saved_row
    def _create_secret_store(self, name, store_plugin, crypto_plugin=None,
                             global_default=None):
        """Insert a SecretStores row with the given column values.

        Returns the entity as created by the repository, after ``save`` and
        a commit on the repository session.
        """
        column_values = dict(name=name,
                             store_plugin=store_plugin,
                             crypto_plugin=crypto_plugin,
                             global_default=global_default)
        store_repo = repositories.get_secret_stores_repository()
        db_session = store_repo.get_session()

        entity = store_repo.create_from(
            models.SecretStores(**column_values), session=db_session)
        entity.save(session=db_session)
        db_session.commit()
        return entity
    def test_successful_syncup_no_existing_secret_stores(self):
        """A first sync against an empty table creates one row per conf entry.

        The first configured pair (ss_p1 / cr_p1) is expected to be the
        global default and to carry the crypto plugin's friendly name.
        """
        store_names = ['ss_p1', 'ss_p2', 'ss_p3', 'ss_p4', 'ss_p5']
        crypto_names = ['cr_p1', 'cr_p2', 'cr_p3', 'cr_p4', 'cr_p5']
        self.init_via_conf_file(store_names, crypto_names, enabled=True)
        multiple_backends.sync_secret_stores(MockedManager(store_names),
                                             MockedManager(crypto_names))

        default_store = multiple_backends.get_global_default_secret_store()
        self.assertEqual('ss_p1', default_store.store_plugin)
        self.assertEqual('cr_p1', default_store.crypto_plugin)
        self.assertEqual(MockedManager.NAME_PREFIX + 'cr_p1',
                         default_store.name)

        all_rows = repositories.get_secret_stores_repository().get_all()
        self.assertEqual(5, len(all_rows))
    def test_successful_syncup_no_existing_secret_stores(self):
        """Initial sync populates the table and picks the global default."""
        ss_plugins = ['ss_p1', 'ss_p2', 'ss_p3', 'ss_p4', 'ss_p5']
        cr_plugins = ['cr_p1', 'cr_p2', 'cr_p3', 'cr_p4', 'cr_p5']
        self.init_via_conf_file(ss_plugins, cr_plugins, enabled=True)
        ss_manager = MockedManager(ss_plugins)
        cr_manager = MockedManager(cr_plugins)
        multiple_backends.sync_secret_stores(ss_manager, cr_manager)

        chosen = multiple_backends.get_global_default_secret_store()
        expected_name = MockedManager.NAME_PREFIX + 'cr_p1'
        self.assertEqual('ss_p1', chosen.store_plugin)
        self.assertEqual('cr_p1', chosen.crypto_plugin)
        self.assertEqual(expected_name, chosen.name)

        store_repo = repositories.get_secret_stores_repository()
        self.assertEqual(5, len(store_repo.get_all()))
ファイル: secret_stores.py プロジェクト: zzh8002/barbican
class SecretStores(base.BarbicanObject, base.BarbicanPersistentObject,
                   object_base.VersionedObjectDictCompat):
    """Versioned-object wrapper around a row of the SecretStores table.

    ``store_plugin`` / ``crypto_plugin`` identify the plugin pair (crypto may
    be null), ``global_default`` flags the configured global default store,
    ``name`` is the display label and ``status`` defaults to
    ``base.States.ACTIVE``.
    """
    fields = {
        'store_plugin': fields.StringField(),
        'crypto_plugin': fields.StringField(nullable=True),
        'global_default': fields.BooleanField(default=False),
        'name': fields.StringField(),
        'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
    }

    db_model = models.SecretStores
    db_repo = repos.get_secret_stores_repository()

    @classmethod
    def get_all(cls, session=None):
        """Return all rows of the table, each converted to this object type.

        ``session`` is forwarded unchanged to the repository query.
        """
        converted = []
        for db_row in cls.db_repo.get_all(session):
            converted.append(cls()._from_db_object(db_row))
        return converted
 def setUp(self):
     """Run the base fixture setup, then resolve the SecretStores repository."""
     parent_fixture = super(WhenTestingSecretStores, self)
     parent_fixture.setUp()
     self.secret_store_repo = repos.get_secret_stores_repository()
 def setUp(self):
     """Set up the base test case and keep a secret-stores repository handy."""
     super(WhenTestingSecretStores, self).setUp()
     repo_factory = repos.get_secret_stores_repository
     self.secret_store_repo = repo_factory()
 def setUp(self):
     """Resolve both the secret-store and project-preference repositories."""
     parent_fixture = super(WhenTestingProjectSecretStore, self)
     parent_fixture.setUp()
     self.secret_store_repo = repos.get_secret_stores_repository()
     self.proj_store_repo = repos.get_project_secret_store_repository()
ファイル: multiple_backends.py プロジェクト: cfiehe/barbican
def sync_secret_stores(secretstore_manager, crypto_manager=None):
    """Synchronize secret store plugin names between service conf and database

    Reads the secret store and crypto plugin names from the service
    configuration and reconciles the SecretStores table against them:

    * plugin pairs present in conf but absent from the table are inserted;
    * existing rows whose ``global_default`` flag differs from conf are
      updated and saved;
    * rows no longer present in conf are deleted, but only while no project
      has that store as its preferred secret store -- otherwise
      ``exception.MultipleStorePluginStillInUse`` is raised.

    Nothing is done unless multiple backends are enabled. The function is
    meant to run at server startup, so any error raised here is a critical
    startup failure.

    :param secretstore_manager: extension manager exposing ``parsed_stores``
        and ``extensions`` for the secret store plugins
    :param crypto_manager: crypto plugin extension manager; resolved via
        ``manager.get_manager()`` when omitted
    """
    if not utils.is_multiple_backends_enabled():
        return

    # imported here, not at module level: the crypto manager module depends
    # on this utils module, so a top-level import would be circular
    from barbican.plugin.crypto import manager as cm

    secret_stores_repo = db_repos.get_secret_stores_repository()
    proj_store_repo = db_repos.get_project_secret_store_repository()
    if crypto_manager is None:
        crypto_manager = cm.get_manager()

    def friendly_names_of(ext_manager):
        """Map extension name -> get_plugin_name() for plugins exposing it."""
        return {
            ext.name: ext.obj.get_plugin_name()
            for ext in ext_manager.extensions
            if ext.obj and hasattr(ext.obj, 'get_plugin_name')
        }

    ss_friendly_names = friendly_names_of(secretstore_manager)
    crypto_friendly_names = friendly_names_of(crypto_manager)
    # rows already in the table; matched rows are removed from this list so
    # that whatever remains afterwards is no longer configured
    remaining_db_stores = secret_stores_repo.get_all()

    def conf_store_from(parsed_store):
        """Build an unsaved SecretStores model from one parsed conf entry."""
        # a blank crypto plugin is stored as NULL; the friendly name then
        # comes from the store plugin instead of the crypto plugin
        crypto_plugin = parsed_store.crypto_plugin or None
        if crypto_plugin:
            friendly_name = crypto_friendly_names.get(crypto_plugin)
        else:
            friendly_name = ss_friendly_names.get(parsed_store.store_plugin)
        return db_models.SecretStores(
            name=friendly_name,
            store_plugin=parsed_store.store_plugin,
            crypto_plugin=crypto_plugin,
            global_default=parsed_store.global_default)

    conf_stores = [conf_store_from(parsed)
                   for parsed in secretstore_manager.parsed_stores]

    if not remaining_db_stores:
        # empty table (first start): nothing to reconcile, insert everything
        for conf_store in conf_stores:
            secret_stores_repo.create_from(conf_store)
        return

    def first_matching(conf_store):
        """Return the first remaining db row with the same plugin pair."""
        for db_store in remaining_db_stores:
            if (db_store.store_plugin == conf_store.store_plugin
                    and db_store.crypto_plugin == conf_store.crypto_plugin):
                return db_store
        return None

    for conf_store in conf_stores:
        matched = first_matching(conf_store)
        if matched:
            if matched.global_default != conf_store.global_default:
                matched.global_default = conf_store.global_default
                matched.save()  # persist the changed flag
            remaining_db_stores.remove(matched)
        else:
            # configured pair not in the table yet: insert it
            secret_stores_repo.create_from(conf_store)

    # every row left here was dropped from configuration; it may only be
    # deleted while no project still points at it as preferred store, and
    # the first row still in use aborts the startup
    for stale_store in remaining_db_stores:
        if proj_store_repo.get_count_by_secret_store(stale_store.id) != 0:
            raise exception.MultipleStorePluginStillInUse(stale_store.name)
        secret_stores_repo.delete_entity_by_id(stale_store.id, None)
 def setUp(self):
     """Fetch the secret-store and project-preference repositories."""
     super(WhenTestingProjectSecretStore, self).setUp()
     store_repo = repos.get_secret_stores_repository()
     project_repo = repos.get_project_secret_store_repository()
     self.secret_store_repo = store_repo
     self.proj_store_repo = project_repo
ファイル: secretstores.py プロジェクト: openstack/barbican
 def __init__(self):
     """Resolve the repositories this controller reads from and writes to."""
     LOG.debug('Creating SecretStoresController')
     secret_stores_repo = repo.get_secret_stores_repository()
     proj_store_repo = repo.get_project_secret_store_repository()
     self.secret_stores_repo = secret_stores_repo
     self.proj_store_repo = proj_store_repo
ファイル: secretstores.py プロジェクト: zzh8002/barbican
 def __init__(self):
     """Look up the secret-store and project-preference repositories once."""
     LOG.debug('Creating SecretStoresController')
     get_repo = repo.get_secret_stores_repository
     get_project_repo = repo.get_project_secret_store_repository
     self.secret_stores_repo = get_repo()
     self.proj_store_repo = get_project_repo()
def sync_secret_stores(secretstore_manager, crypto_manager=None):
    """Synchronize secret store plugin names between service conf and database

    The secret store and crypto plugin names configured for the service are
    compared with the rows of the SecretStores table. New plugin pairs are
    inserted, rows whose ``global_default`` flag no longer matches conf are
    updated, and rows for pairs removed from conf are deleted -- unless some
    project still has that store as its preferred one, in which case
    ``exception.MultipleStorePluginStillInUse`` is raised.

    A no-op unless multiple backends are enabled. Intended to run at server
    startup, so an error raised here is a critical startup failure.

    :param secretstore_manager: extension manager exposing ``parsed_stores``
        and ``extensions`` for the secret store plugins
    :param crypto_manager: crypto plugin extension manager; defaults to
        ``manager.get_manager()``
    """
    if not utils.is_multiple_backends_enabled():
        return

    # deferred import: the crypto manager module imports this module, so
    # importing it at module level would create a cycle
    from barbican.plugin.crypto import manager as cm

    secret_stores_repo = db_repos.get_secret_stores_repository()
    proj_store_repo = db_repos.get_project_secret_store_repository()
    if crypto_manager is None:
        crypto_manager = cm.get_manager()

    def plugin_display_names(ext_manager):
        """Map extension name -> get_plugin_name() for plugins exposing it."""
        mapping = {}
        for ext in ext_manager.extensions:
            plugin = ext.obj
            if plugin and hasattr(plugin, 'get_plugin_name'):
                mapping[ext.name] = plugin.get_plugin_name()
        return mapping

    ss_names = plugin_display_names(secretstore_manager)
    crypto_names = plugin_display_names(crypto_manager)
    # rows currently in the table
    db_stores = secret_stores_repo.get_all()

    # one unsaved model per configured store
    conf_stores = []
    for parsed_store in secretstore_manager.parsed_stores:
        store_plugin = parsed_store.store_plugin
        # blank crypto plugin is persisted as NULL and the friendly name is
        # then taken from the store plugin rather than the crypto plugin
        crypto_plugin = parsed_store.crypto_plugin or None
        if crypto_plugin:
            display_name = crypto_names.get(crypto_plugin)
        else:
            display_name = ss_names.get(store_plugin)
        conf_stores.append(db_models.SecretStores(
            name=display_name, store_plugin=store_plugin,
            crypto_plugin=crypto_plugin,
            global_default=parsed_store.global_default))

    if not db_stores:
        # empty table: nothing to reconcile, persist every configured store
        for conf_store in conf_stores:
            secret_stores_repo.create_from(conf_store)
    else:
        def plugin_key(store):
            return (store.store_plugin, store.crypto_plugin)

        for conf_store in conf_stores:
            wanted = plugin_key(conf_store)
            existing = next((db_store for db_store in db_stores
                             if plugin_key(db_store) == wanted), None)
            if not existing:
                # configured pair has no row yet
                secret_stores_repo.create_from(conf_store)
                continue
            if existing.global_default != conf_store.global_default:
                existing.global_default = conf_store.global_default
                existing.save()  # persist the flag change
            # matched rows leave the list; leftovers are unconfigured
            db_stores.remove(existing)

        # whatever is left is no longer configured; it can only be dropped
        # while no project still has it as preferred store
        for stale_store in db_stores:
            in_use = proj_store_repo.get_count_by_secret_store(stale_store.id)
            if in_use == 0:
                secret_stores_repo.delete_entity_by_id(stale_store.id, None)
            else:
                raise exception.MultipleStorePluginStillInUse(stale_store.name)