def test_create_new_order_task(self): order = models.Order({ 'type': 'certificate', 'meta': { 'email': '*****@*****.**' }, 'sub_status': 'Pending', 'sub_status_message': 'Waiting for instructions...' }) at = datetime.datetime.utcnow() order_retry_task = models.OrderRetryTask( order_id=order.id, retry_task="foobar", retry_at=at, retry_args=json.dumps(["one", "two"]), retry_kwargs=json.dumps({"three": "four"}), ) self.assertEqual(order_retry_task.order_id, order.id) self.assertEqual(order_retry_task.retry_task, "foobar") self.assertEqual(order_retry_task.retry_at, at) self.assertEqual( order_retry_task.retry_args, json.dumps(["one", "two"]), ) self.assertEqual( order_retry_task.retry_kwargs, json.dumps({"three": "four"}), )
def __call__(self, target, creds, enforcer): """Check http: rules by calling to a remote server. This example implementation simply verifies that the response is exactly 'True'. """ url = ("http:" + self.match) % target data = {"target": jsonutils.dumps(target), "credentials": jsonutils.dumps(creds)} post_data = urlparse.urlencode(data) f = urlrequest.urlopen(url, post_data) return f.read() == "True"
def test_get_retry_params(self): order_retry_task = models.OrderRetryTask( retry_args=json.dumps(["one", "two"]), retry_kwargs=json.dumps({"three": "four"}), ) self.assertEqual( order_retry_task.get_retry_params(), (["one", "two"], { "three": "four" }), )
def __call__(self, target, creds, enforcer): """Check http: rules by calling to a remote server. This example implementation simply verifies that the response is exactly 'True'. """ url = ('http:' + self.match) % target data = {'target': jsonutils.dumps(target), 'credentials': jsonutils.dumps(creds)} post_data = urlparse.urlencode(data) f = urlrequest.urlopen(url, post_data) return f.read() == "True"
def _pack_json_msg(self, msg): """Qpid cannot serialize dicts containing strings longer than 65535 characters. This function dumps the message content to a JSON string, which Qpid is able to handle. :param msg: May be either a Qpid Message object or a bare dict. :returns: A Qpid Message with its content field JSON encoded. """ try: msg.content = jsonutils.dumps(msg.content) except AttributeError: # Need to have a Qpid message so we can set the content_type. msg = qpid_messaging.Message(jsonutils.dumps(msg)) msg.content_type = JSON_CONTENT_TYPE return msg
def encrypt(self, encrypt_dto, kek_meta_dto, project_id): session = self._create_working_session() key = self._unwrap_key(kek_meta_dto.plugin_meta, session) iv = self._generate_random(16, session) ck_mechanism = self._build_gcm_mech(iv) rv = self.lib.C_EncryptInit(session, ck_mechanism.mech, key) self._check_error(rv) # GCM does not require padding, but sometimes HSMs don't seem to # know that and then you need to pad things for no reason. pt_padded = self._pad(encrypt_dto.unencrypted) pt_len = len(pt_padded) # The GCM mechanism adds a 16 byte tag to the front of the # cyphertext (which is the same length as the (annoyingly) padded # plaintext) so adding 16 bytes guarantees sufficient space. ct_len = self.ffi.new("CK_ULONG *", pt_len + 16) ct = self.ffi.new("CK_BYTE[{0}]".format(pt_len + 16)) rv = self.lib.C_Encrypt(session, pt_padded, pt_len, ct, ct_len) self._check_error(rv) cyphertext = self.ffi.buffer(ct, ct_len[0])[:] kek_meta_extended = json.dumps({ 'iv': base64.b64encode(self.ffi.buffer(iv)[:]) }) self._close_session(session) return plugin.ResponseDTO(cyphertext, kek_meta_extended)
def __init__(self, session, node_name, node_opts=None): """Init the Publisher class with the exchange_name, routing_key, and other options """ self.sender = None self.session = session addr_opts = { "create": "always", "node": { "type": "topic", "x-declare": { "durable": False, # auto-delete isn't implemented for exchanges in qpid, # but put in here anyway "auto-delete": True, }, }, } if node_opts: addr_opts["node"]["x-declare"].update(node_opts) self.address = "%s ; %s" % (node_name, jsonutils.dumps(addr_opts)) self.reconnect(session)
def on_get(self, req, resp, keystone_id): LOG.debug('Start containers on_get ' 'for tenant-ID {0}:'.format(keystone_id)) result = self.container_repo.get_by_create_date( keystone_id, offset_arg=req.get_param('offset'), limit_arg=req.get_param('limit'), suppress_exception=True ) containers, offset, limit, total = result if not containers: resp_ctrs_overall = {'containers': [], 'total': total} else: resp_ctrs = [convert_to_hrefs(keystone_id, c.to_dict_fields()) for c in containers] resp_ctrs_overall = add_nav_hrefs('containers', keystone_id, offset, limit, total, {'containers': resp_ctrs}) resp_ctrs_overall.update({'total': total}) resp.status = falcon.HTTP_200 resp.body = json.dumps(resp_ctrs_overall, default=json_handler)
def on_post(self, req, resp, keystone_id): tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) data = api.load_body(req, resp, self.validator) LOG.debug('Start on_post...{0}'.format(data)) new_container = models.Container(data) new_container.tenant_id = tenant.id #TODO: (hgedikli) performance optimizations for secret_ref in new_container.container_secrets: secret = self.secret_repo.get(entity_id=secret_ref.secret_id, keystone_id=keystone_id, suppress_exception=True) if not secret: api.abort(falcon.HTTP_404, u._("Secret provided for '%s'" " doesn't exist." % secret_ref.name), req, resp) self.container_repo.create_from(new_container) resp.status = falcon.HTTP_202 resp.set_header('Location', '/{0}/containers/{1}'.format(keystone_id, new_container.id)) url = convert_container_to_href(keystone_id, new_container.id) resp.body = json.dumps({'container_ref': url})
def on_get(self, req, resp, keystone_id, secret_id): secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id, suppress_exception=True) if not secret: _secret_not_found(req, resp) resp.status = falcon.HTTP_200 if is_json_request_accept(req): # Metadata-only response, no decryption necessary. resp.set_header('Content-Type', 'application/json') secret_fields = mime_types.augment_fields_with_content_types( secret) resp.body = json.dumps(convert_to_hrefs(keystone_id, secret_fields), default=json_handler) else: tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) resp.set_header('Content-Type', req.accept) resp.body = self.crypto_manager \ .decrypt(req.accept, secret, tenant)
def serialize_remote_exception(failure_info, log_failure=True): """Prepares exception data to be sent over rpc. Failure_info should be a sys.exc_info() tuple. """ tb = traceback.format_exception(*failure_info) failure = failure_info[1] if log_failure: LOG.error(_("Returning exception %s to caller"), unicode(failure)) LOG.error(tb) kwargs = {} if hasattr(failure, 'kwargs'): kwargs = failure.kwargs data = { 'class': str(failure.__class__.__name__), 'module': str(failure.__class__.__module__), 'message': unicode(failure), 'tb': tb, 'args': failure.args, 'kwargs': kwargs } json_data = jsonutils.dumps(data) return json_data
def encode(self, version, target, json_msg): """This is the main encoding function. It takes a target and a message and returns a tuple consisting of a JSON serialized metadata object, a JSON serialized (and optionally encrypted) message, and a signature. :param version: the current envelope version :param target: The name of the target service (usually with hostname) :param json_msg: a serialized json message object """ ticket = self._get_ticket(target) metadata = jsonutils.dumps({'source': self._name, 'destination': target, 'timestamp': time.time(), 'nonce': _get_nonce(), 'esek': ticket.esek, 'encryption': self._encrypt}) message = json_msg if self._encrypt: message = self._crypto.encrypt(ticket.ekey, message) signature = self._crypto.sign(ticket.skey, version + metadata + message) return (metadata, message, signature)
def encrypt(self, encrypt_dto, kek_meta_dto, project_id): key = self._unwrap_key(kek_meta_dto.plugin_meta) iv = self._generate_random(16) mech = self._build_gcm_mech(iv) with self.enc_sem: rv = self.lib.C_EncryptInit(self.session, mech, key) self._check_error(rv) # GCM does not require padding, but sometimes HSMs don't seem to # know that and then you need to pad things for no reason. pt_padded = self._pad(encrypt_dto.unencrypted) pt_len = len(pt_padded) # The GCM mechanism adds a 16 byte tag to the front of the # cyphertext (which is the same length as the (annoyingly) padded # plaintext) so adding 16 bytes guarantees sufficient space. ct_len = self.ffi.new("CK_ULONG *", pt_len + 16) ct = self.ffi.new("CK_BYTE[{0}]".format(pt_len + 16)) rv = self.lib.C_Encrypt(self.session, pt_padded, pt_len, ct, ct_len) self._check_error(rv) cyphertext = self.ffi.buffer(ct, ct_len[0])[:] kek_meta_extended = json.dumps( {'iv': base64.b64encode(self.ffi.buffer(iv)[:])}) return plugin.ResponseDTO(cyphertext, kek_meta_extended)
def on_post(self, req, resp, keystone_id): tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) body = api.load_body(req, resp, self.validator) LOG.debug('Start on_post...{0}'.format(body)) if 'secret' not in body: _secret_not_in_order(req, resp) secret_info = body['secret'] name = secret_info['name'] LOG.debug('Secret to create is {0}'.format(name)) new_order = models.Order() new_order.secret_name = secret_info['name'] new_order.secret_algorithm = secret_info.get('algorithm', None) new_order.secret_bit_length = secret_info.get('bit_length', None) new_order.secret_cypher_type = secret_info.get('cypher_type', None) new_order.secret_mime_type = secret_info['mime_type'] new_order.secret_expiration = secret_info.get('expiration', None) new_order.tenant_id = tenant.id self.order_repo.create_from(new_order) # Send to workers to process. self.queue.process_order(order_id=new_order.id, keystone_id=keystone_id) resp.status = falcon.HTTP_202 resp.set_header('Location', '/{0}/orders/{1}'.format(keystone_id, new_order.id)) url = convert_order_to_href(keystone_id, new_order.id) resp.body = json.dumps({'order_ref': url})
def on_get(self, req, resp, keystone_id, secret_id): secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id, suppress_exception=True) if not secret: _secret_not_found(req, resp) resp.status = falcon.HTTP_200 if not req.accept or req.accept == 'application/json' \ or req.accept == '*/*': # Metadata-only response, no decryption necessary. resp.set_header('Content-Type', 'application/json') secret_fields = augment_fields_with_content_types(secret) resp.body = json.dumps(convert_to_hrefs(keystone_id, secret_fields), default=json_handler) else: tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) resp.set_header('Content-Type', req.accept) try: resp.body = self.crypto_manager.decrypt( req.accept, secret, tenant) except em.CryptoAcceptNotSupportedException as canse: LOG.exception('Secret decryption failed - ' 'accept not supported') _get_accept_not_supported(canse.accept, req, resp) except em.CryptoNoSecretOrDataException as cnsode: LOG.exception('Secret information of type {0} not ' 'found for decryption.'.format(cnsode.mime_type)) _get_secret_info_not_found(cnsode.mime_type, req, resp) except Exception as e: LOG.exception('Secret decryption failed - unknown') _failed_to_decrypt_data(req, resp)
def on_get(self, req, resp, keystone_id): LOG.debug('Start secrets on_get ' 'for tenant-ID {0}:'.format(keystone_id)) params = req._params result = self.secret_repo \ .get_by_create_date(keystone_id, offset_arg=params.get('offset', None), limit_arg=params.get('limit', None), suppress_exception=True) secrets, offset, limit = result if not secrets: secrets_resp_overall = {'secrets': []} else: secret_fields = lambda s: augment_fields_with_content_types(s) secrets_resp = [ convert_to_hrefs(keystone_id, secret_fields(s)) for s in secrets ] secrets_resp_overall = add_nav_hrefs('secrets', keystone_id, offset, limit, len(secrets), {'secrets': secrets_resp}) resp.status = falcon.HTTP_200 resp.body = json.dumps(secrets_resp_overall, default=json_handler)
def on_post(self, req, resp, keystone_id): LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id)) data = api.load_body(req, resp, self.validator) tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) try: new_secret = res.create_secret(data, tenant, self.crypto_manager, self.secret_repo, self.tenant_secret_repo, self.datum_repo) except em.CryptoMimeTypeNotSupportedException as cmtnse: LOG.exception('Secret creation failed - mime-type not supported') _secret_mime_type_not_supported(cmtnse.mime_type, req, resp) except exception.NoDataToProcess: LOG.exception('No secret data to process') _secret_plain_text_empty(req, resp) except exception.LimitExceeded: LOG.exception('Secret data too big to process') _secret_data_too_large(req, resp) except Exception as e: LOG.exception('Secret creation failed - unknown') _general_failure('Secret creation failed - unknown', req, resp) resp.status = falcon.HTTP_201 resp.set_header('Location', '/{0}/secrets/{1}'.format(keystone_id, new_secret.id)) url = convert_secret_to_href(keystone_id, new_secret.id) LOG.debug('URI to secret is {0}'.format(url)) resp.body = json.dumps({'secret_ref': url})
def on_get(self, req, resp, keystone_id): LOG.debug('Start orders on_get ' 'for tenant-ID {0}:'.format(keystone_id)) params = req._params result = self.order_repo \ .get_by_create_date(keystone_id, offset_arg=params.get('offset', None), limit_arg=params.get('limit', None), suppress_exception=True) orders, offset, limit = result if not orders: orders_resp_overall = {'orders': []} else: orders_resp = [ convert_to_hrefs(keystone_id, o.to_dict_fields()) for o in orders ] orders_resp_overall = add_nav_hrefs('orders', keystone_id, offset, limit, len(orders), {'orders': orders_resp}) resp.status = falcon.HTTP_200 resp.body = json.dumps(orders_resp_overall, default=json_handler)
def on_get(self, req, resp, keystone_id): LOG.debug('Start verifications on_get ' 'for tenant-ID {0}:'.format(keystone_id)) result = self.verification_repo.get_by_create_date( keystone_id, offset_arg=req.get_param('offset'), limit_arg=req.get_param('limit'), suppress_exception=True ) verifications, offset, limit, total = result if not verifications: resp_overall = {'verifications': [], 'total': total} else: resp = [convert_to_hrefs(keystone_id, v.to_dict_fields()) for v in verifications] resp_overall = add_nav_hrefs('verifications', keystone_id, offset, limit, total, {'verifications': resp}) resp_overall.update({'total': total}) resp.status = falcon.HTTP_200 resp.body = json.dumps(resp_overall, default=json_handler)
def on_get(self, req, resp, tenant_id, order_id): #TODO: Use a falcon exception here order = self.repo.get(entity_id=order_id) resp.status = falcon.HTTP_200 resp.body = json.dumps(convert_to_hrefs(order.tenant_id, order.to_dict_fields()), default=json_handler)
def format(self, record): message = {'message': record.getMessage(), 'asctime': self.formatTime(record, self.datefmt), 'name': record.name, 'msg': record.msg, 'args': record.args, 'levelname': record.levelname, 'levelno': record.levelno, 'pathname': record.pathname, 'filename': record.filename, 'module': record.module, 'lineno': record.lineno, 'funcname': record.funcName, 'created': record.created, 'msecs': record.msecs, 'relative_created': record.relativeCreated, 'thread': record.thread, 'thread_name': record.threadName, 'process_name': record.processName, 'process': record.process, 'traceback': None} if hasattr(record, 'extra'): message['extra'] = record.extra if record.exc_info: message['traceback'] = self.formatException(record.exc_info) return jsonutils.dumps(message)
def on_get(self, req, resp, keystone_id, secret_id): secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id, suppress_exception=True) if not secret: _secret_not_found(req, resp) resp.status = falcon.HTTP_200 if not req.accept or req.accept == 'application/json' \ or req.accept == '*/*': # Metadata-only response, no decryption necessary. resp.set_header('Content-Type', 'application/json') secret_fields = augment_fields_with_content_types(secret) resp.body = json.dumps(convert_to_hrefs(keystone_id, secret_fields), default=json_handler) else: tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) resp.set_header('Content-Type', req.accept) try: resp.body = self.crypto_manager.decrypt(req.accept, secret, tenant) except em.CryptoAcceptNotSupportedException as canse: LOG.exception('Secret decryption failed - ' 'accept not supported') _get_accept_not_supported(canse.accept, req, resp) except em.CryptoNoSecretOrDataException as cnsode: LOG.exception('Secret information of type {0} not ' 'found for decryption.'.format(cnsode.mime_type)) _get_secret_info_not_found(cnsode.mime_type, req, resp) except Exception as e: LOG.exception('Secret decryption failed - unknown') _failed_to_decrypt_data(req, resp)
def format(self, record): message = { "message": record.getMessage(), "asctime": self.formatTime(record, self.datefmt), "name": record.name, "msg": record.msg, "args": record.args, "levelname": record.levelname, "levelno": record.levelno, "pathname": record.pathname, "filename": record.filename, "module": record.module, "lineno": record.lineno, "funcname": record.funcName, "created": record.created, "msecs": record.msecs, "relative_created": record.relativeCreated, "thread": record.thread, "thread_name": record.threadName, "process_name": record.processName, "process": record.process, "traceback": None, } if hasattr(record, "extra"): message["extra"] = record.extra if record.exc_info: message["traceback"] = self.formatException(record.exc_info) return jsonutils.dumps(message)
def on_post(self, req, resp, keystone_id): tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) body = api.load_body(req, resp, self.validator) LOG.debug('Start on_post...{0}'.format(body)) if 'secret' not in body: _secret_not_in_order(req, resp) secret_info = body['secret'] name = secret_info.get('name') LOG.debug('Secret to create is {0}'.format(name)) new_order = models.Order() new_order.secret_name = secret_info.get('name') new_order.secret_algorithm = secret_info.get('algorithm') new_order.secret_bit_length = secret_info.get('bit_length', 0) new_order.secret_mode = secret_info.get('mode') new_order.secret_payload_content_type = secret_info.get( 'payload_content_type') new_order.secret_expiration = secret_info.get('expiration') new_order.tenant_id = tenant.id self.order_repo.create_from(new_order) # Send to workers to process. self.queue.process_order(order_id=new_order.id, keystone_id=keystone_id) resp.status = falcon.HTTP_202 resp.set_header('Location', '/{0}/orders/{1}'.format(keystone_id, new_order.id)) url = convert_order_to_href(keystone_id, new_order.id) resp.body = json.dumps({'order_ref': url})
def get_ticket(self, source, target, crypto, key): # prepare metadata md = {'requestor': source, 'target': target, 'timestamp': time.time(), 'nonce': struct.unpack('Q', os.urandom(8))[0]} metadata = base64.b64encode(jsonutils.dumps(md)) # sign metadata signature = crypto.sign(key, metadata) # HTTP request reply = self._get_ticket({'metadata': metadata, 'signature': signature}) # verify reply signature = crypto.sign(key, (reply['metadata'] + reply['ticket'])) if signature != reply['signature']: raise InvalidEncryptedTicket(md['source'], md['destination']) md = jsonutils.loads(base64.b64decode(reply['metadata'])) if ((md['source'] != source or md['destination'] != target or md['expiration'] < time.time())): raise InvalidEncryptedTicket(md['source'], md['destination']) # return ticket data tkt = jsonutils.loads(crypto.decrypt(key, reply['ticket'])) return tkt, md['expiration']
def on_get(self, req, resp, keystone_id): LOG.debug('Start orders on_get ' 'for tenant-ID {0}:'.format(keystone_id)) params = req._params result = self.order_repo \ .get_by_create_date(keystone_id, offset_arg=params.get('offset'), limit_arg=params.get('limit'), suppress_exception=True) orders, offset, limit, total = result if not orders: orders_resp_overall = {'orders': [], 'total': total} else: orders_resp = [convert_to_hrefs(keystone_id, o.to_dict_fields()) for o in orders] orders_resp_overall = add_nav_hrefs('orders', keystone_id, offset, limit, total, {'orders': orders_resp}) orders_resp_overall.update({'total': total}) resp.status = falcon.HTTP_200 resp.body = json.dumps(orders_resp_overall, default=json_handler)
def serialize_msg(raw_msg): # NOTE(russellb) See the docstring for _RPC_ENVELOPE_VERSION for more # information about this format. msg = {_VERSION_KEY: _RPC_ENVELOPE_VERSION, _MESSAGE_KEY: jsonutils.dumps(raw_msg)} return msg
def on_get(self, req, resp, keystone_id): LOG.debug('Start secrets on_get ' 'for tenant-ID {0}:'.format(keystone_id)) result = self.secret_repo.get_by_create_date( keystone_id, offset_arg=req.get_param('offset'), limit_arg=req.get_param('limit'), suppress_exception=True ) secrets, offset, limit, total = result if not secrets: secrets_resp_overall = {'secrets': [], 'total': total} else: secret_fields = lambda s: mime_types\ .augment_fields_with_content_types(s) secrets_resp = [convert_to_hrefs(keystone_id, secret_fields(s)) for s in secrets] secrets_resp_overall = add_nav_hrefs('secrets', keystone_id, offset, limit, total, {'secrets': secrets_resp}) secrets_resp_overall.update({'total': total}) resp.status = falcon.HTTP_200 resp.body = json.dumps(secrets_resp_overall, default=json_handler)
def format(self, record): message = { 'message': record.getMessage(), 'asctime': self.formatTime(record, self.datefmt), 'name': record.name, 'msg': record.msg, 'args': record.args, 'levelname': record.levelname, 'levelno': record.levelno, 'pathname': record.pathname, 'filename': record.filename, 'module': record.module, 'lineno': record.lineno, 'funcname': record.funcName, 'created': record.created, 'msecs': record.msecs, 'relative_created': record.relativeCreated, 'thread': record.thread, 'thread_name': record.threadName, 'process_name': record.processName, 'process': record.process, 'traceback': None } if hasattr(record, 'extra'): message['extra'] = record.extra if record.exc_info: message['traceback'] = self.formatException(record.exc_info) return jsonutils.dumps(message)
def on_error(self, state, exc): if isinstance(exc, webob_exc.HTTPError): exc.body = json.dumps({ 'code': exc.status_int, 'title': exc.title, 'description': exc.detail }) state.response.content_type = "application/json" return exc.body
def on_error(self, state, exc): if isinstance(exc, webob.exc.HTTPError): exc.body = jsonutils.dumps({ 'code': exc.status_int, 'title': exc.title, 'description': exc.detail }) state.response.content_type = "application/json" return exc.body
def serialize_msg(raw_msg): # NOTE(russellb) See the docstring for _RPC_ENVELOPE_VERSION for more # information about this format. msg = { _VERSION_KEY: _RPC_ENVELOPE_VERSION, _MESSAGE_KEY: jsonutils.dumps(raw_msg) } return msg
def notify(_context, message): """Notifies the recipient of the desired event given the model. Log notifications using openstack's default logging system""" priority = message.get('priority', CONF.default_notification_level) priority = priority.lower() logger = logging.getLogger('barbican.openstack.common.notification.%s' % message['event_type']) getattr(logger, priority)(jsonutils.dumps(message))
def on_get(self, req, resp, keystone_id, order_id): order = self.repo.get(entity_id=order_id, keystone_id=keystone_id, suppress_exception=True) if not order: _order_not_found(req, resp) resp.status = falcon.HTTP_200 resp.body = json.dumps(convert_to_hrefs(keystone_id, order.to_dict_fields()), default=json_handler)
def _serialize(data): """ Serialization wrapper We prefer using JSON, but it cannot encode all types. Error if a developer passes us bad data. """ try: return jsonutils.dumps(data, ensure_ascii=True) except TypeError: with excutils.save_and_reraise_exception(): LOG.error(_("JSON serialization failed."))
def on_get(self, req, resp, keystone_id, verification_id): verif = self.repo.get(entity_id=verification_id, keystone_id=keystone_id, suppress_exception=True) if not verif: _verification_not_found(req, resp) resp.status = falcon.HTTP_200 resp.body = json.dumps(convert_to_hrefs(keystone_id, verif.to_dict_fields()), default=json_handler)
def notify(_context, message): """Notifies the recipient of the desired event given the model. Log notifications using openstack's default logging system""" priority = message.get('priority', CONF.default_notification_level) priority = priority.lower() logger = logging.getLogger( 'barbican.openstack.common.notification.%s' % message['event_type']) getattr(logger, priority)(jsonutils.dumps(message))
def bind_kek_metadata(self, kek_meta_dto): # Enforce idempotency: If we've already generated a key leave now. if not kek_meta_dto.plugin_meta: kek_length = 32 kek_meta_dto.plugin_meta = json.dumps( self._generate_wrapped_kek(kek_meta_dto.kek_label, kek_length)) # To be persisted by Barbican: kek_meta_dto.algorithm = 'AES' kek_meta_dto.bit_length = kek_length * 8 kek_meta_dto.mode = 'CBC' return kek_meta_dto
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id): key = self._get_key_by_label(kek_meta_dto.kek_label) iv = self._generate_iv() gcm = self._build_gcm_params(iv) mech = PyKCS11.Mechanism(self.algorithm, gcm) encrypted = self.session.encrypt(key, encrypt_dto.unencrypted, mech) cyphertext = b''.join(chr(i) for i in encrypted) kek_meta_extended = json.dumps({ 'iv': base64.b64encode(iv) }) return plugin.ResponseDTO(cyphertext, kek_meta_extended)
def __str__(self): """Dumps a string representation of the rules.""" # Start by building the canonical strings for the rules out_rules = {} for key, value in self.items(): # Use empty string for singleton TrueCheck instances if isinstance(value, TrueCheck): out_rules[key] = '' else: out_rules[key] = str(value) # Dump a pretty-printed JSON representation return jsonutils.dumps(out_rules, indent=4)
def bind_kek_metadata(self, kek_meta_dto): # Enforce idempotency: If we've already generated a key leave now. if not kek_meta_dto.plugin_meta: kek_meta_dto.plugin_meta = json.dumps( self._generate_wrapped_kek( kek_meta_dto.kek_label, 32 ) ) # To be persisted by Barbican: kek_meta_dto.algorithm = 'AES' kek_meta_dto.bit_length = 32 * 8 kek_meta_dto.mode = 'CBC' return kek_meta_dto
def on_post(self, req, resp, tenant_id): # Retrieve Tenant, or else create new Tenant # if this is a request from a new tenant. tenant = self.tenant_repo.get(tenant_id, suppress_exception=True) if not tenant: tenant = Tenant() tenant.keystone_id = tenant_id tenant.status = States.ACTIVE self.tenant_repo.create_from(tenant) body = load_body(req) LOG.debug('Start on_post...{0}'.format(body)) if 'secret' not in body: _secret_not_in_order() secret_info = body['secret'] name = secret_info['name'] LOG.debug('Secret to create is {0}'.format(name)) # TODO: What criteria to restrict multiple concurrent Order # requests per tenant? # order = self.order_repo.find_by_name(name=secret_name, # suppress_exception=True) # if order: # abort(falcon.HTTP_400, 'Order with username {0} ' # 'already exists'.format(username)) # TODO: Encrypt fields as needed new_order = Order() new_order.secret_name = secret_info['name'] new_order.secret_algorithm = secret_info.get('algorithm', None) new_order.secret_bit_length = secret_info.get('bit_length', None) new_order.secret_cypher_type = secret_info.get('cypher_type', None) new_order.secret_mime_type = secret_info['mime_type'] new_order.secret_expiration = secret_info.get('expiration', None) new_order.tenant_id = tenant.id self.order_repo.create_from(new_order) # Send to workers to process. self.queue.process_order(order_id=new_order.id) resp.status = falcon.HTTP_202 resp.set_header('Location', '/{0}/orders/{1}'.format(tenant_id, new_order.id)) url = convert_order_to_href(tenant_id, new_order.id) resp.body = json.dumps({'order_ref': url})
def encrypt(self, unencrypted, tenant): if not isinstance(unencrypted, str): raise ValueError('Unencrypted data must be a byte type, ' 'but was {0}'.format(type(unencrypted))) padded_data = self._pad(unencrypted) iv = Random.get_random_bytes(self.block_size) encryptor = AES.new(self.kek, AES.MODE_CBC, iv) cyphertext = iv + encryptor.encrypt(padded_data) kek_metadata = json.dumps({ 'plugin': 'SimpleCryptoPlugin', 'encryption': 'aes-128-cbc', 'kek': 'kek_id' }) return cyphertext, kek_metadata
def on_get(self, req, resp, tenant_id, secret_id): secret = self.repo.get(entity_id=secret_id, suppress_exception=True) if not secret: _secret_not_found() resp.status = falcon.HTTP_200 if not req.accept or req.accept == 'application/json': # Metadata-only response, no decryption necessary. resp.set_header('Content-Type', 'application/json') resp.body = json.dumps(augment_fields_with_content_types(secret), default=json_handler) else: resp.set_header('Content-Type', req.accept) resp.body = generate_response_for(req.accept, secret)
def _do_get(self, url, request): req_kwargs = dict() req_kwargs['headers'] = dict() req_kwargs['headers']['User-Agent'] = self.USER_AGENT req_kwargs['headers']['Content-Type'] = 'application/json' req_kwargs['data'] = jsonutils.dumps({'request': request}) if self.timeout is not None: req_kwargs['timeout'] = self.timeout try: resp = requests.get(url, **req_kwargs) except requests.ConnectionError as e: err = "Unable to establish connection. %s" % e raise CommunicationError(url, err) return resp
def on_post(self, req, resp, keystone_id): LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id)) data = api.load_body(req, resp, self.validator) tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) new_secret = res.create_secret(data, tenant, self.crypto_manager, self.secret_repo, self.tenant_secret_repo, self.datum_repo, self.kek_repo) resp.status = falcon.HTTP_201 resp.set_header('Location', '/{0}/secrets/{1}'.format(keystone_id, new_secret.id)) url = convert_secret_to_href(keystone_id, new_secret.id) LOG.debug('URI to secret is {0}'.format(url)) resp.body = json.dumps({'secret_ref': url})
def on_get(self, req, resp, keystone_id, container_id): container = self.container_repo.get(entity_id=container_id, keystone_id=keystone_id, suppress_exception=True) if not container: _container_not_found(req, resp) resp.status = falcon.HTTP_200 dict_fields = container.to_dict_fields() for secret_ref in dict_fields['secret_refs']: convert_to_hrefs(keystone_id, secret_ref) resp.body = json.dumps( convert_to_hrefs(keystone_id, convert_to_hrefs(keystone_id, dict_fields)), default=json_handler)
def __init__(self, session, callback, node_name, node_opts, link_name, link_opts): """Declare a queue on an amqp session. 'session' is the amqp session to use 'callback' is the callback to call when messages are received 'node_name' is the first part of the Qpid address string, before ';' 'node_opts' will be applied to the "x-declare" section of "node" in the address string. 'link_name' goes into the "name" field of the "link" in the address string 'link_opts' will be applied to the "x-declare" section of "link" in the address string. """ self.callback = callback self.receiver = None self.session = None addr_opts = { "create": "always", "node": { "type": "topic", "x-declare": { "durable": True, "auto-delete": True, }, }, "link": { "name": link_name, "durable": True, "x-declare": { "durable": False, "auto-delete": True, "exclusive": False, }, }, } addr_opts["node"]["x-declare"].update(node_opts) addr_opts["link"]["x-declare"].update(link_opts) self.address = "%s ; %s" % (node_name, jsonutils.dumps(addr_opts)) self.reconnect(session)
def on_post(self, req, resp, keystone_id): LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id)) data = api.load_body(req, resp, self.validator) tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo) new_verification = models.Verification(data) new_verification.tenant_id = tenant.id self.verification_repo.create_from(new_verification) # Send to workers to process. self.queue.process_verification(verification_id=new_verification.id, keystone_id=keystone_id) resp.status = falcon.HTTP_202 resp.set_header('Location', '/{0}/verifications/{1}'.format(keystone_id, new_verification.id)) url = convert_verification_to_href(keystone_id, new_verification.id) LOG.debug('URI to verification is {0}'.format(url)) resp.body = json.dumps({'verification_ref': url})
def on_get(self, req, resp, keystone_id): LOG.debug('Start secrets on_get ' 'for tenant-ID {0}:'.format(keystone_id)) name = req.get_param('name') if name: name = urllib.unquote_plus(name) result = self.secret_repo.get_by_create_date( keystone_id, offset_arg=req.get_param('offset'), limit_arg=req.get_param('limit'), name=name, alg=req.get_param('alg'), mode=req.get_param('mode'), bits=req.get_param('bits'), suppress_exception=True ) secrets, offset, limit, total = result if not secrets: secrets_resp_overall = {'secrets': [], 'total': total} else: secret_fields = lambda s: mime_types\ .augment_fields_with_content_types(s) secrets_resp = [convert_to_hrefs(keystone_id, secret_fields(s)) for s in secrets] secrets_resp_overall = add_nav_hrefs('secrets', keystone_id, offset, limit, total, {'secrets': secrets_resp}) secrets_resp_overall.update({'total': total}) resp.status = falcon.HTTP_200 resp.body = json.dumps(secrets_resp_overall, default=json_handler)