コード例 #1
def check_certificate_request(order_model, project_model, result_follow_on):
    """Poll the CA plugin for the status of an already-issued cert request.

    Safe to invoke repeatedly: the plugin chosen when the request was issued
    is looked up by name from the Barbican metadata stored on the order, so
    a retry talks to the same plugin as the original request.

    :param: order_model - order associated with this cert request
    :param: project_model - project associated with this request
    :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
        instantiated by the client that this function may optionally update
        with information on how to process this task into the future.
    :returns: container_model - container with the relevant cert if the
        request has been completed.  None otherwise.
    """
    plugin_state = _get_plugin_meta(order_model)
    stored_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) See note above about DTO's name.
    plugin_dto = cert.BarbicanMetaDTO()

    # Resolve the plugin recorded on the order at issue time.
    manager = cert.CertificatePluginManager()
    plugin = manager.get_plugin_by_name(stored_meta.get('plugin_name'))

    status_result = plugin.check_certificate_status(
        order_model.id, order_model.meta, plugin_state, plugin_dto)

    # Persist whatever state the plugin wants kept between polls.
    _save_plugin_metadata(order_model, plugin_state)

    return _handle_task_result(
        status_result, result_follow_on, order_model, project_model,
        order_model.meta.get(cert.REQUEST_TYPE),
        unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_CHECK)
コード例 #2
def issue_certificate_request(order_model, project_model, result_follow_on):
    """Submit the order to the CA through the selected certificate plugin.

    Safe to invoke repeatedly: the selected plugin name and any generated
    CSR are written back to the order's Barbican metadata so that a retry
    can reuse them rather than generating a CSR a second time.

    :param: order_model - order associated with this cert request
    :param: project_model - project associated with this request
    :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
        instantiated by the client that this function may optionally update
        with information on how to process this task into the future.
    :returns: container_model - container with the relevant cert if
        the request has been completed.  None otherwise
    """
    plugin_state = _get_plugin_meta(order_model)
    stored_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order
    # and not shown to plugins) with barbican_meta_dto (shared with plugins).
    # As a minimum we should change the name of the DTO to something like
    # 'extended_meta_dto' or some such.
    plugin_dto = cert.BarbicanMetaDTO()

    # Mostly a no-op; only refreshes CA entries whose cache has expired.
    cert.CertificatePluginManager().refresh_ca_table()

    plugin = _get_cert_plugin(stored_meta, plugin_dto, order_model,
                              project_model)
    stored_meta['plugin_name'] = utils.generate_fullname_for(plugin)

    # Stored-key requests need a CSR; reuse one from an earlier attempt if
    # the order already carries it.
    request_type = order_model.meta.get(cert.REQUEST_TYPE)
    if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
        csr = stored_meta.get('generated_csr')
        if csr is None:
            # TODO(alee) Fix this to be a non-project specific call once
            # the ACL patches go in.
            csr = _generate_csr_from_private_key(order_model, project_model)
            stored_meta['generated_csr'] = csr
        plugin_dto.generated_csr = csr

    outcome = plugin.issue_certificate_request(
        order_model.id, order_model.meta, plugin_state, plugin_dto)

    # Persist both metadata sets so a retry picks up where this left off.
    _save_plugin_metadata(order_model, plugin_state)
    _save_barbican_metadata(order_model, stored_meta)

    return _handle_task_result(
        outcome,
        result_follow_on,
        order_model,
        project_model,
        request_type,
        unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE)
コード例 #3
 def setUp(self):
     """Build a snakeoil CA plugin whose files live under the test tmp dir."""
     super(SnakeoilCAPluginTestCase, self).setUp()
     base_dir = self.tmp_dir
     # NOTE(review): cert and key are both pointed at 'ca.pem' — confirm the
     # plugin is meant to keep both in a single PEM file.
     self.ca_cert_path = os.path.join(base_dir, 'ca.pem')
     self.ca_key_path = os.path.join(base_dir, 'ca.pem')
     self.db_dir = base_dir
     self.plugin = snakeoil_ca.SnakeoilCACertificatePlugin(self.conf)
     self.order_id = mock.MagicMock()
     self.barbican_meta_dto = cm.BarbicanMetaDTO()
コード例 #4
def check_certificate_request(order_model, project_model, result_follow_on):
    """Poll the CA plugin for the status of an already-issued cert request.

    Safe to invoke repeatedly: the plugin chosen when the request was issued
    is looked up by name from the Barbican metadata stored on the order, so
    a retry talks to the same plugin as the original request.

    :param: order_model - order associated with this cert request
    :param: project_model - project associated with this request
    :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
        instantiated by the client that this function may optionally update
        with information on how to process this task into the future.
    :returns: container_model - container with the relevant cert if the
        request has been completed.  None otherwise.
    :raises: CertificateStatusClientDataIssue, CertificateStatusInvalidOperation
        or CertificateStatusNotSupported depending on the plugin's status.
    """
    plugin_state = _get_plugin_meta(order_model)
    stored_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) See note above about DTO's name.
    plugin_dto = cert.BarbicanMetaDTO()

    plugin = cert.CertificatePluginManager().get_plugin_by_name(
        stored_meta.get('plugin_name'))
    outcome = plugin.check_certificate_status(
        order_model.id, order_model.meta, plugin_state, plugin_dto)

    # Persist whatever state the plugin wants kept between polls.
    _save_plugin_metadata(order_model, plugin_state)

    statuses = cert.CertificateStatus
    if outcome.status == statuses.WAITING_FOR_CA:
        # CA still working: schedule another status check.
        _update_result_follow_on(
            result_follow_on,
            order_status=ORDER_STATUS_REQUEST_PENDING,
            retry_task=common.RetryTasks.INVOKE_CERT_STATUS_CHECK_TASK,
            retry_msec=outcome.retry_msec)
        return None
    if outcome.status == statuses.CERTIFICATE_GENERATED:
        _update_result_follow_on(result_follow_on,
                                 order_status=ORDER_STATUS_CERT_GENERATED)
        return _save_secrets(outcome, project_model)
    if outcome.status == statuses.CLIENT_DATA_ISSUE_SEEN:
        raise cert.CertificateStatusClientDataIssue(outcome.status_message)
    if outcome.status == statuses.CA_UNAVAILABLE_FOR_REQUEST:
        # Re-run this same task later and let operators know the CA is down.
        _update_result_follow_on(
            result_follow_on,
            order_status=ORDER_STATUS_CA_UNAVAIL_FOR_CHECK,
            retry_task=common.RetryTasks.INVOKE_SAME_TASK,
            retry_msec=cert.ERROR_RETRY_MSEC)
        _notify_ca_unavailable(order_model, outcome)
        return None
    if outcome.status == statuses.INVALID_OPERATION:
        raise cert.CertificateStatusInvalidOperation(outcome.status_message)
    raise cert.CertificateStatusNotSupported(outcome.status)
コード例 #5
    def setUp(self):
        """Point the snakeoil CA plugin at files under the test tmp dir."""
        super(SnakeoilCAPluginTestCase, self).setUp()
        base_dir = self.tmp_dir
        join = os.path.join
        self.ca_cert_path = join(base_dir, 'ca.cert')
        self.ca_key_path = join(base_dir, 'ca.key')
        self.ca_chain_path = join(base_dir, 'ca.chain')
        self.ca_pkcs7_path = join(base_dir, 'ca.pkcs7')
        self.db_dir = base_dir

        # Sub-CA certs/keys get their own directory beneath the tmp dir; the
        # attribute is re-read from conf so it reflects what the plugin sees.
        self.conf.snakeoil_ca_plugin.subca_cert_key_directory = join(
            base_dir, 'subca_cert_key_dir')
        self.subca_cert_key_directory = (
            self.conf.snakeoil_ca_plugin.subca_cert_key_directory)

        self.plugin = snakeoil_ca.SnakeoilCACertificatePlugin(self.conf)
        self.order_id = mock.MagicMock()
        self.barbican_meta_dto = cm.BarbicanMetaDTO()
コード例 #6
    def setUp(self):
        """Prepare a Symantec plugin whose order-creation helper is mocked."""
        super(WhenTestingSymantecPlugin, self).setUp()
        self.order_meta = {
            'cert_type': 'ssl123',
            'organization': 'Shinra Corp',
            'phone': '555-555-5555',
            'so many things...': 'more...',
        }

        self.error_msg = 'Error Message Here'
        self.symantec = sym.SymantecCertificatePlugin()
        self.barbican_plugin_dto = cm.BarbicanMetaDTO()

        # Replace the module-level _ca_create_order helper with a mock so
        # each test can dictate its outcome.
        patch_target = 'barbican.plugin.symantec._ca_create_order'
        self.symantec_patcher = mock.patch(patch_target)
        self.mock_create_order = self.symantec_patcher.start()
コード例 #7
    def setUp(self):
        """Wire a Dogtag CA plugin to a mocked cert client and canned objects."""
        super(WhenTestingDogtagCAPlugin, self).setUp()
        self.certclient_mock = mock.MagicMock(name="CertClient mock")
        self.patcher = mock.patch('pki.crypto.NSSCryptoProvider')
        self.patcher.start()

        # create nss db for test only
        # NOTE(review): nothing here removes nss_dir or stops the patcher;
        # confirm tearDown takes care of both.
        self.nss_dir = tempfile.mkdtemp()

        self.cfg_mock = mock.MagicMock(name='config mock')
        self.cfg_mock.dogtag_plugin = mock.MagicMock(nss_db_path=self.nss_dir)
        self.plugin = dogtag_import.DogtagCAPlugin(self.cfg_mock)
        self.plugin.certclient = self.certclient_mock
        self.order_id = mock.MagicMock()
        self.profile_id = mock.MagicMock()

        # Mocks shared by the canned objects below (cert_id is reused by
        # both the original and the modified request).
        self.request_id_mock = mock.MagicMock()
        self.cert_id_mock = mock.MagicMock()
        self.cert_encoded_mock = mock.MagicMock()
        self.cert_pkcs7_mock = mock.MagicMock()
        self.modified_request_id_mock = mock.MagicMock()
        completed = dogtag_cert.CertRequestStatus.COMPLETE

        # request generated
        self.request = mock.MagicMock(
            request_id=self.request_id_mock,
            request_status=completed,
            cert_id=self.cert_id_mock)

        # cert generated
        self.cert = mock.MagicMock(
            encoded=self.cert_encoded_mock,
            pkcs7_cert_chain=self.cert_pkcs7_mock)

        # for cancel/modify
        self.review_response = mock.MagicMock()

        # modified request
        self.modified_request = mock.MagicMock(
            request_id=self.modified_request_id_mock,
            request_status=completed,
            cert_id=self.cert_id_mock)

        self.barbican_meta_dto = cm.BarbicanMetaDTO()
コード例 #8
def issue_certificate_request(order_model, project_model, result_follow_on):
    """Submit the order to the CA through the selected certificate plugin.

    Safe to invoke repeatedly: the selected plugin name and any generated
    CSR are written back to the order's Barbican metadata, and an existing
    entry is reused on a later attempt rather than selected or generated
    again.

    :param: order_model - order associated with this cert request
    :param: project_model - project associated with this request
    :param: result_follow_on - A :class:`FollowOnProcessingStatusDTO` instance
        instantiated by the client that this function may optionally update
        with information on how to process this task into the future.
    :returns: container_model - container with the relevant cert if
        the request has been completed.  None otherwise
    :raises: CertificateStatusClientDataIssue, CertificateStatusInvalidOperation
        or CertificateStatusNotSupported depending on the plugin's status.
    """
    plugin_state = _get_plugin_meta(order_model)
    stored_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order
    # and not shown to plugins) with barbican_meta_dto (shared with plugins).
    # As a minimum we should change the name of the DTO to something like
    # 'extended_meta_dto' or some such.
    plugin_dto = cert.BarbicanMetaDTO()

    # Mostly a no-op; only refreshes CA entries whose cache has expired.
    cert.CertificatePluginManager().refresh_ca_table()

    def _select_plugin():
        """Prefer the plugin recorded on the order, else CA id, else meta."""
        known_name = stored_meta.get('plugin_name')
        if known_name:
            return cert.CertificatePluginManager().get_plugin_by_name(
                known_name)
        # NOTE(review): the CA id originates in the caller-supplied order
        # meta; _get_ca_id is presumably where the project's access to that
        # CA is checked — confirm.
        ca_id = _get_ca_id(order_model.meta, project_model.id)
        if ca_id:
            plugin_dto.plugin_ca_id = ca_id
            return cert.CertificatePluginManager().get_plugin_by_ca_id(ca_id)
        return cert.CertificatePluginManager().get_plugin(order_model.meta)

    plugin = _select_plugin()
    stored_meta['plugin_name'] = utils.generate_fullname_for(plugin)

    # Stored-key requests need a CSR; reuse one from an earlier attempt if
    # the order already carries it.
    request_type = order_model.meta.get(cert.REQUEST_TYPE)
    if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
        csr = stored_meta.get('generated_csr')
        if csr is None:
            # TODO(alee) Fix this to be a non-project specific call once
            # the ACL patches go in.
            csr = _generate_csr(order_model, project_model)
            stored_meta['generated_csr'] = csr
        plugin_dto.generated_csr = csr

    outcome = plugin.issue_certificate_request(
        order_model.id, order_model.meta, plugin_state, plugin_dto)

    # Persist both metadata sets so a retry picks up where this left off.
    _save_plugin_metadata(order_model, plugin_state)
    _save_barbican_metadata(order_model, stored_meta)

    statuses = cert.CertificateStatus
    if outcome.status == statuses.WAITING_FOR_CA:
        # CA accepted the request but has not finished: poll later.
        _update_result_follow_on(
            result_follow_on,
            order_status=ORDER_STATUS_REQUEST_PENDING,
            retry_task=common.RetryTasks.INVOKE_CERT_STATUS_CHECK_TASK,
            retry_msec=outcome.retry_msec)
        return None
    if outcome.status == statuses.CERTIFICATE_GENERATED:
        _update_result_follow_on(result_follow_on,
                                 order_status=ORDER_STATUS_CERT_GENERATED)
        return _save_secrets(outcome, project_model)
    if outcome.status == statuses.CLIENT_DATA_ISSUE_SEEN:
        raise cert.CertificateStatusClientDataIssue(outcome.status_message)
    if outcome.status == statuses.CA_UNAVAILABLE_FOR_REQUEST:
        # Re-run this same task later and let operators know the CA is down.
        _update_result_follow_on(
            result_follow_on,
            order_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE,
            retry_task=common.RetryTasks.INVOKE_SAME_TASK,
            retry_msec=cert.ERROR_RETRY_MSEC)
        _notify_ca_unavailable(order_model, outcome)
        return None
    if outcome.status == statuses.INVALID_OPERATION:
        raise cert.CertificateStatusInvalidOperation(outcome.status_message)
    raise cert.CertificateStatusNotSupported(outcome.status)
コード例 #9
ファイル: test_dogtag.py プロジェクト: rajivmucheli/barbican
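    def setUp(self):
        """Wire a Dogtag CA plugin to mocked pki clients, temp files and CONF.

        Patches the pki crypto provider and connection, writes the two
        on-disk inputs the plugin is configured to read (a CA expiration
        timestamp and a host CA aid), points the global ``CONF`` at them,
        and builds canned request/cert objects for the individual tests.
        """
        super(WhenTestingDogtagCAPlugin, self).setUp()
        self.certclient_mock = mock.MagicMock(name="CertClient mock")
        self.patcher = mock.patch('pki.crypto.NSSCryptoProvider')
        self.patcher2 = mock.patch('pki.client.PKIConnection')
        self.patcher.start()
        self.patcher2.start()
        # NOTE(review): the patchers and the temp files created below are
        # not cleaned up here — confirm tearDown stops/removes them.

        # create nss db for test only
        self.nss_dir = tempfile.mkdtemp()

        # create expiration file for test
        # Write through a file object rather than os.write(): os.write()
        # requires bytes on Python 3, and the ``with`` closes the descriptor
        # even if the write fails.
        fh, self.expiration_data_path = tempfile.mkstemp()
        exp_time = datetime.datetime.utcnow() + datetime.timedelta(days=2)
        with os.fdopen(fh, 'w') as exp_file:
            exp_file.write(exp_time.strftime("%Y-%m-%d %H:%M:%S.%f"))

        # create host CA file for test
        fh, self.host_ca_path = tempfile.mkstemp()
        with os.fdopen(fh, 'w') as host_ca_file:
            host_ca_file.write("host_ca_aid")

        self.approved_profile_id = "caServerCert"
        # NOTE: this mutates the process-global CONF; later tests see these
        # values unless something resets them.
        CONF = dogtag_import.CONF
        CONF.dogtag_plugin.nss_db_path = self.nss_dir
        CONF.dogtag_plugin.ca_expiration_data_path = self.expiration_data_path
        CONF.dogtag_plugin.ca_host_aid_path = self.host_ca_path
        CONF.dogtag_plugin.auto_approved_profiles = [self.approved_profile_id]
        CONF.dogtag_plugin.dogtag_host = "localhost"
        CONF.dogtag_plugin.dogtag_port = 8443
        CONF.dogtag_plugin.simple_cmc_profile = "caOtherCert"
        self.cfg = CONF

        self.plugin = dogtag_import.DogtagCAPlugin(CONF)
        self.plugin.certclient = self.certclient_mock
        self.order_id = mock.MagicMock()
        self.profile_id = mock.MagicMock()

        # request generated (a real CertRequestInfo, not a mock)
        self.request_id_mock = mock.MagicMock()
        self.request = dogtag_cert.CertRequestInfo()
        self.request.request_id = self.request_id_mock
        self.request.request_status = dogtag_cert.CertRequestStatus.COMPLETE
        self.cert_id_mock = mock.MagicMock()
        self.request.cert_id = self.cert_id_mock

        # cert generated, carrying real PEM/DER test material
        self.cert = mock.MagicMock()
        self.cert.encoded = keys.get_certificate_pem()
        self.cert.pkcs7_cert_chain = keys.get_certificate_der()

        # for cancel/modify
        self.review_response = mock.MagicMock()

        # modified request (shares cert_id with the original request)
        self.modified_request = mock.MagicMock()
        self.modified_request_id_mock = mock.MagicMock()
        self.modified_request.request_id = self.modified_request_id_mock
        self.modified_request.request_status = (
            dogtag_cert.CertRequestStatus.COMPLETE)
        self.modified_request.cert_id = self.cert_id_mock

        self.barbican_meta_dto = cm.BarbicanMetaDTO()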