def _create_ks_token_credential(self): return keystone_token.KeystoneToken( self.token, trust_id=self.trust_id, domain_id=self.domain_id, domain_name=self.domain_name, project_id=self.project_id, project_name=self.project_name, project_domain_id=self.project_domain_id, project_domain_name=self.project_domain_name, reauthenticate=self.reauthenticate)
def test___ne___reauthenticate(self): other_reauthenticate = False other_ks_token_credential = keystone_token.KeystoneToken( self.token, trust_id=self.trust_id, domain_id=self.domain_id, domain_name=self.domain_name, project_id=self.project_id, project_name=self.project_name, project_domain_id=self.project_domain_id, project_domain_name=self.project_domain_name, reauthenticate=other_reauthenticate) self.assertTrue(self.ks_token_credential != other_ks_token_credential)
def test___ne___token(self): other_token = "5c59e3217d3d4dd297589b297aee2a6f" other_ks_token_credential = keystone_token.KeystoneToken( other_token, trust_id=self.trust_id, domain_id=self.domain_id, domain_name=self.domain_name, project_id=self.project_id, project_name=self.project_name, project_domain_id=self.project_domain_id, project_domain_name=self.project_domain_name, reauthenticate=self.reauthenticate) self.assertTrue(self.ks_token_credential != other_ks_token_credential)
def get_user_root_secret_by_id(self, account, user_token, key_id): """ Retrieve the user's root encryption secret with the specified ID from an external key management system using Castellan. :param account: the name of the account :type account: string :param user_token: the keystone token of the user from the request :type user_token: string :param key_id: the ID of the user's root encryption secret to retrieve :return: the binary bytes of the user's root encryption secret with the specified ID :rtype: bytearray """ user_root_secrets = self._user_root_secrets.get(account) if user_root_secrets is None: user_root_secrets = dict() else: encoded_key = user_root_secrets.get(key_id) if ROOT_SECRET_CACHE_TIME > 0: if encoded_key is not None: return encoded_key conf = self.conf if self.keymaster_config_path is not None: if any(opt in conf for opt in ('key_id', )): raise ValueError('keymaster_config_path is set, but there ' 'are other config options specified!') conf = readconf(self.keymaster_config_path, 'rotating_keymaster') user_ctxt = keystone_token.KeystoneToken(token=user_token) oslo_conf = cfg.ConfigOpts() options.set_defaults(oslo_conf, auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class')) options.enable_logging() manager = key_manager.API(oslo_conf) # Get the latest key from Barbican. If no keymanager class has been # specified (using 'api_class'), or the keymaster does not have a # 'get_latest_key()' method, an exception will be raised. key = manager.get(user_ctxt, key_id) if key is None: raise ValueError("Could not find user '%s' with key_id '%s'" % (account, key_id)) user_root_secrets[key_id] = key.get_encoded() self._user_root_secrets[account] = user_root_secrets return key.get_encoded()
def get_latest_user_root_secret_and_id(self, account, user_token): """ Retrieve the user's latest root encryption secret from an external key management system using Castellan. :param account: the name of the account :type account: string :param user_token: the keystone token of the user from the request :type user_token: string :return: a tuple containing the binary bytes of the latest encryption root secret, and the id of the latest root encryption secret :rtype: (bytearray, string) """ conf = self.conf if self.keymaster_config_path is not None: if any(opt in conf for opt in ('key_id', )): raise ValueError('keymaster_config_path is set, but there ' 'are other config options specified!') conf = readconf(self.keymaster_config_path, 'rotating_keymaster') user_ctxt = keystone_token.KeystoneToken(token=user_token) oslo_conf = cfg.ConfigOpts() options.set_defaults(oslo_conf, auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class')) options.enable_logging() manager = key_manager.API(oslo_conf) # Get the latest key from Barbican. If no keymanager class has been # specified (using 'api_class'), or the keymaster does not have a # 'get_latest_key()' method, an exception will be raised. latest_user_root_secret_id, key = manager.get_latest_key( user_ctxt, bits=256, algorithm='aes', name='swift_root_secret') self.logger.log( SECDEL_LOG_LEVEL_DEBUG, "ID of latest user root secret is %s" % latest_user_root_secret_id) if latest_user_root_secret_id is None or key is None: return None, None user_root_secrets = self._user_root_secrets.get(account) if user_root_secrets is None: user_root_secrets = dict() user_root_secrets[latest_user_root_secret_id] = key.get_encoded() self._user_root_secrets[account] = user_root_secrets return key.get_encoded(), latest_user_root_secret_id
def test___eq__(self): self.assertTrue(self.ks_token_credential == self.ks_token_credential) self.assertTrue(self.ks_token_credential is self.ks_token_credential) self.assertFalse(self.ks_token_credential is None) self.assertFalse(None == self.ks_token_credential) other_ks_token_credential = keystone_token.KeystoneToken( self.token, trust_id=self.trust_id, domain_id=self.domain_id, domain_name=self.domain_name, project_id=self.project_id, project_name=self.project_name, project_domain_id=self.project_domain_id, project_domain_name=self.project_domain_name, reauthenticate=self.reauthenticate) self.assertTrue(self.ks_token_credential == other_ks_token_credential) self.assertFalse(self.ks_token_credential is other_ks_token_credential)
def get_context(self): username = CONF.identity.username password = CONF.identity.password project_name = CONF.identity.project_name auth_url = CONF.identity.auth_url user_domain_name = CONF.identity.user_domain_name project_domain_name = CONF.identity.project_domain_name auth = identity.V3Password(auth_url=auth_url, username=username, password=password, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name) sess = session.Session() return keystone_token.KeystoneToken( token=auth.get_token(sess), project_id=auth.get_project_id(sess))
def setUp(self): super(BarbicanKeyManagerKSTokenTestCase, self).setUp() username = CONF.identity.username password = CONF.identity.password project_name = CONF.identity.project_name auth_url = CONF.identity.auth_url user_domain_name = CONF.identity.user_domain_name project_domain_name = CONF.identity.project_domain_name auth = v3.Password(auth_url=auth_url, username=username, password=password, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name) sess = session.Session(auth=auth) keystone_client = client.Client(session=sess) project_list = keystone_client.projects.list(name=project_name) self.ctxt = keystone_token.KeystoneToken( token=auth.auth_ref.auth_token, project_id=project_list[0].id)
def credential_factory(conf=None, context=None): """This function provides a factory for credentials. It is used to create an appropriare credential object from a passed configuration. This should be called before making any calls to a key manager. :param conf: Configuration file which this factory method uses to generate a credential object. Note: In the future it will become a required field. :param context: Context used for authentication. It can be used in conjunction with the configuration file. If no conf is passed, then the context object will be converted to a KeystoneToken and returned. If a conf is passed then only the 'token' is grabbed from the context for the authentication types that require a token. :returns: A credential object used for authenticating with the Castellan key manager. Type of credential returned depends on config and/or context passed. """ if conf: conf.register_opts(credential_opts, group=OPT_GROUP) if conf.key_manager.auth_type == 'token': if conf.key_manager.token: auth_token = conf.key_manager.token elif context: auth_token = context.auth_token else: raise exception.InsufficientCredentialDataError() return token.Token(auth_token) elif conf.key_manager.auth_type == 'password': return password.Password(conf.key_manager.username, conf.key_manager.password) elif conf.key_manager.auth_type == 'keystone_password': return keystone_password.KeystonePassword( conf.key_manager.password, username=conf.key_manager.username, user_id=conf.key_manager.user_id, user_domain_id=conf.key_manager.user_domain_id, user_domain_name=conf.key_manager.user_domain_name, trust_id=conf.key_manager.trust_id, domain_id=conf.key_manager.domain_id, domain_name=conf.key_manager.domain_name, project_id=conf.key_manager.project_id, project_name=conf.key_manager.project_name, project_domain_id=conf.key_manager.domain_id, project_domain_name=conf.key_manager.domain_name, reauthenticate=conf.key_manager.reauthenticate) elif conf.key_manager.auth_type == 'keystone_token': if conf.key_manager.token: auth_token = conf.key_manager.token elif context: auth_token = context.auth_token else: raise exception.InsufficientCredentialDataError() return keystone_token.KeystoneToken( auth_token, trust_id=conf.key_manager.trust_id, domain_id=conf.key_manager.domain_id, domain_name=conf.key_manager.domain_name, project_id=conf.key_manager.project_id, project_name=conf.key_manager.project_name, project_domain_id=conf.key_manager.domain_id, project_domain_name=conf.key_manager.domain_name, reauthenticate=conf.key_manager.reauthenticate) else: LOG.error(_LE("Invalid auth_type specified.")) raise exception.AuthTypeInvalidError( type=conf.key_manager.auth_type) # for compatibility between _TokenData and RequestContext if hasattr(context, 'tenant') and context.tenant: project_id = context.tenant elif hasattr(context, 'project_id') and context.project_id: project_id = context.project_id return keystone_token.KeystoneToken(context.auth_token, project_id=project_id)