def create_key(self, context, algorithm=None, length=0,
expiration=None, **kwargs):
"""creates a key
algorithm, length, and expiration are unused by sahara keys.
"""
return key.Passphrase(passphrase=kwargs.get('passphrase', ''))
def data_source_update(self, context, id, values):
"""Update the Data Source or raise if it does not exist."""
values = copy.deepcopy(values)
values["id"] = id
# in cases where the credentials to access the data source are
# stored with the record and the external key manager is being
# used, we need to delete the old key from the manager and
# create a new one. the other option here would be to retrieve
# the previous key and check to see if it has changed, but it
# seems less expensive to just delete the old and create a new
# one.
# it should be noted that the jsonschema validation ensures that
# if the proxy domain is not in use then credentials must be
# sent with this record.
if (CONF.use_barbican_key_manager
and not CONF.use_domain_for_proxy_users):
# first we retrieve the original record to get the old key
# uuid, and delete it.
ds_record = self.data_source_get(context, id)
if (ds_record.get('credentials')
and ds_record['credentials'].get('password')):
key_manager.API().delete(context,
ds_record['credentials']['password'])
# next we create the new key.
if (values.get('credentials')
and values['credentials'].get('password')):
key = passphrase.Passphrase(values['credentials']['password'])
password = key_manager.API().store(context, key)
values['credentials']['password'] = password
return self.db.data_source_update(context, values)
def job_binary_update(self, context, id, values):
"""Update a JobBinary from the values dictionary."""
values = copy.deepcopy(values)
values['id'] = id
# in cases where the credentials to access the job binary are
# stored with the record and the external key manager is being
# used, we need to delete the old key from the manager and
# create a new one. the other option here would be to retrieve
# the previous key and check to see if it has changed, but it
# seems less expensive to just delete the old and create a new
# one.
if (CONF.use_barbican_key_manager
and not CONF.use_domain_for_proxy_users):
# first we retrieve the original record to get the old key
# uuid, and delete it.
jb_record = self.job_binary_get(context, id)
if jb_record.get('extra') and jb_record['extra'].get('password'):
key_manager.API().delete(context,
jb_record['extra']['password'])
# next we create the new key.
if values.get('extra') and values['extra'].get('password'):
key = passphrase.Passphrase(values['extra']['password'])
password = key_manager.API().store(context, key)
values['extra']['password'] = password
return self.db.job_binary_update(context, values)
def get(self, context, key_id, **kwargs):
"""get a key
since sahara is not actually storing key UUIDs the key_id to this
function should actually be the key payload. this function will
simply return a new SaharaKey based on that value.
"""
return key.Passphrase(passphrase=key_id)
def test___eq__(self):
self.assertTrue(self.passphrase == self.passphrase)
self.assertTrue(self.passphrase is self.passphrase)
self.assertFalse(self.passphrase is None)
self.assertFalse(None == self.passphrase)
other_passphrase = passphrase.Passphrase(self.passphrase_data)
self.assertTrue(self.passphrase == other_passphrase)
self.assertFalse(self.passphrase is other_passphrase)
def ensure_vtpm_secret(
context: nova_context.RequestContext,
instance: 'objects.Instance',
) -> ty.Tuple[str, str]:
"""Communicates with the key manager service to retrieve or create a secret
for an instance's emulated TPM.
When creating a secret, its UUID is saved to the instance's system_metadata
as ``vtpm_secret_uuid``.
:param context: Nova auth context.
:param instance: Instance object.
:return: A tuple comprising (secret_uuid, passphrase).
:raise: castellan_exception.ManagedObjectNotFoundError if communication
with the key manager API fails, or if a vtpm_secret_uuid was present in
the instance's system metadata but could not be found in the key
manager service.
"""
key_mgr = _get_key_manager()
secret_uuid = instance.system_metadata.get('vtpm_secret_uuid')
if secret_uuid is not None:
# Try to retrieve the secret from the key manager
try:
secret = key_mgr.get(context, secret_uuid)
# assert secret_uuid == secret.id ?
LOG.debug("Found existing vTPM secret with UUID %s.",
secret_uuid,
instance=instance)
return secret.id, secret.get_encoded()
except castellan_exception.ManagedObjectNotFoundError:
LOG.warning(
"Despite being set on the instance, failed to find a vTPM "
"secret with UUID %s. This should only happen if the secret "
"was manually deleted from the key manager service. Your vTPM "
"is likely to be unrecoverable.",
secret_uuid,
instance=instance)
raise
# If we get here, the instance has no vtpm_secret_uuid. Create a new one
# and register it with the key manager.
secret = base64.b64encode(os.urandom(_VTPM_SECRET_BYTE_LENGTH))
# Castellan ManagedObject
cmo = passphrase.Passphrase(secret,
name="vTPM secret for instance %s" %
instance.uuid)
secret_uuid = key_mgr.store(context, cmo)
LOG.debug("Created vTPM secret with UUID %s",
secret_uuid,
instance=instance)
instance.system_metadata['vtpm_secret_uuid'] = secret_uuid
instance.save()
return secret_uuid, secret
def store_secret(secret, ctx=None):
"""store a secret and return its identifier
:param secret: The secret to store, this should be a string
:param ctx: The context, and associated authentication, to use with
this operation (defaults to the current context)
"""
if ctx is None:
ctx = context.current()
key = passphrase.Passphrase(secret)
return key_manager.API().store(ctx, key)
def job_binary_create(self, context, values):
"""Create a JobBinary from the values dictionary."""
values = copy.deepcopy(values)
values = _apply_defaults(values, JOB_BINARY_DEFAULTS)
values['tenant_id'] = context.tenant_id
# if credentials are being passed in, we use the key_manager
# to store the password.
if values.get('extra') and values['extra'].get('password'):
key = passphrase.Passphrase(values['extra']['password'])
password = key_manager.API().store(context, key)
values['extra']['password'] = password
return self.db.job_binary_create(context, values)
def data_source_create(self, context, values):
"""Create a Data Source from the values dictionary."""
values = copy.deepcopy(values)
values = _apply_defaults(values, DATA_SOURCE_DEFAULTS)
values['tenant_id'] = context.tenant_id
# if credentials are being passed in, we use the key_manager
# to store the password.
if (values.get('credentials')
and values['credentials'].get('password')):
key = passphrase.Passphrase(values['credentials']['password'])
password = key_manager.API().store(context, key)
values['credentials']['password'] = password
return self.db.data_source_create(context, values)
def create_proxy_user_for_job_execution(job_execution):
'''Creates a proxy user and adds the credentials to the job execution
:param job_execution: The job execution model to update
'''
username = '******'.format(job_execution.id)
key = passphrase.Passphrase(proxy_user_create(username))
password = key_manager.API().store(context.current(), key)
current_user = k.auth()
proxy_user = k.auth_for_proxy(username, password)
trust_id = t.create_trust(trustor=current_user,
trustee=proxy_user,
role_names=CONF.proxy_user_role_names)
update = {'job_configs': job_execution.job_configs.to_dict()}
update['job_configs']['proxy_configs'] = {
'proxy_username': username,
'proxy_password': password,
'proxy_trust_id': trust_id
}
conductor.job_execution_update(context.ctx(), job_execution, update)
def create_proxy_user_for_cluster(cluster):
'''Creates a proxy user and adds the credentials to the cluster
:param cluster: The cluster model to update
'''
if cluster.cluster_configs.get('proxy_configs'):
return cluster
username = '******'.format(cluster.id)
key = passphrase.Passphrase(proxy_user_create(username))
password = key_manager.API().store(context.current(), key)
current_user = k.auth()
proxy_user = k.auth_for_proxy(username, password)
trust_id = t.create_trust(trustor=current_user,
trustee=proxy_user,
role_names=CONF.proxy_user_role_names)
update = {'cluster_configs': cluster.cluster_configs.to_dict()}
update['cluster_configs']['proxy_configs'] = {
'proxy_username': username,
'proxy_password': password,
'proxy_trust_id': trust_id
}
return conductor.cluster_update(context.ctx(), cluster, update)
def _create_passphrase(self):
return passphrase.Passphrase(self.passphrase_data, self.name,
self.created)
def _get_test_passphrase():
data = bytes(b'passphrase')
passphrase_object = passphrase.Passphrase(data)
return passphrase_object
def test___ne___data(self):
other_phrase = passphrase.Passphrase(b"other passphrase", self.name)
self.assertTrue(self.passphrase != other_phrase)
def test_store(self):
k = key.Passphrase(passphrase='super_secret')
k_id = self.k_m.store(self.ctx, k)
self.assertEqual('super_secret', k_id)
def test_get_created_none(self):
created = None
phrase = passphrase.Passphrase(self.passphrase_data, self.name,
created)
self.assertEqual(created, phrase.created)
def test_is_only_metadata(self):
p = passphrase.Passphrase(None, self.name, self.created)
self.assertTrue(p.is_metadata_only())
def _store_secret(secret):
key = passphrase.Passphrase(secret)
password = key_manager.API().store(context.current(), key)
return password
def test___ne__name(self):
other_phrase = passphrase.Passphrase(self.passphrase_data,
"other phrase")
self.assertTrue(self.passphrase != other_phrase)
