def setUp(self):
super(TestSLUGSAuthenticationAndAccessControl, self).setUp()
self.client_john_doe = client.ProxyKmipClient(
config='john_doe', config_file=self.config_file)
self.client_jane_doe = client.ProxyKmipClient(
config='jane_doe', config_file=self.config_file)
self.client_john_smith = client.ProxyKmipClient(
config='john_smith', config_file=self.config_file)
self.client_jane_smith = client.ProxyKmipClient(
config='jane_smith', config_file=self.config_file)
def simple(request):
config = request.config.getoption("--config")
client = pclient.ProxyKmipClient(config=config)
client.open()
def finalize():
client.close()
request.addfinalizer(finalize)
request.cls.client = client
from kmip.pie import client
# NOTE: This demo script shows how to delete the first Name attribute from
# the user-specified object. The object *must* have at least one Name
# attribute for attribute deletion to work. Otherwise, the client
# call to delete_attribute will fail.
if __name__ == '__main__':
logger = utils.build_console_logger(logging.INFO)
parser = utils.build_cli_parser(enums.Operation.DELETE_ATTRIBUTE)
opts, args = parser.parse_args(sys.argv[1:])
if opts.uuid is None:
logger.error("No UUID provided, existing early from demo.")
sys.exit()
with client.ProxyKmipClient(config=opts.config,
config_file=opts.config_file) as c:
try:
object_id, modified_attribute = c.delete_attribute(
unique_identifier=opts.uuid,
attribute_name="Name",
attribute_index=0)
logger.info(
"Successfully deleted 'Name' attribute from object: {}".format(
object_id))
logger.info("Deleted attribute: {}".format(modified_attribute))
except Exception as e:
logger.error(e)
if __name__ == '__main__':
logger = utils.build_console_logger(logging.INFO)
# Build and parse arguments
parser = utils.build_cli_parser(enums.Operation.CREATE)
opts, args = parser.parse_args(sys.argv[1:])
config = opts.config
algorithm = opts.algorithm
length = opts.length
# Exit early if the arguments are not specified
if algorithm is None:
logger.error('No algorithm provided, exiting early from demo')
sys.exit()
if length is None:
logger.error("No key length provided, exiting early from demo")
sys.exit()
algorithm = getattr(enums.CryptographicAlgorithm, algorithm, None)
# Build the client and connect to the server
with client.ProxyKmipClient(config=config) as client:
try:
uid = client.create(algorithm, length)
logger.info("Successfully created symmetric key with ID: "
"{0}".format(uid))
except Exception as e:
logger.error(e)
# NOTE: This demo script shows how to set the Sensitive attribute on
# the user-specified object. The server must support KMIP 2.0, since
# the SetAttribute operation is KMIP 2.0+ only and the Sensitive
# attribute is KMIP 1.4+ only. Otherwise, the client call to
# set_attribute will fail.
if __name__ == '__main__':
logger = utils.build_console_logger(logging.INFO)
parser = utils.build_cli_parser(enums.Operation.SET_ATTRIBUTE)
opts, args = parser.parse_args(sys.argv[1:])
if opts.uuid is None:
logger.error("No UUID provided, existing early from demo.")
sys.exit()
factory = attributes.AttributeFactory()
with client.ProxyKmipClient(config=opts.config,
config_file=opts.config_file,
kmip_version=enums.KMIPVersion.KMIP_2_0) as c:
try:
object_id = c.set_attribute(unique_identifier=opts.uuid,
attribute_name="Sensitive",
attribute_value=True)
logger.info(
"Successfully set the 'Sensitive' attribute on object: "
"{}".format(object_id))
except Exception as e:
logger.error(e)
def __init__(self, conf=CONF):
"""Initializes KMIPSecretStore
Creates a dictionary of mappings between SecretStore enum values
and pyKMIP enum values. Initializes the KMIP client with credentials
needed to connect to the KMIP server.
"""
super(KMIPSecretStore, self).__init__()
self.valid_alg_dict = {
ss.KeyAlgorithm.AES: {
KMIPSecretStore.VALID_BIT_LENGTHS: [128, 192, 256],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.AES
},
ss.KeyAlgorithm.DES: {
KMIPSecretStore.VALID_BIT_LENGTHS: [56],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.DES
},
ss.KeyAlgorithm.DESEDE: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[56, 64, 112, 128, 168, 192],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.TRIPLE_DES
},
ss.KeyAlgorithm.DSA: {
KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.DSA
},
ss.KeyAlgorithm.HMACSHA1: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA1
},
ss.KeyAlgorithm.HMACSHA256: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA256
},
ss.KeyAlgorithm.HMACSHA384: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA384
},
ss.KeyAlgorithm.HMACSHA512: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA512
},
ss.KeyAlgorithm.RSA: {
KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072, 4096],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.RSA
},
}
self.pkcs1_only = conf.kmip_plugin.pkcs1_only
if self.pkcs1_only:
LOG.debug("KMIP secret store only supports PKCS#1")
del self.valid_alg_dict[ss.KeyAlgorithm.DSA]
self.kmip_barbican_alg_map = {
enums.CryptographicAlgorithm.AES: ss.KeyAlgorithm.AES,
enums.CryptographicAlgorithm.DES: ss.KeyAlgorithm.DES,
enums.CryptographicAlgorithm.TRIPLE_DES: ss.KeyAlgorithm.DESEDE,
enums.CryptographicAlgorithm.DSA: ss.KeyAlgorithm.DSA,
enums.CryptographicAlgorithm.HMAC_SHA1: ss.KeyAlgorithm.HMACSHA1,
enums.CryptographicAlgorithm.HMAC_SHA256:
ss.KeyAlgorithm.HMACSHA256,
enums.CryptographicAlgorithm.HMAC_SHA384:
ss.KeyAlgorithm.HMACSHA384,
enums.CryptographicAlgorithm.HMAC_SHA512:
ss.KeyAlgorithm.HMACSHA512,
enums.CryptographicAlgorithm.RSA: ss.KeyAlgorithm.RSA
}
if conf.kmip_plugin.keyfile is not None:
self._validate_keyfile_permissions(conf.kmip_plugin.keyfile)
if (conf.kmip_plugin.username is None) and (conf.kmip_plugin.password
is None):
self.credential = None
else:
credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD
credential_value = {
'Username': conf.kmip_plugin.username,
'Password': conf.kmip_plugin.password
}
self.credential = (
credentials.CredentialFactory().create_credential(
credential_type, credential_value))
config = conf.kmip_plugin
self.client = client.ProxyKmipClient(hostname=config.host,
port=config.port,
cert=config.certfile,
key=config.keyfile,
ca=config.ca_certs,
ssl_version=config.ssl_version,
username=config.username,
password=config.password)
# Register keys with the pykmip server
#Import modules
from kmip import enums
from kmip.pie import client
from kmip.pie import objects
c = client.ProxyKmipClient()
symmetric_key = objects.SymmetricKey(enums.CryptographicAlgorithm.AES, 256,
(b'\x00\x01\x02\x03\x04\x05\x06\x07'
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
b'\x00\x01\x02\x03\x04\x05\x06\x07'
b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'))
with c:
for i in range(10):
key_id = c.register(symmetric_key)
print(f'Registered new key with ID {key_id}')
