def _test_import_and_delete_cert(self, with_pkey=True): filename = '/tmp/test.pem' # this driver simulates storage==none scenario noop_driver = DummyStorageDriver() cert, key = client_cert.generate_self_signed_cert_pair(4096, 20, 'sha256', {}) cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) with open(filename, 'wb') as f: f.write(cert_pem) if with_pkey: f.write(key_pem) mocked_trust = self._get_mocked_trust('create_delete', cert_pem) cert = client_cert.ClientCertificateManager(self.identity, mocked_trust, noop_driver) cert.import_pem(filename, self.node_id) self._verify_backend_create(mocked_trust, cert_pem) cert.delete_pem(filename) self._verify_backend_delete(mocked_trust) os.remove(filename)
def test_generate_cert(self): """Test startup without certificate + certificate generation""" storage_driver = DummyStorageDriver() # Prepare fake trust management for "cert create" requests cert_pem, key_pem = storage_driver.get_cert(self.identity) mocked_trust = self._get_mocked_trust('create', cert_pem) cert = client_cert.ClientCertificateManager(self.identity, mocked_trust, storage_driver) self.assertFalse(cert.exists()) cert.generate(subject={}, key_size=2048, valid_for_days=333, node_id=self.node_id) # verify client cert was generated and makes sense self.assertTrue(cert.exists()) self.assertEqual(332, cert.expires_in_days()) cert_pem, key_pem = cert.get_pem() # verify cert ans PK were stored in storage stored_cert, stored_key = storage_driver.get_cert(self.identity) self.assertEqual(cert_pem, stored_cert) self.assertEqual(key_pem, stored_key) # verify backend API calls self._verify_backend_create(mocked_trust, cert_pem) # try to generate cert again and fail self.assertRaises(nsxlib_exc.ObjectAlreadyExists, cert.generate, {})
def __enter__(self): # No certificate file available - need to create one # Choose a random filename to contain the certificate self._thread_local._filename = '/tmp/.' + str( random.randint(1, 10000000)) try: context = q_context.get_admin_context() db_storage_driver = cert_utils.DbCertificateStorageDriver(context) with client_cert.ClientCertificateManager( cert_utils.NSX_OPENSTACK_IDENTITY, None, db_storage_driver) as cert_manager: if not cert_manager.exists(): msg = _("Unable to load from nsx-db") raise nsx_exc.ClientCertificateException(err_msg=msg) filename = self._thread_local._filename if not os.path.exists(os.path.dirname(filename)): if len(os.path.dirname(filename)) > 0: os.makedirs(os.path.dirname(filename)) cert_manager.export_pem(filename) expires_in_days = cert_manager.expires_in_days() self._check_expiration(expires_in_days) except Exception as e: self._on_exit() raise e LOG.debug("Prepared client certificate file") return self
def get_certificate_manager(**kwargs): storage_driver_type = cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() LOG.info("Certificate storage is %s", storage_driver_type) if storage_driver_type == 'nsx-db': storage_driver = cert_utils.DbCertificateStorageDriver( context.get_admin_context()) elif storage_driver_type == 'none': storage_driver = cert_utils.DummyCertificateStorageDriver() # TODO(annak) - add support for barbican storage driver return client_cert.ClientCertificateManager( cert_utils.NSX_OPENSTACK_IDENTITY, get_nsx_trust_management(**kwargs), storage_driver)
def test_get_certificate_details(self): """Test retrieving cert details for existing cert""" key_size = 2048 days = 999 alg = 'sha256' subj = {'country': 'CA', 'organization': 'squirrel rights', 'hostname': 'www.squirrels.ca', 'unit': 'nuts', 'state': 'BC'} storage_driver = self._prepare_storage_with_existing_cert(key_size, days, alg, subj) with client_cert.ClientCertificateManager(self.identity, None, storage_driver) as cert: self.assertTrue(cert.exists()) self.assertEqual(days - 1, cert.expires_in_days()) self.assertEqual(key_size, cert.get_key_size()) cert_subj = cert.get_subject() self.assertEqual(subj, cert_subj)
def test_load_and_delete_existing_cert(self): """Test startup with existing certificate + certificate deletion""" storage_driver = self._prepare_storage_with_existing_cert(4096, 3650, 'sha256', {}) # get mocked backend driver for trust management, # prepared for get request, that preceeds delete operation cert_pem, key_pem = storage_driver.get_cert(self.identity) mocked_trust = self._get_mocked_trust('delete', cert_pem) cert = client_cert.ClientCertificateManager(self.identity, mocked_trust, storage_driver) self.assertTrue(cert.exists()) cert.delete() self.assertFalse(cert.exists()) self.assertTrue(storage_driver.is_empty(self.identity)) self._verify_backend_delete(mocked_trust)
def __enter__(self): try: context = q_context.get_admin_context() db_storage_driver = cert_utils.DbCertificateStorageDriver(context) with client_cert.ClientCertificateManager( cert_utils.NSX_OPENSTACK_IDENTITY, None, db_storage_driver) as cert_manager: if not cert_manager.exists(): msg = _("Unable to load from nsx-db") raise nsx_exc.ClientCertificateException(err_msg=msg) filename = self._filename if not os.path.exists(os.path.dirname(filename)): if len(os.path.dirname(filename)) > 0: os.makedirs(os.path.dirname(filename)) cert_manager.export_pem(filename) expires_in_days = cert_manager.expires_in_days() self._check_expiration(expires_in_days) except Exception as e: self._on_exit() raise e return self