예제 #1
    def get_plugin_store(self, key_spec, plugin_name=None,
                         transport_key_needed=False):
        """Select a secret store plugin from the loaded extensions.

        :param key_spec: KeySpec of the key that will be stored; consulted
            only when ``plugin_name`` is not given.
        :param plugin_name: full name of a specific plugin to return.  When
            set, the plugin is returned by name alone -- neither
            ``key_spec`` nor ``transport_key_needed`` is checked against it.
        :param transport_key_needed: when True, only plugins that expose a
            transport key are considered.
        :returns: SecretStoreBase plugin implementation
        :raises SecretStorePluginNotFound: ``plugin_name`` was given but no
            loaded extension carries that name.
        :raises SecretStoreSupportedPluginNotFound: no loaded extension
            supports ``key_spec`` (with a transport key, if one was required).
        """
        # An explicit name wins outright: return it, or fail loudly.
        if plugin_name is not None:
            for ext in self.extensions:
                candidate = ext.obj
                if utils.generate_fullname_for(candidate) == plugin_name:
                    return candidate
            raise SecretStorePluginNotFound(plugin_name)

        # Otherwise take the first plugin able to store this key spec, first
        # ruling out plugins without a transport key when one is required.
        for ext in self.extensions:
            candidate = ext.obj
            if transport_key_needed and candidate.get_transport_key() is None:
                continue
            if candidate.store_secret_supports(key_spec):
                return candidate

        raise SecretStoreSupportedPluginNotFound()
예제 #2
    def test_get_store_supported_plugin_with_plugin_name(self):
        """A plugin asked for by full name is returned even without a key spec."""
        aes_plugin = TestSecretStore([str.KeyAlgorithm.AES])
        self.manager.extensions = [mock.MagicMock(obj=aes_plugin)]

        full_name = common_utils.generate_fullname_for(aes_plugin)
        self.assertEqual(
            aes_plugin,
            self.manager.get_plugin_store(None, plugin_name=full_name))
예제 #3
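    def update_ca_info(self, cert_plugin):
        """Synchronise the CA table with what ``cert_plugin`` reports now.

        Rows for this plugin that the plugin no longer lists are deleted,
        rows it still lists are updated in place, and CA ids it lists for
        the first time are added.

        :param cert_plugin: certificate plugin whose ``get_ca_info()`` is
            treated as the source of truth for its CA rows.
        """
        plugin_name = utils.generate_fullname_for(cert_plugin)
        new_ca_infos = cert_plugin.get_ca_info()

        # Expired rows are fetched too, so they are refreshed in place
        # instead of being re-added next to a stale copy.
        old_cas, _offset, _limit, _total = self.ca_repo.get_by_create_date(
            plugin_name=plugin_name,
            suppress_exception=True,
            show_expired=True)

        # NOTE(review): the plugin's answer is not sanity-checked -- an empty
        # or partial get_ca_info() result deletes the rows it omits.  Confirm
        # that this is the intended contract for plugins.
        for old_ca in old_cas:
            plugin_ca_id = old_ca.plugin_ca_id
            if plugin_ca_id in new_ca_infos:
                # still reported by the plugin: refresh in place
                self.ca_repo.update_entity(old_ca, new_ca_infos[plugin_ca_id])
            else:
                # no longer reported by the plugin: drop the row
                self._delete_ca(old_ca)

        # CA ids the plugin reports that have no row yet.
        old_ids = {ca.plugin_ca_id for ca in old_cas}
        for add_id in set(new_ca_infos) - old_ids:
            self._add_ca(plugin_name, add_id, new_ca_infos[add_id])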
def _csr_for_stored_key_request(order_model, project_model, barbican_meta):
    """Return the CSR for a stored-key request, generating it on first use.

    The generated CSR is kept in ``barbican_meta['generated_csr']`` so that
    a retried request reuses it rather than producing a new one.
    """
    csr = barbican_meta.get('generated_csr')
    if csr is None:
        # TODO(alee) Fix this to be a non-project specific call once
        # the ACL patches go in.
        csr = _generate_csr_from_private_key(order_model, project_model)
        barbican_meta['generated_csr'] = csr
    return csr


def issue_certificate_request(order_model, project_model, result_follow_on):
    """Submit the initial certificate request for an order to its CA plugin.

    May run more than once for the same order when retries are required;
    the plugin choice (by full name) and any generated CSR are kept in the
    order's Barbican metadata so a retry picks up where the last attempt
    left off.

    :param order_model: order associated with this cert request
    :param project_model: project associated with this request
    :param result_follow_on: A :class:`FollowOnProcessingStatusDTO` instance
        instantiated by the client that this function may optionally update
        with information on how to process this task into the future.
    :returns: container_model - container with the relevant cert if
        the request has been completed.  None otherwise
    """
    plugin_meta = _get_plugin_meta(order_model)
    barbican_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order
    # and not shown to plugins) with barbican_meta_dto (shared with plugins).
    # As a minimum we should change the name of the DTO to something like
    # 'extended_meta_dto' or some such.
    plugins_dto = cert.BarbicanMetaDTO()

    # Bring the CA table up to date before a plugin is chosen; this is
    # mostly a no-op unless a plugin's entries have expired.
    cert.CertificatePluginManager().refresh_ca_table()

    cert_plugin = _get_cert_plugin(
        barbican_meta, plugins_dto, order_model, project_model)
    barbican_meta['plugin_name'] = utils.generate_fullname_for(cert_plugin)

    # Stored-key requests carry a CSR that Barbican generates itself.
    request_type = order_model.meta.get(cert.REQUEST_TYPE)
    if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
        plugins_dto.generated_csr = _csr_for_stored_key_request(
            order_model, project_model, barbican_meta)

    result = cert_plugin.issue_certificate_request(
        order_model.id, order_model.meta, plugin_meta, plugins_dto)

    # NOTE(review): both metadata dicts are persisted only after the plugin
    # call returns.  If the plugin raises, the plugin_name and generated_csr
    # recorded above are not saved and a retry redoes both steps -- confirm
    # that is intended.
    _save_plugin_metadata(order_model, plugin_meta)
    _save_barbican_metadata(order_model, barbican_meta)

    return _handle_task_result(
        result,
        result_follow_on,
        order_model,
        project_model,
        request_type,
        unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE)
예제 #5
    def get_plugin_store(self, key_spec, plugin_name=None,
                         transport_key_needed=False, project_id=None):
        """Select a secret store plugin applicable to a project.

        :param key_spec: KeySpec of the key that will be stored; consulted
            only when ``plugin_name`` is not given.
        :param plugin_name: full name of a specific plugin to return.  When
            set, the plugin is returned by name alone -- neither
            ``key_spec`` nor ``transport_key_needed`` is checked against it.
        :param transport_key_needed: when True, only plugins that expose a
            transport key are considered.
        :param project_id: narrows the candidate plugins to those applicable
            to this project (via ``multiple_backends``).
        :returns: SecretStoreBase plugin implementation
        :raises SecretStorePluginNotFound: ``plugin_name`` was given but no
            applicable plugin carries that name.
        :raises SecretStoreSupportedPluginNotFound: no applicable plugin
            supports ``key_spec`` (with a transport key, if one was required).
        """
        active_plugins = multiple_backends.get_applicable_store_plugins(
            self, project_id=project_id, existing_plugin_name=plugin_name)

        # Explicit name: return that plugin or fail.
        if plugin_name is not None:
            for plugin in active_plugins:
                if utils.generate_fullname_for(plugin) == plugin_name:
                    return plugin
            raise SecretStorePluginNotFound(plugin_name)

        # Capability match: the predicate depends on whether a transport
        # key is required; the transport-key check runs first either way.
        if transport_key_needed:
            def _usable(plugin):
                return (plugin.get_transport_key() is not None and
                        plugin.store_secret_supports(key_spec))
        else:
            def _usable(plugin):
                return plugin.store_secret_supports(key_spec)

        for plugin in active_plugins:
            if _usable(plugin):
                return plugin

        raise SecretStoreSupportedPluginNotFound()
예제 #6
    def get_plugin_store(self, key_spec, plugin_name=None,
                         transport_key_needed=False):
        """Select a secret store plugin from the loaded extensions.

        :param key_spec: KeySpec of the key that will be stored; ignored
            when ``plugin_name`` is given.
        :param plugin_name: full name of a specific plugin to return; the
            named plugin is returned without a capability check.
        :param transport_key_needed: when True, only plugins that expose a
            transport key are considered.
        :returns: SecretStoreBase plugin implementation
        :raises SecretStorePluginNotFound: ``plugin_name`` was given but no
            loaded extension carries that name.
        :raises SecretStoreSupportedPluginNotFound: no loaded extension
            supports ``key_spec`` (with a transport key, if one was required).
        """
        if plugin_name is not None:
            missing = object()
            named = next(
                (ext.obj for ext in self.extensions
                 if utils.generate_fullname_for(ext.obj) == plugin_name),
                missing)
            if named is missing:
                raise SecretStorePluginNotFound(plugin_name)
            return named

        for ext in self.extensions:
            plugin = ext.obj
            # Without a transport-key requirement every plugin passes this
            # gate; get_transport_key() is then never called.
            has_transport_key = (not transport_key_needed or
                                 plugin.get_transport_key() is not None)
            if has_transport_key and plugin.store_secret_supports(key_spec):
                return plugin

        raise SecretStoreSupportedPluginNotFound()
예제 #7
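    def update_ca_info(self, cert_plugin):
        """Synchronise the CA table with what ``cert_plugin`` reports now.

        Rows the plugin no longer lists are deleted, rows it still lists
        are updated in place, and newly listed CA ids are added.

        :param cert_plugin: certificate plugin whose ``get_ca_info()`` is
            treated as the source of truth for its CA rows.
        """
        plugin_name = utils.generate_fullname_for(cert_plugin)
        new_ca_infos = cert_plugin.get_ca_info()

        # Expired rows are fetched too, so they are refreshed in place
        # instead of being re-added next to a stale copy.
        old_cas, _offset, _limit, _total = self.ca_repo.get_by_create_date(
            plugin_name=plugin_name,
            suppress_exception=True,
            show_expired=True)

        # NOTE(review): the plugin's answer is not sanity-checked -- an empty
        # or partial get_ca_info() result deletes the rows it omits.  Confirm
        # that this is the intended contract for plugins.
        for old_ca in old_cas:
            plugin_ca_id = old_ca.plugin_ca_id
            if plugin_ca_id in new_ca_infos:
                # still reported by the plugin: refresh in place
                self.ca_repo.update_entity(old_ca, new_ca_infos[plugin_ca_id])
            else:
                # no longer reported by the plugin: drop the row
                self._delete_ca(old_ca)

        # CA ids the plugin reports that have no row yet.
        old_ids = {ca.plugin_ca_id for ca in old_cas}
        for add_id in set(new_ca_infos) - old_ids:
            self._add_ca(plugin_name, add_id, new_ca_infos[add_id])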
예제 #8
def issue_certificate_request(order_model, project_model, result_follow_on):
    """Submit the initial certificate request for an order to its CA plugin.

    May run more than once for the same order when retries are required;
    the plugin choice (by full name) and any generated CSR are kept in the
    order's Barbican metadata so a retry picks up where the last attempt
    left off.

    :param order_model: order associated with this cert request
    :param project_model: project associated with this request
    :param result_follow_on: A :class:`FollowOnProcessingStatusDTO` instance
        instantiated by the client that this function may optionally update
        with information on how to process this task into the future.
    :returns: container_model - container with the relevant cert if
        the request has been completed.  None otherwise
    """
    plugin_meta = _get_plugin_meta(order_model)
    barbican_meta = _get_barbican_meta(order_model)

    # TODO(john-wood-w) We need to de-conflict barbican_meta (stored with order
    # and not shown to plugins) with barbican_meta_dto (shared with plugins).
    # As a minimum we should change the name of the DTO to something like
    # 'extended_meta_dto' or some such.
    plugins_dto = cert.BarbicanMetaDTO()

    # Bring the CA table up to date before a plugin is chosen; this is
    # mostly a no-op unless a plugin's entries have expired.
    cert.CertificatePluginManager().refresh_ca_table()

    cert_plugin = _get_cert_plugin(
        barbican_meta, plugins_dto, order_model, project_model
    )
    barbican_meta["plugin_name"] = utils.generate_fullname_for(cert_plugin)

    # Stored-key requests carry a CSR that Barbican generates itself; it is
    # cached in barbican_meta so a retry does not generate a second one.
    request_type = order_model.meta.get(cert.REQUEST_TYPE)
    if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
        cached_csr = barbican_meta.get("generated_csr")
        if cached_csr is None:
            # TODO(alee) Fix this to be a non-project specific call once
            # the ACL patches go in.
            cached_csr = _generate_csr_from_private_key(order_model, project_model)
            barbican_meta["generated_csr"] = cached_csr
        plugins_dto.generated_csr = cached_csr

    result = cert_plugin.issue_certificate_request(
        order_model.id, order_model.meta, plugin_meta, plugins_dto
    )

    # NOTE(review): both metadata dicts are persisted only after the plugin
    # call returns.  If the plugin raises, the plugin_name and generated_csr
    # recorded above are not saved and a retry redoes both steps -- confirm
    # that is intended.
    _save_plugin_metadata(order_model, plugin_meta)
    _save_barbican_metadata(order_model, barbican_meta)

    return _handle_task_result(
        result,
        result_follow_on,
        order_model,
        project_model,
        request_type,
        unavailable_status=ORDER_STATUS_CA_UNAVAIL_FOR_ISSUE,
    )
예제 #9
    def test_get_store_supported_plugin_with_plugin_name(self):
        """A plugin asked for by full name is returned even without a key spec."""
        aes_plugin = TestSecretStore([str.KeyAlgorithm.AES])
        self.manager.extensions = [mock.MagicMock(obj=aes_plugin)]

        full_name = common_utils.generate_fullname_for(aes_plugin)
        found = self.manager.get_plugin_store(None, plugin_name=full_name)
        self.assertEqual(aes_plugin, found)
 def __init__(self, db_connection, library_path, login, slot_id):
     """Open the database and HSM handles this tool works against.

     ``library_path``, ``login`` and ``slot_id`` are accepted but not
     referenced here; the PKCS#11 plugin is built from ``CONF``.
     """
     self.dry_run = False

     # Database side: an engine plus a scoped session factory.
     # NOTE: autocommit=True -- each statement is committed as it runs.
     engine = sqlalchemy.create_engine(db_connection)
     self.db_engine = engine
     self._session_creator = scoping.scoped_session(
         orm.sessionmaker(bind=engine, autocommit=True))

     # HSM side: reuse the regular P11 crypto plugin for its PKCS#11
     # wrapper and an open session.
     plugin = p11_crypto.P11CryptoPlugin(CONF)
     self.crypto_plugin = plugin
     self.plugin_name = utils.generate_fullname_for(plugin)
     self.pkcs11 = plugin.pkcs11
     self.session = self.pkcs11.get_session()
예제 #11
    def get_plugin_by_name(self, plugin_name):
        """Return the loaded certificate event plugin with this full name.

        :param plugin_name: full plugin name as produced by
            ``utils.generate_fullname_for``
        :returns: CertificateEventPluginBase plugin implementation
        :raises CertificateEventPluginNotFound: no loaded extension matches
        """
        for ext in self.extensions:
            candidate = ext.obj
            if utils.generate_fullname_for(candidate) == plugin_name:
                break
        else:
            raise CertificateEventPluginNotFound(plugin_name)
        return candidate
예제 #12
    def get_plugin_by_name(self, plugin_name):
        """Return the active certificate event plugin with this full name.

        :param plugin_name: full plugin name as produced by
            ``utils.generate_fullname_for``
        :returns: CertificateEventPluginBase plugin implementation
        :raises CertificateEventPluginNotFound: no active plugin matches
        """
        missing = object()
        found = next(
            (plugin for plugin in plugin_utils.get_active_plugins(self)
             if utils.generate_fullname_for(plugin) == plugin_name),
            missing)
        if found is missing:
            raise CertificateEventPluginNotFound(plugin_name)
        return found
예제 #13
 def __init__(self, db_connection, library_path, login, slot_id):
     """Open the database and HSM handles this tool works against.

     ``library_path``, ``login`` and ``slot_id`` are accepted but not
     referenced here; the PKCS#11 plugin is built from ``CONF``.
     """
     self.dry_run = False

     # Database side: engine plus scoped session factory (autocommit=True,
     # so every statement is committed immediately).
     self.db_engine = session.create_engine(db_connection)
     factory = orm.sessionmaker(bind=self.db_engine, autocommit=True)
     self._session_creator = scoping.scoped_session(factory)

     # HSM side: the regular P11 crypto plugin supplies the PKCS#11 wrapper.
     self.crypto_plugin = p11_crypto.P11CryptoPlugin(CONF)
     self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
     self.pkcs11 = self.crypto_plugin.pkcs11
     self.session = self.pkcs11.get_session()
예제 #14
    def get_plugin_by_name(self, plugin_name):
        """Return the loaded certificate event plugin with this full name.

        :param plugin_name: full plugin name as produced by
            ``utils.generate_fullname_for``
        :returns: CertificateEventPluginBase plugin implementation
        :raises CertificateEventPluginNotFound: no loaded extension matches
        """
        missing = object()
        found = next(
            (ext.obj for ext in self.extensions
             if utils.generate_fullname_for(ext.obj) == plugin_name),
            missing)
        if found is missing:
            raise CertificateEventPluginNotFound(plugin_name)
        return found
예제 #15
    def get_plugin_by_name(self, plugin_name):
        """Return the active certificate event plugin with this full name.

        :param plugin_name: full plugin name as produced by
            ``utils.generate_fullname_for``
        :returns: CertificateEventPluginBase plugin implementation
        :raises CertificateEventPluginNotFound: no active plugin matches
        """
        for candidate in plugin_utils.get_active_plugins(self):
            if utils.generate_fullname_for(candidate) == plugin_name:
                break
        else:
            raise CertificateEventPluginNotFound(plugin_name)
        return candidate
예제 #16
 def _verify_kek_repository_interactions(self, plugin_inst):
     """Assert the KEK repo was consulted once, for our project and plugin.

     :param plugin_inst: plugin whose full name must have been passed as
         the second positional argument of find_or_create_kek_datum
     """
     find_or_create = self.kek_repo.find_or_create_kek_datum
     self.assertEqual(1, find_or_create.call_count)

     args, _kwargs = find_or_create.call_args
     self.assertEqual(self.project_model, args[0])
     self.assertEqual(utils.generate_fullname_for(plugin_inst), args[1])
예제 #17
    def get_plugin_by_name(self, plugin_name):
        """Return the loaded certificate plugin with this full name.

        :param plugin_name: Name of the plugin to invoke (full name as
            produced by ``utils.generate_fullname_for``)
        :returns: CertificatePluginBase plugin implementation
        :raises CertificatePluginNotFound: no loaded extension matches
        """
        for ext in self.extensions:
            candidate = ext.obj
            if utils.generate_fullname_for(candidate) == plugin_name:
                break
        else:
            raise CertificatePluginNotFound(plugin_name)
        return candidate
예제 #18
    def get_plugin_retrieve_delete(self, plugin_name):
        """Return the secret store plugin recorded for an existing secret.

        :param plugin_name: full plugin name (presumably the one saved in the
            secret's metadata when it was stored -- TODO confirm)
        :returns: SecretStoreBase plugin implementation
        :raises SecretStorePluginNotFound: no loaded extension has that name
        """
        missing = object()
        found = next(
            (ext.obj for ext in self.extensions
             if utils.generate_fullname_for(ext.obj) == plugin_name),
            missing)
        if found is missing:
            raise SecretStorePluginNotFound(plugin_name)
        return found
예제 #19
    def setUp(self):
        """Install one always-supporting ENCRYPT_DECRYPT plugin into a manager."""
        super(WhenTestingManager, self).setUp()

        returned = mock.MagicMock()
        returned.supports.return_value = True
        self.plugin_returned = returned
        self.plugin_type = crypto.PluginSupportTypes.ENCRYPT_DECRYPT
        self.plugin_name = common_utils.generate_fullname_for(returned)
        self.plugin_loaded = mock.MagicMock(obj=returned)

        self.manager = cm.get_manager()
        self.manager.extensions = [self.plugin_loaded]
예제 #20
 def _verify_kek_repository_interactions(self, plugin_inst):
     """Assert the KEK repo was consulted once, for our tenant and plugin.

     :param plugin_inst: plugin whose full name must have been passed as
         the second positional argument of find_or_create_kek_datum
     """
     find_or_create = self.kek_repo.find_or_create_kek_datum
     self.assertEqual(find_or_create.call_count, 1)

     args, _kwargs = find_or_create.call_args
     self.assertEqual(self.tenant_model, args[0])
     self.assertEqual(utils.generate_fullname_for(plugin_inst), args[1])
예제 #21
    def get_plugin_retrieve_delete(self, plugin_name):
        """Return the secret store plugin recorded for an existing secret.

        :param plugin_name: full plugin name (presumably the one saved in the
            secret's metadata when it was stored -- TODO confirm)
        :returns: SecretStoreBase plugin implementation
        :raises SecretStorePluginNotFound: no loaded extension has that name
        """
        for ext in self.extensions:
            candidate = ext.obj
            if utils.generate_fullname_for(candidate) == plugin_name:
                break
        else:
            raise SecretStorePluginNotFound(plugin_name)
        return candidate
예제 #22
 def refresh_ca_table(self):
     """Refreshes the CertificateAuthority table.

     Each active plugin with no CA rows on record (not yet queried, or its
     entries have expired) is re-queried through update_ca_info(); plugins
     that already have rows are left untouched.
     """
     for plugin in plugin_utils.get_active_plugins(self):
         _cas, _offset, _limit, total = self.ca_repo.get_by_create_date(
             plugin_name=utils.generate_fullname_for(plugin),
             suppress_exception=True)
         # Only an empty result costs a plugin round-trip; most of the
         # time this loop is a no-op.
         if total < 1:
             self.update_ca_info(plugin)
예제 #23
    def setUp(self):
        """Install one always-supporting ENCRYPT_DECRYPT plugin into a manager."""
        super(WhenTestingManager, self).setUp()

        returned = mock.MagicMock()
        returned.supports.return_value = True
        self.plugin_returned = returned
        self.plugin_type = crypto.PluginSupportTypes.ENCRYPT_DECRYPT
        self.plugin_name = common_utils.generate_fullname_for(returned)
        self.plugin_loaded = mock.MagicMock(obj=returned)

        self.manager = cm.get_manager()
        self.manager.extensions = [self.plugin_loaded]
예제 #24
def _save_secret_metadata_in_repo(secret_model, secret_metadata,
                                  store_plugin, content_type):
    """Record which plugin stored ``secret_model`` and in what content type.

    A non-empty ``secret_metadata`` dict is updated in place (the caller's
    dict gains ``plugin_name`` and ``content_type``); a falsy value starts
    from an empty dict.
    """
    metadata = secret_metadata or {}
    metadata['plugin_name'] = utils.generate_fullname_for(store_plugin)
    metadata['content_type'] = content_type

    repos.get_secret_meta_repository().save(metadata, secret_model)
예제 #25
def _save_secret_metadata_in_repo(secret_model, secret_metadata,
                                  store_plugin, content_type):
    """Record which plugin stored ``secret_model`` and in what content type.

    A non-empty ``secret_metadata`` dict is updated in place (the caller's
    dict gains ``plugin_name`` and ``content_type``); a falsy value starts
    from an empty dict.
    """
    metadata = secret_metadata or {}
    metadata['plugin_name'] = utils.generate_fullname_for(store_plugin)
    metadata['content_type'] = content_type

    meta_repo = repos.get_secret_meta_repository()
    meta_repo.save(metadata, secret_model)
예제 #26
 def refresh_ca_table(self):
     """Refreshes the CertificateAuthority table.

     Each active plugin with no CA rows on record (not yet queried, or its
     entries have expired) is re-queried through update_ca_info(); plugins
     that already have rows are left untouched.
     """
     for plugin in plugin_utils.get_active_plugins(self):
         full_name = utils.generate_fullname_for(plugin)
         _cas, _offset, _limit, total = self.ca_repo.get_by_create_date(
             plugin_name=full_name,
             suppress_exception=True)
         if total >= 1:
             continue
         # No rows: either never queried or expired.  Usually a no-op.
         self.update_ca_info(plugin)
예제 #27
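    def setUp(self):
        """Build a manager with one mocked plugin that advertises a single CA.

        The mocked CA repository returns ``self.ca`` for every lookup so
        the manager's CA-table code paths can run without a database.
        """
        super(WhenTestingCertificatePluginManager, self).setUp()
        self.cert_spec = {}

        self.plugin_returned = mock.MagicMock()
        self.plugin_name = common_utils.generate_fullname_for(
            self.plugin_returned)
        types_list = [
            cm.CertificateRequestType.SIMPLE_CMC_REQUEST,
            cm.CertificateRequestType.CUSTOM_REQUEST
        ]
        self.plugin_returned.supported_request_types.return_value = types_list
        self.plugin_returned.supports.return_value = True

        # The plugin's advertised CA info; expiration is the default window
        # from "now" so the entry is never treated as expired by the test.
        expiration = (
            datetime.datetime.utcnow() +
            datetime.timedelta(days=cm.CA_INFO_DEFAULT_EXPIRATION_DAYS))
        ca_info = {
            cm.INFO_NAME: "my_ca",
            cm.INFO_DESCRIPTION: "Certificate Authority my_ca",
            cm.INFO_CA_SIGNING_CERT: "Undefined",
            cm.INFO_INTERMEDIATES: "Undefined",
            cm.INFO_EXPIRATION: expiration.isoformat()
        }
        self.plugin_returned.get_ca_info.return_value = {
            'plugin_ca_id1': ca_info
        }

        # The CA row the repository hands back for that plugin.
        parsed_ca = {
            'plugin_name': self.plugin_name,
            'plugin_ca_id': 'plugin_ca_id1',
            'name': self.plugin_name,
            'description': 'Master CA for default plugin',
            'ca_signing_certificate': 'ZZZZZ',
            'intermediates': 'YYYYY'
        }
        self.ca = models.CertificateAuthority(parsed_ca)
        self.ca.id = 'ca_id'

        self.ca_repo = mock.MagicMock()
        self.ca_repo.get_by_create_date.return_value = (self.ca, 0, 1, 1)
        self.ca_repo.create_from.return_value = None
        self.ca_repo.get.return_value = self.ca

        self.project = models.Project()
        self.project.id = '12345'

        self.setup_ca_repository_mock(self.ca_repo)

        # Assigned once here (the original assigned an identical, unused
        # mock earlier in this method as well).
        self.plugin_loaded = mock.MagicMock(obj=self.plugin_returned)
        self.manager = cm.CertificatePluginManager()
        self.manager.extensions = [self.plugin_loaded]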
예제 #28
def _save_secret_metadata(secret_model, secret_metadata,
                          store_plugin, content_type, repos):
    """Record which plugin stored ``secret_model`` and in what content type.

    A non-empty ``secret_metadata`` dict is updated in place (the caller's
    dict gains ``plugin_name`` and ``content_type``); a falsy value starts
    from an empty dict.

    :param repos: repository bundle exposing ``secret_meta_repo``
    """
    metadata = secret_metadata or {}
    metadata['plugin_name'] = utils.generate_fullname_for(store_plugin)
    metadata['content_type'] = content_type

    repos.secret_meta_repo.save(metadata, secret_model)
예제 #29
def _schedule_check_cert_request(cert_plugin, order_model, plugin_meta, repos,
                                 cert_result_dto, project_model, retry_time):
    """Queue a follow-up check of a pending certificate request.

    The retry targets ``check_certificate_request`` in this module and
    identifies the plugin by its full name rather than by object, so the
    retry does not depend on this plugin instance surviving.
    ``_schedule_cert_retry_task`` may substitute values taken from
    ``cert_result_dto``.
    """
    plugin_full_name = utils.generate_fullname_for(cert_plugin)
    _schedule_cert_retry_task(
        cert_result_dto, cert_plugin, order_model, plugin_meta,
        retry_method="check_certificate_request",
        retry_object="barbican.tasks.certificate_resources",
        retry_time=retry_time,
        retry_args=[order_model, project_model, plugin_full_name, repos])
예제 #30
    def _plugin_supports(self, plugin_inst, kek_metadata_tenant):
        """Tell whether a plugin owns the supplied KEK metadata.

        Ownership is decided purely by name: the plugin's full name must
        equal the ``plugin_name`` recorded on the key encryption key (KEK)
        metadata.

        :param plugin_inst: The plugin instance to test.
        :param kek_metadata_tenant: The KEK metadata to test.
        :return: True if the plugin can support operations on the KEK metadata.
        """
        recorded_name = kek_metadata_tenant.plugin_name
        return utils.generate_fullname_for(plugin_inst) == recorded_name
예제 #31
 def __init__(self, conf):
     """Open the database and HSM handles and load the *new* master keys.

     :param conf: configuration object; ``sql_connection`` selects the
         database and the rest is handed to ``P11CryptoPlugin``
     """
     self.dry_run = False

     # Database side: engine plus scoped session factory.  NOTE:
     # autocommit=True, so each statement is committed as it runs.
     engine = sqlalchemy.create_engine(conf.sql_connection)
     self.db_engine = engine
     self._session_creator = scoping.scoped_session(
         orm.sessionmaker(bind=engine, autocommit=True))

     # HSM side: the regular P11 crypto plugin gives us the PKCS#11
     # wrapper and an open HSM session.
     plugin = p11_crypto.P11CryptoPlugin(conf)
     self.crypto_plugin = plugin
     self.pkcs11 = plugin.pkcs11
     self.plugin_name = utils.generate_fullname_for(plugin)
     self.hsm_session = self.pkcs11.get_session()

     # The labels the plugin is configured with are the "new" MKEK/HMAC
     # keys; resolve them now through the plugin's (private) key lookup.
     self.new_mkek_label = plugin.mkek_label
     self.new_hmac_label = plugin.hmac_label
     self.new_mkek = plugin._get_master_key(self.new_mkek_label)
     self.new_mkhk = plugin._get_master_key(self.new_hmac_label)
예제 #32
    def _plugin_supports(self, plugin_inst, kek_metadata_tenant):
        """Tell whether a plugin owns the supplied KEK metadata.

        Ownership is decided purely by name: the plugin's full name must
        equal the ``plugin_name`` recorded on the key encryption key (KEK)
        metadata.

        :param plugin_inst: The plugin instance to test.
        :param kek_metadata_tenant: The KEK metadata to test.
        :return: True if the plugin can support operations on the KEK metadata.
        """
        full_name = utils.generate_fullname_for(plugin_inst)
        return kek_metadata_tenant.plugin_name == full_name
예제 #33
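    def setUp(self):
        """Build a manager with one mocked plugin that advertises a single CA.

        The mocked CA repository returns ``self.ca`` for every lookup so
        the manager's CA-table code paths can run without a database.
        """
        super(WhenTestingCertificatePluginManager, self).setUp()
        self.cert_spec = {}

        self.plugin_returned = mock.MagicMock()
        self.plugin_name = common_utils.generate_fullname_for(
            self.plugin_returned)
        types_list = [cm.CertificateRequestType.SIMPLE_CMC_REQUEST,
                      cm.CertificateRequestType.CUSTOM_REQUEST]
        self.plugin_returned.supported_request_types.return_value = types_list
        self.plugin_returned.supports.return_value = True

        # The plugin's advertised CA info; expiration is the default window
        # from "now" so the entry is never treated as expired by the test.
        expiration = (datetime.datetime.utcnow() + datetime.timedelta(
            days=cm.CA_INFO_DEFAULT_EXPIRATION_DAYS))
        ca_info = {
            cm.INFO_NAME: "my_ca",
            cm.INFO_DESCRIPTION: "Certificate Authority my_ca",
            cm.INFO_CA_SIGNING_CERT: "Undefined",
            cm.INFO_INTERMEDIATES: "Undefined",
            cm.INFO_EXPIRATION: expiration.isoformat()
        }
        self.plugin_returned.get_ca_info.return_value = {
            'plugin_ca_id1': ca_info
        }

        # The CA row the repository hands back for that plugin.
        parsed_ca = {
            'plugin_name': self.plugin_name,
            'plugin_ca_id': 'plugin_ca_id1',
            'name': self.plugin_name,
            'description': 'Master CA for default plugin',
            'ca_signing_certificate': 'ZZZZZ',
            'intermediates': 'YYYYY'
        }
        self.ca = models.CertificateAuthority(parsed_ca)
        self.ca.id = 'ca_id'

        self.ca_repo = mock.MagicMock()
        self.ca_repo.get_by_create_date.return_value = (
            self.ca, 0, 1, 1)
        self.ca_repo.create_from.return_value = None
        self.ca_repo.get.return_value = self.ca

        self.project = models.Project()
        self.project.id = '12345'

        self.setup_ca_repository_mock(self.ca_repo)

        # Assigned once here (the original assigned an identical, unused
        # mock earlier in this method as well).
        self.plugin_loaded = mock.MagicMock(obj=self.plugin_returned)
        self.manager = cm.CertificatePluginManager()
        self.manager.extensions = [self.plugin_loaded]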
예제 #34
def _schedule_check_cert_request(cert_plugin, order_model, plugin_meta, repos,
                                 cert_result_dto, project_model, retry_time):
    """Queue a follow-up check of a pending certificate request.

    The retry targets ``check_certificate_request`` in this module and
    identifies the plugin by its full name rather than by object, so the
    retry does not depend on this plugin instance surviving.
    ``_schedule_cert_retry_task`` may substitute values taken from
    ``cert_result_dto``.
    """
    check_args = [
        order_model,
        project_model,
        utils.generate_fullname_for(cert_plugin),
        repos,
    ]
    _schedule_cert_retry_task(
        cert_result_dto, cert_plugin, order_model, plugin_meta,
        retry_method="check_certificate_request",
        retry_object="barbican.tasks.certificate_resources",
        retry_time=retry_time,
        retry_args=check_args)
예제 #35
    def setUp(self):
        """Point the shared event plugin manager at one mocked plugin."""
        super(WhenTestingCertificateEventPluginManager, self).setUp()

        # Fixture values handed to the event callbacks under test.
        self.project_id = '1234'
        self.order_ref = 'http://www.mycerts.com/v1/orders/123456'
        self.container_ref = 'http://www.mycerts.com/v1/containers/654321'
        self.error_msg = 'Something is broken'
        self.retry_in_msec = 5432

        returned = mock.MagicMock()
        self.plugin_returned = returned
        self.plugin_name = common_utils.generate_fullname_for(returned)
        self.plugin_loaded = mock.MagicMock(obj=returned)

        # NOTE: this is the module-level manager, so the extension list is
        # replaced for everything sharing it, not just this test.
        self.manager = cm.EVENT_PLUGIN_MANAGER
        self.manager.extensions = [self.plugin_loaded]
예제 #36
def _schedule_cert_retry_task(cert_result_dto, cert_plugin, order_model,
                              plugin_meta,
                              retry_method=None,
                              retry_object=None,
                              retry_time=None,
                              retry_args=None):
    """Schedule a retry, letting the plugin's result DTO override defaults.

    :param cert_result_dto: plugin result.  A positive ``retry_msec``
        replaces ``retry_time``; a truthy ``retry_method`` redirects the
        retry to that method on the plugin itself (``retry_object`` becomes
        the plugin's full name and ``retry_args`` the plugin-call arguments).
    :param cert_plugin: plugin that produced the result
    :param order_model: order the retry concerns
    :param plugin_meta: plugin metadata passed back on a plugin-side retry
    :param retry_method: default method name to retry
    :param retry_object: default object/module the method lives on
    :param retry_time: default delay
    :param retry_args: default arguments for the retried method
    """
    delay = retry_time
    if cert_result_dto.retry_msec > 0:
        delay = cert_result_dto.retry_msec

    # NOTE(review): retry_method here comes from the plugin-supplied DTO
    # and is later resolved by name (in _schedule_retry_task, not shown);
    # this relies on plugins being trusted code.
    plugin_method = cert_result_dto.retry_method
    if plugin_method:
        target = (utils.generate_fullname_for(cert_plugin), plugin_method,
                  [order_model.id, order_model.meta, plugin_meta])
    else:
        target = (retry_object, retry_method, retry_args)

    obj, method, args = target
    _schedule_retry_task(obj, method, delay, args)
예제 #37
    def setUp(self):
        """Point the shared event plugin manager at one mocked plugin."""
        super(WhenTestingCertificateEventPluginManager, self).setUp()

        # Fixture values handed to the event callbacks under test.
        self.project_id = '1234'
        self.order_ref = 'http://www.mycerts.com/v1/orders/123456'
        self.container_ref = 'http://www.mycerts.com/v1/containers/654321'
        self.error_msg = 'Something is broken'
        self.retry_in_msec = 5432

        returned = mock.MagicMock()
        self.plugin_returned = returned
        self.plugin_name = common_utils.generate_fullname_for(returned)
        self.plugin_loaded = mock.MagicMock(obj=returned)

        # NOTE: this is the module-level manager, so the extension list is
        # replaced for everything sharing it, not just this test.
        self.manager = cm.EVENT_PLUGIN_MANAGER
        self.manager.extensions = [self.plugin_loaded]
예제 #38
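    def get_plugin_retrieve_delete(self, plugin_name):
        """Return the secret store plugin recorded for an existing secret.

        :param plugin_name: full plugin name (presumably the one saved in the
            secret's metadata when it was stored -- TODO confirm)
        :returns: SecretStoreBase plugin implementation
        :raises SecretStorePluginNotFound: no extensions are loaded at all
        :raises SecretStoreSupportedPluginNotFound: extensions are loaded but
            none carries ``plugin_name``.  NOTE(review): other by-name
            lookups in this manager appear to raise
            ``SecretStorePluginNotFound(plugin_name)`` for this case; the
            types are kept as they were so existing except clauses match.
        """
        if not self.extensions:
            raise SecretStorePluginNotFound()

        for ext in self.extensions:
            if utils.generate_fullname_for(ext.obj) == plugin_name:
                return ext.obj
        raise SecretStoreSupportedPluginNotFound()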
예제 #39
def _schedule_cert_retry_task(cert_result_dto,
                              cert_plugin,
                              order_model,
                              plugin_meta,
                              retry_method=None,
                              retry_object=None,
                              retry_time=None,
                              retry_args=None):
    """Schedule a retry for the certificate operation the DTO reports on.

    Values carried by ``cert_result_dto`` win over the keyword defaults:
    ``retry_msec`` > 0 sets the delay; a truthy ``retry_method`` sets the
    method, points the retry at ``cert_plugin`` (by fully-qualified name)
    and fixes the arguments to ``[order id, order meta, plugin_meta]``.

    :param cert_result_dto: result object returned by the certificate plugin
    :param cert_plugin: plugin instance that should handle the retry
    :param order_model: order being processed; ``id`` and ``meta`` are used
    :param plugin_meta: plugin metadata handed back on retry
    :param retry_method: fallback method name if the DTO names none
    :param retry_object: fallback target if the DTO names no method
    :param retry_time: fallback delay if the DTO's ``retry_msec`` is <= 0
    :param retry_args: fallback arguments if the DTO names no method
    """
    delay_from_plugin = cert_result_dto.retry_msec
    if delay_from_plugin > 0:
        retry_time = delay_from_plugin

    method_from_plugin = cert_result_dto.retry_method
    if method_from_plugin:
        # The plugin names its own retry entry point; the target is the
        # plugin itself, identified by name rather than by reference.
        # NOTE(review): how _schedule_retry_task resolves that name is not
        # visible here -- confirm it only dispatches to plugin methods.
        retry_method = method_from_plugin
        retry_object = utils.generate_fullname_for(cert_plugin)
        retry_args = [order_model.id, order_model.meta, plugin_meta]

    _schedule_retry_task(retry_object, retry_method, retry_time, retry_args)
 def __init__(self, conf):
     """Set up database access and the PKCS#11 crypto plugin this tool uses.

     :param conf: configuration object; ``sql_connection`` is read directly
                  here and the whole object is handed to ``P11CryptoPlugin``
     """
     # Only the attribute is set here; how it is honoured is not visible.
     self.dry_run = False
     self.db_engine = sqlalchemy.create_engine(conf.sql_connection)
     # NOTE(review): autocommit=True presumably commits each statement on
     # its own, so a multi-step operation through these sessions cannot be
     # rolled back as a unit -- confirm this is intended.
     self._session_creator = scoping.scoped_session(
         orm.sessionmaker(
             bind=self.db_engine,
             autocommit=True
         )
     )
     self.crypto_plugin = p11_crypto.P11CryptoPlugin(conf)
     self.pkcs11 = self.crypto_plugin.pkcs11
     self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
     self.hsm_session = self.pkcs11.get_session()
     # Labels of the MKEK / HMAC keys the plugin is currently configured
     # with; the lookups below are keyed on these labels.
     self.new_mkek_label = self.crypto_plugin.mkek_label
     self.new_hmac_label = self.crypto_plugin.hmac_label
     # Reaches into a private plugin method; presumably returns HSM key
     # handles rather than key material -- TODO confirm.
     self.new_mkek = self.crypto_plugin._get_master_key(self.new_mkek_label)
     self.new_mkhk = self.crypto_plugin._get_master_key(self.new_hmac_label)
    def get_plugin_retrieve_delete(self, plugin_name):
        """Return the active store plugin registered under ``plugin_name``.

        This is used when retrieving or deleting a secret that already
        exists, so ``plugin_name`` comes from the plugin metadata persisted
        with the secret rather than from the request. A miss therefore
        means the deployment no longer loads the plugin that wrote the
        secret (or its fully-qualified class name changed), i.e. a server
        misconfiguration rather than bad input.

        :param plugin_name: fully-qualified plugin name stored with the secret
        :returns: SecretStoreBase plugin implementation
        :raises StorePluginNotAvailableOrMisconfigured: no active plugin
            carries ``plugin_name``
        """
        missing = object()
        match = next(
            (candidate for candidate in plugin_utils.get_active_plugins(self)
             if utils.generate_fullname_for(candidate) == plugin_name),
            missing)
        if match is missing:
            raise StorePluginNotAvailableOrMisconfigured(plugin_name)
        return match
    def get_plugin_retrieve_delete(self, plugin_name):
        """Look up, by fully-qualified name, the plugin that stored a secret.

        Callers reach this on retrieve/delete of an existing secret, so the
        name originates from the plugin metadata already in the database.
        Not finding it means the server is misconfigured (the plugin is no
        longer active, or its class was renamed/moved), not that the caller
        asked for something invalid.

        :param plugin_name: fully-qualified plugin name from stored metadata
        :returns: SecretStoreBase plugin implementation
        :raises StorePluginNotAvailableOrMisconfigured: no active plugin
            matches ``plugin_name``
        """
        active = plugin_utils.get_active_plugins(self)
        for candidate in active:
            candidate_name = utils.generate_fullname_for(candidate)
            if candidate_name != plugin_name:
                continue
            return candidate
        raise StorePluginNotAvailableOrMisconfigured(plugin_name)
    def update_ca_info(self, cert_plugin):
        """Reconcile stored CA records for ``cert_plugin`` with its current set.

        Asks the plugin for the CAs it currently reports, then: hands stored
        CAs it no longer lists to ``_delete_ca``, updates the ones it still
        lists, and adds the ones it lists for the first time. Plugin errors
        are logged rather than propagated so one broken plugin does not
        abort the refresh.

        :param cert_plugin: certificate plugin whose ``get_ca_info()`` is
            the source of truth for this refresh
        """
        plugin_name = utils.generate_fullname_for(cert_plugin)
        try:
            reported = cert_plugin.get_ca_info()
        except Exception as e:
            # The plugin gave an invalid CA, log and return
            LOG.error(u._LE("ERROR getting CA from plugin: %s"),
                      encodeutils.exception_to_unicode(e))
            return

        stored, _offset, _limit, _total = self.ca_repo.get_by_create_date(
            plugin_name=plugin_name,
            suppress_exception=True,
            show_expired=True)

        # NOTE(review): a plugin that answers *successfully* with an empty
        # CA set (for whatever reason) sends every stored CA for this plugin
        # through _delete_ca; whether that is recoverable depends on
        # _delete_ca, which is not visible here.
        for stored_ca in stored or ():
            ca_id = stored_ca.plugin_ca_id
            if ca_id in reported.keys():
                # update those that still exist
                self.ca_repo.update_entity(stored_ca, reported[ca_id])
            else:
                # remove CAs that no longer exist
                self._delete_ca(stored_ca)

        known_ids = {ca.plugin_ca_id for ca in stored} if stored else set()

        # add new CAs
        for ca_id in set(reported.keys()) - known_ids:
            try:
                self._add_ca(plugin_name, ca_id, reported[ca_id])
            except Exception as e:
                # The plugin gave an invalid CA, log and continue
                LOG.error(u._LE("ERROR adding CA from plugin: %s"),
                          encodeutils.exception_to_unicode(e))
    def update_ca_info(self, cert_plugin):
        """Bring the stored CA records for ``cert_plugin`` in line with the plugin.

        The plugin's ``get_ca_info()`` is treated as authoritative: stored
        CAs missing from it go to ``_delete_ca``, ones still present are
        updated in place, and new ids are added via ``_add_ca``. Errors
        raised by the plugin are logged and otherwise ignored.

        :param cert_plugin: certificate plugin to refresh CA records for
        """
        plugin_name = utils.generate_fullname_for(cert_plugin)
        try:
            current = cert_plugin.get_ca_info()
        except Exception as e:
            # The plugin gave an invalid CA, log and return
            LOG.error("ERROR getting CA from plugin: %s",
                      encodeutils.exception_to_unicode(e))
            return

        existing, _offset, _limit, _total = self.ca_repo.get_by_create_date(
            plugin_name=plugin_name,
            suppress_exception=True,
            show_expired=True)

        # NOTE(review): an empty-but-successful get_ca_info() result routes
        # every existing CA of this plugin to _delete_ca; whether that is a
        # soft or hard delete is not visible from here.
        for existing_ca in existing or ():
            ca_id = existing_ca.plugin_ca_id
            if ca_id not in current.keys():
                # remove CAs that no longer exist
                self._delete_ca(existing_ca)
                continue
            # update those that still exist
            self.ca_repo.update_entity(existing_ca, current[ca_id])

        existing_ids = set()
        if existing:
            existing_ids = {ca.plugin_ca_id for ca in existing}

        # add new CAs
        for ca_id in set(current.keys()) - existing_ids:
            try:
                self._add_ca(plugin_name, ca_id, current[ca_id])
            except Exception as e:
                # The plugin gave an invalid CA, log and continue
                LOG.error("ERROR adding CA from plugin: %s",
                          encodeutils.exception_to_unicode(e))
def get_transport_key_model(key_spec, repos, transport_key_needed):
    """Return a usable transport key record for a store plugin, or ``None``.

    Picks the store plugin that supports ``key_spec`` *and* offers a
    transport key, then reuses the newest stored key for that plugin if the
    plugin still confirms it as current; otherwise a fresh transport key is
    fetched from the plugin and persisted. Re-checking currency on every
    call means a transport key the plugin has since rotated is not served
    stale.

    :param key_spec: KeySpec of the secret that will be stored
    :param repos: repository bundle exposing ``transport_key_repo``
    :param transport_key_needed: when False nothing is looked up
    :returns: TransportKey model, or ``None`` if no transport key is needed
    :raises: whatever ``get_plugin_store`` raises when no plugin with a
             transport key supports ``key_spec``
    """
    if not transport_key_needed:
        return None

    # get_plugin_store() will throw an exception if no suitable
    # plugin with transport key is found
    manager = secret_store.SecretStorePluginManager()
    store_plugin = manager.get_plugin_store(
        key_spec=key_spec, transport_key_needed=True)
    plugin_name = utils.generate_fullname_for(store_plugin)

    key_repo = repos.transport_key_repo
    latest = key_repo.get_latest_transport_key(plugin_name)
    still_current = bool(latest) and store_plugin.is_transport_key_current(
        latest.transport_key)
    if still_current:
        return latest

    # No stored key, or the plugin no longer vouches for it: fetch and
    # persist a new one.
    fresh_key = store_plugin.get_transport_key()
    return key_repo.create_from(models.TransportKey(plugin_name, fresh_key))
    def get_plugin_retrieve(self, plugin_name_for_store):
        """Return the loaded crypto plugin that originally stored a secret.

        :param plugin_name_for_store: fully-qualified name of the plugin
            recorded with the stored secret; compared exactly against
            ``utils.generate_fullname_for`` of each loaded extension
        :returns: CryptoPluginBase plugin implementation
        :raises crypto.CryptoPluginNotFound: no crypto plugins are loaded
        :raises secret_store.SecretStorePluginNotFound: plugins are loaded
            but none carries ``plugin_name_for_store``
        """
        if not self.extensions:
            raise crypto.CryptoPluginNotFound()

        for extension in self.extensions:
            candidate = extension.obj
            candidate_name = utils.generate_fullname_for(candidate)
            if candidate_name == plugin_name_for_store:
                return candidate

        raise secret_store.SecretStorePluginNotFound()
    def get_plugin_retrieve(self, plugin_name_for_store):
        """Find the active crypto plugin registered under a stored name.

        :param plugin_name_for_store: fully-qualified plugin name saved
            alongside the secret; matched exactly, so a renamed plugin
            class is treated as absent
        :returns: CryptoPluginBase plugin implementation
        :raises crypto.CryptoPluginNotFound: no crypto plugins are active
        :raises secret_store.SecretStorePluginNotFound: none of the active
            plugins matches ``plugin_name_for_store``
        """
        active = plugin_utils.get_active_plugins(self)
        if not active:
            raise crypto.CryptoPluginNotFound()

        missing = object()
        match = next(
            (candidate for candidate in active
             if utils.generate_fullname_for(candidate) == plugin_name_for_store),
            missing)
        if match is missing:
            raise secret_store.SecretStorePluginNotFound()
        return match
    def get_plugin_retrieve(self, plugin_name_for_store):
        """Return the active crypto plugin whose full name matches.

        :param plugin_name_for_store: fully-qualified name of the plugin
            that stored the secret, compared exactly against
            ``utils.generate_fullname_for`` of each active plugin
        :returns: CryptoPluginBase plugin implementation
        :raises crypto.CryptoPluginNotFound: no crypto plugins are active
        :raises secret_store.SecretStorePluginNotFound: no active plugin
            carries ``plugin_name_for_store``
        """
        active = plugin_utils.get_active_plugins(self)
        if not active:
            raise crypto.CryptoPluginNotFound()

        for candidate in active:
            if utils.generate_fullname_for(candidate) == plugin_name_for_store:
                return candidate

        raise secret_store.SecretStorePluginNotFound()
def _get_transport_key_model(key_spec, transport_key_needed):
    """Return a current transport key record for a store plugin, or ``None``.

    Selects the store plugin that supports ``key_spec`` and offers a
    transport key, then reuses that plugin's newest stored key only if the
    plugin still reports it as current; otherwise a new key is fetched from
    the plugin and persisted. Because currency is re-checked on every call,
    a transport key the plugin has rotated is refreshed rather than served
    stale.

    :param key_spec: KeySpec of the secret that will be stored
    :param transport_key_needed: when False nothing is looked up
    :returns: TransportKey model, or ``None`` if no transport key is needed
    :raises: whatever ``get_plugin_store`` raises when no plugin with a
             transport key supports ``key_spec``
    """
    if not transport_key_needed:
        return None

    # get_plugin_store() will throw an exception if no suitable
    # plugin with transport key is found
    plugin_manager = secret_store.get_manager()
    store_plugin = plugin_manager.get_plugin_store(
        key_spec=key_spec, transport_key_needed=True)
    plugin_name = utils.generate_fullname_for(store_plugin)

    key_repo = repos.get_transport_key_repository()
    latest = key_repo.get_latest_transport_key(plugin_name)
    if latest and store_plugin.is_transport_key_current(latest.transport_key):
        return latest

    # Missing or stale: ask the plugin for a fresh key and store it.
    fresh_key = store_plugin.get_transport_key()
    new_record = models.TransportKey(plugin_name, fresh_key)
    return key_repo.create_from(new_record)
    def _find_or_create_kek_objects(self, plugin_inst, tenant, kek_repo):
        """Fetch (or create and bind) the tenant's KEK record for a plugin.

        The KEK datum is keyed on tenant plus the plugin's fully-qualified
        name. On first use the plugin is asked to bind its key metadata and
        the datum is marked bound and saved; afterwards the stored datum is
        returned untouched.

        :param plugin_inst: crypto plugin that owns the KEK
        :param tenant: tenant the KEK belongs to
        :param kek_repo: repository used to find/create/save the datum
        :returns: ``(kek_datum, kek_meta_dto)`` tuple
        :raises CryptoKEKBindingException: the plugin returned ``None``
            from ``bind_kek_metadata`` instead of a DTO
        """
        # Find or create a key encryption key.
        full_plugin_name = utils.generate_fullname_for(plugin_inst)
        kek_datum = kek_repo.find_or_create_kek_datum(tenant, full_plugin_name)

        kek_meta_dto = plugin_mod.KEKMetaDTO(kek_datum)
        if kek_datum.bind_completed:
            return kek_datum, kek_meta_dto

        # Bind to the plugin's key management.
        # TODO(jwood): Does this need to be in a critical section? Should the
        # bind operation just be declared idempotent in the plugin contract?
        # NOTE(review): two workers racing through this branch for the same
        # tenant/plugin would both call bind_kek_metadata; nothing visible
        # here serialises them.
        bound_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)

        # By contract, enforce that plugins return a
        # (typically modified) DTO.
        if bound_dto is None:
            raise CryptoKEKBindingException(full_plugin_name)

        plugin_mod.indicate_bind_completed(bound_dto, kek_datum)
        kek_repo.save(kek_datum)
        return kek_datum, bound_dto
    def _find_or_create_kek_objects(self, plugin_inst, tenant_model, kek_repo):
        """Return the tenant's KEK datum and DTO for a plugin, binding on first use.

        The datum is looked up (or created) by tenant and the plugin's
        fully-qualified name. If it has not been bound yet the plugin's
        ``bind_kek_metadata`` is invoked, the datum is marked bound and
        saved; an already-bound datum is returned as-is.

        :param plugin_inst: crypto plugin that owns the KEK
        :param tenant_model: tenant the KEK belongs to
        :param kek_repo: repository used to find/create/save the datum
        :returns: ``(kek_datum_model, kek_meta_dto)`` tuple
        :raises crypto.CryptoKEKBindingException: the plugin returned
            ``None`` from ``bind_kek_metadata``
        """
        # Find or create a key encryption key.
        full_plugin_name = utils.generate_fullname_for(plugin_inst)
        kek_datum_model = kek_repo.find_or_create_kek_datum(tenant_model,
                                                            full_plugin_name)

        kek_meta_dto = crypto.KEKMetaDTO(kek_datum_model)
        if kek_datum_model.bind_completed:
            return kek_datum_model, kek_meta_dto

        # Bind to the plugin's key management.
        # TODO(jwood): Does this need to be in a critical section? Should the
        # bind operation just be declared idempotent in the plugin contract?
        # NOTE(review): nothing visible here prevents two concurrent callers
        # from both reaching bind_kek_metadata for the same tenant/plugin.
        bound_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)

        # By contract, enforce that plugins return a
        # (typically modified) DTO.
        if bound_dto is None:
            raise crypto.CryptoKEKBindingException(full_plugin_name)

        self._indicate_bind_completed(bound_dto, kek_datum_model)
        kek_repo.save(kek_datum_model)
        return kek_datum_model, bound_dto
    def get_plugin_retrieve(self, plugin_name_for_store):
        """Return the active crypto plugin that stored a secret.

        :param plugin_name_for_store: fully-qualified plugin name recorded
            with the secret; compared exactly against each active plugin's
            ``utils.generate_fullname_for`` value
        :returns: CryptoPluginBase plugin implementation
        :raises base.CryptoPluginNotFound: no crypto plugins are active
        :raises base.CryptoPluginUnsupportedOperation: no active plugin
            matches ``plugin_name_for_store``
        """
        active = plugin_utils.get_active_plugins(self)
        if not active:
            raise base.CryptoPluginNotFound()

        for candidate in active:
            if utils.generate_fullname_for(candidate) == plugin_name_for_store:
                return candidate

        operation = (u._("retrieve a secret from plugin: {plugin}")
                     .format(plugin=plugin_name_for_store))
        raise base.CryptoPluginUnsupportedOperation(operation=operation)
    def get_plugin_retrieve(self, plugin_name_for_store):
        """Find, by fully-qualified name, the active plugin that stored a secret.

        :param plugin_name_for_store: plugin name persisted with the secret;
            an exact match is required, so a renamed plugin class counts as
            missing
        :returns: CryptoPluginBase plugin implementation
        :raises base.CryptoPluginNotFound: no crypto plugins are active
        :raises base.CryptoPluginUnsupportedOperation: plugins are active
            but none matches ``plugin_name_for_store``
        """
        active = plugin_utils.get_active_plugins(self)
        if not active:
            raise base.CryptoPluginNotFound()

        missing = object()
        match = next(
            (candidate for candidate in active
             if utils.generate_fullname_for(candidate) == plugin_name_for_store),
            missing)
        if match is not missing:
            return match

        operation = (u._("retrieve a secret from plugin: {plugin}")
                     .format(plugin=plugin_name_for_store))
        raise base.CryptoPluginUnsupportedOperation(operation=operation)
def _find_or_create_kek_objects(plugin_inst, project_model):
    """Return the project's KEK datum and DTO for a plugin, binding on first use.

    The datum is looked up (or created) by project and the plugin's
    fully-qualified name. If it is not yet bound the plugin's
    ``bind_kek_metadata`` is invoked, the datum is marked bound and saved;
    an already-bound datum is returned unchanged.

    :param plugin_inst: crypto plugin that owns the KEK
    :param project_model: project the KEK belongs to
    :returns: ``(kek_datum_model, kek_meta_dto)`` tuple
    :raises crypto.CryptoKEKBindingException: the plugin returned ``None``
        from ``bind_kek_metadata``
    """
    kek_repo = repositories.get_kek_datum_repository()

    # Find or create a key encryption key.
    full_plugin_name = utils.generate_fullname_for(plugin_inst)
    kek_datum_model = kek_repo.find_or_create_kek_datum(
        project_model, full_plugin_name)

    kek_meta_dto = crypto.KEKMetaDTO(kek_datum_model)
    if kek_datum_model.bind_completed:
        return kek_datum_model, kek_meta_dto

    # Bind to the plugin's key management.
    # TODO(jwood): Does this need to be in a critical section? Should the
    # bind operation just be declared idempotent in the plugin contract?
    # NOTE(review): concurrent first-use callers for the same project/plugin
    # can both reach bind_kek_metadata; nothing here serialises them.
    bound_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)

    # By contract, enforce that plugins return a
    # (typically modified) DTO.
    if bound_dto is None:
        raise crypto.CryptoKEKBindingException(full_plugin_name)

    _indicate_bind_completed(bound_dto, kek_datum_model)
    kek_repo.save(kek_datum_model)
    return kek_datum_model, bound_dto
 def test_returns_qualified_name(self):
     """Module and class name are joined with a dot."""
     klass = self.instance.__class__
     klass.__module__ = 'dummy'
     self.assertEqual('dummy.DummyClassForTesting',
                      utils.generate_fullname_for(self.instance))
 def test_returns_class_name_on_null_module(self):
     """With no module set, only the bare class name comes back."""
     klass = self.instance.__class__
     klass.__module__ = None
     self.assertEqual('DummyClassForTesting',
                      utils.generate_fullname_for(self.instance))
 def test_get_fullname_for_string_doesnt_include_module(self):
     """A builtin such as str yields a bare name with no module prefix."""
     fullname = utils.generate_fullname_for("foo")
     self.assertNotIn(".", fullname)
     self.assertNotIn(six.moves.builtins.__name__, fullname)