def _get_client(self, retry_on_conflict=True):
    """Return a Barbican client whose session is authenticated via Keystone.

    :param retry_on_conflict: When truthy (the default) a previously built
        client in ``self._cached_client`` is reused, and a newly built one
        is stored there. When falsy the cache is neither read nor written,
        so every call constructs a fresh client (and therefore performs
        fresh Keystone authentication).
    :returns: A ``barbican.client.Client`` bound to
        ``CONF.barbican.api_endpoint``.
    :raises errors.BarbicanClientException: if client construction fails
        with ``barbican_exc.HTTPAuthError``; the original error is logged
        with its traceback before being translated.
    """
    if retry_on_conflict:
        cached = self._cached_client
        if cached is not None:
            return cached

    # TODO(fmontei): Deckhand's configuration file needs to be populated
    # with correct Keystone authentication values as well as the Barbican
    # endpoint URL automatically.
    endpoint = CONF.barbican.api_endpoint
    # Credentials come from the ``[keystone_authtoken]`` section of CONF;
    # nothing about them is logged here.
    keystone_auth = loading.load_auth_from_conf_options(
        CONF, 'keystone_authtoken')
    keystone_session = session.Session(auth=keystone_auth)

    try:
        client = barbican.client.Client(
            endpoint=endpoint, session=keystone_session)
    except barbican_exc.HTTPAuthError as exc:
        LOG.exception(str(exc))
        raise errors.BarbicanClientException(
            code=exc.status_code, details=str(exc))

    # Keep the authenticated client around so later calls skip
    # reconstruction and re-authentication.
    if retry_on_conflict:
        self._cached_client = client
    return client
def _do_create_secret(self, secret_args):
    """Create a secret in Barbican through the cache construct.

    Barbican client errors are translated into Deckhand's own exception
    types so callers never see ``barbicanclient`` exceptions directly.

    :param secret_args: Dict containing the data for the secret to create;
        passed to ``cache.lookup_by_payload`` as keyword arguments.
    :type secret_args: dict
    :returns: Secret reference returned by Barbican
    :rtype: str
    :raises errors.BarbicanClientException: on Barbican auth/client errors
        (logged with traceback; the HTTP status code is propagated).
    :raises errors.BarbicanServerException: on Barbican server errors or an
        unsupported payload type.
    """
    try:
        secret_ref = cache.lookup_by_payload(self.barbicanclient,
                                             **secret_args)
    except (barbicanclient.exceptions.HTTPAuthError,
            barbicanclient.exceptions.HTTPClientError) as exc:
        LOG.exception(str(exc))
        raise errors.BarbicanClientException(
            code=exc.status_code, details=str(exc))
    except barbicanclient.exceptions.HTTPServerError as exc:
        # Only the exception class name is logged here, not its message.
        LOG.error(
            'Caught %s error from Barbican, likely due to a '
            'configuration or deployment issue.', exc.__class__.__name__)
        raise errors.BarbicanServerException(details=str(exc))
    except barbicanclient.exceptions.PayloadException as exc:
        LOG.error(
            'Caught %s error from Barbican, because the secret '
            'payload type is unsupported.', exc.__class__.__name__)
        raise errors.BarbicanServerException(details=str(exc))
    return secret_ref
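def create_secret(self, secret_doc):
    """Create a secret for ``secret_doc``.

    :param secret_doc: Document whose data is to be stored. Documents whose
        ``storage_policy`` is ``types.CLEARTEXT`` are never sent to
        Barbican; all others are.
    :type secret_doc: document.DocumentDict
    :returns: Secret reference returned by Barbican, or, for cleartext
        documents, the payload produced by ``_base64_encode_payload``.
    :rtype: str
    :raises errors.BarbicanClientException: on Barbican auth/client errors.
    :raises errors.BarbicanServerException: on Barbican server errors or an
        unsupported payload type.
    """
    secret_type, payload = self._base64_encode_payload(secret_doc)

    # Cleartext documents bypass Barbican entirely: the encoded payload
    # is handed straight back to the caller.
    if secret_doc.storage_policy == types.CLEARTEXT:
        return payload

    secret_args = {
        'name': secret_doc['metadata']['name'],
        'secret_type': secret_type,
        'payload': payload,
    }
    # Deliberately a static message: ``secret_args`` carries the secret
    # payload and must not reach the logs.
    LOG.info('Storing encrypted document data in Barbican.')
    # The Barbican call and the translation of barbicanclient exceptions
    # live in _do_create_secret; do not duplicate that handling here.
    return self._do_create_secret(secret_args)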
def get_secret(self, secret_ref, src_doc):
    """Fetch the payload of the Barbican secret at ``secret_ref``.

    :param secret_ref: Secret reference previously returned by Barbican.
    :param src_doc: Document the secret belongs to; only ``src_doc.meta``
        is used, for the debug log line (the payload itself is never
        logged).
    :returns: The secret payload. When Barbican reports the secret type
        as ``'opaque'`` the payload is passed through
        ``_base64_decode_payload`` first; otherwise it is returned as-is.
    :raises errors.BarbicanClientException: on Barbican auth/client errors.
    :raises errors.BarbicanServerException: on Barbican server errors or a
        ``ValueError`` raised during the lookup.
    """
    try:
        found = cache.lookup_by_ref(self.barbicanclient, secret_ref)
    except (barbicanclient.exceptions.HTTPAuthError,
            barbicanclient.exceptions.HTTPClientError) as exc:
        LOG.exception(str(exc))
        raise errors.BarbicanClientException(
            code=exc.status_code, details=str(exc))
    except (barbicanclient.exceptions.HTTPServerError, ValueError) as exc:
        LOG.exception(str(exc))
        raise errors.BarbicanServerException(details=str(exc))

    payload = found.payload
    if found.secret_type != 'opaque':
        return payload

    LOG.debug(
        'Forcibly base64-decoding original non-string payload '
        'for document [%s, %s] %s.', *src_doc.meta)
    return self._base64_decode_payload(payload)