예제 #1
파일: local.py 프로젝트: ypilpre/octavia
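    def get_secret(context, secret_ref):
        """Retrieve a secret payload by reference from the local filesystem.

        The payload is read from ``<storage_path>/<secret_ref>.crt``.

        :param context: Ignored in this implementation
        :param secret_ref: The secret reference ID (used as a file name)

        :return: The secret payload as read from the file
        :raises CertificateRetrievalException: if the reference resolves
            outside the configured storage path or the file cannot be read
        """
        LOG.info("Loading secret %s from the local filesystem.", secret_ref)

        storage_path = os.path.realpath(CONF.certificates.storage_path)
        filename_base = os.path.join(storage_path, secret_ref)
        filename_secret = os.path.realpath("{0}.crt".format(filename_base))

        # The reference is used as a path component. Refuse anything that
        # resolves outside the storage directory (e.g. '..' segments or an
        # absolute path, which os.path.join would honour), so a reference can
        # only ever name files inside that directory.
        try:
            inside = (os.path.commonpath([storage_path, filename_secret])
                      == storage_path)
        except ValueError:
            # Paths on different drives (Windows) have no common path.
            inside = False
        if not inside:
            LOG.error("Secret reference %s resolves outside the storage path.",
                      secret_ref)
            raise exceptions.CertificateRetrievalException(ref=secret_ref)

        try:
            # Read-only text open; OSError covers the former IOError
            # (missing file, permission denied, ...).
            with open(filename_secret) as secret_file:
                return secret_file.read()
        except OSError:
            LOG.error("Failed to read secret for %s.", secret_ref)
            raise exceptions.CertificateRetrievalException(ref=secret_ref)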
예제 #2
 def get_secret(self, context, secret_ref):
     """Return the encoded payload of the secret *secret_ref*.

     :param context: Request context handed to the backing manager
     :param secret_ref: Reference of the secret to fetch
     :return: The encoded secret payload
     :raises CertificateRetrievalException: if the manager lookup or the
         encoding step fails for any reason
     """
     try:
         payload = self.manager.get(context, secret_ref).get_encoded()
     except Exception as err:
         LOG.error("Failed to access secret for %s due to: %s.", secret_ref,
                   str(err))
         raise exceptions.CertificateRetrievalException(ref=secret_ref)
     return payload
예제 #3
    def _validate_tls_refs(self, tls_refs):
        """Check that every TLS container reference can be fetched.

        Each reference is probed with ``check_only=True``; any lookup that
        raises is recorded, and a single CertificateRetrievalException
        listing all failing references is raised at the end.

        :param tls_refs: Iterable of TLS container references
        :raises CertificateRetrievalException: if one or more references
            cannot be retrieved
        """
        context = pecan.request.context.get('octavia_context')

        def _is_retrievable(ref):
            try:
                self.cert_manager.get_cert(context, ref, check_only=True)
            except Exception:
                return False
            return True

        unreachable = [ref for ref in tls_refs if not _is_retrievable(ref)]
        if unreachable:
            raise exceptions.CertificateRetrievalException(ref=unreachable)
예제 #4
파일: base.py 프로젝트: mtatsuma/octavia
    def _validate_client_ca_and_crl_refs(self, client_ca_ref, crl_ref):
        """Fetch and validate the client CA certificate and optional CRL.

        Both references are read through the certificate manager (ACLs are
        set on each first); references that cannot be fetched are reported
        together in one CertificateRetrievalException. The CA payload must
        parse as a PEM x509 certificate and the CRL, when given, must parse
        as a PEM CRL whose signature verifies against that CA.

        :param client_ca_ref: Reference of the client CA certificate secret
        :param crl_ref: Reference of the CRL secret, or a falsy value for none
        :raises CertificateRetrievalException: if a reference cannot be read
        :raises ValidationException: if the CA or CRL is malformed, or the
            CRL is not signed by the CA
        """
        context = pecan.request.context.get('octavia_context')

        def _fetch(ref):
            self.cert_manager.set_acls(context, ref)
            return self.cert_manager.get_secret(context, ref)

        def _to_bytes(pem):
            # A str payload is UTF-8 encoded; a payload without .encode
            # (already bytes) is passed through untouched.
            try:
                return pem.encode('utf-8')
            except AttributeError:
                return pem

        bad_refs = []
        ca_pem = pem_crl = None
        try:
            ca_pem = _fetch(client_ca_ref)
        except Exception:
            bad_refs.append(client_ca_ref)
        if crl_ref:
            try:
                pem_crl = _fetch(crl_ref)
            except Exception:
                bad_refs.append(crl_ref)
        if bad_refs:
            raise exceptions.CertificateRetrievalException(ref=bad_refs)

        try:
            ca_cert = x509.load_pem_x509_certificate(_to_bytes(ca_pem),
                                                     default_backend())
        except Exception as e:
            raise exceptions.ValidationException(detail=_(
                "The client authentication CA certificate is invalid. "
                "It must be a valid x509 PEM format certificate. "
                "Error: %s") % str(e))

        if not pem_crl:
            return

        # Only a CRL issued by this CA is meaningful for client auth.
        ca_pub_key = ca_cert.public_key()
        crl_bytes = _to_bytes(pem_crl)
        try:
            crl = x509.load_pem_x509_crl(crl_bytes, default_backend())
        except Exception as e:
            raise exceptions.ValidationException(detail=_(
                "The client authentication certificate revocation list "
                "is invalid. It must be a valid x509 PEM format "
                "certificate revocation list. Error: %s") % str(e))
        if not crl.is_signature_valid(ca_pub_key):
            raise exceptions.ValidationException(detail=_(
                "The CRL specified is not valid for client certificate "
                "authority reference supplied."))
예제 #5
def load_certificates_data(cert_mngr, obj, context=None):
    """Load TLS certificate data for a listener/pool-like object.

    :param cert_mngr: Certificate manager used to fetch the containers
    :param obj: Object carrying ``project_id``, ``tls_certificate_id`` and
        optionally ``sni_containers``
    :param context: Request context; when falsy a new RequestContext for
        ``obj.project_id`` is built
    :return: dict with ``tls_cert`` (mapped default container, or None when
        the object has no ``tls_certificate_id``) and ``sni_certs`` (list of
        mapped SNI containers, in the object's order)
    :raises CertificateRetrievalException: if any container cannot be fetched
    """
    if not context:
        context = oslo_context.RequestContext(project_id=obj.project_id)

    def _fetch(container_id):
        try:
            return _map_cert_tls_container(
                cert_mngr.get_cert(context, container_id, check_only=True))
        except Exception as e:
            LOG.warning('Unable to retrieve certificate: %s due to %s.',
                        container_id, str(e))
            raise exceptions.CertificateRetrievalException(ref=container_id)

    tls_cert = None
    if obj.tls_certificate_id:
        tls_cert = _fetch(obj.tls_certificate_id)

    sni_certs = []
    if getattr(obj, 'sni_containers', None):
        sni_certs = [_fetch(sni.tls_container_id) for sni in obj.sni_containers]

    return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
예제 #6
def _get_secret_data(cert_manager, project_id, secret_ref, for_delete=False):
    """Fetch a secret's payload from the certificate manager.

    :param cert_manager: Manager used to look up the secret
    :param project_id: Project the request context is built for
    :param secret_ref: Reference of the secret to fetch
    :param for_delete: When True a failed lookup yields None instead of
        raising, so a delete flow can proceed without the payload
    :returns: The secret data, or None when the lookup failed and
        *for_delete* is set
    :raises CertificateRetrievalException: if the lookup fails and
        *for_delete* is False
    """
    context = oslo_context.RequestContext(project_id=project_id)
    try:
        return cert_manager.get_secret(context, secret_ref)
    except Exception as e:
        LOG.warning('Unable to retrieve certificate: %s due to %s.',
                    secret_ref, str(e))
        if not for_delete:
            raise exceptions.CertificateRetrievalException(ref=secret_ref)
    return None
예제 #7
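    def get_secret(self, context, secret_ref):
        """Retrieve a secret payload by reference from Barbican.

        :param context: Oslo context of the request; its ``project_id``
            selects the Barbican client used for the lookup
        :param secret_ref: The secret reference ID

        :return: The secret payload
        :raises CertificateRetrievalException: if the Barbican lookup fails
            for any reason
        """
        connection = self.auth.get_barbican_client(context.project_id)

        LOG.info('Loading secret %s from Barbican.', secret_ref)
        try:
            return connection.secrets.get(secret_ref=secret_ref).payload
        except Exception as e:
            # Any client/transport failure is reported as a retrieval error;
            # the original exception text is kept in the log only.
            LOG.error("Failed to access secret for %s due to: %s.",
                      secret_ref, str(e))
            raise exceptions.CertificateRetrievalException(ref=secret_ref)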
예제 #8
def _get_secret_data(cert_manager, project_id, secret_ref, for_delete=False):
    """Fetch a secret's payload from the certificate manager as text.

    :param cert_manager: Manager used to look up the secret
    :param project_id: Project the request context is built for
    :param secret_ref: Reference of the secret to fetch
    :param for_delete: When True a failed lookup yields None instead of
        raising, so a delete flow can proceed without the payload
    :returns: The secret data (bytes payloads decoded to str), or None when
        the lookup failed and *for_delete* is set
    :raises CertificateRetrievalException: if the lookup fails and
        *for_delete* is False
    """
    context = oslo_context.RequestContext(project_id=project_id)
    try:
        secret_data = cert_manager.get_secret(context, secret_ref)
    except Exception as e:
        LOG.warning('Unable to retrieve certificate: %s due to %s.',
                    secret_ref, str(e))
        if not for_delete:
            raise exceptions.CertificateRetrievalException(ref=secret_ref)
        secret_data = None
    # The persistence jobboard backend stores JSON-convertible data, so a
    # bytes payload is decoded (default UTF-8) before being returned.
    if isinstance(secret_data, bytes):
        secret_data = secret_data.decode()
    return secret_data