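def get_secret(context, secret_ref):
    """Retrieves a secret payload by reference.

    The payload is read from ``<CONF.certificates.storage_path>/<secret_ref>.crt``.

    :param context: Ignored in this implementation
    :param secret_ref: The secret reference ID
    :return: The secret payload (text)
    :raises CertificateRetrievalException: if the reference does not resolve to
        a file inside the configured storage path, or the file cannot be read
    """
    LOG.info("Loading secret %s from the local filesystem.", secret_ref)
    storage_path = os.path.abspath(CONF.certificates.storage_path)
    filename_secret = os.path.abspath(
        os.path.join(storage_path, "{0}.crt".format(secret_ref)))
    # The reference may originate from an API request, so refuse anything
    # that resolves outside the storage directory (".." segments or an
    # absolute path). abspath normalises without following symlinks, so
    # symlinked certificate files inside the directory keep working.
    if os.path.commonpath([storage_path, filename_secret]) != storage_path:
        LOG.error("Secret reference %s does not resolve inside the storage path.",
                  secret_ref)
        raise exceptions.CertificateRetrievalException(ref=secret_ref)
    try:
        with open(filename_secret) as secret_file:
            return secret_file.read()
    except OSError:
        # IOError is an alias of OSError on Python 3; covers missing file,
        # permission errors and read failures alike.
        LOG.error("Failed to read secret for %s.", secret_ref)
        raise exceptions.CertificateRetrievalException(ref=secret_ref)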
def get_secret(self, context, secret_ref):
    """Retrieves a secret payload through the wrapped manager.

    :param context: Request context passed straight to ``self.manager.get``
    :param secret_ref: The secret reference ID
    :return: The encoded payload of the object the manager returns
    :raises CertificateRetrievalException: if the lookup or encoding fails
        (the underlying error is logged, not propagated)
    """
    try:
        return self.manager.get(context, secret_ref).get_encoded()
    except Exception as err:
        LOG.error("Failed to access secret for %s due to: %s.",
                  secret_ref, str(err))
        raise exceptions.CertificateRetrievalException(ref=secret_ref)
def _validate_tls_refs(self, tls_refs):
    """Check that every TLS container reference in *tls_refs* is retrievable.

    Each reference is looked up with ``check_only=True`` under the request's
    octavia context. Failures are collected rather than raised one at a
    time, so the caller sees every unusable reference at once.

    :param tls_refs: Iterable of TLS container references
    :raises CertificateRetrievalException: with the list of unusable refs
    """
    context = pecan.request.context.get('octavia_context')

    def _unusable(ref):
        try:
            self.cert_manager.get_cert(context, ref, check_only=True)
        except Exception:
            return True
        return False

    bad_refs = [ref for ref in tls_refs if _unusable(ref)]
    if bad_refs:
        raise exceptions.CertificateRetrievalException(ref=bad_refs)
def _validate_client_ca_and_crl_refs(self, client_ca_ref, crl_ref):
    """Validate the client CA certificate and optional CRL references.

    Both secrets are fetched through ``self.cert_manager`` after setting
    ACLs on them; references that cannot be retrieved are collected and
    reported together. The CA payload must parse as a PEM x509 certificate.
    When a CRL is given it must parse as a PEM x509 CRL and its signature
    must verify against the CA's public key.

    :param client_ca_ref: Secret reference of the client CA certificate
    :param crl_ref: Secret reference of the CRL, or a falsy value for none
    :raises CertificateRetrievalException: listing every reference that
        could not be retrieved
    :raises ValidationException: if the CA or CRL fails to parse, or the
        CRL is not signed by the CA
    """
    context = pecan.request.context.get('octavia_context')
    bad_refs = []
    try:
        self.cert_manager.set_acls(context, client_ca_ref)
        ca_pem = self.cert_manager.get_secret(context, client_ca_ref)
    except Exception:
        bad_refs.append(client_ca_ref)
    pem_crl = None
    if crl_ref:
        try:
            self.cert_manager.set_acls(context, crl_ref)
            pem_crl = self.cert_manager.get_secret(context, crl_ref)
        except Exception:
            bad_refs.append(crl_ref)
    # ca_pem is unbound only when the CA lookup failed, and that case
    # always raises here, so it is safe to use below.
    if bad_refs:
        raise exceptions.CertificateRetrievalException(ref=bad_refs)
    ca_cert = None
    try:
        # Test if it needs to be UTF-8 encoded
        # (str payloads get encoded; bytes have no .encode and pass through)
        try:
            ca_pem = ca_pem.encode('utf-8')
        except AttributeError:
            pass
        ca_cert = x509.load_pem_x509_certificate(ca_pem, default_backend())
    except Exception as e:
        raise exceptions.ValidationException(detail=_(
            "The client authentication CA certificate is invalid. "
            "It must be a valid x509 PEM format certificate. "
            "Error: %s") % str(e))
    # Validate the CRL is for the client CA
    if pem_crl:
        ca_pub_key = ca_cert.public_key()
        crl = None
        # Test if it needs to be UTF-8 encoded
        try:
            pem_crl = pem_crl.encode('utf-8')
        except AttributeError:
            pass
        try:
            crl = x509.load_pem_x509_crl(pem_crl, default_backend())
        except Exception as e:
            raise exceptions.ValidationException(detail=_(
                "The client authentication certificate revocation list "
                "is invalid. It must be a valid x509 PEM format "
                "certificate revocation list. Error: %s") % str(e))
        # NOTE(review): only the CRL signature is verified against the CA
        # key; the CRL issuer name is not compared with the CA subject here.
        if not crl.is_signature_valid(ca_pub_key):
            raise exceptions.ValidationException(detail=_(
                "The CRL specified is not valid for client certificate "
                "authority reference supplied."))
def load_certificates_data(cert_mngr, obj, context=None):
    """Load TLS certificate data from the listener/pool.

    Resolves ``obj.tls_certificate_id`` and each ``obj.sni_containers``
    entry via ``cert_mngr.get_cert(..., check_only=True)`` and maps every
    result with ``_map_cert_tls_container``.

    :param cert_mngr: Certificate manager used to fetch the containers
    :param obj: Listener or pool carrying the certificate references
    :param context: Request context; when falsy a new RequestContext is
        built for ``obj.project_id``
    :return: dict with ``tls_cert`` (mapped container or None) and
        ``sni_certs`` (mapped containers in ``sni_containers`` order)
    :raises CertificateRetrievalException: carrying the first reference
        that could not be retrieved (a warning with the cause is logged)
    """
    if not context:
        context = oslo_context.RequestContext(project_id=obj.project_id)

    def _fetch(container_id):
        try:
            return _map_cert_tls_container(
                cert_mngr.get_cert(context, container_id, check_only=True))
        except Exception as err:
            LOG.warning('Unable to retrieve certificate: %s due to %s.',
                        container_id, str(err))
            raise exceptions.CertificateRetrievalException(ref=container_id)

    tls_cert = _fetch(obj.tls_certificate_id) if obj.tls_certificate_id else None
    # getattr with a default mirrors hasattr(): an absent attribute and an
    # empty collection both yield no SNI certificates.
    sni_certs = []
    if getattr(obj, 'sni_containers', None):
        sni_certs = [_fetch(cont.tls_container_id)
                     for cont in obj.sni_containers]
    return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
def _get_secret_data(cert_manager, project_id, secret_ref, for_delete=False):
    """Fetch a secret payload from the certificate manager.

    A RequestContext scoped to *project_id* is built for the lookup. On
    failure a warning is logged; when *for_delete* is True the failure is
    tolerated (presumably the secret is already gone) and ``None`` is
    returned, otherwise a CertificateRetrievalException is raised.

    :param cert_manager: Manager exposing ``get_secret(context, secret_ref)``
    :param project_id: Project used to scope the request context
    :param secret_ref: The secret reference ID
    :param for_delete: Whether a failed retrieval is acceptable
    :returns: The secret data, or None when for_delete and retrieval failed.
    :raises CertificateRetrievalException: if retrieval fails and
        for_delete is False
    """
    context = oslo_context.RequestContext(project_id=project_id)
    try:
        return cert_manager.get_secret(context, secret_ref)
    except Exception as err:
        LOG.warning('Unable to retrieve certificate: %s due to %s.',
                    secret_ref, str(err))
        if not for_delete:
            raise exceptions.CertificateRetrievalException(ref=secret_ref)
    return None
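def get_secret(self, context, secret_ref):
    """Retrieves a secret payload by reference.

    :param context: Oslo context of the request; only ``project_id`` is
        read, to obtain the Barbican client for that project
    :param secret_ref: The secret reference ID
    :return: The secret payload
    :raises CertificateRetrievalException: if retrieval fails (the
        underlying error is logged, not propagated)
    """
    # NOTE(review): the client is obtained per project; presumably so the
    # lookup is authorised as that project — confirm in get_barbican_client.
    connection = self.auth.get_barbican_client(context.project_id)
    LOG.info('Loading secret %s from Barbican.', secret_ref)
    try:
        secret = connection.secrets.get(secret_ref=secret_ref)
        return secret.payload
    except Exception as e:
        LOG.error("Failed to access secret for %s due to: %s.",
                  secret_ref, str(e))
        raise exceptions.CertificateRetrievalException(ref=secret_ref)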
def _get_secret_data(cert_manager, project_id, secret_ref, for_delete=False):
    """Fetch a secret payload from the certificate manager as JSON-safe data.

    A RequestContext scoped to *project_id* is built for the lookup. On
    failure a warning is logged; when *for_delete* is True the failure is
    tolerated and ``None`` is returned, otherwise a
    CertificateRetrievalException is raised. A ``bytes`` payload is decoded
    to ``str`` so the value can be stored in the persistence jobboard
    backend, which needs JSON-convertible data.

    :param cert_manager: Manager exposing ``get_secret(context, secret_ref)``
    :param project_id: Project used to scope the request context
    :param secret_ref: The secret reference ID
    :param for_delete: Whether a failed retrieval is acceptable
    :returns: The secret data (str if it was bytes), or None when
        for_delete and retrieval failed.
    :raises CertificateRetrievalException: if retrieval fails and
        for_delete is False
    """
    context = oslo_context.RequestContext(project_id=project_id)
    try:
        payload = cert_manager.get_secret(context, secret_ref)
    except Exception as err:
        LOG.warning('Unable to retrieve certificate: %s due to %s.',
                    secret_ref, str(err))
        if not for_delete:
            raise exceptions.CertificateRetrievalException(ref=secret_ref)
        return None
    # Jobboard persistence needs JSON-convertible data; decode with the
    # default (UTF-8) codec, exactly as bytes.decode() without arguments.
    return payload.decode() if isinstance(payload, bytes) else payload