def store(self, context, secret, expiration=None): """Stores a secret with the key manager. :param context: contains information of the user and the environment for the request :param secret: a secret object with unencrypted payload. Known as "secret" to the barbicanclient api :param expiration: the expiration time of the secret in ISO 8601 format :returns: the UUID of the stored object :raises KeyManagerError: if object store fails """ barbican_client = self._get_barbican_client(context) try: secret = barbican_client.secrets.create(payload=secret, secret_type='opaque') secret.expiration = expiration secret_ref = secret.store() return self._retrieve_secret_uuid(secret_ref) except (barbican_exception.HTTPAuthError, barbican_exception.HTTPClientError, barbican_exception.HTTPServerError) as e: LOG.error("Error storing object: %s", e) raise exception.KeyManagerError(reason=e)
def get(self, context, managed_object_id, metadata_only=False): """Retrieves the specified managed object. :param context: contains information of the user and the environment for the request :param managed_object_id: the UUID of the object to retrieve :param metadata_only: whether secret data should be included :return: ManagedObject representation of the managed object :raises KeyManagerError: if object retrieval fails :raises ManagedObjectNotFoundError: if object not found """ barbican_client = self._get_barbican_client(context) try: secret_ref = self._create_secret_ref(managed_object_id) return barbican_client.secrets.get(secret_ref) except (barbican_exception.HTTPAuthError, barbican_exception.HTTPClientError, barbican_exception.HTTPServerError) as e: LOG.error("Error retrieving object: %s", e) if self._is_secret_not_found_error(e): raise exception.ManagedObjectNotFoundError( uuid=managed_object_id) else: raise exception.KeyManagerError(reason=e)
def _create_secret_ref(self, object_id): """Creates the URL required for accessing a secret. :param object_id: the UUID of the key to copy :return: the URL of the requested secret """ if not object_id: msg = _("Key ID is None") raise exception.KeyManagerError(reason=msg) return "%ssecrets/%s" % (self._base_url, object_id)
def _create_base_url(self, auth, sess, endpoint): discovery = auth.get_discovery(sess, url=endpoint) raw_data = discovery.raw_version_data() if len(raw_data) == 0: msg = _("Could not find discovery information for %s") % endpoint LOG.error(msg) raise exception.KeyManagerError(reason=msg) latest_version = raw_data[-1] api_version = latest_version.get('id') base_url = "%s%s/" % (endpoint, api_version) return base_url
def _create_secret_ref(self, object_id): """Creates the URL required for accessing a secret. :param object_id: the UUID of the key to copy :return: the URL of the requested secret """ if not object_id: msg = _("Key ID is None") raise exception.KeyManagerError(reason=msg) base_url = self._base_url if base_url[-1] != '/': base_url += '/' return urllib.parse.urljoin(base_url, "secrets/" + object_id)
def delete(self, context, managed_object_id): """Deletes the specified managed object. :param context: contains information of the user and the environment for the request :param managed_object_id: the UUID of the object to delete :raises KeyManagerError: if object deletion fails :raises ManagedObjectNotFoundError: if the object could not be found """ barbican_client = self._get_barbican_client(context) try: secret_ref = self._create_secret_ref(managed_object_id) barbican_client.secrets.delete(secret_ref) except (barbican_exception.HTTPAuthError, barbican_exception.HTTPClientError, barbican_exception.HTTPServerError) as e: LOG.error("Error deleting object: %s", e) if self._is_secret_not_found_error(e): pass else: raise exception.KeyManagerError(reason=e)
def _get_barbican_client(self, context): """Creates a client to connect to the Barbican service. :param context: the user context for authentication :return: a Barbican Client object :raises Forbidden: if the context is empty :raises KeyManagerError: if context is missing tenant or tenant is None or error occurs while creating client """ # Confirm context is provided, if not raise forbidden if not context: msg = _("User is not authorized to use key manager.") LOG.error(msg) raise exception.Forbidden(msg) if self._barbican_client and self._current_context == context: return self._barbican_client try: auth = self._get_keystone_auth(context) sess = session.Session(auth=auth) self._barbican_endpoint = self._get_barbican_endpoint(auth, sess) if self._barbican_endpoint[-1] != '/': self._barbican_endpoint += '/' self._barbican_client = barbican_client.Client( session=sess, endpoint=self._barbican_endpoint) self._current_context = context except Exception as e: LOG.error("Error creating Barbican client: %s", e) raise exception.KeyManagerError(reason=e) self._base_url = self._create_base_url(auth, sess, self._barbican_endpoint) return self._barbican_client