def _create_ks_token_credential(self):
return keystone_token.KeystoneToken(
self.token,
trust_id=self.trust_id,
domain_id=self.domain_id,
domain_name=self.domain_name,
project_id=self.project_id,
project_name=self.project_name,
project_domain_id=self.project_domain_id,
project_domain_name=self.project_domain_name,
reauthenticate=self.reauthenticate)
def test___ne___reauthenticate(self):
other_reauthenticate = False
other_ks_token_credential = keystone_token.KeystoneToken(
self.token,
trust_id=self.trust_id,
domain_id=self.domain_id,
domain_name=self.domain_name,
project_id=self.project_id,
project_name=self.project_name,
project_domain_id=self.project_domain_id,
project_domain_name=self.project_domain_name,
reauthenticate=other_reauthenticate)
self.assertTrue(self.ks_token_credential != other_ks_token_credential)
def test___ne___token(self):
other_token = "5c59e3217d3d4dd297589b297aee2a6f"
other_ks_token_credential = keystone_token.KeystoneToken(
other_token,
trust_id=self.trust_id,
domain_id=self.domain_id,
domain_name=self.domain_name,
project_id=self.project_id,
project_name=self.project_name,
project_domain_id=self.project_domain_id,
project_domain_name=self.project_domain_name,
reauthenticate=self.reauthenticate)
self.assertTrue(self.ks_token_credential != other_ks_token_credential)
def get_user_root_secret_by_id(self, account, user_token, key_id):
"""
Retrieve the user's root encryption secret with the specified ID from
an external key management system using Castellan.
:param account: the name of the account
:type account: string
:param user_token: the keystone token of the user from the request
:type user_token: string
:param key_id: the ID of the user's root encryption secret to retrieve
:return: the binary bytes of the user's root encryption secret with the
specified ID
:rtype: bytearray
"""
user_root_secrets = self._user_root_secrets.get(account)
if user_root_secrets is None:
user_root_secrets = dict()
else:
encoded_key = user_root_secrets.get(key_id)
if ROOT_SECRET_CACHE_TIME > 0:
if encoded_key is not None:
return encoded_key
conf = self.conf
if self.keymaster_config_path is not None:
if any(opt in conf for opt in ('key_id', )):
raise ValueError('keymaster_config_path is set, but there '
'are other config options specified!')
conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
user_ctxt = keystone_token.KeystoneToken(token=user_token)
oslo_conf = cfg.ConfigOpts()
options.set_defaults(oslo_conf,
auth_endpoint=conf.get('auth_endpoint'),
api_class=conf.get('api_class'))
options.enable_logging()
manager = key_manager.API(oslo_conf)
# Get the latest key from Barbican. If no keymanager class has been
# specified (using 'api_class'), or the keymaster does not have a
# 'get_latest_key()' method, an exception will be raised.
key = manager.get(user_ctxt, key_id)
if key is None:
raise ValueError("Could not find user '%s' with key_id '%s'" %
(account, key_id))
user_root_secrets[key_id] = key.get_encoded()
self._user_root_secrets[account] = user_root_secrets
return key.get_encoded()
def get_latest_user_root_secret_and_id(self, account, user_token):
"""
Retrieve the user's latest root encryption secret from an external key
management system using Castellan.
:param account: the name of the account
:type account: string
:param user_token: the keystone token of the user from the request
:type user_token: string
:return: a tuple containing the binary bytes of the latest encryption
root secret, and the id of the latest root encryption secret
:rtype: (bytearray, string)
"""
conf = self.conf
if self.keymaster_config_path is not None:
if any(opt in conf for opt in ('key_id', )):
raise ValueError('keymaster_config_path is set, but there '
'are other config options specified!')
conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
user_ctxt = keystone_token.KeystoneToken(token=user_token)
oslo_conf = cfg.ConfigOpts()
options.set_defaults(oslo_conf,
auth_endpoint=conf.get('auth_endpoint'),
api_class=conf.get('api_class'))
options.enable_logging()
manager = key_manager.API(oslo_conf)
# Get the latest key from Barbican. If no keymanager class has been
# specified (using 'api_class'), or the keymaster does not have a
# 'get_latest_key()' method, an exception will be raised.
latest_user_root_secret_id, key = manager.get_latest_key(
user_ctxt, bits=256, algorithm='aes', name='swift_root_secret')
self.logger.log(
SECDEL_LOG_LEVEL_DEBUG,
"ID of latest user root secret is %s" % latest_user_root_secret_id)
if latest_user_root_secret_id is None or key is None:
return None, None
user_root_secrets = self._user_root_secrets.get(account)
if user_root_secrets is None:
user_root_secrets = dict()
user_root_secrets[latest_user_root_secret_id] = key.get_encoded()
self._user_root_secrets[account] = user_root_secrets
return key.get_encoded(), latest_user_root_secret_id
def test___eq__(self):
self.assertTrue(self.ks_token_credential == self.ks_token_credential)
self.assertTrue(self.ks_token_credential is self.ks_token_credential)
self.assertFalse(self.ks_token_credential is None)
self.assertFalse(None == self.ks_token_credential)
other_ks_token_credential = keystone_token.KeystoneToken(
self.token,
trust_id=self.trust_id,
domain_id=self.domain_id,
domain_name=self.domain_name,
project_id=self.project_id,
project_name=self.project_name,
project_domain_id=self.project_domain_id,
project_domain_name=self.project_domain_name,
reauthenticate=self.reauthenticate)
self.assertTrue(self.ks_token_credential == other_ks_token_credential)
self.assertFalse(self.ks_token_credential is other_ks_token_credential)
def get_context(self):
username = CONF.identity.username
password = CONF.identity.password
project_name = CONF.identity.project_name
auth_url = CONF.identity.auth_url
user_domain_name = CONF.identity.user_domain_name
project_domain_name = CONF.identity.project_domain_name
auth = identity.V3Password(auth_url=auth_url,
username=username,
password=password,
project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name)
sess = session.Session()
return keystone_token.KeystoneToken(
token=auth.get_token(sess),
project_id=auth.get_project_id(sess))
def setUp(self):
super(BarbicanKeyManagerKSTokenTestCase, self).setUp()
username = CONF.identity.username
password = CONF.identity.password
project_name = CONF.identity.project_name
auth_url = CONF.identity.auth_url
user_domain_name = CONF.identity.user_domain_name
project_domain_name = CONF.identity.project_domain_name
auth = v3.Password(auth_url=auth_url,
username=username,
password=password,
project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name)
sess = session.Session(auth=auth)
keystone_client = client.Client(session=sess)
project_list = keystone_client.projects.list(name=project_name)
self.ctxt = keystone_token.KeystoneToken(
token=auth.auth_ref.auth_token,
project_id=project_list[0].id)
def credential_factory(conf=None, context=None):
"""This function provides a factory for credentials.
It is used to create an appropriare credential object
from a passed configuration. This should be called before
making any calls to a key manager.
:param conf: Configuration file which this factory method uses
to generate a credential object. Note: In the future it will
become a required field.
:param context: Context used for authentication. It can be used
in conjunction with the configuration file. If no conf is passed,
then the context object will be converted to a KeystoneToken and
returned. If a conf is passed then only the 'token' is grabbed from
the context for the authentication types that require a token.
:returns: A credential object used for authenticating with the
Castellan key manager. Type of credential returned depends on
config and/or context passed.
"""
if conf:
conf.register_opts(credential_opts, group=OPT_GROUP)
if conf.key_manager.auth_type == 'token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return token.Token(auth_token)
elif conf.key_manager.auth_type == 'password':
return password.Password(conf.key_manager.username,
conf.key_manager.password)
elif conf.key_manager.auth_type == 'keystone_password':
return keystone_password.KeystonePassword(
conf.key_manager.password,
username=conf.key_manager.username,
user_id=conf.key_manager.user_id,
user_domain_id=conf.key_manager.user_domain_id,
user_domain_name=conf.key_manager.user_domain_name,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.domain_id,
project_domain_name=conf.key_manager.domain_name,
reauthenticate=conf.key_manager.reauthenticate)
elif conf.key_manager.auth_type == 'keystone_token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return keystone_token.KeystoneToken(
auth_token,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.domain_id,
project_domain_name=conf.key_manager.domain_name,
reauthenticate=conf.key_manager.reauthenticate)
else:
LOG.error(_LE("Invalid auth_type specified."))
raise exception.AuthTypeInvalidError(
type=conf.key_manager.auth_type)
# for compatibility between _TokenData and RequestContext
if hasattr(context, 'tenant') and context.tenant:
project_id = context.tenant
elif hasattr(context, 'project_id') and context.project_id:
project_id = context.project_id
return keystone_token.KeystoneToken(context.auth_token,
project_id=project_id)
