def _get_barbican_client(self, ctxt):
"""Creates a client to connect to the Barbican service.
:param ctxt: the user context for authentication
:return: a Barbican Client object
:throws NotAuthorized: if the ctxt is None
:throws KeyManagerError: if ctxt is missing project_id
or project_id is None
"""
if not self._barbican_client:
# Confirm context is provided, if not raise not authorized
if not ctxt:
msg = _("User is not authorized to use key manager.")
LOG.error(msg)
raise exception.NotAuthorized(msg)
if not hasattr(ctxt, 'project_id') or ctxt.project_id is None:
msg = _("Unable to create Barbican Client without project_id.")
LOG.error(msg)
raise exception.KeyManagerError(msg)
try:
auth = identity.v3.Token(
auth_url=CONF.keymgr.encryption_auth_url,
token=ctxt.auth_token,
project_id=ctxt.project_id)
sess = session.Session(auth=auth)
self._barbican_client = barbican_client.Client(
session=sess, endpoint=self._barbican_endpoint)
except Exception:
with excutils.save_and_reraise_exception():
LOG.exception(_LE("Error creating Barbican client."))
return self._barbican_client
def delete_key(self, ctxt, key_id, **kwargs):
if ctxt is None:
raise exception.NotAuthorized()
if key_id != self.key_id:
raise exception.KeyManagerError(
reason="cannot delete non-existent key")
LOG.warn(_("Not deleting key %s"), key_id)
def store_key(self, ctxt, key, **kwargs):
"""Stores (i.e., registers) a key with the key manager."""
if ctxt is None:
raise exception.NotAuthorized()
if key != self._generate_key():
raise exception.KeyManagerError(
reason="cannot store arbitrary keys")
return self.key_id
def store(self, context, managed_object, **kwargs):
"""Stores (i.e., registers) a key with the key manager."""
if context is None:
raise exception.NotAuthorized()
if managed_object != self._get_key():
raise exception.KeyManagerError(
reason="cannot store arbitrary keys")
return self.key_id
def _create_secret_ref(self, key_id, barbican_client):
"""Creates the URL required for accessing a secret.
:param key_id: the UUID of the key to copy
:param barbican_client: barbican key manager object
:return: the URL of the requested secret
"""
if not key_id:
msg = "Key ID is None"
raise exception.KeyManagerError(msg)
return self._base_url + "/secrets/" + key_id
def _parse_barbican_api_url(self):
"""Setup member variables to reference the Barbican URL.
The key manipulation functions in this module need to use the
barbican URL with the version appended. But the barbicanclient
Client() class needs the URL without the version appended.
So set up a member variables here for each case.
"""
m = URL_PATTERN.search(self._base_url)
if m is None:
raise exception.KeyManagerError(
_("Invalid url: must be in the form "
"'http[s]://<ipaddr>|<fqdn>[:port]/<version>', "
"url specified is: %s"), self._base_url)
url_info = dict(m.groupdict())
if 'url_version' not in url_info or url_info['url_version'] == "":
raise exception.KeyManagerError(
_("Invalid barbican api url: version is required, "
"e.g. 'http[s]://<ipaddr>|<fqdn>[:port]/<version>' "
"url specified is: %s") % self._base_url)
# We will also need the barbican API URL without the '/v1'.
# So save that now.
self._barbican_endpoint = url_info['url_base']
def delete(self, context, managed_object_id):
"""Represents deleting the key.
Because the ConfKeyManager has only one key, which is read from the
configuration file, the key is not actually deleted when this is
called.
"""
if context is None:
raise exception.NotAuthorized()
if managed_object_id != self.key_id:
raise exception.KeyManagerError(
reason="cannot delete non-existent key")
LOG.warning("Not deleting key %s", managed_object_id)
