def create_key(self,
context,
algorithm,
length,
expiration=None,
name=None):
"""Creates a symmetric key.
:param context: contains information of the user and the environment
for the request (castellan/context.py)
:param algorithm: the algorithm associated with the secret
:param length: the bit length of the secret
:param name: the name of the key
:param expiration: the date the key will expire
:return: the UUID of the new key
:raises KeyManagerError: if key creation fails
"""
barbican_client = self._get_barbican_client(context)
try:
key_order = barbican_client.orders.create_key(
name=name,
algorithm=algorithm,
bit_length=length,
expiration=expiration)
order_ref = key_order.submit()
order = self._get_active_order(barbican_client, order_ref)
return self._retrieve_secret_uuid(order.secret_ref)
except (barbican_exceptions.HTTPAuthError,
barbican_exceptions.HTTPClientError,
barbican_exceptions.HTTPServerError) as e:
LOG.error(_LE("Error creating key: %s"), e)
raise exception.KeyManagerError(reason=e)
def _get_active_order(self, barbican_client, order_ref):
"""Returns the order when it is active.
Barbican key creation is done asynchronously, so this loop continues
checking until the order is active or a timeout occurs.
"""
active_status = u'ACTIVE'
error_status = u'ERROR'
number_of_retries = self.conf.barbican.number_of_retries
retry_delay = self.conf.barbican.retry_delay
order = barbican_client.orders.get(order_ref)
time.sleep(.25)
for n in range(number_of_retries):
if order.status == error_status:
kwargs = {
"status": error_status,
"code": order.error_status_code,
"reason": order.error_reason
}
msg = _LE("Order is in %(status)s status - status code: "
"%(code)s, status reason: %(reason)s") % kwargs
LOG.error(msg)
raise exception.KeyManagerError(reason=msg)
if order.status != active_status:
kwargs = {
'attempt': n,
'total': number_of_retries,
'status': order.status,
'active': active_status,
'delay': retry_delay
}
msg = _LI("Retry attempt #%(attempt)i out of %(total)i: "
"Order status is '%(status)s'. Waiting for "
"'%(active)s', will retry in %(delay)s "
"seconds")
LOG.info(msg, kwargs)
time.sleep(retry_delay)
order = barbican_client.orders.get(order_ref)
else:
return order
msg = _LE("Exceeded retries: Failed to find '%(active)s' status "
"within %(num_retries)i retries") % {
'active': active_status,
'num_retries': number_of_retries
}
LOG.error(msg)
raise exception.KeyManagerError(reason=msg)
def _get_barbican_client(self, context):
"""Creates a client to connect to the Barbican service.
:param context: the user context for authentication
:return: a Barbican Client object
:raises Forbidden: if the context is None
:raises KeyManagerError: if context is missing tenant or tenant is
None or error occurs while creating client
"""
# Confirm context is provided, if not raise forbidden
if not context:
msg = _LE("User is not authorized to use key manager.")
LOG.error(msg)
raise exception.Forbidden(msg)
if self._barbican_client and self._current_context == context:
return self._barbican_client
try:
auth = self._get_keystone_auth(context)
sess = session.Session(auth=auth,
verify=self.conf.barbican.verify_ssl)
self._barbican_endpoint = self._get_barbican_endpoint(auth, sess)
self._barbican_client = barbican_client.Client(
session=sess, endpoint=self._barbican_endpoint)
self._current_context = context
except Exception as e:
LOG.error(_LE("Error creating Barbican client: %s"), e)
raise exception.KeyManagerError(reason=e)
self._base_url = self._create_base_url(auth, sess,
self._barbican_endpoint)
return self._barbican_client
def _create_base_url(self, auth, sess, endpoint):
if self.conf.barbican.barbican_api_version:
api_version = self.conf.barbican.barbican_api_version
else:
discovery = auth.get_discovery(sess, url=endpoint)
raw_data = discovery.raw_version_data()
if len(raw_data) == 0:
msg = _LE(
"Could not find discovery information for %s") % endpoint
LOG.error(msg)
raise exception.KeyManagerError(reason=msg)
latest_version = raw_data[-1]
api_version = latest_version.get('id')
base_url = urllib.parse.urljoin(endpoint, api_version)
return base_url
def _get_keystone_auth(self, context):
auth_url = self.conf.barbican.auth_endpoint
if context.__class__.__name__ is 'KeystonePassword':
return identity.Password(
auth_url=auth_url,
username=context.username,
password=context.password,
user_id=context.user_id,
user_domain_id=context.user_domain_id,
user_domain_name=context.user_domain_name,
trust_id=context.trust_id,
domain_id=context.domain_id,
domain_name=context.domain_name,
project_id=context.project_id,
project_name=context.project_name,
project_domain_id=context.project_domain_id,
project_domain_name=context.project_domain_name,
reauthenticate=context.reauthenticate)
elif context.__class__.__name__ is 'KeystoneToken':
return identity.Token(
auth_url=auth_url,
token=context.token,
trust_id=context.trust_id,
domain_id=context.domain_id,
domain_name=context.domain_name,
project_id=context.project_id,
project_name=context.project_name,
project_domain_id=context.project_domain_id,
project_domain_name=context.project_domain_name,
reauthenticate=context.reauthenticate)
# this will be kept for oslo.context compatibility until
# projects begin to use utils.credential_factory
elif context.__class__.__name__ is 'RequestContext':
return identity.Token(auth_url=auth_url,
token=context.auth_token,
project_id=context.tenant)
else:
msg = _LE("context must be of type KeystonePassword, "
"KeystoneToken, or RequestContext.")
LOG.error(msg)
raise exception.Forbidden(reason=msg)
def create_key_pair(self,
context,
algorithm,
length,
expiration=None,
name=None):
"""Creates an asymmetric key pair.
:param context: contains information of the user and the environment
for the request (castellan/context.py)
:param algorithm: the algorithm associated with the secret
:param length: the bit length of the secret
:param name: the name of the key
:param expiration: the date the key will expire
:return: the UUIDs of the new key, in the order (private, public)
:raises NotImplementedError: until implemented
:raises KeyManagerError: if key pair creation fails
"""
barbican_client = self._get_barbican_client(context)
try:
key_pair_order = barbican_client.orders.create_asymmetric(
algorithm=algorithm,
bit_length=length,
name=name,
expiration=expiration)
order_ref = key_pair_order.submit()
order = self._get_active_order(barbican_client, order_ref)
container = barbican_client.containers.get(order.container_ref)
private_key_uuid = self._retrieve_secret_uuid(
container.secret_refs['private_key'])
public_key_uuid = self._retrieve_secret_uuid(
container.secret_refs['public_key'])
return private_key_uuid, public_key_uuid
except (barbican_exceptions.HTTPAuthError,
barbican_exceptions.HTTPClientError,
barbican_exceptions.HTTPServerError) as e:
LOG.error(_LE("Error creating key pair: %s"), e)
raise exception.KeyManagerError(reason=e)
def get(self, context, managed_object_id):
"""Retrieves the specified managed object.
:param context: contains information of the user and the environment
for the request (castellan/context.py)
:param managed_object_id: the UUID of the object to retrieve
:return: ManagedObject representation of the managed object
:raises KeyManagerError: if object retrieval fails
:raises ManagedObjectNotFoundError: if object not found
"""
try:
secret = self._get_secret(context, managed_object_id)
return self._get_castellan_object(secret)
except (barbican_exceptions.HTTPAuthError,
barbican_exceptions.HTTPClientError,
barbican_exceptions.HTTPServerError) as e:
LOG.error(_LE("Error retrieving object: %s"), e)
if self._is_secret_not_found_error(e):
raise exception.ManagedObjectNotFoundError(
uuid=managed_object_id)
else:
raise exception.KeyManagerError(reason=e)
def _get_secret(self, context, object_id):
"""Returns the metadata of the secret.
:param context: contains information of the user and the environment
for the request (castellan/context.py)
:param object_id: UUID of the secret
:return: the secret's metadata
:raises HTTPAuthError: if object retrieval fails with 401
:raises HTTPClientError: if object retrieval fails with 4xx
:raises HTTPServerError: if object retrieval fails with 5xx
"""
barbican_client = self._get_barbican_client(context)
try:
secret_ref = self._create_secret_ref(object_id)
return barbican_client.secrets.get(secret_ref)
except (barbican_exceptions.HTTPAuthError,
barbican_exceptions.HTTPClientError,
barbican_exceptions.HTTPServerError) as e:
with excutils.save_and_reraise_exception():
LOG.error(_LE("Error getting secret metadata: %s"), e)
def delete(self, context, managed_object_id):
"""Deletes the specified managed object.
:param context: contains information of the user and the environment
for the request (castellan/context.py)
:param managed_object_id: the UUID of the object to delete
:raises KeyManagerError: if object deletion fails
:raises ManagedObjectNotFoundError: if the object could not be found
"""
barbican_client = self._get_barbican_client(context)
try:
secret_ref = self._create_secret_ref(managed_object_id)
barbican_client.secrets.delete(secret_ref)
except (barbican_exceptions.HTTPAuthError,
barbican_exceptions.HTTPClientError,
barbican_exceptions.HTTPServerError) as e:
LOG.error(_LE("Error deleting object: %s"), e)
if self._is_secret_not_found_error(e):
raise exception.ManagedObjectNotFoundError(
uuid=managed_object_id)
else:
raise exception.KeyManagerError(reason=e)
def store(self, context, managed_object, expiration=None):
"""Stores (i.e., registers) an object with the key manager.
:param context: contains information of the user and the environment
for the request (castellan/context.py)
:param managed_object: a secret object with unencrypted payload.
Known as "secret" to the barbicanclient api
:param expiration: the expiration time of the secret in ISO 8601
format
:returns: the UUID of the stored object
:raises KeyManagerError: if object store fails
"""
barbican_client = self._get_barbican_client(context)
try:
secret = self._get_barbican_object(barbican_client, managed_object)
secret.expiration = expiration
secret_ref = secret.store()
return self._retrieve_secret_uuid(secret_ref)
except (barbican_exceptions.HTTPAuthError,
barbican_exceptions.HTTPClientError,
barbican_exceptions.HTTPServerError) as e:
LOG.error(_LE("Error storing object: %s"), e)
raise exception.KeyManagerError(reason=e)
def credential_factory(conf=None, context=None):
"""This function provides a factory for credentials.
It is used to create an appropriare credential object
from a passed configuration. This should be called before
making any calls to a key manager.
:param conf: Configuration file which this factory method uses
to generate a credential object. Note: In the future it will
become a required field.
:param context: Context used for authentication. It can be used
in conjunction with the configuration file. If no conf is passed,
then the context object will be converted to a KeystoneToken and
returned. If a conf is passed then only the 'token' is grabbed from
the context for the authentication types that require a token.
:returns: A credential object used for authenticating with the
Castellan key manager. Type of credential returned depends on
config and/or context passed.
"""
if conf:
conf.register_opts(credential_opts, group=OPT_GROUP)
if conf.key_manager.auth_type == 'token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return token.Token(auth_token)
elif conf.key_manager.auth_type == 'password':
return password.Password(conf.key_manager.username,
conf.key_manager.password)
elif conf.key_manager.auth_type == 'keystone_password':
return keystone_password.KeystonePassword(
conf.key_manager.password,
username=conf.key_manager.username,
user_id=conf.key_manager.user_id,
user_domain_id=conf.key_manager.user_domain_id,
user_domain_name=conf.key_manager.user_domain_name,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.domain_id,
project_domain_name=conf.key_manager.domain_name,
reauthenticate=conf.key_manager.reauthenticate)
elif conf.key_manager.auth_type == 'keystone_token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return keystone_token.KeystoneToken(
auth_token,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.domain_id,
project_domain_name=conf.key_manager.domain_name,
reauthenticate=conf.key_manager.reauthenticate)
else:
LOG.error(_LE("Invalid auth_type specified."))
raise exception.AuthTypeInvalidError(
type=conf.key_manager.auth_type)
# for compatibility between _TokenData and RequestContext
if hasattr(context, 'tenant') and context.tenant:
project_id = context.tenant
elif hasattr(context, 'project_id') and context.project_id:
project_id = context.project_id
return keystone_token.KeystoneToken(context.auth_token,
project_id=project_id)