def secdel_get_barbican_manager_and_ctxt(output_manager, conf, api_class):
try:
# FIXME: Parameters have different names if passed as options
# to swift-client
user_domain_name = conf.get('os_user_domain_name')
if user_domain_name is None:
user_domain_name = 'Default'
project_domain_name = conf.get('os_project_domain_name')
if project_domain_name is None:
project_domain_name = 'Default'
ctxt = keystone_password.KeystonePassword(
username=conf.get('os_username'),
password=conf.get('os_password'),
project_name=conf.get('os_project_name'),
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
user_id=conf.get('os_user_id'),
user_domain_id=conf.get('os_user_domain_id'),
trust_id=conf.get('os_trust_id'),
domain_id=conf.get('os_domain_id'),
domain_name=conf.get('os_domain_name'),
project_id=conf.get('os_project_id'),
project_domain_id=conf.get('os_project_domain_id'),
reauthenticate=conf.get('reauthenticate'))
oslo_conf = cfg.ConfigOpts()
# FIXME: os_auth_url and not auth_endpoint?
options.set_defaults(
oslo_conf, auth_endpoint=conf.get('os_auth_url'),
api_class=conf.get('api_class', api_class)
)
options.enable_logging()
manager = key_manager.API(oslo_conf)
return manager, ctxt
except SwiftError as e:
output_manager.error(e.value)
def _encrypt_data(context, data):
try:
# TODO(pbourke): move auth construction into common area if it ends up
# been required in other areas
auth = identity.V3Password(
auth_url=settings.KEY_MANAGER['auth_url'],
username=settings.KEY_MANAGER['username'],
user_domain_name=settings.KEY_MANAGER['user_domain_name'],
password=settings.KEY_MANAGER['password'],
project_name=settings.KEY_MANAGER['project_name'],
project_domain_name=settings.KEY_MANAGER['project_domain_name']
)
except (KeyError, AttributeError) as e:
LOG.exception(e)
msg = ('Could not find valid key manager credentials in the '
'murano-dashboard config. encryptData yaql function not '
'available')
raise castellan_exception.KeyManagerError(message_arg=msg)
sess = session.Session(auth=auth)
auth_context = _oslo_context.RequestContext(
auth_token=auth.get_token(sess), tenant=auth.get_project_id(sess))
options.set_defaults(cfg.CONF,
auth_endpoint=settings.KEY_MANAGER['auth_url'])
manager = key_manager.API()
try:
# TODO(pbourke): while we feel opaque data should cover the most common
# use case, we may want to add support for other secret types in the
# future (see https://goo.gl/tZhfqe)
stored_key_id = manager.store(auth_context,
opaque_data.OpaqueData(data))
except castellan_exception.KeyManagerError as e:
LOG.exception(e)
raise
return stored_key_id
def register_opts(conf):
castellan_opts.set_defaults(conf)
# TODO(raj_singh): Code block below is deprecated and will be removed
# post Newton
conf.register_group(barbican_group)
conf.register_opts(barbican_opts, group=barbican_group)
ks_loading.register_session_conf_options(conf, barbican_group.name)
def register_opts(conf):
castellan_opts.set_defaults(conf)
# TODO(raj_singh): Code block below is deprecated and will be removed
# post Newton
conf.register_group(barbican_group)
conf.register_opts(barbican_opts, group=barbican_group)
ks_loading.register_session_conf_options(conf, barbican_group.name)
def setUp(self):
super(InitTestCase, self).setUp()
self.config = cfg.ConfigOpts()
castellan_opts.set_defaults(self.config)
self.config.set_default('api_class',
'cinder.keymgr.conf_key_mgr.ConfKeyManager',
group='key_manager')
def handle_key_migration(self, volumes):
castellan_options.set_defaults(self.conf)
self.conf.import_opt(name='fixed_key',
module_str='cinder.keymgr.conf_key_mgr',
group='key_manager')
fixed_key = self.conf.key_manager.fixed_key
backend = self.conf.key_manager.backend or ''
backend = backend.split('.')[-1]
if backend == 'ConfKeyManager':
LOG.info("Not migrating encryption keys because the "
"ConfKeyManager is still in use.")
elif not fixed_key:
LOG.info("Not migrating encryption keys because the "
"ConfKeyManager's fixed_key is not in use.")
elif backend != 'barbican' and backend != 'BarbicanKeyManager':
# Note: There are two ways of specifying the Barbican backend.
# The long-hand method contains the "BarbicanKeyManager" class
# name, and the short-hand method is just "barbican" with no
# module path prefix.
LOG.warning(
"Not migrating encryption keys because migration to "
"the '%s' key_manager backend is not supported.", backend)
self._log_migration_status()
elif not volumes:
LOG.info("Not migrating encryption keys because there are no "
"volumes associated with this host.")
self._log_migration_status()
else:
self.fixed_key_bytes = bytes(binascii.unhexlify(fixed_key))
self.fixed_key_length = len(self.fixed_key_bytes) * 8
self._migrate_keys(volumes)
self._log_migration_status()
def setUp(self):
super(InitTestCase, self).setUp()
self.config = cfg.ConfigOpts()
castellan_opts.set_defaults(self.config)
self.config.set_default('api_class',
'cinder.keymgr.conf_key_mgr.ConfKeyManager',
group='key_manager')
def validate_config():
if CONF.use_barbican_key_manager:
# NOTE (elmiko) there is no need to set the api_class as castellan
# uses barbican by default.
castellan.set_defaults(CONF, auth_endpoint=utils.retrieve_auth_url())
else:
castellan.set_defaults(CONF, api_class='sahara.service.castellan.'
'sahara_key_manager.SaharaKeyManager')
def key_manager():
conf = cfg.ConfigOpts()
auth_endpoint = settings.OPENSTACK_KEYSTONE_URL
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
options.set_defaults(conf,
auth_endpoint=auth_endpoint,
verify_ssl=not insecure)
return key_manager_api.API(conf)
def validate_config():
if CONF.use_barbican_key_manager:
# NOTE (elmiko) there is no need to set the api_class as castellan
# uses barbican by default.
castellan.set_defaults(CONF, auth_endpoint=utils.retrieve_auth_url())
else:
castellan.set_defaults(CONF,
api_class='sahara.service.castellan.'
'sahara_key_manager.SaharaKeyManager')
def _get_root_secret(self, conf):
"""
Retrieve the root encryption secret from an external key management
system using Castellan.
:param conf: the keymaster config section from proxy-server.conf
:type conf: dict
:return: the encryption root secret binary bytes
:rtype: bytearray
"""
ctxt = keystone_password.KeystonePassword(
auth_url=conf.get('auth_endpoint'),
username=conf.get('username'),
password=conf.get('password'),
project_name=conf.get('project_name'),
user_domain_name=conf.get('user_domain_name'),
project_domain_name=conf.get(
'project_domain_name'),
user_id=conf.get('user_id'),
user_domain_id=conf.get('user_domain_id'),
trust_id=conf.get('trust_id'),
domain_id=conf.get('domain_id'),
domain_name=conf.get('domain_name'),
project_id=conf.get('project_id'),
project_domain_id=conf.get('project_domain_id'),
reauthenticate=conf.get('reauthenticate'))
oslo_conf = cfg.ConfigOpts()
options.set_defaults(
oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
api_class=conf.get('api_class')
)
options.enable_logging()
manager = key_manager.API(oslo_conf)
key = manager.get(ctxt, conf.get('key_id'))
if key is None:
raise ValueError("Retrieval of encryption root secret with key_id "
"'%s' returned None." % conf.get('key_id'))
try:
if (key.bit_length < 256) or (key.algorithm.lower() != "aes"):
raise ValueError('encryption root secret stored in the '
'external KMS must be an AES key of at least '
'256 bits (provided key length: %d, provided '
'key algorithm: %s)'
% (key.bit_length, key.algorithm))
if (key.format != 'RAW'):
raise ValueError('encryption root secret stored in the '
'external KMS must be in RAW format and not '
'e.g., as a base64 encoded string (format of '
'key with uuid %s: %s)' %
(conf.get('key_id'), key.format))
except Exception:
raise ValueError("Secret with key_id '%s' is not a symmetric key "
"(type: %s)" % (conf.get('key_id'),
str(type(key))))
return key.get_encoded()
def _get_root_secret(self, conf):
"""
Retrieve the root encryption secret from an external key management
system using Castellan.
:param conf: the keymaster config section from proxy-server.conf
:type conf: dict
:return: the encryption root secret binary bytes
:rtype: bytearray
"""
ctxt = keystone_password.KeystonePassword(
auth_url=conf.get('auth_endpoint'),
username=conf.get('username'),
password=conf.get('password'),
project_name=conf.get('project_name'),
user_domain_name=conf.get('user_domain_name'),
project_domain_name=conf.get('project_domain_name'),
user_id=conf.get('user_id'),
user_domain_id=conf.get('user_domain_id'),
trust_id=conf.get('trust_id'),
domain_id=conf.get('domain_id'),
domain_name=conf.get('domain_name'),
project_id=conf.get('project_id'),
project_domain_id=conf.get('project_domain_id'),
reauthenticate=conf.get('reauthenticate'))
oslo_conf = cfg.ConfigOpts()
options.set_defaults(oslo_conf,
auth_endpoint=conf.get('auth_endpoint'),
api_class=conf.get('api_class'))
options.enable_logging()
manager = key_manager.API(oslo_conf)
key = manager.get(ctxt, conf.get('key_id'))
if key is None:
raise ValueError("Retrieval of encryption root secret with key_id "
"'%s' returned None." % conf.get('key_id'))
try:
if (key.bit_length < 256) or (key.algorithm.lower() != "aes"):
raise ValueError('encryption root secret stored in the '
'external KMS must be an AES key of at least '
'256 bits (provided key length: %d, provided '
'key algorithm: %s)' %
(key.bit_length, key.algorithm))
if (key.format != 'RAW'):
raise ValueError('encryption root secret stored in the '
'external KMS must be in RAW format and not '
'e.g., as a base64 encoded string (format of '
'key with uuid %s: %s)' %
(conf.get('key_id'), key.format))
except Exception:
raise ValueError("Secret with key_id '%s' is not a symmetric key "
"(type: %s)" %
(conf.get('key_id'), str(type(key))))
return key.get_encoded()
def get_conf(self, conf=CONF):
"""Convert secret store conf into oslo conf
Returns an oslo.config() object to pass to keymanager.API(conf)
"""
vault_conf = cfg.ConfigOpts()
options.set_defaults(
vault_conf,
backend='vault',
vault_root_token_id=conf.vault_plugin.root_token_id,
vault_url=conf.vault_plugin.vault_url,
vault_ssl_ca_crt_file=conf.vault_plugin.ssl_ca_crt_file,
vault_use_ssl=conf.vault_plugin.use_ssl)
return vault_conf
def get_user_root_secret_by_id(self, account, user_token, key_id):
"""
Retrieve the user's root encryption secret with the specified ID from
an external key management system using Castellan.
:param account: the name of the account
:type account: string
:param user_token: the keystone token of the user from the request
:type user_token: string
:param key_id: the ID of the user's root encryption secret to retrieve
:return: the binary bytes of the user's root encryption secret with the
specified ID
:rtype: bytearray
"""
user_root_secrets = self._user_root_secrets.get(account)
if user_root_secrets is None:
user_root_secrets = dict()
else:
encoded_key = user_root_secrets.get(key_id)
if ROOT_SECRET_CACHE_TIME > 0:
if encoded_key is not None:
return encoded_key
conf = self.conf
if self.keymaster_config_path is not None:
if any(opt in conf for opt in ('key_id', )):
raise ValueError('keymaster_config_path is set, but there '
'are other config options specified!')
conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
user_ctxt = keystone_token.KeystoneToken(token=user_token)
oslo_conf = cfg.ConfigOpts()
options.set_defaults(oslo_conf,
auth_endpoint=conf.get('auth_endpoint'),
api_class=conf.get('api_class'))
options.enable_logging()
manager = key_manager.API(oslo_conf)
# Get the latest key from Barbican. If no keymanager class has been
# specified (using 'api_class'), or the keymaster does not have a
# 'get_latest_key()' method, an exception will be raised.
key = manager.get(user_ctxt, key_id)
if key is None:
raise ValueError("Could not find user '%s' with key_id '%s'" %
(account, key_id))
user_root_secrets[key_id] = key.get_encoded()
self._user_root_secrets[account] = user_root_secrets
return key.get_encoded()
def decrypt_data(value):
options.set_defaults(oslo_cfg.CONF, barbican_endpoint_type='internal')
manager = key_manager.API()
try:
context = castellan_utils.credential_factory(conf=cfg.CONF)
except castellan_exception.AuthTypeInvalidError as e:
LOG.exception(e)
LOG.error("Castellan must be correctly configured in order to use "
"decryptData()")
raise
try:
data = manager.get(context, value).get_encoded()
except castellan_exception.KeyManagerError as e:
LOG.exception(e)
raise
return data
def get_conf(self, conf=CONF):
"""Convert secret store conf into oslo conf
Returns an oslo.config() object to pass to keymanager.API(conf)
"""
vault_conf = cfg.ConfigOpts()
options.set_defaults(
vault_conf,
backend='vault',
vault_root_token_id=conf.vault_plugin.root_token_id,
vault_approle_role_id=conf.vault_plugin.approle_role_id,
vault_approle_secret_id=conf.vault_plugin.approle_secret_id,
vault_kv_mountpoint=conf.vault_plugin.kv_mountpoint,
vault_url=conf.vault_plugin.vault_url,
vault_ssl_ca_crt_file=conf.vault_plugin.ssl_ca_crt_file,
vault_use_ssl=conf.vault_plugin.use_ssl
)
return vault_conf
def get_latest_user_root_secret_and_id(self, account, user_token):
"""
Retrieve the user's latest root encryption secret from an external key
management system using Castellan.
:param account: the name of the account
:type account: string
:param user_token: the keystone token of the user from the request
:type user_token: string
:return: a tuple containing the binary bytes of the latest encryption
root secret, and the id of the latest root encryption secret
:rtype: (bytearray, string)
"""
conf = self.conf
if self.keymaster_config_path is not None:
if any(opt in conf for opt in ('key_id', )):
raise ValueError('keymaster_config_path is set, but there '
'are other config options specified!')
conf = readconf(self.keymaster_config_path, 'rotating_keymaster')
user_ctxt = keystone_token.KeystoneToken(token=user_token)
oslo_conf = cfg.ConfigOpts()
options.set_defaults(oslo_conf,
auth_endpoint=conf.get('auth_endpoint'),
api_class=conf.get('api_class'))
options.enable_logging()
manager = key_manager.API(oslo_conf)
# Get the latest key from Barbican. If no keymanager class has been
# specified (using 'api_class'), or the keymaster does not have a
# 'get_latest_key()' method, an exception will be raised.
latest_user_root_secret_id, key = manager.get_latest_key(
user_ctxt, bits=256, algorithm='aes', name='swift_root_secret')
self.logger.log(
SECDEL_LOG_LEVEL_DEBUG,
"ID of latest user root secret is %s" % latest_user_root_secret_id)
if latest_user_root_secret_id is None or key is None:
return None, None
user_root_secrets = self._user_root_secrets.get(account)
if user_root_secrets is None:
user_root_secrets = dict()
user_root_secrets[latest_user_root_secret_id] = key.get_encoded()
self._user_root_secrets[account] = user_root_secrets
return key.get_encoded(), latest_user_root_secret_id
def handle_key_migration(self, volumes, backups):
castellan_options.set_defaults(self.conf)
try:
self.conf.import_opt(name='fixed_key',
module_str='cinder.keymgr.conf_key_mgr',
group='key_manager')
except cfg.DuplicateOptError:
pass
fixed_key = self.conf.key_manager.fixed_key
backend = self.conf.key_manager.backend or ''
backend = backend.split('.')[-1]
if backend == 'ConfKeyManager':
LOG.info("Not migrating encryption keys because the "
"ConfKeyManager is still in use.")
elif not fixed_key:
LOG.info("Not migrating encryption keys because the "
"ConfKeyManager's fixed_key is not in use.")
elif backend != 'barbican' and backend != 'BarbicanKeyManager':
# Note: There are two ways of specifying the Barbican backend.
# The long-hand method contains the "BarbicanKeyManager" class
# name, and the short-hand method is just "barbican" with no
# module path prefix.
LOG.warning("Not migrating encryption keys because migration to "
"the '%s' key_manager backend is not supported.",
backend)
self._log_migration_status()
elif not volumes and not backups:
LOG.info("Not migrating encryption keys because there are no "
"volumes or backups associated with this host.")
self._log_migration_status()
else:
self.fixed_key_bytes = bytes(binascii.unhexlify(fixed_key))
self.fixed_key_length = len(self.fixed_key_bytes) * 8
self._migrate_keys(volumes, backups)
self._log_migration_status()
def _encrypt_data(context, data):
try:
# TODO(pbourke): move auth construction into common area if it ends up
# been required in other areas
auth = identity.V3Password(
auth_url=settings.KEY_MANAGER['auth_url'],
username=settings.KEY_MANAGER['username'],
user_domain_name=settings.KEY_MANAGER['user_domain_name'],
password=settings.KEY_MANAGER['password'],
project_name=settings.KEY_MANAGER['project_name'],
project_domain_name=settings.KEY_MANAGER['project_domain_name']
)
except (KeyError, AttributeError) as e:
LOG.exception(e)
msg = ('Could not find valid key manager credentials in the '
'murano-dashboard config. encryptData yaql function not '
'available')
raise castellan_exception.KeyManagerError(message_arg=msg)
sess = session.Session(auth=auth)
auth_context = _oslo_context.RequestContext(
auth_token=auth.get_token(sess), tenant=auth.get_project_id(sess))
options.set_defaults(cfg.CONF,
auth_endpoint=settings.KEY_MANAGER['auth_url'])
options.set_defaults(cfg.CONF,
barbican_endpoint_type='internal')
manager = key_manager.API()
try:
# TODO(pbourke): while we feel opaque data should cover the most common
# use case, we may want to add support for other secret types in the
# future (see https://goo.gl/tZhfqe)
stored_key_id = manager.store(auth_context,
opaque_data.OpaqueData(data))
except castellan_exception.KeyManagerError as e:
LOG.exception(e)
raise
return stored_key_id
def test_set_defaults(self):
conf = cfg.ConfigOpts()
api_class = 'test.api.class'
options.set_defaults(conf, api_class=api_class)
self.assertEqual(api_class, conf.key_manager.api_class)
barbican_endpoint = 'http://test-server.org:9311/'
options.set_defaults(conf, barbican_endpoint=barbican_endpoint)
self.assertEqual(barbican_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint)
barbican_api_version = 'vSomething'
options.set_defaults(conf, barbican_api_version=barbican_api_version)
self.assertEqual(barbican_api_version,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)
def register_opts(conf):
castellan_opts.set_defaults(conf)
conf.register_group(key_manager_group)
conf.register_opts(key_manager_opts, group=key_manager_group)
# License for the specific language governing permissions and limitations
# under the License.
from castellan import options as castellan_opts
from oslo_config import cfg
from oslo_log import log as logging
from oslo_log import versionutils
from oslo_utils import importutils
from cinder.i18n import _LW
LOG = logging.getLogger(__name__)
CONF = cfg.CONF
castellan_opts.set_defaults(cfg.CONF)
# NOTE(kfarr): This line can be removed when a value is assigned in DevStack
CONF.set_default('api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager',
group='key_manager')
# NOTE(kfarr): For backwards compatibility, everything below this comment
# is deprecated for removal
api_class = None
try:
api_class = CONF.key_manager.api_class
except cfg.NoSuchOptError:
LOG.warning(_LW("key_manager.api_class is not set, will use deprecated "
"option keymgr.api_class if set"))
try:
api_class = CONF.keymgr.api_class
# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from castellan import options as castellan_opts from oslo_config import cfg CONF = cfg.CONF castellan_opts.set_defaults(CONF)
# under the License.
from castellan import options as castellan_opts
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import importutils
import nova.conf
from nova.i18n import _LW
LOG = logging.getLogger(__name__)
CONF = nova.conf.CONF
castellan_opts.set_defaults(CONF)
# NOTE(kfarr): This line can be removed when a value is assigned in DevStack
CONF.set_default("api_class", "nova.keymgr.conf_key_mgr.ConfKeyManager", group="key_manager")
# NOTE(kfarr): For backwards compatibility, everything below this comment
# is deprecated for removal
api_class = None
try:
api_class = CONF.key_manager.api_class
except cfg.NoSuchOptError:
LOG.warning(_LW("key_manager.api_class is not set, will use deprecated " "option keymgr.api_class if set"))
try:
api_class = CONF.keymgr.api_class
except cfg.NoSuchOptError:
LOG.warning(_LW("keymgr.api_class is not set"))
def test_set_defaults(self):
conf = cfg.ConfigOpts()
api_class = 'test.api.class'
options.set_defaults(conf, api_class=api_class)
self.assertEqual(api_class, conf.key_manager.api_class)
barbican_endpoint = 'http://test-server.org:9311/'
options.set_defaults(conf, barbican_endpoint=barbican_endpoint)
self.assertEqual(barbican_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint)
barbican_api_version = 'vSomething'
options.set_defaults(conf, barbican_api_version=barbican_api_version)
self.assertEqual(barbican_api_version,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)
auth_endpoint = 'http://test-server.org:5000/'
options.set_defaults(conf, auth_endpoint=auth_endpoint)
self.assertEqual(auth_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint)
retry_delay = 3
options.set_defaults(conf, retry_delay=retry_delay)
self.assertEqual(retry_delay,
conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay)
number_of_retries = 10
options.set_defaults(conf, number_of_retries=number_of_retries)
self.assertEqual(number_of_retries,
conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
def test_set_defaults(self):
conf = cfg.ConfigOpts()
api_class = 'test.api.class'
options.set_defaults(conf, api_class=api_class)
self.assertEqual(api_class, conf.key_manager.api_class)
barbican_endpoint = 'http://test-server.org:9311/'
options.set_defaults(conf, barbican_endpoint=barbican_endpoint)
self.assertEqual(barbican_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint)
barbican_api_version = 'vSomething'
options.set_defaults(conf, barbican_api_version=barbican_api_version)
self.assertEqual(barbican_api_version,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)
auth_endpoint = 'http://test-server.org:5000/'
options.set_defaults(conf, auth_endpoint=auth_endpoint)
self.assertEqual(auth_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint)
retry_delay = 3
options.set_defaults(conf, retry_delay=retry_delay)
self.assertEqual(retry_delay,
conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay)
number_of_retries = 10
options.set_defaults(conf, number_of_retries=number_of_retries)
self.assertEqual(number_of_retries,
conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
verify_ssl = True
options.set_defaults(conf, verify_ssl=True)
self.assertEqual(verify_ssl,
conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
def test_set_defaults(self):
conf = cfg.ConfigOpts()
self.assertTrue(isinstance(key_manager.API(conf),
bkm.BarbicanKeyManager))
cls = mock_key_manager.MockKeyManager
backend = '%s.%s' % (cls.__module__, cls.__name__)
options.set_defaults(conf, backend=backend)
self.assertEqual(backend, conf.key_manager.backend)
self.assertIsInstance(key_manager.API(conf),
mock_key_manager.MockKeyManager)
barbican_endpoint = 'http://test-server.org:9311/'
options.set_defaults(conf, barbican_endpoint=barbican_endpoint)
self.assertEqual(barbican_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint)
barbican_api_version = 'vSomething'
options.set_defaults(conf, barbican_api_version=barbican_api_version)
self.assertEqual(barbican_api_version,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)
auth_endpoint = 'http://test-server.org/identity'
options.set_defaults(conf, auth_endpoint=auth_endpoint)
self.assertEqual(auth_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint)
retry_delay = 3
options.set_defaults(conf, retry_delay=retry_delay)
self.assertEqual(retry_delay,
conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay)
number_of_retries = 10
options.set_defaults(conf, number_of_retries=number_of_retries)
self.assertEqual(number_of_retries,
conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
verify_ssl = True
options.set_defaults(conf, verify_ssl=True)
self.assertEqual(verify_ssl,
conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
barbican_endpoint_type = 'internal'
options.set_defaults(conf, barbican_endpoint_type='internal')
result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type
self.assertEqual(barbican_endpoint_type, result_type)
def test_set_defaults(self):
conf = cfg.ConfigOpts()
self.assertTrue(
isinstance(key_manager.API(conf), bkm.BarbicanKeyManager))
cls = mock_key_manager.MockKeyManager
backend = '%s.%s' % (cls.__module__, cls.__name__)
options.set_defaults(conf, backend=backend)
self.assertEqual(backend, conf.key_manager.backend)
self.assertIsInstance(key_manager.API(conf),
mock_key_manager.MockKeyManager)
barbican_endpoint = 'http://test-server.org:9311/'
options.set_defaults(conf, barbican_endpoint=barbican_endpoint)
self.assertEqual(barbican_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint)
barbican_api_version = 'vSomething'
options.set_defaults(conf, barbican_api_version=barbican_api_version)
self.assertEqual(barbican_api_version,
conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)
auth_endpoint = 'http://test-server.org/identity'
options.set_defaults(conf, auth_endpoint=auth_endpoint)
self.assertEqual(auth_endpoint,
conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint)
retry_delay = 3
options.set_defaults(conf, retry_delay=retry_delay)
self.assertEqual(retry_delay,
conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay)
number_of_retries = 10
options.set_defaults(conf, number_of_retries=number_of_retries)
self.assertEqual(number_of_retries,
conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
verify_ssl = True
options.set_defaults(conf, verify_ssl=True)
self.assertEqual(verify_ssl,
conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
barbican_endpoint_type = 'internal'
options.set_defaults(conf, barbican_endpoint_type='internal')
result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type
self.assertEqual(barbican_endpoint_type, result_type)
def register_opts(conf):
castellan_opts.set_defaults(conf)
conf.register_group(key_manager_group)
conf.register_opts(key_manager_opts, group=key_manager_group)
