def _create_usage_mask_attribute(self, kmip_type):
"""Creates a KMIP Usage Mask attribute.
:param kmip_type: A PyKMIP enums ObjectType value
:returns: A KMIP Usage Mask attribute specific to the object type
"""
if (kmip_type == enums.ObjectType.SYMMETRIC_KEY
or kmip_type == enums.ObjectType.SECRET_DATA
or kmip_type == enums.ObjectType.OPAQUE_DATA):
flags = [
enums.CryptographicUsageMask.ENCRYPT,
enums.CryptographicUsageMask.DECRYPT
]
elif (kmip_type == enums.ObjectType.PUBLIC_KEY
or kmip_type == enums.ObjectType.CERTIFICATE):
flags = [
enums.CryptographicUsageMask.ENCRYPT,
enums.CryptographicUsageMask.VERIFY
]
elif kmip_type == enums.ObjectType.PRIVATE_KEY:
flags = [
enums.CryptographicUsageMask.DECRYPT,
enums.CryptographicUsageMask.SIGN
]
attribute_type = enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK
usage_mask = attributes.AttributeFactory().create_attribute(
attribute_type, flags)
LOG.debug(attribute_debug_msg, attribute_type.value,
', '.join(map(str, flags)))
return usage_mask
def __init__(self,
hostname=None,
port=None,
cert=None,
key=None,
ca=None,
ssl_version=None,
username=None,
password=None,
config='client'):
"""
Construct a ProxyKmipClient.
Args:
hostname (string): The host or IP address of a KMIP appliance.
Optional, defaults to None.
port (int): The port number used to establish a connection to a
KMIP appliance. Usually 5696 for KMIP applications. Optional,
defaults to None.
cert (string): The path to the client's certificate. Optional,
defaults to None.
key (string): The path to the key for the client's certificate.
Optional, defaults to None.
ca (string): The path to the CA certificate used to verify the
server's certificate. Optional, defaults to None.
ssl_version (string): The name of the ssl version to use for the
connection. Example: 'PROTOCOL_SSLv23'. Optional, defaults to
None.
username (string): The username of the KMIP appliance account to
use for operations. Optional, defaults to None.
password (string): The password of the KMIP appliance account to
use for operations. Optional, defaults to None.
config (string): The name of a section in the PyKMIP configuration
file. Use to load a specific set of configuration settings from
the configuration file, instead of specifying them manually.
Optional, defaults to the default client section, 'client'.
"""
self.logger = logging.getLogger()
self.attribute_factory = attributes.AttributeFactory()
self.object_factory = factory.ObjectFactory()
# TODO (peter-hamilton) Consider adding validation checks for inputs.
self.proxy = KMIPProxy(host=hostname,
port=port,
certfile=cert,
keyfile=key,
ca_certs=ca,
ssl_version=ssl_version,
username=username,
password=password,
config=config)
# TODO (peter-hamilton) Add a multiprocessing lock for synchronization.
self._is_open = False
def _create_cryptographic_length_attribute(self, bit_length):
"""Creates a KMIP Cryptographic Length attribute.
This attribute is used when telling the KMIP server what kind of
key to generate.
:param bit_length: Bit length of the secret's algorithm
:returns: KMIP Cryptographic Length attribute
"""
attribute_type = enums.AttributeType.CRYPTOGRAPHIC_LENGTH
length = attributes.AttributeFactory().create_attribute(
attribute_type, int(bit_length))
LOG.debug(attribute_debug_msg, attribute_type.value, bit_length)
return length
def setUp(self):
super(WhenTestingKMIPSecretStore, self).setUp()
self.kmipclient_mock = mock.MagicMock(name="KMIP client mock")
CONF = cfg.CONF
CONF.kmip_plugin.keyfile = None
self.credential = None
self.secret_store = kss.KMIPSecretStore(CONF)
self.secret_store.client = self.kmipclient_mock
self.secret_store.credential = self.credential
self.sample_secret_features = {
'key_format_type': enums.KeyFormatType.RAW,
'key_value': {
'bytes': bytearray(b'\x00\x00\x00')
},
'cryptographic_algorithm': enums.CryptographicAlgorithm.AES,
'cryptographic_length': 128
}
self.sample_secret = secrets.SecretFactory().create_secret(
enums.ObjectType.SYMMETRIC_KEY, self.sample_secret_features)
self.secret_store.client.create = mock.create_autospec(
proxy.KMIPProxy.create,
return_value=results.CreateResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
uuid=attr.UniqueIdentifier('uuid')))
self.secret_store.client.register = mock.create_autospec(
proxy.KMIPProxy.register,
return_value=results.RegisterResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
uuid=attr.UniqueIdentifier('uuid')))
self.secret_store.client.destroy = mock.create_autospec(
proxy.KMIPProxy.destroy,
return_value=results.DestroyResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS)))
self.secret_store.client.get = mock.create_autospec(
proxy.KMIPProxy.get,
return_value=results.GetResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
object_type=attr.ObjectType(enums.ObjectType.SYMMETRIC_KEY),
secret=self.sample_secret))
self.attribute_factory = attributes.AttributeFactory()
def _create_cryptographic_algorithm_attribute(self, alg):
"""Creates a KMIP Cryptographic Algorithm attribute.
This attribute is used when telling the KMIP server what kind of
key to generate.
:param algorithm: A SecretStore KeyAlgorithm enum value
:returns: A KMIP Cryptographic Algorithm attribute
"""
attribute_type = enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM
algorithm_name = self._map_algorithm_ss_to_kmip(alg.lower())
algorithm = attributes.AttributeFactory().create_attribute(
attribute_type, algorithm_name)
LOG.debug(attribute_debug_msg, attribute_type.value,
algorithm_name.name)
return algorithm
def _create_usage_mask_attribute(self):
"""Creates a KMIP Usage Mask attribute.
For now, we assume the key will only be used for encryption and
decryption. This attribute is used when telling the KMIP server
what kind of key to generate or store.
:returns: A KMIP Usage Mask attribute with values ENCRYPT and DECRYPT
"""
attribute_type = enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK
mask_flags = [enums.CryptographicUsageMask.ENCRYPT,
enums.CryptographicUsageMask.DECRYPT]
usage_mask = attributes.AttributeFactory().create_attribute(
attribute_type,
mask_flags)
LOG.debug(attribute_debug_msg,
attribute_type.value,
', '.join(map(str, mask_flags)))
return usage_mask
# NOTE: This demo script shows how to set the Sensitive attribute on
# the user-specified object. The server must support KMIP 2.0, since
# the SetAttribute operation is KMIP 2.0+ only and the Sensitive
# attribute is KMIP 1.4+ only. Otherwise, the client call to
# set_attribute will fail.
if __name__ == '__main__':
logger = utils.build_console_logger(logging.INFO)
parser = utils.build_cli_parser(enums.Operation.SET_ATTRIBUTE)
opts, args = parser.parse_args(sys.argv[1:])
if opts.uuid is None:
logger.error("No UUID provided, existing early from demo.")
sys.exit()
factory = attributes.AttributeFactory()
with client.ProxyKmipClient(config=opts.config,
config_file=opts.config_file,
kmip_version=enums.KMIPVersion.KMIP_2_0) as c:
try:
object_id = c.set_attribute(unique_identifier=opts.uuid,
attribute_name="Sensitive",
attribute_value=True)
logger.info(
"Successfully set the 'Sensitive' attribute on object: "
"{}".format(object_id))
except Exception as e:
logger.error(e)
def setUp(self):
super(WhenTestingKMIPSecretStore, self).setUp()
self.expected_username = "******"
self.expected_password = "******"
CONF = kss.CONF
CONF.kmip_plugin.username = self.expected_username
CONF.kmip_plugin.password = self.expected_password
CONF.kmip_plugin.keyfile = None
CONF.kmip_plugin.pkcs1_only = False
self.secret_store = kss.KMIPSecretStore(CONF)
self.credential = self.secret_store.credential
self.symmetric_type = secret_store.SecretType.SYMMETRIC
self.sample_secret_features = {
'key_format_type': enums.KeyFormatType.RAW,
'key_value': {
'bytes': bytearray(b'\x00\x00\x00')
},
'cryptographic_algorithm': enums.CryptographicAlgorithm.AES,
'cryptographic_length': 128
}
self.symmetric_key_uuid = 'dde870ad-cea3-41a3-9bb9-e8ab579a2f91'
self.public_key_uuid = 'cb908abb-d363-4d9f-8ef2-5e84d27dd25c'
self.private_key_uuid = '2d4c0544-4ec6-45b7-81cd-b23c75744eac'
self.sample_secret = get_sample_symmetric_key()
self.secret_store.client.proxy.open = mock.MagicMock(
proxy.KMIPProxy().open)
self.secret_store.client.proxy.close = mock.MagicMock(
proxy.KMIPProxy().close)
self.secret_store.client.proxy.create = mock.MagicMock(
proxy.KMIPProxy().create, return_value=results.CreateResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
uuid=attr.UniqueIdentifier(
self.symmetric_key_uuid)))
self.secret_store.client.proxy.create_key_pair = mock.MagicMock(
proxy.KMIPProxy().create_key_pair,
return_value=results.CreateKeyPairResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
private_key_uuid=attr.UniqueIdentifier(self.private_key_uuid),
public_key_uuid=attr.UniqueIdentifier(self.public_key_uuid)))
self.secret_store.client.proxy.register = mock.MagicMock(
proxy.KMIPProxy().register, return_value=results.RegisterResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
uuid=attr.UniqueIdentifier('uuid')))
self.secret_store.client.proxy.destroy = mock.MagicMock(
proxy.KMIPProxy().destroy, return_value=results.DestroyResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS)))
self.secret_store.client.proxy.get = mock.MagicMock(
proxy.KMIPProxy().get, return_value=results.GetResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
object_type=attr.ObjectType(enums.ObjectType.SYMMETRIC_KEY),
secret=self.sample_secret))
self.attribute_factory = attributes.AttributeFactory()
def setUp(self):
super(TestProxyKmipClientIntegration, self).setUp()
self.object_factory = factory.ObjectFactory()
self.attribute_factory = attribute_factory.AttributeFactory()
def setUp(self):
super(TestProxyKmipClient, self).setUp()
self.attribute_factory = attributes.AttributeFactory()
def setUp(self):
super(TestAttributeFactory, self).setUp()
self.attribute_factory = attributes.AttributeFactory()