def test_should_get_count_one_after_delete(self):
session = self.repo.get_session()
project = models.Project()
project.external_id = "my keystone id"
project.save(session=session)
container_model = models.Container()
container_model.project_id = project.id
self.repo.create_from(container_model, session=session)
container_model = models.Container()
container_model.project_id = project.id
self.repo.create_from(container_model, session=session)
session.commit()
count = self.repo.get_count(project.id, session=session)
self.assertEqual(2, count)
self.repo.delete_entity_by_id(container_model.id,
"my keystone id",
session=session)
session.commit()
count = self.repo.get_count(project.id, session=session)
self.assertEqual(1, count)
def test_parse_secret_ref_uri(self):
self.parsed_container['secret_refs'][0]['secret_ref'] =\
'http://localhost:9110/123/secrets/123456'
container = models.Container(self.parsed_container)
self.assertEqual(container.container_secrets[0].secret_id, '123456')
self.parsed_container['secret_refs'][0]['secret_ref'] =\
'http://localhost:9110/123/secrets/123456/'
container = models.Container(self.parsed_container)
self.assertEqual(container.container_secrets[0].secret_id, '123456')
def test_should_update_with_duplicate_consumer(self):
session = self.repo.get_session()
project = models.Project()
project.external_id = "my keystone id"
project.save(session=session)
container = models.Container()
container.project_id = project.id
container.save(session=session)
# Create a consumer.
consumer = models.ContainerConsumerMetadatum(
container.id, project.id, {'name': 'name', 'URL': 'www.foo.com'})
consumer.save(session=session)
# Commit things so far, because the 'create_or_update_from' call below
# will handle consumer metadata with same composite key items already
# existing, and then rollback this session's transaction, which would
# remove the items added above and result in a not-found error below.
session.commit()
# Try to create a consumer on the container...should re-use the
# one added above.
consumer2 = models.ContainerConsumerMetadatum(
container.id, project.id, {'name': 'name', 'URL': 'www.foo.com'})
self.repo.create_or_update_from(consumer2, container, session=session)
container2 = self.repo_container.get(
container.id, project.external_id, session=session)
self.assertEqual(1, len(container2.consumers))
def test_new_container_is_created_from_dict(self):
container = models.Container(self.parsed_container)
self.assertEqual(self.parsed_container['name'], container.name)
self.assertEqual(self.parsed_container['type'], container.type)
self.assertEqual(self.parsed_container['creator_id'],
container.creator_id)
self.assertEqual(len(self.parsed_container['secret_refs']),
len(container.container_secrets))
self.assertEqual(self.parsed_container['secret_refs'][0]['name'],
container.container_secrets[0].name)
self.assertEqual(self.parsed_container['secret_refs'][0]['secret_ref'],
container.container_secrets[0].secret_id)
self.assertEqual(self.parsed_container['secret_refs'][1]['name'],
container.container_secrets[1].name)
self.assertEqual(self.parsed_container['secret_refs'][1]['secret_ref'],
container.container_secrets[1].secret_id)
self.assertEqual(self.parsed_container['secret_refs'][2]['name'],
container.container_secrets[2].name)
self.assertEqual(self.parsed_container['secret_refs'][2]['secret_ref'],
container.container_secrets[2].secret_id)
fields = container.to_dict_fields()
self.assertEqual(self.parsed_container['name'], fields['name'])
self.assertEqual(self.parsed_container['type'], fields['type'])
self.assertEqual(self.parsed_container['creator_id'],
fields['creator_id'])
def on_post(self, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...{0}'.format(data))
new_container = models.Container(data)
new_container.tenant_id = tenant.id
#TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(
404,
u._("Secret provided for '{0}' doesn't"
" exist.").format(secret_ref.name))
self.container_repo.create_from(new_container)
pecan.response.status = 202
pecan.response.headers['Location'] = '/{0}/containers/{1}'.format(
keystone_id, new_container.id)
url = controllers.hrefs.convert_container_to_href(
keystone_id, new_container.id)
return {'container_ref': url}
def test_new_certificate_container_is_created_from_dict(self):
self.parsed_container['type'] = 'certificate'
container = models.Container(self.parsed_container)
self.assertEqual(self.parsed_container['name'], container.name)
self.assertEqual(self.parsed_container['type'], container.type)
self.assertEqual(self.parsed_container['creator_id'],
container.creator_id)
self.assertEqual(len(self.parsed_container['secret_refs']),
len(container.container_secrets))
self.assertEqual(self.parsed_container['secret_refs'][0]['name'],
container.container_secrets[0].name)
self.assertEqual(self.parsed_container['secret_refs'][0]['secret_ref'],
container.container_secrets[0].secret_id)
self.assertEqual(
self.parsed_container['secret_refs'][1]['name'],
container.container_secrets[1].name,
)
self.assertEqual(self.parsed_container['secret_refs'][1]['secret_ref'],
container.container_secrets[1].secret_id)
self.assertEqual(self.parsed_container['secret_refs'][2]['name'],
container.container_secrets[2].name)
self.assertEqual(self.parsed_container['secret_refs'][2]['secret_ref'],
container.container_secrets[2].secret_id)
def on_post(self, req, resp, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
data = api.load_body(req, resp, self.validator)
LOG.debug('Start on_post...{0}'.format(data))
new_container = models.Container(data)
new_container.tenant_id = tenant.id
#TODO: (hgedikli) performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
api.abort(falcon.HTTP_404,
u._("Secret provided for '%s'"
" doesn't exist." % secret_ref.name),
req, resp)
self.container_repo.create_from(new_container)
resp.status = falcon.HTTP_202
resp.set_header('Location',
'/{0}/containers/{1}'.format(keystone_id,
new_container.id))
url = convert_container_to_href(keystone_id, new_container.id)
resp.body = json.dumps({'container_ref': url})
def test_should_raise_constraint_create_same_composite_key_no_id(self):
session = self.repo.get_session()
project = models.Project()
project.external_id = "my keystone id"
project.save(session=session)
container = models.Container()
container.project_id = project.id
container.save(session=session)
# Create a consumer.
consumer = models.ContainerConsumerMetadatum(
container.id, project.id, {'name': 'name', 'URL': 'www.foo.com'})
consumer.save(session=session)
# Commit things so far, because the 'create_from' call below will
# handle consumer metadata with same composite key items already
# existing, and then rollback this session's transaction, which would
# remove the items added above and result in a not-found error below.
session.commit()
# Create a new entity with the same composite key as the first one.
consumer2 = models.ContainerConsumerMetadatum(
container.id, project.id, {'name': 'name', 'URL': 'www.foo.com'})
exception_result = self.assertRaises(
exception.ConstraintCheck,
self.repo.create_from,
consumer2,
session=session)
self.assertIn(
"SQL constraint check failed",
six.text_type(exception_result))
def test_should_get_count_one_after_delete(self):
session = self.repo.get_session()
project = models.Project()
project.external_id = "my keystone id"
project.save(session=session)
container = models.Container()
container.project_id = project.id
container.save(session=session)
consumer = models.ContainerConsumerMetadatum(
container.id, project.id, {'name': 'name1', 'URL': 'www.foo.com'})
consumer.save(session=session)
consumer = models.ContainerConsumerMetadatum(
container.id, project.id, {'name': 'name2', 'URL': 'www.foo.com'})
consumer.save(session=session)
session.commit()
count = self.repo.get_count(project.id, session=session)
self.assertEqual(2, count)
self.repo.delete_entity_by_id(consumer.id, "my keystone id",
session=session)
session.commit()
count = self.repo.get_count(project.id, session=session)
self.assertEqual(1, count)
def setUp(self):
super(BaseOrderTestCase, self).setUp()
self.requestor = 'requestor1234'
self.order = models.Order()
self.order.id = "id1"
self.order.requestor = self.requestor
self.order.type = "key"
self.meta = {
'name': 'name',
'payload_content_type': 'application/octet-stream',
'algorithm': 'AES',
'bit_length': 256,
'expiration': timeutils.utcnow(),
'mode': 'CBC'
}
self.order.meta = self.meta
self.external_project_id = 'keystone1234'
self.project_id = 'projectid1234'
self.project = models.Project()
self.project.id = self.project_id
self.project.external_id = self.external_project_id
self.project_repo = mock.MagicMock()
self.project_repo.get.return_value = self.project
self.setup_project_repository_mock(self.project_repo)
self.order.status = models.States.PENDING
self.order.id = 'orderid1234'
self.order.project_id = self.project_id
self.order_repo = mock.MagicMock()
self.order_repo.get.return_value = self.order
self.setup_order_repository_mock(self.order_repo)
self.setup_order_plugin_meta_repository_mock()
self.setup_order_barbican_meta_repository_mock()
self.secret = models.Secret()
self.secret_repo = mock.MagicMock()
self.secret_repo.create_from.return_value = None
self.setup_secret_repository_mock(self.secret_repo)
self.datum_repo = mock.MagicMock()
self.datum_repo.create_from.return_value = None
self.setup_encrypted_datum_repository_mock(self.datum_repo)
self.setup_kek_datum_repository_mock()
self.setup_secret_meta_repository_mock()
self.container_repo = mock.MagicMock()
self.container_repo.create_from.return_value = None
self.setup_container_repository_mock(self.container_repo)
self.container_secret_repo = mock.MagicMock()
self.container_secret_repo.create_from.return_value = None
self.setup_container_secret_repository_mock(self.container_secret_repo)
self.container = models.Container()
def _create_container_for_asymmetric_secret(spec, project_model):
container_model = models.Container()
container_model.name = spec.get('name')
container_model.type = spec.get('algorithm', '').lower()
container_model.status = models.States.ACTIVE
container_model.project_id = project_model.id
container_model.creator_id = spec.get('creator_id')
return container_model
def _save_secrets(result, project_model, request_type, order_model):
cert_secret_model, transport_key_model = plugin.store_secret(
unencrypted_raw=result.certificate,
content_type_raw='application/pkix-cert',
content_encoding='base64',
secret_model=models.Secret(),
project_model=project_model)
# save the certificate chain as a secret.
if result.intermediates:
intermediates_secret_model, transport_key_model = plugin.store_secret(
unencrypted_raw=result.intermediates,
content_type_raw='application/pkix-cert',
content_encoding='base64',
secret_model=models.Secret(),
project_model=project_model
)
else:
intermediates_secret_model = None
container_model = models.Container()
container_model.type = "certificate"
container_model.status = models.States.ACTIVE
container_model.project_id = project_model.id
container_repo = repos.get_container_repository()
container_repo.create_from(container_model)
# create container_secret for certificate
new_consec_assoc = models.ContainerSecret()
new_consec_assoc.name = 'certificate'
new_consec_assoc.container_id = container_model.id
new_consec_assoc.secret_id = cert_secret_model.id
container_secret_repo = repos.get_container_secret_repository()
container_secret_repo.create_from(new_consec_assoc)
if intermediates_secret_model:
# create container_secret for intermediate certs
new_consec_assoc = models.ContainerSecret()
new_consec_assoc.name = 'intermediates'
new_consec_assoc.container_id = container_model.id
new_consec_assoc.secret_id = intermediates_secret_model.id
container_secret_repo.create_from(new_consec_assoc)
if request_type == cert.CertificateRequestType.STORED_KEY_REQUEST:
_add_private_key_to_generated_cert_container(container_model.id,
order_model,
project_model)
return container_model
def test_get_container_by_id(self):
session = self.repo.get_session()
project = models.Project()
project.external_id = "my keystone id"
project.save(session=session)
container = models.Container()
container.project_id = project.id
container.save(session=session)
session.commit()
db_container = self.repo.get_container_by_id(container.id)
self.assertIsNotNone(db_container)
def create_container(id_ref, project_id=None, external_project_id=None):
"""Generate a Container entity instance."""
container = models.Container()
container.id = id_ref
container.name = 'test name'
container.type = 'rsa'
container_secret = models.ContainerSecret()
container_secret.container_id = id_ref
container_secret.secret_id = '123'
container.container_secrets.append(container_secret)
if project_id:
project = models.Project()
project.id = project_id
project.external_id = external_project_id
container.project = project
return container
def _save_secrets(result, project_model, repos):
cert_secret_model, transport_key_model = plugin.store_secret(
unencrypted_raw=result.certificate,
content_type_raw='text/plain',
content_encoding='base64',
spec={},
secret_model=None,
project_model=project_model,
repos=repos)
# save the certificate chain as a secret.
if result.intermediates:
intermediates_secret_model, transport_key_model = plugin.store_secret(
unencrypted_raw=result.intermediates,
content_type_raw='text/plain',
content_encoding='base64',
spec={},
secret_model=None,
project_model=project_model,
repos=repos)
else:
intermediates_secret_model = None
container_model = models.Container()
container_model.type = "certificate"
container_model.status = models.States.ACTIVE
container_model.project_id = project_model.id
repos.container_repo.create_from(container_model)
# create container_secret for certificate
new_consec_assoc = models.ContainerSecret()
new_consec_assoc.name = 'certificate'
new_consec_assoc.container_id = container_model.id
new_consec_assoc.secret_id = cert_secret_model.id
repos.container_secret_repo.create_from(new_consec_assoc)
if intermediates_secret_model:
# create container_secret for intermediate certs
new_consec_assoc = models.ContainerSecret()
new_consec_assoc.name = 'intermediates'
new_consec_assoc.container_id = container_model.id
new_consec_assoc.secret_id = intermediates_secret_model.id
repos.container_secret_repo.create_from(new_consec_assoc)
return container_model
def _create_base_container(self, project_id=None):
# Setup the container and needed base relationship
container_repo = repositories.get_container_repository()
session = container_repo.get_session()
if project_id is None:
project = models.Project()
project.external_id = "keystone_project_id"
project.save(session=session)
project_id = project.id
container = models.Container()
container.project_id = project_id
container.save(session=session)
session.commit()
return container
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
self.quota_enforcer.enforce(project)
LOG.debug('Start on_post...%s', data)
new_container = models.Container(data)
new_container.project_id = project.id
# TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(
entity_id=secret_ref.secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(
404,
u._("Secret provided for '{secret_name}' doesn't "
"exist.").format(secret_name=secret_ref.name)
)
self.container_repo.create_from(new_container)
url = hrefs.convert_container_to_href(new_container.id)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a container for project: %s'),
external_project_id)
return {'container_ref': url}
def test_new_container_is_created_from_dict(self):
container = models.Container(self.parsed_container)
self.assertEqual(container.name, self.parsed_container['name'])
self.assertEqual(container.type, self.parsed_container['type'])
self.assertEqual(len(container.container_secrets),
len(self.parsed_container['secret_refs']))
self.assertEqual(container.container_secrets[0].name,
self.parsed_container['secret_refs'][0]['name'])
self.assertEqual(container.container_secrets[0].secret_id,
self.parsed_container['secret_refs'][0]['secret_ref'])
self.assertEqual(container.container_secrets[1].name,
self.parsed_container['secret_refs'][1]['name'])
self.assertEqual(container.container_secrets[1].secret_id,
self.parsed_container['secret_refs'][1]['secret_ref'])
self.assertEqual(container.container_secrets[2].name,
self.parsed_container['secret_refs'][2]['name'])
self.assertEqual(container.container_secrets[2].secret_id,
self.parsed_container['secret_refs'][2]['secret_ref'])
def create_container(project=None, session=None):
container = models.Container()
container.project_id = project.id
container_repo = repositories.get_container_repository()
container_repo.create_from(container, session=session)
return container
def setUp(self):
super(BaseCertificateRequestsTestCase, self).setUp()
self.external_project_id = "56789"
self.project = res.get_or_create_project(self.external_project_id)
project_repo.save(self.project)
self.barbican_meta_dto = mock.MagicMock()
self.order_meta = {}
self.plugin_meta = {}
self.barbican_meta = {}
self.result = cert_man.ResultDTO(
cert_man.CertificateStatus.WAITING_FOR_CA
)
self.result_follow_on = common.FollowOnProcessingStatusDTO()
self.cert_plugin = mock.MagicMock()
self.cert_plugin.issue_certificate_request.return_value = self.result
self.cert_plugin.check_certificate_status.return_value = self.result
self.store_plugin = mock.MagicMock()
parsed_ca = {
'plugin_name': "cert_plugin",
'plugin_ca_id': "XXXX",
'name': "test ca",
'description': 'Test CA',
'ca_signing_certificate': 'ZZZZZ',
'intermediates': 'YYYYY'
}
self.ca = models.CertificateAuthority(parsed_ca)
ca_repo.create_from(self.ca)
self.ca_id = self.ca.id
# second ca for testing
parsed_ca = {
'plugin_name': "cert_plugin",
'plugin_ca_id': "XXXX2",
'name': "test ca2",
'description': 'Test CA2',
'ca_signing_certificate': 'ZZZZZ2',
'intermediates': 'YYYYY2'
}
self.ca2 = models.CertificateAuthority(parsed_ca)
ca_repo.create_from(self.ca2)
self.ca_id2 = self.ca2.id
# data for preferred CA and global preferred CA tests
# add those to the repo in those tests
self.pref_ca = models.PreferredCertificateAuthority(
self.project.id,
self.ca_id)
self.global_pref_ca = models.PreferredCertificateAuthority(
self.project.id,
self.ca_id)
# data for stored key cases
self.private_key = models.Secret()
self.private_key.secret_type = 'PRIVATE'
self.private_key.project_id = self.project.id
secret_repo.create_from(self.private_key)
self.public_key = models.Secret()
self.public_key.secret_type = 'PUBLIC'
self.public_key.project_id = self.project.id
secret_repo.create_from(self.public_key)
self.passphrase = models.Secret()
self.passphrase.secret_type = 'PASSPHRASE'
self.passphrase.project_id = self.project.id
secret_repo.create_from(self.passphrase)
self.private_key_value = None
self.public_key_value = "public_key"
self.passphrase_value = None
self.parsed_container_with_passphrase = {
'name': 'container name',
'type': 'rsa',
'secret_refs': [
{'name': 'private_key',
'secret_ref': 'https://localhost/secrets/' +
self.private_key.id},
{'name': 'public_key',
'secret_ref': 'https://localhost/secrets/' +
self.public_key.id},
{'name': 'private_key_passphrase',
'secret_ref': 'https://localhost/secrets/' +
self.passphrase.id}
]
}
self.parsed_container = {
'name': 'container name',
'type': 'rsa',
'secret_refs': [
{'name': 'private_key',
'secret_ref': 'https://localhost/secrets/' +
self.private_key.id},
{'name': 'public_key',
'secret_ref': 'https://localhost/secrets/' +
self.public_key.id}
]
}
self.container_with_passphrase = models.Container(
self.parsed_container_with_passphrase)
self.container_with_passphrase.project_id = self.project.id
container_repo.create_from(self.container_with_passphrase)
self.container = models.Container(self.parsed_container)
self.container.project_id = self.project.id
container_repo.create_from(self.container)
repositories.commit()
self.stored_key_meta = {
cert_man.REQUEST_TYPE:
cert_man.CertificateRequestType.STORED_KEY_REQUEST,
"container_ref":
"https://localhost/containers/" + self.container.id,
"subject_dn": "cn=host.example.com,ou=dev,ou=us,o=example.com"
}
self.order = models.Order()
self.order.meta = self.order_meta
self.order.project_id = self.project.id
self.order.order_barbican_meta = self.barbican_meta
self.order.type = 'certificate'
order_repo.create_from(self.order)
self._config_cert_plugin()
self._config_store_plugin()
self._config_cert_event_plugin()
self._config_save_meta_plugin()
self._config_get_meta_plugin()
self._config_save_barbican_meta_plugin()
self._config_get_barbican_meta_plugin()
self._config_barbican_meta_dto()
def _do_create_instance(self):
return models.Container()
