def __init__(self, object_type=None, unique_identifier=None, secret=None):
"""
Construct a Get response payload struct.
Args:
object_type (ObjectType): An ObjectType enumeration specifying the
type of managed object being returned. Optional, defaults to
None. Required for read/write.
unique_identifier (string): The ID of the managed object (e.g., a
symmetric key) being returned. Optional, defaults to None.
Required for read/write.
secret (various): The managed object struct being returned. Must
be one of the following:
Optional, defaults to None. Required for read/write.
"""
super(GetResponsePayload, self).__init__()
self._object_type = None
self._unique_identifier = None
self._secret = None
self.object_type = object_type
self.unique_identifier = unique_identifier
self.secret = secret
self.secret_factory = secret_factory.SecretFactory()
def _build_core_object(self, obj):
try:
object_type = obj._object_type
except Exception:
raise exceptions.InvalidField(
"Cannot build an unsupported object type."
)
value = {}
if object_type == enums.ObjectType.CERTIFICATE:
value = {
'certificate_type': obj.certificate_type,
'certificate_value': obj.value
}
elif object_type == enums.ObjectType.SYMMETRIC_KEY:
value = {
'cryptographic_algorithm': obj.cryptographic_algorithm,
'cryptographic_length': obj.cryptographic_length,
'key_format_type': obj.key_format_type,
'key_value': obj.value
}
elif object_type == enums.ObjectType.PUBLIC_KEY:
value = {
'cryptographic_algorithm': obj.cryptographic_algorithm,
'cryptographic_length': obj.cryptographic_length,
'key_format_type': obj.key_format_type,
'key_value': obj.value
}
elif object_type == enums.ObjectType.PRIVATE_KEY:
value = {
'cryptographic_algorithm': obj.cryptographic_algorithm,
'cryptographic_length': obj.cryptographic_length,
'key_format_type': obj.key_format_type,
'key_value': obj.value
}
elif object_type == enums.ObjectType.SECRET_DATA:
value = {
'key_format_type': enums.KeyFormatType.OPAQUE,
'key_value': obj.value,
'secret_data_type': obj.data_type
}
elif object_type == enums.ObjectType.OPAQUE_DATA:
value = {
'opaque_data_type': obj.opaque_type,
'opaque_data_value': obj.value
}
else:
name = object_type.name
raise exceptions.InvalidField(
"The {0} object type is not supported.".format(
''.join(
[x.capitalize() for x in name.split('_')]
)
)
)
secret_factory = secrets.SecretFactory()
return secret_factory.create(object_type, value)
def setUp(self):
super(WhenTestingKMIPSecretStore, self).setUp()
self.kmipclient_mock = mock.MagicMock(name="KMIP client mock")
CONF = cfg.CONF
CONF.kmip_plugin.keyfile = None
self.credential = None
self.secret_store = kss.KMIPSecretStore(CONF)
self.secret_store.client = self.kmipclient_mock
self.secret_store.credential = self.credential
self.sample_secret_features = {
'key_format_type': enums.KeyFormatType.RAW,
'key_value': {
'bytes': bytearray(b'\x00\x00\x00')
},
'cryptographic_algorithm': enums.CryptographicAlgorithm.AES,
'cryptographic_length': 128
}
self.sample_secret = secrets.SecretFactory().create_secret(
enums.ObjectType.SYMMETRIC_KEY, self.sample_secret_features)
self.secret_store.client.create = mock.create_autospec(
proxy.KMIPProxy.create,
return_value=results.CreateResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
uuid=attr.UniqueIdentifier('uuid')))
self.secret_store.client.register = mock.create_autospec(
proxy.KMIPProxy.register,
return_value=results.RegisterResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
uuid=attr.UniqueIdentifier('uuid')))
self.secret_store.client.destroy = mock.create_autospec(
proxy.KMIPProxy.destroy,
return_value=results.DestroyResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS)))
self.secret_store.client.get = mock.create_autospec(
proxy.KMIPProxy.get,
return_value=results.GetResult(
contents.ResultStatus(enums.ResultStatus.SUCCESS),
object_type=attr.ObjectType(enums.ObjectType.SYMMETRIC_KEY),
secret=self.sample_secret))
self.attribute_factory = attributes.AttributeFactory()
def __init__(self,
object_type=None,
template_attribute=None,
managed_object=None,
protection_storage_masks=None):
"""
Construct a Register request payload structure.
Args:
object_type (enum): An ObjectType enumeration specifying the type
of object to register. Optional, defaults to None. Required for
read/write.
template_attribute (TemplateAttribute): A TemplateAttribute
structure containing a set of attributes to set on the new
object. Optional, defaults to None. Required for read/write.
managed_object (Struct): A managed object structure representing
the object to register. Must be one of:
* secrets.Certificate
* secrets.OpaqueObject
* secrets.PrivateKey
* secrets.PublicKey
* secrets.SecretData
* secrets.SplitKey
* secrets.SymmetricKey
* secrets.Template
Optional, defaults to None. Required for read/write.
protection_storage_masks (structure): A ProtectionStorageMasks
structure containing the storage masks permissible for the new
object. Added in KMIP 2.0. Optional, defaults to None.
"""
super(RegisterRequestPayload, self).__init__(
enums.Tags.REQUEST_PAYLOAD
)
self.secret_factory = secret_factory.SecretFactory()
self._object_type = None
self._template_attribute = None
self._secret = None
self._protection_storage_masks = None
self.object_type = object_type
self.template_attribute = template_attribute
self.managed_object = managed_object
self.protection_storage_masks = protection_storage_masks
def store_secret(self, secret_dto):
"""Stores a secret
To store a secret in KMIP, the attributes must be known.
:param secret_dto: SecretDTO of the secret to be stored
:returns: Dictionary holding the key_uuid assigned by KMIP
:raises: SecretGeneralException, SecretAlgorithmNotSupportedException
"""
LOG.debug("Starting secret storage with KMIP plugin")
if not self.store_secret_supports(secret_dto.key_spec):
raise ss.SecretAlgorithmNotSupportedException(
secret_dto.key_spec.alg)
object_type = self._map_type_ss_to_kmip(secret_dto.type)
algorithm_value = self._map_algorithm_ss_to_kmip(
secret_dto.key_spec.alg)
usage_mask = self._create_usage_mask_attribute()
attribute_list = [usage_mask]
template_attribute = kmip_objects.TemplateAttribute(
attributes=attribute_list)
secret_features = {
'key_format_type': enums.KeyFormatType.RAW,
'key_value': {
'bytes': self._convert_base64_to_byte_array(secret_dto.secret)
},
'cryptographic_algorithm': algorithm_value,
'cryptographic_length': secret_dto.key_spec.bit_length
}
secret = secrets.SecretFactory().create_secret(object_type,
secret_features)
LOG.debug("Created secret object to be stored: %s, %s, %s",
secret_features.get('key_format_type'),
secret_features.get('cryptographic_algorithm'),
secret_features.get('cryptographic_length'))
try:
self.client.open()
LOG.debug("Opened connection to KMIP client for secret storage")
result = self.client.register(object_type,
template_attribute,
secret,
self.credential)
except Exception as e:
LOG.exception(u._LE("Error opening or writing to client"))
raise ss.SecretGeneralException(str(e))
else:
if result.result_status.enum == enums.ResultStatus.SUCCESS:
LOG.debug("SUCCESS: Key stored with uuid: %s",
result.uuid.value)
return {KMIPSecretStore.KEY_UUID: result.uuid.value}
else:
self._raise_secret_general_exception(result)
finally:
self.client.close()
LOG.debug("Closed connection to KMIP client for secret storage")