def __init__(self, *args, **kwargs):
    """Build the validation-failure message for a rejected JSON object.

    ``kwargs['property']`` (if given) is kept as ``invalid_property``;
    ``schema`` and ``reason`` from ``args``/``kwargs`` are interpolated
    into ``client_message``. ``message`` is the translated prefix
    followed by ``client_message``. All arguments are forwarded
    unchanged to the parent constructor.
    """
    self.invalid_property = kwargs.get('property')
    # Prefix is assigned first so it is present even if formatting fails.
    self.message = u._("Failed to validate JSON information: ")
    detail_template = u._("Provided object does not match "
                          "schema '{schema}': "
                          "{reason}")
    self.client_message = detail_template.format(*args, **kwargs)
    self.message += self.client_message
    super(InvalidObject, self).__init__(*args, **kwargs)
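def _get_token_from_keystone(self, timeout=30):
    """Authenticate against Keystone and locate the KMS endpoint.

    Builds a Keystone v3 password-auth request from ``self.lic``
    (``user_id``, ``user_pass``, ``project_id``, ``project_name``,
    ``keystone_endpoint``), POSTs it, and returns the issued token together
    with the service-catalog entry whose ``type`` is ``kms``.

    Args:
        timeout: seconds to wait for Keystone; without one a stalled
            endpoint would block the caller indefinitely.

    Returns:
        ``(token, kms_endpoint)``; ``kms_endpoint`` is ``None`` when the
        catalog holds no entry of type ``kms``.

    Raises:
        exception.MarshalHTTPException: Keystone did not answer 201, or the
            reply carried no ``X-Subject-Token`` header.
    """
    payload = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "id": self.lic.user_id,
                        "password": self.lic.user_pass,
                    }
                },
            },
            "scope": {
                "project": {
                    "id": self.lic.project_id,
                    "domain": {"id": "default"},
                    "name": self.lic.project_name,
                }
            },
        }
    }
    # Serialised once and reused for the request.
    # NOTE(review): this keeps the plaintext password on the instance for
    # its whole lifetime; retained for compatibility with any reader of
    # ``json_data`` -- confirm nothing logs or persists it.
    self.json_data = json.dumps(payload)
    hdrs = {
        'Accept': 'application/json',
        'Content-Type': 'application/json; charset=UTF-8',
    }
    pr = requests.post(self.lic.keystone_endpoint, data=self.json_data,
                       headers=hdrs, timeout=timeout)
    # Keystone v3 answers a successful token request with 201 Created.
    if pr.status_code != 201:
        # Keep the literal static so the translation catalog can match it;
        # the status code is interpolated afterwards.
        log_msg = _('Unable to get identity from Keystone. Response Code '
                    'was: %s') % pr.status_code
        client_msg = _('Marshal was unable to authenticate.')
        raise exception.MarshalHTTPException(log_msg, client_msg,
                                             pr.status_code)
    LOG.debug("Successfully authenticated against Keystone.")
    token = pr.headers.get('X-Subject-Token')
    if not token:
        # A 201 without the token header is malformed; report it as an
        # authentication failure rather than a bare KeyError.
        log_msg = _('Keystone response did not include X-Subject-Token.')
        client_msg = _('Marshal was unable to authenticate.')
        raise exception.MarshalHTTPException(log_msg, client_msg,
                                             pr.status_code)
    catalog = json.loads(pr.content)['token']['catalog']
    # First catalog entry of type "kms" wins; None when there is none.
    kms_endpoint = next(
        (entry for entry in catalog if entry.get('type') == 'kms'), None)
    return token, kms_endpoint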
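def _get_key_from_kms(self, accept=None, timeout=30):
    """Fetch the encryption key from the configured key manager.

    ``self.kms_type`` selects the backend: ``None`` or ``"barbican"`` GETs
    ``self.kms_endpoint + self.key_id`` with an ``X-Project-Id`` header and
    returns the raw response body; ``"vault"`` GETs ``self.kms_endpoint``
    and returns ``data.value`` from the JSON reply. ``self.token``, when
    set, is sent as ``X-Auth-Token`` (Barbican) or ``X-Vault-Token``
    (Vault).

    Args:
        accept: value for the ``Accept`` header on Barbican requests;
            defaults to ``application/json``.
        timeout: seconds to wait for the KMS before giving up.

    Returns:
        The key material, or ``None`` when the KMS answered 200 with an
        empty body (Barbican only; Vault treats that as a decode error).

    Raises:
        ValueError: ``self.kms_type`` is not a supported backend.
        exception.MarshalHTTPException: the KMS did not answer 200.
        exception.PayloadDecodingError: a Vault reply was not JSON of the
            expected shape.
    """
    is_barbican = self.kms_type is None or self.kms_type == "barbican"
    if is_barbican:
        headers = {
            "Accept": accept or "application/json",
            "X-Project-Id": self.project_id,
        }
        if self.token is not None:
            headers["X-Auth-Token"] = self.token
        key_manager_url = self.kms_endpoint + format(self.key_id)
    elif self.kms_type == "vault":
        # Headers are built unconditionally; previously a Vault call
        # without a token hit an UnboundLocalError instead of the KMS.
        headers = {"Accept": "application/json"}
        if self.token is not None:
            headers["X-Vault-Token"] = self.token
        key_manager_url = self.kms_endpoint
    else:
        # Previously fell through to an UnboundLocalError on ``headers``.
        raise ValueError("Unsupported kms_type: %r" % (self.kms_type,))

    LOG.debug("Calling KMS API at: %s", key_manager_url)
    r = requests.get(key_manager_url, headers=headers, timeout=timeout)
    if r.status_code != 200:
        # Static literal so the translation catalog can match it.
        log_msg = _("Unable to get key from KMS. Response Code was: "
                    "%s") % r.status_code
        client_msg = _("Unable to get key from KMS")
        raise exception.MarshalHTTPException(log_msg, client_msg,
                                             r.status_code)
    # ``r.content`` is bytes on Python 3, so the old ``== ""`` / ``== "None"``
    # checks never matched; test falsiness and both spellings of "None".
    if not r.content or r.content in (b"None", "None"):
        LOG.info("KMS returned a blank key!")
        content = None
    else:
        # Deliberately not logged: the body is the key material itself.
        LOG.info("Successfully retrieved key from KMS.")
        content = r.content

    if is_barbican:
        return content
    try:
        return json.loads(content)["data"]["value"]
    except (ValueError, KeyError, TypeError):
        # TypeError covers a blank (None) body; the others cover bad JSON
        # or an unexpected document shape.
        msg = _("Unable to parse JSON response from Key Manager")
        raise exception.PayloadDecodingError(msg)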
cfg.StrOpt('kms_get_key_api', default=KMS_API, help=('Key management service key retrieval API')), cfg.StrOpt('kms_key_id', default=SECRET_ID, help=('Key management service key ID')), cfg.StrOpt('kms_project_id', default=TENANT_ID, help=('Key management service project/tenant ID')), cfg.StrOpt('keystone_endpoint', default=KEYSTONE_ENDPOINT, help=('Keystone endpoint for authentication')) ] vol_crypt_opt_group = cfg.OptGroup(name=VOL_CRYPT_GRP_NAME, title='Volume Encryption Options') vol_crypt_opts = [ cfg.StrOpt('action', default='isLuks', help=u._('One of: set, unset, isLuks, open, close, format,\ status')), cfg.StrOpt('dev', default=None, help=u._('The target device.')), cfg.StrOpt('mn', default=None, help=u._('The managed name for the device.')), cfg.StrOpt('lf', default='license.json', help=u._('The key license file.')), # Direct keyfile input not supported at this time for security reasons. # cfg.StrOpt('kf', default=None, # help=u._('The key file.')), cfg.IntOpt('ks', default=256, help=u._('Limits the key size to the specified number of bytes.\ ')), cfg.StrOpt('ci', default='aes-cbc-essiv:sha256', help=u._('Cipher. The encryption algorithm.')) ]