def unset_acls(self, context, cert_ref): LOG.debug('Unsetting project ACL for certificate secret...') self.auth.revoke_secret_access(context, cert_ref) # TODO(velizarx): Remove this code when the deprecation cycle for # the legacy driver is complete. legacy_mgr = barbican_legacy.BarbicanCertManager(auth=self.auth) legacy_mgr.unset_acls(context, cert_ref)
def get_cert(self, context, cert_ref, resource_ref=None, check_only=False, service_name=None): """Retrieves the specified cert and registers as a consumer. :param context: Oslo context of the request :param cert_ref: the UUID of the cert to retrieve :param resource_ref: Full HATEOAS reference to the consuming resource :param check_only: Read Certificate data without registering :param service_name: Friendly name for the consuming service :return: octavia.certificates.common.Cert representation of the certificate data :raises Exception: if certificate retrieval fails """ connection = self.auth.get_barbican_client(context.project_id) LOG.info('Loading certificate secret %s from Barbican.', cert_ref) try: cert_secret = connection.secrets.get(secret_ref=cert_ref) return pkcs12.PKCS12Cert(cert_secret.payload) except exceptions.UnreadablePKCS12: raise except Exception: # If our get fails, try with the legacy driver. # TODO(rm_work): Remove this code when the deprecation cycle for # the legacy driver is complete. legacy_mgr = barbican_legacy.BarbicanCertManager() legacy_cert = legacy_mgr.get_cert( context, cert_ref, resource_ref=resource_ref, check_only=check_only, service_name=service_name ) return legacy_cert
def setUp(self): # Make a fake Container and contents self.barbican_endpoint = 'http://localhost:9311/v1' self.container_uuid = uuidutils.generate_uuid() self.certificate_uuid = uuidutils.generate_uuid() self.intermediates_uuid = uuidutils.generate_uuid() self.private_key_uuid = uuidutils.generate_uuid() self.private_key_passphrase_uuid = uuidutils.generate_uuid() self.container_ref = '{0}/containers/{1}'.format( self.barbican_endpoint, self.container_uuid) self.barbican_api = mock.MagicMock() self.name = 'My Fancy Cert' self.certificate = secrets.Secret(api=self.barbican_api, payload=sample.X509_CERT, secret_ref=self.certificate_uuid) self.intermediates = secrets.Secret(api=self.barbican_api, payload=sample.X509_IMDS, secret_ref=self.intermediates_uuid) self.private_key = secrets.Secret( api=self.barbican_api, payload=sample.X509_CERT_KEY_ENCRYPTED, secret_ref=self.private_key_uuid) self.private_key_passphrase = secrets.Secret( api=self.barbican_api, payload=sample.X509_CERT_KEY_PASSPHRASE, secret_ref=self.private_key_passphrase_uuid) container = mock.Mock(spec=containers.CertificateContainer) container.container_ref = self.container_ref container.name = self.name container.private_key = self.private_key container.certificate = self.certificate container.intermediates = self.intermediates container.private_key_passphrase = self.private_key_passphrase self.container = container self.empty_container = mock.Mock(spec=containers.CertificateContainer) self.secret1 = mock.Mock(spec=secrets.Secret) self.secret2 = mock.Mock(spec=secrets.Secret) self.secret3 = mock.Mock(spec=secrets.Secret) self.secret4 = mock.Mock(spec=secrets.Secret) # Mock out the client self.bc = mock.Mock() self.bc.containers.get.return_value = self.container barbican_auth = mock.Mock(spec=barbican_common.BarbicanAuth) barbican_auth.get_barbican_client.return_value = self.bc self.cert_manager = barbican_cert_mgr.BarbicanCertManager() self.cert_manager.auth = barbican_auth self.context = mock.Mock() self.context.project_id = PROJECT_ID super(TestBarbicanManager, self).setUp()
def delete_cert(self, context, cert_ref, resource_ref, service_name=None): """Deregister as a consumer for the specified cert. :param context: Oslo context of the request :param cert_ref: the UUID of the cert to retrieve :param resource_ref: Full HATEOAS reference to the consuming resource :param service_name: Friendly name for the consuming service :raises Exception: if deregistration fails """ # TODO(rm_work): We won't take any action on a delete in this driver, # but for now try the legacy driver's delete and ignore failure. try: legacy_mgr = barbican_legacy.BarbicanCertManager(auth=self.auth) legacy_mgr.delete_cert( context, cert_ref, resource_ref, service_name=service_name) except Exception: # If the delete failed, it was probably because it isn't legacy # (this will be fixed once Secrets have Consumer registration). pass