def encode_vim_auth(self, vim_id, auth): """Encode VIM credentials Store VIM auth using fernet key encryption """ fernet_key, fernet_obj = self.keystone.create_fernet_key() encoded_auth = fernet_obj.encrypt(auth['password'].encode('utf-8')) auth['password'] = encoded_auth if CONF.vim_keys.use_barbican: try: k_context = t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken keymgr_api = KEYMGR_API(keystone_conf.auth_url) secret_uuid = keymgr_api.store(k_context, fernet_key) auth['key_type'] = 'barbican_key' auth['secret_uuid'] = secret_uuid LOG.debug('VIM auth successfully stored for vim %s', vim_id) except Exception as ex: LOG.warning('VIM key creation failed for vim %s due to %s', vim_id, ex) raise else: auth['key_type'] = 'fernet_key' key_file = os.path.join(CONF.vim_keys.openstack, vim_id) try: with open(key_file, 'wb') as f: f.write(fernet_key) LOG.debug('VIM auth successfully stored for vim %s', vim_id) except IOError: raise nfvo.VimKeyNotFoundException(vim_id=vim_id)
def delete_vim_auth(self, vim_id, auth): """Delete vim information Delete vim key stored in file system """ LOG.debug('Attempting to delete key for vim id %s', vim_id) if auth.get('key_type') == 'barbican_key': try: k_context = t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken secret_uuid = auth['secret_uuid'] keymgr_api = KEYMGR_API(keystone_conf.auth_url) keymgr_api.delete(k_context, secret_uuid) LOG.debug('VIM key deleted successfully for vim %s', vim_id) except Exception as ex: LOG.warning('VIM key deletion failed for vim %s due to %s', vim_id, ex) raise else: key_file = os.path.join(CONF.vim_keys.openstack, vim_id) try: os.remove(key_file) LOG.debug('VIM key deleted successfully for vim %s', vim_id) except OSError: LOG.warning('VIM key deletion failed for vim %s', vim_id)
def delete_vim_auth(self, vim_id, auth): """Delete kubernetes vim information Delete vim key stored in file system """ if 'secret_uuid' in auth: # Delete secret id of barbican LOG.debug('Attempting to delete key for vim id %s', vim_id) if auth.get('key_type') == 'barbican_key': try: k_context = \ t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken secret_uuid = auth['secret_uuid'] keymgr_api = KEYMGR_API(keystone_conf.auth_url) keymgr_api.delete(k_context, secret_uuid) LOG.debug('VIM key deleted successfully for vim %s', vim_id) except Exception as exception: LOG.warning('VIM key deletion failed for vim %s due to %s', vim_id, exception) raise else: raise nfvo.VimEncryptKeyError(vim_id=vim_id)
def encode_vim_auth(self, vim_id, auth): """Encode VIM credentials Store VIM auth using fernet key encryption """ fernet_key, fernet_obj = self.kubernetes.create_fernet_key() if ('password' in auth) and (auth['password'] is not None): encoded_auth = fernet_obj.encrypt(auth['password'].encode('utf-8')) auth['password'] = encoded_auth if 'bearer_token' in auth: encoded_auth = fernet_obj.encrypt( auth['bearer_token'].encode('utf-8')) auth['bearer_token'] = encoded_auth if auth.get('ssl_ca_cert', ''): encoded_auth = fernet_obj.encrypt( auth['ssl_ca_cert'].encode('utf-8')) auth['ssl_ca_cert'] = encoded_auth if CONF.k8s_vim.use_barbican: try: k_context = t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken keymgr_api = KEYMGR_API(keystone_conf.auth_url) secret_uuid = keymgr_api.store(k_context, fernet_key) auth['key_type'] = 'barbican_key' auth['secret_uuid'] = secret_uuid LOG.debug('VIM auth successfully stored for vim %s', vim_id) except Exception as exception: LOG.warning('VIM key creation failed for vim %s due to %s', vim_id, exception) raise else: raise nfvo.VimEncryptKeyError(vim_id=vim_id)
def delete_vim_auth(self, vim_id, auth): """Delete vim information Delete vim key stored in file system """ LOG.debug('Attempting to delete key for vim id %s', vim_id) if auth.get('key_type') == 'barbican_key': try: k_context = t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken secret_uuid = auth['secret_uuid'] keymgr_api = KEYMGR_API(keystone_conf.auth_url) keymgr_api.delete(k_context, secret_uuid) LOG.debug('VIM key deleted successfully for vim %s', vim_id) except Exception as ex: LOG.warning('VIM key deletion failed for vim %s due to %s', vim_id, ex) raise else: key_file = os.path.join(CONF.vim_keys.openstack, vim_id) try: os.remove(key_file) LOG.debug('VIM key deleted successfully for vim %s', vim_id) except OSError: LOG.warning('VIM key deletion failed for vim %s', vim_id)
def test_encode_vim_auth_barbican(self): self.config_fixture.config(group='vim_keys', use_barbican=True) fernet_attrs = {'encrypt.return_value': 'encrypted_password'} mock_fernet_obj = mock.Mock(**fernet_attrs) mock_fernet_key = 'test_fernet_key' self.keymgr.store.return_value = 'fake-secret-uuid' self.keystone.create_fernet_key.return_value = (mock_fernet_key, mock_fernet_obj) vim_obj = self.get_vim_obj() self.openstack_driver.encode_vim_auth(vim_obj['id'], vim_obj['auth_cred']) self.keymgr.store.assert_called_once_with( t_context.generate_tacker_service_context(), 'test_fernet_key') mock_fernet_obj.encrypt.assert_called_once_with(mock.ANY) self.assertEqual(vim_obj['auth_cred']['key_type'], 'barbican_key') self.assertEqual(vim_obj['auth_cred']['secret_uuid'], 'fake-secret-uuid')
def test_encode_vim_auth_barbican(self): self.config_fixture.config(group='k8s_vim', use_barbican=True) fernet_attrs = {'encrypt.return_value': 'encrypted_password'} mock_fernet_obj = mock.Mock(**fernet_attrs) mock_fernet_key = 'test_fernet_key' self.keymgr.store.return_value = 'fake-secret-uuid' self.kubernetes_api.create_fernet_key.return_value = (mock_fernet_key, mock_fernet_obj) vim_obj = self.get_vim_obj() self.kubernetes_driver.encode_vim_auth( vim_obj['id'], vim_obj['auth_cred']) self.keymgr.store.assert_called_once_with( t_context.generate_tacker_service_context(), 'test_fernet_key') mock_fernet_obj.encrypt.assert_called_once_with(mock.ANY) self.assertEqual(vim_obj['auth_cred']['key_type'], 'barbican_key') self.assertEqual(vim_obj['auth_cred']['secret_uuid'], 'fake-secret-uuid')
def _decode_vim_auth(self, vim_id, auth): """Decode Vim credentials Decrypt VIM cred, get fernet Key from local_file_system or barbican. """ cred = auth['password'].encode('utf-8') if auth.get('key_type') == 'barbican_key': k_context = t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken secret_uuid = auth['secret_uuid'] keymgr_api = KEYMGR_API(keystone_conf.auth_url) secret_obj = keymgr_api.get(k_context, secret_uuid) vim_key = secret_obj.payload else: vim_key = self._find_vim_key(vim_id) f = fernet.Fernet(vim_key) if not f: LOG.warning('Unable to decode VIM auth') raise nfvo.VimNotFoundException(vim_id=vim_id) return f.decrypt(cred)
def _decode_vim_auth(self, vim_id, auth, secret_value): """Decode Vim credentials Decrypt VIM cred, get fernet Key from local_file_system or barbican. """ cred = secret_value.encode('utf-8') if auth.get('key_type') == 'barbican_key': keystone_conf = CONF.keystone_authtoken secret_uuid = auth['secret_uuid'] keymgr_api = KEYMGR_API(keystone_conf.auth_url) k_context = t_context.generate_tacker_service_context() secret_obj = keymgr_api.get(k_context, secret_uuid) vim_key = secret_obj.payload else: vim_key = self._find_vim_key(vim_id) f = fernet.Fernet(vim_key) if not f: LOG.warning('Unable to decode VIM auth') raise nfvo.VimNotFoundException(vim_id=vim_id) return f.decrypt(cred)
def encode_vim_auth(self, vim_id, auth): """Encode VIM credentials Store VIM auth using fernet key encryption """ fernet_key, fernet_obj = self.keystone.create_fernet_key() encoded_auth = fernet_obj.encrypt(auth['password'].encode('utf-8')) auth['password'] = encoded_auth if CONF.vim_keys.use_barbican: try: k_context = t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken keymgr_api = KEYMGR_API(keystone_conf.auth_url) secret_uuid = keymgr_api.store(k_context, fernet_key) auth['key_type'] = 'barbican_key' auth['secret_uuid'] = secret_uuid LOG.debug('VIM auth successfully stored for vim %s', vim_id) except Exception as ex: LOG.warning('VIM key creation failed for vim %s due to %s', vim_id, ex) raise else: auth['key_type'] = 'fernet_key' key_file = os.path.join(CONF.vim_keys.openstack, vim_id) try: with open(key_file, 'w') as f: if six.PY2: f.write(fernet_key.decode('utf-8')) else: f.write(fernet_key) LOG.debug('VIM auth successfully stored for vim %s', vim_id) except IOError: raise nfvo.VimKeyNotFoundException(vim_id=vim_id)
def encode_vim_auth(self, vim_id, auth): """Encode VIM credentials Store VIM auth using fernet key encryption """ fernet_key, fernet_obj = self.kubernetes.create_fernet_key() if ('password' in auth) and (auth['password'] is not None): encoded_auth = fernet_obj.encrypt( auth['password'].encode('utf-8')) auth['password'] = encoded_auth if 'bearer_token' in auth: encoded_auth = fernet_obj.encrypt( auth['bearer_token'].encode('utf-8')) auth['bearer_token'] = encoded_auth if auth.get('ssl_ca_cert', ''): encoded_auth = fernet_obj.encrypt( auth['ssl_ca_cert'].encode('utf-8')) auth['ssl_ca_cert'] = encoded_auth if CONF.k8s_vim.use_barbican: try: k_context = t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken keymgr_api = KEYMGR_API(keystone_conf.auth_url) secret_uuid = keymgr_api.store(k_context, fernet_key) auth['key_type'] = 'barbican_key' auth['secret_uuid'] = secret_uuid LOG.debug('VIM auth successfully stored for vim %s', vim_id) except Exception as exception: LOG.warning('VIM key creation failed for vim %s due to %s', vim_id, exception) raise else: raise nfvo.VimEncryptKeyError(vim_id=vim_id)
def delete_vim_auth(self, vim_id, auth): """Delete kubernetes vim information Delete vim key stored in file system """ if 'secret_uuid' in auth: # Delete secret id of barbican LOG.debug('Attempting to delete key for vim id %s', vim_id) if auth.get('key_type') == 'barbican_key': try: k_context = \ t_context.generate_tacker_service_context() keystone_conf = CONF.keystone_authtoken secret_uuid = auth['secret_uuid'] keymgr_api = KEYMGR_API(keystone_conf.auth_url) keymgr_api.delete(k_context, secret_uuid) LOG.debug('VIM key deleted successfully for vim %s', vim_id) except Exception as exception: LOG.warning('VIM key deletion failed for vim %s due to %s', vim_id, exception) raise else: raise nfvo.VimEncryptKeyError(vim_id=vim_id)
def test_deregister_vim_barbican(self): self.keymgr.delete.return_value = None vim_obj = self.get_vim_obj_barbican() self.openstack_driver.deregister_vim(vim_obj) self.keymgr.delete.assert_called_once_with( t_context.generate_tacker_service_context(), 'fake-secret-uuid')
def test_deregister_vim_barbican(self): self.keymgr.delete.return_value = None vim_obj = self.get_vim_obj_barbican() self.kubernetes_driver.deregister_vim(vim_obj) self.keymgr.delete.assert_called_once_with( t_context.generate_tacker_service_context(), 'fake-secret-uuid')