Commit Graph

50 Commits

Author SHA1 Message Date
Grzegorz Grasza 96027e9cff Implement force parameter
This change adds the force parameter to the secret delete
method. By default, a secret cannot be deleted if it
contains consumers.

This code cannot be merged without a corresponding release and
bump of version for the barbicanclient.

Co-Authored-By: Mauricio Harley <mharley@redhat.com>
Change-Id: I84fd870b1cd19975a5bb832ed6fd6d18ec56eb5a
2023-02-17 10:00:07 +00:00
Grzegorz Grasza bc6d87b969 Add secret consumers
This change adds the ability to add or remove consumers to a
managed object to allow services to indicate which object is
associated with a specific secret.  At this time, only barbican
supports consumers.

This code cannot be merged without a corresponding release and
bump of version for the barbicanclient.

Co-Authored-By: Mauricio Harley <mharley@redhat.com>
Depends-On: https://review.opendev.org/c/openstack/requirements/+/873906
Change-Id: Ic25ac329f87db5992e32ef0b2d7d4020f37b2dee
2023-02-16 13:45:16 +01:00
LiZekun 86712360f3 remove unicode from code
Change-Id: I086d90b6f46e31582d412b8725e48cba5c21d6bc
2022-01-05 10:44:00 +08:00
Mark Goddard 162039467a barbican key manager: Add support for service user
This change adds support to the Barbican key manager for configuring a
service user. This can be used to provide additional security through
the combination of a user token and a service token, with appropriate
modifications to Barbican API policy.

Use of a service user is enabled via the [barbican]
send_service_user_token option, which defaults to False. When set to
True, the service user is configured via keystoneauth options in the
barbican_service_user group.

Change-Id: I143cb57c8534a8dc0a91e6e42917dd0c134170c0
2021-06-21 12:48:03 +00:00
Takashi Kajinami bfcf4b2f69 Simplify the reference to barbican parameters
... so that we can easily identify the logic which refers to
configuration parameters.

Change-Id: I93427a64b83f474c7c2dd45c8c200e7a3c9bc6f9
2021-02-03 23:31:56 +09:00
Takashi Kajinami 8c48341169 Allow specifying region of barbican endpoint
This change introduces a new option to define the region to which
the Barbican endpoint belongs. This is required if the deployment has
multiple regions and a single Keystone instance stores multiple
Barbican endpoints for different regions.
This change also ensures that the same interface and region are used
in endpoint detection and api version detection.

Change-Id: If2c0055d45922937e259a8f22f5879c9faa41e35
2021-02-03 12:11:09 +00:00
Sam Morrison 4a4544b8ec Don't expect barbican service name to be barbican.
It is standard practice to search for services in the catalog by
service type and interface only. Service name should be left
to deployers to choose and this could be something other than barbican.

Change-Id: I9dddba1e52bbf1ee1d8227fdb45e625fdbf0a21b
2020-12-01 13:54:37 +11:00
Ivan Kolodyazhny e63d813a70 Use 'barbican_endpoint_type'config option to get endpoint from catalog
_get_barbican_endpoint now uses barbican_endpoint_type config option to
retrieve a correct endpoint from catalog.

This config option is set to 'public' by default and it's a default
value for ServiceCatalog.endpoint_data_for method. It means that the
default behaviour will be the same as before this patch.

Change-Id: Idf4061fe3e35e3c47a993a56b23c0257c92e5cc3
2020-07-31 21:48:42 +00:00
ramboman 89f311dfbd add "verify_ssl_path" config for barbican key manager
Now we can't use verify_ssl if we set it to True, so we
add the "verify_ssl_path" config to solve it.

Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
2020-05-06 21:31:27 +08:00
Moisés Guimarães de Medeiros fd01ccc0f5 Moving common objects under KeyManager.
Both Barbican and Vault backends have this replicated code. Let's
centralize it to reduce code duplication.

Change-Id: I365a6d3031695ee369664c00a61816c77792f2e2
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2020-03-09 16:06:55 +01:00
Moisés Guimarães de Medeiros 3ccf918c98 Drop use of six
nit: Certificate inherits from ManagedObject which already has
ABCMeta as metaclass.

Change-Id: I17b12980b88e306fbdc99a3e92b1fa22d8e96471
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2020-03-09 11:14:16 +01:00
Moisés Guimarães de Medeiros 943150ee51 Implements KeyManager's option discovery.
The KeyManager itself should be responsible for advertising the
correct set of options for discovery, not relying on the global
option listing method to know which variable holds the options
and how they are grouped.

Change-Id: I1764c383206df835b7d654f2f776663bd6d4d25b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2020-02-21 16:33:17 +01:00
Eric Harney fcb39e5d9d Fix "is" usage with literals
This throws warnings on Python 3.8.

Change-Id: I82625d6d202b33daaa2e7f02fbfb8dc5ab59079c
2019-11-12 12:07:12 -05:00
Vladislav Kuzmin 5d93676338 Reuse existing token from RequestContext
When castellan tries to recreate a trust-scoped token
from RequestContext, keystone throws an exception
because it's not allowed.
Starting from this commit castellan tries to
reuse the existing token constructed from RequestContext
if get_auth_plugin() is available.

Change-Id: I10a12b9a2a7f796eca37dd20a280d3a4015a6903
Closes-Bug: #1827047
Depends-On: https://review.opendev.org/#/c/664558/
2019-06-13 15:44:44 +04:00
Ellen Batbouta 777b1cce10 Add config option for Barbican endpoint type
This change will allow the user to specify the endpoint
type for Barbican.  The allowed values are: public, internal,
and admin.  The default value will be 'public' since this is
the current value.

Change-Id: Ic89519ed3a9c347a9fff245ec231aa575b42f1ac
Closes-bug: 1767473
2018-05-01 13:58:58 -04:00
Alan Bishop aa0216d66e Include domain info when creating identity token
Include the project domain info (name and ID) when creating an identity
token that's associated with a RequestContext. This ensures the keystone
v3 auth plugin will be used whenever possible. Without the domain info,
the v2 plugin would be the only possible choice.

Closes-Bug: #1733898
Change-Id: I8b177725db71002d8eca835a7d5367d7911cf347
2017-11-22 10:51:48 -05:00
Jenkins 35c2a9912e Merge "Add ID to managed objects" 2017-09-18 13:15:26 +00:00
Kaitlin Farr d8fb4f1794 Add ID to managed objects
The managed objects did not have an ID associated with them. This is most
helpful for the list command, where once you have more than one object,
it's hard to track unique identifiers for the objects.

Change-Id: Ibc48762e7c2c71659fb96826c53301bc6f55ddf7
2017-08-31 21:08:08 +00:00
Kaitlin Farr 233febb0c1 Append a forward slash to the base_url
six.moves.urllib.parse.urljoin strips everything that doesn't end
with a forward slash, so for example, if the barbican URL is
http://ip-address/key-manager, the "key-manager" part will be removed.
If the URL is http://ip-address/key-manager/, everything will be fine.

Change-Id: I1afcd7ae460633e451bc365fdb87f6e30bb3a60b
2017-08-08 18:25:56 -04:00
Kaitlin Farr fafceee8cb Rename barbican client import
Importing the barbican client object as barbican_client and
also using barbican_client as a variable name was confusing.
Changes the import name to prevent confusion.

Change-Id: I886f045eb56683713ab75401b5ec1669ddbb072d
2017-07-28 14:14:46 -04:00
Jenkins dfce4df2f5 Merge "Fix retrieving barbican endpoint from service catalog" 2017-07-28 09:07:40 +00:00
Paul Bourke 17e8b29067 Fix retrieving barbican endpoint from service catalog
The context wrapper classes under castellan.common.credentials were
missing an auth_url property resulting in calls to get_endpoint()
failing with 'Could not determine a suitable URL for the plugin' unless
users set barbican/auth_endpoint.

Change-Id: I1be3a1e11e3f4c2170062927ad359bf679eb25d9
Closes-Bug: #1497993
2017-07-19 09:40:25 +00:00
yushangbin cf5ffc5f0a Replace LOG.warn with LOG.warning
logging.warn is deprecated in Python 3 [1].

[1] https://docs.python.org/3/library/logging.html#logging.warning

Change-Id: Iecf3ba100fb896189c8da0fc69da3f4b86345fb2
2017-07-19 15:21:16 +08:00
Kaitlin Farr 1a13c2b203 Add list capability
Adds ability to list secrets, and adds initial filtering ability. Can
filter by secret_type.

Depends-On: I583f27f91cb3c6bdb23438dff6b539407b4005ed
Depends-On: I99cd72724e11bab362bcaaeb773f33b2abfe815c
Change-Id: I245d5846aa8d3b9586bea6dc4e0b24db86c911c9
2017-07-18 09:46:59 -04:00
bhavani.cr 04874c25cb Remove log translations
Log messages are no longer being translated. This removes all use of the
_LE, _LI, and _LW translation markers to simplify logging and to avoid
confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: I410ac1eaa0a3c9bfa68ec1634e74aae369dde1cf
2017-07-03 07:12:25 +00:00
Kaitlin Farr 64207e3035 Change keystone endpoint
DevStack was changed so that keystone uses uwsgi [1]. This
means we can't call keystone with the port number anymore.

1. https://review.openstack.org/#/c/456344/

Change-Id: I349b689e8030c8c2a7313b9781973952ead29c75
2017-04-19 15:38:50 -04:00
Kaitlin Farr d1d8568d2b Add ability to get only metadata
Adds the ability to retrieve only the metadata of a secret. This is
helpful in situations when the caller wants to know information about
the secret, but doesn't want to unnecessarily handle the secret data.

Change-Id: I63aec037973aad2555190ca3eb6bba765955399a
2017-02-06 12:35:14 -05:00
Kaitlin Farr f96ba10252 Remove outdated comment
The get operation supports all object types, not just symmetric keys.

Change-Id: I0fe566df3235874aac57b45f9421da72c52b74d8
2017-01-31 02:10:36 +00:00
Jenkins 53ff248f4b Merge "Add option for verifying TLS (https) requests" 2017-01-21 23:29:29 +00:00
Kaitlin Farr a6b25bb136 Add option for verifying TLS (https) requests
This new option should be used with caution, but is useful
for development environments where the certificates can't
be verified yet.

Closes-Bug: #1516793

Change-Id: I2e5433fda8dec02556a6715b8182201daf8fe9bb
2017-01-08 21:14:03 -05:00
Juan Antonio Osorio Robles 555fba7dee Use generic keystoneauth plugin identity interfaces
This allows us to use versionless endpoints for keystone in the
configuration files and furthermore, we won't depend on a specific
keystone version, as is the case today.

Change-Id: I124c0ea2d9403d6b530b33f18896c4e7bf4eabb5
Depends-On: I35f1c9dcd20017b9c442b04c142e46cad4d15eb4
2016-12-02 06:14:16 +00:00
Steve Martinelli fccb2fef4b remove obsolete oslo incubator code
as part of the openstack wide community goals, oslo
incubator code should be removed from all projects [1]

[1] https://governance.openstack.org/goals/ocata/remove-incubated-oslo-code.html

Change-Id: Ifa3564df125ed002dc1710d7a7c0e9346c34c9f1
2016-11-01 14:16:50 +00:00
Jiong Liu bf50f8ce67 Use international logging message
Change-Id: I09be95a4a2fee0d7448295d58df892bcc48141a6
2016-09-23 15:37:50 +00:00
Jamie Lennox 712e85763b Use keystoneauth1 instead of keystoneclient
The keystoneclient session has been deprecated in favour of
keystoneauth1. To make this cleaner a few unnecessary usages of
keystoneclient are cleaned up.

Change-Id: I8bfcff53165a18f94c600797dd8105d64d948e7a
2016-06-01 22:20:58 +10:00
Fernando Diaz 01f6801c0d Allow Barbican Key Manager to accept different auth credentials
This patch alters the barbican key manager to be able to use
Token, Password, and OSLO Credentials. It is the third of
several patches which will implement the
"Allow different Keystone Auth Support in Castellan" blueprint.

Other patches will add:
1.) documentation on usage

Needs Functional Tests
Change-Id: Ib3bb9d4e167f0b85bcf7a9053743239c9e6e6dae
Implements: blueprint remove-keystone-dependency
2016-03-01 14:52:09 +00:00
Jenkins 3ff964d200 Merge "Add logic to error out of key creation if order errors out" 2016-02-05 12:49:47 +00:00
Jenkins b535a10532 Merge "Add created property to Managed Objects" 2016-02-05 12:38:06 +00:00
Fernando 31d467a35e Add created property to Managed Objects
Adds the property 'created' to managed objects in Castellan.
The property is None until the secret has been stored.

Change-Id: I83e79cd3dbc07b90f4526a36aaf4ee76e902e228
2016-02-02 17:16:37 +00:00
Kaitlin Farr 18fdab8ef5 Add logic to error out of key creation if order errors out
The Barbican back end contains a timeout loop during key creation
to return the key's UUID only if the Barbican order status is ACTIVE.
This loop waits for ACTIVE status, but it should also exit the loop if
an ERROR status is found.

Change-Id: I8282f3929dcdf68b438285eb0dde884b36ec6c3b
2016-01-13 10:56:25 -06:00
Dave McCowan 43efbf1d5f Move line of code to ensure context and client stay in sync
If the barbican_client.Client() throws an exception, then
self._current_context will not match self._barbican_client.
This fix moves a line of code down to ensure they will match.

Change-Id: I4e6291d98d9b2d37b3d5063b9b20fbb093d254d4
Closes-bug: #1523646
2015-12-09 10:40:43 -05:00
Jenkins c347f4d4b2 Merge "Add name to Castellan Objects and Barbican Key Manager" 2015-10-05 16:53:01 +00:00
Fernando Diaz 9e0b3c9588 Add name to Castellan Objects and Barbican Key Manager
Allows for Castellan Objects to be created with a unique name
using the Barbican Key Manager.

Change-Id: If4b00bbf1d94e084d69dc38d5065d92b2e66fd07
2015-10-02 15:30:12 -05:00
Kaitlin Farr 14db1346e7 Add ManagedObjectNotFoundError
Adding this new error type will allow Castellan to distinguish between
whether an error occurred because the object could not be found or some other sort
of error with communicating with Barbican.

Change-Id: Ie8fc3cf457009522349285c750adeeedd75e9a60
2015-09-21 13:16:40 -04:00
Kaitlin Farr 0be6648f6f Standardize Barbican error messages
Wrap Barbican's errors with a KeyManagerError instead of reraising the
Barbican exception.

Change-Id: Ib49bad7336534df75ef8165c7229c656fae04dd8
2015-09-14 12:08:10 -04:00
Kaitlin Farr 73e9601095 Update Barbican wrapper
Changes to Barbican key manager to support all managed objects and
API changes.

Updates to the functional tests will follow in another patch in the
interest of shorter code reviews.

Change-Id: I2af3e7c2f16f31dcd2b4484a6537d3114bc4b3bb
2015-08-31 15:30:52 -04:00
Joel Coffman 4088221f28 Remove copy_key operation
This change removes the copy_key operation from the key manager. The
copy_key operation isn't ideal because few key managers support such
an operation natively. Lack of native support requires the key to be
retrieved and stored in separate steps, which increases the handling
of the key material.

It would be relatively trivial to add this operation back to the
key manager interface at a future point. Once Castellan becomes
widely used by other projects, removing this operation will not be
possible, as it would be a backward-incompatible change.

Change-Id: I1a1dfdb4d4268319f9277fc639027819e70d4a8b
2015-08-12 16:50:27 -04:00
Michael McCune d768fbc97d refactoring castellan configuration
This change adds a module for listing configuration options and setting
their defaults. It also changes the key manager base class to
incorporate a configuration during creation. By default, the key manager
will continue to use the global CONF object from the oslo.config
package.

For the most part, this change will be backwards compatible. The one
exception is the creation of sample configuration files. Previously,
importing castellan was sufficient to add these options to the global
configuration object. Now, these options will need to be applied by
using the castellan.options.list_opts function, or adding them through
other means, to create sample configuration files. Similar applies for
setting configuration before instantiating a key manager.

changes
* adding castellan.options with list_opts and set_defaults functions
* changing KeyManager abc to include a configuration option to __init__
* changing barbican and not_implemented key managers to accept
  configuration parameters
* adding tests for set_defaults function
* fixing barbican tests to accommodate new configuration parameter
* adding documentation about configuration usage
* adding castellan configs to oslo entry point in setup.cfg
* adding a genconfig target to tox for producing a sample castellan
  configuration file
* adding the sample configuration file to the git ignore
* renaming barbican option api_version to barbican_api_version

Change-Id: I86d6d7d49a893beaae6f311060ec593e0482d889
Implements: blueprint improved-configuration-options
2015-08-12 12:03:36 -04:00
Kaitlin Farr 3d031cb5af Update the key manager API
Includes changes to the base API class to support managed objects
and creation of asymmetric key pairs. The current implementations
of the key manager only support symmetric keys for retrieval, and raise
NotImplementedErrors for generation of asymmetric key pairs. Full
functionality coming in later commits.

Change-Id: I69e0c22729413e95808f9419df59017011f14d99
2015-08-10 17:30:26 -04:00
Kaitlin Farr 39e139f88e Add managed objects hierarchy
Castellan will support multiple objects, not just symmetric keys. The bytes of
the managed object are returned as bytestrings.

Change-Id: If75ff5d458604a8210980a4f50d1e4fc27d2b037
2015-08-07 15:27:18 -04:00
Kaitlin Farr 4a0d606f74 Add Barbican key manager
Adds the first usable key manager plugin to Castellan. While there is an
implementation of a mock key manager in the test directories, it is used
only for testing.

This code is based on the barbican key manager code in Nova written by
Brianna Poulos. See: https://review.openstack.org/#/c/104001/

The Barbican API version info will be read from a config option until
the Barbican Version API is fixed.  See fix-version-api blueprint.

Implements: blueprint add-barbican-key-manager
Co-authored-by: Brianna Poulos <brianna.poulos@jhuapl.edu>
Change-Id: Ia27cd831f42c6b027778240b3396b1c4149dc689
2015-07-05 20:08:49 -04:00