Commit Graph

105 Commits

Author SHA1 Message Date
melanie witt 4925356be6 Raise ManagedObjectNotFoundError in MockKeyManager
Currently the MockKeyManager raises KeyError when a key is not found
for a get() or delete(), but a real key manager raises
ManagedObjectNotFoundError in the case of not found [1][2].

This updates the MockKeyManager to raise the same exception as a real
key manager so that projects using it in tests will be able to test
their handling of "not found" scenarios properly.

[1] a662b30764/castellan/key_manager/barbican_key_manager.py (L617)
[2] a662b30764/castellan/key_manager/barbican_key_manager.py (L644)

Change-Id: I3184a229f6690854dda1edc12e74bb483b47a057
2024-02-26 08:34:28 +00:00
Takashi Kajinami 291ad9c778 Bump hacking
hacking 3.0.x is too old.

Change-Id: Ic6d33295b33cff8a68fbb8181973480bc17e7711
2024-02-02 01:50:46 +09:00
Mauricio Harley 7de4f89f02 Add force parameter functional tests
Change-Id: I37036867297ae5e6f95191154c71d25ac9eda796
2023-02-17 13:26:27 +01:00
Mauricio Harley e65ac5e439 Add secret consumers functional tests
This adds secret consumers functional tests
to use with Barbican.

Change-Id: I23e71e534d94e753c3e94154f39ec04219ab0fa6
2023-02-17 11:11:26 +01:00
Grzegorz Grasza 96027e9cff Implement force parameter
This change adds the force parameter to the secret delete
method. By default, a secret cannot be deleted if it
contains consumers.

This code cannot be merged without a corresponding release and
bump of version for the barbicanclient.

Co-Authored-By: Mauricio Harley <mharley@redhat.com>
Change-Id: I84fd870b1cd19975a5bb832ed6fd6d18ec56eb5a
2023-02-17 10:00:07 +00:00
Grzegorz Grasza bc6d87b969 Add secret consumers
This change adds the ability to add or remove consumers to a
managed object to allow services to indicate which object is
associated with a specific secret.  At this time, only barbican
supports consumers.

This code cannot be merged without a corresponding release and
bump of version for the barbicanclient.

Co-Authored-By: Mauricio Harley <mharley@redhat.com>
Depends-On: https://review.opendev.org/c/openstack/requirements/+/873906
Change-Id: Ic25ac329f87db5992e32ef0b2d7d4020f37b2dee
2023-02-16 13:45:16 +01:00
Grzegorz Grasza fe10397ac0 Initial change to add secret consumers
This adds consumers to the objects. Unit tests are
also covered.

Co-Authored-By: Ade Lee <alee@redhat.com>
Co-Authored-By: Mauricio Harley <mharley@redhat.com>
Change-Id: I598209e30d8f0e4515292b1f8c9a89aa952bac4e
2023-01-27 13:11:05 +01:00
Ade Lee 316db6cb53 Make tests more consistent
Tests periodically fail right now because the cleanup which is
running in a different thread sometimes removes the managed objects
before we have completed testing with them.  The change to use
concurrency=1 will slow down the tests, but also make them more
consistent.

Also, when things are not cleaned up, you can get false positive
results if multiple objects contain the same content.  This will
fix this problem by making the contents unique.

Change-Id: Ic2b9e6afe9371dbe135e90fa6df36a8e91921556
2022-09-21 16:27:54 +02:00
Joel Capitao a160e5c8dc Replace the deprecated argument tenant
The deprecated argument tenant from RequestContext
has been removed since [1], so we switch to 'project_id'.

[1] https://review.opendev.org/c/openstack/oslo.context/+/815938

Change-Id: I4e3e4c50ba5d829ed739e278b5286f2bf4808870
2022-03-15 08:36:02 +01:00
LiZekun 86712360f3 remove unicode from code
Change-Id: I086d90b6f46e31582d412b8725e48cba5c21d6bc
2022-01-05 10:44:00 +08:00
Pavlo Shchelokovskyy ecf625b65c Add support for Vault Namespaces
Vault Namespaces [0] is a feature available in Vault Enterprise that
can be considered as a more advanced isolation feature on top of current
KV Mountpoint option in Castellan Vault plugin.

Passing a namespace in all request headers (including Auth) allows organizing
Vault-in-Vault style isolation, with clients using the same simple URI path
but accessing separate sets of entities in Vault.

[0] https://www.vaultproject.io/docs/enterprise/namespaces

Change-Id: I627c20002bb2a0a1b346b57e824f87f856eca4c9
2021-10-07 12:12:51 +00:00
Mark Goddard 162039467a barbican key manager: Add support for service user
This change adds support to the Barbican key manager for configuring a
service user. This can be used to provide additional security through
the combination of a user token and a service token, with appropriate
modifications to Barbican API policy.

Use of a service user is enabled via the [barbican]
send_service_user_token option, which defaults to False. When set to
True, the service user is configured via keystoneauth options in the
barbican_service_user group.

Change-Id: I143cb57c8534a8dc0a91e6e42917dd0c134170c0
2021-06-21 12:48:03 +00:00
Zuul 984ebb2bf8 Merge "Allow specifying region of barbican endpoint" 2021-03-30 17:21:40 +00:00
Takashi Kajinami 8c48341169 Allow specifying region of barbican endpoint
This change introduces a new option to define the region to which
the Barbican endpoint belongs. This is required if the deployment has
multiple regions and a single Keystone instance stores multiple
Barbican endpoints for different regions.
This change also ensures that the same interface and region are used
in endpoint detection and api version detection.

Change-Id: If2c0055d45922937e259a8f22f5879c9faa41e35
2021-02-03 12:11:09 +00:00
Mark Goddard 35f1a20d51 Fix assertion typo in barbican key manager unit test
Change-Id: Ibd761519cb6ef2ee27aebe2b02c80c8c5c0b7ca4
2021-01-21 17:45:43 +00:00
Moisés Guimarães de Medeiros 883e9603fa Add to_dict and from_dict conversions to managed objects
This patch centralizes the managed objects conversion in order to be
used across multiple key_manager backends.

Change-Id: Ia2e15d46eb2e504b815a7f51173aecaf82978402
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2020-07-13 13:44:22 +02:00
Zuul 9a9bf2e48c Merge "Use unittest.mock instead of third party mock" 2020-05-25 14:23:04 +00:00
ramboman 89f311dfbd add "verify_ssl_path" config for barbican key manager
Now we can't use verify_ssl if we set it to True, so we
add the "verify_ssl_path" config to solve it.

Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
2020-05-06 21:31:27 +08:00
Sean McGinnis 27cf110749 Use unittest.mock instead of third party mock
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.

Change-Id: Ib3028d55552ef51d93aaf38653bca888166e6d27
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2020-04-18 11:52:10 -05:00
Zuul 2ae27479f8 Merge "Update hacking for Python3" 2020-04-14 13:21:01 +00:00
Andreas Jaeger a1718bb95a Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Fix problems found by updated hacking version.

Change-Id: I4f24c0fa5178f15912db899fcf26ca11480eab21
2020-03-31 13:08:37 +00:00
Moisés Guimarães de Medeiros 8e88919f02 Removes context "validation".
The Vault backend doesn't really care about context. Even an empty
string would suffice these checks.

Change-Id: I1c0d00675a479cf05d92cec7b69fd720a88023d3
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2020-03-09 16:06:55 +01:00
Moisés Guimarães de Medeiros 3ccf918c98 Drop use of six
nit: Certificate inherits from ManagedObject which already has
ABCMeta as metaclass.

Change-Id: I17b12980b88e306fbdc99a3e92b1fa22d8e96471
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2020-03-09 11:14:16 +01:00
Moisés Guimarães de Medeiros 943150ee51 Implements KeyManager's option discovery.
The KeyManager itself should be responsible for advertising the
correct set of options for discovery, not relying on the global
option listing method to know which variable holds the options
and how they are grouped.

Change-Id: I1764c383206df835b7d654f2f776663bd6d4d25b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2020-02-21 16:33:17 +01:00
Vladislav Kuzmin 5d93676338 Reuse existing token from RequestContext
When castellan tries to recreate a trust-scoped token
from RequestContext, keystone throws an exception
because it's not allowed.
Starting from this commit, castellan tries to
reuse the existing token constructed from RequestContext
if get_auth_plugin() is available.

Change-Id: I10a12b9a2a7f796eca37dd20a280d3a4015a6903
Closes-Bug: #1827047
Depends-On: https://review.opendev.org/#/c/664558/
2019-06-13 15:44:44 +04:00
Zuul 62a078c261 Merge "vault: support configuration of KV mountpoint" 2019-01-24 12:07:05 +00:00
Zuul 3b2d2e3b13 Merge "vault: add AppRole support" 2019-01-23 22:16:17 +00:00
Moises Guimaraes de Medeiros 6e03a68c14 Add Castellan Oslo Config Driver.
This driver is an oslo.config backend driver implemented with
Castellan. It extends oslo.config's capabilities by enabling it
to retrieve configuration values from a secret manager behind
Castellan.

Change-Id: Id7cf99bea5788e0a6309461a75eaa8d08d29641b
Signed-off-by: Moises Guimaraes de Medeiros <moguimar@redhat.com>
2019-01-09 23:17:17 +01:00
James Page afb539f748 vault: support configuration of KV mountpoint
Support end user configuration of KV store in Vault to use for
key storage allowing more flexibility in Vault configuration.

Change-Id: I625a819c2b9b542677258de709a9c520fb86858b
Closes-Bug: 1797148
2018-10-12 10:05:50 +01:00
James Page bc7f7a4c36 vault: add AppRole support
Add support for use of AppRoles for authentication to Vault; this
feature provides a more application centric approach to managing
long term access to Vault.

The functional tests exercise this integration with a restricted
policy which only allows access to the default 'secret' backend.

Change-Id: I59dfe31adb72712c53d49f66d9ac894e43e8bbad
Closes-Bug: 1796851
2018-10-12 10:03:21 +01:00
Ade Lee 55026461d2 Add code to generate private keys
Change-Id: I05d0cb71406769ebf8ccbd63644ae27a4da6d405
2018-07-04 13:31:32 -04:00
Ellen Batbouta 777b1cce10 Add config option for Barbican endpoint type
This change will allow the user to specify the endpoint
type for Barbican.  The allowed values are: public, internal,
and admin.  The default value will be 'public' since this is
the current value.

Change-Id: Ic89519ed3a9c347a9fff245ec231aa575b42f1ac
Closes-bug: 1767473
2018-05-01 13:58:58 -04:00
Zuul d3446f51b0 Merge "Support handling legacy all-zeros key ID" 2017-11-28 03:31:10 +00:00
Alan Bishop fc0fc79eb6 Support handling legacy all-zeros key ID
This patch addresses a specific use case, where a user has encrypted
volumes based on the fixed_key used by Cinder's and Nova's
ConfKeyManager. The user wishes to switch to Barbican, but existing
volumes must continue to function during the migration period.

The code conditionally adds a shim around the backend KeyManager when
both of these conditions are met:

1) The configuration contains a fixed_key value. This essentially
   signals the ConfKeyManager has been in use at one time
2) The current backend is *not* the ConfKeyManager

When the shim is active, a MigrationKeyManager class is dynamically
created that extends the backend's KeyManager class. The
MigrationKeyManager exists solely to override two functions:

o The KeyManager.get() function detects requests for the secret
  associated with the fixed_key, which is identified by an all-zeros
  key ID.

  - Requests for the all-zeros key ID are handled by mimicking the
    ConfKeyManager's response, which is a secret derived from the
    fixed_key.
  - Requests for any other key ID are passed on to the real backend.

o The KeyManager.delete() function is similar:

  - Requests to delete the all-zeros key ID are essentially ignored,
    just as is done by the ConfKeyManager.
  - Requests to delete any other key ID are passed on to the real
    backend.

All other KeyManager functions are not overridden, and will therefore be
handled directly by the real backend.

SecurityImpact
Change-Id: Ia5316490201c33e23a4206838d5a4fb3dd00f527
2017-11-21 09:23:09 -05:00
Davanum Srinivas a972da32a9 Vault based key manager
* Uses https://www.vaultproject.io/ to store/fetch secrets
* All we need is the URL and a Token to talk to the vault server
* tox target "functional-vault" sets up a server in development mode
  and runs functional tests
* Supports both http:// and https:// url(s)
* the https support was tested by setting up a vault server by hand
  (https://gist.github.com/dims/47674cf2c3b0a953df69246c2ea1ff78)
* create_key_pair is the only API that is not implemented

Change-Id: I6436e5841c8e77a7262b4d5aa39201b40a985255
2017-11-13 20:56:34 -05:00
Dai Dang Van 6d15c1156f Use generic user for both zuul v2 and v3
Zuul v2 uses 'jenkins' as user, but Zuul v3 uses 'zuul'.
Using $USER solves it for both cases.

Change-Id: Ifb7fb3c7028054e773c0f5a0e8c29807b5d187d3
2017-11-02 07:19:52 +00:00
Kaitlin Farr b13187b34d Remove genconfig from functional tests
Try to run the tests without generating the config file.

Change-Id: I72ff88e86ba9c02c3fde2f500f4881c8e9935d11
2017-10-16 16:24:46 -04:00
Jenkins 35c2a9912e Merge "Add ID to managed objects" 2017-09-18 13:15:26 +00:00
Kaitlin Farr d8fb4f1794 Add ID to managed objects
The managed objects did not have an ID associated with them. This is most
helpful for the list command, where once you have more than one object,
it's hard to track unique identifiers for the objects.

Change-Id: Ibc48762e7c2c71659fb96826c53301bc6f55ddf7
2017-08-31 21:08:08 +00:00
Kaitlin Farr 233febb0c1 Append a forward slash to the base_url
six.moves.urllib.parse.urljoin strips everything that doesn't end
with a forward slash, so for example, if the barbican URL is
http://ip-address/key-manager, the "key-manager" part will be removed.
If the URL is http://ip-address/key-manager/, everything will be fine.

Change-Id: I1afcd7ae460633e451bc365fdb87f6e30bb3a60b
2017-08-08 18:25:56 -04:00
Davanum Srinivas 8980bf7da5 Use Stevedore for better extensions
Since all Oslo library drivers are discoverable via
stevedore, we should use stevedore in Castellan as well.
This will make it easier for folks to write their own
custom drivers. Stevedore uses setuptools entry points
for implementing the common patterns for dynamically
loading extensions.

We add [key_manager]/backend as the new option to set
the custom driver. For a while, we should support the
older values that used to be specified using
[key_manager]/apiclass.

Change-Id: I2610459839806a5591da1efa314dfa52bcfb7cda
2017-08-01 09:01:35 -04:00
Jenkins dfce4df2f5 Merge "Fix retrieving barbican endpoint from service catalog" 2017-07-28 09:07:40 +00:00
Paul Bourke 17e8b29067 Fix retrieving barbican endpoint from service catalog
The context wrapper classes under castellan.common.credentials were
missing an auth_url property resulting in calls to get_endpoint()
failing with 'Could not determine a suitable URL for the plugin' unless
users set barbican/auth_endpoint.

Change-Id: I1be3a1e11e3f4c2170062927ad359bf679eb25d9
Closes-Bug: #1497993
2017-07-19 09:40:25 +00:00
Kaitlin Farr 1a13c2b203 Add list capability
Adds ability to list secrets, and adds initial filtering ability. Can
filter by secret_type.

Depends-On: I583f27f91cb3c6bdb23438dff6b539407b4005ed
Depends-On: I99cd72724e11bab362bcaaeb773f33b2abfe815c
Change-Id: I245d5846aa8d3b9586bea6dc4e0b24db86c911c9
2017-07-18 09:46:59 -04:00
Kiran_totad 34373ca719 Replaces uuid.uuid4 with uuidutils.generate_uuid()
Change-Id: I8ca34402bb5e8944062f2cb27cb840f0a2479dd2
2017-06-27 09:04:54 +00:00
Jeremy Liu 310fc84652 Correct config path in functional test
We provide two ways to load castellan-functional.conf, but specify a wrong path
in the repo; this patch fixes that. It also clarifies the description in the doc.

Change-Id: Id05b11e70a0ed46fcdd922a5f22f86df87b930ae
2017-06-05 15:18:41 +08:00
Jenkins 922f75f1de Merge "Replacing six.iteritems() with .items()" 2017-05-19 02:21:31 +00:00
Kaitlin Farr 30427808a3 MockKeyManager should return a copy of the object instead of actual object
If someone called MockKeyManager.get(context, key_uuid, metadata_only=True),
it would wipe out the key data.

Change-Id: I371eb6e8753725e07558b79e978bad01c65d180c
2017-05-17 14:58:44 -04:00
rajat29 067c76509f Replacing six.iteritems() with .items()
We should avoid using six.iteritems to achieve
iterators. We can use dict.items instead, as it will return iterators
in PY3 as well. And dict.items/keys will be more readable.
For more information, please refer to [1][2].

[1] https://wiki.openstack.org/wiki/Python3#Common_patterns
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html

Change-Id: Ib1a5c6c4770d052d3e1c87eda037126442cb732c
2017-05-17 09:00:58 +00:00
Kaitlin Farr 64207e3035 Change keystone endpoint
DevStack was changed so that keystone uses uwsgi [1]. This
means we can't call keystone with the port number anymore.

1. https://review.openstack.org/#/c/456344/

Change-Id: I349b689e8030c8c2a7313b9781973952ead29c75
2017-04-19 15:38:50 -04:00