Prohibit certificate order resource
It was announced that this resource will be removed in Pike release. Multiple cycles have passed since then, so we may be really ready to remove it. Note that this is the first step and removes only API layer logic. Further logic removal will be done in the subsequent change. Change-Id: Ib0eb3b11815b40237d42735097076b7c89cf9516
This commit is contained in:
parent
2316790cda
commit
901cf2cc39
@ -26,9 +26,6 @@ from barbican.queue import client as async_client
|
|||||||
|
|
||||||
LOG = utils.getLogger(__name__)
|
LOG = utils.getLogger(__name__)
|
||||||
|
|
||||||
_DEPRECATION_MSG = '%s has been deprecated in the Newton release. ' \
|
|
||||||
'It will be removed in the Pike release.'
|
|
||||||
|
|
||||||
|
|
||||||
def _order_not_found():
|
def _order_not_found():
|
||||||
"""Throw exception indicating order not found."""
|
"""Throw exception indicating order not found."""
|
||||||
|
@ -20,7 +20,6 @@ import re
|
|||||||
import jsonschema as schema
|
import jsonschema as schema
|
||||||
from ldap3.core import exceptions as ldap_exceptions
|
from ldap3.core import exceptions as ldap_exceptions
|
||||||
from ldap3.utils.dn import parse_dn
|
from ldap3.utils.dn import parse_dn
|
||||||
from OpenSSL import crypto
|
|
||||||
from oslo_utils import timeutils
|
from oslo_utils import timeutils
|
||||||
|
|
||||||
from barbican.api import controllers
|
from barbican.api import controllers
|
||||||
@ -449,7 +448,7 @@ class TypeOrderValidator(ValidatorBase, CACommonHelpersMixin):
|
|||||||
"type": {
|
"type": {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"required": True,
|
"required": True,
|
||||||
"enum": ['key', 'asymmetric', 'certificate']
|
"enum": ['key', 'asymmetric']
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -461,11 +460,7 @@ class TypeOrderValidator(ValidatorBase, CACommonHelpersMixin):
|
|||||||
|
|
||||||
order_type = json_data.get('type').lower()
|
order_type = json_data.get('type').lower()
|
||||||
|
|
||||||
if order_type == models.OrderType.CERTIFICATE:
|
if order_type == models.OrderType.ASYMMETRIC:
|
||||||
certificate_meta = json_data.get('meta')
|
|
||||||
self._validate_certificate_meta(certificate_meta, schema_name)
|
|
||||||
|
|
||||||
elif order_type == models.OrderType.ASYMMETRIC:
|
|
||||||
asymmetric_meta = json_data.get('meta')
|
asymmetric_meta = json_data.get('meta')
|
||||||
self._validate_asymmetric_meta(asymmetric_meta, schema_name)
|
self._validate_asymmetric_meta(asymmetric_meta, schema_name)
|
||||||
|
|
||||||
@ -515,122 +510,6 @@ class TypeOrderValidator(ValidatorBase, CACommonHelpersMixin):
|
|||||||
raise exception.MissingMetadataField(required=key)
|
raise exception.MissingMetadataField(required=key)
|
||||||
return data
|
return data
|
||||||
|
|
||||||
def _validate_certificate_meta(self, certificate_meta, schema_name):
|
|
||||||
"""Validation specific to meta for certificate type order."""
|
|
||||||
|
|
||||||
self._assert_validity(certificate_meta.get('payload') is None,
|
|
||||||
schema_name,
|
|
||||||
u._("'payload' not allowed "
|
|
||||||
"for certificate type order"), "meta")
|
|
||||||
|
|
||||||
if 'profile' in certificate_meta:
|
|
||||||
if 'ca_id' not in certificate_meta:
|
|
||||||
raise exception.MissingMetadataField(required='ca_id')
|
|
||||||
|
|
||||||
jump_table = {
|
|
||||||
'simple-cmc': self._validate_simple_cmc_request,
|
|
||||||
'full-cmc': self._validate_full_cmc_request,
|
|
||||||
'stored-key': self._validate_stored_key_request,
|
|
||||||
'custom': self._validate_custom_request
|
|
||||||
}
|
|
||||||
|
|
||||||
request_type = certificate_meta.get("request_type", "custom")
|
|
||||||
if request_type not in jump_table:
|
|
||||||
raise exception.InvalidCertificateRequestType(request_type)
|
|
||||||
|
|
||||||
jump_table[request_type](certificate_meta)
|
|
||||||
|
|
||||||
def _validate_simple_cmc_request(self, certificate_meta):
|
|
||||||
"""Validates simple CMC (which are PKCS10 requests)."""
|
|
||||||
request_data = self._get_required_metadata_value(
|
|
||||||
certificate_meta, "request_data")
|
|
||||||
self._validate_pkcs10_data(request_data)
|
|
||||||
|
|
||||||
def _validate_full_cmc_request(self, certificate_meta):
|
|
||||||
"""Validate full CMC request.
|
|
||||||
|
|
||||||
:param certificate_meta: request data from the order
|
|
||||||
:raises: FullCMCNotSupported
|
|
||||||
"""
|
|
||||||
raise exception.FullCMCNotSupported()
|
|
||||||
|
|
||||||
def _validate_stored_key_request(self, certificate_meta):
|
|
||||||
"""Validate stored-key cert request."""
|
|
||||||
self._get_required_metadata_value(
|
|
||||||
certificate_meta, "container_ref")
|
|
||||||
subject_dn = self._get_required_metadata_value(
|
|
||||||
certificate_meta, "subject_dn")
|
|
||||||
self._validate_subject_dn_data(subject_dn)
|
|
||||||
# container will be validated by validate_stored_key_rsa_container()
|
|
||||||
|
|
||||||
extensions = certificate_meta.get("extensions", None)
|
|
||||||
if extensions:
|
|
||||||
self._validate_extensions_data(extensions)
|
|
||||||
|
|
||||||
def _validate_custom_request(self, certificate_meta):
|
|
||||||
"""Validate custom data request
|
|
||||||
|
|
||||||
We cannot do any validation here because the request
|
|
||||||
parameters are custom. Validation will be done by the
|
|
||||||
plugin. We may choose to select the relevant plugin and
|
|
||||||
call the supports() method to raise validation errors.
|
|
||||||
"""
|
|
||||||
pass
|
|
||||||
|
|
||||||
def _validate_pkcs10_data(self, request_data):
|
|
||||||
"""Confirm that the request_data is valid base64 encoded PKCS#10.
|
|
||||||
|
|
||||||
Base64 decode the request, if it fails raise PayloadDecodingError.
|
|
||||||
Then parse data into the ASN.1 structure defined by PKCS10 and
|
|
||||||
verify the signing information.
|
|
||||||
If parsing of verifying fails, raise InvalidPKCS10Data.
|
|
||||||
"""
|
|
||||||
try:
|
|
||||||
csr_pem = base64.b64decode(request_data)
|
|
||||||
except Exception:
|
|
||||||
raise exception.PayloadDecodingError()
|
|
||||||
|
|
||||||
try:
|
|
||||||
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM,
|
|
||||||
csr_pem)
|
|
||||||
except Exception:
|
|
||||||
reason = u._("Bad format")
|
|
||||||
raise exception.InvalidPKCS10Data(reason=reason)
|
|
||||||
|
|
||||||
try:
|
|
||||||
pubkey = csr.get_pubkey()
|
|
||||||
csr.verify(pubkey)
|
|
||||||
except Exception:
|
|
||||||
reason = u._("Signing key incorrect")
|
|
||||||
raise exception.InvalidPKCS10Data(reason=reason)
|
|
||||||
|
|
||||||
def _validate_full_cmc_data(self, request_data):
|
|
||||||
"""Confirm that request_data is valid Full CMC data."""
|
|
||||||
"""
|
|
||||||
TODO(alee-3) complete this function
|
|
||||||
|
|
||||||
Parse data into the ASN.1 structure defined for full CMC.
|
|
||||||
If parsing fails, raise InvalidCMCData
|
|
||||||
"""
|
|
||||||
pass
|
|
||||||
|
|
||||||
def _validate_extensions_data(self, extensions):
|
|
||||||
"""Confirm that the extensions data is valid.
|
|
||||||
|
|
||||||
:param extensions: base 64 encoded ASN.1 string of extension data
|
|
||||||
:raises: CertificateExtensionsNotSupported
|
|
||||||
"""
|
|
||||||
"""
|
|
||||||
TODO(alee-3) complete this function
|
|
||||||
|
|
||||||
Parse the extensions data into the correct ASN.1 structure.
|
|
||||||
If the parsing fails, throw InvalidExtensionsData.
|
|
||||||
|
|
||||||
For now, fail this validation because extensions parsing is not
|
|
||||||
supported.
|
|
||||||
"""
|
|
||||||
raise exception.CertificateExtensionsNotSupported()
|
|
||||||
|
|
||||||
def _validate_meta_parameters(self, meta, order_type, schema_name):
|
def _validate_meta_parameters(self, meta, order_type, schema_name):
|
||||||
self._assert_validity(meta.get('algorithm'),
|
self._assert_validity(meta.get('algorithm'),
|
||||||
schema_name,
|
schema_name,
|
||||||
|
@ -17,11 +17,9 @@ import datetime
|
|||||||
import unittest
|
import unittest
|
||||||
|
|
||||||
from oslo_serialization import base64
|
from oslo_serialization import base64
|
||||||
import testtools
|
|
||||||
|
|
||||||
from barbican.common import exception as excep
|
from barbican.common import exception as excep
|
||||||
from barbican.common import validators
|
from barbican.common import validators
|
||||||
from barbican.tests import certificate_utils as certs
|
|
||||||
from barbican.tests import keys
|
from barbican.tests import keys
|
||||||
from barbican.tests import utils
|
from barbican.tests import utils
|
||||||
|
|
||||||
@ -1191,11 +1189,6 @@ class WhenTestingKeyTypeOrderValidator(utils.BaseTestCase):
|
|||||||
|
|
||||||
self.validator = validators.TypeOrderValidator()
|
self.validator = validators.TypeOrderValidator()
|
||||||
|
|
||||||
def test_should_pass_with_certificate_type_in_order_refs(self):
|
|
||||||
self.key_order_req['type'] = 'certificate'
|
|
||||||
result = self.validator.validate(self.key_order_req)
|
|
||||||
self.assertEqual('certificate', result['type'])
|
|
||||||
|
|
||||||
def test_should_pass_with_null_content_type_in_meta(self):
|
def test_should_pass_with_null_content_type_in_meta(self):
|
||||||
self.key_order_req['meta']['payload_content_type'] = None
|
self.key_order_req['meta']['payload_content_type'] = None
|
||||||
result = self.validator.validate(self.key_order_req)
|
result = self.validator.validate(self.key_order_req)
|
||||||
@ -1365,238 +1358,6 @@ class WhenTestingAsymmetricTypeOrderValidator(utils.BaseTestCase):
|
|||||||
self.assertEqual("bit_length", exception.invalid_property)
|
self.assertEqual("bit_length", exception.invalid_property)
|
||||||
|
|
||||||
|
|
||||||
class WhenTestingSimpleCMCOrderValidator(utils.BaseTestCase):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(WhenTestingSimpleCMCOrderValidator, self).setUp()
|
|
||||||
self.type = 'certificate'
|
|
||||||
request_data = base64.encode_as_text(certs.create_good_csr())
|
|
||||||
self.meta = {'request_type': 'simple-cmc',
|
|
||||||
'request_data': request_data,
|
|
||||||
'requestor_name': 'Barbican User',
|
|
||||||
'requestor_email': 'barbican_user@example.com',
|
|
||||||
'requestor_phone': '555-1212'}
|
|
||||||
self._set_order()
|
|
||||||
self.validator = validators.TypeOrderValidator()
|
|
||||||
|
|
||||||
def _set_order(self):
|
|
||||||
self.order_req = {'type': self.type,
|
|
||||||
'meta': self.meta}
|
|
||||||
|
|
||||||
def test_should_pass_good_data(self):
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_no_metadata(self):
|
|
||||||
self.order_req = {'type': self.type}
|
|
||||||
self.assertRaises(excep.InvalidObject,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_bad_request_type(self):
|
|
||||||
self.meta['request_type'] = 'bad_request_type'
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.InvalidCertificateRequestType,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_no_request_data(self):
|
|
||||||
del self.meta['request_data']
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.MissingMetadataField,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_pkcs10_data_with_bad_base64(self):
|
|
||||||
self.meta['request_data'] = certs.create_bad_csr()
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.PayloadDecodingError,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_bad_pkcs10_data(self):
|
|
||||||
request_data = base64.encode_as_text(certs.create_bad_csr())
|
|
||||||
self.meta['request_data'] = request_data
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.InvalidPKCS10Data,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_signed_wrong_key_pkcs10_data(self):
|
|
||||||
self.meta['request_data'] = base64.encode_as_text(
|
|
||||||
certs.create_csr_signed_with_wrong_key())
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.InvalidPKCS10Data,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_unsigned_pkcs10_data(self):
|
|
||||||
self.meta['request_data'] = base64.encode_as_text(
|
|
||||||
certs.create_csr_that_has_not_been_signed())
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.InvalidPKCS10Data,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_payload_in_order(self):
|
|
||||||
self.meta['payload'] = 'payload'
|
|
||||||
self.assertRaises(excep.InvalidObject,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
|
|
||||||
class WhenTestingFullCMCOrderValidator(utils.BaseTestCase):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(WhenTestingFullCMCOrderValidator, self).setUp()
|
|
||||||
self.type = 'certificate'
|
|
||||||
self.meta = {'request_type': 'full-cmc',
|
|
||||||
'request_data': VALID_FULL_CMC,
|
|
||||||
'requestor_name': 'Barbican User',
|
|
||||||
'requestor_email': 'barbican_user@example.com',
|
|
||||||
'requestor_phone': '555-1212'}
|
|
||||||
self._set_order()
|
|
||||||
self.validator = validators.TypeOrderValidator()
|
|
||||||
|
|
||||||
def _set_order(self):
|
|
||||||
self.order_req = {'type': self.type,
|
|
||||||
'meta': self.meta}
|
|
||||||
|
|
||||||
def test_should_raise_not_yet_implemented(self):
|
|
||||||
self.assertRaises(excep.FullCMCNotSupported,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
@testtools.skip("Feature not yet implemented")
|
|
||||||
def test_should_pass_good_data(self):
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
@testtools.skip("Feature not yet implemented")
|
|
||||||
def test_should_raise_with_no_request_data(self):
|
|
||||||
del self.meta['request_data']
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.MissingMetadataField,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
@testtools.skip("Not yet implemented")
|
|
||||||
def test_should_raise_with_bad_cmc_data(self):
|
|
||||||
self.meta['request_data'] = 'Bad CMC Data'
|
|
||||||
self._set_order()
|
|
||||||
self.assertRaises(excep.InvalidCMCData,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
|
|
||||||
class WhenTestingCustomOrderValidator(utils.BaseTestCase):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(WhenTestingCustomOrderValidator, self).setUp()
|
|
||||||
self.type = 'certificate'
|
|
||||||
self.meta = {'request_type': 'custom',
|
|
||||||
'ca_param_1': 'value_1',
|
|
||||||
'ca_param_2': 'value_2',
|
|
||||||
'requestor_name': 'Barbican User',
|
|
||||||
'requestor_email': 'barbican_user@example.com',
|
|
||||||
'requestor_phone': '555-1212'}
|
|
||||||
self._set_order()
|
|
||||||
self.validator = validators.TypeOrderValidator()
|
|
||||||
|
|
||||||
def _set_order(self):
|
|
||||||
self.order_req = {'type': self.type,
|
|
||||||
'meta': self.meta}
|
|
||||||
|
|
||||||
def test_should_pass_good_data(self):
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
def test_should_pass_with_no_request_type(self):
|
|
||||||
# defaults to custom
|
|
||||||
del self.meta['request_type']
|
|
||||||
self._set_order()
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
|
|
||||||
class WhenTestingStoredKeyOrderValidator(utils.BaseTestCase):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(WhenTestingStoredKeyOrderValidator, self).setUp()
|
|
||||||
self.type = 'certificate'
|
|
||||||
self.meta = {'request_type': 'stored-key',
|
|
||||||
'container_ref':
|
|
||||||
'https://localhost/v1/containers/good_container_ref',
|
|
||||||
'subject_dn': 'cn=barbican-server,o=example.com',
|
|
||||||
'requestor_name': 'Barbican User',
|
|
||||||
'requestor_email': 'barbican_user@example.com',
|
|
||||||
'requestor_phone': '555-1212'}
|
|
||||||
self.order_req = {'type': self.type,
|
|
||||||
'meta': self.meta}
|
|
||||||
self.validator = validators.TypeOrderValidator()
|
|
||||||
|
|
||||||
def test_should_pass_good_data(self):
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_no_container_ref(self):
|
|
||||||
del self.meta['container_ref']
|
|
||||||
self.assertRaises(excep.MissingMetadataField,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_no_subject_dn(self):
|
|
||||||
del self.meta['subject_dn']
|
|
||||||
self.assertRaises(excep.MissingMetadataField,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_pass_with_profile_and_ca_id(self):
|
|
||||||
self.meta['ca_id'] = 'my_ca_id'
|
|
||||||
self.meta['profile'] = 'my_profile'
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_profile_and_no_ca_id(self):
|
|
||||||
self.meta['profile'] = 'my_profile'
|
|
||||||
self.assertRaises(excep.MissingMetadataField,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_extensions_data(self):
|
|
||||||
self.meta['extensions'] = VALID_EXTENSIONS
|
|
||||||
self.assertRaises(excep.CertificateExtensionsNotSupported,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
@testtools.skip("Not yet implemented")
|
|
||||||
def test_should_raise_with_bad_extensions_data(self):
|
|
||||||
self.meta['extensions'] = 'Bad extensions data'
|
|
||||||
self.assertRaises(excep.InvalidExtensionsData,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_pass_with_one_cn_in_dn(self):
|
|
||||||
self.meta['subject_dn'] = "CN=example1"
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
def test_should_pass_with_two_cn_in_dn(self):
|
|
||||||
self.meta['subject_dn'] = "CN=example1,CN=example2"
|
|
||||||
self.validator.validate(self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_blank_dn(self):
|
|
||||||
self.meta['subject_dn'] = ""
|
|
||||||
self.assertRaises(excep.InvalidSubjectDN,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_bad_subject_dn(self):
|
|
||||||
self.meta['subject_dn'] = "Bad subject DN data"
|
|
||||||
self.assertRaises(excep.InvalidSubjectDN,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
def test_should_raise_with_payload_in_order(self):
|
|
||||||
self.meta['payload'] = 'payload'
|
|
||||||
self.assertRaises(excep.InvalidObject,
|
|
||||||
self.validator.validate,
|
|
||||||
self.order_req)
|
|
||||||
|
|
||||||
|
|
||||||
@utils.parameterized_test_case
|
@utils.parameterized_test_case
|
||||||
class WhenTestingAclValidator(utils.BaseTestCase):
|
class WhenTestingAclValidator(utils.BaseTestCase):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
@ -2,11 +2,6 @@
|
|||||||
Orders API - Reference
|
Orders API - Reference
|
||||||
**********************
|
**********************
|
||||||
|
|
||||||
.. warning::
|
|
||||||
|
|
||||||
DEPRECATION WARNING: The Certificates Order resource has been deprecated
|
|
||||||
and will be removed in the P release.
|
|
||||||
|
|
||||||
.. _get_orders:
|
.. _get_orders:
|
||||||
|
|
||||||
GET /v1/orders
|
GET /v1/orders
|
||||||
@ -144,7 +139,7 @@ Parameters
|
|||||||
| Attribute Name | Type | Description | Default |
|
| Attribute Name | Type | Description | Default |
|
||||||
+============================+=========+==============================================+============+
|
+============================+=========+==============================================+============+
|
||||||
| type | string | The type of key to be generated. Valid types | None |
|
| type | string | The type of key to be generated. Valid types | None |
|
||||||
| | | are key, asymmetric, and certificate | |
|
| | | are key and asymmetric | |
|
||||||
+----------------------------+---------+----------------------------------------------+------------+
|
+----------------------------+---------+----------------------------------------------+------------+
|
||||||
| meta | | Dictionary containing the secret metadata | None |
|
| meta | | Dictionary containing the secret metadata | None |
|
||||||
| | dict | used to generate the secret. | |
|
| | dict | used to generate the secret. | |
|
||||||
|
@ -95,25 +95,6 @@ def get_order_rsa_container_with_passphrase():
|
|||||||
"mode": "cbc"}}
|
"mode": "cbc"}}
|
||||||
|
|
||||||
|
|
||||||
def get_order_certificate(container_ref):
|
|
||||||
return {'type': 'certificate',
|
|
||||||
'meta': {'request_type': 'stored-key',
|
|
||||||
'container_ref': container_ref,
|
|
||||||
'subject_dn': 'cn=server.example.com,o=example.com',
|
|
||||||
'requestor_name': 'Barbican User',
|
|
||||||
'requestor_email': 'user@example.com',
|
|
||||||
'requestor_phone': '555-1212'}}
|
|
||||||
|
|
||||||
|
|
||||||
def get_order_certificate_simple_cmc(csr):
|
|
||||||
return {'type': 'certificate',
|
|
||||||
'meta': {'request_type': 'simple-cmc',
|
|
||||||
'requestor_name': 'Barbican User',
|
|
||||||
'requestor_email': 'user@example.com',
|
|
||||||
'requestor_phone': '555-1212',
|
|
||||||
'request_data': csr}}
|
|
||||||
|
|
||||||
|
|
||||||
@utils.parameterized_test_case
|
@utils.parameterized_test_case
|
||||||
class RSATestCase(base.TestCase):
|
class RSATestCase(base.TestCase):
|
||||||
"""Positive test cases for all ways of working with RSA keys
|
"""Positive test cases for all ways of working with RSA keys
|
||||||
@ -267,70 +248,6 @@ class RSATestCase(base.TestCase):
|
|||||||
secrets = self.get_container(container_ref)
|
secrets = self.get_container(container_ref)
|
||||||
self.verify_container_keys_equal(secrets)
|
self.verify_container_keys_equal(secrets)
|
||||||
|
|
||||||
@testcase.attr('positive')
|
|
||||||
@testtools.skipIf(utils.is_pkcs11_enabled(),
|
|
||||||
"PKCS11 does not support this operation")
|
|
||||||
def test_rsa_order_certificate_from_ordered_container(self):
|
|
||||||
"""Post an order for a certificate"""
|
|
||||||
order_ref = self.order_container()
|
|
||||||
container_ref = self.get_container_order(order_ref)
|
|
||||||
secrets = self.get_container(container_ref)
|
|
||||||
self.verify_container_keys_valid(secrets)
|
|
||||||
order_ref = self.order_certificate(container_ref)
|
|
||||||
order_status = self.get_certificate_order(order_ref)
|
|
||||||
self.verify_certificate_order_status(order_status)
|
|
||||||
|
|
||||||
@testcase.attr('positive')
|
|
||||||
@testtools.skipIf(utils.is_kmip_enabled() or utils.is_vault_enabled()
|
|
||||||
or utils.is_pkcs11_enabled(),
|
|
||||||
"PyKMIP does not support this operation")
|
|
||||||
def test_rsa_order_certificate_from_ordered_container_with_pass(self):
|
|
||||||
"""Post an order for a certificate"""
|
|
||||||
order_ref = self.order_container(with_passphrase=True)
|
|
||||||
container_ref = self.get_container_order(order_ref)
|
|
||||||
secrets = self.get_container(container_ref)
|
|
||||||
self.verify_container_keys_valid(secrets, with_passphrase=True)
|
|
||||||
order_ref = self.order_certificate(container_ref)
|
|
||||||
order_status = self.get_certificate_order(order_ref)
|
|
||||||
self.verify_certificate_order_status(order_status)
|
|
||||||
|
|
||||||
@testcase.attr('positive')
|
|
||||||
def test_rsa_order_certificate_from_stored_container(self):
|
|
||||||
"""Post an order for a certificate"""
|
|
||||||
public_ref = self.create_public_key()
|
|
||||||
self.update_public_key(public_ref)
|
|
||||||
private_ref = self.create_private_key()
|
|
||||||
self.update_private_key(private_ref)
|
|
||||||
container_ref = self.store_container(public_ref, private_ref)
|
|
||||||
secrets = self.get_container(container_ref)
|
|
||||||
self.verify_container_keys_equal(secrets)
|
|
||||||
order_ref = self.order_certificate(container_ref)
|
|
||||||
order_status = self.get_certificate_order(order_ref)
|
|
||||||
self.verify_certificate_order_status(order_status)
|
|
||||||
|
|
||||||
@testcase.attr('positive')
|
|
||||||
@testtools.skipIf(utils.is_kmip_enabled(),
|
|
||||||
"PyKMIP does not support this operation")
|
|
||||||
def test_rsa_order_certificate_from_stored_container_with_pass(self):
|
|
||||||
"""Post an order for a certificate"""
|
|
||||||
public_ref = self.store_public_key()
|
|
||||||
private_ref = self.store_encrypted_private_key()
|
|
||||||
phrase_ref = self.store_passphrase()
|
|
||||||
container_ref = self.store_container(
|
|
||||||
public_ref, private_ref, phrase_ref)
|
|
||||||
secrets = self.get_container(container_ref)
|
|
||||||
self.verify_container_keys_equal(secrets, with_passphrase=True)
|
|
||||||
order_ref = self.order_certificate(container_ref)
|
|
||||||
order_status = self.get_certificate_order(order_ref)
|
|
||||||
self.verify_certificate_order_status(order_status)
|
|
||||||
|
|
||||||
@testcase.attr('positive')
|
|
||||||
def test_rsa_order_certificate_from_csr(self):
|
|
||||||
"""Post an order for a certificate"""
|
|
||||||
order_ref = self.order_certificate_from_csr()
|
|
||||||
order_status = self.get_certificate_order(order_ref)
|
|
||||||
self.verify_certificate_order_status(order_status)
|
|
||||||
|
|
||||||
# ----------------------- Helper Functions ---------------------------
|
# ----------------------- Helper Functions ---------------------------
|
||||||
def store_private_key(self):
|
def store_private_key(self):
|
||||||
pem = keys.get_private_key_pem()
|
pem = keys.get_private_key_pem()
|
||||||
@ -583,29 +500,3 @@ class RSATestCase(base.TestCase):
|
|||||||
resp = self.order_behaviors.get_order(order_ref)
|
resp = self.order_behaviors.get_order(order_ref)
|
||||||
self.assertEqual(200, resp.status_code)
|
self.assertEqual(200, resp.status_code)
|
||||||
return resp.model.container_ref
|
return resp.model.container_ref
|
||||||
|
|
||||||
def order_certificate(self, container_ref):
|
|
||||||
test_model = order_models.OrderModel(
|
|
||||||
**get_order_certificate(container_ref))
|
|
||||||
resp, order_ref = self.order_behaviors.create_order(test_model)
|
|
||||||
self.assertEqual(202, resp.status_code)
|
|
||||||
return order_ref
|
|
||||||
|
|
||||||
def get_certificate_order(self, order_ref):
|
|
||||||
resp = self.order_behaviors.get_order(order_ref)
|
|
||||||
self.assertEqual(200, resp.status_code)
|
|
||||||
order_status = (resp.model.status,
|
|
||||||
resp.model.sub_status)
|
|
||||||
return order_status
|
|
||||||
|
|
||||||
def verify_certificate_order_status(self, order_status):
|
|
||||||
self.assertEqual(("PENDING", "cert_request_pending"),
|
|
||||||
order_status)
|
|
||||||
|
|
||||||
def order_certificate_from_csr(self):
|
|
||||||
csr = keys.get_csr_pem()
|
|
||||||
test_model = order_models.OrderModel(
|
|
||||||
**get_order_certificate_simple_cmc(base64.b64encode(csr)))
|
|
||||||
resp, order_ref = self.order_behaviors.create_order(test_model)
|
|
||||||
self.assertEqual(202, resp.status_code)
|
|
||||||
return order_ref
|
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The deprecated certificate order resource was removed. Because of this,
|
||||||
|
create order API no longer accepts ``certificate`` type.
|
Loading…
Reference in New Issue
Block a user