Adding client certificates to connection credentials

- this changes requires PyKMIP 0.2.0 Change-Id: I32c958ec70d963d79c287d4720b67120b9f3d8d6 Also-By: Robert Clark <robert.clark@hp.com>
2014-11-18 10:33:59 +00:00 · 2014-11-18 10:33:59 +00:00 · ac161fc456
commit ac161fc456
parent 82478bb4ad
4 changed files with 27 additions and 4 deletions
--- a/barbican/plugin/kmip_secret_store.py
+++ b/barbican/plugin/kmip_secret_store.py
@ -27,7 +27,8 @@ from kmip.core.factories import credentials
 from kmip.core.factories import secrets
 from kmip.core import objects as kmip_objects

-from barbican import i18n as u
+
+from barbican import i18n as u  # noqa
 from barbican.openstack.common import log as logging
 from barbican.plugin.interface import secret_store as ss

@ -63,6 +64,14 @@ kmip_opts = [
               default=None,
               help=u._('File path to concatenated "certification authority" '
                        'certificates'),
+               ),
+    cfg.StrOpt('certfile',
+               default=None,
+               help=u._('File path to local client certificate'),
+               ),
+    cfg.StrOpt('keyfile',
+               default=None,
+               help=u._('File path to local client certificate keyfile'),
               )
 ]
 CONF.register_group(kmip_opt_group)
@ -101,6 +110,8 @@ class KMIPSecretStore(ss.SecretStoreBase):
                enums.CryptographicAlgorithm.TRIPLE_DES}
        }

+        # TODO(tkelsey): check the certificate file has good permissions
+
        credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD
        credential_value = {'Username': conf.kmip_plugin.username,
                            'Password': conf.kmip_plugin.password}
@ -111,7 +122,11 @@ class KMIPSecretStore(ss.SecretStoreBase):
            host=conf.kmip_plugin.host,
            port=int(conf.kmip_plugin.port),
            ssl_version=conf.kmip_plugin.ssl_version,
-            ca_certs=conf.kmip_plugin.ca_certs)
+            ca_certs=conf.kmip_plugin.ca_certs,
+            certfile=conf.kmip_plugin.certfile,
+            keyfile=conf.kmip_plugin.keyfile,
+            username=conf.kmip_plugin.username,
+            password=conf.kmip_plugin.password)

    def generate_symmetric_key(self, key_spec):
        """Generate a symmetric key.
--- a/barbican/tests/plugin/test_kmip.py
+++ b/barbican/tests/plugin/test_kmip.py
@ -27,6 +27,7 @@ from kmip.core.messages import contents
 from kmip.core import objects
 from kmip.services import kmip_client as proxy
 from kmip.services import results
+from oslo.config import cfg

 from barbican.plugin import kmip_secret_store as kss

@ -39,9 +40,11 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):

        self.kmipclient_mock = mock.MagicMock(name="KMIP client mock")

-        self.credential = None
+        CONF = cfg.CONF
+        CONF.kmip_plugin.keyfile = None

-        self.secret_store = kss.KMIPSecretStore()
+        self.credential = None
+        self.secret_store = kss.KMIPSecretStore(CONF)
        self.secret_store.client = self.kmipclient_mock
        self.secret_store.credential = self.credential

--- a/etc/barbican/barbican-api.conf
+++ b/etc/barbican/barbican-api.conf
@ -228,6 +228,10 @@ username = 'admin'
 password = 'password'
 host = localhost
 port = 9090
+keyfile = '/path/to/certs/cert.key'
+certfile = '/path/to/certs/cert.crt'
+ca_certs = '/path/to/certs/LocalCA.crt'
+

 # ================= Certificate plugin ===================
 [certificate]
--- a/setup.cfg
+++ b/setup.cfg
@ -31,6 +31,7 @@ scripts =
 barbican.secretstore.plugin =
    store_crypto = barbican.plugin.store_crypto:StoreCryptoAdapterPlugin
    dogtag_crypto = barbican.plugin.dogtag:DogtagKRAPlugin
+    kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore
 barbican.crypto.plugin =
    p11_crypto = barbican.plugin.crypto.p11_crypto:P11CryptoPlugin
    simple_crypto = barbican.plugin.crypto.simple_crypto:SimpleCryptoPlugin