From ac161fc45661c30cf8f8049d93105e001e986551 Mon Sep 17 00:00:00 2001
From: Tim Kelsey
Date: Tue, 18 Nov 2014 10:33:59 +0000
Subject: [PATCH] Adding client certificates to connection credentials - this changes requires PyKMIP 0.2.0
Change-Id: I32c958ec70d963d79c287d4720b67120b9f3d8d6
Also-By: Robert Clark
---
 barbican/plugin/kmip_secret_store.py | 19 +++++++++++++++++--
 barbican/tests/plugin/test_kmip.py | 7 +++++--
 etc/barbican/barbican-api.conf | 4 ++++
 setup.cfg | 1 +
 4 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/barbican/plugin/kmip_secret_store.py b/barbican/plugin/kmip_secret_store.py
index 44b7b3b72..57ccef2fb 100644
--- a/barbican/plugin/kmip_secret_store.py
+++ b/barbican/plugin/kmip_secret_store.py
@@ -27,7 +27,8 @@ from kmip.core.factories import credentials
 from kmip.core.factories import secrets
 from kmip.core import objects as kmip_objects
-from barbican import i18n as u
+
+from barbican import i18n as u # noqa
 from barbican.openstack.common import log as logging
 from barbican.plugin.interface import secret_store as ss
@@ -63,6 +64,14 @@ kmip_opts = [
 default=None,
 help=u._('File path to concatenated "certification authority" '
 'certificates'),
+ ),
+ cfg.StrOpt('certfile',
+ default=None,
+ help=u._('File path to local client certificate'),
+ ),
+ cfg.StrOpt('keyfile',
+ default=None,
+ help=u._('File path to local client certificate keyfile'),
 )
 ]
 CONF.register_group(kmip_opt_group)
@@ -101,6 +110,8 @@ class KMIPSecretStore(ss.SecretStoreBase):
 enums.CryptographicAlgorithm.TRIPLE_DES}
 }
+ # TODO(tkelsey): check the certificate file has good permissions
+
 credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD
 credential_value = {'Username': conf.kmip_plugin.username,
 'Password': conf.kmip_plugin.password}
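Review bot: The `keyfile` option added in the `@@ -63,6 +64,14 @@` hunk points at a private key, but its help text only calls it a "certificate keyfile", so an operator reading the generated sample config gets no hint that this file needs to be protected; I would make the help explicit, e.g. `help=u._('File path to the private key for the local client certificate; it should be readable only by the barbican service user'),`. The `certfile` help would likewise benefit from saying it is the client certificate presented to the KMIP server during the TLS handshake, since "local client certificate" alone does not say what it is used for. The `kmip_opts` list starts before this hunk.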
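Review bot: The `# TODO(tkelsey): check the certificate file has good permissions` comment added in the `@@ -101,6 +110,8 @@` hunk leaves the check unimplemented even though the same constructor goes on to hand `conf.kmip_plugin.keyfile` to the client in the next hunk, and it is the private key, not the certificate, whose file mode matters. A small guard at this point would flag a key that is group- or world-accessible, and it has to be conditional because `keyfile` defaults to `None`; note that `os.stat` on a missing path raises here, which is a useful fail-fast rather than a connect-time surprise. The sketch below needs `os` and `stat` imported at the top of the module and assumes a module-level `LOG` built from the `log as logging` import, neither of which is visible in this diff; refusing to start instead of warning is the stricter option if the project prefers it. `__init__` continues into the following hunk.
```python
        keyfile = conf.kmip_plugin.keyfile
        if keyfile:
            # The private key must not be readable by group or others.
            mode = stat.S_IMODE(os.stat(keyfile).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                LOG.warning(u._('KMIP client key file %s is accessible by '
                                'group or others'), keyfile)
        # … unchanged: credential_type / credential_value setup …
```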
@@ -111,7 +122,11 @@ class KMIPSecretStore(ss.SecretStoreBase):
 host=conf.kmip_plugin.host,
 port=int(conf.kmip_plugin.port),
 ssl_version=conf.kmip_plugin.ssl_version,
- ca_certs=conf.kmip_plugin.ca_certs)
+ ca_certs=conf.kmip_plugin.ca_certs,
+ certfile=conf.kmip_plugin.certfile,
+ keyfile=conf.kmip_plugin.keyfile,
+ username=conf.kmip_plugin.username,
+ password=conf.kmip_plugin.password)
 def generate_symmetric_key(self, key_spec):
 """Generate a symmetric key.
diff --git a/barbican/tests/plugin/test_kmip.py b/barbican/tests/plugin/test_kmip.py
index ab4eac0f5..0375f1f38 100644
--- a/barbican/tests/plugin/test_kmip.py
+++ b/barbican/tests/plugin/test_kmip.py
@@ -27,6 +27,7 @@ from kmip.core.messages import contents
 from kmip.core import objects
 from kmip.services import kmip_client as proxy
 from kmip.services import results
+from oslo.config import cfg
 from barbican.plugin import kmip_secret_store as kss
@@ -39,9 +40,11 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):
 self.kmipclient_mock = mock.MagicMock(name="KMIP client mock")
- self.credential = None
+ CONF = cfg.CONF
+ CONF.kmip_plugin.keyfile = None
- self.secret_store = kss.KMIPSecretStore()
+ self.credential = None
+ self.secret_store = kss.KMIPSecretStore(CONF)
 self.secret_store.client = self.kmipclient_mock
 self.secret_store.credential = self.credential
diff --git a/etc/barbican/barbican-api.conf b/etc/barbican/barbican-api.conf
index 21c4e3dcf..5b8ff63fb 100644
--- a/etc/barbican/barbican-api.conf
+++ b/etc/barbican/barbican-api.conf
@@ -228,6 +228,10 @@ username = 'admin'
 password = 'password'
 host = localhost
 port = 9090
+keyfile = '/path/to/certs/cert.key'
+certfile = '/path/to/certs/cert.crt'
+ca_certs = '/path/to/certs/LocalCA.crt'
+
 # ================= Certificate plugin ===================
 [certificate]
diff --git a/setup.cfg b/setup.cfg
index 197534ff7..68711e6c2 100644
--- a/setup.cfg
+++ b/setup.cfg
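Review bot: The `@@ -111,7 +122,11 @@` hunk passes `certfile` and `keyfile` straight through to the client, and both default to `None`, so a deployment that sets only one of them (a typo in the other, or the sample config copied half-way) will most likely end up with a connection that carries no client certificate instead of a start-up error; a check before the client is built, `if bool(conf.kmip_plugin.certfile) != bool(conf.kmip_plugin.keyfile): raise ValueError(u._('certfile and keyfile must be configured together'))`, makes the misconfiguration visible immediately (the store's own configuration exception, if it has one, would be the better type than `ValueError`). How the PyKMIP 0.2.0 client behaves when both are `None` is not visible here, so whether username/password alone is still accepted should be confirmed and, if so, logged at start-up so operators can see which mode is in use. `__init__` begins in the previous hunk.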
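Review bot: `CONF.kmip_plugin.keyfile = None` in the `@@ -39,9 +40,11 @@` hunk assigns through the group attribute proxy that `cfg.CONF` returns, which as far as I can tell does not override the registered option and, because `keyfile` already defaults to `None`, has no observable effect; `certfile` is not touched at all, so the test does not actually exercise the configuration the commit adds. If the intent is to pin both paths for the test, `CONF.set_override('keyfile', None, group='kmip_plugin')` (and the same for `certfile`) with `self.addCleanup(CONF.clear_override, 'keyfile', group='kmip_plugin')` is the supported way and keeps the process-global `cfg.CONF` clean for other tests. The enclosing set-up method starts before this hunk.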
@@ -31,6 +31,7 @@ scripts =
 barbican.secretstore.plugin =
 store_crypto = barbican.plugin.store_crypto:StoreCryptoAdapterPlugin
 dogtag_crypto = barbican.plugin.dogtag:DogtagKRAPlugin
+ kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore
 barbican.crypto.plugin =
 p11_crypto = barbican.plugin.crypto.p11_crypto:P11CryptoPlugin
 simple_crypto = barbican.plugin.crypto.simple_crypto:SimpleCryptoPlugin
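Review bot: The commit message says this change requires PyKMIP 0.2.0, but the diffstat lists only the four files above and no requirements or constraints change, so nothing in the tree pins that minimum; the new `kmip_plugin` entry point is then loadable against an older PyKMIP whose client does not accept `certfile`/`keyfile`, and the mismatch would likely surface only as a `TypeError` when the store is instantiated. I would add the `>=0.2.0` floor to the project's requirements file in the same change (that file is not part of this diff, so the exact line is for the author to place). The entry-point name `kmip_plugin` also breaks with the `store_crypto`/`dogtag_crypto` naming of its siblings; a name without the `_plugin` suffix would read more consistently, though renaming affects any configuration that already references it.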