Adding client certificates to connection credentials

- this changes requires PyKMIP 0.2.0

Change-Id: I32c958ec70d963d79c287d4720b67120b9f3d8d6
Also-By: Robert Clark <robert.clark@hp.com>

barbican/plugin/kmip_secret_store.py

@@ -27,7 +27,8 @@ from kmip.core.factories import credentials
 from kmip.core.factories import secrets
 from kmip.core import objects as kmip_objects
 
-from barbican import i18n as u
+
+from barbican import i18n as u  # noqa
 from barbican.openstack.common import log as logging
 from barbican.plugin.interface import secret_store as ss
 
@@ -63,6 +64,14 @@ kmip_opts = [
                default=None,
                help=u._('File path to concatenated "certification authority" '
                         'certificates'),
+               ),
+    cfg.StrOpt('certfile',
+               default=None,
+               help=u._('File path to local client certificate'),
+               ),
+    cfg.StrOpt('keyfile',
+               default=None,
+               help=u._('File path to local client certificate keyfile'),
                )
 ]
 CONF.register_group(kmip_opt_group)
@@ -101,6 +110,8 @@ class KMIPSecretStore(ss.SecretStoreBase):
                 enums.CryptographicAlgorithm.TRIPLE_DES}
         }
 
+        # TODO(tkelsey): check the certificate file has good permissions
+
         credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD
         credential_value = {'Username': conf.kmip_plugin.username,
                             'Password': conf.kmip_plugin.password}
@@ -111,7 +122,11 @@ class KMIPSecretStore(ss.SecretStoreBase):
             host=conf.kmip_plugin.host,
             port=int(conf.kmip_plugin.port),
             ssl_version=conf.kmip_plugin.ssl_version,
-            ca_certs=conf.kmip_plugin.ca_certs)
+            ca_certs=conf.kmip_plugin.ca_certs,
+            certfile=conf.kmip_plugin.certfile,
+            keyfile=conf.kmip_plugin.keyfile,
+            username=conf.kmip_plugin.username,
+            password=conf.kmip_plugin.password)
 
     def generate_symmetric_key(self, key_spec):
         """Generate a symmetric key.

barbican/tests/plugin/test_kmip.py

@@ -27,6 +27,7 @@ from kmip.core.messages import contents
 from kmip.core import objects
 from kmip.services import kmip_client as proxy
 from kmip.services import results
+from oslo.config import cfg
 
 from barbican.plugin import kmip_secret_store as kss
 
@@ -39,9 +40,11 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):
 
         self.kmipclient_mock = mock.MagicMock(name="KMIP client mock")
 
-        self.credential = None
+        CONF = cfg.CONF
+        CONF.kmip_plugin.keyfile = None
 
-        self.secret_store = kss.KMIPSecretStore()
+        self.credential = None
+        self.secret_store = kss.KMIPSecretStore(CONF)
         self.secret_store.client = self.kmipclient_mock
         self.secret_store.credential = self.credential
 

etc/barbican/barbican-api.conf

@@ -228,6 +228,10 @@ username = 'admin'
 password = 'password'
 host = localhost
 port = 9090
+keyfile = '/path/to/certs/cert.key'
+certfile = '/path/to/certs/cert.crt'
+ca_certs = '/path/to/certs/LocalCA.crt'
+
 
 # ================= Certificate plugin ===================
 [certificate]

setup.cfg

@@ -31,6 +31,7 @@ scripts =
 barbican.secretstore.plugin =
     store_crypto = barbican.plugin.store_crypto:StoreCryptoAdapterPlugin
     dogtag_crypto = barbican.plugin.dogtag:DogtagKRAPlugin
+    kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore
 barbican.crypto.plugin =
     p11_crypto = barbican.plugin.crypto.p11_crypto:P11CryptoPlugin
     simple_crypto = barbican.plugin.crypto.simple_crypto:SimpleCryptoPlugin