diff --git a/barbican/plugin/kmip_secret_store.py b/barbican/plugin/kmip_secret_store.py
index 9162f23b7..7f3034d41 100644
--- a/barbican/plugin/kmip_secret_store.py
+++ b/barbican/plugin/kmip_secret_store.py
@@ -239,13 +239,9 @@ class KMIPSecretStore(ss.SecretStoreBase):
 config = conf.kmip_plugin
- # Use TLSv1_2, if present
- tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None)
- if tlsv12:
- config.ssl_version = 'PROTOCOL_TLSv1_2'
- LOG.info(u._LI('Going to use TLS1.2...'))
- else:
- LOG.warning(u._LW('TLSv1_2 is not present on the System'))
+ if not getattr(ssl, config.ssl_version, None):
+ LOG.error(u._LE("The configured SSL version (%s) is not available"
+ " on the system."), config.ssl_version)
 self.client = client.ProxyKmipClient(
 hostname=config.host,
diff --git a/barbican/tests/plugin/test_kmip.py b/barbican/tests/plugin/test_kmip.py
index 8e1464f50..59c55ab3e 100644
--- a/barbican/tests/plugin/test_kmip.py
+++ b/barbican/tests/plugin/test_kmip.py
@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import base64
-import ssl
 import stat
 import mock
@@ -146,11 +145,18 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):
 self.assertTrue(secret_store.pkcs1_only)
 def test_enable_tlsv12_config_option(self):
- ssl.PROTOCOL_TLSv1_2 = 5
+ ssl_version = "PROTOCOL_TLSv1_2"
 CONF = kss.CONF
- secret_store = kss.KMIPSecretStore(CONF)
- self.assertTrue(secret_store)
- self.assertEqual(CONF.kmip_plugin.ssl_version, 'PROTOCOL_TLSv1_2')
+ CONF.kmip_plugin.ssl_version = ssl_version
+ kss.KMIPSecretStore(CONF)
+ self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
+
+ def test_enable_tlsv1_config_option(self):
+ ssl_version = "PROTOCOL_TLSv1"
+ CONF = kss.CONF
+ CONF.kmip_plugin.ssl_version = ssl_version
+ kss.KMIPSecretStore(CONF)
+ self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
 # --------------- TEST GENERATE_SUPPORTS ---------------------------------
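Review bot: When the configured protocol name is missing from the `ssl` module, the added branch in barbican/plugin/kmip_secret_store.py only logs, and the constructor still goes on to build `ProxyKmipClient` with that value, so a misconfigured link to the KMIP server surfaces later and further from its cause; raising right after the `LOG.error` call would fail fast. The truthiness test also accepts any attribute of `ssl` rather than only protocol constants, and treats a constant whose value is 0 as missing; `if getattr(ssl, config.ssl_version, None) is None:` plus a check that the name starts with `PROTOCOL_` is stricter. With the hard-coded TLS 1.2 selection removed, nothing visible in this hunk stops an operator from configuring an older protocol such as `PROTOCOL_TLSv1` for this connection, so a warning whenever the name is not `PROTOCOL_TLSv1_2` would be worth adding. The enclosing method (presumably `__init__`) starts and ends outside the hunk, and the option's default is not shown here.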
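Review bot: Both tests in barbican/tests/plugin/test_kmip.py assign `CONF.kmip_plugin.ssl_version` on the shared `kss.CONF` object and never restore it, so the value stays in place for whichever test runs next; `CONF.set_override('ssl_version', ssl_version, group='kmip_plugin')` with `self.addCleanup(CONF.clear_override, 'ssl_version', group='kmip_plugin')` keeps it scoped to the test. The closing `assertEqual` only compares the option with the value the test itself just stored, so it would still pass if the plugin ignored the option; asserting on the arguments the client was constructed with (if it is mocked in this test case, which the hunk does not show) would pin the behaviour. There is also no test for the new error branch, using a protocol name that the `ssl` module lacks.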
diff --git a/devstack/lib/barbican b/devstack/lib/barbican index dc05552e7..ac00fba85 100644 --- a/devstack/lib/barbican +++ b/devstack/lib/barbican @@ -376,6 +376,7 @@ function install_pykmip { if is_service_enabled pykmip-server; then [ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR} sudo chown ${USER} ${PYKMIP_CONF_DIR} + [ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR} sudo chown ${USER} ${PYKMIP_LOG_DIR} @@ -397,7 +398,7 @@ port=5696 certificate_path=${PYKMIP_SERVER_CERT} key_path=${PYKMIP_SERVER_KEY} ca_path=${PYKMIP_CA_PATH} -auth_suite=Basic +auth_suite=TLS1.2 EOF fi fi @@ -415,7 +416,7 @@ function configure_pykmip { # start_pykmip - start the PyKMIP server function start_pykmip { - run_process pykmip-server "pykmip-server -f \'${PYKMIP_CONF}\' -l \'${PYKMIP_LOG_DIR}/pykmip-devstack.log\'" + run_process pykmip-server "pykmip-server -f ${PYKMIP_CONF} -l ${PYKMIP_LOG_DIR}/pykmip-devstack.log" } # Dogtag functions diff --git a/functionaltests/post_test_hook.sh b/functionaltests/post_test_hook.sh index 48c9be184..4d2cad1c4 100755 --- a/functionaltests/post_test_hook.sh +++ b/functionaltests/post_test_hook.sh @@ -18,8 +18,10 @@ set -ex +plugin=$1 + sudo pip install -r /opt/stack/new/barbican/test-requirements.txt cd /opt/stack/new/barbican/functionaltests echo 'Running Functional Tests' -sudo ./run_tests.sh +sudo ./run_tests.sh $plugin diff --git a/functionaltests/run_tests.sh b/functionaltests/run_tests.sh index c6c3d0c56..d0cc10103 100755 --- a/functionaltests/run_tests.sh +++ b/functionaltests/run_tests.sh @@ -22,6 +22,12 @@ fi echo "Successfully contacted the Barbican API" +plugin=$1 + +if [[ "$plugin" == "kmip" ]]; then + export KMIP_PLUGIN_ENABLED=1 +fi + # run the tests sequentially testr init testr run --subunit | subunit-trace --no-failure-debug -f
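Review bot: The new `start_pykmip` command line in devstack/lib/barbican expands `${PYKMIP_CONF}` and `${PYKMIP_LOG_DIR}` with no quoting at all, so a path containing whitespace would be split into separate arguments when the string is executed. Plain single quotes inside the double-quoted string, `"pykmip-server -f '${PYKMIP_CONF}' -l '${PYKMIP_LOG_DIR}/pykmip-devstack.log'"`, would keep each path as one argument, assuming `run_process` hands the string to a shell (its definition is not part of this diff). The same applies to `sudo ./run_tests.sh $plugin` in functionaltests/post_test_hook.sh, where `"$plugin"` is the safer form.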