From 10e7a5491a74e9ce4d5d3291867ebe2ae3109299 Mon Sep 17 00:00:00 2001
From: Kaitlin Farr
Date: Thu, 23 Feb 2017 18:15:57 -0500
Subject: [PATCH] Fix KMIP gate

Switches KMIP server configuration and KMIP plugin to use TLSv1.2 by default. This is the most secure option. In case the system is older and does not have TLSv1.2, an error message is printed out.

Removes the behavior of switching to TLSv1.2 despite the user's configuration that was added with I7018262cb74a95dfa24d6b94d49f1ebd62bdeebd. This behavior was confusing -- it is much clearer to have the user-configurable options default to TLSv1.2.

Sets KMIP_PLUGIN_ENABLED before running the tests, so that the tests that won't work for KMIP will be skipped. See Id908bf57233af84bff56d90c75d175b04ccd4373 for more details.

Cleans up the quotes around the paths to the log files and server conf files when they are passed to the pykmip server.

Depends-On: I9fe7b156c4a825c8bfe94a3c48ce686ce0dee01e
Change-Id: I64e27a26dfe02d794b725763c55d0197bc2c46bd
---
 barbican/plugin/kmip_secret_store.py | 12 ++++--------
 barbican/tests/plugin/test_kmip.py   | 16 +++++++++++-----
 devstack/lib/barbican                |  5 +++--
 functionaltests/post_test_hook.sh    |  4 +++-
 functionaltests/run_tests.sh         |  6 ++++++
 5 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/barbican/plugin/kmip_secret_store.py b/barbican/plugin/kmip_secret_store.py
index e72dc3ea7..8db9b3bca 100644
--- a/barbican/plugin/kmip_secret_store.py
+++ b/barbican/plugin/kmip_secret_store.py
@@ -61,7 +61,7 @@ kmip_opts = [
                help=u._('Port for the KMIP server'),
                ),
     cfg.StrOpt('ssl_version',
-               default='PROTOCOL_TLSv1',
+               default='PROTOCOL_TLSv1_2',
                help=u._('SSL version, maps to the module ssl\'s constants'),
                ),
     cfg.StrOpt('ca_certs',
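Review bot: The help text on `ssl_version` still reads `'SSL version, maps to the module ssl\'s constants'`, which tells an operator neither what the new default is nor that the value must name an `ssl.PROTOCOL_*` attribute, and the plugin now reports an error when it does not. Suggest `help=u._('Name of the ssl module PROTOCOL_* constant used for the KMIP connection (default PROTOCOL_TLSv1_2); older protocol versions are accepted but provide weaker protection.')`. The `kmip_opts` list starts before and continues after this hunk.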
@@ -239,13 +239,9 @@ class KMIPSecretStore(ss.SecretStoreBase):
         config = conf.kmip_plugin
 
-        # Use TLSv1_2, if present
-        tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None)
-        if tlsv12:
-            config.ssl_version = 'PROTOCOL_TLSv1_2'
-            LOG.info(u._LI('Going to use TLS1.2...'))
-        else:
-            LOG.warning(u._LW('TLSv1_2 is not present on the System'))
+        if not getattr(ssl, config.ssl_version, None):
+            LOG.error(u._LE("The configured SSL version (%s) is not available"
+                            " on the system."), config.ssl_version)
 
         self.client = client.ProxyKmipClient(
             hostname=config.host,
diff --git a/barbican/tests/plugin/test_kmip.py b/barbican/tests/plugin/test_kmip.py
index 8e1464f50..59c55ab3e 100644
--- a/barbican/tests/plugin/test_kmip.py
+++ b/barbican/tests/plugin/test_kmip.py
@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import base64
-import ssl
 import stat
 
 import mock
@@ -146,11 +145,18 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):
         self.assertTrue(secret_store.pkcs1_only)
 
     def test_enable_tlsv12_config_option(self):
-        ssl.PROTOCOL_TLSv1_2 = 5
+        ssl_version = "PROTOCOL_TLSv1_2"
         CONF = kss.CONF
-        secret_store = kss.KMIPSecretStore(CONF)
-        self.assertTrue(secret_store)
-        self.assertEqual(CONF.kmip_plugin.ssl_version, 'PROTOCOL_TLSv1_2')
+        CONF.kmip_plugin.ssl_version = ssl_version
+        kss.KMIPSecretStore(CONF)
+        self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
+
+    def test_enable_tlsv1_config_option(self):
+        ssl_version = "PROTOCOL_TLSv1"
+        CONF = kss.CONF
+        CONF.kmip_plugin.ssl_version = ssl_version
+        kss.KMIPSecretStore(CONF)
+        self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
 
 
 # --------------- TEST GENERATE_SUPPORTS ---------------------------------
diff --git a/devstack/lib/barbican b/devstack/lib/barbican
index dc05552e7..ac00fba85 100644
--- a/devstack/lib/barbican
+++ b/devstack/lib/barbican
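Review bot: The new check only logs when `getattr(ssl, config.ssl_version, None)` is falsy and then falls through to build `self.client`, so a missing or mistyped protocol name is not rejected at plugin start and presumably surfaces later, wherever `config.ssl_version` is actually consumed (that code is outside the hunk, as is the `def` of the enclosing method, which looks like `__init__`). The truthiness test also treats `ssl.PROTOCOL_SSLv2` (value 0 on interpreters that still define it) as unavailable, and any non-protocol attribute of the ssl module passes the check. A fail-closed form that also states the intent would be `if not config.ssl_version.startswith('PROTOCOL_') or getattr(ssl, config.ssl_version, None) is None:` followed by the existing `LOG.error(...)` and `raise ValueError(u._("The configured SSL version (%s) is not available on the system.") % config.ssl_version)`, using whichever exception type the plugin loader already treats as a startup failure.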
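Review bot: Both new tests assign `CONF.kmip_plugin.ssl_version = ssl_version` directly on the module-global config and never restore it, so whichever test runs last leaves its value in place for later tests in the module, unless `utils.BaseTestCase` resets `CONF` (its definition is outside this diff). With oslo.config the usual form is `CONF.set_override('ssl_version', ssl_version, group='kmip_plugin')` paired with `self.addCleanup(CONF.clear_override, 'ssl_version', group='kmip_plugin')`. The two tests also only check that constructing the store leaves the configured value unchanged; neither exercises the new error branch, so a third test that overrides `ssl_version` with a name the ssl module lacks and asserts on `LOG.error` through `mock` (already imported above) would cover it.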
@@ -376,6 +376,7 @@ function install_pykmip {
     if is_service_enabled pykmip-server; then
         [ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR}
         sudo chown ${USER} ${PYKMIP_CONF_DIR}
+        [ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR}
         sudo chown ${USER} ${PYKMIP_LOG_DIR}
@@ -397,7 +398,7 @@ port=5696
 certificate_path=${PYKMIP_SERVER_CERT}
 key_path=${PYKMIP_SERVER_KEY}
 ca_path=${PYKMIP_CA_PATH}
-auth_suite=Basic
+auth_suite=TLS1.2
 EOF
     fi
 fi
@@ -415,7 +416,7 @@ function configure_pykmip {
 
 # start_pykmip - start the PyKMIP server
 function start_pykmip {
-    run_process pykmip-server "pykmip-server -f \'${PYKMIP_CONF}\' -l \'${PYKMIP_LOG_DIR}/pykmip-devstack.log\'"
+    run_process pykmip-server "pykmip-server -f ${PYKMIP_CONF} -l ${PYKMIP_LOG_DIR}/pykmip-devstack.log"
 }
 
 # Dogtag functions
diff --git a/functionaltests/post_test_hook.sh b/functionaltests/post_test_hook.sh
index 48c9be184..4d2cad1c4 100755
--- a/functionaltests/post_test_hook.sh
+++ b/functionaltests/post_test_hook.sh
@@ -18,8 +18,10 @@
 set -ex
 
+plugin=$1
+
 sudo pip install -r /opt/stack/new/barbican/test-requirements.txt
 cd /opt/stack/new/barbican/functionaltests
 
 echo 'Running Functional Tests'
-sudo ./run_tests.sh
+sudo ./run_tests.sh $plugin
diff --git a/functionaltests/run_tests.sh b/functionaltests/run_tests.sh
index c6c3d0c56..d0cc10103 100755
--- a/functionaltests/run_tests.sh
+++ b/functionaltests/run_tests.sh
@@ -22,6 +22,12 @@ fi
 
 echo "Successfully contacted the Barbican API"
 
+plugin=$1
+
+if [[ "$plugin" == "kmip" ]]; then
+    export KMIP_PLUGIN_ENABLED=1
+fi
+
 # run the tests sequentially
 testr init
 testr run --subunit | subunit-trace --no-failure-debug -f
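Review bot: Dropping the `\'` wrappers in `start_pykmip` leaves `${PYKMIP_CONF}` and `${PYKMIP_LOG_DIR}/pykmip-devstack.log` unquoted inside the `run_process` command string, so a path containing whitespace would now be split into separate arguments; devstack paths are conventionally whitespace-free, so this is acceptable, but the reason is worth recording for the next reader. Suggest a comment above the call such as `# Paths are deliberately unquoted: escaped quotes in this string appear to have reached the server as literal characters`, adjusted to what was actually observed in the gate. The same unquoted style is used for `${PYKMIP_LOG_DIR}` in the new `mkdir` line of this file's first hunk, where `mkdir -p` already tolerates an existing directory and the `[ ! -d ... ] &&` guard only mirrors the line above it.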
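Review bot: In `run_tests.sh`, `KMIP_PLUGIN_ENABLED` is exported only when `$1` is exactly `kmip`; any other or misspelled argument silently runs the full suite with nothing in the job log to show which mode was chosen. An `echo "Functional test plugin: ${plugin:-default}"` before the `if`, plus a comment `# KMIP_PLUGIN_ENABLED is read by the functional tests to skip cases the KMIP plugin cannot support` on the `export`, would make the selection visible and self-explaining. In `post_test_hook.sh` (the previous hunk) `$plugin` is passed unquoted to `run_tests.sh`, which works for an empty or single-word value, but `"$plugin"` is the safer habit.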