Merge "Fix KMIP gate"

barbican/plugin/kmip_secret_store.py

@@ -239,13 +239,9 @@ class KMIPSecretStore(ss.SecretStoreBase):
 
         config = conf.kmip_plugin
 
-        # Use TLSv1_2, if present
+        if not getattr(ssl, config.ssl_version, None):
-        tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None)
+            LOG.error(u._LE("The configured SSL version (%s) is not available"
-        if tlsv12:
+                            " on the system."), config.ssl_version)
-            config.ssl_version = 'PROTOCOL_TLSv1_2'
-            LOG.info(u._LI('Going to use TLS1.2...'))
-        else:
-            LOG.warning(u._LW('TLSv1_2 is not present on the System'))
 
         self.client = client.ProxyKmipClient(
             hostname=config.host,

barbican/tests/plugin/test_kmip.py

@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import base64
-import ssl
 import stat
 
 import mock
@@ -146,11 +145,18 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):
         self.assertTrue(secret_store.pkcs1_only)
 
     def test_enable_tlsv12_config_option(self):
-        ssl.PROTOCOL_TLSv1_2 = 5
+        ssl_version = "PROTOCOL_TLSv1_2"
         CONF = kss.CONF
-        secret_store = kss.KMIPSecretStore(CONF)
+        CONF.kmip_plugin.ssl_version = ssl_version
-        self.assertTrue(secret_store)
+        kss.KMIPSecretStore(CONF)
-        self.assertEqual(CONF.kmip_plugin.ssl_version, 'PROTOCOL_TLSv1_2')
+        self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
+
+    def test_enable_tlsv1_config_option(self):
+        ssl_version = "PROTOCOL_TLSv1"
+        CONF = kss.CONF
+        CONF.kmip_plugin.ssl_version = ssl_version
+        kss.KMIPSecretStore(CONF)
+        self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
 
     # --------------- TEST GENERATE_SUPPORTS ---------------------------------
 

devstack/lib/barbican

@@ -376,6 +376,7 @@ function install_pykmip {
     if is_service_enabled pykmip-server; then
         [ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR}
         sudo chown ${USER} ${PYKMIP_CONF_DIR}
+
         [ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR}
         sudo chown ${USER} ${PYKMIP_LOG_DIR}
 
@@ -397,7 +398,7 @@ port=5696
 certificate_path=${PYKMIP_SERVER_CERT}
 key_path=${PYKMIP_SERVER_KEY}
 ca_path=${PYKMIP_CA_PATH}
-auth_suite=Basic
+auth_suite=TLS1.2
 EOF
        fi
    fi
@@ -415,7 +416,7 @@ function configure_pykmip {
 
 # start_pykmip - start the PyKMIP server
 function start_pykmip {
-    run_process pykmip-server "pykmip-server -f \'${PYKMIP_CONF}\' -l \'${PYKMIP_LOG_DIR}/pykmip-devstack.log\'"
+    run_process pykmip-server "pykmip-server -f ${PYKMIP_CONF} -l ${PYKMIP_LOG_DIR}/pykmip-devstack.log"
 }
 
 # Dogtag functions

functionaltests/post_test_hook.sh

@@ -18,8 +18,10 @@
 
 set -ex
 
+plugin=$1
+
 sudo pip install -r /opt/stack/new/barbican/test-requirements.txt
 
 cd /opt/stack/new/barbican/functionaltests
 echo 'Running Functional Tests'
-sudo ./run_tests.sh
+sudo ./run_tests.sh $plugin

functionaltests/run_tests.sh

@@ -22,6 +22,12 @@ fi
 
 echo "Successfully contacted the Barbican API"
 
+plugin=$1
+
+if [[ "$plugin" == "kmip" ]]; then
+    export KMIP_PLUGIN_ENABLED=1
+fi
+
 # run the tests sequentially
 testr init
 testr run --subunit | subunit-trace --no-failure-debug -f