Implement validators and tests for stored key certificate orders

Adding validators for the stored key method of the Certificate Order API. Validate the container ref is valid and the container exists and is of the right type. Some test infrastructure code will be useful for other work. Change-Id: I93ad6b630424795be9d3d4d2b599a7100c4568f9 Implements: blueprint certificate-order-api
2015-03-24 10:10:14 -04:00 · 2015-03-24 10:10:14 -04:00 · ebe09dbda0
parent 9e038a5e73
commit ebe09dbda0
8 changed files with 346 additions and 89 deletions
--- a/barbican/api/controllers/orders.py
+++ b/barbican/api/controllers/orders.py
@ -192,11 +192,21 @@ class OrdersController(object):

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)
+
        order_type = body.get('type')
-        LOG.debug('Processing order type %s', order_type)
+        order_meta = body.get('meta')
+        request_type = order_meta.get('request_type')
+
+        LOG.debug('Processing order type %s, request type %s',
+                  order_type, request_type)

        if order_type == models.OrderType.CERTIFICATE:
            validators.validate_ca_id(project.id, body.get('meta'))
+            if request_type == 'stored-key':
+                container_ref = order_meta.get('container_ref')
+                validators.validate_stored_key_rsa_container(
+                    external_project_id,
+                    container_ref)

        new_order = models.Order()
        new_order.meta = body.get('meta')
--- a/barbican/common/hrefs.py
+++ b/barbican/common/hrefs.py
@ -150,3 +150,26 @@ def add_nav_hrefs(resources_name, offset, limit,
                                       offset,
                                       limit)})
    return data
+
+
+def get_container_id_from_ref(container_ref):
+    """Parse a container reference and return the container ID
+
+    TODO(Dave) Add some extra checking for valid prefix
+
+    The container ID is the right-most element of the URL
+    :param container_ref: HTTP reference of container
+    :return: a string containing the ID of the container
+    """
+    container_id = container_ref.rsplit('/', 1)[1]
+    return container_id
+
+
+def get_secret_id_from_ref(secret_ref):
+    """Parse a secret reference and return the secret ID
+
+    TODO(Dave) Implement this, or make one generic ID from REF function
+
+    :param secret_ref: HTTP reference of secret
+    :return: a string containing the ID of the secret
+    """
--- a/barbican/common/validators.py
+++ b/barbican/common/validators.py
@ -23,6 +23,7 @@ from oslo_config import cfg
 import six

 from barbican.common import exception
+from barbican.common import hrefs
 from barbican.common import utils
 from barbican import i18n as u
 from barbican.model import models
@ -88,6 +89,33 @@ def validate_ca_id(project_id, order_meta):
        project_id=project_id)


+def validate_stored_key_rsa_container(project_id, container_ref):
+        try:
+            container_id = hrefs.get_container_id_from_ref(container_ref)
+        except Exception:
+            reason = u._("Bad Container Reference {ref}").format(
+                ref=container_ref
+            )
+            raise exception.InvalidContainer(reason=reason)
+
+        container_repo = repo.get_container_repository()
+        container = container_repo.get(container_id,
+                                       external_project_id=project_id,
+                                       suppress_exception=True)
+        if not container:
+            reason = u._("Container Not Found")
+            raise exception.InvalidContainer(reason=reason)
+
+        if container.type != 'rsa':
+            reason = u._("Container Wrong Type")
+            raise exception.InvalidContainer(reason=reason)
+
+        # TODO(dave) Validation should be done to determine if the
+        # requester of the certificate has permissions to access the
+        # keys in this container.  This can be done after the ACL patch
+        # has landed.
+
+
@six.add_metaclass(abc.ABCMeta)
 class ValidatorBase(object):
    """Base class for validators."""
@ -449,12 +477,12 @@ class TypeOrderValidator(ValidatorBase):

    def _validate_stored_key_request(self, certificate_meta):
        """Validate stored-key cert request."""
-        container_ref = self._get_required_metadata_value(
+        self._get_required_metadata_value(
            certificate_meta, "container_ref")
-        self._validate_certificate_container(container_ref)
        subject_dn = self._get_required_metadata_value(
            certificate_meta, "subject_dn")
        self._validate_subject_dn_data(subject_dn)
+        # container will be validated by validate_stored_key_rsa_container()

        extensions = certificate_meta.get("extensions", None)
        if extensions:
@ -500,21 +528,6 @@ class TypeOrderValidator(ValidatorBase):
        """
        pass

-    def _validate_certificate_container(self, public_key_ref):
-        """Confirm that the container contains the proper data."""
-        """
-        TODO(alee-3) complete this function
-
-        Check that the container:
-        * exists
-        * is of certificate type
-        * contains a public key which is accessible by the user
-        * contains a private key which is accessible by the user (note, this
-          is like POP-lite.  Someone should not be able to have the server
-          generate a CSR without being able to retrieve the private key.
-        """
-        pass
-
    def _validate_subject_dn_data(self, subject_dn):
        """Confirm that the subject_dn contains valid data

--- a/barbican/tasks/certificate_resources.py
+++ b/barbican/tasks/certificate_resources.py
@ -283,7 +283,7 @@ def _generate_csr(order_model):
    container_ref = order_model.meta.get('container_ref')

    # extract container_id as the last part of the URL
-    container_id = container_ref.rsplit('/', 1)[1]
+    container_id = hrefs.get_container_id_from_ref(container_ref)

    container_repo = repos.get_container_repository()
    container = container_repo.get(container_id)
--- a/barbican/tests/api/controllers/test_orders.py
+++ b/barbican/tests/api/controllers/test_orders.py
@ -16,6 +16,7 @@ import os
 import uuid

 import mock
+import testtools

 from barbican.common import resources
 from barbican.model import models
@ -26,6 +27,7 @@ order_repo = repositories.get_order_repository()
 project_repo = repositories.get_project_repository()
 ca_repo = repositories.get_ca_repository()
 project_ca_repo = repositories.get_project_ca_repository()
+container_repo = repositories.get_container_repository()

 generic_key_meta = {
    'name': 'secretname',
@ -340,7 +342,6 @@ class WhenCreatingCertificateOrders(utils.BarbicanAPIBaseTestCase):
            ca_model = models.CertificateAuthority(ca_information)
            ca = ca_repo.create_from(ca_model)
            self.available_ca_ids.append(ca.id)
-
        repositories.commit()

    def test_can_create_new_cert_order(self):
@ -426,6 +427,105 @@ class WhenCreatingCertificateOrders(utils.BarbicanAPIBaseTestCase):
        self.assertEqual(403, create_resp.status_int)


+class WhenCreatingStoredKeyOrders(utils.BarbicanAPIBaseTestCase):
+    def setUp(self):
+        super(WhenCreatingStoredKeyOrders, self).setUp()
+
+        # Make sure we have a project
+        self.project = resources.get_or_create_project(self.project_id)
+
+    def test_can_create_new_stored_key_order(self):
+        container_name = 'rsa container name'
+        container_type = 'rsa'
+        secret_refs = []
+        resp, container_id = create_container(
+            self.app,
+            name=container_name,
+            container_type=container_type,
+            secret_refs=secret_refs
+        )
+        stored_key_meta = {
+            'request_type': 'stored-key',
+            'subject_dn': 'cn=barbican-server,o=example.com',
+            'container_ref': 'https://localhost/v1/containers/' + container_id
+        }
+        create_resp, order_uuid = create_order(
+            self.app,
+            order_type='certificate',
+            meta=stored_key_meta
+        )
+        self.assertEqual(202, create_resp.status_int)
+
+        order = order_repo.get(order_uuid, self.project_id)
+        self.assertIsInstance(order, models.Order)
+
+    def test_should_raise_with_bad_container_ref(self):
+        stored_key_meta = {
+            'request_type': 'stored-key',
+            'subject_dn': 'cn=barbican-server,o=example.com',
+            'container_ref': 'bad_ref'
+        }
+        create_resp, order_uuid = create_order(
+            self.app,
+            order_type='certificate',
+            meta=stored_key_meta,
+            expect_errors=True
+        )
+        self.assertEqual(400, create_resp.status_int)
+
+    def test_should_raise_with_container_not_found(self):
+        stored_key_meta = {
+            'request_type': 'stored-key',
+            'subject_dn': 'cn=barbican-server,o=example.com',
+            'container_ref': 'https://localhost/v1/containers/not_found'
+        }
+        create_resp, order_uuid = create_order(
+            self.app,
+            order_type='certificate',
+            meta=stored_key_meta,
+            expect_errors=True
+        )
+        self.assertEqual(400, create_resp.status_int)
+
+    def test_should_raise_with_container_wrong_type(self):
+        container_name = 'generic container name'
+        container_type = 'generic'
+        secret_refs = []
+        resp, container_id = create_container(
+            self.app,
+            name=container_name,
+            container_type=container_type,
+            secret_refs=secret_refs
+        )
+        stored_key_meta = {
+            'request_type': 'stored-key',
+            'subject_dn': 'cn=barbican-server,o=example.com',
+            'container_ref': 'https://localhost/v1/containers/' + container_id
+        }
+        create_resp, order_uuid = create_order(
+            self.app,
+            order_type='certificate',
+            meta=stored_key_meta,
+            expect_errors=True
+        )
+        self.assertEqual(400, create_resp.status_int)
+
+    @testtools.skip("TODO(dave) Not yet implemented")
+    def test_should_raise_with_container_no_access(self):
+        stored_key_meta = {
+            'request_type': 'stored-key',
+            'subject_dn': 'cn=barbican-server,o=example.com',
+            'container_ref': 'https://localhost/v1/containers/no_access'
+        }
+        create_resp, order_uuid = create_order(
+            self.app,
+            order_type='certificate',
+            meta=stored_key_meta,
+            expect_errors=True
+        )
+        self.assertEqual(400, create_resp.status_int)
+
+
 class WhenPerformingUnallowedOperations(utils.BarbicanAPIBaseTestCase):
    def test_should_not_allow_put_orders(self):
        resp = self.app.put_json('/orders/', expect_errors=True)
@ -453,6 +553,7 @@ class WhenPerformingUnallowedOperations(utils.BarbicanAPIBaseTestCase):
        self.assertEqual(405, resp.status_int)


+# ----------------------- Helper Functions ---------------------------
 def create_order(app, order_type=None, meta=None, expect_errors=False):
    # TODO(jvrbanac): Once test resources is split out, refactor this
    # and similar functions into a generalized helper module and reduce
@ -476,3 +577,28 @@ def create_order(app, order_type=None, meta=None, expect_errors=False):
        _, created_uuid = os.path.split(order_ref)

    return (resp, created_uuid)
+
+
+def create_container(app, name=None, container_type=None, secret_refs=None,
+                     expect_errors=False, headers=None):
+    request = {
+        'name': name,
+        'type': container_type,
+        'secret_refs': secret_refs if secret_refs else []
+    }
+    cleaned_request = {key: val for key, val in request.items()
+                       if val is not None}
+
+    resp = app.post_json(
+        '/containers/',
+        cleaned_request,
+        expect_errors=expect_errors,
+        headers=headers
+    )
+
+    created_uuid = None
+    if resp.status_int == 201:
+        container_ref = resp.json.get('container_ref', '')
+        _, created_uuid = os.path.split(container_ref)
+
+    return (resp, created_uuid)
--- a/barbican/tests/common/test_hrefs.py
+++ b/barbican/tests/common/test_hrefs.py
@ -0,0 +1,34 @@
+# Copyright (c) 2015, Cisco Systems
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from barbican.common import hrefs
+from barbican.tests import utils as test_utils
+
+
+class WhenTestingGetContainerID(test_utils.BaseTestCase):
+
+    def setUp(self):
+        super(WhenTestingGetContainerID, self).setUp()
+
+    def test_get_container_id_passes(self):
+        test_ref = 'https://localhost/v1/containers/good_container_ref'
+        result = hrefs.get_container_id_from_ref(test_ref)
+        self.assertEqual('good_container_ref', result)
+
+    def test_get_container_id_raises(self):
+        test_ref = 'bad_container_ref'
+        self.assertRaises(IndexError,
+                          hrefs.get_container_id_from_ref,
+                          test_ref)
--- a/barbican/tests/common/test_validators.py
+++ b/barbican/tests/common/test_validators.py
@ -1195,7 +1195,8 @@ class WhenTestingStoredKeyOrderValidator(utils.BaseTestCase):
        super(WhenTestingStoredKeyOrderValidator, self).setUp()
        self.type = 'certificate'
        self.meta = {'request_type': 'stored-key',
-                     'container_ref': 'good_container_ref',
+                     'container_ref':
+                         'https://localhost/v1/containers/good_container_ref',
                     'subject_dn': 'cn=barbican-server,o=example.com',
                     'extensions': VALID_EXTENSIONS,
                     'requestor_name': 'Barbican User',
@ -1256,48 +1257,6 @@ class WhenTestingStoredKeyOrderValidator(utils.BaseTestCase):
                          self.validator.validate,
                          self.order_req)

-    @testtools.skip("Not yet implemented")
-    def test_should_raise_with_missing_container(self):
-        self.meta['container_ref'] = 'missing_container_ref'
-        self.assertRaises(excep.InvalidContainer,
-                          self.validator.validate,
-                          self.order_req)
-
-    @testtools.skip("Not yet implemented")
-    def test_should_raise_with_container_not_cert_type(self):
-        self.meta['container_ref'] = 'bad_type_container_ref'
-        self.assertRaises(excep.InvalidContainer,
-                          self.validator.validate,
-                          self.order_req)
-
-    @testtools.skip("Not yet implemented")
-    def test_should_raise_with_inaccessible_container(self):
-        self.meta['container_ref'] = 'inaccessible_container_ref'
-        self.assertRaises(excep.InvalidContainer,
-                          self.validator.validate,
-                          self.order_req)
-
-    @testtools.skip("Not yet implemented")
-    def test_should_raise_with_missing_public_key(self):
-        self.meta['container_ref'] = 'missing_public_key_ref'
-        self.assertRaises(excep.InvalidContainer,
-                          self.validator.validate,
-                          self.order_req)
-
-    @testtools.skip("Not yet implemented")
-    def test_should_raise_with_inaccessible_public_key(self):
-        self.meta['container_ref'] = 'inaccessible_public_key_ref'
-        self.assertRaises(excep.InvalidContainer,
-                          self.validator.validate,
-                          self.order_req)
-
-    @testtools.skip("Not yet implemented")
-    def test_should_raise_with_missing_private_key(self):
-        self.meta['container_ref'] = 'missing_private_key_ref'
-        self.assertRaises(excep.InvalidContainer,
-                          self.validator.validate,
-                          self.order_req)
-

 if __name__ == '__main__':
    unittest.main()
--- a/functionaltests/api/v1/functional/test_certificate_orders.py
+++ b/functionaltests/api/v1/functional/test_certificate_orders.py
@ -18,13 +18,19 @@ import time

 import testtools

+from barbican.plugin.interface import secret_store as s
+
 from barbican.tests import certificate_utils as certutil
+from barbican.tests import utils
 from functionaltests.api import base
 from functionaltests.api.v1.behaviors import ca_behaviors
 from functionaltests.api.v1.behaviors import container_behaviors
 from functionaltests.api.v1.behaviors import order_behaviors
 from functionaltests.api.v1.behaviors import secret_behaviors
 from functionaltests.api.v1.models import order_models
+from functionaltests.api.v1.models import secret_models
+from functionaltests.api.v1.models import container_models
+

 try:
    import pki  # flake8: noqa
@ -33,6 +39,11 @@ except ImportError:
    # dogtag libraries not available, assume dogtag not installed
    dogtag_imports_ok = False

+
+NOT_FOUND_CONTAINER_REF = "http://localhost:9311/v1/containers/not_found"
+INVALID_CONTAINER_REF = "invalid"
+
+
 order_simple_cmc_request_data = {
    'type': 'certificate',
    'meta': {
@ -73,6 +84,58 @@ order_dogtag_custom_request_data = {
    }
 }

+create_container_rsa_data = {
+    "name": "rsacontainer",
+    "type": "rsa",
+    "secret_refs": [
+        {
+            "name": "public_key",
+        },
+        {
+            "name": "private_key",
+        },
+        {
+            "name": "private_key_passphrase"
+        }
+    ]
+}
+
+def get_private_key_req():
+    return {'name': 'myprivatekey',
+            'payload_content_type': 'application/octet-stream',
+            'payload_content_encoding': 'base64',
+            'algorithm': 'rsa',
+            'bit_length': 1024,
+            'secret_type': s.SecretType.PRIVATE,
+            'payload': utils.get_private_key()}
+
+
+def get_public_key_req():
+    return {'name': 'mypublickey',
+            'payload_content_type': 'application/octet-stream',
+            'payload_content_encoding': 'base64',
+            'algorithm': 'rsa',
+            'bit_length': 1024,
+            'secret_type': s.SecretType.PUBLIC,
+            'payload': utils.get_public_key()}
+
+
+create_generic_container_data = {
+    "name": "containername",
+    "type": "generic",
+    "secret_refs": [
+        {
+            "name": "secret1",
+        },
+        {
+            "name": "secret2",
+        },
+        {
+            "name": "secret3"
+        }
+    ]
+}
+

 class CertificatesTestCase(base.TestCase):

@ -107,16 +170,39 @@ class CertificatesTestCase(base.TestCase):
        return order_resp

    def create_asymmetric_key_container(self):
-        # TODO(alee) Complete this
-        return "valid_container_ref"
+        secret_model = secret_models.SecretModel(**get_private_key_req())
+        secret_model.secret_type = s.SecretType.PRIVATE
+        resp, secret_ref_priv = self.secret_behaviors.create_secret(secret_model)
+        self.assertEqual(201, resp.status_code)
+
+        secret_model = secret_models.SecretModel(**get_public_key_req())
+        secret_model.secret_type = s.SecretType.PUBLIC
+        resp, secret_ref_pub = self.secret_behaviors.create_secret(secret_model)
+        self.assertEqual(201, resp.status_code)
+
+        pub_key_ref = {'name': 'public_key', 'secret_ref': secret_ref_pub}
+        priv_key_ref = {'name': 'private_key', 'secret_ref': secret_ref_priv}
+        test_model = container_models.ContainerModel(**create_container_rsa_data)
+        test_model.secret_refs = [pub_key_ref, priv_key_ref]
+        resp, container_ref = self.container_behaviors.create_container(test_model)
+        self.assertEqual(resp.status_code, 201)
+
+        return container_ref

    def create_generic_container(self):
-        # TODO(alee) Complete this.
-        return "valid_non_asymmetric_container_ref"
+        secret_model = secret_models.SecretModel(**get_private_key_req())
+        secret_model.secret_type = s.SecretType.PRIVATE
+        resp, secret_ref = self.secret_behaviors.create_secret(secret_model)
+        self.assertEqual(201, resp.status_code)

-    def create_asymmetric_key_container_without_secrets(self):
-        # TODO(alee) Complete this.
-        return "asym_container_without_secrets"
+        test_model = container_models.ContainerModel(**create_generic_container_data)
+        test_model.secret_refs = [{
+            'name': 'my_secret',
+            'secret_ref': secret_ref
+        }]
+        resp, container_ref = self.container_behaviors.create_container(test_model)
+        self.assertEqual(resp.status_code, 201)
+        return container_ref

    def get_dogtag_ca_id(self):
        (resp, cas, total, next_ref, prev_ref) = self.ca_behaviors.get_cas()
@ -392,15 +478,31 @@ class CertificatesTestCase(base.TestCase):
        self.verify_cert_returned(order_resp)

    @testtools.testcase.attr('negative')
-    @testtools.skip("broken pending dave's validator code")
    def test_create_stored_key_order_with_invalid_container_ref(self):
-        # TODO(alee) Now returns 204, pending Dave's code changes
        test_model = order_models.OrderModel(**self.stored_key_data)
-        test_model.meta['container_ref'] = "invalid"
+        test_model.meta['container_ref'] = INVALID_CONTAINER_REF

        create_resp, order_ref = self.behaviors.create_order(test_model)
        self.assertEqual(400, create_resp.status_code)
-        # confirm error message
+        self.confirm_error_message(
+            create_resp,
+            "Order creation issue seen - "
+            "Invalid container: Bad Container Reference "
+            + INVALID_CONTAINER_REF + "."
+        )
+
+    @testtools.testcase.attr('negative')
+    def test_create_stored_key_order_with_not_found_container_ref(self):
+        test_model = order_models.OrderModel(**self.stored_key_data)
+        test_model.meta['container_ref'] = NOT_FOUND_CONTAINER_REF
+
+        create_resp, order_ref = self.behaviors.create_order(test_model)
+        self.assertEqual(400, create_resp.status_code)
+        self.confirm_error_message(
+            create_resp,
+            "Order creation issue seen - "
+            "Invalid container: Container Not Found."
+        )

    @testtools.testcase.attr('negative')
    def test_create_stored_key_order_with_missing_container_ref(self):
@ -419,27 +521,17 @@ class CertificatesTestCase(base.TestCase):
        pass

    @testtools.testcase.attr('negative')
-    @testtools.skip("broken pending dave's validator code")
    def test_create_stored_key_order_with_invalid_container_type(self):
-        # TODO(alee) Now returns 204, pending Dave's code changes
        test_model = order_models.OrderModel(**self.stored_key_data)
        test_model.meta['container_ref'] = (self.create_generic_container())

        create_resp, order_ref = self.behaviors.create_order(test_model)
        self.assertEqual(400, create_resp.status_code)
-        # confirm error message
-
-    @testtools.testcase.attr('negative')
-    @testtools.skip("broken pending dave's validator code")
-    def test_create_stored_key_order_with_container_secrets_missing(self):
-        # TODO(alee) Now returns 204, pending Dave's code changes
-        test_model = order_models.OrderModel(**self.stored_key_data)
-        test_model.meta['container_ref'] = (
-            self.create_asymmetric_key_container_without_secrets())
-
-        create_resp, order_ref = self.behaviors.create_order(test_model)
-        self.assertEqual(400, create_resp.status_code)
-        # confirm error message
+        self.confirm_error_message(
+            create_resp,
+            "Order creation issue seen - "
+            "Invalid container: Container Wrong Type."
+        )

    @testtools.testcase.attr('negative')
    def test_create_stored_key_order_with_container_secrets_inaccessible(self):