44 Commits

Author SHA1 Message Date
Thomas Bechtold
06b76aa6e8 Use oslo-config-generator to generate barbican.conf.sample
Currently etc/barbican/barbican.conf is maintained by hand and can not
be regenerated based on the config settings defined in the code.
A common pattern for OpenStack projects is to use oslo-config-generator
for that task.

Co-Authored-By: Randall Burt <randall.burt@rackspace.com>
Depends-On: I90870dcb49cd96f6bf0fe353fa6e779ffd87a5af
Closes-Bug: #1584789
Change-Id: I5f3dcd2fc982f1178ef7dd662c24d3166f91b266
2017-04-05 08:02:35 +02:00
Cao Xuan Hoang
e82957d1d5 Remove support for py34
The gating on python 3.4 is restricted to <= Mitaka. This is due to
the change from Ubuntu Trusty to Xenial, where only python3.5 is
available. There is no need to continue to keep these settings.

Change-Id: I4373f5ee1a7addfe981818ef059c73a57594d624
2017-02-08 16:48:10 +07:00
Jenkins
6134ec02f5 Merge "Add summary to metadata in setup.cfg file" 2016-11-03 20:20:33 +00:00
OpenStack Proposal Bot
63c5680663 Updated from global requirements
Change-Id: I4afbb0368bad527e4e6df90ba4c9897104fc10c4
2016-10-27 12:12:14 +00:00
Thomas Bechtold
3b95ff8f27 Add dogtag-pki and python-nss as extra requirement
dogtag imports pki so mention it as requirement. python-nss
is needed by dogtag-pki.
Also add a bindep.txt file which is used by bindep to install system
packages.
To install python-nss via pip, header files from nss-devel and
mozilla-nss-devel are needed.

Change-Id: Ia3276ad4be56d40fddbf458f215ab93e44ed6907
Depends-On: Ibedae54e631e9c3d3726453adcd204ce96b19d77
Closes-Bug: #1604417
2016-10-18 15:16:02 +02:00
Dave McCowan
8388a5c997 Add summary to metadata in setup.cfg file
Set "summary" equal to "OpenStack Secure Key Management".
This value is consumed by various bots and services.

Change-Id: I6d90c66b2eed408d182e2244f9415de4302d5c62
2016-10-06 17:14:47 -04:00
Jenkins
1fe54a5433 Merge "modify the home-page info with the developer documentation" 2016-08-16 21:46:57 +00:00
Eric Brown
bf19558e02 Add Python 3.5 classifier and venv
Now that there is a passing gate job, we can claim support for
Python 3.5 in the classifier. This patch also adds the convenience
py35 venv.

Review that added the gate jobs:
https://review.openstack.org/#/c/336272/

Change-Id: I97ef7eef2d6adaec6bd1cd978b7e357c8560eba0
2016-08-05 05:56:31 +00:00
gengchc2
d1e39e0d88 modify the home-page info with the developer documentation
update home-page info

Change-Id: I6e97a41a5dd5c34b466d59f80a0326195a368c12
2016-07-29 17:13:22 +08:00
Priti Desai
953e45e88e Publishing API Guide to OpenStack site
Moving files from doc/source/api/userguide/*.rst
to api-guide/source/*.rst,
also add api-guide/source/conf.py for building api-guide,
add a new tox target named api-guide
Taking a reference from this patch which was used for the
similar migration of Nova api guide:
https://review.openstack.org/#/c/230186

Change-Id: I725e7939f9a88185de6ef32b311159b0924b7183
Partial-Bug: #1540665
Needed-By: I7b7c623e6299c803930e41d72510f1a67d909fa3
2016-03-16 12:44:50 -07:00
Eric Brown
9dd486be05 Update Python classifier for 3.4
Barbican is tested with py34, but the classifier states only 2.7
is supported. This adds 3.4 to the list.

Change-Id: Ic7b14714d9a17a3370a8eb138bf4940ffa4ba999
2016-03-08 10:26:23 -08:00
Jeff Feng
77a164b062 Introducing barbican-manage utility command
A new 'barbican-manage' utility command is introduced as Barbican
admin tool. This command interacts with Barbican service for
management operations which usually cannot be accomplished with
REST APIs. This can improve usability and extensibility in the
future.

The related blueprint is https://review.openstack.org/#/c/253719/

This CR includes
1) implementation of barbican_manage.py
2) unit test code
3) document of barbican-manage command

Co-Authored-By: Michael Perng <mperng@us.ibm.com>
Change-Id: I784b46df86742d00d1737e3f8964280514a7fa1b
2016-03-02 11:29:08 -06:00
Kaitlin Farr
dfe9241e05 Remove version from setup.cfg
The release process has changed for Mitaka. Please see the mailing
list for details:

http://lists.openstack.org/pipermail/openstack-dev/2015-November/080692.html

Change-Id: I13fa7d296947168ffd985390d4d03edf941691bd
Depends-On: I5100cc67ef180acb16bbbd47e65b15eaf26065d3
2015-12-03 14:12:10 -05:00
Thomas Dinkjian
ffcd649638 Move Key gen script to cmd folder
Moves the key generation script from bin to cmd folder.
This is preferred because other scripts for HSM interaction
such as the PKEK re-wrap are located here.

Change-Id: I731ec087e96114d00bd983edd60d2e1806399e16
2015-11-06 15:12:39 -06:00
Thierry Carrez
99390c7073 Open Mitaka development
Bump preversion to mark the start of the Mitaka development branch.
The liberty release branch will be cut from the previous commit.

Change-Id: I0008ef88d5dc7aae070a91695a573e97c8bb76b0
2015-09-24 18:17:58 +02:00
jfwood
02dc4cdb71 Add retry server and functional tests to DevStack
Add a retry scheduler server process to the DevStack start/stop
processes. This includes adding a PBR entry point and barbican.cmd
script for the retry scheduler process, as other projects such as
Glance and Nova are doing now. Eventually we'll want to move over all
our boot scripts to the entry point approach. Verify functional test
for generating a simple certificate order, which is the first of the
extended-workflow order types that utilize the retry processing logic.
Also add try/catch around the retry process because if we don't pass
back a retry interval to the Oslo periodic task framework, it stops
rescheduling tasks! Also added delays to the functional test order
status check as for SQLite I was noticing disk I/O concurrency errors
otherwise. Yes, I'd still like to support SQLite for local functional
testing.

Change-Id: Ib7b50ab7f7354fefebfdf654689427ae7bf59e58
2015-07-12 10:41:03 -05:00
John Vrbanac
9d5b06ba7e Adding script for rewrapping p11 KEKs
This script pulls all project available KEKs and rewraps them
with a MKEK specified in the barbican config file.

Change-Id: I5f130b8f6d744195e3ed6c708e96b23b200eea2b
2015-07-08 13:28:13 -05:00
Dave Walker (Daviey)
63102c02dc Drop file extensions for /usr/bin/*
Previously there were 4 python scripts being installed
into /usr/{local/}bin/ which contained the extension *.py.
There was also a developers script called barbican.sh
to create a developer's environment.

This change switches away from installing them as scripts,
preferring to use pbr's console_scripts entry point.  This
means that the scripts were moved to be part of a 'cmd'
module within the barbican module.

The barbican.sh script is also no longer installed as it
seems inappropriate to install this on consumers' machines.

A few cosmetic changes were added to achieve pep8.

Change-Id: I452b56535ec18228060370be899af2a63d138472
Closes-Bug: 1454587
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
2015-07-03 00:46:35 +01:00
Doug Hellmann
d800211b9d Update version for Liberty
Update the version for Liberty, switching from date-based versioning
to pre-versioning using SemVer. See
http://lists.openstack.org/pipermail/openstack-dev/2015-May/065211.html
and
http://lists.openstack.org/pipermail/openstack-dev/2015-June/067082.html
for details.

Change-Id: I6a35fa0dda798fad93b804d00a46af80f08d475c
2015-06-17 18:37:39 +00:00
Thomas Herve
541027b1c8 Fix snakeoil_ca plugin
This fixes creation of certificates using the snakeoil_ca plugin, like
passing the configuration properly and encoding resulting data, and adds
support for stored-key requests.

Closes-Bug: #1451456
Change-Id: Ida24a192595429829e870838a487a9c100691b4c
2015-05-08 18:34:38 +02:00
Thierry Carrez
702987966b Open Liberty development
Bump pre-version in setup.cfg to formally open Liberty development.
Kilo release branch will be cut from the previous commit.

Change-Id: I430691b373a06d8cc3cddb8597e90efe05e99abd
2015-04-09 17:01:26 +02:00
Gregory Haynes
284da60344 Create snakeoil certificate plugin
This plugin is very useful for dev/testing setups (and Octavia).

Implements: blueprint barbican-snakeoil-ca

Co-authored-by: Adam Harwell <flux.adam@gmail.com>
Change-Id: I15f2ef8559ee5b95c8eef4eeb42edda68859e003
2015-03-31 13:03:42 -05:00
Julien Danjou
e2355a90f7 Drop Python 2.6 support
Python 2.6 is not supported nor tested anymore, so remove all traces of
it.

Change-Id: I39ee9162999ccbfd966e8ade16d8d1fc50dbdb82
2015-01-23 12:35:05 +01:00
Tim Kelsey
ac161fc456 Adding client certificates to connection credentials
- this change requires PyKMIP 0.2.0

Change-Id: I32c958ec70d963d79c287d4720b67120b9f3d8d6
Also-By: Robert Clark <robert.clark@hp.com>
2015-01-13 15:50:47 +00:00
Arun Kant
758904848f Adding keystone notification listener support
Notification listener processes only keystone project delete events.
It uses keystone project id to identify if related barbican resources are there
and deletes that project related barbican resources.

10/07/2014: Keep resolving rebase conflicts as this change is pending for a while.
Modified listener transaction logic as per related recent change in barbican.
Fixed missing patcher stop in a few places which was causing failure in new tests.

Implements: blueprint consume-keystone-events

Change-Id: Iba7d50eb222edd43352ef82f629df2b3187c76ec
2014-10-07 16:09:09 -07:00
Thierry Carrez
8467aef4ce Open Kilo development
Bump pre-version to 2015.1 to formally open master branch to Kilo
development.

Change-Id: I45b7a3d6ae3685d9ebaf3ebae0398a1a1c545aad
2014-10-02 17:36:08 +02:00
jfwood
519c504554 Add initial files for certificate event handling
The SSL certificate generation and workflow blueprint called for adding
support for a certificate events plugin. This CR defines an interface for this
plugin, a simple default logging-based implementation, and an example
integration with the task resource logic.

Change-Id: Ia46793a1ce767ff03d77da06bf5a2803e7dce121
Implements: blueprint add-ssl-ca-support
2014-09-03 14:34:37 -05:00
Ade Lee
bd6fe53de6 Add certificate_manager functionality to dogtag plugin
Also included in this patch are changes to change the name of the
DRM to KRA, and changes to reflect the latest Dogtag API.

Implements: blueprint orders-add-cert-workflow-plugin
Change-Id: I34cb0b70f2c5c06d91ef69e486aa5d03f0b945e6
2014-08-22 20:26:11 +00:00
Douglas Mendizabal
3f772bb6ec Revert remove version from setup.cfg
It seems removing this borked the DevStack gate.

Change-Id: I849af68e0aafdc37da07a0843db3172fbbf0e532
2014-08-14 10:07:13 -05:00
jfwood
f7d240801c Replace hard-coded setup version setting
The pbr library is used to generate version numbers for Barbican, and
should typically do so by forming the version using the latest tag
(such as '2014.2.b2') as a base version, and then appending git commit
info if after the tag. However, if setup.cfg has a 'version' property
set, this overrides the base version essentially 'hard coding' it. This
CR removes that override and instead lets the versionbuild.py script,
used during deployment processing, generate this version override based
on the current PBR generated version with a timestamp injected into it.

Closes-Bug: #1349238
Change-Id: I32cf9b32265569c1e2ae182efa32a0d1449de15c
2014-08-11 13:36:17 -05:00
jfwood
82561c3653 Move crypto package contents to the new plugin structure
Move the HSM-style crypto source modules into the new plugin structure, and
integrate this into the rest of the Barbican API and worker source flows, via
the secret-store to HSM-style plugin adapter store_crypto.py. Removed
crypto source and unit test files from the old locations.

Implements: blueprint restructure-for-plugins
Change-Id: Ie31531ac71a32b14598b903632e8a3127a263e56
2014-07-08 11:21:24 -05:00
Ade Lee
bd305c4425 Add dogtag plugin to new plugin structure
This patch adds the dogtag plugin (and tests) to the new plugin
structure under plugins/ and converts the plugin to an implementation
of the SecretStore interface.

The old dogtag_crypto_plugin will be retained until the top level
plugin manager and resources have been switched over, allowing us to
fully test the new dogtag plugin.

Change-Id: I20e2daca6dad2339d228e850a03868ac587089c0
2014-06-25 21:03:34 +08:00
Meera Belur
5e22331c9f fix to include data migration script
Change-Id: Iac504241221fd1c58b1325b1c89243af139ce8e6
Closes-Bug: #1326862
2014-06-06 14:00:52 -07:00
Andreas Jaeger
e5d347b779 Prepare barbican for localization
Setup configuration for localization and add
initial translation template like it's done for all other OpenStack
projects. Once this is in, we can add the usual translation bot job
to sync translations with transifex.

Remove unneeded files from locale directory.

Change-Id: I0f1f7fff517028d4e64a3f5c544bc69df8b42ebd
2014-06-04 22:37:19 +02:00
Ade Lee
0465b85087 Add Dogtag crypto plugin.
This patch adds an initial version of the Dogtag plugin
that implements the decrypt(), encrypt() and generate()
functions.  In this version, we will create and initialize
an NSS database on the server to do crypto operations
within the Dogtag DRM python client.  This allows us to
decrypt() and encrypt() secrets without passing in wrapping
keys.

When the barbican-client and the Barbican server API have
been changed to pass through the wrapping keys, this plugin
will need to be enhanced to make the relevant DRM client calls.

This plugin has been tested by running the barbican server
within a virtual environment.  There are several steps
needed to get things configured, which are detailed in the
blueprint.

Added unit tests.  These unit tests will be skipped if the
dogtag dependencies are not present to import.

Change-Id: Ib53bf3df5a65af7ac602ec7f7895e9c723c36c06
Implements: blueprint dogtag-plugin
2014-04-24 16:27:40 -04:00
Sascha Peilicke
41e03effe8 Support building wheels (PEP-427)
Universal is used to identify pure-Python modules (by bdist_wheel). For
these, it is sufficient to build a wheel with _any_ Python ABI version
and publish that to PyPI (by whatever means).

Change-Id: I9dcb15633c32f670f39283e0d0cb3bcd9133ddac
2014-02-07 12:07:46 +01:00
Paul Kehrer
70878d48f1 Switch to testr
Change-Id: I6ca365e0b0d2ec86e0b61ce4c58b967260d480a7
2014-01-27 18:22:54 -06:00
Steve Heyman
1526e63c9d Enabled branch coverage for barbican. Took out inclusive coverage.
Change-Id: Ie81ba92103e35962f5e85b1442237d6617f44736
2014-01-06 13:37:30 -06:00
Monty Taylor
8f1c652862 Migrate to pbr
OpenStack uses pbr for setuptools/build and version releases. As
barbican looks towards incubation, migrate to being pbr based.

Change-Id: I3c7a389596ca579a5613ea98b21cdc6967e49cc7
2013-12-18 11:47:13 -06:00
John Wood
b404d85b63 Address issue with oslo config rejecting cli options for logging 2013-04-16 18:19:53 -05:00
John Wood
8f783f473b Merge of previous project work into this project 2013-04-01 18:26:03 -05:00
jfwood
03ee3fa4c5 Removed conflicting argument for nosetests 2013-03-01 20:05:59 -08:00
jfwood
6035328631 added missing nosetests parameters in setup.cfg 2013-03-01 19:57:32 -08:00
John Wood
a604b63d84 Add test and config files to test Jenkins 2013-03-01 12:49:10 -08:00