Modified policy and tests to verify this change.
As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.
There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.
Updated role docs to reflect this behavior.
Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
This CR implements the spec for date filters. The only difference
between the spec and this CR is the use of the alternative ISO format
(without the "Z") for specifying the dates. This change was made to
have a more consistent API since the Zulu designation is not used
anywhere in the API where dates are shown to the user. Additionaly the
libraries used for date-time parsing do not make use of the Zulu
designation either.
Implements: blueprint date-filters
DocImpact
APIImpact
Change-Id: Ic8fbe3d0e8b309bb192aaddf30291d1333756064
_setup_nss_db_services() can return None in case the config option
[dogtag_plugin]nss_db_path is not set.
In that case, don't call the initialize() method which would fail with:
AttributeError: 'NoneType' object has no attribute 'initialize'
Change-Id: Ia6ffc8945d8125047273872ba75f0b084dc5810f
Configuration with oslo.messaging is listed in the DEFAULT section
in etc/barbican/barbican.conf.
According to this Change "I96a9682afe7eb0caf1fbf47bbb0291833aec245b"
of oslo.messaging, we now prefer to set them in "oslo_messaging_rabbit"
section.
Closes-Bug: #1590231
Change-Id: I2b952012b2192cfb95e28cf11f78cf56d6a414ca
The default TLSv1 protocol version used by the KMIP plugin is insecure.
This can cause potential information disclosure by attacking connections
using vulnerable TLS protocols. This change will use TLSv1_2 if present.
Change-Id: I7018262cb74a95dfa24d6b94d49f1ebd62bdeebd
When specifying the mkek length via the cli, the key generation fails
as the length is being passed as string instead of int.
Co-Authored-By: Jan Stodt <stodtj@de.ibm.com>
Change-Id: If41d13bb4c99b8823642920d894900a9ce33294a
This adds POST and DELETE support for a 'secrets' sub-resource on the
containers resource. This will allow a user to add or remove secret
references to an existing container. Only generic containers are
supported per the blueprint for this feature.
If a secret reference already exists in the container, an appropriate
error will be returned indicating that the secret already exists in
the container. I chose this approach over silently accepting the
update, as the name for the container secret could change, so a delete
and re-add seems to be the safer option if a user just wants to change
the name, which is not something that I see happening too often.
Additionally, the action is a POST and not a PUT, so it shouldn't
really update an existing resource.
APIImpact
Add support for POST and DELETE on container secrets sub-resources
DocImpact
Implements: blueprint api-containers-add-put
Change-Id: I6dfa6715385f421e4f173cf73c2b75b68da67051
* normalize_before_encryption(): on Python 3, unencrypted is already a Unicode
string (no need to decode).
* test_secrets: don't pass bytes string but native string (py2: bytes,
py3: Unicode) as payload
* test_secrets: Decode HTTP bytes from UTF-8 for comparison
* test_get_secret_is_decoded_for_binary(): expect a binary string,
not a Unicode string
* test_secrets: replace map() with a reglar loop (for) to execute
child.delete() on Python 3. On Python 3, map() is now lazy and only
execute the expression when the map is consumed.
* Remove tests-py3-blacklist.txt and the testenv:py34 section from
tox.ini since all unit tests now pass on Python 3.4
Partially implements: blueprint barbican-py3
Change-Id: Ief8531c3b7201f884d5d4ca7a47a381d0bb9cb2c
* barbican_manage.py: only decode bytes, not Unicode.
six.string_types is str (Unicode) on Python 3.
* Replace long(1) with 1
* test_transport_keys_resource: decode HTTP body from UTF-8 to get
Unicode.
* Replace ord(bytes[-1]) with ord(bytes[-1:]). On Python 3,
bytes[int] returns an integer: use bytes[int:int] to get a
substring.
* Remove following tests from tests-py3-blacklist.txt:
- crypto.test_pkcs11
- test_barbican_manage
- test_transport_keys_resource
Partially implements: blueprint barbican-py3
Change-Id: I9189ac4106d05001ee0aee1299d100dd0d56bce0
Currently, test_cmd fails or not depending if
database_utils.setup_in_memory_db() was already called. It looks like
the test doesn't fail on Python 2, but it fails *sometimes* on
Python 3.
Maybe the tests are run in a diffrent order on Python 3 because of
the randomized hash function (it can be tried on Python 2 using -R
Python command line option).
The bug can been reproduced easily be running only test_cmd
on Python 2.7:
$ . .tox/py27/bin/activate
$ testr run barbican.tests.cmd.test_cmd
...
FAIL: barbican.tests.cmd.test_cmd.WhenInvokingWorkerCommand.test_should_launch_service
...
BarbicanException: No SQL connection configured
Change-Id: Ic68582193fa4a5002cab8333797eb3fe2881f051
When retrieving secret's payload without providing payload_content_type,
if the payload_content_type is not default as "text/plain", we get 500 error.
Since this is generated by invalid input, we should mark this as 406 error.
Closes-bug: #1590097
Change-Id: I9ca94b7c66995991a9b0df37a46bd082e9795b74
Auth_token middleware is expected to be configured by use of
oslo.config. Paste is really only mainted for swift. However paste
overrides the values provided in oslo.config so for anyone using
default barbican paste files and configuring auth_token middleware via
oslo.config they will have unexpected config overrides from the barbian
defaults.
Change-Id: I6bc49c4b62167410eaa70432f73abab2e829dc39
We should not count secrets that are expired when retrieving Secrets associated
with a given project.
Change-Id: I3a6e82ad60f484bac8046e7563270804ff665450
Closes-Bug: 1582872
When using the p11_crypto module with an HSM, certain errors can be thrown by
the device that currently require the Barbican application to be restarted to
recover. This CR adds to work already done to the pkcs11 module that will trap
known errors and will raise a specific exception that can be handled gracefully
without the need to restart the entire application.
In addition, the p11_crypto module has been enhanced to use a retry mechanism
when these known errors are raised after reinitializing the pkcs11 library.
This was done specifically to trap the CKR_TOKEN_NOT_PRESENT error from an HSM,
but can be enhanced further in the future to handle additional error conditions
that are recoverable with a simple reinitialization of the library to prevent
the need to restart the entire Barbican application.
Change-Id: Ic43f3729bff00560d4a344f785416546c019e016
Closes-Bug: 1582884
* _do_enforce_content_types(): only decode content type if it's a
byte string (don't decode on Python 3)
* Decode bytes HTTP body to compare it to text string. On Python 3,
bytes == str is always false (or emit/raise a BytesWarning).
* Use byte strings rather than text strings for literal HTTP body:
HTTP body type is bytes.
* Remove test_resources from tests-py3-blacklist.py to run it
Partially implements: blueprint barbican-py3
Change-Id: I6d830ea620ac5a237b5e2929077eb2f4504b5e59
* Replace base64.b64encode() with
oslo_serialization.base64.encode_as_text() which accepts bytes and
text strings but only outputs text string.
* Use a text string for the JSON payload
* Remove test_validators from tests-py3-blacklist to run it
Partially implements: blueprint barbican-py3
Change-Id: Id97104ca9fb0d2acd6e72e6254ca985237e27859
* Open files in binary mode: "rb" or "wb" mode
* Replace bytes.decode('base64') with base64.b64decode(bytes)
* Remove test_snakeoil_ca from tests-py3-blacklist.txt to run it
Partially implements: blueprint barbican-py3
Change-Id: Ib4ec41c280bf48e6c425b0a6161d2591997f0d28
