eb4b711679
This CR adds the remaining pieces need to allow worker task processing to add tasks needing retries to the order retry tasks table, and then to have the periodic task service pick these retry tasks up and enqueue them for retries. With this initial CR no attempt is made to protect against concurrency between the existing worker RPC process and the separate periodic retry scheduler process. A subsequent CR will add concurrency protection. This CR does allow the retry behavior to be demonstrated locally as follows: 1) run the 'barbican.sh start', then 2) run the new barbican-worker-retry-scheduler.py script, then 3) POST to the orders resource a 'certificate' type order, and finally poll this new order until it becomes ACTIVE. The simple certificate plugin will call for a retry for the status check method after the initial certificate request is made. The retry processing will eventually call the plugins status check method, which then produces a fake certificate. Change-Id: Idee08abcd3bf2920039f91a7f5b6125eacd1f785
162 lines
6.9 KiB
Python
162 lines
6.9 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
"""
|
|
Default implementation of Barbican certificate processing plugins and support.
|
|
"""
|
|
from barbican.common import utils
|
|
from barbican import i18n as u
|
|
from barbican.plugin.interface import certificate_manager as cert
|
|
|
|
LOG = utils.getLogger(__name__)
|
|
|
|
|
|
MSEC_UNTIL_CHECK_STATUS = 5000
|
|
|
|
|
|
class SimpleCertificatePlugin(cert.CertificatePluginBase):
|
|
"""Simple/default certificate plugin."""
|
|
|
|
def get_default_ca_name(self):
|
|
return "Simple CA"
|
|
|
|
def get_default_signing_cert(self):
|
|
return "XXXXXXXXXXXXXXXXX"
|
|
|
|
def get_default_intermediates(self):
|
|
return "YYYYYYYYYYYYYYYY"
|
|
|
|
def issue_certificate_request(self, order_id, order_meta, plugin_meta,
|
|
barbican_meta_dto):
|
|
"""Create the initial order with CA
|
|
|
|
:param order_id: ID associated with the order
|
|
:param order_meta: Dict of meta-data associated with the order.
|
|
:param plugin_meta: Plugin meta-data previously set by calls to
|
|
this plugin. Plugins may also update/add
|
|
information here which Barbican will persist
|
|
on their behalf.
|
|
:param barbican_meta_dto: additional data needed to process order.
|
|
:returns: A :class:`ResultDTO` instance containing the result
|
|
populated by the plugin implementation
|
|
:rtype: :class:`ResultDTO`
|
|
"""
|
|
LOG.info(u._LI('Invoking issue_certificate_request()'))
|
|
return cert.ResultDTO(
|
|
cert.CertificateStatus.WAITING_FOR_CA,
|
|
retry_msec=MSEC_UNTIL_CHECK_STATUS)
|
|
|
|
def modify_certificate_request(self, order_id, order_meta, plugin_meta,
|
|
barbican_meta_dto):
|
|
"""Update the order meta-data
|
|
|
|
:param order_id: ID associated with the order
|
|
:param order_meta: Dict of meta-data associated with the order.
|
|
:param plugin_meta: Plugin meta-data previously set by calls to
|
|
this plugin. Plugins may also update/add
|
|
information here which Barbican will persist
|
|
on their behalf.
|
|
:param barbican_meta_dto: additional data needed to process order.
|
|
:returns: A :class:`ResultDTO` instance containing the result
|
|
populated by the plugin implementation
|
|
:rtype: :class:`ResultDTO`
|
|
"""
|
|
LOG.info(u._LI('Invoking modify_certificate_request()'))
|
|
return cert.ResultDTO(cert.CertificateStatus.WAITING_FOR_CA)
|
|
|
|
def cancel_certificate_request(self, order_id, order_meta, plugin_meta,
|
|
barbican_meta_dto):
|
|
"""Cancel the order
|
|
|
|
:param order_id: ID associated with the order
|
|
:param order_meta: Dict of meta-data associated with the order.
|
|
:param plugin_meta: Plugin meta-data previously set by calls to
|
|
this plugin. Plugins may also update/add
|
|
information here which Barbican will persist
|
|
on their behalf.
|
|
:param barbican_meta_dto: additional data needed to process order.
|
|
:returns: A :class:`ResultDTO` instance containing the result
|
|
populated by the plugin implementation
|
|
:rtype: :class:`ResultDTO`
|
|
"""
|
|
LOG.info(u._LI('Invoking cancel_certificate_request()'))
|
|
return cert.ResultDTO(cert.CertificateStatus.REQUEST_CANCELED)
|
|
|
|
def check_certificate_status(self, order_id, order_meta, plugin_meta,
|
|
barbican_meta_dto):
|
|
"""Check status of the order
|
|
|
|
:param order_id: ID associated with the order
|
|
:param order_meta: Dict of meta-data associated with the order.
|
|
:param plugin_meta: Plugin meta-data previously set by calls to
|
|
this plugin. Plugins may also update/add
|
|
information here which Barbican will persist
|
|
on their behalf.
|
|
:param barbican_meta_dto: additional data needed to process order.
|
|
:returns: A :class:`ResultDTO` instance containing the result
|
|
populated by the plugin implementation
|
|
:rtype: :class:`ResultDTO`
|
|
"""
|
|
LOG.info(u._LI('Invoking check_certificate_status()'))
|
|
return cert.ResultDTO(cert.CertificateStatus.CERTIFICATE_GENERATED)
|
|
|
|
def supports(self, certificate_spec):
|
|
"""Indicates whether the plugin supports the certificate type.
|
|
|
|
:param certificate_spec: Contains details on the certificate to
|
|
generate the certificate order
|
|
:returns: boolean indicating if the plugin supports the certificate
|
|
type
|
|
"""
|
|
return True
|
|
|
|
def supported_request_types(self):
|
|
"""Returns the request types supported by this plugin.
|
|
|
|
:returns: dict containing Barbican-core defined request types
|
|
supported by this plugin.
|
|
"""
|
|
return [cert.CertificateRequestType.CUSTOM_REQUEST,
|
|
cert.CertificateRequestType.SIMPLE_CMC_REQUEST,
|
|
cert.CertificateRequestType.FULL_CMC_REQUEST,
|
|
cert.CertificateRequestType.STORED_KEY_REQUEST]
|
|
|
|
|
|
class SimpleCertificateEventPlugin(cert.CertificateEventPluginBase):
|
|
"""Simple/default certificate event plugin."""
|
|
|
|
def notify_certificate_is_ready(
|
|
self, project_id, order_ref, container_ref):
|
|
"""Notify that a certificate has been generated and is ready to use.
|
|
|
|
:param project_id: Project ID associated with this certificate
|
|
:param order_ref: HATEOS reference URI to the submitted Barbican Order
|
|
:param container_ref: HATEOS reference URI to the Container storing
|
|
the certificate
|
|
:returns: None
|
|
"""
|
|
LOG.info(u._LI('Invoking notify_certificate_is_ready()'))
|
|
|
|
def notify_ca_is_unavailable(
|
|
self, project_id, order_ref, error_msg, retry_in_msec):
|
|
"""Notify that the certificate authority (CA) isn't available.
|
|
|
|
:param project_id: Project ID associated with this order
|
|
:param order_ref: HATEOS reference URI to the submitted Barbican Order
|
|
:param error_msg: Error message if it is available
|
|
:param retry_in_msec: Delay before attempting to talk to the CA again.
|
|
If this is 0, then no attempt will be made.
|
|
:returns: None
|
|
"""
|
|
LOG.info(u._LI('Invoking notify_ca_is_unavailable()'))
|