
Removes context "validation".

The Vault backend doesn't really care about context. Even an empty
string would satisfy these checks.

Change-Id: I1c0d00675a479cf05d92cec7b69fd720a88023d3
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
tags/3.0.0^0
Moisés Guimarães de Medeiros 4 months ago
parent
commit
8e88919f02
3 changed files with 4 additions and 80 deletions
  1. +0
    -30
      castellan/key_manager/vault_key_manager.py
  2. +1
    -0
      castellan/tests/functional/key_manager/test_key_manager.py
  3. +3
    -50
      castellan/tests/functional/key_manager/test_vault_key_manager.py

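--- a/castellan/key_manager/vault_key_manager.py
+++ b/castellan/key_manager/vault_key_manager.py
@@ -205,11 +205,6 @@ class VaultKeyManager(key_manager.KeyManager):
 expiration=None, name=None):
 """Creates an asymmetric key pair."""
 
-# Confirm context is provided, if not raise forbidden
-if not context:
-msg = _("User is not authorized to use key manager.")
-raise exception.Forbidden(msg)
-
 if algorithm.lower() != 'rsa':
 raise NotImplementedError(
 "VaultKeyManager only implements rsa keys"
@@ -281,11 +276,6 @@ class VaultKeyManager(key_manager.KeyManager):
 def create_key(self, context, algorithm, length, name=None, **kwargs):
 """Creates a symmetric key."""
 
-# Confirm context is provided, if not raise forbidden
-if not context:
-msg = _("User is not authorized to use key manager.")
-raise exception.Forbidden(msg)
-
 if length % 8:
 msg = _("Length must be multiple of 8.")
 raise ValueError(msg)
@@ -303,22 +293,12 @@ class VaultKeyManager(key_manager.KeyManager):
 def store(self, context, key_value, **kwargs):
 """Stores (i.e., registers) a key with the key manager."""
 
-# Confirm context is provided, if not raise forbidden
-if not context:
-msg = _("User is not authorized to use key manager.")
-raise exception.Forbidden(msg)
-
 key_id = uuid.uuid4().hex
 return self._store_key_value(key_id, key_value)
 
 def get(self, context, key_id, metadata_only=False):
 """Retrieves the key identified by the specified id."""
 
-# Confirm context is provided, if not raise forbidden
-if not context:
-msg = _("User is not authorized to use key manager.")
-raise exception.Forbidden(msg)
-
 if not key_id:
 raise exception.KeyManagerError('key identifier not provided')
 
@@ -359,11 +339,6 @@ class VaultKeyManager(key_manager.KeyManager):
 def delete(self, context, key_id):
 """Represents deleting the key."""
 
-# Confirm context is provided, if not raise forbidden
-if not context:
-msg = _("User is not authorized to use key manager.")
-raise exception.Forbidden(msg)
-
 if not key_id:
 raise exception.KeyManagerError('key identifier not provided')
 
@@ -376,11 +351,6 @@ class VaultKeyManager(key_manager.KeyManager):
 def list(self, context, object_type=None, metadata_only=False):
 """Lists the managed objects given the criteria."""
 
-# Confirm context is provided, if not raise forbidden
-if not context:
-msg = _("User is not authorized to use key manager.")
-raise exception.Forbidden(msg)
-
 if object_type and object_type not in self._secret_type_dict:
 msg = _("Invalid secret type: %s") % object_type
 raise exception.KeyManagerError(reason=msg)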
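Review bot: After this removal `context` is an unused parameter in `create_key_pair`, `create_key`, `store`, `get`, `delete` and `list`, and none of the one-line docstrings say so. The deleted guard only tested truthiness, so it never authorised anyone, but a caller passing `None` used to get `exception.Forbidden` and now goes straight to the backend; access control presumably rests entirely on the Vault credentials this manager is configured with and the policy attached to them. I would record that in each docstring, for example `"""Creates a symmetric key. context is kept for KeyManager API compatibility and is ignored; authorization is enforced by Vault."""`. With the null-context tests gone from test_vault_key_manager.py, a functional test that a credential lacking the policy is refused would keep a denial path covered, if one does not already exist outside the visible hunks. The method bodies continue outside the hunks.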


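--- a/castellan/tests/functional/key_manager/test_key_manager.py
+++ b/castellan/tests/functional/key_manager/test_key_manager.py
@@ -77,6 +77,7 @@ class KeyManagerTestCase(object):
 def setUp(self):
 super(KeyManagerTestCase, self).setUp()
 self.key_mgr = self._create_key_manager()
+self.ctxt = None
 
 def _get_valid_object_uuid(self, managed_object):
 object_uuid = self.key_mgr.store(self.ctxt, managed_object)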
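Review bot: The new `self.ctxt = None` in `setUp` carries no comment saying it is only a default, and it runs after `_create_key_manager()`, so a subclass that assigned `self.ctxt` inside that hook would be silently reset. A one-line comment such as `# Default for backends that ignore the context; subclasses needing one set self.ctxt after calling super().setUp().` would make the contract explicit. Whether the other backend test cases in the project already follow that order is not visible from this hunk.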


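--- a/castellan/tests/functional/key_manager/test_vault_key_manager.py
+++ b/castellan/tests/functional/key_manager/test_vault_key_manager.py
@@ -15,12 +15,10 @@ Functional test cases for the Vault key manager.
 
 Note: This requires local running instance of Vault.
 """
-import abc
 import os
 import uuid
 
 from oslo_config import cfg
-from oslo_context import context
 from oslo_utils import uuidutils
 from oslotest import base
 import requests
@@ -34,7 +32,8 @@ from castellan.tests.functional.key_manager import test_key_manager
 CONF = config.get_config()
 
 
-class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase):
+class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase,
+base.BaseTestCase):
 def _create_key_manager(self):
 key_mgr = vault_key_manager.VaultKeyManager(cfg.CONF)
 
@@ -46,26 +45,6 @@ class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase):
 key_mgr._vault_url = os.environ['VAULT_TEST_URL']
 return key_mgr
 
-@abc.abstractmethod
-def get_context(self):
-"""Retrieves Context for Authentication"""
-return
-
-def setUp(self):
-super(VaultKeyManagerTestCase, self).setUp()
-self.ctxt = self.get_context()
-
-def tearDown(self):
-super(VaultKeyManagerTestCase, self).tearDown()
-
-def test_create_null_context(self):
-self.assertRaises(exception.Forbidden,
-self.key_mgr.create_key, None, 'AES', 256)
-
-def test_create_key_pair_null_context(self):
-self.assertRaises(exception.Forbidden,
-self.key_mgr.create_key_pair, None, 'RSA', 2048)
-
 def test_create_key_pair_bad_algorithm(self):
 self.assertRaises(
 NotImplementedError,
@@ -73,24 +52,10 @@ class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase):
 self.ctxt, 'DSA', 2048
 )
 
-def test_delete_null_context(self):
-key_uuid = self._get_valid_object_uuid(
-test_key_manager._get_test_symmetric_key())
-self.addCleanup(self.key_mgr.delete, self.ctxt, key_uuid)
-self.assertRaises(exception.Forbidden,
-self.key_mgr.delete, None, key_uuid)
-
 def test_delete_null_object(self):
 self.assertRaises(exception.KeyManagerError,
 self.key_mgr.delete, self.ctxt, None)
 
-def test_get_null_context(self):
-key_uuid = self._get_valid_object_uuid(
-test_key_manager._get_test_symmetric_key())
-self.addCleanup(self.key_mgr.delete, self.ctxt, key_uuid)
-self.assertRaises(exception.Forbidden,
-self.key_mgr.get, None, key_uuid)
-
 def test_get_null_object(self):
 self.assertRaises(exception.KeyManagerError,
 self.key_mgr.get, self.ctxt, None)
@@ -100,18 +65,6 @@ class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase):
 self.assertRaises(exception.ManagedObjectNotFoundError,
 self.key_mgr.get, self.ctxt, bad_key_uuid)
 
-def test_store_null_context(self):
-key = test_key_manager._get_test_symmetric_key()
-
-self.assertRaises(exception.Forbidden,
-self.key_mgr.store, None, key)
-
-
-class VaultKeyManagerOSLOContextTestCase(VaultKeyManagerTestCase,
-base.BaseTestCase):
-def get_context(self):
-return context.get_admin_context()
-
 
 TEST_POLICY = '''
 path "{backend}/*" {{
@@ -128,7 +81,7 @@ POLICY_ENDPOINT = 'v1/sys/policy/{policy_name}'
 APPROLE_ENDPOINT = 'v1/auth/approle/role/{role_name}'
 
 
-class VaultKeyManagerAppRoleTestCase(VaultKeyManagerOSLOContextTestCase):
+class VaultKeyManagerAppRoleTestCase(VaultKeyManagerTestCase):
 
 mountpoint = 'secret'
 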

