From 8e88919f02781d699a73e815cf8f7be72d4db352 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es=20de=20Medeiros?= Date: Fri, 28 Feb 2020 12:17:54 +0100 Subject: [PATCH] Removes context "validation". MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Vault backend doesn't really care about context. Even an empty string would suffice these checks. Change-Id: I1c0d00675a479cf05d92cec7b69fd720a88023d3 Signed-off-by: Moisés Guimarães de Medeiros --- castellan/key_manager/vault_key_manager.py | 30 ----------- .../key_manager/test_key_manager.py | 1 + .../key_manager/test_vault_key_manager.py | 53 ++----------------- 3 files changed, 4 insertions(+), 80 deletions(-) diff --git a/castellan/key_manager/vault_key_manager.py b/castellan/key_manager/vault_key_manager.py index 2510f2db..ad1424f0 100644 --- a/castellan/key_manager/vault_key_manager.py +++ b/castellan/key_manager/vault_key_manager.py @@ -205,11 +205,6 @@ class VaultKeyManager(key_manager.KeyManager): expiration=None, name=None): """Creates an asymmetric key pair.""" - # Confirm context is provided, if not raise forbidden - if not context: - msg = _("User is not authorized to use key manager.") - raise exception.Forbidden(msg) - if algorithm.lower() != 'rsa': raise NotImplementedError( "VaultKeyManager only implements rsa keys" @@ -281,11 +276,6 @@ class VaultKeyManager(key_manager.KeyManager): def create_key(self, context, algorithm, length, name=None, **kwargs): """Creates a symmetric key.""" - # Confirm context is provided, if not raise forbidden - if not context: - msg = _("User is not authorized to use key manager.") - raise exception.Forbidden(msg) - if length % 8: msg = _("Length must be multiple of 8.") raise ValueError(msg) 
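Review bot: After this removal the `context` argument of create_key_pair (and of create_key, store, get, delete and list in the later hunks) is not read by any line the hunks show, yet the docstrings do not say so. A caller could reasonably assume a per-user authorization decision still happens here, when access control presumably rests only on the Vault credentials and policy the service is configured with. I would add to each docstring a line such as `context is accepted for interface compatibility and is ignored; Vault enforces access against the configured credentials`. A call with a None context used to raise exception.Forbidden and now proceeds, so a release note for the behaviour change would help deployers; the diffstat lists none. The method bodies continue outside the hunks.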
@@ -303,22 +293,12 @@ class VaultKeyManager(key_manager.KeyManager): def store(self, context, key_value, **kwargs): """Stores (i.e., registers) a key with the key manager.""" - # Confirm context is provided, if not raise forbidden - if not context: - msg = _("User is not authorized to use key manager.") - raise exception.Forbidden(msg) - key_id = uuid.uuid4().hex return self._store_key_value(key_id, key_value) def get(self, context, key_id, metadata_only=False): """Retrieves the key identified by the specified id.""" - # Confirm context is provided, if not raise forbidden - if not context: - msg = _("User is not authorized to use key manager.") - raise exception.Forbidden(msg) - if not key_id: raise exception.KeyManagerError('key identifier not provided') @@ -359,11 +339,6 @@ class VaultKeyManager(key_manager.KeyManager): def delete(self, context, key_id): """Represents deleting the key.""" - # Confirm context is provided, if not raise forbidden - if not context: - msg = _("User is not authorized to use key manager.") - raise exception.Forbidden(msg) - if not key_id: raise exception.KeyManagerError('key identifier not provided') @@ -376,11 +351,6 @@ class VaultKeyManager(key_manager.KeyManager): def list(self, context, object_type=None, metadata_only=False): """Lists the managed objects given the criteria.""" - # Confirm context is provided, if not raise forbidden - if not context: - msg = _("User is not authorized to use key manager.") - raise exception.Forbidden(msg) - if object_type and object_type not in self._secret_type_dict: msg = _("Invalid secret type: %s") % object_type raise exception.KeyManagerError(reason=msg) diff --git a/castellan/tests/functional/key_manager/test_key_manager.py b/castellan/tests/functional/key_manager/test_key_manager.py index 1f8eaf6b..021cb0fb 100644 --- a/castellan/tests/functional/key_manager/test_key_manager.py +++ b/castellan/tests/functional/key_manager/test_key_manager.py 
@@ -77,6 +77,7 @@ class KeyManagerTestCase(object): def setUp(self): super(KeyManagerTestCase, self).setUp() self.key_mgr = self._create_key_manager() + self.ctxt = None def _get_valid_object_uuid(self, managed_object): object_uuid = self.key_mgr.store(self.ctxt, managed_object) diff --git a/castellan/tests/functional/key_manager/test_vault_key_manager.py b/castellan/tests/functional/key_manager/test_vault_key_manager.py index f72cf6ab..180189e0 100644 --- a/castellan/tests/functional/key_manager/test_vault_key_manager.py +++ b/castellan/tests/functional/key_manager/test_vault_key_manager.py @@ -15,12 +15,10 @@ Functional test cases for the Vault key manager. Note: This requires local running instance of Vault. """ -import abc import os import uuid from oslo_config import cfg -from oslo_context import context from oslo_utils import uuidutils from oslotest import base import requests @@ -34,7 +32,8 @@ from castellan.tests.functional.key_manager import test_key_manager CONF = config.get_config() -class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase): +class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase, + base.BaseTestCase): def _create_key_manager(self): key_mgr = vault_key_manager.VaultKeyManager(cfg.CONF) 
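Review bot: `self.ctxt = None` is assigned after `super().setUp()` in the shared KeyManagerTestCase.setUp, so any other backend test case that sets `self.ctxt` before delegating to this setUp would have its context silently replaced by None. The subclasses for other backends are not visible in this patch, so this needs checking against the remaining functional test cases. A form that keeps an already-set value is `self.ctxt = getattr(self, 'ctxt', None)`; failing that, a comment such as `# subclasses needing a real context must set self.ctxt after calling super().setUp()` would document the ordering requirement.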
@@ -46,26 +45,6 @@ class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase): key_mgr._vault_url = os.environ['VAULT_TEST_URL'] return key_mgr - @abc.abstractmethod - def get_context(self): - """Retrieves Context for Authentication""" - return - - def setUp(self): - super(VaultKeyManagerTestCase, self).setUp() - self.ctxt = self.get_context() - - def tearDown(self): - super(VaultKeyManagerTestCase, self).tearDown() - - def test_create_null_context(self): - self.assertRaises(exception.Forbidden, - self.key_mgr.create_key, None, 'AES', 256) - - def test_create_key_pair_null_context(self): - self.assertRaises(exception.Forbidden, - self.key_mgr.create_key_pair, None, 'RSA', 2048) - def test_create_key_pair_bad_algorithm(self): self.assertRaises( NotImplementedError, @@ -73,24 +52,10 @@ class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase): self.ctxt, 'DSA', 2048 ) - def test_delete_null_context(self): - key_uuid = self._get_valid_object_uuid( - test_key_manager._get_test_symmetric_key()) - self.addCleanup(self.key_mgr.delete, self.ctxt, key_uuid) - self.assertRaises(exception.Forbidden, - self.key_mgr.delete, None, key_uuid) - def test_delete_null_object(self): self.assertRaises(exception.KeyManagerError, self.key_mgr.delete, self.ctxt, None) - def test_get_null_context(self): - key_uuid = self._get_valid_object_uuid( - test_key_manager._get_test_symmetric_key()) - self.addCleanup(self.key_mgr.delete, self.ctxt, key_uuid) - self.assertRaises(exception.Forbidden, - self.key_mgr.get, None, key_uuid) - def test_get_null_object(self): self.assertRaises(exception.KeyManagerError, self.key_mgr.get, self.ctxt, None) 
@@ -100,18 +65,6 @@ class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase): self.assertRaises(exception.ManagedObjectNotFoundError, self.key_mgr.get, self.ctxt, bad_key_uuid) - def test_store_null_context(self): - key = test_key_manager._get_test_symmetric_key() - - self.assertRaises(exception.Forbidden, - self.key_mgr.store, None, key) - - -class VaultKeyManagerOSLOContextTestCase(VaultKeyManagerTestCase, - base.BaseTestCase): - def get_context(self): - return context.get_admin_context() - TEST_POLICY = ''' path "{backend}/*" {{ @@ -128,7 +81,7 @@ POLICY_ENDPOINT = 'v1/sys/policy/{policy_name}' APPROLE_ENDPOINT = 'v1/auth/approle/role/{role_name}' -class VaultKeyManagerAppRoleTestCase(VaultKeyManagerOSLOContextTestCase): +class VaultKeyManagerAppRoleTestCase(VaultKeyManagerTestCase): mountpoint = 'secret'