Start generating our own key pairs

Nova API microversion 2.92 removed the ability to generate a private
key. The user or client is now responsible for generating the key pair.
Start doing that using cryptography, which is in our requirements
(unlike paramiko, which nova uses).

included:
https://review.opendev.org/c/openstack/ec2-api/+/857880
https://review.opendev.org/c/openstack/ec2-api/+/859192

Change-Id: I0032de8cd779beafbd6848a2aecbcb6455e8eada
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
changes/43/858143/6
Stephen Finucane 5 months ago committed by Andrey Pavlov
parent 299c898cf4
commit af83b08216

@ -7,6 +7,5 @@
jobs:
- ec2api-tempest-plugin-functional
gate:
queue: ec2-api
jobs:
- ec2api-tempest-plugin-functional

@ -14,6 +14,9 @@
import base64
from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization as crypt_serialization
from novaclient import exceptions as nova_exception
from oslo_config import cfg
from oslo_log import log as logging
@ -81,17 +84,38 @@ def _validate_name(name):
reason='lenght is exceeds maximum of 255')
# We may wish to make the algorithm configurable. This would require API
# changes.
def _generate_key_pair():
key = rsa.generate_private_key(
backend=backends.default_backend(),
public_exponent=65537,
key_size=2048
)
private_key = key.private_bytes(
crypt_serialization.Encoding.PEM,
crypt_serialization.PrivateFormat.TraditionalOpenSSL,
crypt_serialization.NoEncryption(),
).decode()
public_key = key.public_key().public_bytes(
crypt_serialization.Encoding.OpenSSH,
crypt_serialization.PublicFormat.OpenSSH,
).decode()
return private_key, public_key
def create_key_pair(context, key_name):
_validate_name(key_name)
nova = clients.nova(context)
private_key, public_key = _generate_key_pair()
try:
key_pair = nova.keypairs.create(key_name)
key_pair = nova.keypairs.create(key_name, public_key)
except nova_exception.OverLimit:
raise exception.ResourceLimitExceeded(resource='keypairs')
except nova_exception.Conflict:
raise exception.InvalidKeyPairDuplicate(key_name=key_name)
formatted_key_pair = _format_key_pair(key_pair)
formatted_key_pair['keyMaterial'] = key_pair.private_key
formatted_key_pair['keyMaterial'] = private_key
return formatted_key_pair

@ -41,7 +41,11 @@ def _create_facade_lazily():
global _MASTER_FACADE
if _MASTER_FACADE is None:
_MASTER_FACADE = db_session.EngineFacade.from_config(CONF)
# FIXME(priteau): Remove autocommit=True (and ideally use of
# LegacyEngineFacade) asap since it's not compatible with SQLAlchemy
# 2.0.
_MASTER_FACADE = db_session.EngineFacade.from_config(CONF,
autocommit=True)
return _MASTER_FACADE

@ -13,6 +13,8 @@
# limitations under the License.
import base64
from unittest import mock
from novaclient import exceptions as nova_exception
@ -24,12 +26,15 @@ from ec2api.tests.unit import tools
class KeyPairCase(base.ApiTestCase):
def test_create_key_pair(self):
@mock.patch('ec2api.api.key_pair._generate_key_pair')
def test_create_key_pair(self, _generate_key_pair):
_generate_key_pair.return_value = (
fakes.PRIVATE_KEY_KEY_PAIR, fakes.PUBLIC_KEY_KEY_PAIR)
self.nova.keypairs.create.return_value = (
fakes.NovaKeyPair(fakes.OS_KEY_PAIR))
resp = self.execute('CreateKeyPair', {'KeyName': fakes.NAME_KEY_PAIR})
self.assertThat(fakes.EC2_KEY_PAIR, matchers.DictMatches(resp))
self.nova.keypairs.create.assert_called_once_with(fakes.NAME_KEY_PAIR)
_generate_key_pair.assert_called_once_with()
def test_create_key_pair_invalid(self):
self.nova.keypairs.create.side_effect = (

Loading…
Cancel
Save