Start generating our own key pairs
Nova API microversion 2.92 removed the ability to generate a private key. The user or client is now responsible for generating the key pair. Start doing that using cryptography, which is in our requirements (unlike paramiko, which nova uses). included: https://review.opendev.org/c/openstack/ec2-api/+/857880 https://review.opendev.org/c/openstack/ec2-api/+/859192 Change-Id: I0032de8cd779beafbd6848a2aecbcb6455e8eada Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This commit is contained in:
parent
299c898cf4
commit
af83b08216
|
@ -7,6 +7,5 @@
|
||||||
jobs:
|
jobs:
|
||||||
- ec2api-tempest-plugin-functional
|
- ec2api-tempest-plugin-functional
|
||||||
gate:
|
gate:
|
||||||
queue: ec2-api
|
|
||||||
jobs:
|
jobs:
|
||||||
- ec2api-tempest-plugin-functional
|
- ec2api-tempest-plugin-functional
|
||||||
|
|
|
@ -14,6 +14,9 @@
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
|
|
||||||
|
from cryptography.hazmat import backends
|
||||||
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||||
|
from cryptography.hazmat.primitives import serialization as crypt_serialization
|
||||||
from novaclient import exceptions as nova_exception
|
from novaclient import exceptions as nova_exception
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
|
@ -81,17 +84,38 @@ def _validate_name(name):
|
||||||
reason='lenght is exceeds maximum of 255')
|
reason='lenght is exceeds maximum of 255')
|
||||||
|
|
||||||
|
|
||||||
|
# We may wish to make the algorithm configurable. This would require API
|
||||||
|
# changes.
|
||||||
|
def _generate_key_pair():
|
||||||
|
key = rsa.generate_private_key(
|
||||||
|
backend=backends.default_backend(),
|
||||||
|
public_exponent=65537,
|
||||||
|
key_size=2048
|
||||||
|
)
|
||||||
|
private_key = key.private_bytes(
|
||||||
|
crypt_serialization.Encoding.PEM,
|
||||||
|
crypt_serialization.PrivateFormat.TraditionalOpenSSL,
|
||||||
|
crypt_serialization.NoEncryption(),
|
||||||
|
).decode()
|
||||||
|
public_key = key.public_key().public_bytes(
|
||||||
|
crypt_serialization.Encoding.OpenSSH,
|
||||||
|
crypt_serialization.PublicFormat.OpenSSH,
|
||||||
|
).decode()
|
||||||
|
return private_key, public_key
|
||||||
|
|
||||||
|
|
||||||
def create_key_pair(context, key_name):
|
def create_key_pair(context, key_name):
|
||||||
_validate_name(key_name)
|
_validate_name(key_name)
|
||||||
nova = clients.nova(context)
|
nova = clients.nova(context)
|
||||||
|
private_key, public_key = _generate_key_pair()
|
||||||
try:
|
try:
|
||||||
key_pair = nova.keypairs.create(key_name)
|
key_pair = nova.keypairs.create(key_name, public_key)
|
||||||
except nova_exception.OverLimit:
|
except nova_exception.OverLimit:
|
||||||
raise exception.ResourceLimitExceeded(resource='keypairs')
|
raise exception.ResourceLimitExceeded(resource='keypairs')
|
||||||
except nova_exception.Conflict:
|
except nova_exception.Conflict:
|
||||||
raise exception.InvalidKeyPairDuplicate(key_name=key_name)
|
raise exception.InvalidKeyPairDuplicate(key_name=key_name)
|
||||||
formatted_key_pair = _format_key_pair(key_pair)
|
formatted_key_pair = _format_key_pair(key_pair)
|
||||||
formatted_key_pair['keyMaterial'] = key_pair.private_key
|
formatted_key_pair['keyMaterial'] = private_key
|
||||||
return formatted_key_pair
|
return formatted_key_pair
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -41,7 +41,11 @@ def _create_facade_lazily():
|
||||||
global _MASTER_FACADE
|
global _MASTER_FACADE
|
||||||
|
|
||||||
if _MASTER_FACADE is None:
|
if _MASTER_FACADE is None:
|
||||||
_MASTER_FACADE = db_session.EngineFacade.from_config(CONF)
|
# FIXME(priteau): Remove autocommit=True (and ideally use of
|
||||||
|
# LegacyEngineFacade) asap since it's not compatible with SQLAlchemy
|
||||||
|
# 2.0.
|
||||||
|
_MASTER_FACADE = db_session.EngineFacade.from_config(CONF,
|
||||||
|
autocommit=True)
|
||||||
return _MASTER_FACADE
|
return _MASTER_FACADE
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,8 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
|
from unittest import mock
|
||||||
|
|
||||||
|
|
||||||
from novaclient import exceptions as nova_exception
|
from novaclient import exceptions as nova_exception
|
||||||
|
|
||||||
|
@ -24,12 +26,15 @@ from ec2api.tests.unit import tools
|
||||||
|
|
||||||
class KeyPairCase(base.ApiTestCase):
|
class KeyPairCase(base.ApiTestCase):
|
||||||
|
|
||||||
def test_create_key_pair(self):
|
@mock.patch('ec2api.api.key_pair._generate_key_pair')
|
||||||
|
def test_create_key_pair(self, _generate_key_pair):
|
||||||
|
_generate_key_pair.return_value = (
|
||||||
|
fakes.PRIVATE_KEY_KEY_PAIR, fakes.PUBLIC_KEY_KEY_PAIR)
|
||||||
self.nova.keypairs.create.return_value = (
|
self.nova.keypairs.create.return_value = (
|
||||||
fakes.NovaKeyPair(fakes.OS_KEY_PAIR))
|
fakes.NovaKeyPair(fakes.OS_KEY_PAIR))
|
||||||
resp = self.execute('CreateKeyPair', {'KeyName': fakes.NAME_KEY_PAIR})
|
resp = self.execute('CreateKeyPair', {'KeyName': fakes.NAME_KEY_PAIR})
|
||||||
self.assertThat(fakes.EC2_KEY_PAIR, matchers.DictMatches(resp))
|
self.assertThat(fakes.EC2_KEY_PAIR, matchers.DictMatches(resp))
|
||||||
self.nova.keypairs.create.assert_called_once_with(fakes.NAME_KEY_PAIR)
|
_generate_key_pair.assert_called_once_with()
|
||||||
|
|
||||||
def test_create_key_pair_invalid(self):
|
def test_create_key_pair_invalid(self):
|
||||||
self.nova.keypairs.create.side_effect = (
|
self.nova.keypairs.create.side_effect = (
|
||||||
|
|
Loading…
Reference in New Issue