Support for Certificate data handling

Create an interface CertManager for handling certificate data.
Create an interface CertGenerator for signing certificates from CSRs.

Change-Id: I7a18496b9665b74c6ca89c503e68ef33a8581d0f
Partially-implements: blueprint tls-data-security

etc/octavia.conf

@@ -23,3 +23,7 @@
 # admin_user = octavia
 # admin_password = password
 # admin_project_id = service
+
+[certificates]
+# cert_generator_class =
+# cert_manager_class =

octavia/certificates/common/cert.py

@@ -0,0 +1,43 @@
+# Copyright (c) 2014 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class Cert(object):
+    """Base class to represent all certificates."""
+
+    @abc.abstractmethod
+    def get_certificate(self):
+        """Returns the certificate."""
+        pass
+
+    @abc.abstractmethod
+    def get_intermediates(self):
+        """Returns the intermediate certificates."""
+        pass
+
+    @abc.abstractmethod
+    def get_private_key(self):
+        """Returns the private key for the certificate."""
+        pass
+
+    @abc.abstractmethod
+    def get_private_key_passphrase(self):
+        """Returns the passphrase for the private key."""
+        pass

octavia/certificates/generator/__init__.py

@@ -0,0 +1,32 @@
+# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo.config import cfg
+
+from octavia.openstack.common import importutils
+
+certgen_opts = [
+    cfg.StrOpt('cert_generator_class',
+               default='octavia.certificates.barbican.BarbicanCertGenerator',
+               help='The full class name of the cert generator API class'),
+]
+
+CONF = cfg.CONF
+CONF.register_opts(certgen_opts, group='certificates')
+
+
+def API():
+    cls = importutils.import_class(CONF.certgen.cert_generator_class)
+    return cls()

octavia/certificates/generator/cert_gen.py

@@ -0,0 +1,44 @@
+# Copyright (c) 2014 Rackspace US, Inc
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""
+Certificate Generator API
+"""
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class CertGenerator(object):
+    """Base Cert Generator Interface
+
+    A Certificate Generator is responsible for signing TLS certificates.
+    """
+
+    @abc.abstractmethod
+    def sign_cert(self, csr, validity):
+        """Generates a signed certificate from the provided CSR
+
+        This call is designed to block until a signed certificate can be
+        returned.
+
+        :param csr: A Certificate Signing Request
+        :param validity: Valid for <validity> seconds from the current time
+
+        :return: Signed certificate
+        :raises Exception: If certificate signing fails
+        """
+        pass

octavia/certificates/manager/__init__.py

@@ -0,0 +1,32 @@
+# Copyright (c) 2014 Rackspace, Inc
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo.config import cfg
+
+from octavia.openstack.common import importutils
+
+certmgr_opts = [
+    cfg.StrOpt('cert_manager_class',
+               default='octavia.certificates.barbican.BarbicanCertManager',
+               help='The full class name of the cert manager API class'),
+]
+
+CONF = cfg.CONF
+CONF.register_opts(certmgr_opts, group='certificates')
+
+
+def API():
+    cls = importutils.import_class(CONF.certmgr.cert_manager_class)
+    return cls()

octavia/certificates/manager/cert_mgr.py

@@ -0,0 +1,59 @@
+# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""
+Certificate manager API
+"""
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class CertManager(object):
+    """Base Cert Manager Interface
+
+    A Cert Manager is responsible for managing certificates for TLS.
+    """
+
+    @abc.abstractmethod
+    def store_cert(self, certificate, private_key, intermediates=None,
+                   private_key_passphrase=None, **kwargs):
+        """Stores (i.e., registers) a cert with the cert manager.
+
+        This method stores the specified cert and returns its UUID that
+        identifies it within the cert manager.
+        If storage of the certificate data fails, a CertificateStorageException
+        should be raised.
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_cert(self, cert_ref, **kwargs):
+        """Retrieves the specified cert.
+
+        If the specified cert does not exist, a CertificateStorageException
+        should be raised.
+        """
+        pass
+
+    @abc.abstractmethod
+    def delete_cert(self, cert_ref, **kwargs):
+        """Deletes the specified cert.
+
+        If the specified cert does not exist, a CertificateStorageException
+        should be raised.
+        """
+        pass

octavia/common/exceptions.py

@@ -61,3 +61,11 @@ class NotAuthorized(OctaviaException):
 
 class MissingArguments(OctaviaException):
     message = _("Missing arguments.")
+
+
+class CertificateStorageException(OctaviaException):
+    message = _('Could not store certificate: %(msg)s')
+
+
+class CertificateGenerationException(OctaviaException):
+    message = _('Could not sign the certificate request: %(msg)s')