100 lines
3.5 KiB
Python
100 lines
3.5 KiB
Python
# Copyright (c) 2014 Rackspace US, Inc
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""
|
|
Barbican ACL auth class for Barbican certificate handling
|
|
"""
|
|
from barbicanclient import client as barbican_client
|
|
from keystoneauth1 import session
|
|
from keystoneauth1 import token_endpoint
|
|
|
|
from oslo_config import cfg
|
|
from oslo_log import log as logging
|
|
from oslo_utils import excutils
|
|
|
|
from octavia.certificates.common import barbican as barbican_common
|
|
from octavia.common import keystone
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
CONF = cfg.CONF
|
|
|
|
|
|
class BarbicanACLAuth(barbican_common.BarbicanAuth):
|
|
_barbican_client = None
|
|
|
|
@classmethod
|
|
def get_barbican_client(cls, project_id=None):
|
|
if not cls._barbican_client:
|
|
try:
|
|
ksession = keystone.KeystoneSession()
|
|
cls._barbican_client = barbican_client.Client(
|
|
session=ksession.get_session(),
|
|
region_name=CONF.certificates.region_name,
|
|
interface=CONF.certificates.endpoint_type
|
|
)
|
|
except Exception:
|
|
with excutils.save_and_reraise_exception():
|
|
LOG.exception("Error creating Barbican client")
|
|
return cls._barbican_client
|
|
|
|
@classmethod
|
|
def ensure_secret_access(cls, context, ref):
|
|
# get a normal session
|
|
ksession = keystone.KeystoneSession()
|
|
user_id = ksession.get_service_user_id()
|
|
|
|
# use barbican client to set the ACLs
|
|
bc = cls.get_barbican_client_user_auth(context)
|
|
acl = bc.acls.get(ref)
|
|
read_oper = acl.get('read')
|
|
if user_id not in read_oper.users:
|
|
read_oper.users.append(user_id)
|
|
acl.submit()
|
|
|
|
@classmethod
|
|
def revoke_secret_access(cls, context, ref):
|
|
# get a normal session
|
|
ksession = keystone.KeystoneSession()
|
|
user_id = ksession.get_service_user_id()
|
|
|
|
# use barbican client to set the ACLs
|
|
bc = cls.get_barbican_client_user_auth(context)
|
|
acl = bc.acls.get(ref)
|
|
read_oper = acl.get('read')
|
|
if user_id in read_oper.users:
|
|
read_oper.users.remove(user_id)
|
|
acl.submit()
|
|
|
|
@classmethod
|
|
def get_barbican_client_user_auth(cls, context):
|
|
barbican_endpoint = CONF.certificates.endpoint
|
|
if not barbican_endpoint:
|
|
ksession = keystone.KeystoneSession().get_session()
|
|
endpoint_data = ksession.get_endpoint_data(
|
|
service_type='key-manager',
|
|
region_name=CONF.certificates.region_name,
|
|
interface=CONF.certificates.endpoint_type)
|
|
barbican_endpoint = endpoint_data.catalog_url
|
|
|
|
auth_token = token_endpoint.Token(barbican_endpoint,
|
|
context.auth_token)
|
|
|
|
user_session = session.Session(
|
|
auth=auth_token,
|
|
verify=CONF.certificates.ca_certificates_file)
|
|
return barbican_client.Client(
|
|
session=user_session,
|
|
endpoint=barbican_endpoint)
|