From b7fda3b4a23fbb86c2341ab60cdc435889b880f9 Mon Sep 17 00:00:00 2001
From: Tim Burke
Date: Mon, 24 Sep 2018 16:26:20 -0700
Subject: [PATCH] Allow kmip_keymaster to be configured in proxy-server.conf ... and in particular, in the filter:kmip_keymaster section. We thought we'd done that before, but we didn't: __name__ is *just* the filter name, and doesn't include the "filter:" prefix for the section.
Change-Id: Iede1d7450e94ba05d2610030e975f566275da88b
---
 .../middleware/crypto/kmip_keymaster.py | 4 +++-
 .../middleware/crypto/test_kmip_keymaster.py | 23 ++++++++++---------
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/swift/common/middleware/crypto/kmip_keymaster.py b/swift/common/middleware/crypto/kmip_keymaster.py
index e1ea989348..11566a1fb4 100644
--- a/swift/common/middleware/crypto/kmip_keymaster.py
+++ b/swift/common/middleware/crypto/kmip_keymaster.py
@@ -108,7 +108,9 @@ class KmipKeyMaster(keymaster.BaseKeyMaster):
 if self.keymaster_config_path:
 section = self.keymaster_conf_section
 else:
- section = conf['__name__']
+ # __name__ is just the filter name, not the whole section name.
+ # Luckily, PasteDeploy only uses the one prefix for filters.
+ section = 'filter:' + conf['__name__']
 if os.path.isdir(conf['__file__']):
 raise ValueError(
diff --git a/test/unit/common/middleware/crypto/test_kmip_keymaster.py b/test/unit/common/middleware/crypto/test_kmip_keymaster.py
index 2e43b2e723..3eb50e7e9d 100644
--- a/test/unit/common/middleware/crypto/test_kmip_keymaster.py
+++ b/test/unit/common/middleware/crypto/test_kmip_keymaster.py
@@ -72,7 +72,7 @@ class TestKmipKeymaster(unittest.TestCase):
 def test_config_in_filter_section(self):
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip_keymaster',
 'key_id': '1234'}
 secrets = {'1234': create_secret('AES', 256, b'x' * 32)}
 calls = []
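Review bot: The section name built in the `else:` branch of the kmip_keymaster.py hunk, `'filter:' + conf['__name__']`, is passed on without any check that a section of that name exists in `conf['__file__']`. The tests show this value reaching the KMIP client as its `config` argument, so a middleware declared under a different section type would presumably surface only as a late or unclear client-side failure rather than a clear configuration error. The comment should state the assumption outright, e.g. `# Assumes the middleware is declared in a [filter:<name>] section of __file__; other section types are not handled.` A fail-fast `ValueError` naming the computed section, in the style of the `os.path.isdir` check that follows, would make a misconfigured key-management setup obvious at start-up. The enclosing method begins and ends outside this hunk, so an existing check elsewhere cannot be ruled out.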
@@ -91,7 +91,7 @@ class TestKmipKeymaster(unittest.TestCase):
 def test_multikey_config_in_filter_section(self):
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip-keymaster',
 'key_id': '1234',
 'key_id_xyzzy': 'foobar',
 'key_id_alt_secret_id': 'foobar',
@@ -110,14 +110,14 @@ class TestKmipKeymaster(unittest.TestCase):
 self.assertIsNone(km.keymaster_config_path)
 self.assertEqual(calls, [
 ('__init__', {'config_file': '/etc/swift/proxy-server.conf',
- 'config': 'filter:kmip_keymaster'}),
+ 'config': 'filter:kmip-keymaster'}),
 ('get', '1234'),
 ('get', 'foobar'),
 ])
 def test_bad_active_key(self):
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip_keymaster',
 'key_id': '1234',
 'key_id_xyzzy': 'foobar',
 'active_root_secret_id': 'unknown'}
@@ -141,7 +141,7 @@ class TestKmipKeymaster(unittest.TestCase):
 fd.write(dedent(km_conf))
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'keymaster-kmip',
 'keymaster_config_path': km_config_file}
 secrets = {'4321': create_secret('AES', 256, b'x' * 32)}
 calls = []
@@ -168,7 +168,7 @@ class TestKmipKeymaster(unittest.TestCase):
 fd.write(dedent(km_conf))
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip_keymaster',
 'keymaster_config_path': km_config_file}
 secrets = {'4321': create_secret('AES', 256, b'x' * 32),
 'another id': create_secret('AES', 256, b'y' * 32)}
@@ -192,7 +192,7 @@ class TestKmipKeymaster(unittest.TestCase):
 # KmipClient can't read conf from a dir, so check that is caught early
 conf = {'__file__': proxy_server_conf_dir,
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip_keymaster',
 'key_id': '789'}
 with self.assertRaises(ValueError) as cm:
 KmipKeyMaster(None, conf)
@@ -213,7 +213,7 @@ class TestKmipKeymaster(unittest.TestCase):
 fd.write(dedent(km_conf))
 conf = {'__file__': proxy_server_conf_dir,
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip_keymaster',
 'keymaster_config_path': km_config_file}
 secrets = {'789': create_secret('AES', 256, b'x' * 32)}
 calls = []
@@ -225,12 +225,13 @@ class TestKmipKeymaster(unittest.TestCase):
 self.assertEqual(km_config_file, km.keymaster_config_path)
 self.assertEqual(calls, [
 ('__init__', {'config_file': km_config_file,
+ # NB: no "filter:"
 'config': 'kmip_keymaster'}),
 ('get', '789')])
 def test_bad_key_length(self):
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip_keymaster',
 'key_id': '1234'}
 secrets = {'1234': create_secret('AES', 128, b'x' * 16)}
 calls = []
@@ -247,7 +248,7 @@ class TestKmipKeymaster(unittest.TestCase):
 def test_bad_key_algorithm(self):
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster',
+ '__name__': 'kmip_keymaster',
 'key_id': '1234'}
 secrets = {'1234': create_secret('notAES', 256, b'x' * 32)}
 calls = []
@@ -264,7 +265,7 @@ class TestKmipKeymaster(unittest.TestCase):
 def test_missing_key_id(self):
 conf = {'__file__': '/etc/swift/proxy-server.conf',
- '__name__': 'filter:kmip_keymaster'}
+ '__name__': 'kmip_keymaster'}
 with self.assertRaises(ValueError) as cm:
 KmipKeyMaster(None, conf)
 self.assertIn('key_id option is required', str(cm.exception))
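Review bot: The fixture in the hunk at -213 sets `'__name__': 'kmip_keymaster'`, which is the same string the hunk at -225 expects as `'config': 'kmip_keymaster'`. The new `# NB: no "filter:"` assertion therefore cannot tell a section taken from the separate keymaster config apart from `__name__` passed through without its prefix. A distinct filter name in the fixture, as the -141 hunk already uses, e.g. `'__name__': 'keymaster-kmip',`, would make the test pin that the section does not come from `__name__` when `keymaster_config_path` is set. Both hunks appear to belong to one test method whose start lies outside them.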