Secret present, Sign image

Added states and modules to allow using
secret_present, secret_absent states.

Change-Id: Idad75a8445a874e62c2e2d729cb8e98d7a37d6bd
Related-Issue: PROD-18731
diff --git a/_modules/barbicanv1/__init__.py b/_modules/barbicanv1/__init__.py
new file mode 100644
index 0000000..482f067
--- /dev/null
+++ b/_modules/barbicanv1/__init__.py
@@ -0,0 +1,35 @@
+try:
+    import os_client_config
+    from keystoneauth1 import exceptions as ka_exceptions
+    REQUIREMENTS_MET = True
+except ImportError:
+    REQUIREMENTS_MET = False
+
+from barbicanv1 import secrets
+from barbicanv1 import acl
+
+secret_list = secrets.secret_list
+secret_create = secrets.secret_create
+secret_delete = secrets.secret_delete
+secret_get_details = secrets.secret_get_details
+secret_payload_get = secrets.secret_payload_get
+secret_payload_set = secrets.secret_payload_set
+secret_acl_get = acl.secret_acl_get
+secret_acl_put = acl.secret_acl_put
+secret_acl_patch = acl.secret_acl_patch
+secret_acl_delete = acl.secret_acl_delete
+
+__all__ = (
+    'secret_list', 'secret_create', 'secret_delete', 'secret_get_details',
+    'secret_payload_get', 'secret_payload_set', 'secret_acl_delete',
+    'secret_acl_get', 'secret_acl_patch', 'secret_acl_put',
+)
+
+
+def __virtual__():
+    """Only load barbicanv1 if requirements are available."""
+    if REQUIREMENTS_MET:
+        return 'barbicanv1'
+    else:
+        return False, ("The barbicanv1 execution module cannot be loaded: "
+                       "os_client_config or keystoneauth are unavailable.")
diff --git a/_modules/barbicanv1/acl.py b/_modules/barbicanv1/acl.py
new file mode 100644
index 0000000..8f3c024
--- /dev/null
+++ b/_modules/barbicanv1/acl.py
@@ -0,0 +1,36 @@
+from barbicanv1.common import send, get_by_name_or_uuid
+from barbicanv1.secrets import secret_list, RESOURCE_LIST_KEY
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('get')
+def secret_acl_get(secret_uuid, **kwargs):
+    url = '/v1/secrets/{}/acl'.format(secret_uuid)
+    return url, {}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('put')
+def secret_acl_put(secret_uuid, **kwargs):
+    url = '/v1/secrets/{}/acl'.format(secret_uuid)
+    json = {
+        'read': kwargs,
+    }
+    return url, {'json': json}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('patch')
+def secret_acl_patch(secret_uuid, **kwargs):
+    url = 'v1/secrets/{}/acl'.format(secret_uuid)
+    json = {
+        'read': kwargs,
+    }
+    return url, {'json': json}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('delete')
+def secret_acl_delete(secret_uuid, **kwargs):
+    url = 'v1/secrets/{}/acl'.format(secret_uuid)
+    return url, {}
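Review bot: `secret_acl_patch` and `secret_acl_delete` build the path as `'v1/secrets/{}/acl'` without the leading slash that `secret_acl_get`, `secret_acl_put` and every path in `secrets.py` use; how a relative path is joined onto the catalog endpoint depends on the adapter, so the two forms may resolve to different URLs. Use `'/v1/secrets/{}/acl'` in both. `secret_acl_put` and `secret_acl_patch` forward every remaining keyword argument verbatim as the `read` ACL body, and PUT replaces the existing ACL; a docstring naming the keys the body takes (`users`, `project-access`) and stating that PUT is a full replacement would keep callers from accidentally widening access.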
diff --git a/_modules/barbicanv1/common.py b/_modules/barbicanv1/common.py
new file mode 100644
index 0000000..dd32025
--- /dev/null
+++ b/_modules/barbicanv1/common.py
@@ -0,0 +1,130 @@
+import logging
+import os_client_config
+from uuid import UUID
+try:
+    from urllib.parse import urlsplit
+except ImportError:
+    from urlparse import urlsplit
+
+log = logging.getLogger(__name__)
+
+
+class BarbicanException(Exception):
+
+    _msg = "Barbican module exception occured."
+
+    def __init__(self, message=None, **kwargs):
+        super(BarbicanException, self).__init__(message or self._msg)
+
+
+class NoBarbicanEndpoint(BarbicanException):
+    _msg = "Barbican endpoint not found in keystone catalog."
+
+
+class NoAuthPluginConfigured(BarbicanException):
+    _msg = ("You are using keystoneauth auth plugin that does not support "
+            "fetching endpoint list from token (noauth or admin_token).")
+
+
+class NoCredentials(BarbicanException):
+    _msg = "Please provide cloud name present in clouds.yaml."
+
+
+class ResourceNotFound(BarbicanException):
+    _msg = "Uniq resource: {resource} with name: {name} not found."
+
+    def __init__(self, resource, name, **kwargs):
+        super(BarbicanException, self).__init__(
+            self._msg.format(resource=resource, name=name))
+
+
+class MultipleResourcesFound(BarbicanException):
+    _msg = "Multiple resource: {resource} with name: {name} found."
+
+    def __init__(self, resource, name, **kwargs):
+        super(BarbicanException, self).__init__(
+            self._msg.format(resource=resource, name=name))
+
+
+def _get_raw_client(cloud_name):
+    service_type = 'key-manager'
+    adapter = os_client_config.make_rest_client(service_type,
+                                                cloud=cloud_name)
+    try:
+        access_info = adapter.session.auth.get_access(adapter.session)
+        endpoints = access_info.service_catalog.get_endpoints()
+    except (AttributeError, ValueError):
+        e = NoAuthPluginConfigured()
+        log.exception('%s' % e)
+        raise e
+    if service_type not in endpoints:
+        if not service_type:
+            e = NoBarbicanEndpoint()
+            log.error('%s' % e)
+            raise e
+    return adapter
+
+
+def send(method):
+    def wrap(func):
+        def wrapped_f(*args, **kwargs):
+            cloud_name = kwargs.pop('cloud_name')
+            if not cloud_name:
+                e = NoCredentials()
+                log.error('%s' % e)
+                raise e
+            adapter = _get_raw_client(cloud_name)
+            # Remove salt internal kwargs
+            kwarg_keys = list(kwargs.keys())
+            for k in kwarg_keys:
+                if k.startswith('__'):
+                    kwargs.pop(k)
+            url, request_kwargs = func(*args, **kwargs)
+            response = getattr(adapter, method)(url, **request_kwargs)
+            if not response.content:
+                return {}
+            try:
+                resp = response.json()
+            except:
+                resp = response.content
+            return resp
+        return wrapped_f
+    return wrap
+
+
+def _check_uuid(val):
+    try:
+        return str(UUID(val)).replace('-', '') == val
+    except (TypeError, ValueError, AttributeError):
+        return False
+
+
+def _parse_secret_href(href):
+    return urlsplit(href).path.split('/')[-1]
+
+
+def get_by_name_or_uuid(resource_list, resp_key):
+    def wrap(func):
+        def wrapped_f(*args, **kwargs):
+            if 'name' in kwargs:
+                ref = kwargs.pop('name', None)
+                start_arg = 0
+            else:
+                start_arg = 1
+                ref = args[0]
+            cloud_name = kwargs['cloud_name']
+            if _check_uuid(ref):
+                uuid = ref
+            else:
+                # Then we have name not uuid
+                resp = resource_list(
+                    name=ref, cloud_name=cloud_name)[resp_key]
+                if len(resp) == 0:
+                    raise ResourceNotFound(resp_key, ref)
+                elif len(resp) > 1:
+                    raise MultipleResourcesFound(resp_key, ref)
+                href = resp[0]['secret_ref']
+                uuid = _parse_secret_href(href)
+            return func(uuid, *args[start_arg:], **kwargs)
+        return wrapped_f
+    return wrap
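Review bot: In `_get_raw_client` the endpoint check is dead code: `service_type` is the constant `'key-manager'`, so the nested `if not service_type:` is always false and `NoBarbicanEndpoint` is never raised even when `service_type not in endpoints`; remove the inner condition so a missing key-manager endpoint is actually reported. `_check_uuid` only accepts the 32-hex unhyphenated form (`str(UUID(val)).replace('-', '') == val`), while `_parse_secret_href` and the `secret_ref` values returned by the API are hyphenated, so a caller passing a UUID copied from a secret ref is routed through the name lookup instead; accept both, e.g. `u = UUID(val); return val in (str(u), u.hex)`. In `send`, `kwargs.pop('cloud_name')` raises `KeyError` when the argument is omitted, so the `NoCredentials` branch right after it is unreachable; use `kwargs.pop('cloud_name', None)`. The bare `except:` around `response.json()` should be `except ValueError:` so that unrelated errors are not masked.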
diff --git a/_modules/barbicanv1/secrets.py b/_modules/barbicanv1/secrets.py
new file mode 100644
index 0000000..eda7382
--- /dev/null
+++ b/_modules/barbicanv1/secrets.py
@@ -0,0 +1,61 @@
+try:
+    from urllib.parse import urlencode
+except ImportError:
+    from urllib import urlencode
+
+from barbicanv1.common import send, get_by_name_or_uuid
+
+RESOURCE_LIST_KEY = 'secrets'
+
+
+@send('get')
+def secret_list(**kwargs):
+    url = '/v1/secrets?{}'.format(urlencode(kwargs))
+    return url, {}
+
+
+@send('post')
+def secret_create(**kwargs):
+    url = '/v1/secrets'
+    return url, {'json': kwargs}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('get')
+def secret_get_details(secret_uuid, **kwargs):
+    url = '/v1/secrets/{}'.format(secret_uuid)
+    return url, {}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('delete')
+def secret_delete(secret_uuid, **kwargs):
+    url = '/v1/secrets/{}'.format(secret_uuid)
+    return url, {}
+
+# NOTE::
+# ** payload get and sett requires headers passed in kwargs that describe
+# ** content type of the payload
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('put')
+def secret_payload_set(secret_uuid, payload, **kwargs):
+    url = '/v1/secrets/{}'.format(secret_uuid)
+    # Work around content headers
+    content_type = 'payload_content_type'
+    content_encoding = 'payload_content_encoding'
+    headers = kwargs.get('headers', {})
+    if content_type in kwargs:
+        headers['Content-Type'] = kwargs[content_type]
+        if content_type == 'application/octet-stream':
+            headers['Content-Encoding'] = kwargs[content_encoding]
+
+    return url, {'json': payload, 'headers': headers}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('get')
+def secret_payload_get(secret_uuid, **kwargs):
+    url = '/v1/secrets/{}/payload'.format(secret_uuid)
+    return url, {}
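Review bot: In `secret_payload_set` the comparison `if content_type == 'application/octet-stream':` tests the constant key name `'payload_content_type'` against a MIME type and is therefore always false, so `Content-Encoding` is never set for binary payloads; it should read `if kwargs[content_type] == 'application/octet-stream':`, and `kwargs[content_encoding]` should become `kwargs.get(content_encoding)` or a clear error, since the key is optional for callers. `headers = kwargs.get('headers', {})` mutates the caller's dict in place when one is passed; copy it first. The payload is also sent via `'json': payload`, which (if the adapter JSON-encodes that argument the way keystoneauth's `Session.request` does) wraps a `text/plain` secret in JSON quotes; sending it as `'data': payload` would match the declared `Content-Type` — worth confirming against the adapter in use. The `NOTE` comment above also misspells "set" as "sett".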
diff --git a/_states/barbicanv1.py b/_states/barbicanv1.py
new file mode 100644
index 0000000..0d29dbc
--- /dev/null
+++ b/_states/barbicanv1.py
@@ -0,0 +1,298 @@
+import logging
+import tempfile
+import shutil
+import os
+
+try:
+    from urllib.parse import urlsplit
+except ImportError:
+    from urlparse import urlsplit
+
+GLANCE_LOADED = False
+CMD_LOADED = False
+
+
+def __virtual__():
+    if 'glancev2.image_list' in __salt__:
+        global GLANCE_LOADED
+        GLANCE_LOADED = True
+    if 'cmd.run_all' in __salt__:
+        global CMD_LOADED
+        CMD_LOADED = True
+    return 'barbicanv1' if 'barbicanv1.secret_list' in __salt__ else False
+
+
+log = logging.getLogger(__name__)
+
+
+def _barbicanv1_call(fname, *args, **kwargs):
+    return __salt__['barbicanv1.{}'.format(fname)](*args, **kwargs)
+
+
+def _glancev2_call(fname, *args, **kwargs):
+    return __salt__['glancev2.{}'.format(fname)](*args, **kwargs)
+
+
+def _cmd_call(fname, *args, **kwargs):
+    return __salt__['cmd.{}'.format(fname)](*args, **kwargs)
+
+
+def secret_present(name, cloud_name, **kwargs):
+    try:
+        exact_secret = _barbicanv1_call(
+            'secret_get_details', name=name, cloud_name=cloud_name
+        )
+    except Exception as e:
+        if 'ResourceNotFound' in repr(e):
+            try:
+                if not kwargs:
+                    kwargs = {}
+                resp = _barbicanv1_call(
+                    'secret_create', name=name, cloud_name=cloud_name, **kwargs
+                )
+            except Exception as e:
+                log.error('Barbicanv1 create secret failed with {}'.format(e))
+                return _create_failed(name, 'secret')
+            return _created(name, 'secret', resp)
+        if 'MultipleResourcesFound' in repr(e):
+            return _find_failed(name, 'secret')
+    if 'payload' in kwargs:
+        try:
+            _barbicanv1_call(
+                'secret_payload_get', name=name, cloud_name=cloud_name
+            )
+        except Exception:
+            try:
+                _barbicanv1_call(
+                    'secret_payload_set', name=name, payload=kwargs['payload'],
+                    cloud_name=cloud_name, **kwargs
+                )
+            except Exception as e:
+                log.error(
+                    'Barbicanv1 Secret set payload failed with {}'.format(e)
+                )
+                return _update_failed(name, 'secret_payload')
+            return _updated(
+                name, 'secret_payload', {'payload': kwargs['payload']}
+            )
+    return _no_changes(name, 'secret')
+
+
+def secret_absent(name, cloud_name, **kwargs):
+    try:
+        secret = _barbicanv1_call(
+            'secret_get_details', name=name, cloud_name=cloud_name
+        )
+    except Exception as e:
+        if 'ResourceNotFound' in repr(e):
+            return _absent(name, 'secret')
+        if 'MultipleResourcesFound' in repr(e):
+            return _find_failed(name, 'secret')
+    try:
+        _barbicanv1_call('secret_delete', name=name, cloud_name=cloud_name)
+    except Exception as e:
+        log.error('Barbicanv1 delete failed with {}'.format(e))
+        return _delete_failed(name, 'secret')
+    return _deleted(name, 'secret')
+
+
+def glance_image_signed(image_name, secret_name, pk_fname, out_fname,
+                        cloud_name, file_name=None, force_resign=False):
+    """
+
+    :param image_name: The name of the image to sign
+    :param secret_name: Secret's name with certificate
+    :param pk_fname: private_key file name
+    :param out_fname: output filename for signature
+    :param cloud_name: name of the cloud in cloud_yaml
+    :param file_name: name of the file where downloaded image is.
+    :param force_resign: if the image is already signed, resign it.
+    """
+    if not GLANCE_LOADED or not CMD_LOADED:
+        return {
+            'name': image_name,
+            'changes': {},
+            'comment': 'Cant sign an image, glancev2 and/or cmd module '
+                       'are/is absent',
+            'result': False,
+        }
+    try:
+        image = _glancev2_call(
+            'image_get_details', name=image_name, cloud_name=cloud_name
+        )
+    except Exception as e:
+        log.error('Barbicanv1 sign_image find image failed with {}'.format(e))
+        return _create_failed(image_name, 'image')
+
+    sign_properties = (
+        'img_signature', 'img_signature_certificate_uuid',
+        'img_signature_hash_method', 'img_signature_key_type',
+    )
+
+    if not force_resign and all(key in image for key in sign_properties):
+        return _no_changes(image_name, 'image_signature')
+
+    file_name = file_name or image['id']
+    dir_path = tempfile.mkdtemp()
+    try:
+        file_path = os.path.join(dir_path, file_name)
+
+        _glancev2_call(
+            'image_download', name=image_name,
+            file_name=file_path,
+            cloud_name=cloud_name
+        )
+    except Exception as e:
+        log.error(
+            "Barbicanv1 sign image can't download image."
+            " failed with {}".format(e)
+        )
+        return _create_failed(image_name, 'downloading_image')
+
+    try:
+        retcode = _cmd_call(
+            'run_all',
+            'openssl dgst -sha256 -sign {} '.format(pk_fname) +
+            '-sigopt rsa_padding_mode:pss -out {} '.format(out_fname) +
+            file_path
+          )['retcode']
+        if not retcode == 0:
+            raise Exception('Cant sign image')
+        image_signature = _cmd_call(
+            'run_all', 'base64 -w  0 {}'.format(out_fname)
+        )['stdout']
+    except Exception as e:
+        log.error(
+            'Barbicanv1 sign image failed because of cmd with {}'.format(e)
+        )
+        return _create_failed(image_name, 'cmd_module')
+    shutil.rmtree(dir_path)
+
+    secret_ref = _barbicanv1_call(
+        'secret_get_details', name=secret_name, cloud_name=cloud_name
+    )['secret_ref']
+
+    def _parse_secret_href(href):
+        return urlsplit(href).path.split('/')[-1]
+
+    secret_uuid = _parse_secret_href(secret_ref)
+
+    to_update = [
+        {
+            'op': 'add',
+            'path': '/img_signature',
+            'value': image_signature,
+        },
+        {
+            'op': 'add',
+            'path': '/img_signature_certificate_uuid',
+            'value': secret_uuid,
+        },
+        {
+            'op': 'add',
+            'path': '/img_signature_hash_method',
+            'value': 'SHA-256',
+        },
+        {
+            'op': 'add',
+            'path': '/img_signature_key_type',
+            'value': 'RSA-PSS'
+        }
+
+    ]
+    try:
+        resp = _glancev2_call(
+            'image_update', image_name, to_update, cloud_name=cloud_name,
+            headers={
+                "Content-Type": "application/openstack-images-v2.1-json-patch"
+            }
+        )
+    except Exception as e:
+        log.error('Barbicanv1 sign image failed with {}'.format(e))
+        return _create_failed(image_name, 'sign_image')
+    return _created(image_name, 'sign_image', resp)
+
+
+def _created(name, resource, resource_definition):
+    changes_dict = {
+        'name': name,
+        'changes': resource_definition,
+        'result': True,
+        'comment': '{}{} created'.format(resource, name)
+    }
+    return changes_dict
+
+
+def _updated(name, resource, resource_definition):
+    changes_dict = {
+        'name': name,
+        'changes': resource_definition,
+        'result': True,
+        'comment': '{}{} updated'.format(resource, name)
+    }
+    return changes_dict
+
+
+def _no_changes(name, resource):
+    changes_dict = {
+        'name': name,
+        'changes': {},
+        'result': True,
+        'comment': '{}{} is in desired state'.format(resource, name)
+    }
+    return changes_dict
+
+
+def _deleted(name, resource):
+    changes_dict = {
+        'name': name,
+        'changes': {},
+        'result': True,
+        'comment': '{}{} removed'.format(resource, name)
+    }
+    return changes_dict
+
+
+def _absent(name, resource):
+    changes_dict = {'name': name,
+                    'changes': {},
+                    'comment': '{0} {1} not present'.format(resource, name),
+                    'result': True}
+    return changes_dict
+
+
+def _delete_failed(name, resource):
+    changes_dict = {'name': name,
+                    'changes': {},
+                    'comment': '{0} {1} failed to delete'.format(resource,
+                                                                 name),
+                    'result': False}
+    return changes_dict
+
+
+def _create_failed(name, resource):
+    changes_dict = {'name': name,
+                    'changes': {},
+                    'comment': '{0} {1} failed to create'.format(resource,
+                                                                 name),
+                    'result': False}
+    return changes_dict
+
+
+def _update_failed(name, resource):
+    changes_dict = {'name': name,
+                    'changes': {},
+                    'comment': '{0} {1} failed to update'.format(resource,
+                                                                 name),
+                    'result': False}
+    return changes_dict
+
+
+def _find_failed(name, resource):
+    changes_dict = {
+        'name': name,
+        'changes': {},
+        'comment': '{0} {1} found multiple {0}'.format(resource, name),
+        'result': False,
+    }
+    return changes_dict
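Review bot: `secret_present` can never update a payload: the `secret_payload_set` call passes `payload=kwargs['payload']` and then `**kwargs`, and `kwargs` still contains `payload` (that is the guard on the enclosing `if`), so Python raises `TypeError` for a duplicate keyword, which `except Exception` turns into `_update_failed`; pop it first, e.g. `payload = kwargs.pop('payload')` before the call. In both `secret_present` and `secret_absent`, an exception from `secret_get_details` that is neither `ResourceNotFound` nor `MultipleResourcesFound` (an auth or endpoint error) falls out of the `except` block and the state continues as if the lookup had succeeded — `secret_present` then reports `_no_changes` with `result: True`; end those handlers with `return _create_failed(name, 'secret')` / `return _delete_failed(name, 'secret')` (or re-raise). In `glance_image_signed` the openssl and base64 commands are built by string formatting from `pk_fname`, `out_fname` and `file_path`, which come from state arguments; pass an argv list instead, e.g. `['openssl', 'dgst', '-sha256', '-sign', pk_fname, '-sigopt', 'rsa_padding_mode:pss', '-out', out_fname, file_path]` with `python_shell=False`, and read the signature with the stdlib `base64` module rather than a second shell command. `shutil.rmtree(dir_path)` only runs on the success path, so the downloaded image is left behind in the temp directory whenever download or signing fails; move the cleanup into a `finally`.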