Merge tag '3.10.1' into debian/yoga
castellan 3.10.1 release
meta:version: 3.10.1
meta:diff-start: -
meta:series: yoga
meta:release-type: release
meta:pypi: no
meta:first: no
meta:release:Author: Daniel Bengtsson <dbengt@redhat.com>
meta:release:Commit: Daniel Bengtsson <dbengt@redhat.com>
meta:release:Change-Id: I5975a5917c875817bc2faed18a0dc7c3f9705372
meta:release:Code-Review+2: Hervé Beraud <herveberaud.pro@gmail.com>
meta:release:Code-Review+2: Elod Illes <elod.illes@est.tech>
meta:release:Workflow+1: Elod Illes <elod.illes@est.tech>
Thomas Goirand
1 year, 7 months ago
58 | 58 | - barbican-tempest-plugin-simple-crypto-castellan-src |
59 | 59 | templates: |
60 | 60 | - check-requirements |
61 | - openstack-python3-xena-jobs | |
61 | - openstack-python3-yoga-jobs | |
62 | 62 | - periodic-stable-jobs |
63 | 63 | - publish-openstack-docs-pti |
64 | 64 | - release-notes-jobs-python3 |
432 | 432 | Barbican key creation is done asynchronously, so this loop continues |
433 | 433 | checking until the order is active or a timeout occurs. |
434 | 434 | """ |
435 | active_status = u'ACTIVE' | |
436 | error_status = u'ERROR' | |
435 | active_status = 'ACTIVE' | |
436 | error_status = 'ERROR' | |
437 | 437 | number_of_retries = self.conf.barbican.number_of_retries |
438 | 438 | retry_delay = self.conf.barbican.retry_delay |
439 | 439 | order = barbican_client.orders.get(order_ref) |
66 | 66 | cfg.BoolOpt('use_ssl', |
67 | 67 | default=False, |
68 | 68 | help=_('SSL Enabled/Disabled')), |
69 | cfg.StrOpt("namespace", | |
70 | help=_("Vault Namespace to use for all requests to Vault. " | |
71 | "Vault Namespaces feature is available only in " | |
72 | "Vault Enterprise")), | |
69 | 73 | ] |
70 | 74 | |
71 | 75 | _VAULT_OPT_GROUP = 'vault' |
98 | 102 | self._kv_mountpoint = self._conf.vault.kv_mountpoint |
99 | 103 | self._kv_version = self._conf.vault.kv_version |
100 | 104 | self._vault_url = self._conf.vault.vault_url |
105 | self._namespace = self._conf.vault.namespace | |
101 | 106 | if self._vault_url.startswith("https://"): |
102 | 107 | self._verify_server = self._conf.vault.ssl_ca_crt_file or True |
103 | 108 | else: |
127 | 132 | self._cached_approle_token_id = None |
128 | 133 | return self._cached_approle_token_id |
129 | 134 | |
135 | def _set_namespace(self, headers): | |
136 | if self._namespace: | |
137 | headers["X-Vault-Namespace"] = self._namespace | |
138 | return headers | |
139 | ||
130 | 140 | def _build_auth_headers(self): |
131 | 141 | if self._root_token_id: |
132 | return {'X-Vault-Token': self._root_token_id} | |
142 | return self._set_namespace( | |
143 | {'X-Vault-Token': self._root_token_id}) | |
133 | 144 | |
134 | 145 | if self._approle_token_id: |
135 | return {'X-Vault-Token': self._approle_token_id} | |
146 | return self._set_namespace( | |
147 | {'X-Vault-Token': self._approle_token_id}) | |
136 | 148 | |
137 | 149 | if self._approle_role_id: |
138 | 150 | params = { |
144 | 156 | self._get_url() |
145 | 157 | ) |
146 | 158 | token_issue_utc = timeutils.utcnow() |
159 | headers = self._set_namespace({}) | |
147 | 160 | try: |
148 | 161 | resp = self._session.post(url=approle_login_url, |
149 | 162 | json=params, |
163 | headers=headers, | |
150 | 164 | verify=self._verify_server) |
151 | 165 | except requests.exceptions.Timeout as ex: |
152 | 166 | raise exception.KeyManagerError(str(ex)) |
168 | 182 | self._cached_approle_token_id = resp_data['auth']['client_token'] |
169 | 183 | self._approle_token_issue = token_issue_utc |
170 | 184 | self._approle_token_ttl = resp_data['auth']['lease_duration'] |
171 | return {'X-Vault-Token': self._approle_token_id} | |
185 | return self._set_namespace( | |
186 | {'X-Vault-Token': self._approle_token_id}) | |
172 | 187 | |
173 | 188 | return {} |
174 | 189 |
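Review bot: `_set_namespace` (new lines 135-138) has no docstring, and both its in-place mutation of the dict it receives and its truthiness check deserve stating, because an operator who configures `namespace = ""` silently gets the root namespace rather than an error; suggest `"""Add X-Vault-Namespace to *headers* in place when a namespace is configured; an empty or unset namespace sends no header (root namespace)."""`. The header is also attached to the AppRole login POST (new lines 159-163), which is what makes namespace-scoped auth mounts work, so a short why-comment there such as `# login must target the same namespace as the secrets` would help the next reader. The secret read/write request sites are outside this hunk; presumably they reuse `_build_auth_headers()`, but that should be confirmed so KV requests carry the namespace too. `_build_auth_headers` continues past the end of the hunk.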
45 | 45 | vault_approle_role_id=None, vault_approle_secret_id=None, |
46 | 46 | vault_kv_mountpoint=None, vault_url=None, |
47 | 47 | vault_ssl_ca_crt_file=None, vault_use_ssl=None, |
48 | barbican_endpoint_type=None): | |
48 | vault_namespace=None, | |
49 | barbican_endpoint_type=None, | |
50 | vault_kv_version=None): | |
49 | 51 | """Set defaults for configuration values. |
50 | 52 | |
51 | 53 | Overrides the default options values. |
66 | 68 | :param vault_url: Use this for the url for vault. |
67 | 69 | :param vault_use_ssl: Use this to force vault driver to use ssl. |
68 | 70 | :param vault_ssl_ca_crt_file: Use this for the CA file for vault. |
71 | :param vault_namespace: Namespace to use for all requests to Vault. | |
69 | 72 | :param barbican_endpoint_type: Use this to specify the type of URL. |
70 | 73 | : Valid values are: public, internal or admin. |
74 | :param vault_kv_version: Use this for the kv version for vault. | |
71 | 75 | """ |
72 | 76 | conf.register_opts(key_manager.key_manager_opts, group='key_manager') |
73 | 77 | |
133 | 137 | if vault_use_ssl is not None: |
134 | 138 | conf.set_default('use_ssl', vault_use_ssl, |
135 | 139 | group=vkm._VAULT_OPT_GROUP) |
140 | if vault_namespace is not None: | |
141 | conf.set_default('namespace', vault_namespace, | |
142 | group=vkm._VAULT_OPT_GROUP) | |
143 | if vault_kv_version is not None: | |
144 | conf.set_default('kv_version', vault_kv_version, | |
145 | group=vkm._VAULT_OPT_GROUP) | |
136 | 146 | |
137 | 147 | |
138 | 148 | def enable_logging(conf=None, app_name='castellan'): |
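Review bot: Inserting `vault_namespace=None` ahead of `barbican_endpoint_type` (new lines 48-49) shifts the positional order of `set_defaults`, so any caller that passes `barbican_endpoint_type` positionally would now silently set the Vault namespace instead; `vault_kv_version` was appended at the end, and `vault_namespace` belongs there as well, e.g. `barbican_endpoint_type=None, vault_namespace=None, vault_kv_version=None):`. The docstring for `vault_kv_version` (new line 74) does not say which values the driver accepts; if only specific versions are understood, name them there as the `barbican_endpoint_type` entry does. The `set_defaults` signature starts before this hunk, so I cannot see whether these parameters are already keyword-only, which would make the ordering concern moot.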
292 | 292 | # Create order and assign return value |
293 | 293 | order = mock.Mock() |
294 | 294 | order.secret_ref = self.secret_ref |
295 | order.status = u'ACTIVE' | |
295 | order.status = 'ACTIVE' | |
296 | 296 | self.mock_barbican.orders.get.return_value = order |
297 | 297 | |
298 | 298 | # Create the key, get the UUID |
329 | 329 | container_id = "16caa8f4-dd34-4fb3-bf67-6c20533a30e4" |
330 | 330 | container_ref = ("http://localhost:9311/v1/containers/" + container_id) |
331 | 331 | order.container_ref = container_ref |
332 | order.status = u'ACTIVE' | |
332 | order.status = 'ACTIVE' | |
333 | 333 | self.mock_barbican.orders.get.return_value = order |
334 | 334 | |
335 | 335 | # Create container and assign return value |
502 | 502 | "4fe939b7-72bc-49aa-bd1e-e979589858af") |
503 | 503 | |
504 | 504 | pending_order = mock.Mock() |
505 | pending_order.status = u'PENDING' | |
505 | pending_order.status = 'PENDING' | |
506 | 506 | pending_order.order_ref = order_ref_url |
507 | 507 | |
508 | 508 | active_order = mock.Mock() |
509 | 509 | active_order.secret_ref = self.secret_ref |
510 | active_order.status = u'ACTIVE' | |
510 | active_order.status = 'ACTIVE' | |
511 | 511 | active_order.order_ref = order_ref_url |
512 | 512 | |
513 | 513 | self.mock_barbican.orders.get.side_effect = [pending_order, |
527 | 527 | number_of_retries = self.key_mgr.conf.barbican.number_of_retries |
528 | 528 | |
529 | 529 | pending_order = mock.Mock() |
530 | pending_order.status = u'PENDING' | |
530 | pending_order.status = 'PENDING' | |
531 | 531 | pending_order.order_ref = order_ref_url |
532 | 532 | |
533 | 533 | self.mock_barbican.orders.get.return_value = pending_order |
545 | 545 | "4fe939b7-72bc-49aa-bd1e-e979589858af") |
546 | 546 | |
547 | 547 | error_order = mock.Mock() |
548 | error_order.status = u'ERROR' | |
548 | error_order.status = 'ERROR' | |
549 | 549 | error_order.order_ref = order_ref_url |
550 | 550 | error_order.error_status_code = u"500" |
551 | 551 | error_order.error_reason = u"Test Error" |
0 | # Copyright (c) 2021 Mirantis Inc | |
1 | # All Rights Reserved. | |
2 | # | |
3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may | |
4 | # not use this file except in compliance with the License. You may obtain | |
5 | # a copy of the License at | |
6 | # | |
7 | # http://www.apache.org/licenses/LICENSE-2.0 | |
8 | # | |
9 | # Unless required by applicable law or agreed to in writing, software | |
10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | |
11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | |
12 | # License for the specific language governing permissions and limitations | |
13 | # under the License. | |
14 | ||
15 | """ | |
16 | Test cases for Vault key manager. | |
17 | """ | |
18 | import requests_mock | |
19 | ||
20 | from castellan.key_manager import vault_key_manager | |
21 | from castellan.tests.unit.key_manager import test_key_manager | |
22 | ||
23 | ||
24 | class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase): | |
25 | ||
26 | def _create_key_manager(self): | |
27 | return vault_key_manager.VaultKeyManager(self.conf) | |
28 | ||
29 | def test_auth_headers_root_token(self): | |
30 | self.key_mgr._root_token_id = "spam" | |
31 | expected_headers = {"X-Vault-Token": "spam"} | |
32 | self.assertEqual(expected_headers, | |
33 | self.key_mgr._build_auth_headers()) | |
34 | ||
35 | def test_auth_headers_root_token_with_namespace(self): | |
36 | self.key_mgr._root_token_id = "spam" | |
37 | self.key_mgr._namespace = "ham" | |
38 | expected_headers = {"X-Vault-Token": "spam", | |
39 | "X-Vault-Namespace": "ham"} | |
40 | self.assertEqual(expected_headers, | |
41 | self.key_mgr._build_auth_headers()) | |
42 | ||
43 | @requests_mock.Mocker() | |
44 | def test_auth_headers_app_role(self, m): | |
45 | self.key_mgr._approle_role_id = "spam" | |
46 | self.key_mgr._approle_secret_id = "secret" | |
47 | m.post( | |
48 | "http://127.0.0.1:8200/v1/auth/approle/login", | |
49 | json={"auth": {"client_token": "token", "lease_duration": 3600}} | |
50 | ) | |
51 | expected_headers = {"X-Vault-Token": "token"} | |
52 | self.assertEqual(expected_headers, self.key_mgr._build_auth_headers()) | |
53 | ||
54 | @requests_mock.Mocker() | |
55 | def test_auth_headers_app_role_with_namespace(self, m): | |
56 | self.key_mgr._approle_role_id = "spam" | |
57 | self.key_mgr._approle_secret_id = "secret" | |
58 | self.key_mgr._namespace = "ham" | |
59 | m.post( | |
60 | "http://127.0.0.1:8200/v1/auth/approle/login", | |
61 | json={"auth": {"client_token": "token", "lease_duration": 3600}} | |
62 | ) | |
63 | expected_headers = {"X-Vault-Token": "token", | |
64 | "X-Vault-Namespace": "ham"} | |
65 | self.assertEqual(expected_headers, self.key_mgr._build_auth_headers()) |
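Review bot: `test_auth_headers_app_role_with_namespace` (lines 55-65) only checks the dict returned by `_build_auth_headers()`; it never verifies that the AppRole login POST itself carried `X-Vault-Namespace`, which is the part of the change that makes namespace-scoped auth mounts work, so a regression that drops `headers=headers` from the login call would still pass. Adding `self.assertEqual("ham", m.last_request.headers["X-Vault-Namespace"])` after the existing assert closes that gap, and a matching `self.assertNotIn("X-Vault-Namespace", m.last_request.headers)` in `test_auth_headers_app_role` pins the no-namespace case. The mocked URL `http://127.0.0.1:8200/v1/auth/approle/login` presumably relies on the default `vault_url`; if the base test case can override it, the test should set `vault_url` explicitly rather than depend on that default.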
37 | 37 | master_doc = 'index' |
38 | 38 | |
39 | 39 | # General information about the project. |
40 | project = u'castellan' | |
41 | copyright = u'2013, OpenStack Foundation' | |
40 | project = 'castellan' | |
41 | copyright = '2013, OpenStack Foundation' | |
42 | 42 | |
43 | 43 | # If true, '()' will be appended to :func: etc. cross-reference text. |
44 | 44 | add_function_parentheses = True |
71 | 71 | latex_documents = [ |
72 | 72 | ('index', |
73 | 73 | 'doc-castellan.tex', |
74 | u'%s Documentation' % project, | |
75 | u'OpenStack Foundation', 'manual'), | |
74 | '%s Documentation' % project, | |
75 | 'OpenStack Foundation', 'manual'), | |
76 | 76 | ] |
77 | 77 | |
78 | 78 | latex_elements = { |
0 | --- | |
1 | features: | |
2 | - | | |
3 | Added support for Vault Namespaces, which is a `feature of Vault Enterprise | |
4 | <https://www.vaultproject.io/docs/enterprise/namespaces>`_. | |
5 | A new config option ``namespace`` is added to the configuration of Vault | |
6 | key manager to support this feature. |
55 | 55 | openstackdocs_auto_name = False |
56 | 56 | openstackdocs_bug_project = 'castellan' |
57 | 57 | openstackdocs_bug_tag = 'doc' |
58 | project = u'Castellan Release Notes' | |
59 | copyright = u'2017, Castellan Developers' | |
58 | project = 'Castellan Release Notes' | |
59 | copyright = '2017, Castellan Developers' | |
60 | 60 | |
61 | 61 | # Release notes do not need a version number in the title, they |
62 | 62 | # cover multiple releases. |
203 | 203 | # author, documentclass [howto, manual, or own class]). |
204 | 204 | latex_documents = [ |
205 | 205 | ('index', 'CastellanReleaseNotes.tex', |
206 | u'Castellan Release Notes Documentation', | |
207 | u'Castellan Developers', 'manual'), | |
206 | 'Castellan Release Notes Documentation', | |
207 | 'Castellan Developers', 'manual'), | |
208 | 208 | ] |
209 | 209 | |
210 | 210 | # The name of an image file (relative to this directory) to place at the top of |
234 | 234 | # (source start file, name, description, authors, manual section). |
235 | 235 | man_pages = [ |
236 | 236 | ('index', 'castellanreleasenotes', |
237 | u'Castellan Release Notes Documentation', | |
238 | [u'Castellan Developers'], 1) | |
237 | 'Castellan Release Notes Documentation', | |
238 | ['Castellan Developers'], 1) | |
239 | 239 | ] |
240 | 240 | |
241 | 241 | # If true, show URL addresses after external links. |
249 | 249 | # dir menu entry, description, category) |
250 | 250 | texinfo_documents = [ |
251 | 251 | ('index', 'CastellanReleaseNotes', |
252 | u'Castellan Release Notes Documentation', | |
253 | u'Castellan Developers', 'CastellanReleaseNotes', | |
252 | 'Castellan Release Notes Documentation', | |
253 | 'Castellan Developers', 'CastellanReleaseNotes', | |
254 | 254 | 'One line description of project.', |
255 | 255 | 'Miscellaneous'), |
256 | 256 | ] |