swift/test/functional/mock_swift_key_manager.py
Mathias Bjoerkqvist 77bd74da09 Retrieve encryption root secret from Barbican
This patch adds support for retrieving the encryption root secret from
an external key management system. In practice, this is currently
limited to Barbican.

Change-Id: I1700e997f4ae6fa1a7e68be6b97539a24046e80b
2017-08-02 15:53:09 +03:00

60 lines
2.5 KiB
Python

# Copyright (c) 2017 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from castellan.tests.unit.key_manager.mock_key_manager import MockKeyManager
class MockSwiftKeyManager(MockKeyManager):
"""Mocking key manager for Swift functional tests.
This mock key manager implementation extends the Castellan mock key
manager with support for a pre-existing key that the Swift proxy server
can use as the root encryption secret. The actual key material bytes
for the root encryption secret changes each time this mock key manager is
instantiated, meaning that data written earlier is no longer accessible
once the proxy server is restarted.
To use this mock key manager instead of the default Barbican key manager,
set the following property in the [kms_keymaster] section in the
keymaster.conf configuration file pointed to using the
keymaster_config_path property in the [filter:kms_keymaster] section in the
proxy-server.conf file:
api_class = test.functional.mock_swift_key_manager.MockSwiftKeyManager
In case of a Python import error, make sure that the swift directory under
which this mock key manager resides is early in the sys.path, e.g., by
setting it in the PYTHONPATH environment variable before starting the
proxy server.
This key manager is not suitable for use in production deployments.
"""
def __init__(self, configuration=None):
super(MockSwiftKeyManager, self).__init__(configuration)
'''
Create a new, random symmetric key for use as the encryption root
secret.
'''
existing_key = self._generate_key(algorithm='AES', length=256)
'''
Store the key under the UUID 'mock_key_manager_existing_key', from
where it can be retrieved by the proxy server. In the kms_keymaster
configuration, set the following property to use this key:
key_id = mock_key_manager_existing_key
'''
self.keys['mock_key_manager_existing_key'] = existing_key