KMIP plugin broken in newton branch

Bug #1620860 reported by Arun Kant on 2016-09-07
Affects    Status     Importance   Assigned to   Milestone
Barbican   Invalid    Undecided    Unassigned

Bug Description

As part of the bug fix for https://bugs.launchpad.net/barbican/+bug/1561701, the related review (https://review.openstack.org/#/c/299108/) has broken the kmip plugin payload read functionality.

The issue is related to line # 157 in https://review.openstack.org/#/c/299108/3/barbican/api/controllers/secrets.py . Here the change is looking for 'encrypted_data' (the relationship to the encrypted_data table) from secrets to check if there is encrypted key material defined for the given secret id. This works for the db and pkcs11 backends, as those plugins store encrypted key material in the database, whereas the kmip plugin stores key material in the kmip device and NOT in the db. So it fails only for the kmip device, and it's merged upstream as there is no voting gate to check against a kmip device.

Steps to reproduce with the kmip plugin, and how to address it.

#1) Create a new secret with a payload

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X POST -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' -d '{"name": "HLM Test KMIP key", "expiration": "2018-12-28T19:14:44.180394", "algorithm": "aes", "bit_length": 256, "mode": "cbc", "payload": "lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=", "payload_content_type": "application/octet-stream", "payload_content_encoding": "base64", "secret_type": "symmetric" }' http://localhost:9311/v1/secrets

#2) Verify the secret is stored via the kmip plugin

mysql> select * from secrets;
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| id                                   | created_at          | updated_at          | deleted_at | deleted | status | name              | secret_type | expiration          | algorithm | bit_length | mode | creator_id                       | project_id                           |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| 54150f4c-a0cf-4612-9b0e-84217505fcc1 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | ACTIVE | HLM Test KMIP key | symmetric   | 2018-12-28 19:14:44 | aes       |        256 | cbc  | 030a8e263ae642c6ba57a29f39034b77 | e220d294-8308-49eb-918b-5390c88edb29 |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
1 row in set (0.01 sec)

mysql> select * from secret_store_metadata;
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| id                                   | created_at          | updated_at          | deleted_at | deleted | status  | key          | value                                             | secret_id                            |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| 3a5a4794-9359-4378-9590-4bb1475411f3 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | key_uuid     | 9fdc8f21-8f96-47d3-aa90-d89a1901ad67              | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| 4279382e-3e6d-400d-b4ce-c0b0834f6817 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | content_type | application/octet-stream                          | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| cc53fec7-00c0-448a-8eb3-410022663146 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | plugin_name  | barbican.plugin.kmip_secret_store.KMIPSecretStore | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
3 rows in set (0.00 sec)

mysql> select * from encrypted_data;
Empty set (0.00 sec)

#3) Now read the secret and then its payload for secret id = '54150f4c-a0cf-4612-9b0e-84217505fcc1'

curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1

{"status": "ACTIVE", "secret_type": "symmetric", "updated": "2016-09-06T23:12:20", "name": "HLM Test KMIP key", "algorithm": "aes", "created": "2016-09-06T23:12:20", "secret_ref": "http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1", "content_types": {"default": "application/octet-stream"}, "creator_id": "030a8e263ae642c6ba57a29f39034b77", "mode": "cbc", "bit_length": 256, "expiration": "2018-12-28T19:14:44"}

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
{"code": 404, "description": "Not Found. Sorry but your secret has no payload.", "title": "Not Found"}

#4) Now, when I reverted the related change in the secrets controller, it works fine.

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
��o�R�Ќ;��޿)}��`�`#q� Ba

or

curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload | python -m base64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    32  100    32    0     0     53      0 --:--:-- --:--:-- --:--:--    53
lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=
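As an added example (not Barbican's code, and not the fix from review 303202), the Python below models the check the description points at: a secret stored by KMIP has rows in secret_store_metadata but none in encrypted_data, so a payload check that consults only the encrypted_data relationship answers "no payload" for it and the controller returns 404. The Secret class, the function names, the metadata-aware rule and the non-KMIP records are hypothetical; the KMIP record copies the rows shown in the mysql output above.

```python
# Added example, not Barbican's code: a stand-in for the "does this secret
# have a payload?" decision described in the bug. Record shapes mirror the
# secrets / secret_store_metadata / encrypted_data rows in the report; class
# and function names are hypothetical.
from dataclasses import dataclass, field

KMIP_PLUGIN = "barbican.plugin.kmip_secret_store.KMIPSecretStore"

# Body the report shows for the failing payload GET.
NO_PAYLOAD = {
    "code": 404,
    "description": "Not Found. Sorry but your secret has no payload.",
    "title": "Not Found",
}


@dataclass
class Secret:
    """One `secrets` row plus its related rows (simplified, hypothetical)."""
    id: str
    # Rows from encrypted_data. Only DB-backed plugins (store_crypto, pkcs11)
    # write here; the KMIP plugin keeps key material on the KMIP device.
    encrypted_data: list = field(default_factory=list)
    # key -> value pairs from secret_store_metadata.
    store_metadata: dict = field(default_factory=dict)


def has_payload_db_only(secret: Secret) -> bool:
    """The check the report attributes to review 299108: a payload exists
    only when the encrypted_data relationship is populated. Wrong for KMIP."""
    return bool(secret.encrypted_data)


def has_payload(secret: Secret) -> bool:
    """Backend-agnostic rule (an assumption for this example, not the upstream
    fix): key material is either in encrypted_data, or a store plugin recorded
    a handle (key_uuid) for material it keeps outside the database."""
    if secret.encrypted_data:
        return True
    meta = secret.store_metadata
    return "plugin_name" in meta and "key_uuid" in meta


def get_payload_response(secret: Secret, check):
    """(status, body) that GET /v1/secrets/{id}/payload would produce when the
    controller decides payload presence with `check`. The 200 body stands in
    for the decrypted/fetched bytes, which this example does not model."""
    if not check(secret):
        return 404, NO_PAYLOAD
    return 200, None


# Constructed records: the KMIP secret from the report's DB output, plus a
# hypothetical DB-backed secret and a two-step secret with no payload uploaded.
KMIP_SECRET = Secret(
    id="54150f4c-a0cf-4612-9b0e-84217505fcc1",
    encrypted_data=[],
    store_metadata={
        "key_uuid": "9fdc8f21-8f96-47d3-aa90-d89a1901ad67",
        "content_type": "application/octet-stream",
        "plugin_name": KMIP_PLUGIN,
    },
)
DB_SECRET = Secret(
    id="11111111-1111-1111-1111-111111111111",   # hypothetical id
    encrypted_data=[{"cypher_text": b"\x00" * 48}],  # one constructed row
    store_metadata={"content_type": "application/octet-stream"},
)
EMPTY_SECRET = Secret(id="22222222-2222-2222-2222-222222222222")  # hypothetical


if __name__ == "__main__":
    for name, s in (("kmip", KMIP_SECRET), ("db", DB_SECRET), ("empty", EMPTY_SECRET)):
        print(f"{name:5s} db-only check -> {get_payload_response(s, has_payload_db_only)[0]}"
              f" | metadata-aware check -> {get_payload_response(s, has_payload)[0]}")
```

Run stand-alone, the KMIP record is the only one where the two rules disagree: the db-only rule yields the 404 from step #3, the metadata-aware rule yields 200 as in step #4, and the never-uploaded secret is 404 under both.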

Arun Kant (arunkant-uws) on 2016-09-07
description: updated
Arun Kant (arunkant-uws) wrote :

This issue has been addressed by another fix (https://review.openstack.org/#/c/303202/) in the newton branch, which handles the KMIP case as well. So this issue is no longer valid. I will close it.

Changed in barbican:
status: New → Invalid