Activity log for bug #1620860

Date Who What changed Old value New value Message
2016-09-07 00:09:23 Arun Kant bug added bug
2016-09-07 09:22:20 Arun Kant description

Old value:

As part of the bug fix for https://bugs.launchpad.net/barbican/+bug/1561701, the related review (https://review.openstack.org/#/c/299108/) has broken kmip plugin payload read functionality. The issue is related to line # 157 in https://review.openstack.org/#/c/299108/3/barbican/api/controllers/secrets.py . Here the change is looking for 'encrypted_data' (relationship to the encrypted_data table) from secrets to check if there is encrypted key material defined for the given secret id. This works for the db and pkcs11 backends as those plugins store encrypted key material in the database, whereas the kmip plugin stores key material in the kmip device and NOT in the db. So it fails only for the kmip device, and it's merged upstream as there is no voting gate to check against a kmip device.

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
{"code": 404, "description": "Not Found. Sorry but your secret has no payload.", "title": "Not Found"}

Now when I comment out the related change in the secrets controller, it works fine.

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
��o�R�Ќ;��޿)}��`�`#q� Ba

New value:

As part of the bug fix for https://bugs.launchpad.net/barbican/+bug/1561701, the related review (https://review.openstack.org/#/c/299108/) has broken kmip plugin payload read functionality. The issue is related to line # 157 in https://review.openstack.org/#/c/299108/3/barbican/api/controllers/secrets.py . Here the change is looking for 'encrypted_data' (relationship to the encrypted_data table) from secrets to check if there is encrypted key material defined for the given secret id. This works for the db and pkcs11 backends as those plugins store encrypted key material in the database, whereas the kmip plugin stores key material in the kmip device and NOT in the db. So it fails only for the kmip device, and it's merged upstream as there is no voting gate to check against a kmip device.

Steps to reproduce with the kmip plugin and address it.

1) Create a new secret with payload

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X POST -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' -d '{"name": "HLM Test KMIP key", "expiration": "2018-12-28T19:14:44.180394", "algorithm": "aes", "bit_length": 256, "mode": "cbc", "payload": "lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=", "payload_content_type": "application/octet-stream", "payload_content_encoding": "base64", "secret_type": "symmetric" }' http://localhost:9311/v1/secrets

2) Verify the secret is stored via the kmip plugin

mysql> select * from secrets;
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| id                                   | created_at          | updated_at          | deleted_at | deleted | status | name              | secret_type | expiration          | algorithm | bit_length | mode | creator_id                       | project_id                           |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| 54150f4c-a0cf-4612-9b0e-84217505fcc1 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | ACTIVE | HLM Test KMIP key | symmetric   | 2018-12-28 19:14:44 | aes       |        256 | cbc  | 030a8e263ae642c6ba57a29f39034b77 | e220d294-8308-49eb-918b-5390c88edb29 |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
1 row in set (0.01 sec)

mysql> select * from secret_store_metadata;
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| id                                   | created_at          | updated_at          | deleted_at | deleted | status  | key          | value                                             | secret_id                            |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| 3a5a4794-9359-4378-9590-4bb1475411f3 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | key_uuid     | 9fdc8f21-8f96-47d3-aa90-d89a1901ad67              | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| 4279382e-3e6d-400d-b4ce-c0b0834f6817 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | content_type | application/octet-stream                          | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| cc53fec7-00c0-448a-8eb3-410022663146 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | plugin_name  | barbican.plugin.kmip_secret_store.KMIPSecretStore | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
3 rows in set (0.00 sec)

3) Now read the secret and then its payload for secret id = '54150f4c-a0cf-4612-9b0e-84217505fcc1'

curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1
{"status": "ACTIVE", "secret_type": "symmetric", "updated": "2016-09-06T23:12:20", "name": "HLM Test KMIP key", "algorithm": "aes", "created": "2016-09-06T23:12:20", "secret_ref": "http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1", "content_types": {"default": "application/octet-stream"}, "creator_id": "030a8e263ae642c6ba57a29f39034b77", "mode": "cbc", "bit_length": 256, "expiration": "2018-12-28T19:14:44"}

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
{"code": 404, "description": "Not Found. Sorry but your secret has no payload.", "title": "Not Found"}

4) Now when I reverted the related change in the secrets controller, it works fine.

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
��o�R�Ќ;��޿)}��`�`#q� Ba

or

curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload | python -m base64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    32  100    32    0     0     53      0 --:--:-- --:--:-- --:--:--    53
lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=

2016-09-07 09:25:07 Arun Kant description

Old value: identical to the new value of the 09:22:20 entry above.

New value:

As part of the bug fix for https://bugs.launchpad.net/barbican/+bug/1561701, the related review (https://review.openstack.org/#/c/299108/) has broken kmip plugin payload read functionality. The issue is related to line # 157 in https://review.openstack.org/#/c/299108/3/barbican/api/controllers/secrets.py . Here the change is looking for 'encrypted_data' (relationship to the encrypted_data table) from secrets to check if there is encrypted key material defined for the given secret id. This works for the db and pkcs11 backends as those plugins store encrypted key material in the database, whereas the kmip plugin stores key material in the kmip device and NOT in the db. So it fails only for the kmip device, and it's merged upstream as there is no voting gate to check against a kmip device.

Steps to reproduce with the kmip plugin and address it.

#1) Create a new secret with payload

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X POST -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' -d '{"name": "HLM Test KMIP key", "expiration": "2018-12-28T19:14:44.180394", "algorithm": "aes", "bit_length": 256, "mode": "cbc", "payload": "lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=", "payload_content_type": "application/octet-stream", "payload_content_encoding": "base64", "secret_type": "symmetric" }' http://localhost:9311/v1/secrets

#2) Verify the secret is stored via the kmip plugin

mysql> select * from secrets;
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| id                                   | created_at          | updated_at          | deleted_at | deleted | status | name              | secret_type | expiration          | algorithm | bit_length | mode | creator_id                       | project_id                           |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| 54150f4c-a0cf-4612-9b0e-84217505fcc1 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | ACTIVE | HLM Test KMIP key | symmetric   | 2018-12-28 19:14:44 | aes       |        256 | cbc  | 030a8e263ae642c6ba57a29f39034b77 | e220d294-8308-49eb-918b-5390c88edb29 |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
1 row in set (0.01 sec)

mysql> select * from secret_store_metadata;
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| id                                   | created_at          | updated_at          | deleted_at | deleted | status  | key          | value                                             | secret_id                            |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| 3a5a4794-9359-4378-9590-4bb1475411f3 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | key_uuid     | 9fdc8f21-8f96-47d3-aa90-d89a1901ad67              | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| 4279382e-3e6d-400d-b4ce-c0b0834f6817 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | content_type | application/octet-stream                          | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| cc53fec7-00c0-448a-8eb3-410022663146 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL       |       0 | PENDING | plugin_name  | barbican.plugin.kmip_secret_store.KMIPSecretStore | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
3 rows in set (0.00 sec)

mysql> select * from encrypted_data;
Empty set (0.00 sec)

mysql>

#3) Now read the secret and then its payload for secret id = '54150f4c-a0cf-4612-9b0e-84217505fcc1'

curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1
{"status": "ACTIVE", "secret_type": "symmetric", "updated": "2016-09-06T23:12:20", "name": "HLM Test KMIP key", "algorithm": "aes", "created": "2016-09-06T23:12:20", "secret_ref": "http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1", "content_types": {"default": "application/octet-stream"}, "creator_id": "030a8e263ae642c6ba57a29f39034b77", "mode": "cbc", "bit_length": 256, "expiration": "2018-12-28T19:14:44"}

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
{"code": 404, "description": "Not Found. Sorry but your secret has no payload.", "title": "Not Found"}

#4) Now when I reverted the related change in the secrets controller, it works fine.

arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
��o�R�Ќ;��޿)}��`�`#q� Ba

or

curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload | python -m base64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    32  100    32    0     0     53      0 --:--:-- --:--:-- --:--:--    53
lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=
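The root cause described in the bug report, modelled as an added example (this is not Barbican's code: Secret, store_metadata, has_payload_db_only, has_payload and payload_status are hypothetical stand-ins for the controller check at line 157 of secrets.py, and the sample secrets are constructed from the mysql rows in the report). It places the database-only check the report calls broken beside a backend-agnostic one that also recognises material held on a KMIP device, and shows which HTTP status each would produce for the payload endpoint.

```python
"""Model of the payload-existence check the bug report describes.

Added illustration, not Barbican's code: Secret, its two fields and the
has_payload* functions are hypothetical stand-ins for the controller logic
at line 157 of secrets.py that the report points at.
"""
from dataclasses import dataclass, field

KMIP_PLUGIN = "barbican.plugin.kmip_secret_store.KMIPSecretStore"


@dataclass
class Secret:
    secret_id: str
    # Rows of the encrypted_data table. Per the report, only the db and
    # pkcs11 plugins write here; the KMIP plugin keeps material on the device.
    encrypted_data: list = field(default_factory=list)
    # Rows of secret_store_metadata as key -> value (plugin_name, key_uuid, ...).
    store_metadata: dict = field(default_factory=dict)


def has_payload_db_only(secret):
    """The check the report describes as broken: a payload exists only if
    encrypted key material is present in the database."""
    return bool(secret.encrypted_data)


def has_payload(secret):
    """Backend-agnostic check. Assumption: every store plugin that accepted a
    payload records plugin_name in secret_store_metadata (the KMIP rows in the
    report show this); encrypted_data still covers the db/pkcs11 case."""
    if secret.encrypted_data:
        return True
    return "plugin_name" in secret.store_metadata


def payload_status(secret, check):
    """HTTP status the payload endpoint would return under a given check:
    200 when material is found, 404 ("your secret has no payload") otherwise."""
    return 200 if check(secret) else 404


# Constructed sample: the KMIP-backed secret from the report. encrypted_data is
# empty ("select * from encrypted_data" -> Empty set) while the metadata rows
# carry the device handle and plugin name.
KMIP_SECRET = Secret(
    "54150f4c-a0cf-4612-9b0e-84217505fcc1",
    encrypted_data=[],
    store_metadata={
        "key_uuid": "9fdc8f21-8f96-47d3-aa90-d89a1901ad67",
        "content_type": "application/octet-stream",
        "plugin_name": KMIP_PLUGIN,
    },
)

# Constructed sample: a db/pkcs11-style secret whose material is in the DB.
# The id, plugin name and ciphertext are placeholders, not values from the report.
DB_SECRET = Secret(
    "db-secret-example-id",
    encrypted_data=[{"content_type": "application/octet-stream",
                     "ciphertext": b"<constructed ciphertext>"}],
    store_metadata={"plugin_name": "example.db.plugin"},
)

# Constructed sample: a secret created without any payload at all.
EMPTY_SECRET = Secret("metadata-only-example-id")


if __name__ == "__main__":
    for name, secret in (("kmip", KMIP_SECRET), ("db", DB_SECRET),
                         ("empty", EMPTY_SECRET)):
        print(name,
              "db-only check ->", payload_status(secret, has_payload_db_only),
              "backend-agnostic check ->", payload_status(secret, has_payload))
```

The KMIP secret is the discriminating case: the database-only check answers 404 for it, the backend-agnostic check 200, while both checks agree on the db-backed and the payload-less secret.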
2016-09-07 09:34:10 Arun Kant bug added subscriber Kaitlin Farr
2016-09-07 09:34:35 Arun Kant removed subscriber Kaitlin Farr
2016-09-07 09:35:01 Arun Kant bug added subscriber Kaitlin Farr
2016-09-07 17:55:04 Arun Kant barbican: status New Invalid