2016-09-07 09:22:20 |
Arun Kant |
description |
As part of the bug fix for https://bugs.launchpad.net/barbican/+bug/1561701, the related review (https://review.openstack.org/#/c/299108/) has broken the kmip plugin payload read functionality.
The issue is related to line # 157 in https://review.openstack.org/#/c/299108/3/barbican/api/controllers/secrets.py . Here the change looks for 'encrypted_data' (the relationship to the encrypted_data table) on the secret to check whether there is encrypted key material defined for the given secret id. This works for the db and pkcs11 backends, as those plugins store encrypted key material in the database, whereas the kmip plugin stores key material in the KMIP device and NOT in the db. So it fails only for the kmip device, and it's merged upstream as there is no voting gate to check against a kmip device.
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
{"code": 404, "description": "Not Found. Sorry but your secret has no payload.", "title": "Not Found"}
Now when I comment out the related change in the secrets controller, it works fine.
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
��o�R�Ќ;��)}��`�`#q� Ba |
As part of the bug fix for https://bugs.launchpad.net/barbican/+bug/1561701, the related review (https://review.openstack.org/#/c/299108/) has broken the kmip plugin payload read functionality.
The issue is related to line # 157 in https://review.openstack.org/#/c/299108/3/barbican/api/controllers/secrets.py . Here the change looks for 'encrypted_data' (the relationship to the encrypted_data table) on the secret to check whether there is encrypted key material defined for the given secret id. This works for the db and pkcs11 backends, as those plugins store encrypted key material in the database, whereas the kmip plugin stores key material in the KMIP device and NOT in the db. So it fails only for the kmip device, and it's merged upstream as there is no voting gate to check against a kmip device.
Steps to reproduce with the kmip plugin and address it.
1) Create a new secret with a payload
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X POST -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' -d '{"name": "HLM Test KMIP key", "expiration": "2018-12-28T19:14:44.180394", "algorithm": "aes", "bit_length": 256, "mode": "cbc", "payload": "lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=", "payload_content_type": "application/octet-stream", "payload_content_encoding": "base64", "secret_type": "symmetric" }' http://localhost:9311/v1/secrets
2) Verify the secret is stored via the kmip plugin
mysql> select * from secrets;
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| id | created_at | updated_at | deleted_at | deleted | status | name | secret_type | expiration | algorithm | bit_length | mode | creator_id | project_id |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| 54150f4c-a0cf-4612-9b0e-84217505fcc1 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | ACTIVE | HLM Test KMIP key | symmetric | 2018-12-28 19:14:44 | aes | 256 | cbc | 030a8e263ae642c6ba57a29f39034b77 | e220d294-8308-49eb-918b-5390c88edb29 |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
1 row in set (0.01 sec)
mysql> select * from secret_store_metadata;
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| id | created_at | updated_at | deleted_at | deleted | status | key | value | secret_id |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| 3a5a4794-9359-4378-9590-4bb1475411f3 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | PENDING | key_uuid | 9fdc8f21-8f96-47d3-aa90-d89a1901ad67 | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| 4279382e-3e6d-400d-b4ce-c0b0834f6817 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | PENDING | content_type | application/octet-stream | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| cc53fec7-00c0-448a-8eb3-410022663146 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | PENDING | plugin_name | barbican.plugin.kmip_secret_store.KMIPSecretStore | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
3 rows in set (0.00 sec)
3) Now read the secret and then its payload for secret id = '54150f4c-a0cf-4612-9b0e-84217505fcc1'
curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1
{"status": "ACTIVE", "secret_type": "symmetric", "updated": "2016-09-06T23:12:20", "name": "HLM Test KMIP key", "algorithm": "aes", "created": "2016-09-06T23:12:20", "secret_ref": "http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1", "content_types": {"default": "application/octet-stream"}, "creator_id": "030a8e263ae642c6ba57a29f39034b77", "mode": "cbc", "bit_length": 256, "expiration": "2018-12-28T19:14:44"}
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
{"code": 404, "description": "Not Found. Sorry but your secret has no payload.", "title": "Not Found"}
4) Now when I reverted the related change in the secrets controller, it works fine.
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
��o�R�Ќ;��)}��`�`#q� Ba
or
curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload | python -m base64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 32 100 32 0 0 53 0 --:--:-- --:--:-- --:--:-- 53
lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM= |
|
2016-09-07 09:25:07 |
Arun Kant |
description |
As part of the bug fix for https://bugs.launchpad.net/barbican/+bug/1561701, the related review (https://review.openstack.org/#/c/299108/) has broken the kmip plugin payload read functionality.
The issue is related to line # 157 in https://review.openstack.org/#/c/299108/3/barbican/api/controllers/secrets.py . Here the change looks for 'encrypted_data' (the relationship to the encrypted_data table) on the secret to check whether there is encrypted key material defined for the given secret id. This works for the db and pkcs11 backends, as those plugins store encrypted key material in the database, whereas the kmip plugin stores key material in the KMIP device and NOT in the db. So it fails only for the kmip device, and it's merged upstream as there is no voting gate to check against a kmip device.
Steps to reproduce with the kmip plugin and address it.
#1) Create a new secret with a payload
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X POST -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' -d '{"name": "HLM Test KMIP key", "expiration": "2018-12-28T19:14:44.180394", "algorithm": "aes", "bit_length": 256, "mode": "cbc", "payload": "lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM=", "payload_content_type": "application/octet-stream", "payload_content_encoding": "base64", "secret_type": "symmetric" }' http://localhost:9311/v1/secrets
#2) Verify the secret is stored via the kmip plugin
mysql> select * from secrets;
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| id | created_at | updated_at | deleted_at | deleted | status | name | secret_type | expiration | algorithm | bit_length | mode | creator_id | project_id |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
| 54150f4c-a0cf-4612-9b0e-84217505fcc1 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | ACTIVE | HLM Test KMIP key | symmetric | 2018-12-28 19:14:44 | aes | 256 | cbc | 030a8e263ae642c6ba57a29f39034b77 | e220d294-8308-49eb-918b-5390c88edb29 |
+--------------------------------------+---------------------+---------------------+------------+---------+--------+-------------------+-------------+---------------------+-----------+------------+------+----------------------------------+--------------------------------------+
1 row in set (0.01 sec)
mysql> select * from secret_store_metadata;
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| id | created_at | updated_at | deleted_at | deleted | status | key | value | secret_id |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
| 3a5a4794-9359-4378-9590-4bb1475411f3 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | PENDING | key_uuid | 9fdc8f21-8f96-47d3-aa90-d89a1901ad67 | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| 4279382e-3e6d-400d-b4ce-c0b0834f6817 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | PENDING | content_type | application/octet-stream | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
| cc53fec7-00c0-448a-8eb3-410022663146 | 2016-09-06 23:12:20 | 2016-09-06 23:12:20 | NULL | 0 | PENDING | plugin_name | barbican.plugin.kmip_secret_store.KMIPSecretStore | 54150f4c-a0cf-4612-9b0e-84217505fcc1 |
+--------------------------------------+---------------------+---------------------+------------+---------+---------+--------------+---------------------------------------------------+--------------------------------------+
3 rows in set (0.00 sec)
mysql> select * from encrypted_data;
Empty set (0.00 sec)
mysql>
#3) Now read the secret and then its payload for secret id = '54150f4c-a0cf-4612-9b0e-84217505fcc1'
curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1
{"status": "ACTIVE", "secret_type": "symmetric", "updated": "2016-09-06T23:12:20", "name": "HLM Test KMIP key", "algorithm": "aes", "created": "2016-09-06T23:12:20", "secret_ref": "http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1", "content_types": {"default": "application/octet-stream"}, "creator_id": "030a8e263ae642c6ba57a29f39034b77", "mode": "cbc", "bit_length": 256, "expiration": "2018-12-28T19:14:44"}
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
{"code": 404, "description": "Not Found. Sorry but your secret has no payload.", "title": "Not Found"}
#4) Now when I reverted the related change in the secrets controller, it works fine.
arun@arun-hp-z620-ws:~/myFolder/myWork/hp_gerrit/barbican$ curl -X GET -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload
��o�R�Ќ;��)}��`�`#q� Ba
or
curl -X GET -H 'content-type:application/json' -H 'X-Auth-Token:b24025f6678845aea89d60f4f39e746a' http://localhost:9311/v1/secrets/54150f4c-a0cf-4612-9b0e-84217505fcc1/payload | python -m base64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 32 100 32 0 0 53 0 --:--:-- --:--:-- --:--:-- 53
lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM= |
|
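The following is an added example, not Barbican's own code and not the upstream fix, that models the payload-existence check the report describes. `has_payload_broken` reproduces the logic being reported (consult only the secrets -> encrypted_data relationship), which returns "no payload" for a KMIP-backed secret whose key material lives in the device. `has_payload` is an assumed corrected rule that also treats a populated `secret_store_metadata` as evidence of stored key material, since the report shows that table is what the kmip plugin fills in. The `Secret` and `EncryptedDatum` shapes, the `KMIP_DEVICE` stand-in for the device, and the `DB_SECRET` / `EMPTY_SECRET` samples are constructed for illustration; the KMIP secret's id, its metadata rows and the base64 payload are the values from the report.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class EncryptedDatum:
    """One row of the encrypted_data table (assumed, simplified shape)."""
    cypher_text: bytes
    content_type: str


@dataclass
class Secret:
    """Subset of the secrets model relevant to the bug (assumed shape)."""
    id: str
    # Populated by plugins that keep encrypted key material in the database (db, pkcs11).
    encrypted_data: List[EncryptedDatum] = field(default_factory=list)
    # key -> value rows from secret_store_metadata; the kmip plugin records its
    # key_uuid, content_type and plugin_name here instead of using encrypted_data.
    secret_store_metadata: Dict[str, str] = field(default_factory=dict)


def has_payload_broken(secret: Secret) -> bool:
    """The check the report describes: only the encrypted_data relationship is consulted."""
    return bool(secret.encrypted_data)


def has_payload(secret: Secret) -> bool:
    """Assumed corrected rule: key material may live in an external store, in which
    case the plugin's metadata rows are the only database evidence that it exists."""
    return bool(secret.encrypted_data) or bool(secret.secret_store_metadata)


# Constructed stand-in for the KMIP device: key_uuid -> raw key bytes. The uuid and
# the base64 payload are the values from the report (32 raw bytes, as curl showed).
KMIP_DEVICE: Dict[str, bytes] = {
    "9fdc8f21-8f96-47d3-aa90-d89a1901ad67":
        base64.b64decode("lbVv+1Ke0Iw7h6Pevyl8CH2z7hRgh2AjGXHGAglCFOM="),
}


def fetch_payload(secret: Secret,
                  check: Callable[[Secret], bool] = has_payload) -> Optional[bytes]:
    """Mimics GET /v1/secrets/{id}/payload. None stands for the 404
    'Sorry but your secret has no payload' response in the report."""
    if not check(secret):
        return None
    if secret.encrypted_data:
        # db/pkcs11 path: the plugin would decrypt here; returned as-is in this model.
        return secret.encrypted_data[0].cypher_text
    # kmip path: look the key up in the device by the uuid recorded in metadata.
    return KMIP_DEVICE.get(secret.secret_store_metadata.get("key_uuid", ""))


# Secret from the report: metadata rows present, encrypted_data table empty.
KMIP_SECRET = Secret(
    id="54150f4c-a0cf-4612-9b0e-84217505fcc1",
    secret_store_metadata={
        "key_uuid": "9fdc8f21-8f96-47d3-aa90-d89a1901ad67",
        "content_type": "application/octet-stream",
        "plugin_name": "barbican.plugin.kmip_secret_store.KMIPSecretStore",
    },
)
# Constructed db-backed secret: encrypted_data populated, no plugin metadata.
DB_SECRET = Secret(
    id="constructed-db-secret",
    encrypted_data=[EncryptedDatum(b"\x00" * 16, "application/octet-stream")],
)
# Constructed secret with no key material anywhere: 404 is the correct answer here.
EMPTY_SECRET = Secret(id="constructed-empty-secret")


def compare_checks() -> Dict[str, Dict[str, bool]]:
    """Return, per sample secret, whether each check reports a payload."""
    return {
        s.id: {"broken": has_payload_broken(s), "fixed": has_payload(s)}
        for s in (KMIP_SECRET, DB_SECRET, EMPTY_SECRET)
    }


if __name__ == "__main__":
    for sid, result in compare_checks().items():
        print(sid, result)
    print("kmip payload via broken check:", fetch_payload(KMIP_SECRET, check=has_payload_broken))
    print("kmip payload via fixed check:", fetch_payload(KMIP_SECRET))
```

Run stand-alone, the script shows the KMIP secret reported as having no payload under the encrypted_data-only check and returning its 32-byte key under the metadata-aware check, while the db-backed and empty secrets behave identically under both. The point for a reviewer is that "no rows in encrypted_data" is not the same condition as "no key material" once a plugin stores material outside the database, so the existence check must be expressed in terms the plugin model actually guarantees.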