Comment 8 for bug 1182797

Kirill Izotov (enykeev) wrote :

It's a bit more complicated than that. You can retrieve a keypair by name if you add an API for that (novaclient(request).keypairs.get is already here), but neither 'list' nor 'get' will return you the PRIVATE key (and this is what you need to return to the user when he tries to redownload the keypair).

Actually, the whole concept of generating a PKI keypair on a server is very, very wrong because then you have to download your private key through open channels, and that would compromise your security. You can say that you should use HTTPS for that, but a) Horizon won't force you to do that and b) this is really not how security is supposed to work. All this is actually not Horizon's fault; it just implements the API that was here long ago. And yes, it is convenient, but still wrong.

I dug a bit deeper and found that you actually don't need the :download view at all. If the user can't redownload the key, then we shouldn't show him the link in the first place; then we have nothing to show on that page and should probably remove it completely and point the user straight to :generate. And it would work flawlessly right until we notice that our key doesn't show up in the key pair list until we reload the page. So, now we need a way to both reload the page and download the key. You can do that by intercepting the form's onsubmit event and opening a popup window for the download while at the same time reloading the page. But now you don't know where to point your window.open, since {% url 'horizon:project:access_and_security:keypairs:generate' keypair_name %} populates itself before the user has picked a name for the keypair... It's like Carroll's rabbit hole: it gets bigger with every step you make.

I'll take over the bug when I'm sure I can handle it, but please stop me if I'm going the wrong way.