barbican  12.0.0
About: OpenStack Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data.
The "Wallaby" series (latest release).
  Fossies Dox: barbican-12.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

barbican.plugin.crypto.base.CryptoPluginBase Class Reference
Inheritance diagram for barbican.plugin.crypto.base.CryptoPluginBase:
[legend]
Collaboration diagram for barbican.plugin.crypto.base.CryptoPluginBase:
[legend]

Public Member Functions

def get_plugin_name (self)
 
def encrypt (self, encrypt_dto, kek_meta_dto, project_id)
 
def decrypt (self, decrypt_dto, kek_meta_dto, kek_meta_extended, project_id)
 
def bind_kek_metadata (self, kek_meta_dto)
 
def generate_symmetric (self, generate_dto, kek_meta_dto, project_id)
 
def generate_asymmetric (self, generate_dto, kek_meta_dto, project_id)
 
def supports (self, type_enum, algorithm=None, bit_length=None, mode=None)
 

Detailed Description

Base class for all Crypto plugins.

Barbican requests operations by invoking the methods on an instance of the
implementing class.  Barbican's plugin manager handles the life-cycle of
the Data Transfer Objects (DTOs) that are passed into these methods, and
persist the data that is assigned to these DTOs by the plugin.

Definition at line 241 of file base.py.

Member Function Documentation

◆ bind_kek_metadata()

def barbican.plugin.crypto.base.CryptoPluginBase.bind_kek_metadata (   self,
  kek_meta_dto 
)
Key Encryption Key Metadata binding function

Bind a key encryption key (KEK) metadata to the sub-system
handling encryption/decryption, updating information about the
key encryption key (KEK) metadata in the supplied 'kek_metadata'
data-transfer-object instance, and then returning this instance.

This method is invoked prior to the encrypt() method above.
Implementors should fill out the supplied 'kek_meta_dto' instance
(an instance of KEKMetadata above) as needed to completely describe
the kek metadata and to complete the binding process. Barbican will
persist the contents of this instance once this method returns.

:param kek_meta_dto: Key encryption key metadata to bind, with the
       'kek_label' attribute guaranteed to be unique, and the
       and 'plugin_name' attribute already configured.
:returns: kek_meta_dto: Returns the specified DTO, after
          modifications.

Definition at line 301 of file base.py.

◆ decrypt()

def barbican.plugin.crypto.base.CryptoPluginBase.decrypt (   self,
  decrypt_dto,
  kek_meta_dto,
  kek_meta_extended,
  project_id 
)
Decrypt encrypted_datum in the context of the provided project.

:param decrypt_dto: data transfer object containing the cyphertext
       to be decrypted.
:param kek_meta_dto: Key encryption key metadata to use for decryption
:param kek_meta_extended: Optional per-secret KEK metadata to use for
    decryption.
:param project_id: Project ID associated with the encrypted datum.
:returns: str -- unencrypted byte data

Definition at line 285 of file base.py.

◆ encrypt()

def barbican.plugin.crypto.base.CryptoPluginBase.encrypt (   self,
  encrypt_dto,
  kek_meta_dto,
  project_id 
)
Encryption handler function

This method will be called by Barbican when requesting an encryption
operation on a secret on behalf of a project.

:param encrypt_dto: :class:`EncryptDTO` instance containing the raw
    secret byte data to be encrypted.
:type encrypt_dto: :class:`EncryptDTO`
:param kek_meta_dto: :class:`KEKMetaDTO` instance containing
    information about the project's Key Encryption Key (KEK) to be
    used for encryption.  Plugins may assume that binding via
    :meth:`bind_kek_metadata` has already taken place before this
    instance is passed in.
:type kek_meta_dto: :class:`KEKMetaDTO`
:param project_id: Project ID associated with the unencrypted data.
:return: A response DTO containing the cyphertext and KEK information.
:rtype: :class:`ResponseDTO`

Definition at line 263 of file base.py.

Referenced by barbican.plugin.crypto.simple_crypto.SimpleCryptoPlugin.generate_asymmetric(), and barbican.plugin.crypto.simple_crypto.SimpleCryptoPlugin.generate_symmetric().

◆ generate_asymmetric()

def barbican.plugin.crypto.base.CryptoPluginBase.generate_asymmetric (   self,
  generate_dto,
  kek_meta_dto,
  project_id 
)
Create a new asymmetric key.

:param generate_dto: data transfer object for the record
       associated with this generation request.  Some relevant
       parameters can be extracted from this object, including
       bit_length, algorithm and passphrase
:param kek_meta_dto: Key encryption key metadata to use for decryption
:param project_id: Project ID associated with the data.
:returns: A tuple containing  objects for private_key, public_key and
    optionally one for passphrase. The objects will be of type
    ResponseDTO.
    Each object containing encrypted data and kek_meta_extended, the
    former the resultant cypher text, the latter being optional
    per-secret metadata needed to decrypt (over and above the
    per-project metadata managed outside of the plugins)

Definition at line 341 of file base.py.

◆ generate_symmetric()

def barbican.plugin.crypto.base.CryptoPluginBase.generate_symmetric (   self,
  generate_dto,
  kek_meta_dto,
  project_id 
)
Generate a new key.

:param generate_dto: data transfer object for the record
       associated with this generation request.  Some relevant
       parameters can be extracted from this object, including
       bit_length, algorithm and mode
:param kek_meta_dto: Key encryption key metadata to use for decryption
:param project_id: Project ID associated with the data.
:returns: An object of type ResponseDTO containing encrypted data and
    kek_meta_extended, the former the resultant cypher text, the latter
    being optional per-secret metadata needed to decrypt (over and
    above the per-project metadata managed outside of the plugins)

Definition at line 324 of file base.py.

◆ get_plugin_name()

def barbican.plugin.crypto.base.CryptoPluginBase.get_plugin_name (   self)
Gets user friendly plugin name.

This plugin name is expected to be read from config file.
There will be a default defined for plugin name which can be customized
in specific deployment if needed.

This name needs to be unique across a deployment.

Definition at line 251 of file base.py.

◆ supports()

def barbican.plugin.crypto.base.CryptoPluginBase.supports (   self,
  type_enum,
  algorithm = None,
  bit_length = None,
  mode = None 
)
Used to determine if the plugin supports the requested operation.

:param type_enum: Enumeration from PluginSupportsType class
:param algorithm: String algorithm name if needed

Definition at line 361 of file base.py.


The documentation for this class was generated from the following file: