From 1872ea54d8801992a5537b0a280ff60023976db0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es=20de=20Medeiros?=
 <moguimar@redhat.com>
Date: Tue, 9 Oct 2018 16:20:31 +0200
Subject: [PATCH] Add 'barbican-manage hsm check_[mkek|hmac].
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

New command to check if a label exists, so
that a script that generate the keys can use
it to determine wheteher gen_mkek/gejn_hmac
needs to be called or not.

Change-Id: I6eb0d138fe3d3f322d94e47d21ec6ec58469995e
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
---
 barbican/cmd/barbican_manage.py               | 51 +++++++++++++++++--
 barbican/tests/cmd/test_barbican_manage.py    | 20 ++++++++
 ...ge-check-subcommands-38835078f5cc0ce2.yaml |  7 +++
 3 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/add-barbican-manage-check-subcommands-38835078f5cc0ce2.yaml

diff --git a/barbican/cmd/barbican_manage.py b/barbican/cmd/barbican_manage.py
index 520c570e9..d1572c997 100644
--- a/barbican/cmd/barbican_manage.py
+++ b/barbican/cmd/barbican_manage.py
@@ -172,6 +172,27 @@ class HSMCommands(object):
 
     description = "Subcommands for managing HSM/PKCS11"
 
+    check_mkek_description = "Checks if a MKEK label is available"
+
+    @args('--library-path', metavar='<library-path>', dest='libpath',
+          default='/usr/lib/libCryptoki2_64.so',
+          help='Path to vendor PKCS11 library')
+    @args('--slot-id', metavar='<slot-id>', dest='slotid', default=1,
+          help='HSM Slot id (Should correspond to a configured PKCS11 slot, \
+          default is 1)')
+    @args('--passphrase', metavar='<passphrase>', default=None, required=True,
+          help='Password to login to PKCS11 session')
+    @args('--label', '-L', metavar='<label>', default='primarymkek',
+          help='The label of the Master Key Encrypt Key')
+    def check_mkek(self, passphrase, libpath=None, slotid=None, label=None):
+        CKK_AES = 'CKK_AES'
+        self._create_pkcs11_session(str(passphrase), str(libpath), int(slotid))
+        handle = self.pkcs11.get_key_handle(CKK_AES, str(label), self.session)
+        self.pkcs11.return_session(self.session)
+        if not handle:
+            print("Label {label} is not set.".format(label=label))
+            sys.exit(1)
+
     gen_mkek_description = "Generates a new MKEK"
 
     @args('--library-path', metavar='<library-path>', dest='libpath',
@@ -199,6 +220,30 @@ class HSMCommands(object):
         self.pkcs11.return_session(self.session)
         print("MKEK successfully generated!")
 
+    check_hmac_description = "Checks if a HMAC key label is available"
+
+    @args('--library-path', metavar='<library-path>', dest='libpath',
+          default='/usr/lib/libCryptoki2_64.so',
+          help='Path to vendor PKCS11 library')
+    @args('--slot-id', metavar='<slot-id>', dest='slotid', default=1,
+          help='HSM Slot id (Should correspond to a configured PKCS11 slot, \
+          default is 1)')
+    @args('--passphrase', metavar='<passphrase>', default=None, required=True,
+          help='Password to login to PKCS11 session')
+    @args('--label', '-L', metavar='<label>', default='primarymkek',
+          help='The label of the Master HMAC key')
+    @args('--key-type', '-t', metavar='<key type>', dest='keytype',
+          default='CKK_AES', help='The HMAC Key Type (e.g. CKK_AES)')
+    def check_hmac(self, passphrase, libpath=None, slotid=None, label=None,
+                   keytype=None):
+        self._create_pkcs11_session(str(passphrase), str(libpath), int(slotid))
+        handle = self.pkcs11.get_key_handle(str(keytype), str(label),
+                                            self.session)
+        self.pkcs11.return_session(self.session)
+        if not handle:
+            print("Label {label} is not set.".format(label=label))
+            sys.exit(1)
+
     gen_hmac_description = "Generates a new HMAC key"
 
     @args('--library-path', metavar='<library-path>', dest='libpath',
@@ -248,10 +293,7 @@ class HSMCommands(object):
     def _verify_label_does_not_exist(self, key_type, label, session):
         key_handle = self.pkcs11.get_key_handle(key_type, label, session)
         if key_handle:
-            print(
-                "The label {label} already exists! "
-                "Please try again.".format(label=label)
-            )
+            print("The label {label} already exists!".format(label=label))
             sys.exit(1)
 
 
@@ -358,5 +400,6 @@ def main():
     except Exception as e:
         sys.exit("ERROR: %s" % e)
 
+
 if __name__ == '__main__':
     main()
diff --git a/barbican/tests/cmd/test_barbican_manage.py b/barbican/tests/cmd/test_barbican_manage.py
index b4324f470..d9b04e64a 100644
--- a/barbican/tests/cmd/test_barbican_manage.py
+++ b/barbican/tests/cmd/test_barbican_manage.py
@@ -156,6 +156,16 @@ class TestBarbicanManage(TestBarbicanManageBase):
             ['barbican.cmd.barbican_manage', 'db', 'current'], mock_current,
             False, sql_url='mockdburl')
 
+    @mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
+    def test_hsm_check_mkek(self, mock_pkcs11):
+        mock_pkcs11.return_value.get_session.return_value = 1
+        mock_pkcs11.return_value.get_key_handle.return_value = 1
+        mock_getkey = mock_pkcs11.return_value.get_key_handle
+        self._main_test_helper(
+            ['barbican.cmd.barbican_manage', 'hsm', 'check_mkek',
+             '--library-path', 'mocklib', '--passphrase', 'mockpassewd',
+             '--label', 'mocklabel'], mock_getkey, 'CKK_AES', 'mocklabel', 1)
+
     @mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
     def test_hsm_gen_mkek(self, mock_pkcs11):
         mock_pkcs11.return_value.get_session.return_value = 1
@@ -194,6 +204,16 @@ class TestBarbicanManage(TestBarbicanManageBase):
             mock_genkey, 'CKK_AES', 48, 'CKM_AES_KEY_GEN', 1, 'mocklabel',
             encrypt=True, wrap=True, master_key=True)
 
+    @mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
+    def test_hsm_check_hmac(self, mock_pkcs11):
+        mock_pkcs11.return_value.get_session.return_value = 1
+        mock_pkcs11.return_value.get_key_handle.return_value = 1
+        mock_getkey = mock_pkcs11.return_value.get_key_handle
+        self._main_test_helper(
+            ['barbican.cmd.barbican_manage', 'hsm', 'check_hmac',
+             '--library-path', 'mocklib', '--passphrase', 'mockpassewd',
+             '--label', 'mocklabel'], mock_getkey, 'CKK_AES', 'mocklabel', 1)
+
     @mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
     def test_hsm_gen_hmac_non_default_length(self, mock_pkcs11):
         mock_pkcs11.return_value.get_session.return_value = 1
diff --git a/releasenotes/notes/add-barbican-manage-check-subcommands-38835078f5cc0ce2.yaml b/releasenotes/notes/add-barbican-manage-check-subcommands-38835078f5cc0ce2.yaml
new file mode 100644
index 000000000..ee8c13d4f
--- /dev/null
+++ b/releasenotes/notes/add-barbican-manage-check-subcommands-38835078f5cc0ce2.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added two new subcommands to `barbican-manage hsm` that can query the HSM
+    to check if a MKEK or HMAC key with the given label already exists.  See
+    `barbican-manage hsm check_mkek --help` and
+    `barbican-manage hsm check_hmac --help` for details.