mirror of
https://github.com/vmware/vsphere-automation-sdk-python.git
synced 2024-11-21 09:19:59 -05:00
Demonstrate the Native Key Provider APIs (#390)
This is a short demo of native key provider APIs in the Autpmation SDK. The demo includes how native key provider can be set as default for the system using pyvmomi. Signed-off-by: Kiril Karaatanssov <kkaraatanassov@vmware.com>
This commit is contained in:
parent
3a1023dc6a
commit
9f33a73ac4
@ -0,0 +1,185 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
* *******************************************************
|
||||
* Copyright (c) VMware, Inc. 2023. All Rights Reserved.
|
||||
* SPDX-License-Identifier: MIT
|
||||
* *******************************************************
|
||||
*
|
||||
* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,
|
||||
* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED
|
||||
* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY,
|
||||
* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
"""
|
||||
|
||||
|
||||
__author__ = 'Kiril Karaatanssov <kkaraatanassov@vmware.com>'
|
||||
__vcenter_version__ = '7.0.2.0'
|
||||
|
||||
|
||||
import requests
|
||||
import sys, time
|
||||
|
||||
from samples.vsphere.common import sample_cli
|
||||
from samples.vsphere.common import sample_util
|
||||
from samples.vsphere.common.ssl_helper import get_unverified_session
|
||||
|
||||
from vmware.vapi.vsphere.client import create_vsphere_client, VsphereClient
|
||||
from com.vmware.vcenter.crypto_manager import kms_client
|
||||
from com.vmware.vapi.std.errors_client import AlreadyExists
|
||||
from pyVim.connect import SmartConnect
|
||||
from pyVmomi import vim
|
||||
|
||||
"""
|
||||
Demonstrates common operations with vCenter Native Key Provider functionality.
|
||||
|
||||
This sample is a simple scenario that provisions native key provider, backs it
|
||||
up (which also activates it), deletes it, restores from back up, sets the new
|
||||
provider as default, reverts the defaults and deletes the new key provider.
|
||||
|
||||
There is one tricky part with export of the key provider data. This requires
|
||||
raw HTTP request to download the p12 key provider data with HTTP Authorization
|
||||
Bearer header and the token value from the API.
|
||||
|
||||
The APIs are described under:
|
||||
https://developer.vmware.com/apis/vsphere-automation/latest/vcenter/crypto_manager/kms.providers/
|
||||
|
||||
Setting and reading the default key provider is achieved using the
|
||||
CryptoMangerKmip API:
|
||||
https://developer.vmware.com/apis/vi-json/latest/crypto-manager-kmip/
|
||||
|
||||
Sample Prerequisites:
|
||||
- vCenter
|
||||
- Python 3.9
|
||||
"""
|
||||
|
||||
def get_kms_providers(client: VsphereClient) -> kms_client.Providers:
|
||||
return vsphere_client.vcenter.crypto_manager.kms.Providers
|
||||
|
||||
def print_kms_configurations(kmsProviders: kms_client.Providers):
|
||||
for provider in kmsProviders.list():
|
||||
print(f"Native Key Provider summary: {provider}")
|
||||
print(f"Native Key Provider details: {kmsProviders.get(provider.provider)}")
|
||||
print()
|
||||
|
||||
|
||||
def connect(host: str, user: str, pwd: str, insecure: bool) -> tuple[VsphereClient, vim.ServiceInstance]:
|
||||
session = requests.session()
|
||||
session = get_unverified_session() if insecure else None
|
||||
vsphere_client = create_vsphere_client(host, user, pwd, session=session)
|
||||
si = SmartConnect(host=host, user=user, pwd=pwd, disableSslCertValidation=insecure)
|
||||
return vsphere_client, si
|
||||
|
||||
|
||||
# Create argument parser for standard inputs:
|
||||
# server, username, password, cleanup and skipverification
|
||||
parser = sample_cli.build_arg_parser()
|
||||
|
||||
# Add your custom input arguments
|
||||
parser.add_argument('--key_provider',
|
||||
action='store',
|
||||
default='native_kms',
|
||||
help='Name/ID of native key provider to use in the demo scenario.')
|
||||
|
||||
parser.add_argument('--export_password',
|
||||
action='store',
|
||||
default='$up3r$3cr3t!',
|
||||
help='Password ot use in import and export of key provider.')
|
||||
|
||||
|
||||
args = sample_util.process_cli_args(parser.parse_args())
|
||||
|
||||
# Skip server cert verification if needed.
|
||||
# This is not recommended in production code.
|
||||
|
||||
# Connect to vSphere
|
||||
vsphere_client, si = connect(args.server, args.username, args.password, args.skipverification)
|
||||
|
||||
# Initialize stubs
|
||||
|
||||
# Automation API Kms.Providers
|
||||
kmsProviders = get_kms_providers(vsphere_client)
|
||||
|
||||
# PyVmomi vim.encryption.CryptoManagerKmip
|
||||
cm = si.content.cryptoManager
|
||||
if not isinstance(cm, vim.encryption.CryptoManagerKmip):
|
||||
raise TypeError("Expected CryptoManagerKmip")
|
||||
|
||||
# read demo args
|
||||
provider_name = args.key_provider
|
||||
password=args.export_password
|
||||
|
||||
|
||||
# Print baseline state
|
||||
print_kms_configurations(kmsProviders=kmsProviders)
|
||||
|
||||
print("Create Native Key Provider.")
|
||||
try:
|
||||
kmsProviders.create(kmsProviders.CreateSpec(provider_name,
|
||||
constraints=kmsProviders.ConstraintsSpec(tpm_required=False)))
|
||||
except AlreadyExists as ex:
|
||||
print(f"Nice Native Key Provider is already set up: {ex}")
|
||||
|
||||
print_kms_configurations(kmsProviders=kmsProviders)
|
||||
|
||||
|
||||
print('Backup Native Key Provider')
|
||||
res = kmsProviders.export(kmsProviders.ExportSpec(provider=provider_name,
|
||||
password=password))
|
||||
|
||||
# Download the back up data to complete the backup process. Without this
|
||||
# request the state of the provider will indicate it is not ready for use as it
|
||||
# is not backed up.
|
||||
url = res.location.url
|
||||
token = res.location.download_token
|
||||
response = requests.post(
|
||||
url,
|
||||
headers={'Authorization': 'Bearer %s' % token.token},
|
||||
verify=False)
|
||||
if not response.status_code == 200:
|
||||
print(f"Backup failed {response}")
|
||||
sys.exit(1)
|
||||
p12data = response.content
|
||||
print(f'Backup completed ok')
|
||||
|
||||
print_kms_configurations(kmsProviders=kmsProviders)
|
||||
|
||||
print("Delete Native Key Provider")
|
||||
kmsProviders.delete(provider=provider_name)
|
||||
|
||||
print_kms_configurations(kmsProviders=kmsProviders)
|
||||
|
||||
# Restore Native Key Provider
|
||||
ir = kmsProviders.import_provider(kmsProviders.ImportSpec(config=p12data,
|
||||
password=password,
|
||||
constraints=kmsProviders.ConstraintsSpec(tpm_required=False)))
|
||||
print(f'Restore Native Key Provider: {ir}')
|
||||
|
||||
# vCenter seems to need respite to set the key provider to all hosts. Immediate
|
||||
# read shows warnings.
|
||||
time.sleep(1)
|
||||
print_kms_configurations(kmsProviders=kmsProviders)
|
||||
|
||||
# Set default Key Native Provider via pyVMOMI CryptoManagerKmip
|
||||
|
||||
# Keep the current setting for default key provider
|
||||
defaultProvider = cm.GetDefaultKmsCluster()
|
||||
print(f"Default Key Provider {defaultProvider}")
|
||||
|
||||
# Convert Automation API ID (str) to PyVMOMI KeyProviderId
|
||||
providerId = vim.encryption.KeyProviderId()
|
||||
providerId.id = provider_name
|
||||
|
||||
# Set the new default
|
||||
cm.SetDefaultKmsCluster(clusterId=providerId)
|
||||
print(f"Updated default key provider to {cm.GetDefaultKmsCluster()}")
|
||||
|
||||
cm.SetDefaultKmsCluster(clusterId=defaultProvider)
|
||||
print(f"Restored default key provider to {cm.GetDefaultKmsCluster()}")
|
||||
|
||||
print("Delete Native Key Provider")
|
||||
kmsProviders.delete(provider=provider_name)
|
||||
|
||||
print("Done.")
|
||||
|
Loading…
Reference in New Issue
Block a user