1
0
mirror of https://github.com/vmware/vsphere-automation-sdk-python.git synced 2024-11-24 18:30:00 -05:00

Demonstrate the Native Key Provider APIs (#390)

This is a short demo of native key provider APIs in the Autpmation SDK.
The demo includes how native key provider can be set as default for the
system using pyvmomi.

Signed-off-by: Kiril Karaatanssov <kkaraatanassov@vmware.com>
This commit is contained in:
Kiril Karaatanassov 2023-07-31 09:42:06 +03:00 committed by GitHub
parent 3a1023dc6a
commit 9f33a73ac4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -0,0 +1,185 @@
#!/usr/bin/env python
"""
* *******************************************************
* Copyright (c) VMware, Inc. 2023. All Rights Reserved.
* SPDX-License-Identifier: MIT
* *******************************************************
*
* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,
* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED
* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY,
* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
"""
__author__ = 'Kiril Karaatanssov <kkaraatanassov@vmware.com>'
__vcenter_version__ = '7.0.2.0'
import requests
import sys, time
from samples.vsphere.common import sample_cli
from samples.vsphere.common import sample_util
from samples.vsphere.common.ssl_helper import get_unverified_session
from vmware.vapi.vsphere.client import create_vsphere_client, VsphereClient
from com.vmware.vcenter.crypto_manager import kms_client
from com.vmware.vapi.std.errors_client import AlreadyExists
from pyVim.connect import SmartConnect
from pyVmomi import vim
"""
Demonstrates common operations with vCenter Native Key Provider functionality.
This sample is a simple scenario that provisions native key provider, backs it
up (which also activates it), deletes it, restores from back up, sets the new
provider as default, reverts the defaults and deletes the new key provider.
There is one tricky part with export of the key provider data. This requires
raw HTTP request to download the p12 key provider data with HTTP Authorization
Bearer header and the token value from the API.
The APIs are described under:
https://developer.vmware.com/apis/vsphere-automation/latest/vcenter/crypto_manager/kms.providers/
Setting and reading the default key provider is achieved using the
CryptoMangerKmip API:
https://developer.vmware.com/apis/vi-json/latest/crypto-manager-kmip/
Sample Prerequisites:
- vCenter
- Python 3.9
"""
def get_kms_providers(client: VsphereClient) -> kms_client.Providers:
return vsphere_client.vcenter.crypto_manager.kms.Providers
def print_kms_configurations(kmsProviders: kms_client.Providers):
for provider in kmsProviders.list():
print(f"Native Key Provider summary: {provider}")
print(f"Native Key Provider details: {kmsProviders.get(provider.provider)}")
print()
def connect(host: str, user: str, pwd: str, insecure: bool) -> tuple[VsphereClient, vim.ServiceInstance]:
session = requests.session()
session = get_unverified_session() if insecure else None
vsphere_client = create_vsphere_client(host, user, pwd, session=session)
si = SmartConnect(host=host, user=user, pwd=pwd, disableSslCertValidation=insecure)
return vsphere_client, si
# Create argument parser for standard inputs:
# server, username, password, cleanup and skipverification
parser = sample_cli.build_arg_parser()
# Add your custom input arguments
parser.add_argument('--key_provider',
action='store',
default='native_kms',
help='Name/ID of native key provider to use in the demo scenario.')
parser.add_argument('--export_password',
action='store',
default='$up3r$3cr3t!',
help='Password ot use in import and export of key provider.')
args = sample_util.process_cli_args(parser.parse_args())
# Skip server cert verification if needed.
# This is not recommended in production code.
# Connect to vSphere
vsphere_client, si = connect(args.server, args.username, args.password, args.skipverification)
# Initialize stubs
# Automation API Kms.Providers
kmsProviders = get_kms_providers(vsphere_client)
# PyVmomi vim.encryption.CryptoManagerKmip
cm = si.content.cryptoManager
if not isinstance(cm, vim.encryption.CryptoManagerKmip):
raise TypeError("Expected CryptoManagerKmip")
# read demo args
provider_name = args.key_provider
password=args.export_password
# Print baseline state
print_kms_configurations(kmsProviders=kmsProviders)
print("Create Native Key Provider.")
try:
kmsProviders.create(kmsProviders.CreateSpec(provider_name,
constraints=kmsProviders.ConstraintsSpec(tpm_required=False)))
except AlreadyExists as ex:
print(f"Nice Native Key Provider is already set up: {ex}")
print_kms_configurations(kmsProviders=kmsProviders)
print('Backup Native Key Provider')
res = kmsProviders.export(kmsProviders.ExportSpec(provider=provider_name,
password=password))
# Download the back up data to complete the backup process. Without this
# request the state of the provider will indicate it is not ready for use as it
# is not backed up.
url = res.location.url
token = res.location.download_token
response = requests.post(
url,
headers={'Authorization': 'Bearer %s' % token.token},
verify=False)
if not response.status_code == 200:
print(f"Backup failed {response}")
sys.exit(1)
p12data = response.content
print(f'Backup completed ok')
print_kms_configurations(kmsProviders=kmsProviders)
print("Delete Native Key Provider")
kmsProviders.delete(provider=provider_name)
print_kms_configurations(kmsProviders=kmsProviders)
# Restore Native Key Provider
ir = kmsProviders.import_provider(kmsProviders.ImportSpec(config=p12data,
password=password,
constraints=kmsProviders.ConstraintsSpec(tpm_required=False)))
print(f'Restore Native Key Provider: {ir}')
# vCenter seems to need respite to set the key provider to all hosts. Immediate
# read shows warnings.
time.sleep(1)
print_kms_configurations(kmsProviders=kmsProviders)
# Set default Key Native Provider via pyVMOMI CryptoManagerKmip
# Keep the current setting for default key provider
defaultProvider = cm.GetDefaultKmsCluster()
print(f"Default Key Provider {defaultProvider}")
# Convert Automation API ID (str) to PyVMOMI KeyProviderId
providerId = vim.encryption.KeyProviderId()
providerId.id = provider_name
# Set the new default
cm.SetDefaultKmsCluster(clusterId=providerId)
print(f"Updated default key provider to {cm.GetDefaultKmsCluster()}")
cm.SetDefaultKmsCluster(clusterId=defaultProvider)
print(f"Restored default key provider to {cm.GetDefaultKmsCluster()}")
print("Delete Native Key Provider")
kmsProviders.delete(provider=provider_name)
print("Done.")