authorAde Lee <alee@redhat.com>2014-02-16 15:39:37 -0500
committerAde Lee <alee@redhat.com>2014-02-19 10:48:20 -0500
commitf4aafb999efc1367c005c9683ae9d935720d2482 (patch)
tree541c8e11c06d85e1b2d36651c30992aed6ad9aea /base/kra/functional
parenta9c460f532a5f9697b56aa116c3df772b0fd27e9 (diff)
downloadpki-f4aafb999efc1367c005c9683ae9d935720d2482.tar.gz
pki-f4aafb999efc1367c005c9683ae9d935720d2482.tar.xz
pki-f4aafb999efc1367c005c9683ae9d935720d2482.zip
Additional changes as per review.
1. Moved most methods back into the key.py module. 2. Simplified the invocation by combining the KeyClient and KeyRequestClient as just KeyClient. 3. Added additional invocations in KRAClient - with lots of documentation. These are hopefully more user friendly. 4. Extracted crypto operations to cryptoutil class. This class has an NSS implementation provided. 5. Addressed other issues found in review.
Diffstat (limited to 'base/kra/functional')
-rw-r--r--base/kra/functional/drmclient_deprecated.py (renamed from base/kra/functional/drmclient.py)7
-rw-r--r--base/kra/functional/drmclient_deprecated.readme.txt (renamed from base/kra/functional/drmclient.readme.txt)6
-rw-r--r--base/kra/functional/drmtest.py130
-rw-r--r--base/kra/functional/drmtest.readme.txt28
4 files changed, 166 insertions, 5 deletions
diff --git a/base/kra/functional/drmclient.py b/base/kra/functional/drmclient_deprecated.py
index 588b6088b..602057f92 100644
--- a/base/kra/functional/drmclient.py
+++ b/base/kra/functional/drmclient_deprecated.py
@@ -18,6 +18,9 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
+NOTE: This is an old deprecated client. The REST interface has changed
+and so this code will likely NOT work. It will be removed from the code
+base soon.
============================================================
Python Test client for KRA using the new RESTful interface
@@ -572,7 +575,7 @@ class kra:
:param passphrase passphrase wrapped in session key
:return doc: xml doc with archival request
- """
+ """
self.debug('%s.create_recovery_request()', self.fullname)
root = etree.Element("KeyRecoveryRequest")
if key_id != None:
@@ -878,7 +881,7 @@ class kra:
|data |String | Key data (either wrapped using |
| | | passphrase or unwrapped) |
+-----------------+---------------+---------------------------------------+
- """
+ """
self.debug('%s.retrieve_security_data()', self.fullname)
if recovery_request_id == None:
diff --git a/base/kra/functional/drmclient.readme.txt b/base/kra/functional/drmclient_deprecated.readme.txt
index 833c5ce3c..e9a69f95e 100644
--- a/base/kra/functional/drmclient.readme.txt
+++ b/base/kra/functional/drmclient_deprecated.readme.txt
@@ -3,7 +3,7 @@ Running drmclient.py:
The python drmclient currently requires a little setup to be run.
1. Create a working directory - the code uses /tmp/drmtest
-2. In that directory, create an NSS database. In this doc, we will use the
+2. In that directory, create an NSS database. In this doc, we will use the
password redhat123 as the password for the NSS db.
certutil -N -d /tmp/drmtest
@@ -19,7 +19,7 @@ The python drmclient currently requires a little setup to be run.
5. Import the transport certificate into the certificate databse in /tmp/drmtest.
certutil -A -d /tmp/drmtest -n "DRM Transport Certificate" -i /tmp/drmtest/transport.asc
-5. Run GeneratePKIArchiveOptions to generate some test data. Specifically we will be
+5. Run GeneratePKIArchiveOptions to generate some test data. Specifically we will be
using it to generate a symmetric key and its associated PKIArchoveOptions structure
to be archived.
@@ -47,4 +47,4 @@ optional arguments:
-n KRA_NICKNAME DRM Nickname
For example:
-python pki/base/kra/functional/drmclient.py -d /tmp/drmtest -p 10200 -n "DRM Transport Certificate - alee eclipse domain 2"
+python pki/base/kra/functional/drmclient.py -d /tmp/drmtest -p 10200 -n "DRM Transport Certificate - alee eclipse domain 2"
diff --git a/base/kra/functional/drmtest.py b/base/kra/functional/drmtest.py
new file mode 100644
index 000000000..5c7e41244
--- /dev/null
+++ b/base/kra/functional/drmtest.py
@@ -0,0 +1,130 @@
+# Authors:
+# Ade Lee <alee@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+'''
+=========================================================================
+Python test code for interacting with the DRM using the RESTful interface
+=========================================================================
+
+This code is to be viewed as example code on how to interact with the DRM
+for Key and KeyRequest resources using the Python REST client framework.
+
+Some setup is required to run the tests here successfully.
+See drmtest.readme.txt.
+'''
+
+import base64
+import pki.cryptoutil as cryptoutil
+import pki.key as key
+import time
+
+from pki.client import PKIConnection
+from pki.kraclient import KRAClient
+
+def print_key_request(request):
+ ''' Prints the relevant fields of a KeyRequestInfo object '''
+ print "RequestURL: " + str(request.requestURL)
+ print "RequestType: " + str(request.requestType)
+ print "RequestStatus: " + str(request.requestStatus)
+ print "KeyURL: " + str(request.keyURL)
+
+def print_key_info(key_info):
+ ''' Prints the relevant fields of a KeyInfo object '''
+ print "Key URL: " + str(key_info.keyURL)
+ print "Client ID: " + str(key_info.clientID)
+ print "Algorithm: " + str(key_info.algorithm)
+ print "Status: " + str(key_info.status)
+ print "Owner Name: " + str(key_info.ownerName)
+ print "Size: " + str(key_info.size)
+
+def print_key_data(key_data):
+ ''' Prints the relevant fields of a KeyData object '''
+ print "Key Algorithm: " + str(key_data.algorithm)
+ print "Key Size: " + str(key_data.size)
+ print "Nonce Data: " + str(key_data.nonceData)
+ print "Wrapped Private Data: " + str(key_data.wrappedPrivateData)
+
+def main():
+ ''' test code execution '''
+ connection = PKIConnection('https', 'localhost', '8443', 'kra')
+ connection.set_authentication_cert('/tmp/temp4.pem')
+ crypto = cryptoutil.NSSCryptoUtil("/tmp/drmtest/certdb", "redhat123")
+ kraclient = KRAClient(connection, crypto, "kra transport cert")
+
+ # Test 1: Get Transport Cert
+ transport_cert = kraclient.system_certs.get_transport_cert()
+ print transport_cert
+
+ # Test 2: Get key request info
+ print "Now getting key request"
+ keyrequest = kraclient.keys.get_request_info('2')
+ print_key_request(keyrequest)
+
+ # Test 3: List requests
+ print "Now listing some requests"
+ keyrequests = kraclient.keys.list_requests('complete', 'securityDataRecovery')
+ print keyrequests.key_requests
+ for request in keyrequests.key_requests:
+ print_key_request(request)
+
+ # Test 4: generate symkey -- same as barbican_encode()
+ print "Now generating symkey on KRA"
+ client_id = "Vek #1" + time.strftime('%X %x %Z')
+ algorithm = "AES"
+ key_size = 128
+ usages = [key.SymKeyGenerationRequest.DECRYPT_USAGE, key.SymKeyGenerationRequest.ENCRYPT_USAGE]
+ response = kraclient.generate_sym_key(client_id, algorithm, key_size, usages)
+ print_key_request(response.requestInfo)
+ print "Request ID is " + response.requestInfo.get_request_id()
+ key_id = response.get_key_id()
+
+ # Test 5: Confirm the key_id matches
+ print "Now getting key ID for clientID=\"" + client_id + "\""
+ key_infos = kraclient.keys.list_keys(client_id=client_id, status="active")
+ for key_info in key_infos.key_infos:
+ print_key_info(key_info)
+ key_id2 = key_info.get_key_id()
+ if key_id == key_id2:
+ print "Success! The keys from generation and search match."
+ else:
+ print "Failure - key_ids for generation do not match!"
+
+ # Test 6: Barbican_decode() - Retrieve while providing trans_wrapped_session_key
+ session_key = crypto.generate_symmetric_key()
+ wrapped_session_key = crypto.asymmetric_wrap(session_key, kraclient.transport_cert)
+ key_data, _unwrapped_key = kraclient.retrieve_key(key_id, trans_wrapped_session_key=wrapped_session_key)
+ print_key_data(key_data)
+ unwrapped_key = crypto.symmetric_unwrap(key_data.wrappedPrivateData, session_key, iv=key_data.nonceData)
+ key1 = base64.encodestring(unwrapped_key)
+
+ # Test 7: Recover key without providing trans_wrapped_session_key
+ key_data, unwrapped_key = kraclient.retrieve_key(key_id)
+ print_key_data(key_data)
+ key2 = base64.encodestring(unwrapped_key)
+
+ # Test 8 - Confirm that keys returned are the same
+ if key1 == key2:
+ print "Success: The keys returned match! Key = " + str(key1)
+ else:
+ print "Failure: The returned keys do not match!"
+ print "key1: " + key1
+ print "key2: " + key2
+
+if __name__ == "__main__":
+ main()
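Review bot: In main's Test 5, `key_id2` is bound only inside `for key_info in key_infos.key_infos:`, so an empty result from `list_keys` raises UnboundLocalError at `if key_id == key_id2:` instead of reporting a failure, and with several results only the last entry is compared; initialise it with `key_id2 = None` before the loop, or do the comparison inside the loop body. The NSS database password `"redhat123"` and the client-cert path `/tmp/temp4.pem` are hard-coded in `main`; even for example code, taking them from command-line arguments or environment variables keeps credentials out of the source tree. Test 8 writes the recovered key bytes to stdout via `print "Success: The keys returned match! Key = " + str(key1)` and the `key1:`/`key2:` prints on mismatch; printing only the match result (or a digest of the key) avoids leaving key material in the console or any captured log.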
diff --git a/base/kra/functional/drmtest.readme.txt b/base/kra/functional/drmtest.readme.txt
new file mode 100644
index 000000000..4e5c5f308
--- /dev/null
+++ b/base/kra/functional/drmtest.readme.txt
@@ -0,0 +1,28 @@
+You will need to set up a few things first though:
+1. Install a CA/KRA. It this is not on the default ports, you will
+need to modify the connection information in KRAClient.__main__
+
+2. The python code uses python-requests to talk to the server, and
+requests uses openssl. That means you need to export your DRM admin
+cert to a PEM file, so that it can be used for client auth. I did this
+as follows:
+
+ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out /tmp/temp4.pem -nodes
+
+Without any changes, the code in KRAClient.__main__ assumes this file
+will be in /tmp/temp4.pem.
+
+3. We do some crypto functions using NSS commands (like generating a
+symmetric key or wrapping using the transport cert). Therefore, we need
+to create an NSS database and populate it with the transport cert. The
+code expects it to be at /tmp/drmtest/certdb
+
+I did this as follows:
+mkdir -p /tmp/drmtest/certdb
+certutil -N -d /tmp/drmtest/certdb
+chmod +r /tmp/drmtest/certdb/*
+
+certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "transportCert cert-pki-tomcat KRA" -a > transport_cert.txt
+certutil -A -d /tmp/drmtest/certdb/ -n "kra transport cert" -i ./transport_cert.txt -a -t "u,u,u"
+
+4. Then just run kraclient.__main__ with no arguments. \ No newline at end of file