From a0dbe15912d09351448d42f680904a15f0943659 Mon Sep 17 00:00:00 2001 From: Ade Lee <alee@redhat.com> Date: Mon, 20 Apr 2020 17:58:42 -0400 Subject: [PATCH] Initial commit --- .gitignore | 1 + .gitreview | 4 + AUTHORS | 2 + LICENSE | 202 ++++++++++++++++++++++++++++++++++++ README.rst | 44 ++++++++ defaults/main.yaml | 12 +++ requirements.txt | 2 + setup.cfg | 34 ++++++ setup.py | 19 ++++ tasks/main.yaml | 89 ++++++++++++++++ tasks/register_hsm.yaml | 63 +++++++++++ templates/list-ha-groups.j2 | 20 ++++ test-requirements.txt | 1 + tox.ini | 11 ++ zuul.d/layout.yaml | 11 ++ 15 files changed, 515 insertions(+) create mode 100644 .gitignore create mode 100644 .gitreview create mode 100644 AUTHORS create mode 100644 LICENSE create mode 100644 README.rst create mode 100644 defaults/main.yaml create mode 100644 requirements.txt create mode 100644 setup.cfg create mode 100644 setup.py create mode 100644 tasks/main.yaml create mode 100644 tasks/register_hsm.yaml create mode 100755 templates/list-ha-groups.j2 create mode 100644 test-requirements.txt create mode 100644 tox.ini create mode 100644 zuul.d/layout.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..33defe4 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.tox/ diff --git a/.gitreview b/.gitreview new file mode 100644 index 0000000..8266c53 --- /dev/null +++ b/.gitreview @@ -0,0 +1,4 @@ +[gerrit] +host=review.opendev.org +port=29418 +project=openstack/ansible-role-thales-hsm.git diff --git a/AUTHORS b/AUTHORS new file mode 100644 index 0000000..baf0e41 --- /dev/null +++ b/AUTHORS @@ -0,0 +1,2 @@ +Ade Lee <alee@redhat.com> +Douglas Mendizábal <dmendiza@redhat.com> diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..8359007 --- /dev/null +++ b/README.rst @@ -0,0 +1,44 @@ +lunasa-hsm +========== + +A role to manage Safenet Lunasa Hardware Security Module (HSM) client software. + +Role Variables +-------------- + +.. list-table:: + :widths: auto + :header-rows: 1 + + * - Name + - Default Value + - Description + * - lunasa_client_working_dir + - /tmp/lunasa_client_install + - Working directory in the target host. + * - lunasa_client_tarball_name + - None + - Filename for the Lunasa client software tarball. + * - lunasa_client_tarball_location + - None + - Full URL where a copy of the client software tarball can be downloaded. + * - lunasa_client_installer_path + - None + - Path to the instal.sh script inside the tarball. + * - lunasa_hsm_server_hostname + - None + - Hostnme for the Lunasa HSM. + * - lunasa_hsm_server_admin_password + - None + - Password for the admin user for the Lunasa HSM. + * - lunasa_hsm_partition + - None + - HSM Partition to assign the client. + * - lunasa_client_ip + - None + - IP to use when registering the client. + +Requirements +------------ + + - ansible >= 2.4 diff --git a/defaults/main.yaml b/defaults/main.yaml new file mode 100644 index 0000000..2038406 --- /dev/null +++ b/defaults/main.yaml @@ -0,0 +1,12 @@ +--- +# TODO: maybe use random tmpdir here +lunasa_client_working_dir: /tmp/lunasa_client_install + +# non-defaults +#lunasa_client_tarball_location: http://download-node-02.eng.bos.redhat.com/qa/rhts/lookaside/IdM/rhcs/lunasa_software/610-012382-014_SW_Client_HSM_6.2_RevA.tar.zip +#lunasa_client_tarball_name: 610-012382-014_SW_Client_HSM_6.2_RevA.tar.zip +#lunasa_client_installer_path: 610-012382-014_SW_Client_HSM_6.2_RevA/linux/64/install.sh +#lunasa_hsm_server_hostname: os-luna-hsm-1.perf.lab.eng.rdu2.redhat.com +#lunasa_hsm_server_admin_password: ABC123!!! +#lunasa_hsm_partition: secdfgPartition1 +#lunasa_client_ip: 10.0.79.37 diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..885c2cb --- /dev/null +++ b/requirements.txt @@ -0,0 +1,2 @@ +pbr>=1.6 +ansible diff --git a/setup.cfg b/setup.cfg new file mode 100644 index 0000000..c430e9a --- /dev/null +++ b/setup.cfg @@ -0,0 +1,34 @@ +[metadata] +name = ansible-role-lunasa-hsm +summary = ansible-role-lunasa-hsm - Ansible role to configure Lunasa HSM clients. +description-file = + README.rst +author = TripleO Team +author-email = alee@redhat.com +home-page = https://github.com/vakwetu/ansible-role-lunasa-hsm +classifier = + License :: OSI Approved :: Apache Software License + Development Status :: 4 - Beta + Intended Audience :: Developers + Intended Audience :: System Administrators + Intended Audience :: Information Technology + Topic :: Utilities + +[global] +setup-hooks = + pbr.hooks.setup_hook + +[files] +data_files = + share/ansible/roles/lunasa-hsm/defaults = defaults/* + share/ansible/roles/lunasa-hsm/meta = meta/* + share/ansible/roles/lunasa-hsm/tasks = tasks/* + share/ansible/roles/lunasa-hsm/templates = templates/* + share/ansible/roles/lunasa-hsm/files = files/* + +[wheel] +universal = 1 + +[pbr] +skip_authors = True +skip_changelog = True diff --git a/setup.py b/setup.py new file mode 100644 index 0000000..6a931a6 --- /dev/null +++ b/setup.py @@ -0,0 +1,19 @@ +# Copyright Red Hat, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import setuptools + +setuptools.setup( + setup_requires=['pbr'], + pbr=True) diff --git a/tasks/main.yaml b/tasks/main.yaml new file mode 100644 index 0000000..e370f49 --- /dev/null +++ b/tasks/main.yaml @@ -0,0 +1,89 @@ +--- +- name: Create working directory + file: + path: "{{ lunasa_client_working_dir }}" + state: directory + mode: 0755 + +- name: Download Lunasa client tarball + get_url: + url: "{{ lunasa_client_tarball_location }}" + dest: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}" + force: no + +- name: Unpack tarball to working directory + unarchive: + src: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}" + dest: "{{ lunasa_client_working_dir }}" + creates: "{{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }}" + remote_src: yes + +- name: Run the install.sh script + shell: | + set -o pipefail && echo y | {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} \ + -p sa -c sdk + args: + creates: /usr/lib/libCryptoki2_64.so + become: true + +- name: register the client to the HSMs + include_tasks: register_hsm.yaml + loop: "{{ lunasa_hsms }}" + vars: + hsm_name: "{{ item.name }}" + hsm_hostname: "{{ item.hostname }}" + hsm_admin_password: "{{ item.admin_password }}" + client_ip: "{{ item.client_ip }}" + hsm_partition: "{{ item.partition }}" + +- name: verify the NTL connection + command: /usr/safenet/lunaclient/bin/vtl verify + become: true + +# create HA partition +# /vtl haAdmin -newGroup -serialNum 65003001 -label myHAgroup -password userpin +- name: create hsm ha partition + when: lunasa_ha_label is defined + block: + - name: create ha partition + shell: | + echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup createGroup \ + -label {{ lunasa_ha_label }} \ + -serialNumber {{ lunasa_hsms[0].partition_serial }} \ + -password {{ lunasa_partition_password }} + become: yes + + - name: add other hsms to the ha group + shell: | + /usr/safenet/lunaclient/bin/lunacm -c hagroup addMember \ + -group {{ lunasa_ha_label }} \ + -serial {{ item.partition_serial }} \ + -password {{ lunasa_partition_password }} + loop: "{{ lunasa_hsms }}" + loop_control: + extended: yes + when: ansible_loop.first != True + become: yes + + - name: Generate expect script to check HA status + template: + src: list-ha-groups.j2 + dest: /usr/safenet/lunaclient/bin/list-ha-groups + owner: root + group: root + mode: 0755 + become: yes + + - name: Check the HA group + shell: | + /usr/safenet/lunaclient/bin/list-ha-groups | grep 'HA Group Slot ID' | awk '{ print $NF }' + register: ha_slot + become: yes + + - debug: + msg: "{{ ha_slot }}" + +# - name: remove expect script +# file: +# path: /usr/safenet/lunaclient/bin/list-ha-groups +# state: absent diff --git a/tasks/register_hsm.yaml b/tasks/register_hsm.yaml new file mode 100644 index 0000000..512c1ce --- /dev/null +++ b/tasks/register_hsm.yaml @@ -0,0 +1,63 @@ +--- +- debug: + msg: "Registering the following HSM: {{ hsm_name }}" + +- name: Get the hsm server cert from the hsm_server + shell: | + sshpass -p '{{ hsm_admin_password }}' \ + scp -o StrictHostKeyChecking=false admin@{{ hsm_hostname }}:server.pem /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem + become: true + +# TODO: do dns and ip addresses +- name: Register the HSM server cert with the client + shell: | + /usr/safenet/lunaclient/bin/vtl addServer -n {{ hsm_hostname }} \ + -c /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem + register: add_server + become: true + failed_when: + - add_server.rc != 0 + - '"This server is already registered" not in add_server.stdout' + +- name: Set the cert file name + set_fact: + client_name: "{{ inventory_hostname }}" + +- name: Create a client cert for NTL + command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ client_ip }}" + args: + creates: "/usr/safenet/lunaclient/cert/client/{{ client_ip }}.pem" + become: true + +- name: Copy the NTL client cert to the HSM + shell: | + sshpass -p '{{ hsm_admin_password }}' scp /usr/safenet/lunaclient/cert/client/{{ client_ip }}.pem \ + admin@{{ hsm_hostname }}:{{ client_ip }}.pem + become: true + +- name: List clients on the hsm_server + shell: | + sshpass -p '{{ hsm_admin_password }}' \ + ssh admin@{{ hsm_hostname }} -C "client list" + become: true + +# A client with the same hostname has already been registered +- name: Register the client certificate on the hsm_server + shell: | + sshpass -p '{{ hsm_admin_password }}' ssh admin@{{ hsm_hostname }} \ + -C "client register -c {{ client_name }} -ip {{ client_ip }}" + register: client_register + failed_when: + - client_register.rc != 0 + - "'client with the same IP address has already been registered' not in client_register.stdout" + become: true + +- name: Assign client to an HSM partition + shell: | + sshpass -p '{{ hsm_admin_password }}' ssh admin@{{ hsm_hostname }} \ + -C "client assignPartition -c {{ client_name }} -p {{ hsm_partition }}" + register: assign_partition + failed_when: + - assign_partition.rc != 0 + - "'client already has access' not in assign_partition.stdout" + become: true diff --git a/templates/list-ha-groups.j2 b/templates/list-ha-groups.j2 new file mode 100755 index 0000000..ac2f7c5 --- /dev/null +++ b/templates/list-ha-groups.j2 @@ -0,0 +1,20 @@ +#!/usr/bin/expect -f + +set force_conservative 0 ;# set to 1 to force conservative mode even if + ;# script wasn't run conservatively originally +if {$force_conservative} { + set send_slow {1 .1} + proc send {ignore arg} { + sleep .1 + exp_send -s -- $arg + } +} + +set timeout -1 +spawn /usr/safenet/lunaclient/bin/lunacm -c hagroup listgroups +match_max 100000 +expect " Enter the password: " +send -- "{{ lunasa_partition_password }}" +expect -exact "****************" +send -- "\r" +expect eof diff --git a/test-requirements.txt b/test-requirements.txt new file mode 100644 index 0000000..6dd128e --- /dev/null +++ b/test-requirements.txt @@ -0,0 +1 @@ +ansible-lint diff --git a/tox.ini b/tox.ini new file mode 100644 index 0000000..2e0aabd --- /dev/null +++ b/tox.ini @@ -0,0 +1,11 @@ +[tox] +minversion = 2.0 +envlist = linters +skipdist = true + +[testenv] +deps = -r{toxinidir}/test-requirements.txt + +[testenv:linters] +# TODO(redrobot): Don't ignore 301 +commands = ansible-lint -x 301 {toxinidir} diff --git a/zuul.d/layout.yaml b/zuul.d/layout.yaml new file mode 100644 index 0000000..2b85502 --- /dev/null +++ b/zuul.d/layout.yaml @@ -0,0 +1,11 @@ +--- +- project: + check: + jobs: + - openstack-tox-linters + gate: + jobs: + - openstack-tox-linters + post: + jobs: + - publish-openstack-python-branch-tarball