From a0dbe15912d09351448d42f680904a15f0943659 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Mon, 20 Apr 2020 17:58:42 -0400
Subject: [PATCH] Initial commit

---
 .gitignore                  |   1 +
 .gitreview                  |   4 +
 AUTHORS                     |   2 +
 LICENSE                     | 202 ++++++++++++++++++++++++++++++++++++
 README.rst                  |  44 ++++++++
 defaults/main.yaml          |  12 +++
 requirements.txt            |   2 +
 setup.cfg                   |  34 ++++++
 setup.py                    |  19 ++++
 tasks/main.yaml             |  89 ++++++++++++++++
 tasks/register_hsm.yaml     |  63 +++++++++++
 templates/list-ha-groups.j2 |  20 ++++
 test-requirements.txt       |   1 +
 tox.ini                     |  11 ++
 zuul.d/layout.yaml          |  11 ++
 15 files changed, 515 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .gitreview
 create mode 100644 AUTHORS
 create mode 100644 LICENSE
 create mode 100644 README.rst
 create mode 100644 defaults/main.yaml
 create mode 100644 requirements.txt
 create mode 100644 setup.cfg
 create mode 100644 setup.py
 create mode 100644 tasks/main.yaml
 create mode 100644 tasks/register_hsm.yaml
 create mode 100755 templates/list-ha-groups.j2
 create mode 100644 test-requirements.txt
 create mode 100644 tox.ini
 create mode 100644 zuul.d/layout.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..33defe4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.tox/
diff --git a/.gitreview b/.gitreview
new file mode 100644
index 0000000..8266c53
--- /dev/null
+++ b/.gitreview
@@ -0,0 +1,4 @@
+[gerrit]
+host=review.opendev.org
+port=29418
+project=openstack/ansible-role-thales-hsm.git
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..baf0e41
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,2 @@
+Ade Lee <alee@redhat.com>
+Douglas Mendizábal <dmendiza@redhat.com>
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..8359007
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,44 @@
+lunasa-hsm
+==========
+
+A role to manage Safenet Lunasa Hardware Security Module (HSM) client software.
+
+Role Variables
+--------------
+
+.. list-table::
+   :widths: auto
+   :header-rows: 1
+
+   * - Name
+     - Default Value
+     - Description
+   * - lunasa_client_working_dir
+     - /tmp/lunasa_client_install
+     - Working directory in the target host.
+   * - lunasa_client_tarball_name
+     - None
+     - Filename for the Lunasa client software tarball.
+   * - lunasa_client_tarball_location
+     - None
+     - Full URL where a copy of the client software tarball can be downloaded.
+   * - lunasa_client_installer_path
+     - None
+     - Path to the instal.sh script inside the tarball.
+   * - lunasa_hsm_server_hostname
+     - None
+     - Hostnme for the Lunasa HSM.
+   * - lunasa_hsm_server_admin_password
+     - None
+     - Password for the admin user for the Lunasa HSM.
+   * - lunasa_hsm_partition
+     - None
+     - HSM Partition to assign the client.
+   * - lunasa_client_ip
+     - None
+     - IP to use when registering the client.
+
+Requirements
+------------
+
+ - ansible >= 2.4
diff --git a/defaults/main.yaml b/defaults/main.yaml
new file mode 100644
index 0000000..2038406
--- /dev/null
+++ b/defaults/main.yaml
@@ -0,0 +1,12 @@
+---
+# TODO: maybe use random tmpdir here
+lunasa_client_working_dir: /tmp/lunasa_client_install
+
+# non-defaults
+#lunasa_client_tarball_location: http://download-node-02.eng.bos.redhat.com/qa/rhts/lookaside/IdM/rhcs/lunasa_software/610-012382-014_SW_Client_HSM_6.2_RevA.tar.zip
+#lunasa_client_tarball_name: 610-012382-014_SW_Client_HSM_6.2_RevA.tar.zip
+#lunasa_client_installer_path: 610-012382-014_SW_Client_HSM_6.2_RevA/linux/64/install.sh
+#lunasa_hsm_server_hostname: os-luna-hsm-1.perf.lab.eng.rdu2.redhat.com
+#lunasa_hsm_server_admin_password: ABC123!!!
+#lunasa_hsm_partition: secdfgPartition1
+#lunasa_client_ip: 10.0.79.37
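Review bot: The commented-out "non-defaults" block carries what look like real internal lab hostnames (`os-luna-hsm-1.perf.lab.eng.rdu2.redhat.com`), an internal download URL, a client IP and an admin password (`ABC123!!!`); even commented out, this is a public repository, so replace them with neutral placeholders such as `#lunasa_hsm_server_hostname: hsm1.example.com` and `#lunasa_hsm_server_admin_password: "{{ vault_lunasa_hsm_admin_password }}"`. The variable names shown here also diverge from what tasks/main.yaml actually consumes (a `lunasa_hsms` list whose items carry `name`, `hostname`, `admin_password`, `partition`, `client_ip` and `partition_serial`, plus `lunasa_ha_label` and `lunasa_partition_password`), so the example should document that shape instead. The TODO on `lunasa_client_working_dir` is worth acting on: a fixed, predictable path under world-writable /tmp is created without `become` and later read by the root-executed install.sh in tasks/main.yaml, so a `tempfile`-module directory or a path under a root-owned location is the safer default.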
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..885c2cb
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+pbr>=1.6
+ansible
diff --git a/setup.cfg b/setup.cfg
new file mode 100644
index 0000000..c430e9a
--- /dev/null
+++ b/setup.cfg
@@ -0,0 +1,34 @@
+[metadata]
+name = ansible-role-lunasa-hsm
+summary = ansible-role-lunasa-hsm - Ansible role to configure Lunasa HSM clients.
+description-file =
+    README.rst
+author = TripleO Team
+author-email = alee@redhat.com
+home-page = https://github.com/vakwetu/ansible-role-lunasa-hsm
+classifier =
+  License :: OSI Approved :: Apache Software License
+  Development Status :: 4 - Beta
+  Intended Audience :: Developers
+  Intended Audience :: System Administrators
+  Intended Audience :: Information Technology
+  Topic :: Utilities
+
+[global]
+setup-hooks =
+    pbr.hooks.setup_hook
+
+[files]
+data_files =
+    share/ansible/roles/lunasa-hsm/defaults = defaults/*
+    share/ansible/roles/lunasa-hsm/meta = meta/*
+    share/ansible/roles/lunasa-hsm/tasks = tasks/*
+    share/ansible/roles/lunasa-hsm/templates = templates/*
+    share/ansible/roles/lunasa-hsm/files = files/*
+
+[wheel]
+universal = 1
+
+[pbr]
+skip_authors = True
+skip_changelog = True
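Review bot: `data_files` lists `meta/*` and `files/*`, but the commit adds neither directory, so either add `meta/main.yaml` (role metadata) or drop those two entries until they exist rather than rely on how pbr handles an empty glob. The package name `ansible-role-lunasa-hsm` also differs from the gerrit project `openstack/ansible-role-thales-hsm` in .gitreview, and `home-page` points at a personal fork; both are worth aligning before this is published.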
diff --git a/setup.py b/setup.py
new file mode 100644
index 0000000..6a931a6
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,19 @@
+#   Copyright Red Hat, Inc. All Rights Reserved.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+
+import setuptools
+
+setuptools.setup(
+    setup_requires=['pbr'],
+    pbr=True)
diff --git a/tasks/main.yaml b/tasks/main.yaml
new file mode 100644
index 0000000..e370f49
--- /dev/null
+++ b/tasks/main.yaml
@@ -0,0 +1,89 @@
+---
+- name: Create working directory
+  file:
+      path: "{{ lunasa_client_working_dir }}"
+      state: directory
+      mode: 0755
+
+- name: Download Lunasa client tarball
+  get_url:
+    url: "{{ lunasa_client_tarball_location }}"
+    dest: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}"
+    force: no
+
+- name: Unpack tarball to working directory
+  unarchive:
+    src: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}"
+    dest: "{{ lunasa_client_working_dir }}"
+    creates: "{{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }}"
+    remote_src: yes
+
+- name: Run the install.sh script
+  shell: |
+    set -o pipefail  && echo y | {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} \
+      -p sa -c sdk
+  args:
+    creates: /usr/lib/libCryptoki2_64.so
+  become: true
+
+- name: register the client to the HSMs
+  include_tasks: register_hsm.yaml
+  loop: "{{ lunasa_hsms }}"
+  vars:
+    hsm_name: "{{ item.name }}"
+    hsm_hostname: "{{ item.hostname }}"
+    hsm_admin_password: "{{ item.admin_password }}"
+    client_ip: "{{ item.client_ip }}"
+    hsm_partition: "{{ item.partition }}"
+
+- name: verify the NTL connection
+  command: /usr/safenet/lunaclient/bin/vtl verify
+  become: true
+
+# create HA partition
+# /vtl haAdmin -newGroup -serialNum 65003001 -label myHAgroup -password userpin
+- name: create hsm ha partition
+  when: lunasa_ha_label is defined
+  block:
+    - name: create ha partition
+      shell: |
+        echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup createGroup \
+          -label  {{ lunasa_ha_label }} \
+          -serialNumber {{ lunasa_hsms[0].partition_serial }} \
+          -password {{ lunasa_partition_password }}
+      become: yes
+
+    - name: add other hsms to the ha group
+      shell: |
+        /usr/safenet/lunaclient/bin/lunacm -c hagroup addMember \
+          -group {{ lunasa_ha_label }} \
+          -serial {{ item.partition_serial }} \
+          -password {{ lunasa_partition_password }} 
+      loop: "{{ lunasa_hsms }}"
+      loop_control:
+        extended: yes
+      when: ansible_loop.first != True
+      become: yes
+
+    - name: Generate expect script to check  HA status
+      template:
+        src: list-ha-groups.j2
+        dest: /usr/safenet/lunaclient/bin/list-ha-groups
+        owner: root
+        group: root
+        mode: 0755
+      become: yes
+
+    - name: Check the HA group
+      shell: |
+        /usr/safenet/lunaclient/bin/list-ha-groups | grep 'HA Group Slot ID' | awk '{ print $NF }'
+      register: ha_slot
+      become: yes
+
+    - debug:
+        msg: "{{ ha_slot }}"
+
+#    - name: remove expect script
+#      file:
+#        path: /usr/safenet/lunaclient/bin/list-ha-groups
+#        state: absent
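Review bot: `lunasa_partition_password` is passed on the `lunacm ... -password` command lines of the createGroup and addMember tasks and rendered into `/usr/safenet/lunaclient/bin/list-ha-groups` with `mode: 0755`, while the cleanup task at the end is commented out — so the partition password is visible in `ps`, in Ansible output on failure or with `-v`, and afterwards in a world-readable file on disk. Those tasks need `no_log: true`, the interpolated inventory values need `| quote` (they are pasted unescaped into `shell`), the template should be `mode: "0700"`, and the removal task should be live (ideally in an `always:` of the block). Separately, the `get_url` task downloads an archive that root then executes via install.sh without any `checksum:`; pin it with `checksum: "sha256:{{ lunasa_client_tarball_checksum }}"` so a tampered mirror or a plain-http URL (as in the commented example in defaults/main.yaml) cannot substitute the installer. Minor: `when: ansible_loop.first != True` reads better as `when: not ansible_loop.first`, and the `set -o pipefail` in the install.sh task only works where `/bin/sh` is bash — add `args: executable: /bin/bash` if that is not guaranteed on the targets.
```yaml
- name: Download Lunasa client tarball
  get_url:
    url: "{{ lunasa_client_tarball_location }}"
    dest: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}"
    # pin the archive that root executes below; fails if the variable is unset
    checksum: "sha256:{{ lunasa_client_tarball_checksum }}"
    force: no

# … unchanged: unpack, install.sh, register_hsm include, vtl verify …

    - name: create ha partition
      shell: |
        echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup createGroup \
          -label {{ lunasa_ha_label | quote }} \
          -serialNumber {{ lunasa_hsms[0].partition_serial | quote }} \
          -password {{ lunasa_partition_password | quote }}
      no_log: true  # partition password is on the command line
      become: yes

    - name: add other hsms to the ha group
      shell: |
        /usr/safenet/lunaclient/bin/lunacm -c hagroup addMember \
          -group {{ lunasa_ha_label | quote }} \
          -serial {{ item.partition_serial | quote }} \
          -password {{ lunasa_partition_password | quote }}
      loop: "{{ lunasa_hsms }}"
      loop_control:
        extended: yes
      when: not ansible_loop.first
      no_log: true
      become: yes

    - name: Generate expect script to check  HA status
      template:
        src: list-ha-groups.j2
        dest: /usr/safenet/lunaclient/bin/list-ha-groups
        owner: root
        group: root
        mode: "0700"  # rendered script embeds the partition password
      no_log: true
      become: yes

# … unchanged: Check the HA group, debug …

    - name: remove expect script
      file:
        path: /usr/safenet/lunaclient/bin/list-ha-groups
        state: absent
      become: yes
```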
diff --git a/tasks/register_hsm.yaml b/tasks/register_hsm.yaml
new file mode 100644
index 0000000..512c1ce
--- /dev/null
+++ b/tasks/register_hsm.yaml
@@ -0,0 +1,63 @@
+---
+- debug:
+    msg: "Registering the following HSM: {{ hsm_name }}"
+ 
+- name: Get the hsm server cert from the hsm_server
+  shell: |
+    sshpass -p '{{ hsm_admin_password }}' \
+      scp -o StrictHostKeyChecking=false admin@{{ hsm_hostname }}:server.pem /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
+  become: true
+
+# TODO: do dns and ip addresses
+- name: Register the HSM server cert with the client
+  shell: |
+    /usr/safenet/lunaclient/bin/vtl addServer -n {{ hsm_hostname }} \
+      -c /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
+  register: add_server
+  become: true
+  failed_when:
+    - add_server.rc != 0
+    - '"This server is already registered" not in add_server.stdout'
+
+- name: Set the cert file name
+  set_fact:
+    client_name: "{{ inventory_hostname }}"
+
+- name: Create a client cert for NTL
+  command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ client_ip }}"
+  args:
+    creates: "/usr/safenet/lunaclient/cert/client/{{ client_ip }}.pem"
+  become: true
+
+- name: Copy the NTL client cert to the HSM
+  shell: |
+    sshpass -p '{{ hsm_admin_password }}' scp /usr/safenet/lunaclient/cert/client/{{ client_ip }}.pem \
+      admin@{{ hsm_hostname }}:{{ client_ip }}.pem
+  become: true
+
+- name: List clients on the hsm_server
+  shell: |
+    sshpass -p '{{ hsm_admin_password }}' \
+      ssh admin@{{ hsm_hostname }} -C "client list"
+  become: true
+
+# A client with the same hostname has already been registered
+- name: Register the client certificate on the hsm_server
+  shell: |
+    sshpass -p '{{ hsm_admin_password }}' ssh admin@{{ hsm_hostname }} \
+      -C "client register -c {{ client_name }} -ip {{ client_ip }}"
+  register: client_register
+  failed_when:
+    - client_register.rc != 0
+    - "'client with the same IP address has already been registered' not in client_register.stdout"
+  become: true
+
+- name: Assign client to an HSM partition
+  shell: |
+    sshpass -p '{{ hsm_admin_password }}' ssh admin@{{ hsm_hostname }} \
+      -C "client assignPartition -c {{ client_name }} -p {{ hsm_partition }}"
+  register: assign_partition
+  failed_when:
+    - assign_partition.rc != 0
+    - "'client already has access' not in assign_partition.stdout"
+  become: true
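Review bot: The first `scp` disables SSH host-key verification (`-o StrictHostKeyChecking=false`) on the very connection that fetches `server.pem`, the certificate that `vtl addServer` then installs as this client's trust anchor for the HSM — anyone who can answer for `{{ hsm_hostname }}` at that moment gets their own certificate registered and also receives the admin password sshpass sends. Pre-seed the appliance's host key instead (a `known_hosts` task fed from a host-key variable supplied per `lunasa_hsms` item, or at minimum `StrictHostKeyChecking=accept-new`), and verify the fetched cert's fingerprint against an expected value before `addServer`. Every task here also places `hsm_admin_password` on the `sshpass -p` command line, readable in `ps` and in Ansible logs, and none sets `no_log`; pass it via `environment: SSHPASS` with `sshpass -e` and add `no_log: true`. The `client list` task is purely informational and will report `changed` on every run — give it `changed_when: false` or drop it.
```yaml
- name: Pin the HSM appliance SSH host key before any password auth
  known_hosts:
    name: "{{ hsm_hostname }}"
    key: "{{ hsm_hostname }} {{ hsm_ssh_host_key }}"  # e.g. 'ssh-rsa AAAA…', obtained out of band
    state: present
  become: true

- name: Get the hsm server cert from the hsm_server
  shell: |
    sshpass -e scp -o StrictHostKeyChecking=yes \
      admin@{{ hsm_hostname | quote }}:server.pem \
      /usr/safenet/lunaclient/bin/{{ hsm_hostname | quote }}.pem
  environment:
    SSHPASS: "{{ hsm_admin_password }}"
  no_log: true
  become: true

# … unchanged: vtl addServer, set_fact, createCert …
# … remaining sshpass tasks: same environment/SSHPASS, `sshpass -e`, and `no_log: true` …
```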
diff --git a/templates/list-ha-groups.j2 b/templates/list-ha-groups.j2
new file mode 100755
index 0000000..ac2f7c5
--- /dev/null
+++ b/templates/list-ha-groups.j2
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+
+set force_conservative 0  ;# set to 1 to force conservative mode even if
+			  ;# script wasn't run conservatively originally
+if {$force_conservative} {
+	set send_slow {1 .1}
+	proc send {ignore arg} {
+		sleep .1
+		exp_send -s -- $arg
+	}
+}
+
+set timeout -1
+spawn /usr/safenet/lunaclient/bin/lunacm -c hagroup listgroups
+match_max 100000
+expect "	Enter the password: "
+send -- "{{ lunasa_partition_password }}"
+expect -exact "****************"
+send -- "\r"
+expect eof
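Review bot: The `expect -exact "****************"` line waits for exactly sixteen echoed asterisks before sending the carriage return, which looks like it was captured with a 16-character password; with `set timeout -1` just above, any other password length would presumably leave the script waiting forever (lunacm's echo behaviour is inferred here, not visible). Send the password and newline together and drop the asterisk match: `send -- "{{ lunasa_partition_password }}\r"` followed directly by `expect eof`. The Jinja value is also substituted unescaped inside a Tcl double-quoted string, so a password containing `"`, `$`, `[` or `\` would break the script or be interpreted by Tcl — worth a caveat in the role docs if escaping is not added. Since the rendered file holds the partition password in clear text, a header comment such as `# Rendered by ansible-role-lunasa-hsm; contains the HA partition password - keep root-only and remove after use` would make the handling expectation explicit to whoever finds it on disk.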
diff --git a/test-requirements.txt b/test-requirements.txt
new file mode 100644
index 0000000..6dd128e
--- /dev/null
+++ b/test-requirements.txt
@@ -0,0 +1 @@
+ansible-lint
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..2e0aabd
--- /dev/null
+++ b/tox.ini
@@ -0,0 +1,11 @@
+[tox]
+minversion = 2.0
+envlist = linters
+skipdist = true
+
+[testenv]
+deps = -r{toxinidir}/test-requirements.txt
+
+[testenv:linters]
+# TODO(redrobot): Don't ignore 301
+commands = ansible-lint -x 301 {toxinidir}
diff --git a/zuul.d/layout.yaml b/zuul.d/layout.yaml
new file mode 100644
index 0000000..2b85502
--- /dev/null
+++ b/zuul.d/layout.yaml
@@ -0,0 +1,11 @@
+---
+- project:
+    check:
+      jobs:
+        - openstack-tox-linters
+    gate:
+      jobs:
+        - openstack-tox-linters
+    post:
+      jobs:
+        - publish-openstack-python-branch-tarball