From 5ef6c3e2e40954886c72d7705cddf421966ea0b8 Mon Sep 17 00:00:00 2001 From: Nathan Reller Date: Sun, 13 Mar 2016 14:14:04 -0400 Subject: [PATCH] Added KMIP Secret Store to Devstack Added code to devstack libraries to allow KMIP secret store to be enabled. This edits barbican.conf to enable the KMIP secret store. The Barbican PyKMIP client can be configured to connect to an existing KMIP device or use PyKMIP's server. If the client configuration is all that is needed then enable the 'barbican-pykmip' service in the devstack configuration and set the appropriate key, certificate, and CA path variables. This will allow the Barbican KMIP secret store to connect to an existing KMIP server. If a KMIP server is requested then also enable the 'pykmip-server' service in the devstack configuration. This will install, configure, and start the KMIP server. This option requires the 'barbican-pykmip' service be configured as well. Added passenv command to tox to allow the KMIP_PLUGIN_ENABLED environment variable to be passed to the underlying command. Without this the environment variable will not be seen by the tox command. Change-Id: Ib804fa97545f14ed866bfd73bb251e85923a2e4e Depends-On: Ifda13a84607bb199b794dc24f5dbba0ee8108dbf
---
devstack/lib/barbican | 59 +++++++++++++++++++++++++++++++++++++++++++ devstack/plugin.sh | 12 +++++++++ devstack/settings | 4 +++ test-requirements.txt | 2 +- tox.ini | 1 + 5 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/devstack/lib/barbican b/devstack/lib/barbican
index 798743fb2..5daa6cf17 100644
--- a/devstack/lib/barbican
+++ b/devstack/lib/barbican
@@ -25,6 +25,12 @@ XTRACE=$(set +o | grep xtrace) set +o xtrace +# PyKMIP configuration +PYKMIP_SERVER_KEY=${PYKMIP_SERVER_KEY:-$INT_CA_DIR/private/pykmip-server.key} +PYKMIP_SERVER_CERT=${PYKMIP_SERVER_CERT:-$INT_CA_DIR/pykmip-server.crt} +PYKMIP_CLIENT_KEY=${PYKMIP_CLIENT_KEY:-$INT_CA_DIR/private/pykmip-client.key} +PYKMIP_CLIENT_CERT=${PYKMIP_CLIENT_CERT:-$INT_CA_DIR/pykmip-client.crt} +PYKMIP_CA_PATH=${PYKMIP_CA_PATH:-$INT_CA_DIR/ca-chain.pem} # Functions # --------- @@ -355,6 +361,59 @@ function create_barbican_accounts { } +# PyKMIP functions +# ---------------- + +# install_pykmip - install the PyKMIP python module +# create keys and certificate for server +function install_pykmip { + pip_install 'pykmip' + + if is_service_enabled pykmip-server; then + [ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR} + sudo chown ${USER} ${PYKMIP_CONF_DIR} + [ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR} + sudo chown ${USER} ${PYKMIP_LOG_DIR} + + init_CA + if [ ! -e ${PYKMIP_SERVER_KEY} ]; then + make_cert ${INT_CA_DIR} 'pykmip-server' 'pykmip-server' + chmod 400 ${PYKMIP_SERVER_KEY} + fi + if [ ! -e ${PYKMIP_CLIENT_KEY} ]; then + make_cert ${INT_CA_DIR} 'pykmip-client' 'pykmip-client' + chmod 400 ${PYKMIP_CLIENT_KEY} + fi + + if [ ! -e ${PYKMIP_CONF} ]; then + cat > ${PYKMIP_CONF} <=3.6 # Apache-2.0 hacking<0.11,>=0.10.0 mock>=1.2 # BSD oslotest>=1.10.0 # Apache-2.0 -pykmip>=0.4.0 # Apache 2.0 License +pykmip>=0.5.0 # Apache 2.0 License testrepository>=0.0.18 # Apache-2.0/BSD testtools>=1.4.0 # MIT fixtures<2.0,>=1.3.1 # Apache-2.0/BSD diff --git a/tox.ini b/tox.ini index dfa9345ba..ee9e09d0e 100644 --- a/tox.ini +++ b/tox.ini 
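Review bot: The `PYKMIP_*_KEY` defaults added in the first hunk can be overridden by the operator, but the `install_pykmip` lines visible later on this line run `chmod 400` only inside the `[ ! -e ... ]` branch that generates a key, so a private key supplied through `PYKMIP_SERVER_KEY` or `PYKMIP_CLIENT_KEY` keeps whatever mode it already had. I would record that above the variables, e.g. `# Keys supplied via PYKMIP_*_KEY must already be readable by the owner only; install_pykmip tightens only the keys it generates`, or move the `chmod 400` outside the existence check. The defaults also expand `$INT_CA_DIR` when the file is sourced; if that variable is unset at that point the paths silently become root-relative (`/private/pykmip-server.key`), and whether it is always set first is not visible here. The expansions in the function are unquoted as well (`[ ! -e ${PYKMIP_SERVER_KEY} ]`, `chmod 400 ${PYKMIP_SERVER_KEY}`), so an override containing spaces will break; quoting them (`"${PYKMIP_SERVER_KEY}"`) fixes that. The `install_pykmip` hunk is truncated on this page from the `cat > ${PYKMIP_CONF}` heredoc onward, so the rest of the function is not reviewed.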
@@ -116,6 +116,7 @@ setenv = OS_TEST_PATH={toxinidir}/functionaltests commands = /usr/bin/find . -type f -name "*.pyc" -delete /bin/bash {toxinidir}/functionaltests/pretty_tox.sh '{posargs}' +passenv = KMIP_PLUGIN_ENABLED [flake8] exclude = .git,.idea,.tox,bin,dist,debian,rpmbuild,tools,*.egg-info,*.eggs,*openstack/common,contrib,