
  1. #!/usr/bin/env bash
  2. # Install and start **Barbican** service
  3. # To enable a minimal set of Barbican features, add the following to localrc:
  4. # enable_service barbican-svc barbican-retry barbican-keystone-listener
  5. #
  6. # Dependencies:
  7. # - functions
  8. # - OS_AUTH_URL for auth in api
  9. # - DEST set to the destination directory
  10. # - SERVICE_PROTOCOL, SERVICE_HOST to define the API endpoints
  11. # - SERVICE_PASSWORD, SERVICE_PROJECT_NAME for auth in api
  12. # - STACK_USER service user
  13. # stack.sh
  14. # ---------
  15. # install_barbican
  16. # configure_barbican
  17. # init_barbican
  18. # start_barbican
  19. # stop_barbican
  20. # cleanup_barbican
  21. # Save trace setting
  22. XTRACE=$(set +o | grep xtrace)
  23. set +o xtrace
  24. # PyKMIP configuration
  25. PYKMIP_SERVER_KEY=${PYKMIP_SERVER_KEY:-$INT_CA_DIR/private/pykmip-server.key}
  26. PYKMIP_SERVER_CERT=${PYKMIP_SERVER_CERT:-$INT_CA_DIR/pykmip-server.crt}
  27. PYKMIP_CLIENT_KEY=${PYKMIP_CLIENT_KEY:-$INT_CA_DIR/private/pykmip-client.key}
  28. PYKMIP_CLIENT_CERT=${PYKMIP_CLIENT_CERT:-$INT_CA_DIR/pykmip-client.crt}
  29. PYKMIP_CA_PATH=${PYKMIP_CA_PATH:-$INT_CA_DIR/ca-chain.pem}
  30. # Functions
  31. # ---------
  32. # TODO(john-wood-w) These 'magic' functions are called by devstack to enable
  33. # a given service (so the name between 'is_' and '_enabled'). Currently the
  34. # Zuul infra gate configuration (at https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/barbican.yaml)
  35. # only enables the 'barbican' service. So the two functions below, for the two
  36. # services we wish to run, have to key off of that lone 'barbican' selection.
  37. # Once the Zuul config is updated to add these two services properly, then
  38. # these functions should be replaced by the single method below.
  39. # !!!! Special thanks to rm_work for figuring this out !!!!
  40. function is_barbican-retry_enabled {
  41. [[ ,${ENABLED_SERVICES} =~ ,"barbican" ]] && return 0
  42. }
  43. function is_barbican-svc_enabled {
  44. [[ ,${ENABLED_SERVICES} =~ ,"barbican" ]] && return 0
  45. }
  46. function is_barbican-keystone-listener_enabled {
  47. [[ ,${ENABLED_SERVICES} =~ ,"barbican" ]] && return 0
  48. }
  49. # TODO(john-wood-w) Replace the above two functions with the one below once
# Zuul is updated per above.
  51. ## Test if any Barbican services are enabled
  52. ## is_barbican_enabled
  53. #function is_barbican_enabled {
  54. # [[ ,${ENABLED_SERVICES} =~ ,"barbican-" ]] && return 0
  55. # return 1
  56. #}
  57. # cleanup_barbican - Remove residual data files, anything left over from previous
  58. # runs that a clean run would need to clean up
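function cleanup_barbican {
    # Only the Vault backend leaves per-run state behind: the screen session
    # running 'vault server -dev', the dev-mode root token written next to
    # the checkout by install_vault, and vault.log in the current directory.
    if is_service_enabled barbican-vault; then
        local session_name="barbican_vault"
        local vault_token_file="${BARBICAN_DIR}/vault_root_token_id"
        local existing_ses
        # 'screen -ls' prints one "<pid>.<name>" token per session; keep the
        # token of the session carrying our name (fixed-string match).
        existing_ses=$(screen -ls | grep -F -- "${session_name}" | awk '{print $1}')
        if [[ -n "${existing_ses}" ]]; then
            screen -S "${existing_ses}" -X quit
        fi
        # The dev server may also be running outside screen; this matches any
        # "vault server" command line on the host, not just ours.
        sudo pkill -f -9 "vault server"
        sudo rm -f -- "${vault_token_file}" vault.log
    fi
}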
  73. # configure_barbicanclient - Set config files, create data dirs, etc
  74. function configure_barbicanclient {
  75. setup_dev_lib "python-barbicanclient"
  76. }
  77. # configure_dogtag_plugin - Change config to use dogtag plugin
  78. function configure_dogtag_plugin {
  79. sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
  80. sudo chown $USER $BARBICAN_CONF_DIR/kra_admin_cert.pem
  81. iniset $BARBICAN_CONF dogtag_plugin dogtag_port 8373
  82. iniset $BARBICAN_CONF dogtag_plugin pem_path "$BARBICAN_CONF_DIR/kra_admin_cert.pem"
  83. iniset $BARBICAN_CONF dogtag_plugin dogtag_host localhost
  84. iniset $BARBICAN_CONF dogtag_plugin nss_db_path '/etc/barbican/alias'
  85. iniset $BARBICAN_CONF dogtag_plugin nss_db_path_ca '/etc/barbican/alias-ca'
  86. iniset $BARBICAN_CONF dogtag_plugin nss_password 'password123'
  87. iniset $BARBICAN_CONF dogtag_plugin simple_cmc_profile 'caOtherCert'
  88. iniset $BARBICAN_CONF dogtag_plugin ca_expiration_time 1
  89. iniset $BARBICAN_CONF dogtag_plugin plugin_working_dir '/etc/barbican/dogtag'
  90. iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins dogtag_crypto
  91. iniset $BARBICAN_CONF certificate enabled_certificate_plugins dogtag
  92. }
  93. # configure_barbican - Set config files, create data dirs, etc
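function configure_barbican {
    setup_develop "$BARBICAN_DIR"

    # Create the config and API log directories and hand them to the stack
    # user (the services run as $USER). The original created BARBICAN_CONF_DIR
    # twice; once is enough.
    local dir
    for dir in "$BARBICAN_CONF_DIR" "$BARBICAN_API_LOG_DIR"; do
        if [[ ! -d "$dir" ]]; then
            sudo mkdir -m 755 -p "$dir"
        fi
        sudo chown "$USER" "$dir"
    done

    # Copy the barbican config files to the config dir
    cp "$BARBICAN_DIR/etc/barbican/barbican-api-paste.ini" "$BARBICAN_CONF_DIR"
    cp -R "$BARBICAN_DIR/etc/barbican/vassals" "$BARBICAN_CONF_DIR"
    # Copy functional test config
    cp "$BARBICAN_DIR/etc/barbican/barbican-functional.conf" "$BARBICAN_CONF_DIR"

    # Enable DEBUG
    iniset "$BARBICAN_CONF" DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL"
    # Set the host_href
    iniset "$BARBICAN_CONF" DEFAULT host_href "$BARBICAN_HOST_HREF"
    # Set the log file location
    iniset "$BARBICAN_CONF" DEFAULT log_file "$BARBICAN_API_LOG_DIR/barbican.log"
    # Enable logging to stderr to have log also in the screen window
    iniset "$BARBICAN_CONF" DEFAULT use_stderr True
    # Format logging
    if [[ "$LOG_COLOR" == "True" && "$SYSLOG" == "False" ]]; then
        setup_colorized_logging "$BARBICAN_CONF" DEFAULT project user
    fi
    # Set the database connection url (quoted so the URL is one argument)
    iniset "$BARBICAN_CONF" DEFAULT sql_connection "$(database_connection_url barbican)"
    # Disable auto-migration when deploying Barbican
    iniset "$BARBICAN_CONF" DEFAULT db_auto_create False
    # Increase default request buffer size, keystone auth PKI tokens can be very long
    iniset "$BARBICAN_CONF_DIR/vassals/barbican-api.ini" uwsgi buffer-size 65535

    # Rabbit settings. transport_url embeds the broker credentials in
    # barbican.conf; without rabbit this only warns and carries on.
    if is_service_enabled rabbit; then
        iniset "$BARBICAN_CONF" DEFAULT transport_url "rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST:5672"
    else
        echo_summary "Barbican requires that the RabbitMQ service is enabled"
    fi

    write_uwsgi_config "$BARBICAN_UWSGI_CONF" "$BARBICAN_WSGI" "/key-manager"

    ## Set up keystone
    # Turn on the middleware
    iniset "$BARBICAN_PASTE_CONF" 'pipeline:barbican_api' pipeline 'barbican-api-keystone'
    # Set the keystone parameters
    configure_keystone_authtoken_middleware "$BARBICAN_CONF" barbican
    # Enable the keystone listener
    iniset "$BARBICAN_CONF" keystone_notifications enable True
    iniset "$BARBICAN_CONF" keystone_notifications control_exchange 'keystone'
}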
  141. # init_barbican - Initialize etc.
  142. function init_barbican {
  143. recreate_database barbican utf8
  144. $BARBICAN_BIN_DIR/barbican-manage db upgrade -v head
  145. }
  146. # install_barbican - Collect source and prepare
function install_barbican {
    # Extra distro build dependencies on Fedora only.
    is_fedora && install_package sqlite-devel openldap-devel
    # TODO(ravips): We need this until barbican gets into devstack
    setup_develop "$BARBICAN_DIR"
    pip_install 'uwsgi'
}
  156. # install_barbicanclient - Collect source and prepare
function install_barbicanclient {
    # Nothing to do unless devstack's use_library_from_git selects the client.
    local lib="python-barbicanclient"
    if use_library_from_git "$lib"; then
        git_clone_by_name "$lib"
        setup_dev_lib "$lib"
    fi
}
  163. # start_barbican - Start running processes, including screen
  164. function start_barbican {
  165. # Start the Barbican service up.
  166. run_process barbican-svc "$BARBICAN_BIN_DIR/uwsgi --ini $BARBICAN_UWSGI_CONF"
  167. # Pause while the barbican-svc populates the database, otherwise the retry
  168. # service below might try to do this at the same time, leading to race
  169. # conditions.
  170. sleep 10
  171. # Start the retry scheduler server up.
  172. run_process barbican-retry "$BARBICAN_BIN_DIR/barbican-retry --config-file=$BARBICAN_CONF_DIR/barbican.conf"
  173. # Start the barbican-keystone-listener
  174. run_process barbican-keystone-listener "$BARBICAN_BIN_DIR/barbican-keystone-listener --config-file=$BARBICAN_CONF_DIR/barbican.conf"
  175. }
  176. # stop_barbican - Stop running processes
  177. function stop_barbican {
  178. # This will eventually be refactored to work like
  179. # Solum and Manila (script to kick off a wsgiref server)
  180. # For now, this will stop uWSGI rather than have it hang
  181. killall -9 uwsgi
  182. # This cleans up the PID file, but uses pkill so Barbican
  183. # uWSGI emperor process doesn't actually stop
  184. stop_process barbican-svc
  185. stop_process barbican-retry
  186. stop_process barbican-keystone-listener
  187. }
  188. function get_id {
  189. echo `"$@" | awk '/ id / { print $4 }'`
  190. }
  191. function create_barbican_accounts {
  192. #
  193. # Setup Default Admin User
  194. #
  195. SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }")
  196. ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
  197. BARBICAN_USER=$(openstack user create \
  198. --password "$SERVICE_PASSWORD" \
  199. --project $SERVICE_PROJECT \
  200. --email "barbican@example.com" \
  201. barbican \
  202. | grep " id " | get_field 2)
  203. openstack role add --project $SERVICE_PROJECT \
  204. --user $BARBICAN_USER \
  205. $ADMIN_ROLE
  206. #
  207. # Setup Default service-admin User
  208. #
  209. SERVICE_ADMIN=$(get_id openstack user create \
  210. --password "$SERVICE_PASSWORD" \
  211. --email "service-admin@example.com" \
  212. "service-admin")
  213. SERVICE_ADMIN_ROLE=$(get_id openstack role create \
  214. "key-manager:service-admin")
  215. openstack role add \
  216. --user "$SERVICE_ADMIN" \
  217. --project "$SERVICE_PROJECT" \
  218. "$SERVICE_ADMIN_ROLE"
  219. #
  220. # Setup RBAC User Projects and Roles
  221. #
  222. PASSWORD="barbican"
  223. PROJECT_A_ID=$(get_id openstack project create "project_a")
  224. PROJECT_B_ID=$(get_id openstack project create "project_b")
  225. ROLE_ADMIN_ID=$(get_id openstack role show admin)
  226. ROLE_CREATOR_ID=$(get_id openstack role create "creator")
  227. ROLE_OBSERVER_ID=$(get_id openstack role create "observer")
  228. ROLE_AUDIT_ID=$(get_id openstack role create "audit")
  229. #
  230. # Setup RBAC Admin of Project A
  231. #
  232. USER_ID=$(get_id openstack user create \
  233. --password "$PASSWORD" \
  234. --email "admin_a@example.net" \
  235. "project_a_admin")
  236. openstack role add \
  237. --user "$USER_ID" \
  238. --project "$PROJECT_A_ID" \
  239. "$ROLE_ADMIN_ID"
  240. #
  241. # Setup RBAC Creator of Project A
  242. #
  243. USER_ID=$(get_id openstack user create \
  244. --password "$PASSWORD" \
  245. --email "creator_a@example.net" \
  246. "project_a_creator")
  247. openstack role add \
  248. --user "$USER_ID" \
  249. --project "$PROJECT_A_ID" \
  250. "$ROLE_CREATOR_ID"
  251. # Adding second creator user in project_a
  252. USER_ID=$(openstack user create \
  253. --password "$PASSWORD" \
  254. --email "creator2_a@example.net" \
  255. "project_a_creator_2" -f value -c id)
  256. openstack role add \
  257. --user "$USER_ID" \
  258. --project "$PROJECT_A_ID" \
  259. "$ROLE_CREATOR_ID"
  260. #
  261. # Setup RBAC Observer of Project A
  262. #
  263. USER_ID=$(get_id openstack user create \
  264. --password "$PASSWORD" \
  265. --email "observer_a@example.net" \
  266. "project_a_observer")
  267. openstack role add \
  268. --user "$USER_ID" \
  269. --project "$PROJECT_A_ID" \
  270. "$ROLE_OBSERVER_ID"
  271. #
  272. # Setup RBAC Auditor of Project A
  273. #
  274. USER_ID=$(get_id openstack user create \
  275. --password "$PASSWORD" \
  276. --email "auditor_a@example.net" \
  277. "project_a_auditor")
  278. openstack role add \
  279. --user "$USER_ID" \
  280. --project "$PROJECT_A_ID" \
  281. "$ROLE_AUDIT_ID"
  282. #
  283. # Setup RBAC Admin of Project B
  284. #
  285. USER_ID=$(get_id openstack user create \
  286. --password "$PASSWORD" \
  287. --email "admin_b@example.net" \
  288. "project_b_admin")
  289. openstack role add \
  290. --user "$USER_ID" \
  291. --project "$PROJECT_B_ID" \
  292. "$ROLE_ADMIN_ID"
  293. #
  294. # Setup RBAC Creator of Project B
  295. #
  296. USER_ID=$(get_id openstack user create \
  297. --password "$PASSWORD" \
  298. --email "creator_b@example.net" \
  299. "project_b_creator")
  300. openstack role add \
  301. --user "$USER_ID" \
  302. --project "$PROJECT_B_ID" \
  303. "$ROLE_CREATOR_ID"
  304. #
  305. # Setup RBAC Observer of Project B
  306. #
  307. USER_ID=$(get_id openstack user create \
  308. --password "$PASSWORD" \
  309. --email "observer_b@example.net" \
  310. "project_b_observer")
  311. openstack role add \
  312. --user "$USER_ID" \
  313. --project "$PROJECT_B_ID" \
  314. "$ROLE_OBSERVER_ID"
  315. #
  316. # Setup RBAC auditor of Project B
  317. #
  318. USER_ID=$(get_id openstack user create \
  319. --password "$PASSWORD" \
  320. --email "auditor_b@example.net" \
  321. "project_b_auditor")
  322. openstack role add \
  323. --user "$USER_ID" \
  324. --project "$PROJECT_B_ID" \
  325. "$ROLE_AUDIT_ID"
  326. #
  327. # Setup Barbican Endpoint
  328. #
  329. BARBICAN_SERVICE=$(openstack service create \
  330. --name barbican \
  331. --description "Barbican Service" \
  332. 'key-manager' \
  333. | grep " id " | get_field 2)
  334. openstack endpoint create \
  335. --os-identity-api-version 3 \
  336. --region RegionOne \
  337. $BARBICAN_SERVICE \
  338. public "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
  339. openstack endpoint create \
  340. --os-identity-api-version 3 \
  341. --region RegionOne \
  342. $BARBICAN_SERVICE \
  343. internal "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
  344. }
  345. # PyKMIP functions
  346. # ----------------
  347. # install_pykmip - install the PyKMIP python module
  348. # create keys and certificate for server
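function install_pykmip {
    pip_install 'pykmip'
    # Directories, TLS material and config are only needed for a local
    # pykmip-server.
    if is_service_enabled pykmip-server; then
        local dir
        for dir in "${PYKMIP_CONF_DIR}" "${PYKMIP_LOG_DIR}"; do
            if [[ ! -d "${dir}" ]]; then
                sudo mkdir -p "${dir}"
            fi
            sudo chown "${USER}" "${dir}"
        done
        # Issue the server and client certs from devstack's intermediate CA;
        # each key is generated once and kept owner-read-only.
        init_CA
        if [[ ! -e "${PYKMIP_SERVER_KEY}" ]]; then
            make_cert "${INT_CA_DIR}" 'pykmip-server' 'pykmip-server'
            chmod 400 "${PYKMIP_SERVER_KEY}"
        fi
        if [[ ! -e "${PYKMIP_CLIENT_KEY}" ]]; then
            make_cert "${INT_CA_DIR}" 'pykmip-client' 'pykmip-client'
            chmod 400 "${PYKMIP_CLIENT_KEY}"
        fi
        # Server config: loopback only, TLS 1.2, ca_path pointing at the CA
        # chain the client cert was issued from. Written once.
        if [[ ! -e "${PYKMIP_CONF}" ]]; then
            cat > "${PYKMIP_CONF}" <<EOF
[server]
hostname=127.0.0.1
port=5696
certificate_path=${PYKMIP_SERVER_CERT}
key_path=${PYKMIP_SERVER_KEY}
ca_path=${PYKMIP_CA_PATH}
auth_suite=TLS1.2
EOF
        fi
    fi
}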
  378. # configure_pykmip - enable KMIP plugin and configure
  379. function configure_pykmip {
  380. iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins kmip_plugin
  381. iniset $BARBICAN_CONF kmip_plugin username demo
  382. iniset $BARBICAN_CONF kmip_plugin password secretpassword
  383. iniset $BARBICAN_CONF kmip_plugin keyfile ${PYKMIP_CLIENT_KEY}
  384. iniset $BARBICAN_CONF kmip_plugin certfile ${PYKMIP_CLIENT_CERT}
  385. iniset $BARBICAN_CONF kmip_plugin ca_certs ${PYKMIP_CA_PATH}
  386. }
  387. # start_pykmip - start the PyKMIP server
  388. function start_pykmip {
  389. run_process pykmip-server "$BARBICAN_BIN_DIR/pykmip-server -f ${PYKMIP_CONF} -l ${PYKMIP_LOG_DIR}/pykmip-devstack.log"
  390. }
  391. # Dogtag functions
  392. # ----------------
  393. function install_389_directory_server {
  394. # Make sure that 127.0.0.1 resolves to localhost.localdomain (fqdn)
  395. sudo sed -i 's/127.0.0.1[ \t]*localhost localhost.localdomain/127.0.0.1\tlocalhost.localdomain localhost/' /etc/hosts
  396. sudo mkdir -p /etc/389-ds
  397. dscreate create-template ds.tmp
  398. sed -e 's/;root_password = .*/root_password = PASSWORD/g' \
  399. -e 's/;full_machine_name = .*/full_machine_name = localhost.localdomain/g' \
  400. -e 's/;instance_name =.*/instance_name = pki-tomcat/g' \
  401. ds.tmp > ds.inf
  402. rm ds.tmp
  403. sudo mv ds.inf /etc/389-ds/ds.inf
  404. sudo dscreate from-file /etc/389-ds/ds.inf
  405. }
  406. function install_dogtag_ca {
  407. sudo mkdir -p /etc/dogtag
  408. cat > .tmp.ca.cfg <<EOF
  409. [CA]
  410. pki_admin_email=caadmin@example.com
  411. pki_admin_name=caadmin
  412. pki_admin_nickname=caadmin
  413. pki_admin_password=PASSWORD
  414. pki_admin_uid=caadmin
  415. pki_backup_password=PASSWORD
  416. pki_client_database_password=PASSWORD
  417. pki_client_database_purge=False
  418. pki_client_pkcs12_password=PASSWORD
  419. pki_clone_pkcs12_password=PASSWORD
  420. pki_ds_base_dn=dc=ca,dc=example,dc=com
  421. pki_ds_database=ca
  422. pki_ds_password=PASSWORD
  423. pki_hostname=localhost
  424. pki_security_domain_name=EXAMPLE
  425. pki_token_password=PASSWORD
  426. pki_https_port=8373
  427. pki_http_port=8370
  428. pki_ajp_port=8379
  429. pki_tomcat_server_port=8375
  430. EOF
  431. sudo mv .tmp.ca.cfg /etc/dogtag/ca.cfg
  432. sudo pkispawn -v -f /etc/dogtag/ca.cfg -s CA
  433. }
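# wait_for_ca - Block until the Dogtag CA's status endpoint reports "running".
# Arguments: $1 - maximum number of 2-second polls before giving up
#                 (optional, default 300, roughly ten minutes)
# Returns:   0 once the CA reports running, 1 on timeout
function wait_for_ca {
    local max_tries=${1:-300}
    local tries=0
    local ca_status
    while true; do
        # If the sleep command is executed "as-is", the subprocess that it
        # executes will trigger the "exit_trap" and will cause this script to
        # fail. To avoid this, we run the sleep command inside this sub-shell,
        # so the signal will not be caught in this process.
        # -k: the freshly spawned CA serves a certificate that is not in the
        # host trust store yet; only the status string is read from it.
        # '|| true' keeps a refused connection from failing the assignment.
        ca_status=$(sleep 2 && curl -s -k https://localhost:8373/ca/admin/ca/getStatus || true)
        if grep -q running <<<"${ca_status}"; then
            return 0
        fi
        tries=$((tries + 1))
        if (( tries >= max_tries )); then
            printf 'Timed out waiting for the Dogtag CA to report running\n' >&2
            return 1
        fi
    done
}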
  446. function install_dogtag_kra {
  447. sudo mkdir -p /etc/dogtag
  448. # Even though we are using localhost.localdomain, the server certificate by
  449. # default will get the real host name for the server. So we need to
  450. # properly configure the KRA to try to communicate with the real host name
  451. # instead of the localhost.
  452. cat > .tmp.kra.cfg <<EOF
  453. [KRA]
  454. pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
  455. pki_admin_email=kraadmin@example.com
  456. pki_admin_name=kraadmin
  457. pki_admin_nickname=kraadmin
  458. pki_admin_password=PASSWORD
  459. pki_admin_uid=kraadmin
  460. pki_backup_password=PASSWORD
  461. pki_client_database_password=PASSWORD
  462. pki_client_database_purge=False
  463. pki_client_pkcs12_password=PASSWORD
  464. pki_clone_pkcs12_password=PASSWORD
  465. pki_ds_base_dn=dc=kra,dc=example,dc=com
  466. pki_ds_database=kra
  467. pki_ds_password=PASSWORD
  468. pki_hostname=localhost
  469. pki_security_domain_name=EXAMPLE
  470. pki_security_domain_user=caadmin
  471. pki_security_domain_password=PASSWORD
  472. pki_token_password=PASSWORD
  473. pki_https_port=8373
  474. pki_http_port=8370
  475. pki_ajp_port=8379
  476. pki_tomcat_server_port=8375
  477. pki_security_domain_hostname=localhost
  478. pki_security_domain_https_port=8373
  479. EOF
  480. sudo mv .tmp.kra.cfg /etc/dogtag/kra.cfg
  481. sudo pkispawn -v -f /etc/dogtag/kra.cfg -s KRA
  482. }
  483. function install_dogtag_plugin_dependencies {
  484. install_package nss-devel 389-ds-base dogtag-pki
  485. }
  486. function install_dogtag_components {
  487. install_dogtag_plugin_dependencies
  488. install_389_directory_server
  489. install_dogtag_ca
  490. wait_for_ca
  491. install_dogtag_kra
  492. }
  493. # Vault functions
  494. # ----------------
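# install_vault - Install the Vault binary if missing, start a dev-mode Vault
# in a detached screen session and capture its root token for
# configure_vault_plugin.
# Globals:   BARBICAN_DIR (read), TOKEN_ID_FILE (written), VAULT_ADDR (exported)
# Returns:   1 if the root token could not be read from vault.log
function install_vault {
    # Install vault if needed
    if [[ ! -x "$(command -v vault)" ]]; then
        local vault_zip="vault_1.3.0_linux_amd64.zip"
        # TODO: the archive is fetched over TLS but neither its checksum nor
        # its signature is verified; pin the published SHA256SUMS before
        # relying on this binary outside a throwaway devstack host.
        wget "https://releases.hashicorp.com/vault/1.3.0/${vault_zip}"
        unzip "${vault_zip}"
        sudo mv vault /usr/bin
        rm -f -- "${vault_zip}"
    fi
    install_package screen

    TOKEN_ID_FILE="${BARBICAN_DIR}/vault_root_token_id"
    local session_name="barbican_vault"
    local existing_ses

    # Clean up first before starting new screen session
    existing_ses=$(screen -ls | grep -F -- "${session_name}" | awk '{print $1}')
    if [[ -n "${existing_ses}" ]]; then
        screen -S "${existing_ses}" -X quit
    fi
    rm -f -- "${TOKEN_ID_FILE}" vault.log
    screen -dmS "${session_name}"
    # Dev mode prints the root token at startup. With '2>&1 >vault.log' only
    # stdout lands in vault.log (current directory); stderr stays on the
    # screen window.
    screen -S "${session_name}" -p bash -X stuff 'vault server -dev 2>&1 >vault.log\n'

    # Poll vault.log for the root token (up to 20 x 2s). The token file is
    # owner-only: the root token is a full-privilege credential for this Vault.
    touch "${TOKEN_ID_FILE}"
    chmod 0600 "${TOKEN_ID_FILE}"
    local counter=0
    while [[ ! -s "${TOKEN_ID_FILE}" ]] && (( counter < 20 )); do
        sleep 2
        awk '/Root Token:/ {print $3}' vault.log > "${TOKEN_ID_FILE}"
        counter=$((counter + 1))
    done
    if [[ ! -s "${TOKEN_ID_FILE}" ]]; then
        printf 'vault root token not found in vault.log after %s attempts\n' "${counter}" >&2
        return 1
    fi

    export VAULT_ADDR="http://127.0.0.1:8200"
    # Enable kv version 1
    vault secrets disable secret/
    vault secrets enable -version=1 -path=secret -description "kv version 1" kv
    # Smoke test of the kv mount; debug output only, leaves nothing behind.
    vault status
    vault kv put secret/hello foo=world
    vault kv get secret/hello
    vault kv delete secret/hello
}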
  535. function configure_vault_plugin {
  536. root_token_id=`cat ${BARBICAN_DIR}/vault_root_token_id`
  537. iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins vault_plugin
  538. iniset $BARBICAN_CONF vault_plugin root_token_id $root_token_id
  539. iniset $BARBICAN_CONF vault_plugin vault_url "http://127.0.0.1:8200"
  540. iniset $BARBICAN_CONF vault_plugin use_ssl "false"
  541. }
  542. # Restore xtrace
  543. $XTRACE