Barbican is a ReST API designed for the secure storage, provisioning and management of secrets, including in OpenStack environments.


  1. #!/usr/bin/env bash
  2. # Install and start **Barbican** service
  3. # To enable a minimal set of Barbican features, add the following to localrc:
  4. # enable_service barbican-svc barbican-retry barbican-keystone-listener
  5. #
  6. # Dependencies:
  7. # - functions
  8. # - OS_AUTH_URL for auth in api
  9. # - DEST set to the destination directory
  10. # - SERVICE_PASSWORD, SERVICE_PROJECT_NAME for auth in api
  11. # - STACK_USER service user
  12. # stack.sh
  13. # ---------
  14. # install_barbican
  15. # configure_barbican
  16. # init_barbican
  17. # start_barbican
  18. # stop_barbican
  19. # cleanup_barbican
  # Save trace setting so it can be restored at the end of this file;
  # 'set +o' prints the command that recreates the current xtrace state.
  XTRACE="$(set +o | grep xtrace)"
  set +o xtrace
  # PyKMIP configuration: key/cert/CA locations default to paths under the
  # devstack intermediate CA directory (INT_CA_DIR); each may be preset by the
  # caller's environment (':=' only assigns when unset or empty).
  : "${PYKMIP_SERVER_KEY:=$INT_CA_DIR/private/pykmip-server.key}"
  : "${PYKMIP_SERVER_CERT:=$INT_CA_DIR/pykmip-server.crt}"
  : "${PYKMIP_CLIENT_KEY:=$INT_CA_DIR/private/pykmip-client.key}"
  : "${PYKMIP_CLIENT_CERT:=$INT_CA_DIR/pykmip-client.crt}"
  : "${PYKMIP_CA_PATH:=$INT_CA_DIR/ca-chain.pem}"
  29. # Functions
  30. # ---------
  31. # TODO(john-wood-w) These 'magic' functions are called by devstack to enable
  32. # a given service (so the name between 'is_' and '_enabled'). Currently the
  33. # Zuul infra gate configuration (at https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/barbican.yaml)
  34. # only enables the 'barbican' service. So the two functions below, for the two
  35. # services we wish to run, have to key off of that lone 'barbican' selection.
  36. # Once the Zuul config is updated to add these two services properly, then
  37. # these functions should be replaced by the single method below.
  38. # !!!! Special thanks to rm_work for figuring this out !!!!
  # is_barbican-retry_enabled - true when ',barbican' occurs in ENABLED_SERVICES
  # (keyed off the lone 'barbican' service name, see the note above).
  function is_barbican-retry_enabled {
    [[ ",${ENABLED_SERVICES}" == *",barbican"* ]] && return 0
  }
  # is_barbican-svc_enabled - true when ',barbican' occurs in ENABLED_SERVICES
  # (keyed off the lone 'barbican' service name, see the note above).
  function is_barbican-svc_enabled {
    [[ ",${ENABLED_SERVICES}" == *",barbican"* ]] && return 0
  }
  # is_barbican-keystone-listener_enabled - true when ',barbican' occurs in
  # ENABLED_SERVICES (keyed off the lone 'barbican' service name, see above).
  function is_barbican-keystone-listener_enabled {
    [[ ",${ENABLED_SERVICES}" == *",barbican"* ]] && return 0
  }
  48. # TODO(john-wood-w) Replace the above functions with the one below once
  49. # Zuul is updated per above.
  50. ## Test if any Barbican services are enabled
  51. ## is_barbican_enabled
  52. #function is_barbican_enabled {
  53. # [[ ,${ENABLED_SERVICES} =~ ,"barbican-" ]] && return 0
  54. # return 1
  55. #}
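  # cleanup_barbican - Remove residual data files, anything left over from previous
  # runs that a clean run would need to clean up
  # Globals:   BARBICAN_DIR (read)
  function cleanup_barbican {
    if is_service_enabled barbican-vault; then
      # Kill the vault process, screen session and remove the generated files
      # during installation.
      local session_name="barbican_vault"
      local vault_token_file="${BARBICAN_DIR}/vault_root_token_id"
      local existing_ses
      existing_ses=$(screen -ls | grep -- "${session_name}" | awk '{print $1}')
      if [[ -n "${existing_ses}" ]]; then
        screen -S "${existing_ses}" -X quit
      fi
      # -f matches the whole command line, so this stops any 'vault server'
      # on the host, not just the one install_vault started.
      sudo pkill -f -9 "vault server"
      # The token file holds the dev vault's root token; vault.log is the
      # server output captured in the current directory by install_vault.
      sudo rm -f -- "${vault_token_file}" vault.log
    fi
  }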
  # configure_barbicanclient - Set config files, create data dirs, etc
  function configure_barbicanclient {
    local client_lib="python-barbicanclient"
    setup_dev_lib "${client_lib}"
  }
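  # configure_dogtag_plugin - Change config to use dogtag plugin
  # Globals:   BARBICAN_CONF, BARBICAN_CONF_DIR, USER (read)
  function configure_dogtag_plugin {
    local kra_admin_pem="$BARBICAN_CONF_DIR/kra_admin_cert.pem"
    # Extract the admin cert and key from the PKCS#12 bundle pkispawn wrote.
    # 'PASSWORD' is the fixed pki_client_pkcs12_password from install_dogtag_ca;
    # a 'pass:' argument is visible in the process list while openssl runs.
    sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
      -passin pass:PASSWORD -out "$kra_admin_pem" -nodes
    # -nodes writes the private key unencrypted, so limit the file to the
    # stack user that runs Barbican.
    sudo chown "$USER" "$kra_admin_pem"
    sudo chmod 600 "$kra_admin_pem"
    iniset "$BARBICAN_CONF" dogtag_plugin dogtag_port 8373
    iniset "$BARBICAN_CONF" dogtag_plugin pem_path "$kra_admin_pem"
    iniset "$BARBICAN_CONF" dogtag_plugin dogtag_host localhost
    iniset "$BARBICAN_CONF" dogtag_plugin nss_db_path '/etc/barbican/alias'
    iniset "$BARBICAN_CONF" dogtag_plugin nss_db_path_ca '/etc/barbican/alias-ca'
    # Fixed dev-only NSS database password.
    iniset "$BARBICAN_CONF" dogtag_plugin nss_password 'password123'
    iniset "$BARBICAN_CONF" dogtag_plugin simple_cmc_profile 'caOtherCert'
    iniset "$BARBICAN_CONF" dogtag_plugin ca_expiration_time 1
    iniset "$BARBICAN_CONF" dogtag_plugin plugin_working_dir '/etc/barbican/dogtag'
    iniset "$BARBICAN_CONF" secretstore enabled_secretstore_plugins dogtag_crypto
    iniset "$BARBICAN_CONF" certificate enabled_certificate_plugins dogtag
  }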
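  # configure_barbican - Set config files, create data dirs, etc
  # Globals:   BARBICAN_DIR, BARBICAN_CONF, BARBICAN_CONF_DIR, BARBICAN_API_LOG_DIR,
  #            BARBICAN_HOST_HREF, BARBICAN_UWSGI_CONF, BARBICAN_WSGI,
  #            BARBICAN_PASTE_CONF, BARBICAN_AUTH_CACHE_DIR, ENABLE_DEBUG_LOG_LEVEL,
  #            LOG_COLOR, SYSLOG, RABBIT_USERID, RABBIT_PASSWORD, RABBIT_HOST (read)
  function configure_barbican {
    setup_develop "$BARBICAN_DIR"
    # Config and log dirs, owned by the stack user (the original created the
    # config dir twice; once is enough).
    _barbican_ensure_dir "$BARBICAN_CONF_DIR"
    _barbican_ensure_dir "$BARBICAN_API_LOG_DIR"
    # Copy the barbican config files to the config dir
    cp "$BARBICAN_DIR/etc/barbican/barbican-api-paste.ini" "$BARBICAN_CONF_DIR"
    cp -R "$BARBICAN_DIR/etc/barbican/vassals" "$BARBICAN_CONF_DIR"
    # Copy functional test config
    cp "$BARBICAN_DIR/etc/barbican/barbican-functional.conf" "$BARBICAN_CONF_DIR"
    # Enable DEBUG
    iniset "$BARBICAN_CONF" DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL"
    # Set the host_href
    iniset "$BARBICAN_CONF" DEFAULT host_href "$BARBICAN_HOST_HREF"
    # Set the log file location
    iniset "$BARBICAN_CONF" DEFAULT log_file "$BARBICAN_API_LOG_DIR/barbican.log"
    # Enable logging to stderr to have log also in the screen window
    iniset "$BARBICAN_CONF" DEFAULT use_stderr True
    # Format logging
    if [[ "$LOG_COLOR" == "True" && "$SYSLOG" == "False" ]]; then
      setup_colorized_logging "$BARBICAN_CONF" DEFAULT project user
    fi
    # Set the database connection url
    iniset "$BARBICAN_CONF" DEFAULT sql_connection "$(database_connection_url barbican)"
    # Disable auto-migration when deploying Barbican
    iniset "$BARBICAN_CONF" DEFAULT db_auto_create False
    # Increase default request buffer size, keystone auth PKI tokens can be very long
    iniset "$BARBICAN_CONF_DIR/vassals/barbican-api.ini" uwsgi buffer-size 65535
    # Rabbit settings. transport_url embeds the RabbitMQ credentials, so
    # barbican.conf should stay readable only by the stack user.
    if is_service_enabled rabbit; then
      iniset "$BARBICAN_CONF" DEFAULT transport_url "rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST:5672"
    else
      # Only a warning: configuration continues without a transport_url.
      echo_summary "Barbican requires that the RabbitMQ service is enabled"
    fi
    write_uwsgi_config "$BARBICAN_UWSGI_CONF" "$BARBICAN_WSGI" "/key-manager"
    ## Set up keystone
    # Turn on the middleware
    iniset "$BARBICAN_PASTE_CONF" 'pipeline:barbican_api' pipeline 'barbican-api-keystone'
    # Set the keystone parameters
    configure_auth_token_middleware "$BARBICAN_CONF" barbican "$BARBICAN_AUTH_CACHE_DIR"
    # Enable the keystone listener
    iniset "$BARBICAN_CONF" keystone_notifications enable True
    iniset "$BARBICAN_CONF" keystone_notifications control_exchange 'keystone'
  }

  # _barbican_ensure_dir - create DIR (mode 755, parents as needed) if it is
  # missing and hand it to the stack user.
  # Arguments: $1 - directory path
  # Globals:   USER (read)
  function _barbican_ensure_dir {
    local dir=$1
    [[ -d "$dir" ]] || sudo mkdir -m 755 -p "$dir"
    sudo chown "$USER" "$dir"
  }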
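  # init_barbican - Initialize etc.
  # Globals:   BARBICAN_AUTH_CACHE_DIR, STACK_USER, BARBICAN_BIN_DIR (read)
  function init_barbican {
    # Create cache dir
    sudo mkdir -p "$BARBICAN_AUTH_CACHE_DIR"
    sudo chown "$STACK_USER" "$BARBICAN_AUTH_CACHE_DIR"
    # ':?' aborts if the variable is empty, so this can never expand to 'rm -f /*'
    rm -f -- "${BARBICAN_AUTH_CACHE_DIR:?}"/*
    recreate_database barbican utf8
    "$BARBICAN_BIN_DIR/barbican-manage" db upgrade -v head
  }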
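  # install_barbican - Collect source and prepare
  # Globals:   BARBICAN_DIR (read)
  function install_barbican {
    # Install package requirements
    if is_fedora; then
      install_package sqlite-devel openldap-devel
    fi
    # TODO(ravips): We need this until barbican gets into devstack
    setup_develop "$BARBICAN_DIR"
    pip_install 'uwsgi'
  }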
  # install_barbicanclient - Collect source and prepare
  function install_barbicanclient {
    local lib="python-barbicanclient"
    # Nothing to do unless devstack is told to use the client library from git
    if ! use_library_from_git "${lib}"; then
      return 0
    fi
    git_clone_by_name "${lib}"
    setup_dev_lib "${lib}"
  }
  # start_barbican - Start running processes, including screen
  function start_barbican {
    local conf="$BARBICAN_CONF_DIR/barbican.conf"
    # Start the Barbican API service (uWSGI) up.
    run_process barbican-svc "$BARBICAN_BIN_DIR/uwsgi --ini $BARBICAN_UWSGI_CONF"
    # Pause while the barbican-svc populates the database, otherwise the retry
    # service below might try to do this at the same time, leading to race
    # conditions. This is a fixed delay, not a readiness check.
    sleep 10
    # Start the retry scheduler server up.
    run_process barbican-retry "$BARBICAN_BIN_DIR/barbican-retry --config-file=$conf"
    # Start the barbican-keystone-listener
    run_process barbican-keystone-listener "$BARBICAN_BIN_DIR/barbican-keystone-listener --config-file=$conf"
  }
  # stop_barbican - Stop running processes
  function stop_barbican {
    local svc
    # This will eventually be refactored to work like
    # Solum and Manila (script to kick off a wsgiref server)
    # For now, this will stop uWSGI rather than have it hang.
    # Note: SIGKILLs every uwsgi process on the host, not only Barbican's.
    killall -9 uwsgi
    # This cleans up the PID file, but uses pkill so Barbican
    # uWSGI emperor process doesn't actually stop
    for svc in barbican-svc barbican-retry barbican-keystone-listener; do
      stop_process "$svc"
    done
  }
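  # get_id - run the given command and print the value of its '| id | <value> |'
  # table row (the 4th whitespace-separated field).
  # Arguments: $@ - command and its arguments
  # Outputs:   the id on stdout
  function get_id {
    # No 'echo `...`' wrapper: that word-split and glob-expanded the id and
    # always reported success regardless of the command's status.
    "$@" | awk '/ id / { print $4 }'
  }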
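  # create_barbican_accounts - Create the keystone users, projects, roles and
  # endpoints used by the Barbican service and its functional tests.
  # Globals:   SERVICE_PROJECT_NAME, SERVICE_PASSWORD, SERVICE_HOST (read)
  #            SERVICE_PROJECT, ADMIN_ROLE, BARBICAN_USER, SERVICE_ADMIN,
  #            SERVICE_ADMIN_ROLE, PASSWORD, PROJECT_A_ID, PROJECT_B_ID,
  #            ROLE_ADMIN_ID, ROLE_CREATOR_ID, ROLE_OBSERVER_ID, ROLE_AUDIT_ID,
  #            USER_ID, BARBICAN_SERVICE (written; left global as before)
  function create_barbican_accounts {
    local iface
    #
    # Setup Default Admin User
    #
    # Pass the project name to awk with -v and match it as a fixed string
    # rather than splicing it into the awk program.
    SERVICE_PROJECT=$(openstack project list \
      | awk -v name="$SERVICE_PROJECT_NAME" 'index($0, " " name " ") { print $2 }')
    ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
    # NOTE: --password puts the secret on the command line, where it is
    # visible in the process list while the client runs (devstack only).
    BARBICAN_USER=$(get_id openstack user create \
      --password "$SERVICE_PASSWORD" \
      --project "$SERVICE_PROJECT" \
      --email "barbican@example.com" \
      barbican)
    openstack role add --project "$SERVICE_PROJECT" \
      --user "$BARBICAN_USER" \
      "$ADMIN_ROLE"
    #
    # Setup Default service-admin User
    #
    SERVICE_ADMIN=$(get_id openstack user create \
      --password "$SERVICE_PASSWORD" \
      --email "service-admin@example.com" \
      "service-admin")
    SERVICE_ADMIN_ROLE=$(get_id openstack role create \
      "key-manager:service-admin")
    openstack role add \
      --user "$SERVICE_ADMIN" \
      --project "$SERVICE_PROJECT" \
      "$SERVICE_ADMIN_ROLE"
    #
    # Setup RBAC User Projects and Roles
    #
    # Shared fixed password for the functional-test RBAC users below.
    PASSWORD="barbican"
    PROJECT_A_ID=$(get_id openstack project create "project_a")
    PROJECT_B_ID=$(get_id openstack project create "project_b")
    ROLE_ADMIN_ID=$(get_id openstack role show admin)
    ROLE_CREATOR_ID=$(get_id openstack role create "creator")
    ROLE_OBSERVER_ID=$(get_id openstack role create "observer")
    ROLE_AUDIT_ID=$(get_id openstack role create "audit")
    #
    # Setup RBAC users of Project A: admin, two creators, observer, auditor
    #
    _barbican_create_rbac_user "project_a_admin" "admin_a@example.net" "$PROJECT_A_ID" "$ROLE_ADMIN_ID"
    _barbican_create_rbac_user "project_a_creator" "creator_a@example.net" "$PROJECT_A_ID" "$ROLE_CREATOR_ID"
    _barbican_create_rbac_user "project_a_creator_2" "creator2_a@example.net" "$PROJECT_A_ID" "$ROLE_CREATOR_ID"
    _barbican_create_rbac_user "project_a_observer" "observer_a@example.net" "$PROJECT_A_ID" "$ROLE_OBSERVER_ID"
    _barbican_create_rbac_user "project_a_auditor" "auditor_a@example.net" "$PROJECT_A_ID" "$ROLE_AUDIT_ID"
    #
    # Setup RBAC users of Project B: admin, creator, observer, auditor
    #
    _barbican_create_rbac_user "project_b_admin" "admin_b@example.net" "$PROJECT_B_ID" "$ROLE_ADMIN_ID"
    _barbican_create_rbac_user "project_b_creator" "creator_b@example.net" "$PROJECT_B_ID" "$ROLE_CREATOR_ID"
    _barbican_create_rbac_user "project_b_observer" "observer_b@example.net" "$PROJECT_B_ID" "$ROLE_OBSERVER_ID"
    _barbican_create_rbac_user "project_b_auditor" "auditor_b@example.net" "$PROJECT_B_ID" "$ROLE_AUDIT_ID"
    #
    # Setup Barbican Endpoint
    #
    BARBICAN_SERVICE=$(get_id openstack service create \
      --name barbican \
      --description "Barbican Service" \
      'key-manager')
    # Public and internal endpoints share the same URL.
    for iface in public internal; do
      openstack endpoint create \
        --os-identity-api-version 3 \
        --region RegionOne \
        "$BARBICAN_SERVICE" \
        "$iface" "http://$SERVICE_HOST/key-manager"
    done
  }

  # _barbican_create_rbac_user - create a keystone user with the shared test
  # password and grant it a role on a project.
  # Arguments: $1 - user name, $2 - email, $3 - project id, $4 - role id
  # Globals:   PASSWORD (read), USER_ID (written, kept global as before)
  function _barbican_create_rbac_user {
    local user_name=$1 email=$2 project_id=$3 role_id=$4
    USER_ID=$(get_id openstack user create \
      --password "$PASSWORD" \
      --email "$email" \
      "$user_name")
    openstack role add \
      --user "$USER_ID" \
      --project "$project_id" \
      "$role_id"
  }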
  348. # PyKMIP functions
  349. # ----------------
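  # install_pykmip - install the PyKMIP python module
  # create keys and certificate for server
  # Globals:   PYKMIP_CONF_DIR, PYKMIP_LOG_DIR, PYKMIP_CONF, INT_CA_DIR, USER,
  #            PYKMIP_SERVER_KEY, PYKMIP_SERVER_CERT, PYKMIP_CLIENT_KEY,
  #            PYKMIP_CA_PATH (read)
  function install_pykmip {
    pip_install 'pykmip'
    if is_service_enabled pykmip-server; then
      [[ -d "${PYKMIP_CONF_DIR}" ]] || sudo mkdir -p "${PYKMIP_CONF_DIR}"
      sudo chown "${USER}" "${PYKMIP_CONF_DIR}"
      [[ -d "${PYKMIP_LOG_DIR}" ]] || sudo mkdir -p "${PYKMIP_LOG_DIR}"
      sudo chown "${USER}" "${PYKMIP_LOG_DIR}"
      # Issue server and client certs from the devstack intermediate CA;
      # existing keys are kept, new private keys are owner-read-only.
      init_CA
      if [[ ! -e "${PYKMIP_SERVER_KEY}" ]]; then
        make_cert "${INT_CA_DIR}" 'pykmip-server' 'pykmip-server'
        chmod 400 "${PYKMIP_SERVER_KEY}"
      fi
      if [[ ! -e "${PYKMIP_CLIENT_KEY}" ]]; then
        make_cert "${INT_CA_DIR}" 'pykmip-client' 'pykmip-client'
        chmod 400 "${PYKMIP_CLIENT_KEY}"
      fi
      if [[ ! -e "${PYKMIP_CONF}" ]]; then
        # Loopback-only listener with TLS 1.2; ca_path is the devstack CA chain.
        cat > "${PYKMIP_CONF}" <<EOF
[server]
hostname=127.0.0.1
port=5696
certificate_path=${PYKMIP_SERVER_CERT}
key_path=${PYKMIP_SERVER_KEY}
ca_path=${PYKMIP_CA_PATH}
auth_suite=TLS1.2
EOF
      fi
    fi
  }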
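  # configure_pykmip - enable KMIP plugin and configure
  # Globals:   BARBICAN_CONF, PYKMIP_CLIENT_KEY, PYKMIP_CLIENT_CERT,
  #            PYKMIP_CA_PATH (read)
  function configure_pykmip {
    iniset "$BARBICAN_CONF" secretstore enabled_secretstore_plugins kmip_plugin
    # Fixed dev-only KMIP credentials; the client cert below is what the
    # PyKMIP server started here actually authenticates.
    iniset "$BARBICAN_CONF" kmip_plugin username demo
    iniset "$BARBICAN_CONF" kmip_plugin password secretpassword
    iniset "$BARBICAN_CONF" kmip_plugin keyfile "${PYKMIP_CLIENT_KEY}"
    iniset "$BARBICAN_CONF" kmip_plugin certfile "${PYKMIP_CLIENT_CERT}"
    iniset "$BARBICAN_CONF" kmip_plugin ca_certs "${PYKMIP_CA_PATH}"
  }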
  # start_pykmip - start the PyKMIP server
  function start_pykmip {
    local log_file="${PYKMIP_LOG_DIR}/pykmip-devstack.log"
    run_process pykmip-server "$BARBICAN_BIN_DIR/pykmip-server -f ${PYKMIP_CONF} -l ${log_file}"
  }
  394. # Dogtag functions
  395. # ----------------
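  # install_389_directory_server - create the 389 DS instance that Dogtag uses
  # Outputs:   /etc/389-ds/ds.inf
  # Returns:   1 if a temp file cannot be created
  function install_389_directory_server {
    local ds_template ds_inf
    # Make sure that 127.0.0.1 resolves to localhost.localdomain (fqdn)
    sudo sed -i 's/127.0.0.1[ \t]*localhost localhost.localdomain/127.0.0.1\tlocalhost.localdomain localhost/' /etc/hosts
    sudo mkdir -p /etc/389-ds
    # Use mktemp files rather than ds.tmp/ds.inf in the current directory:
    # ds.inf carries the directory root password, so mktemp's 0600 mode is
    # what we want while it exists.
    ds_template=$(mktemp) || return 1
    ds_inf=$(mktemp) || return 1
    dscreate create-template "$ds_template"
    sed -e 's/;root_password = .*/root_password = PASSWORD/g' \
      -e 's/;full_machine_name = .*/full_machine_name = localhost.localdomain/g' \
      -e 's/;instance_name =.*/instance_name = pki-tomcat/g' \
      "$ds_template" > "$ds_inf"
    rm -f -- "$ds_template"
    sudo mv -- "$ds_inf" /etc/389-ds/ds.inf
    sudo dscreate from-file /etc/389-ds/ds.inf
  }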
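  # install_dogtag_ca - write the pkispawn config and spawn the Dogtag CA
  # Outputs:   /etc/dogtag/ca.cfg
  # Returns:   1 if a temp file cannot be created
  function install_dogtag_ca {
    local ca_cfg
    sudo mkdir -p /etc/dogtag
    # Build the config in a mktemp file (0600) instead of a predictable
    # .tmp.ca.cfg in the current directory: it holds the admin, DS, token and
    # PKCS#12 passwords (all the fixed dev value 'PASSWORD').
    ca_cfg=$(mktemp) || return 1
    cat > "$ca_cfg" <<EOF
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=PASSWORD
pki_admin_uid=caadmin
pki_backup_password=PASSWORD
pki_client_database_password=PASSWORD
pki_client_database_purge=False
pki_client_pkcs12_password=PASSWORD
pki_clone_pkcs12_password=PASSWORD
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=PASSWORD
pki_hostname=localhost
pki_security_domain_name=EXAMPLE
pki_token_password=PASSWORD
pki_https_port=8373
pki_http_port=8370
pki_ajp_port=8379
pki_tomcat_server_port=8375
EOF
    sudo mv -- "$ca_cfg" /etc/dogtag/ca.cfg
    sudo pkispawn -v -f /etc/dogtag/ca.cfg -s CA
  }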
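  # wait_for_ca - poll the Dogtag CA status endpoint until it reports running.
  # Returns:   0 once the CA is running, 1 after max_attempts polls (2s apart)
  #            instead of looping forever.
  function wait_for_ca {
    local ca_running attempt
    local -r max_attempts=150
    for (( attempt = 1; attempt <= max_attempts; attempt++ )); do
      # If the sleep command is executed "as-is", the subprocess that it
      # executes will trigger the "exit_trap" and will cause this script to
      # fail. To avoid this, we run the sleep command inside this sub-shell,
      # so the signal will not be caught in this process.
      # -k skips TLS verification; presumably because the freshly spawned CA's
      # own certificate is not yet trusted on this host (only status text is read).
      ca_running=$(sleep 2 && curl -s -k https://localhost:8373/ca/admin/ca/getStatus | grep -c running)
      if [[ "$ca_running" == 1 ]]; then
        return 0
      fi
    done
    echo "wait_for_ca: Dogtag CA did not report running after ${max_attempts} attempts" >&2
    return 1
  }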
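  # install_dogtag_kra - write the pkispawn config and spawn the Dogtag KRA
  # Outputs:   /etc/dogtag/kra.cfg
  # Returns:   1 if a temp file cannot be created
  function install_dogtag_kra {
    local kra_cfg
    sudo mkdir -p /etc/dogtag
    # Even though we are using localhost.localdomain, the server certificate by
    # default will get the real host name for the server. So we need to
    # properly configure the KRA to try to communicate with the real host name
    # instead of the localhost.
    # As for the CA, build the password-bearing config in a mktemp file (0600)
    # rather than a predictable .tmp.kra.cfg in the current directory.
    kra_cfg=$(mktemp) || return 1
    cat > "$kra_cfg" <<EOF
[KRA]
pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_email=kraadmin@example.com
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=PASSWORD
pki_admin_uid=kraadmin
pki_backup_password=PASSWORD
pki_client_database_password=PASSWORD
pki_client_database_purge=False
pki_client_pkcs12_password=PASSWORD
pki_clone_pkcs12_password=PASSWORD
pki_ds_base_dn=dc=kra,dc=example,dc=com
pki_ds_database=kra
pki_ds_password=PASSWORD
pki_hostname=localhost
pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=PASSWORD
pki_token_password=PASSWORD
pki_https_port=8373
pki_http_port=8370
pki_ajp_port=8379
pki_tomcat_server_port=8375
pki_security_domain_hostname=localhost
pki_security_domain_https_port=8373
EOF
    sudo mv -- "$kra_cfg" /etc/dogtag/kra.cfg
    sudo pkispawn -v -f /etc/dogtag/kra.cfg -s KRA
  }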
  # install_dogtag_plugin_dependencies - distro packages needed by the Dogtag plugin
  function install_dogtag_plugin_dependencies {
    local -a pkgs=(nss-devel 389-ds-base dogtag-pki)
    install_package "${pkgs[@]}"
  }
  # install_dogtag_components - run the Dogtag setup steps in order:
  # packages, directory server, CA, wait for the CA, then KRA.
  function install_dogtag_components {
    local step
    for step in install_dogtag_plugin_dependencies \
                install_389_directory_server \
                install_dogtag_ca \
                wait_for_ca \
                install_dogtag_kra; do
      "$step"
    done
  }
  496. # Vault functions
  497. # ----------------
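  # install_vault - install a pinned vault release if none is on PATH, start a
  # dev-mode server in a detached screen session and capture its root token.
  # Globals:   BARBICAN_DIR (read); TOKEN_ID_FILE, VAULT_ADDR (written)
  # Outputs:   vault.log in the current directory
  # Returns:   1 if the download fails verification or no root token was captured
  function install_vault {
    local vault_version="1.3.0"
    local vault_zip="vault_${vault_version}_linux_amd64.zip"
    local sums="vault_${vault_version}_SHA256SUMS"
    local base_url="https://releases.hashicorp.com/vault/${vault_version}"
    local session_name="barbican_vault"
    local existing_ses counter
    # Install vault if needed
    if [[ ! -x "$(command -v vault)" ]]; then
      wget "${base_url}/${vault_zip}"
      wget "${base_url}/${sums}"
      # Check the archive against the published checksum list before moving
      # it into /usr/bin. This catches a truncated or swapped download; the
      # list comes from the same origin, so it is not a signature check.
      grep -F -- "${vault_zip}" "${sums}" | sha256sum -c - || return 1
      unzip "${vault_zip}"
      sudo mv vault /usr/bin
      rm -f -- "${vault_zip}" "${sums}"
    fi
    install_package screen
    # Kept global: other functions refer to the same path literally.
    TOKEN_ID_FILE="${BARBICAN_DIR}/vault_root_token_id"
    # Clean up first before starting new screen session
    existing_ses=$(screen -ls | grep -- "${session_name}" | awk '{print $1}')
    if [[ -n "${existing_ses}" ]]; then
      screen -S "${existing_ses}" -X quit
    fi
    rm -f -- "${TOKEN_ID_FILE}" vault.log
    # Both files will contain the root token of the dev vault (full control of
    # it), so create them owner-only; later redirections keep that mode.
    ( umask 077 && touch vault.log "${TOKEN_ID_FILE}" )
    screen -dmS "${session_name}"
    # stdout (where the root token is printed) goes to vault.log; stderr stays
    # on the screen window.
    screen -S "${session_name}" -p bash -X stuff 'vault server -dev 2>&1 >vault.log\n'
    # Poll vault.log for the root token, up to 20 x 2s.
    counter=0
    while [[ ! -s "${TOKEN_ID_FILE}" ]] && (( counter < 20 )); do
      sleep 2
      awk '/Root Token:/ {print $3}' vault.log > "${TOKEN_ID_FILE}"
      counter=$((counter + 1))
    done
    if [[ ! -s "${TOKEN_ID_FILE}" ]]; then
      echo "install_vault: no root token found in vault.log after ${counter} attempts" >&2
      return 1
    fi
    export VAULT_ADDR="http://127.0.0.1:8200"
    # Enable kv version 1
    vault secrets disable secret/
    vault secrets enable -version=1 -path=secret -description "kv version 1" kv
    # debug code follows: exercise the kv store once so a broken setup fails here
    vault status
    vault kv put secret/hello foo=world
    vault kv get secret/hello
    vault kv delete secret/hello
  }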
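  # configure_vault_plugin - point Barbican's secret store at the dev vault
  # started by install_vault, authenticating with its root token.
  # Globals:   BARBICAN_DIR, BARBICAN_CONF (read)
  function configure_vault_plugin {
    local root_token_id
    root_token_id=$(<"${BARBICAN_DIR}/vault_root_token_id")
    iniset "$BARBICAN_CONF" secretstore enabled_secretstore_plugins vault_plugin
    # The root token lands in barbican.conf in clear text; that file should
    # stay readable only by the stack user.
    iniset "$BARBICAN_CONF" vault_plugin root_token_id "$root_token_id"
    # Plain HTTP on loopback matches the 'vault server -dev' started by install_vault.
    iniset "$BARBICAN_CONF" vault_plugin vault_url "http://127.0.0.1:8200"
    iniset "$BARBICAN_CONF" vault_plugin use_ssl "false"
  }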
  # Restore xtrace: XTRACE holds the 'set [+-]o xtrace' command saved at the
  # top of this file, so expanding it re-enables tracing only if it was on.
  $XTRACE