Added KMIP Secret Store to Devstack

Added code to devstack libraries to allow KMIP secret store to be
enabled. This edits barbican.conf to enable the KMIP secret store.

The Barbican PyKMIP client can be configured to connect to an existing
KMIP device or use PyKMIP's server. If the client configuration is all
that is needed then enable the 'barbican-pykmip' service in the
devstack configuration and set the appropriate key, certificate, and
CA path variables. This will allow the Barbican KMIP secret store to
connect to an existing KMIP server.

If a KMIP server is requested then also enable the 'pykmip-server'
service in the devstack configuration. This will install, configure,
and start the KMIP server. This option requires the 'barbican-pykmip'
service be configured as well.

Added passenv command to tox to allow the KMIP_PLUGIN_ENABLED
environment variable to be passed to the underlying command. Without
this the environment variable will not be seen by the tox command.

Change-Id: Ib804fa97545f14ed866bfd73bb251e85923a2e4e
Depends-On: Ifda13a84607bb199b794dc24f5dbba0ee8108dbf

devstack/lib/barbican

@@ -25,6 +25,12 @@
 XTRACE=$(set +o | grep xtrace)
 set +o xtrace
 
+# PyKMIP configuration
+PYKMIP_SERVER_KEY=${PYKMIP_SERVER_KEY:-$INT_CA_DIR/private/pykmip-server.key}
+PYKMIP_SERVER_CERT=${PYKMIP_SERVER_CERT:-$INT_CA_DIR/pykmip-server.crt}
+PYKMIP_CLIENT_KEY=${PYKMIP_CLIENT_KEY:-$INT_CA_DIR/private/pykmip-client.key}
+PYKMIP_CLIENT_CERT=${PYKMIP_CLIENT_CERT:-$INT_CA_DIR/pykmip-client.crt}
+PYKMIP_CA_PATH=${PYKMIP_CA_PATH:-$INT_CA_DIR/ca-chain.pem}
 
 # Functions
 # ---------
@@ -355,6 +361,59 @@ function create_barbican_accounts {
 
 }
 
+# PyKMIP functions
+# ----------------
+
+# install_pykmip - install the PyKMIP python module
+# create keys and certificate for server
+function install_pykmip {
+    pip_install 'pykmip'
+
+    if is_service_enabled pykmip-server; then
+        [ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR}
+        sudo chown ${USER} ${PYKMIP_CONF_DIR}
+        [ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR}
+        sudo chown ${USER} ${PYKMIP_LOG_DIR}
+
+        init_CA
+        if [ ! -e ${PYKMIP_SERVER_KEY} ]; then
+            make_cert ${INT_CA_DIR} 'pykmip-server' 'pykmip-server'
+            chmod 400 ${PYKMIP_SERVER_KEY}
+        fi
+        if [ ! -e ${PYKMIP_CLIENT_KEY} ]; then
+            make_cert ${INT_CA_DIR} 'pykmip-client' 'pykmip-client'
+            chmod 400 ${PYKMIP_CLIENT_KEY}
+        fi
+
+        if [ ! -e ${PYKMIP_CONF} ]; then
+            cat > ${PYKMIP_CONF} <<EOF
+[server]
+hostname=127.0.0.1
+port=5696
+certificate_path=${PYKMIP_SERVER_CERT}
+key_path=${PYKMIP_SERVER_KEY}
+ca_path=${PYKMIP_CA_PATH}
+auth_suite=Basic
+EOF
+       fi
+   fi
+}
+
+# configure_pykmip - enable KMIP plugin and configure
+function configure_pykmip {
+    iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins kmip_plugin
+    iniset $BARBICAN_CONF kmip_plugin username demo
+    iniset $BARBICAN_CONF kmip_plugin password secretpassword
+    iniset $BARBICAN_CONF kmip_plugin keyfile ${PYKMIP_CLIENT_KEY}
+    iniset $BARBICAN_CONF kmip_plugin certfile ${PYKMIP_CLIENT_CERT}
+    iniset $BARBICAN_CONF kmip_plugin ca_certs ${PYKMIP_CA_PATH}
+}
+
+# start_pykmip - start the PyKMIP server
+function start_pykmip {
+    run_process pykmip-server "pykmip-server -f \'${PYKMIP_CONF}\' -l \'${PYKMIP_LOG_DIR}/pykmip-devstack.log\'"
+}
+
 # Dogtag functions
 # ----------------
 

devstack/plugin.sh

@@ -9,6 +9,10 @@ if is_service_enabled barbican; then
         echo_summary "Installing Barbican"
         install_barbican
         install_barbicanclient
+        if is_service_enabled barbican-pykmip; then
+            echo_summary "Installing PyKMIP"
+            install_pykmip
+        fi
         if is_service_enabled barbican-dogtag; then
             echo_summary "Installing Dogtag"
             install_dogtag_components
@@ -16,6 +20,10 @@ if is_service_enabled barbican; then
     elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
         echo_summary "Configuring Barbican"
         configure_barbican
+        if is_service_enabled barbican-pykmip; then
+            echo_summary "Configuring KMIP plugin"
+            configure_pykmip
+        fi
         if is_service_enabled barbican-dogtag; then
             echo_summary "Configuring Dogtag plugin"
             configure_dogtag_plugin
@@ -29,6 +37,10 @@ if is_service_enabled barbican; then
         echo_summary "Initializing Barbican"
         init_barbican
         start_barbican
+        if is_service_enabled pykmip-server; then
+            echo_summary "Starting PyKMIP server"
+            start_pykmip
+        fi
     fi
 
     if [[ "$1" == "unstack" ]]; then

devstack/settings

@@ -10,6 +10,10 @@ BARBICAN_PASTE_CONF=$BARBICAN_CONF_DIR/barbican-api-paste.ini
 BARBICAN_API_LOG_DIR=$DEST/logs
 BARBICAN_AUTH_CACHE_DIR=${BARBICAN_AUTH_CACHE_DIR:-/var/cache/barbican}
 
+PYKMIP_CONF_DIR=${PYKMIP_CONF_DIR:-/etc/pykmip}
+PYKMIP_CONF=${PYKMIP_CONF_DIR}/server.conf
+PYKMIP_LOG_DIR=${PYKMIP_LOG_DIR:-/var/log/pykmip}
+
 # Support potential entry-points console scripts
 BARBICAN_BIN_DIR=$(get_python_exec_prefix)
 

test-requirements.txt

@@ -5,7 +5,7 @@ coverage>=3.6 # Apache-2.0
 hacking<0.11,>=0.10.0
 mock>=1.2 # BSD
 oslotest>=1.10.0 # Apache-2.0
-pykmip>=0.4.0 # Apache 2.0 License
+pykmip>=0.5.0 # Apache 2.0 License
 testrepository>=0.0.18 # Apache-2.0/BSD
 testtools>=1.4.0 # MIT
 fixtures<2.0,>=1.3.1 # Apache-2.0/BSD

tox.ini

@@ -116,6 +116,7 @@ setenv = OS_TEST_PATH={toxinidir}/functionaltests
 commands =
     /usr/bin/find . -type f -name "*.pyc" -delete
     /bin/bash {toxinidir}/functionaltests/pretty_tox.sh '{posargs}'
+passenv = KMIP_PLUGIN_ENABLED
 
 [flake8]
 exclude = .git,.idea,.tox,bin,dist,debian,rpmbuild,tools,*.egg-info,*.eggs,*openstack/common,contrib,