From 6d0e31f2320d382b40747a75c56b069baa28c445 Mon Sep 17 00:00:00 2001
From: zhubingbing <1392607554@qq.com>
Date: Sat, 11 Mar 2017 15:29:45 +0800
Subject: [PATCH] Fix can't find /usr/lib/libCryptoki2_64.so in barbican
Link https://docs.openstack.org/project-install-guide/key-manager/newton/barbican-backend.html#simple-crypto-plugin
Change-Id: I351738c2a98090c56ac69e477fbe5ddec4cc5b26
Closes-Bug: #1672001
---
 ansible/group_vars/all.yml | 7 +++++++
 ansible/roles/barbican/templates/barbican.conf.j2 | 12 +++++++++---
 etc/kolla/globals.yml | 8 ++++++++
 etc/kolla/passwords.yml | 2 ++
 kolla_ansible/cmd/genpwd.py | 8 ++++++++
 5 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 75b0c3bf80..12f0f3b202 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -437,6 +437,13 @@ ceilometer_database_type: "mongodb"
 ceilometer_event_type: "mongodb"
+#######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+barbican_crypto_plugin: "simple_crypto"
+barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+
 ########################
 ### Panko options
 ########################
diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2
index c3515938bc..a5616a560b 100644
--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -2,7 +2,6 @@ debug = {{ barbican_logging_debug }}
 log_dir = /var/log/kolla/barbican
-
 bind_port = {{ barbican_api_port }}
 bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
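Review bot: The comment `# Valid options are [ simple_crypto, p11_crypto ]` above `barbican_crypto_plugin` lists the values but not what each one commits the operator to, and the choice is security-relevant: with `simple_crypto` the barbican.conf.j2 change in this same commit writes the master KEK into barbican.conf as a plain config value, while `p11_crypto` keeps the master KEK in the HSM and needs the vendor PKCS#11 library at `barbican_library_path`. Suggest replacing the comment with `# simple_crypto keeps the master KEK in barbican.conf (value from passwords.yml); p11_crypto uses an HSM via the PKCS11 library at barbican_library_path`. The identical comment is added to etc/kolla/globals.yml further down and should be updated the same way.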
@@ -23,11 +22,12 @@ enabled_secretstore_plugins = store_crypto
 # ================= Crypto plugin ===================
 [crypto]
 namespace = barbican.crypto.plugin
-enabled_crypto_plugins = p11_crypto
+enabled_crypto_plugins = {{ barbican_crypto_plugin }}
+{% if barbican_crypto_plugin == 'p11_crypto' %}
 [p11_crypto_plugin]
 # Path to vendor PKCS11 library
-library_path = '/usr/lib/libCryptoki2_64.so'
+library_path = {{ barbican_library_path }}
 # Password to login to PKCS11 session
 login = '{{ barbican_p11_password }}'
 # Label to identify master KEK in the HSM (must not be the same as HMAC label)
@@ -36,6 +36,12 @@ mkek_label = 'kolla_master_kek'
 mkek_length = 32
 # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
 hmac_label = 'kolla_hmac'
+{% endif %}
+{% if barbican_crypto_plugin == 'simple_crypto' %}
+[simple_crypto_plugin]
+# the kek should be a 32-byte value which is base64 encoded
+kek = '{{ barbican_crypto_password }}'
+{% endif %}
 [keystone_notifications]
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index dbb5348a6d..f3dfcd18a6 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -240,6 +240,14 @@ kolla_internal_vip_address: "10.10.10.254"
 # Valid options are [ mongodb, gnocchi, panko ]
 #ceilometer_event_type: "mongodb"
+ #######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+#barbican_crypto_plugin: "simple_crypto"
+#barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+ #######################
 ## Panko options
 #######################
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index dec1a22a0e..50262c1dfb 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -30,6 +30,8 @@ aodh_keystone_password:
 barbican_database_password:
 barbican_keystone_password:
 barbican_p11_password:
+barbican_crypto_key:
+
 keystone_admin_password:
 keystone_database_password:
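Review bot: `kek = '{{ barbican_crypto_password }}'` in the new `[simple_crypto_plugin]` section references a variable that nothing in this commit defines; the entry added to etc/kolla/passwords.yml and the generator list in genpwd.py both use `barbican_crypto_key`. Because the new default is `barbican_crypto_plugin: "simple_crypto"`, this section is rendered on every default deployment, so the template fails on an undefined variable or, if undefined variables are not fatal in this setup, writes an empty KEK. The line should read `kek = '{{ barbican_crypto_key }}'`. Since the value is the plugin's master key-encryption key (as the comment above it says), the rendered barbican.conf deserves the same access protection as passwords.yml itself.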
diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py
index cfd3319c43..34d4c713cf 100755
--- a/kolla_ansible/cmd/genpwd.py
+++ b/kolla_ansible/cmd/genpwd.py
@@ -21,6 +21,7 @@ import sys
 from Crypto.PublicKey import RSA
 from hashlib import md5
+from hashlib import sha256
 from oslo_utils import uuidutils
 import yaml
@@ -70,6 +71,9 @@ def main():
 # HMAC-MD5 keys
 hmac_md5_keys = ['designate_rndc_key']
+ # HMAC-SHA256 keys
+ hmac_sha256_keys = ['barbican_crypto_key']
+
 # length of password
 length = 40
@@ -96,6 +100,10 @@ def main():
 passwords[k] = (hmac.new(
 uuidutils.generate_uuid(), '', md5)
 .digest().encode('base64')[:-1])
+ elif k in hmac_sha256_keys:
+ passwords[k] = (hmac.new(
+ uuidutils.generate_uuid(), '', sha256)
+ .digest().encode('base64')[:-1])
 else:
 passwords[k] = ''.join([
 random.SystemRandom().choice(
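Review bot: The comment `# HMAC-SHA256 keys` and the name `hmac_sha256_keys` describe how the value is produced rather than what it is, and the mechanism is weaker than the name suggests: the branch that consumes the list (in the following hunk, whose end lies outside this view) keys HMAC-SHA256 with `uuidutils.generate_uuid()` over an empty message, so the 32-byte result carries at most the entropy of one UUID (about 122 random bits if, as I believe, that helper returns a uuid4 string) rather than 256 bits. For a master KEK, drawing the bytes directly is simpler and stronger: `passwords[k] = base64.b64encode(os.urandom(32))` (with `import base64` and `import os` added to the imports), which yields the same 44-character single-line base64 form the template's comment asks for. The list comment should then say what it holds, e.g. `# 32-byte base64-encoded keys (barbican simple_crypto KEK)`.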