
puppet-barbican: Initial commit

This is the initial commit for puppet-barbican.
It has been automatically generated using cookiecutter[1] and msync[2]

[1] https://github.com/openstack/puppet-openstack-cookiecutter
[2] https://github.com/openstack/puppet-modulesync-configs

Change-Id: I52b10cb17701bba20ad64d3f4cc15950c1038c54
changes/71/229871/2
Emilien Macchi 7 years ago
parent
commit
18e92427eb
  1. 13
      .fixtures.yml
  2. 10
      .gitignore
  3. 36
      Gemfile
  4. 13
      LICENSE
  5. 78
      README.md
  6. 21
      Rakefile
  7. 10
      lib/puppet/provider/barbican_config/ini_setting.rb
  8. 51
      lib/puppet/type/barbican_config.rb
  9. 30
      manifests/config.pp
  10. 94
      manifests/db.pp
  11. 69
      manifests/db/mysql.pp
  12. 55
      manifests/db/postgresql.pp
  13. 23
      manifests/db/sync.pp
  14. 14
      manifests/init.pp
  15. 92
      manifests/keystone/auth.pp
  16. 211
      manifests/logging.pp
  17. 19
      manifests/params.pp
  18. 39
      manifests/policy.pp
  19. 34
      metadata.json
  20. 11
      spec/acceptance/nodesets/centos-70-x64.yml
  21. 10
      spec/acceptance/nodesets/default.yml
  22. 10
      spec/acceptance/nodesets/nodepool-centos7.yml
  23. 10
      spec/acceptance/nodesets/nodepool-trusty.yml
  24. 11
      spec/acceptance/nodesets/ubuntu-server-1404-x64.yml
  25. 62
      spec/classes/barbican_db_mysql_spec.rb
  26. 58
      spec/classes/barbican_db_postgresql_spec.rb
  27. 124
      spec/classes/barbican_keystone_auth_spec.rb
  28. 107
      spec/classes/barbican_logging_spec.rb
  29. 41
      spec/classes/barbican_policy_spec.rb
  30. 5
      spec/shared_examples.rb
  31. 10
      spec/spec_helper.rb
  32. 56
      spec/spec_helper_acceptance.rb
  33. 68
      spec/unit/provider/barbican_config/ini_setting_spec.rb
  34. 63
      spec/unit/type/barbican_config_spec.rb
  35. 12
      tests/init.pp

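--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,13 @@
+fixtures:
+repositories:
+'concat':
+'repo': 'git://github.com/puppetlabs/puppetlabs-concat.git'
+'ref': '1.2.2'
+'inifile': 'git://github.com/puppetlabs/puppetlabs-inifile'
+'keystone': 'git://github.com/openstack/puppet-keystone.git'
+'mysql': 'git://github.com/puppetlabs/puppetlabs-mysql.git'
+'openstacklib': 'git://github.com/openstack/puppet-openstacklib.git'
+'postgresql': 'git://github.com/puppetlabs/puppetlabs-postgresql.git'
+'stdlib': 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
+symlinks:
+barbican: "#{source_dir}"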
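Review bot: Every fixture repository is fetched over `git://`, which has no transport authentication or encryption, so the module code pulled into `spec/fixtures` and loaded by the test run can be altered in transit; the URLs should use the `https://github.com/...` form. Only `concat` is pinned to a `ref` (`1.2.2`); the other six follow the default branch, so what the tests execute changes without review. Give each entry the `'repo':` / `'ref':` form that `concat` already has.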

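--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+pkg/
+Gemfile.lock
+vendor/
+spec/fixtures/
+.vagrant/
+.bundle/
+coverage/
+.idea/
+*.swp
+*.iml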

36
Gemfile

@ -0,0 +1,36 @@
source ENV['GEM_SOURCE'] || "https://rubygems.org"
group :development, :test do
gem 'puppetlabs_spec_helper', :require => 'false'
gem 'rspec-puppet', '~> 2.2.0', :require => 'false'
gem 'metadata-json-lint', :require => 'false'
gem 'puppet-lint-param-docs', :require => 'false'
gem 'puppet-lint-absolute_classname-check', :require => 'false'
gem 'puppet-lint-absolute_template_path', :require => 'false'
gem 'puppet-lint-trailing_newline-check', :require => 'false'
gem 'puppet-lint-unquoted_string-check', :require => 'false'
gem 'puppet-lint-leading_zero-check', :require => 'false'
gem 'puppet-lint-variable_contains_upcase', :require => 'false'
gem 'puppet-lint-numericvariable', :require => 'false'
gem 'json', :require => 'false'
gem 'webmock', :require => 'false'
end
group :system_tests do
gem 'beaker-rspec', :require => 'false'
gem 'beaker-puppet_install_helper', :require => 'false'
end
if facterversion = ENV['FACTER_GEM_VERSION']
gem 'facter', facterversion, :require => false
else
gem 'facter', :require => false
end
if puppetversion = ENV['PUPPET_GEM_VERSION']
gem 'puppet', puppetversion, :require => false
else
gem 'puppet', :require => false
end
# vim:ft=ruby
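Review bot: Every gem in the `:development, :test` and `:system_tests` groups passes `:require => 'false'`, a string, while the `facter` and `puppet` entries below pass the boolean `false`. Bundler treats a string as the file name to require, so `Bundler.require` would try to load a file called `false` rather than skip the gem; these lines should read like `gem 'webmock', :require => false`. Separately, only `rspec-puppet` carries a version constraint and `Gemfile.lock` is git-ignored in this commit, so each run resolves whatever versions the gem source serves at that moment.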

13
LICENSE

@ -0,0 +1,13 @@
Copyright 2015 OpenStack Foundation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

78
README.md

@ -0,0 +1,78 @@
barbican
=======
#### Table of Contents
1. [Overview - What is the barbican module?](#overview)
2. [Module Description - What does the module do?](#module-description)
3. [Setup - The basics of getting started with barbican](#setup)
4. [Implementation - An under-the-hood peek at what the module is doing](#implementation)
5. [Limitations - OS compatibility, etc.](#limitations)
6. [Development - Guide for contributing to the module](#development)
7. [Contributors - Those with commits](#contributors)
Overview
--------
The barbican module is a part of [OpenStack](https://github.com/openstack), an effort by the Openstack infrastructure team to provide continuous integration testing and code review for Openstack and Openstack community projects not part of the core software. The module its self is used to flexibly configure and manage the Key management service for Openstack.
Module Description
------------------
The barbican module is a thorough attempt to make Puppet capable of managing the entirety of barbican. This includes manifests to provision region specific endpoint and database connections. Types are shipped as part of the barbican module to assist in manipulation of configuration files.
Setup
-----
**What the barbican module affects**
* [Barbican](https://wiki.openstack.org/wiki/Barbican), the Key management service for Openstack.
### Installing barbican
barbican is not currently in Puppet Forge, but is anticipated to be added soon. Once that happens, you'll be able to install barbican with:
puppet module install openstack/barbican
### Beginning with barbican
To utilize the barbican module's functionality you will need to declare multiple resources. The following is a modified excerpt from the [openstack module](https://github.com/stackfoge/puppet-openstack). This is not an exhaustive list of all the components needed, we recommend you consult and understand the [openstack module](https://github.com/stackforge/puppet-openstack) and the [core openstack](http://docs.openstack.org) documentation.
Implementation
--------------
### barbican
barbican is a combination of Puppet manifest and ruby code to delivery configuration and extra functionality through types and providers.
Limitations
------------
* All the barbican types use the CLI tools and so need to be ran on the barbican node.
Beaker-Rspec
------------
This module has beaker-rspec tests
To run the tests on the default vagrant node:
```shell
bundle install
bundle exec rake acceptance
```
For more information on writing and running beaker-rspec tests visit the documentation:
* https://github.com/puppetlabs/beaker/wiki/How-to-Write-a-Beaker-Test-for-a-Module
Development
-----------
Developer documentation for the entire puppet-openstack project.
* https://wiki.openstack.org/wiki/Puppet
Contributors
------------
* https://github.com/openstack/puppet-barbican/graphs/contributors

21
Rakefile

@ -0,0 +1,21 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppet-syntax/tasks/puppet-syntax'
PuppetSyntax.exclude_paths ||= []
PuppetSyntax.exclude_paths << "spec/fixtures/**/*"
PuppetSyntax.exclude_paths << "pkg/**/*"
PuppetSyntax.exclude_paths << "vendor/**/*"
Rake::Task[:lint].clear
PuppetLint::RakeTask.new :lint do |config|
config.ignore_paths = ["spec/**/*.pp", "vendor/**/*.pp"]
config.fail_on_warnings = true
config.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}'
config.disable_checks = ["80chars", "class_inherits_from_params_class", "class_parameter_defaults", "only_variable_string"]
end
desc "Run acceptance tests"
RSpec::Core::RakeTask.new(:acceptance) do |t|
t.pattern = 'spec/acceptance'
end

10
lib/puppet/provider/barbican_config/ini_setting.rb

@ -0,0 +1,10 @@
Puppet::Type.type(:barbican_config).provide(
:ini_setting,
:parent => Puppet::Type.type(:openstack_config).provider(:ini_setting)
) do
def self.file_path
'/etc/barbican/barbican.conf'
end
end

51
lib/puppet/type/barbican_config.rb

@ -0,0 +1,51 @@
Puppet::Type.newtype(:barbican_config) do
ensurable
newparam(:name, :namevar => true) do
desc 'Section/setting name to manage from barbican.conf'
newvalues(/\S+\/\S+/)
end
newproperty(:value) do
desc 'The value of the setting to be defined.'
munge do |value|
value = value.to_s.strip
value.capitalize! if value =~ /^(true|false)$/i
value
end
newvalues(/^[\S ]*$/)
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
newparam(:ensure_absent_val) do
desc 'A value that is specified as the value property will behave as if ensure => absent was specified'
defaultto('<SERVICE DEFAULT>')
end
autorequire(:package) do
'barbican'
end
end
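Review bot: The value check `newvalues(/^[\S ]*$/)` anchors with `^`/`$`, which in Ruby match at line boundaries, so a value with an embedded newline passes as long as one of its lines matches. `munge` strips only leading and trailing whitespace, so interior newlines survive and would presumably be written by the inherited ini_setting provider into `/etc/barbican/barbican.conf` as extra lines. Anchor on the whole string instead: `newvalues(/\A[\S ]*\z/)`, and `value =~ /\A(true|false)\z/i` in `munge`. The `name` pattern `/\S+\/\S+/` is unanchored as well and could be tightened the same way.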

30
manifests/config.pp

@ -0,0 +1,30 @@
# == Class: barbican::config
#
# This class is used to manage arbitrary barbican configurations.
#
# === Parameters
#
# [*barbican_config*]
# (optional) Allow configuration of arbitrary barbican configurations.
# The value is an hash of barbican_config resources. Example:
# { 'DEFAULT/foo' => { value => 'fooValue'},
# 'DEFAULT/bar' => { value => 'barValue'}
# }
# In yaml format, Example:
# barbican_config:
# DEFAULT/foo:
# value: fooValue
# DEFAULT/bar:
# value: barValue
#
# NOTE: The configuration MUST NOT be already handled by this module
# or Puppet catalog compilation will fail with duplicate resources.
#
class barbican::config (
$barbican_config = {},
) {
validate_hash($barbican_config)
create_resources('barbican_config', $barbican_config)
}
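Review bot: The class header should say how to pass sensitive settings through this hash. `barbican_config` has a `secret` parameter that replaces the value with `[old secret redacted]` / `[new secret redacted]` in change messages, but both examples show only `value`, so a password set the way the examples suggest is printed unredacted. Add a line to the parameter doc such as `#   Set secret => true on entries that hold passwords or keys so the value is redacted in Puppet logs.`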

94
manifests/db.pp

@ -0,0 +1,94 @@
# == Class: barbican::db
#
# Configure the barbican database
#
# === Parameters
#
# [*database_connection*]
# Url used to connect to database.
# (Optional) Defaults to "sqlite:////var/lib/barbican/barbican.sqlite".
#
# [*database_idle_timeout*]
# Timeout when db connections should be reaped.
# (Optional) Defaults to 3600.
#
# [*database_max_retries*]
# Maximum number of database connection retries during startup.
# Setting -1 implies an infinite retry count.
# (Optional) Defaults to 10.
#
# [*database_retry_interval*]
# Interval between retries of opening a database connection.
# (Optional) Defaults to 10.
#
# [*database_min_pool_size*]
# Minimum number of SQL connections to keep open in a pool.
# (Optional) Defaults to 1.
#
# [*database_max_pool_size*]
# Maximum number of SQL connections to keep open in a pool.
# (Optional) Defaults to 10.
#
# [*database_max_overflow*]
# If set, use this value for max_overflow with sqlalchemy.
# (Optional) Defaults to 20.
#
class barbican::db (
$database_connection = 'sqlite:////var/lib/barbican/barbican.sqlite',
$database_idle_timeout = 3600,
$database_min_pool_size = 1,
$database_max_pool_size = 10,
$database_max_retries = 10,
$database_retry_interval = 10,
$database_max_overflow = 20,
) {
$database_connection_real = pick($::barbican::database_connection, $database_connection)
$database_idle_timeout_real = pick($::barbican::database_idle_timeout, $database_idle_timeout)
$database_min_pool_size_real = pick($::barbican::database_min_pool_size, $database_min_pool_size)
$database_max_pool_size_real = pick($::barbican::database_max_pool_size, $database_max_pool_size)
$database_max_retries_real = pick($::barbican::database_max_retries, $database_max_retries)
$database_retry_interval_real = pick($::barbican::database_retry_interval, $database_retry_interval)
$database_max_overflow_real = pick($::barbican::database_max_overflow, $database_max_overflow)
validate_re($database_connection_real,
'(sqlite|mysql|postgresql):\/\/(\S+:\S+@\S+\/\S+)?')
if $database_connection_real {
case $database_connection_real {
/^mysql:\/\//: {
$backend_package = false
require 'mysql::bindings'
require 'mysql::bindings::python'
}
/^postgresql:\/\//: {
$backend_package = $::barbican::params::psycopg_package_name
}
/^sqlite:\/\//: {
$backend_package = $::barbican::params::sqlite_package_name
}
default: {
fail('Unsupported backend configured')
}
}
if $backend_package and !defined(Package[$backend_package]) {
package {'barbican-backend-package':
ensure => present,
name => $backend_package,
tag => 'openstack',
}
}
barbican_config {
'database/connection': value => $database_connection_real, secret => true;
'database/idle_timeout': value => $database_idle_timeout_real;
'database/min_pool_size': value => $database_min_pool_size_real;
'database/max_retries': value => $database_max_retries_real;
'database/retry_interval': value => $database_retry_interval_real;
'database/max_pool_size': value => $database_max_pool_size_real;
'database/max_overflow': value => $database_max_overflow_real;
}
}
}
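Review bot: The `validate_re` pattern `'(sqlite|mysql|postgresql):\/\/(\S+:\S+@\S+\/\S+)?'` is unanchored and its credential group is optional, so any string that merely contains `mysql://` validates and is then written to `database/connection`. Anchor it on the whole string, `'\A(sqlite|mysql|postgresql):\/\/(\S+:\S+@\S+\/\S+)?\z'`, so that validation and the anchored `case` branches below accept the same inputs. The outer `if $database_connection_real` is always true once `pick` has returned, so it can be dropped.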

69
manifests/db/mysql.pp

@ -0,0 +1,69 @@
# The barbican::db::mysql class implements mysql backend for barbican
#
# This class can be used to create tables, users and grant
# privelege for a mysql barbican database.
#
# == parameters
#
# [*password*]
# (Mandatory) Password to connect to the database.
# Defaults to 'false'.
#
# [*dbname*]
# (Optional) Name of the database.
# Defaults to 'barbican'.
#
# [*user*]
# (Optional) User to connect to the database.
# Defaults to 'barbican'.
#
# [*host*]
# (Optional) The default source host user is allowed to connect from.
# Defaults to '127.0.0.1'
#
# [*allowed_hosts*]
# (Optional) Other hosts the user is allowed to connect from.
# Defaults to 'undef'.
#
# [*charset*]
# (Optional) The database charset.
# Defaults to 'utf8'
#
# [*collate*]
# (Optional) The database collate.
# Only used with mysql modules >= 2.2.
# Defaults to 'utf8_general_ci'
#
# == Dependencies
# Class['mysql::server']
#
# == Examples
#
# == Authors
#
# == Copyright
#
class barbican::db::mysql(
$password,
$dbname = 'barbican',
$user = 'barbican',
$host = '127.0.0.1',
$charset = 'utf8',
$collate = 'utf8_general_ci',
$allowed_hosts = undef
) {
validate_string($password)
::openstacklib::db::mysql { 'barbican':
user => $user,
password_hash => mysql_password($password),
dbname => $dbname,
host => $host,
charset => $charset,
collate => $collate,
allowed_hosts => $allowed_hosts,
}
::Openstacklib::Db::Mysql['barbican'] ~> Exec<| title == 'barbican-manage db_sync' |>
}
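Review bot: The notify on the last line, `~> Exec<| title == 'barbican-manage db_sync' |>`, matches no resource in this commit: `barbican::db::sync` declares its exec as `'barbican-db-manage'`, so creating the database never triggers the schema upgrade. The collector should read `Exec<| title == 'barbican-db-manage' |>`; `manifests/db/postgresql.pp` ends with the same line and needs the same change. The header also documents `password` as "Defaults to 'false'" although the parameter has no default.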

55
manifests/db/postgresql.pp

@ -0,0 +1,55 @@
# == Class: barbican::db::postgresql
#
# Class that configures postgresql for barbican
# Requires the Puppetlabs postgresql module.
#
# === Parameters
#
# [*password*]
# (Required) Password to connect to the database.
#
# [*dbname*]
# (Optional) Name of the database.
# Defaults to 'barbican'.
#
# [*user*]
# (Optional) User to connect to the database.
# Defaults to 'barbican'.
#
# [*encoding*]
# (Optional) The charset to use for the database.
# Default to undef.
#
# [*privileges*]
# (Optional) Privileges given to the database user.
# Default to 'ALL'
#
# == Dependencies
#
# == Examples
#
# == Authors
#
# == Copyright
#
class barbican::db::postgresql(
$password,
$dbname = 'barbican',
$user = 'barbican',
$encoding = undef,
$privileges = 'ALL',
) {
Class['barbican::db::postgresql'] -> Service<| title == 'barbican' |>
::openstacklib::db::postgresql { 'barbican':
password_hash => postgresql_password($user, $password),
dbname => $dbname,
user => $user,
encoding => $encoding,
privileges => $privileges,
}
::Openstacklib::Db::Postgresql['barbican'] ~> Exec<| title == 'barbican-manage db_sync' |>
}

23
manifests/db/sync.pp

@ -0,0 +1,23 @@
#
# Class to execute barbican-db-manage upgrade
#
# == Parameters
#
# [*extra_params*]
# (optional) String of extra command line parameters to append
# to the barbican-db-manage command.
# Defaults to undef
#
class barbican::db::sync(
$extra_params = undef,
) {
exec { 'barbican-db-manage':
command => "barbican-db-manage upgrade ${extra_params}",
path => '/usr/bin',
user => 'barbican',
refreshonly => true,
subscribe => [Package['barbican'], Barbican_config['database/connection']],
}
Exec['barbican-db-manage'] ~> Service<| title == 'barbican' |>
}
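Review bot: `$extra_params` is interpolated verbatim into `command`, so whatever the class is given becomes part of a command line run as the `barbican` user on each refresh. The parameter doc should state that the string is passed through unquoted and must come from trusted data, e.g. `#   The string is appended verbatim to the command line; set it only from trusted data.` The `subscribe` also references `Package['barbican']`, which no manifest in this commit declares, so a catalog that includes this class presumably fails to compile unless another module provides it — confirm.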

14
manifests/init.pp

@ -0,0 +1,14 @@
# == Class: barbican
#
# Full description of class barbican here.
#
# === Parameters
#
# [*sample_parameter*]
# Explanation of what this parameter affects and what it defaults to.
#
class barbican {
include ::barbican::params
}
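Review bot: The class header is still the generator's placeholder: it documents a `sample_parameter` the class does not take and gives no description. Replace it with one sentence on what the class does in this commit (it only includes `::barbican::params`) and drop the `sample_parameter` entry. `barbican::db` reads `$::barbican::database_connection` and six sibling variables that this class does not define, so either add them here or note in `db.pp` that they are not yet provided.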

92
manifests/keystone/auth.pp

@ -0,0 +1,92 @@
# == Class: barbican::keystone::auth
#
# Configures barbican user, service and endpoint in Keystone.
#
# === Parameters
#
# [*password*]
# (required) Password for barbican user.
#
# [*auth_name*]
# Username for barbican service. Defaults to 'barbican'.
#
# [*email*]
# Email for barbican user. Defaults to 'barbican@localhost'.
#
# [*tenant*]
# Tenant for barbican user. Defaults to 'services'.
#
# [*configure_endpoint*]
# Should barbican endpoint be configured? Defaults to 'true'.
#
# [*configure_user*]
# (Optional) Should the service user be configured?
# Defaults to 'true'.
#
# [*configure_user_role*]
# (Optional) Should the admin role be configured for the service user?
# Defaults to 'true'.
#
# [*service_type*]
# Type of service. Defaults to 'key-manager'.
#
# [*region*]
# Region for endpoint. Defaults to 'RegionOne'.
#
# [*service_name*]
# (optional) Name of the service.
# Defaults to the value of auth_name.
#
# [*public_url*]
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:9311')
# This url should *not* contain any trailing '/'.
#
# [*admin_url*]
# (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:9311')
# This url should *not* contain any trailing '/'.
#
# [*internal_url*]
# (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:9311')
# This url should *not* contain any trailing '/'.
#
class barbican::keystone::auth (
$password,
$auth_name = 'barbican',
$email = 'barbican@localhost',
$tenant = 'services',
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
$service_name = undef,
$service_type = 'key-manager',
$region = 'RegionOne',
$public_url = 'http://127.0.0.1:9311',
$internal_url = 'http://127.0.0.1:9311',
$admin_url = 'http://127.0.0.1:9311',
) {
$real_service_name = pick($service_name, $auth_name)
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barbican-server' |>
}
Keystone_endpoint["${region}/${real_service_name}"] ~> Service <| name == 'barbican-server' |>
keystone::resource::service_identity { 'barbican':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
configure_endpoint => $configure_endpoint,
service_name => $real_service_name,
service_type => $service_type,
service_description => 'Key management Service',
region => $region,
auth_name => $auth_name,
password => $password,
email => $email,
tenant => $tenant,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,
}
}
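Review bot: All three endpoint defaults are plaintext `http://127.0.0.1:9311`, and the parameter docs do not say that a key-management endpoint should be registered with an `https://` URL outside a single-host test setup. Add that to the `public_url`, `internal_url` and `admin_url` descriptions, e.g. `#   Use an https:// URL for any non-loopback deployment.` The notifies here target `Service <| name == 'barbican-server' |>`, whereas `barbican::db::sync` and `barbican::db::postgresql` collect `Service<| title == 'barbican' |>`; one of the two names is presumably wrong.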

211
manifests/logging.pp

@ -0,0 +1,211 @@
# Class barbican::logging
#
# barbican extended logging configuration
#
# == parameters
#
# [*logging_context_format_string*]
# (optional) Format string to use for log messages with context.
# Defaults to undef.
# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
# [%(request_id)s %(user_identity)s] %(instance)s%(message)s'
#
# [*logging_default_format_string*]
# (optional) Format string to use for log messages without context.
# Defaults to undef.
# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
# [-] %(instance)s%(message)s'
#
# [*logging_debug_format_suffix*]
# (optional) Formatted data to append to log format when level is DEBUG.
# Defaults to undef.
# Example: '%(funcName)s %(pathname)s:%(lineno)d'
#
# [*logging_exception_prefix*]
# (optional) Prefix each line of exception output with this format.
# Defaults to undef.
# Example: '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s'
#
# [*log_config_append*]
# The name of an additional logging configuration file.
# Defaults to undef.
# See https://docs.python.org/2/howto/logging.html
#
# [*default_log_levels*]
# (optional) Hash of logger (keys) and level (values) pairs.
# Defaults to undef.
# Example:
# { 'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
# 'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO',
# 'oslo.messaging' => 'INFO', 'iso8601' => 'WARN',
# 'requests.packages.urllib3.connectionpool' => 'WARN',
# 'urllib3.connectionpool' => 'WARN',
# 'websocket' => 'WARN', 'barbicanmiddleware' => 'WARN',
# 'routes.middleware' => 'WARN', stevedore => 'WARN' }
#
# [*publish_errors*]
# (optional) Publish error events (boolean value).
# Defaults to undef (false if unconfigured).
#
# [*fatal_deprecations*]
# (optional) Make deprecations fatal (boolean value)
# Defaults to undef (false if unconfigured).
#
# [*instance_format*]
# (optional) If an instance is passed with the log message, format it
# like this (string value).
# Defaults to undef.
# Example: '[instance: %(uuid)s] '
#
# [*instance_uuid_format*]
# (optional) If an instance UUID is passed with the log message, format
# it like this (string value).
# Defaults to undef.
# Example: instance_uuid_format='[instance: %(uuid)s] '
# [*log_date_format*]
# (optional) Format string for %%(asctime)s in log records.
# Defaults to undef.
# Example: 'Y-%m-%d %H:%M:%S'
class barbican::logging(
$logging_context_format_string = undef,
$logging_default_format_string = undef,
$logging_debug_format_suffix = undef,
$logging_exception_prefix = undef,
$log_config_append = undef,
$default_log_levels = undef,
$publish_errors = undef,
$fatal_deprecations = undef,
$instance_format = undef,
$instance_uuid_format = undef,
$log_date_format = undef,
) {
if $logging_context_format_string {
barbican_config {
'DEFAULT/logging_context_format_string' :
value => $logging_context_format_string;
}
}
else {
barbican_config {
'DEFAULT/logging_context_format_string' : ensure => absent;
}
}
if $logging_default_format_string {
barbican_config {
'DEFAULT/logging_default_format_string' :
value => $logging_default_format_string;
}
}
else {
barbican_config {
'DEFAULT/logging_default_format_string' : ensure => absent;
}
}
if $logging_debug_format_suffix {
barbican_config {
'DEFAULT/logging_debug_format_suffix' :
value => $logging_debug_format_suffix;
}
}
else {
barbican_config {
'DEFAULT/logging_debug_format_suffix' : ensure => absent;
}
}
if $logging_exception_prefix {
barbican_config {
'DEFAULT/logging_exception_prefix' : value => $logging_exception_prefix;
}
}
else {
barbican_config {
'DEFAULT/logging_exception_prefix' : ensure => absent;
}
}
if $log_config_append {
barbican_config {
'DEFAULT/log_config_append' : value => $log_config_append;
}
}
else {
barbican_config {
'DEFAULT/log_config_append' : ensure => absent;
}
}
if $default_log_levels {
barbican_config {
'DEFAULT/default_log_levels' :
value => join(sort(join_keys_to_values($default_log_levels, '=')), ',');
}
}
else {
barbican_config {
'DEFAULT/default_log_levels' : ensure => absent;
}
}
if $publish_errors {
barbican_config {
'DEFAULT/publish_errors' : value => $publish_errors;
}
}
else {
barbican_config {
'DEFAULT/publish_errors' : ensure => absent;
}
}
if $fatal_deprecations {
barbican_config {
'DEFAULT/fatal_deprecations' : value => $fatal_deprecations;
}
}
else {
barbican_config {
'DEFAULT/fatal_deprecations' : ensure => absent;
}
}
if $instance_format {
barbican_config {
'DEFAULT/instance_format' : value => $instance_format;
}
}
else {
barbican_config {
'DEFAULT/instance_format' : ensure => absent;
}
}
if $instance_uuid_format {
barbican_config {
'DEFAULT/instance_uuid_format' : value => $instance_uuid_format;
}
}
else {
barbican_config {
'DEFAULT/instance_uuid_format' : ensure => absent;
}
}
if $log_date_format {
barbican_config {
'DEFAULT/log_date_format' : value => $log_date_format;
}
}
else {
barbican_config {
'DEFAULT/log_date_format' : ensure => absent;
}
}
}
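Review bot: The `log_date_format` example in the header reads `'Y-%m-%d %H:%M:%S'`, missing the leading `%`; the spec in this commit uses `'%Y-%m-%d %H:%M:%S'`, and the doc line should match: `#   Example: '%Y-%m-%d %H:%M:%S'`. The header also lacks the blank `#` line between `instance_uuid_format` and `log_date_format` that separates every other parameter.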

19
manifests/params.pp

@ -0,0 +1,19 @@
# Parameters for puppet-barbican
#
class barbican::params {
case $::osfamily {
'RedHat': {
$psycopg_package_name = 'python-psycopg2'
$sqlite_package_name = undef
}
'Debian': {
$psycopg_package_name = 'python-psycopg2'
$sqlite_package_name = 'python-pysqlite2'
}
default: {
fail("Unsupported osfamily: ${::osfamily} operatingsystem")
}
} # Case $::osfamily
}

39
manifests/policy.pp

@ -0,0 +1,39 @@
# == Class: barbican::policy
#
# Configure the barbican policies
#
# === Parameters
#
# [*policies*]
# (optional) Set of policies to configure for barbican
# Example :
# {
# 'barbican-context_is_admin' => {
# 'key' => 'context_is_admin',
# 'value' => 'true'
# },
# 'barbican-default' => {
# 'key' => 'default',
# 'value' => 'rule:admin_or_owner'
# }
# }
# Defaults to empty hash.
#
# [*policy_path*]
# (optional) Path to the nova policy.json file
# Defaults to /etc/barbican/policy.json
#
class barbican::policy (
$policies = {},
$policy_path = '/etc/barbican/policy.json',
) {
validate_hash($policies)
Openstacklib::Policy::Base {
file_path => $policy_path,
}
create_resources('openstacklib::policy::base', $policies)
}
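Review bot: The example hash in the header sets `context_is_admin` to `'true'`, which, copied as-is, would presumably make the admin rule match every request. The example should use a role-based rule such as the `'rule:admin_or_owner'` form shown for `default`, or say explicitly that the values are placeholders. The `policy_path` description is also a template leftover and should read `#   (optional) Path to the barbican policy.json file`.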

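--- /dev/null
+++ b/metadata.json
@@ -0,0 +1,34 @@
+{
+"name": "puppet-barbican",
+"version": "0.0.1",
+"author": "OpenStack Contributors",
+"summary": "Puppet module for OpenStack Barbican",
+"license": "Apache-2.0",
+"source": "git://github.com/openstack/puppet-barbican.git",
+"project_page": "https://launchpad.net/puppet-barbican",
+"issues_url": "https://bugs.launchpad.net/puppet-barbican",
+"description": "Installs and configures OpenStack Barbican.",
+"operatingsystem_support": [
+{
+"operatingsystem": "Debian",
+"operatingsystemrelease": ["8"]
+},
+{
+"operatingsystem": "Fedora",
+"operatingsystemrelease": ["21","22"]
+},
+{
+"operatingsystem": "RedHat",
+"operatingsystemrelease": ["7"]
+},
+{
+"operatingsystem": "Ubuntu",
+"operatingsystemrelease": ["14.04"]
+}
+],
+"dependencies": [
+{ "name": "puppetlabs/inifile", "version_requirement": ">=1.0.0 <2.0.0" },
+{ "name": "puppetlabs/stdlib", "version_requirement": ">= 4.2.0 <5.0.0" },
+{ "name": "stackforge/openstacklib", "version_requirement": ">=5.0.0 <6.0.0" }
+]
+}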
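Review bot: The `dependencies` list omits modules that the manifests in this commit use: `keystone::resource::service_identity` in `manifests/keystone/auth.pp`, `mysql::bindings` in `manifests/db.pp`, and the postgresql module that `manifests/db/postgresql.pp` says it requires. Installing from the metadata alone leaves those classes unresolved, so add entries for them with bounded `version_requirement` ranges like the existing three. `source` is also a `git://` URL, which is fetched without transport authentication; the `https://` form is preferable.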

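--- /dev/null
+++ b/spec/acceptance/nodesets/centos-70-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+centos-server-70-x64:
+roles:
+- master
+platform: el-7-x86_64
+box: puppetlabs/centos-7.0-64-nocm
+box_url: https://vagrantcloud.com/puppetlabs/centos-7.0-64-nocm
+hypervisor: vagrant
+CONFIG:
+log_level: debug
+type: foss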

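--- /dev/null
+++ b/spec/acceptance/nodesets/default.yml
@@ -0,0 +1,10 @@
+HOSTS:
+ubuntu-server-14.04-amd64:
+roles:
+- master
+platform: ubuntu-14.04-amd64
+box: puppetlabs/ubuntu-14.04-64-nocm
+box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
+hypervisor: vagrant
+CONFIG:
+type: foss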

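--- /dev/null
+++ b/spec/acceptance/nodesets/nodepool-centos7.yml
@@ -0,0 +1,10 @@
+HOSTS:
+centos-70-x64:
+roles:
+- master
+platform: el-7-x86_64
+hypervisor: none
+ip: 127.0.0.1
+CONFIG:
+type: foss
+set_env: false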

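--- /dev/null
+++ b/spec/acceptance/nodesets/nodepool-trusty.yml
@@ -0,0 +1,10 @@
+HOSTS:
+ubuntu-14.04-amd64:
+roles:
+- master
+platform: ubuntu-14.04-amd64
+hypervisor: none
+ip: 127.0.0.1
+CONFIG:
+type: foss
+set_env: false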

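--- /dev/null
+++ b/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ubuntu-server-14.04-amd64:
+roles:
+- master
+platform: ubuntu-14.04-amd64
+box: puppetlabs/ubuntu-14.04-64-nocm
+box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
+hypervisor: vagrant
+CONFIG:
+log_level: debug
+type: foss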

62
spec/classes/barbican_db_mysql_spec.rb

@ -0,0 +1,62 @@
require 'spec_helper'
describe 'barbican::db::mysql' do
let :pre_condition do
[
'include mysql::server',
'include barbican::db::sync'
]
end
let :facts do
{ :osfamily => 'Debian' }
end
let :params do
{
'password' => 'fooboozoo_default_password',
}
end
describe 'with only required params' do
it { is_expected.to contain_openstacklib__db__mysql('barbican').with(
'user' => 'barbican',
'password_hash' => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
'dbname' => 'barbican',
'host' => '127.0.0.1',
'charset' => 'utf8',
:collate => 'utf8_general_ci',
)}
end
describe "overriding allowed_hosts param to array" do
let :params do
{
:password => 'barbicanpass',
:allowed_hosts => ['127.0.0.1','%']
}
end
end
describe "overriding allowed_hosts param to string" do
let :params do
{
:password => 'barbicanpass2',
:allowed_hosts => '192.168.1.1'
}
end
end
describe "overriding allowed_hosts param equals to host param " do
let :params do
{
:password => 'barbicanpass2',
:allowed_hosts => '127.0.0.1'
}
end
end
end
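Review bot: The three `allowed_hosts` `describe` blocks define `params` but contain no `it` example, so they assert nothing and the suite passes whatever the class does with `allowed_hosts`, including the `'%'` wildcard host in the first of them. Each block needs at least one expectation, e.g. `it { is_expected.to contain_openstacklib__db__mysql('barbican').with(:allowed_hosts => ['127.0.0.1','%']) }`. Without one, a regression in how host grants are passed through goes unnoticed.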

58
spec/classes/barbican_db_postgresql_spec.rb

@ -0,0 +1,58 @@
require 'spec_helper'
describe 'barbican::db::postgresql' do
let :req_params do
{ :password => 'pw' }
end
let :pre_condition do
'include postgresql::server'
end
context 'on a RedHat osfamily' do
let :facts do
{
:osfamily => 'RedHat',
:operatingsystemrelease => '7.0',
:concat_basedir => '/var/lib/puppet/concat'
}
end
context 'with only required parameters' do
let :params do
req_params
end
it { is_expected.to contain_postgresql__server__db('barbican').with(
:user => 'barbican',
:password => 'md5699e09b3c7579f59869b882716fd7299'
)}
end
end
context 'on a Debian osfamily' do
let :facts do
{
:operatingsystemrelease => '7.8',
:operatingsystem => 'Debian',
:osfamily => 'Debian',
:concat_basedir => '/var/lib/puppet/concat'
}
end
context 'with only required parameters' do
let :params do
req_params
end
it { is_expected.to contain_postgresql__server__db('barbican').with(
:user => 'barbican',
:password => 'md5699e09b3c7579f59869b882716fd7299'
)}
end
end
end

124
spec/classes/barbican_keystone_auth_spec.rb

@ -0,0 +1,124 @@
#
# Unit tests for barbican::keystone::auth
#
require 'spec_helper'
describe 'barbican::keystone::auth' do
let :facts do
{ :osfamily => 'Debian' }
end
describe 'with default class parameters' do
let :params do
{ :password => 'barbican_password',
:tenant => 'foobar' }
end
it { is_expected.to contain_keystone_user('barbican').with(
:ensure => 'present',
:password => 'barbican_password',
:tenant => 'foobar'
) }
it { is_expected.to contain_keystone_user_role('barbican@foobar').with(
:ensure => 'present',
:roles => ['admin']
)}
it { is_expected.to contain_keystone_service('barbican').with(
:ensure => 'present',
:type => 'key-manager',
:description => 'Key management Service'
) }
it { is_expected.to contain_keystone_endpoint('RegionOne/barbican').with(
:ensure => 'present',
:public_url => 'http://127.0.0.1:9311',
:admin_url => 'http://127.0.0.1:9311',
:internal_url => 'http://127.0.0.1:9311',
) }
end
describe 'when overriding URL parameters' do
let :params do
{ :password => 'barbican_password',
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81' }
end
it { is_expected.to contain_keystone_endpoint('RegionOne/barbican').with(
:ensure => 'present',
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81'
) }
end
describe 'when overriding auth name' do
let :params do
{ :password => 'foo',
:auth_name => 'barbicany' }
end
it { is_expected.to contain_keystone_user('barbicany') }
it { is_expected.to contain_keystone_user_role('barbicany@services') }
it { is_expected.to contain_keystone_service('barbicany') }
it { is_expected.to contain_keystone_endpoint('RegionOne/barbicany') }
end
describe 'when overriding service name' do
let :params do
{ :service_name => 'barbican_service',
:auth_name => 'barbican',
:password => 'barbican_password' }
end
it { is_expected.to contain_keystone_user('barbican') }
it { is_expected.to contain_keystone_user_role('barbican@services') }
it { is_expected.to contain_keystone_service('barbican_service') }
it { is_expected.to contain_keystone_endpoint('RegionOne/barbican_service') }
end
describe 'when disabling user configuration' do
let :params do
{
:password => 'barbican_password',
:configure_user => false
}
end
it { is_expected.not_to contain_keystone_user('barbican') }
it { is_expected.to contain_keystone_user_role('barbican@services') }
it { is_expected.to contain_keystone_service('barbican').with(
:ensure => 'present',
:type => 'key-manager',
:description => 'Key management Service'
) }
end
describe 'when disabling user and user role configuration' do
let :params do
{
:password => 'barbican_password',
:configure_user => false,
:configure_user_role => false
}
end
it { is_expected.not_to contain_keystone_user('barbican') }
it { is_expected.not_to contain_keystone_user_role('barbican@services') }
it { is_expected.to contain_keystone_service('barbican').with(
:ensure => 'present',
:type => 'key-manager',
:description => 'Key management Service'
) }
end
end

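--- a/spec/classes/barbican_logging_spec.rb
+++ b/spec/classes/barbican_logging_spec.rb
@@ -0,0 +1,107 @@
+require 'spec_helper'
+describe 'barbican::logging' do
+let :params do
+{
+}
+end
+let :log_params do
+{
+:logging_context_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s',
+:logging_default_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s',
+:logging_debug_format_suffix => '%(funcName)s %(pathname)s:%(lineno)d',
+:logging_exception_prefix => '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s',
+:log_config_append => '/etc/barbican/logging.conf',
+:publish_errors => true,
+:default_log_levels => {
+'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
+'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO',
+'iso8601' => 'WARN',
+'requests.packages.urllib3.connectionpool' => 'WARN' },
+:fatal_deprecations => true,
+:instance_format => '[instance: %(uuid)s] ',
+:instance_uuid_format => '[instance: %(uuid)s] ',
+:log_date_format => '%Y-%m-%d %H:%M:%S',
+}
+end
+shared_examples_for 'barbican-logging' do
+context 'with extended logging options' do
+before { params.merge!( log_params ) }
+it_configures 'logging params set'
+end
+context 'without extended logging options' do
+it_configures 'logging params unset'
+end
+end
+shared_examples_for 'logging params set' do
+it 'enables logging params' do
+is_expected.to contain_barbican_config('DEFAULT/logging_context_format_string').with_value(
+'%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s')
+is_expected.to contain_barbican_config('DEFAULT/logging_default_format_string').with_value(
+'%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s')
+is_expected.to contain_barbican_config('DEFAULT/logging_debug_format_suffix').with_value(
+'%(funcName)s %(pathname)s:%(lineno)d')
+is_expected.to contain_barbican_config('DEFAULT/logging_exception_prefix').with_value(
+'%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s')
+is_expected.to contain_barbican_config('DEFAULT/log_config_append').with_value(
+'/etc/barbican/logging.conf')
+is_expected.to contain_barbican_config('DEFAULT/publish_errors').with_value(
+true)
+is_expected.to contain_barbican_config('DEFAULT/default_log_levels').with_value(
+'amqp=WARN,amqplib=WARN,boto=WARN,iso8601=WARN,qpid=WARN,requests.packages.urllib3.connectionpool=WARN,sqlalchemy=WARN,suds=INFO')
+is_expected.to contain_barbican_config('DEFAULT/fatal_deprecations').with_value(
+true)
+is_expected.to contain_barbican_config('DEFAULT/instance_format').with_value(
+'[instance: %(uuid)s] ')
+is_expected.to contain_barbican_config('DEFAULT/instance_uuid_format').with_value(
+'[instance: %(uuid)s] ')
+is_expected.to contain_barbican_config('DEFAULT/log_date_format').with_value(
+'%Y-%m-%d %H:%M:%S')
+end
+end
+shared_examples_for 'logging params unset' do
+[ :logging_context_format_string, :logging_default_format_string,
+:logging_debug_format_suffix, :logging_exception_prefix,
+:log_config_append, :publish_errors,
+:default_log_levels, :fatal_deprecations,
+:instance_format, :instance_uuid_format,
+:log_date_format, ].each { |param|
+it { is_expected.to contain_barbican_config("DEFAULT/#{param}").with_ensure('absent') }
+}
+end
+context 'on Debian platforms' do
+let :facts do
+{ :osfamily => 'Debian' }
+end
+it_configures 'barbican-logging'
+end
+context 'on RedHat platforms' do
+let :facts do
+{ :osfamily => 'RedHat' }
+end
+it_configures 'barbican-logging'
+end
+end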

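--- a/spec/classes/barbican_policy_spec.rb
+++ b/spec/classes/barbican_policy_spec.rb
@@ -0,0 +1,41 @@
+require 'spec_helper'
+describe 'barbican::policy' do
+shared_examples_for 'barbican policies' do
+let :params do
+{
+:policy_path => '/etc/barbican/policy.json',
+:policies => {
+'context_is_admin' => {
+'key' => 'context_is_admin',
+'value' => 'foo:bar'
+}
+}
+}
+end
+it 'set up the policies' do
+is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
+:key => 'context_is_admin',
+:value => 'foo:bar'
+})
+end
+end
+context 'on Debian platforms' do
+let :facts do
+{ :osfamily => 'Debian' }
+end
+it_configures 'barbican policies'
+end
+context 'on RedHat platforms' do
+let :facts do
+{ :osfamily => 'RedHat' }
+end
+it_configures 'barbican policies'
+end
+end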
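Review bot: The `set up the policies` example passes `:policy_path => '/etc/barbican/policy.json'` but asserts only `:key` and `:value`, so a regression that writes the rule to a different file, or to none, would still pass. The policy file is what enforces Barbican's access rules, so the expectation should pin the path as well, for example by adding `:file_path => '/etc/barbican/policy.json'` to the `.with` hash. That attribute name assumes the class hands `policy_path` to `openstacklib::policy::base` as `file_path`; the manifest is not visible in this section, so confirm it there.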

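--- a/spec/shared_examples.rb
+++ b/spec/shared_examples.rb
@@ -0,0 +1,5 @@
+shared_examples_for "a Puppet::Error" do |description|
+it "with message matching #{description.inspect}" do
+expect { is_expected.to have_class_count(1) }.to raise_error(Puppet::Error, description)
+end
+end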

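--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -0,0 +1,10 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'shared_examples'
+require 'webmock/rspec'
+RSpec.configure do |c|
+c.alias_it_should_behave_like_to :it_configures, 'configures'
+c.alias_it_should_behave_like_to :it_raises, 'raises'
+end
+at_exit { RSpec::Puppet::Coverage.report! }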

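--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
@@ -0,0 +1,56 @@
+require 'beaker-rspec'
+require 'beaker/puppet_install_helper'
+run_puppet_install_helper
+RSpec.configure do |c|
+# Project root
+proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+modname = JSON.parse(open('metadata.json').read)['name'].split('-')[1]
+# Readable test descriptions
+c.formatter = :documentation
+# Configure all nodes in nodeset
+c.before :suite do
+# Install module and dependencies
+hosts.each do |host|
+# install git
+install_package host, 'git'
+zuul_ref = ENV['ZUUL_REF']
+zuul_branch = ENV['ZUUL_BRANCH']
+zuul_url = ENV['ZUUL_URL']
+repo = 'openstack/puppet-openstack-integration'
+# Start out with clean moduledir, don't trust r10k to purge it
+on host, "rm -rf /etc/puppet/modules/*"
+# Install dependent modules via git or zuul
+r = on host, "test -e /usr/zuul-env/bin/zuul-cloner", { :acceptable_exit_codes => [0,1] }
+if r.exit_code == 0
+zuul_clone_cmd = '/usr/zuul-env/bin/zuul-cloner '
+zuul_clone_cmd += '--cache-dir /opt/git '
+zuul_clone_cmd += "--zuul-ref #{zuul_ref} "
+zuul_clone_cmd += "--zuul-branch #{zuul_branch} "
+zuul_clone_cmd += "--zuul-url #{zuul_url} "
+zuul_clone_cmd += "git://git.openstack.org #{repo}"
+on host, zuul_clone_cmd
+else
+on host, "git clone https://git.openstack.org/#{repo} #{repo}"
+end
+on host, "ZUUL_REF=#{zuul_ref} ZUUL_BRANCH=#{zuul_branch} ZUUL_URL=#{zuul_url} bash #{repo}/install_modules.sh"
+# Install the module being tested
+on host, "rm -fr /etc/puppet/modules/#{modname}"
+puppet_module_install(:source => proj_root, :module_name => modname)
+on host, "rm -fr #{repo}"
+# List modules installed to help with debugging
+on host, puppet('module','list'), { :acceptable_exit_codes => 0 }
+end
+end
+end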
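Review bot: The zuul-cloner branch fetches `openstack/puppet-openstack-integration` over `git://git.openstack.org`, a transport with no encryption or server authentication. A later line runs `install_modules.sh` from that checkout with bash on every test host, so whoever can alter the connection decides what those hosts execute. The fallback branch already clones over `https://git.openstack.org`, and the cloner line can match it: `zuul_clone_cmd += "https://git.openstack.org #{repo}"`. Separately, `ZUUL_REF`, `ZUUL_BRANCH` and `ZUUL_URL` are interpolated into the shell strings unquoted and are nil outside Zuul. Passing each through `Shellwords.escape` (with `require 'shellwords'`) would keep an empty value or a stray metacharacter from reshaping the command.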

68
spec/unit/provider/barbican_config/ini_setting_spec.rb

@ -0,0 +1,68 @@
#
# these tests are a little concerning b/c they are hacking around the
# modulepath, so these tests will not catch issues that may eventually arise
# related to loading these plugins.
# I could not, for the life of me, figure out how to programatcally set the modulepath
$LOAD_PATH.push(
File.join(
File.dirname(__FILE__),
'..',
'..',
'..',
'fixtures',
'modules',
'inifile',
'lib')
)
$LOAD_PATH.push(