Add support for multiple backends

This will be essential for allowing migrations to
different (more secure) plugins

Change-Id: Ib45708fa6f8770b7737fff1990cc86e71e4bd634
Ade Lee 2017-11-28 00:21:08 -05:00
parent 582058497b
commit 303f85c92b
11 changed files with 143 additions and 2 deletions


@ -121,13 +121,27 @@
# [*enabled_secretstore_plugins*]
# (optional) Enabled secretstore plugins. Multiple plugins
# are defined in a list eg. ['store_crypto', dogtag_crypto']
# Used when multiple_secret_stores_enabled is not set to true.
# Defaults to $::os_service_default
#
# [*enabled_crypto_plugins*]
# (optional) Enabled crypto_plugins. Multiple plugins
# are defined in a list eg. ['simple_crypto','p11_crypto']
# Used when multiple_secret_stores_enabled is not set to true.
# Defaults to $::os_service_default
#
# [*enabled_secret_stores*]
# (optional) Enabled secretstores. This is the configuration
# parameters when multiple plugin configuration is used.
# Suffixes are defined in a comma separated list eg.
# 'simple_crypto,dogtag,kmip,pkcs11'
# Defaults to 'simple_crypto'
#
# [*multiple_secret_stores_enabled*]
# (optional) Enabled crypto_plugins. Multiple plugins
# are defined in a list eg. ['simple_crypto','p11_crypto']
# Defaults to false
#
# [*enabled_certificate_plugins*]
# (optional) Enabled certificate plugins as a list.
# e.g. ['snakeoil_ca', 'dogtag']
@ -281,6 +295,8 @@ class barbican::api (
$retry_scheduler_periodic_interval_max_seconds = $::os_service_default,
$enabled_secretstore_plugins = $::os_service_default,
$enabled_crypto_plugins = $::os_service_default,
$enabled_secret_stores = 'simple_crypto',
$multiple_secret_stores_enabled = false,
$enabled_certificate_plugins = $::os_service_default,
$enabled_certificate_event_plugins = $::os_service_default,
$kombu_ssl_ca_certs = $::os_service_default,
@ -418,6 +434,13 @@ the future release. Please use barbican::api::package_ensure instead.")
'DEFAULT/max_allowed_request_size_in_bytes': value => $max_allowed_request_size_in_bytes;
}
if $multiple_secret_stores_enabled and !is_service_default($enabled_secretstore_plugins) {
warning("barbican::api::enabled_secretstore_plugins and barbican::api::enabled_crypto_plugins \
will be set by puppet, but will not be used by the server whenever \
barbican::api::multiple_secret_stores_enabled is set to true. Use \
barbican::api::enabled_secret_stores instead")
}
# enabled plugins
barbican_config {
'secretstore/enabled_secretstore_plugins': value => $enabled_secretstore_plugins;
@ -426,6 +449,12 @@ the future release. Please use barbican::api::package_ensure instead.")
'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins;
}
# enabled plugins when multiple plugins is enabled
barbican_config {
'secretstore/enable_multiple_secret_stores': value => $multiple_secret_stores_enabled;
'secretstore/stores_lookup_suffix': value => $enabled_secret_stores;
}
# keystone config
if $auth_strategy == 'keystone' {
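Review bot: The guard `if $multiple_secret_stores_enabled and !is_service_default($enabled_secretstore_plugins)` only inspects enabled_secretstore_plugins, yet the warning it emits names enabled_crypto_plugins as well, so an operator who sets only the crypto list while multiple stores are enabled gets no hint that it is ignored. Widening it to `if $multiple_secret_stores_enabled and (!is_service_default($enabled_secretstore_plugins) or !is_service_default($enabled_crypto_plugins)) {` makes the condition match the message. Separately, the new parameter doc for `multiple_secret_stores_enabled` in the first hunk is a copy of the enabled_crypto_plugins text ("Enabled crypto_plugins. Multiple plugins are defined in a list ...") although the parameter is a boolean; something like `# (optional) Whether to use the multiple secret store backend configuration; when true, enabled_secret_stores selects the backends and the enabled_*_plugins lists are not used by the server.` would describe it. The class body continues outside the hunk.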


@ -40,6 +40,10 @@
# (optional) Working directory for Dogtag plugin
# Defaults to $::os_service_default
#
# [*global_default*]
# (optional) set plugin as global default
# Defaults to false
#
class barbican::plugins::dogtag (
$dogtag_plugin_ensure_package = 'present',
$dogtag_plugin_pem_path = $::os_service_default,
@ -50,6 +54,7 @@ class barbican::plugins::dogtag (
$dogtag_plugin_simple_cmc_profile = $::os_service_default,
$dogtag_plugin_ca_expiration_time = $::os_service_default,
$dogtag_plugin_plugin_working_dir = $::os_service_default,
$global_default = false,
) {
include ::barbican::deps
@ -65,6 +70,11 @@ class barbican::plugins::dogtag (
tag => ['openstack', 'barbican-package']
}
barbican_config {
'secretstore:dogtag/secret_store_plugin': value => 'dogtag_plugin';
'secretstore:dogtag/global_default': value => $global_default;
}
barbican_config {
'dogtag_plugin/pem_path': value => $dogtag_plugin_pem_path;
'dogtag_plugin/dogtag_host': value => $dogtag_plugin_dogtag_host;
@ -75,5 +85,4 @@ class barbican::plugins::dogtag (
'dogtag_plugin/ca_expiration_time': value => $dogtag_plugin_ca_expiration_time;
'dogtag_plugin/plugin_working_dir': value => $dogtag_plugin_plugin_working_dir;
}
}
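Review bot: The new `global_default` description (`# (optional) set plugin as global default`) does not say what the flag controls or how it relates to the other stores, and the same three-line text is repeated in the kmip, p11_crypto and simple_crypto classes. As far as I recall, Barbican's multiple-backend scheme expects exactly one configured store to be the global default for new secrets, and nothing in these independent classes can enforce that across plugins, so the parameter doc is where an operator learns it. I'd document it in all four classes as `# (optional) Mark this store as the global default used for new secrets when barbican::api::multiple_secret_stores_enabled is true. Exactly one enabled store should set this to true.`. The section name `secretstore:dogtag` also only takes effect if 'dogtag' is listed as a suffix in barbican::api::enabled_secret_stores; a comment above the resource, `# 'dogtag' must match a suffix in barbican::api::enabled_secret_stores`, would tie the two together.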


@ -34,6 +34,10 @@
# (optional) ca certs file for KMIP device
# Defaults to undef
#
# [*global_default*]
# (optional) set plugin as global default
# Defaults to false
#
class barbican::plugins::kmip (
$kmip_plugin_username = undef,
$kmip_plugin_password = undef,
@ -42,6 +46,7 @@ class barbican::plugins::kmip (
$kmip_plugin_keyfile = undef,
$kmip_plugin_certfile = undef,
$kmip_plugin_ca_certs = undef,
$global_default = false,
) {
include ::barbican::deps
@ -84,4 +89,10 @@ class barbican::plugins::kmip (
'kmip_plugin/port': value => $kmip_plugin_port;
}
}
barbican_config {
'secretstore:kmip/secret_store_plugin': value => 'kmip_plugin';
'secretstore:kmip/global_default': value => $global_default;
}
}


@ -33,6 +33,10 @@
# Required if p11_crypto_plugin is enabled.
# Defaults to undef
#
# [*global_default*]
# (optional) set plugin as global default
# Defaults to false
#
class barbican::plugins::p11_crypto (
$p11_crypto_plugin_library_path = $::os_service_default,
$p11_crypto_plugin_login = undef,
@ -40,6 +44,7 @@ class barbican::plugins::p11_crypto (
$p11_crypto_plugin_mkek_length = undef,
$p11_crypto_plugin_hmac_label = undef,
$p11_crypto_plugin_slot_id = undef,
$global_default = false,
) {
include ::barbican::deps
@ -68,4 +73,10 @@ class barbican::plugins::p11_crypto (
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
}
barbican_config {
'secretstore:pkcs11/secret_store_plugin': value => 'store_crypto';
'secretstore:pkcs11/crypto_plugin': value => 'p11_crypto';
'secretstore:pkcs11/global_default': value => $global_default;
}
}
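Review bot: The store section is named `secretstore:pkcs11` while the class, all of its parameters and the crypto plugin value are named p11_crypto, so the suffix an operator has to list in barbican::api::enabled_secret_stores ('pkcs11', as in the api class's example) is not discoverable from this file. A comment above the resource such as `# store suffix is 'pkcs11' (not 'p11_crypto'); list it as such in barbican::api::enabled_secret_stores` would prevent a mismatch that would presumably leave this store unselected without any error from puppet. The class's parameter list continues outside the hunk.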


@ -8,12 +8,23 @@
# (optional) base64 encoded 32-byte value
# Defaults to $::os_service_default
#
# [*global_default*]
# (optional) set plugin as global default
# Defaults to false
#
class barbican::plugins::simple_crypto (
$simple_crypto_plugin_kek = $::os_service_default,
$global_default = false,
) {
include ::barbican::deps
barbican_config {
'secretstore:simple_crypto/secret_store_plugin': value => 'store_crypto';
'secretstore:simple_crypto/crypto_plugin': value => 'simple_crypto';
'secretstore:simple_crypto/global_default': value => $global_default;
}
barbican_config {
'simple_crypto_plugin/kek': value => $simple_crypto_plugin_kek;
}
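Review bot: With the api class defaulting `enabled_secret_stores` to 'simple_crypto' and this class defaulting `global_default` to false, enabling multiple_secret_stores_enabled with otherwise default parameters yields a configuration in which no store is marked as the global default. If Barbican requires exactly one global default in that mode (which I believe it does), the default path fails until the operator discovers this parameter; either change the default here to `$global_default = false,` → `$global_default = true,` since simple_crypto is the only store the api class enables by default, or state the requirement in the parameter doc. The class's closing brace is outside the hunk.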


@ -0,0 +1,9 @@
---
features:
- Added parameters multiple_secret_stores_enabled and enabled_secret_stores
to configure secret store backends using the newer multiple backend
configuration scheme. This will allow us to specify more than one backend
in case we need to migrate to more secure backends.
- Added parameters in each backend to configure them correctly using
the newer multiple backend scheme, including global_default to specify if
the backend is supposed to be the default backend for new secrets.


@ -67,6 +67,8 @@ describe 'barbican::api' do
:retry_scheduler_periodic_interval_max_seconds => '<SERVICE DEFAULT>',
:service_name => platform_params[:service_name],
:enable_proxy_headers_parsing => '<SERVICE DEFAULT>',
:multiple_secret_stores_enabled => false,
:enabled_secret_stores => 'simple_crypto',
}
end
@ -111,6 +113,8 @@ describe 'barbican::api' do
:max_allowed_secret_in_bytes => 20000,
:max_allowed_request_size_in_bytes => 2000000,
:enable_proxy_headers_parsing => false,
:multiple_secret_stores_enabled => true,
:enabled_secret_stores => 'simple_crypto,dogtag,kmip',
}
].each do |param_set|
describe "when #{param_set == {} ? "using default" : "specifying"} class parameters" do
@ -195,6 +199,13 @@ describe 'barbican::api' do
is_expected.to contain_barbican_config('certificate_event/enabled_certificate_event_plugins') \
.with_value(param_hash[:enabled_certificate_event_plugins])
end
it 'configures plugins in multiple plugin config' do
is_expected.to contain_barbican_config('secretstore/stores_lookup_suffix') \
.with_value(param_hash[:enabled_secret_stores])
is_expected.to contain_barbican_config('secretstore/enable_multiple_secret_stores') \
.with_value(param_hash[:multiple_secret_stores_enabled])
end
end
end
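Review bot: The new `configures plugins in multiple plugin config` example checks the two new config keys, but nothing exercises the warning branch the class gained for `multiple_secret_stores_enabled => true` combined with a non-default `enabled_secretstore_plugins`. The second param set does enable multiple stores, so whether that branch runs depends on values set outside the hunk, and no assertion pins the intended behaviour either way. An example for that combination asserting that the legacy `secretstore/enabled_secretstore_plugins` key is still written with the given value would at least document the decision to keep writing it. The enclosing describe blocks continue outside the hunk.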


@ -40,6 +40,7 @@ describe 'barbican::plugins::dogtag' do
:dogtag_plugin_simple_cmc_profile => '<SERVICE DEFAULT>',
:dogtag_plugin_ca_expiration_time => '<SERVICE DEFAULT>',
:dogtag_plugin_plugin_working_dir => '<SERVICE DEFAULT>',
:global_default => false,
}
end
@ -55,6 +56,7 @@ describe 'barbican::plugins::dogtag' do
:dogtag_plugin_simple_cmc_profile => 'caServerCert',
:dogtag_plugin_ca_expiration_time => '100',
:dogtag_plugin_plugin_working_dir => 'path_to_working_dir',
:global_default => true,
}
].each do |param_set|
@ -90,6 +92,12 @@ describe 'barbican::plugins::dogtag' do
.with_value(param_hash[:dogtag_plugin_ca_expiration_time])
is_expected.to contain_barbican_config('dogtag_plugin/plugin_working_dir')\
.with_value(param_hash[:dogtag_plugin_plugin_working_dir])
is_expected.to contain_barbican_config(
'secretstore:dogtag/secret_store_plugin') \
.with_value('dogtag_plugin')
is_expected.to contain_barbican_config(
'secretstore:dogtag/global_default') \
.with_value(param_hash[:global_default])
end
end
end


@ -30,6 +30,7 @@ describe 'barbican::plugins::kmip' do
:kmip_plugin_password => 'kmip_password',
:kmip_plugin_host => 'kmip_host',
:kmip_plugin_port => 9000,
:global_default => true
}
end
@ -42,6 +43,12 @@ describe 'barbican::plugins::kmip' do
.with_value(params[:kmip_plugin_username])
is_expected.to contain_barbican_config('kmip_plugin/password')\
.with_value(params[:kmip_plugin_password]).with_secret(true)
is_expected.to contain_barbican_config(
'secretstore:kmip/secret_store_plugin') \
.with_value('kmip_plugin')
is_expected.to contain_barbican_config(
'secretstore:kmip/global_default') \
.with_value(params[:global_default])
end
end
@ -67,6 +74,12 @@ describe 'barbican::plugins::kmip' do
.with_value(params[:kmip_plugin_host])
is_expected.to contain_barbican_config('kmip_plugin/port')\
.with_value(params[:kmip_plugin_port])
is_expected.to contain_barbican_config(
'secretstore:kmip/secret_store_plugin') \
.with_value('kmip_plugin')
is_expected.to contain_barbican_config(
'secretstore:kmip/global_default') \
.with_value('false')
end
end
end
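Review bot: The two new assertions for `secretstore:kmip/global_default` compare against different types: the first uses `params[:global_default]` (the boolean `true` set at the top of the section) while the second uses the string literal `'false'`, and the p11_crypto and simple_crypto specs likewise use `'true'`/`'false'` strings for a boolean parameter. rspec-puppet's `with_value` is lenient about stringification as far as I know, so this passes, but the mixed style obscures what the catalogue actually holds; I'd write `.with_value(false)` here and `.with_value(true)` / `.with_value(false)` in the other two specs, matching how the manifests declare the parameter. The enclosing describe blocks continue outside the hunk.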


@ -31,6 +31,7 @@ describe 'barbican::plugins::p11_crypto' do
:p11_crypto_plugin_hmac_label => 'hmac_label',
:p11_crypto_plugin_slot_id => 1,
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
:global_default => true,
}
end
@ -47,6 +48,15 @@ describe 'barbican::plugins::p11_crypto' do
.with_value(params[:p11_crypto_plugin_slot_id])
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
.with_value(params[:p11_crypto_plugin_library_path])
is_expected.to contain_barbican_config(
'secretstore:pkcs11/secret_store_plugin') \
.with_value('store_crypto')
is_expected.to contain_barbican_config(
'secretstore:pkcs11/crypto_plugin') \
.with_value('p11_crypto')
is_expected.to contain_barbican_config(
'secretstore:pkcs11/global_default') \
.with_value('true')
end
end
end


@ -25,13 +25,23 @@ describe 'barbican::plugins::simple_crypto' do
describe 'with parameter passed into pk11 plugin' do
let :params do
{
:simple_crypto_plugin_kek => 'XXXXXXXXXXXXX'
:simple_crypto_plugin_kek => 'XXXXXXXXXXXXX',
:global_default => true,
}
end
it 'is_expected.to set simple_crypto parameters' do
is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
.with_value(params[:simple_crypto_plugin_kek])
is_expected.to contain_barbican_config(
'secretstore:simple_crypto/secret_store_plugin') \
.with_value('store_crypto')
is_expected.to contain_barbican_config(
'secretstore:simple_crypto/crypto_plugin') \
.with_value('simple_crypto')
is_expected.to contain_barbican_config(
'secretstore:simple_crypto/global_default') \
.with_value('true')
end
end
@ -43,6 +53,15 @@ describe 'barbican::plugins::simple_crypto' do
it 'is_expected.to set default simple_crypto parameters' do
is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
.with_value('<SERVICE DEFAULT>')
is_expected.to contain_barbican_config(
'secretstore:simple_crypto/secret_store_plugin') \
.with_value('store_crypto')
is_expected.to contain_barbican_config(
'secretstore:simple_crypto/crypto_plugin') \
.with_value('simple_crypto')
is_expected.to contain_barbican_config(
'secretstore:simple_crypto/global_default') \
.with_value('false')
end
end
end