From 303f85c92b89132ae714079ad5200ebcb66abc6e Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 28 Nov 2017 00:21:08 -0500
Subject: [PATCH] Add support for multiple backends

This will be essential for allowing migrations to different (more secure) plugins

Change-Id: Ib45708fa6f8770b7737fff1990cc86e71e4bd634
---
 manifests/api.pp | 29 +++++++++++++++++++
 manifests/plugins/dogtag.pp | 11 ++++++-
 manifests/plugins/kmip.pp | 11 +++++++
 manifests/plugins/p11_crypto.pp | 11 +++++++
 manifests/plugins/simple_crypto.pp | 11 +++++++
 ...tiple-backend-config-158138b82dfd3dca.yaml | 9 ++++++
 spec/classes/barbican_api_spec.rb | 11 +++++++
 spec/classes/barbican_plugins_dogtag_spec.rb | 8 +++++
 spec/classes/barbican_plugins_kmip_spec.rb | 13 +++++++++
 .../barbican_plugins_p11_crypto_spec.rb | 10 +++++++
 .../barbican_plugins_simple_crypto_spec.rb | 21 +++++++++++++-
 11 files changed, 143 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/add-multiple-backend-config-158138b82dfd3dca.yaml

diff --git a/manifests/api.pp b/manifests/api.pp
index a31088b2..228a6464 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -121,13 +121,27 @@
 # [*enabled_secretstore_plugins*]
 # (optional) Enabled secretstore plugins. Multiple plugins
 # are defined in a list eg. ['store_crypto', dogtag_crypto']
+# Used when multiple_secret_stores_enabled is not set to true.
 # Defaults to $::os_service_default
 #
 # [*enabled_crypto_plugins*]
 # (optional) Enabled crypto_plugins. Multiple plugins
 # are defined in a list eg. ['simple_crypto','p11_crypto']
+# Used when multiple_secret_stores_enabled is not set to true.
 # Defaults to $::os_service_default
 #
+# [*enabled_secret_stores*]
+# (optional) Enabled secretstores. This is the configuration
+# parameters when multiple plugin configuration is used.
+# Suffixes are defined in a comma separated list eg.
+# 'simple_crypto,dogtag,kmip,pkcs11'
+# Defaults to 'simple_crypto'
+#
+# [*multiple_secret_stores_enabled*]
+# (optional) Enabled crypto_plugins. Multiple plugins
+# are defined in a list eg. ['simple_crypto','p11_crypto']
+# Defaults to false
+#
 # [*enabled_certificate_plugins*]
 # (optional) Enabled certificate plugins as a list.
 # e.g. ['snakeoil_ca', 'dogtag']
@@ -281,6 +295,8 @@ class barbican::api (
 $retry_scheduler_periodic_interval_max_seconds = $::os_service_default,
 $enabled_secretstore_plugins = $::os_service_default,
 $enabled_crypto_plugins = $::os_service_default,
+ $enabled_secret_stores = 'simple_crypto',
+ $multiple_secret_stores_enabled = false,
 $enabled_certificate_plugins = $::os_service_default,
 $enabled_certificate_event_plugins = $::os_service_default,
 $kombu_ssl_ca_certs = $::os_service_default,
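Review bot: The new `[*multiple_secret_stores_enabled*]` entry in the api.pp header comment repeats the description of `enabled_crypto_plugins` ("Enabled crypto_plugins. Multiple plugins are defined in a list ...") instead of describing the boolean it documents, so the doc is wrong for the parameter it sits under. Replace the two description lines with `#   (optional) Whether to enable the multiple secret store backend configuration (secretstore/enable_multiple_secret_stores). When true, the stores listed in enabled_secret_stores are used instead of enabled_secretstore_plugins and enabled_crypto_plugins.` and keep `#   Defaults to false`. The `[*enabled_secret_stores*]` entry reads "This is the configuration parameters when ..." and would be clearer as "This is the list of store suffixes used when ...".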
@@ -418,6 +434,13 @@ the future release. Please use barbican::api::package_ensure instead.")
 'DEFAULT/max_allowed_request_size_in_bytes': value => $max_allowed_request_size_in_bytes;
 }
 
+ if $multiple_secret_stores_enabled and !is_service_default($enabled_secretstore_plugins) {
+ warning("barbican::api::enabled_secretstore_plugins and barbican::api::enabled_crypto_plugins \
+ will be set by puppet, but will not be used by the server whenever \
+ barbican::api::multiple_secret_stores_enabled is set to true. Use \
+ barbican::api::enabled_secret_stores instead")
+ }
+
 # enabled plugins
 barbican_config {
 'secretstore/enabled_secretstore_plugins': value => $enabled_secretstore_plugins;
@@ -426,6 +449,12 @@ the future release. Please use barbican::api::package_ensure instead.")
 'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins;
 }
 
+ # enabled plugins when multiple plugins is enabled
+ barbican_config {
+ 'secretstore/enable_multiple_secret_stores': value => $multiple_secret_stores_enabled;
+ 'secretstore/stores_lookup_suffix': value => $enabled_secret_stores;
+ }
+
 # keystone config
 if $auth_strategy == 'keystone' {
 
diff --git a/manifests/plugins/dogtag.pp b/manifests/plugins/dogtag.pp
index 42754c68..1e2d0126 100644
--- a/manifests/plugins/dogtag.pp
+++ b/manifests/plugins/dogtag.pp
@@ -40,6 +40,10 @@
 # (optional) Working directory for Dogtag plugin
 # Defaults to $::os_service_default
 #
+# [*global_default*]
+# (optional) set plugin as global default
+# Defaults to false
+#
 class barbican::plugins::dogtag (
 $dogtag_plugin_ensure_package = 'present',
 $dogtag_plugin_pem_path = $::os_service_default,
@@ -50,6 +54,7 @@ class barbican::plugins::dogtag (
 $dogtag_plugin_simple_cmc_profile = $::os_service_default,
 $dogtag_plugin_ca_expiration_time = $::os_service_default,
 $dogtag_plugin_plugin_working_dir = $::os_service_default,
+ $global_default = false,
 ) {
 
 include ::barbican::deps
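Review bot: The guard on the new `warning()` in api.pp only tests `enabled_secretstore_plugins`, yet the message it emits also names `enabled_crypto_plugins` and says both are ignored by the server once multiple stores are enabled; an operator who sets only `enabled_crypto_plugins` together with `multiple_secret_stores_enabled => true` therefore gets no warning for a value that, by the message's own account, is not used. Widen the condition to cover both parameters: `if $multiple_secret_stores_enabled and (!is_service_default($enabled_secretstore_plugins) or !is_service_default($enabled_crypto_plugins)) {`. The body of `barbican::api` starts and ends outside this hunk.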
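Review bot: `secretstore/stores_lookup_suffix` is written from `enabled_secret_stores`, whose default is `'simple_crypto'`, but nothing in this class ties that suffix to the `barbican::plugins::simple_crypto` class that (per the simple_crypto.pp hunk in this change) writes the matching `secretstore:simple_crypto` section. An operator who flips `multiple_secret_stores_enabled` to true without declaring that plugin class presumably ends up with a lookup suffix that has no backing section, and that would only surface when the service starts rather than at catalog time. A short comment above the new `barbican_config` block, e.g. `# every suffix in $enabled_secret_stores must match a secretstore:<suffix> section written by the corresponding barbican::plugins::* class`, would make the coupling visible to whoever next edits the defaults.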
@@ -65,6 +70,11 @@ class barbican::plugins::dogtag (
 tag => ['openstack', 'barbican-package']
 }
 
+ barbican_config {
+ 'secretstore:dogtag/secret_store_plugin': value => 'dogtag_plugin';
+ 'secretstore:dogtag/global_default': value => $global_default;
+ }
+
 barbican_config {
 'dogtag_plugin/pem_path': value => $dogtag_plugin_pem_path;
 'dogtag_plugin/dogtag_host': value => $dogtag_plugin_dogtag_host;
@@ -75,5 +85,4 @@ class barbican::plugins::dogtag (
 'dogtag_plugin/ca_expiration_time': value => $dogtag_plugin_ca_expiration_time;
 'dogtag_plugin/plugin_working_dir': value => $dogtag_plugin_plugin_working_dir;
 }
-
 }
diff --git a/manifests/plugins/kmip.pp b/manifests/plugins/kmip.pp
index 8806e3b6..7aced576 100644
--- a/manifests/plugins/kmip.pp
+++ b/manifests/plugins/kmip.pp
@@ -34,6 +34,10 @@
 # (optional) ca certs file for KMIP device
 # Defaults to undef
 #
+# [*global_default*]
+# (optional) set plugin as global default
+# Defaults to false
+#
 class barbican::plugins::kmip (
 $kmip_plugin_username = undef,
 $kmip_plugin_password = undef,
@@ -42,6 +46,7 @@ class barbican::plugins::kmip (
 $kmip_plugin_keyfile = undef,
 $kmip_plugin_certfile = undef,
 $kmip_plugin_ca_certs = undef,
+ $global_default = false,
 ) {
 
 include ::barbican::deps
@@ -84,4 +89,10 @@ class barbican::plugins::kmip (
 'kmip_plugin/port': value => $kmip_plugin_port;
 }
 }
+
+ barbican_config {
+ 'secretstore:kmip/secret_store_plugin': value => 'kmip_plugin';
+ 'secretstore:kmip/global_default': value => $global_default;
+ }
+
 }
diff --git a/manifests/plugins/p11_crypto.pp b/manifests/plugins/p11_crypto.pp
index a52ca2a4..afc23ac7 100644
--- a/manifests/plugins/p11_crypto.pp
+++ b/manifests/plugins/p11_crypto.pp
@@ -33,6 +33,10 @@
 # Required if p11_crypto_plugin is enabled.
 # Defaults to undef
 #
+# [*global_default*]
+# (optional) set plugin as global default
+# Defaults to false
+#
 class barbican::plugins::p11_crypto (
 $p11_crypto_plugin_library_path = $::os_service_default,
 $p11_crypto_plugin_login = undef,
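Review bot: The new `secretstore:dogtag/global_default` key is driven by a per-class `$global_default` that every plugin class in this change (dogtag here, kmip and p11_crypto in the following hunks, simple_crypto after them) defaults to `false`, so with all classes at their defaults no store is marked as the global default, and nothing in these hunks notices when two classes are both declared with `global_default => true`. Whether Barbican refuses to start or silently picks a store in either case is not visible from the manifests, so the contract should at least be documented: change each `[*global_default*]` entry to `#   (optional) set plugin as global default. Exactly one of the enabled secret stores should set this to true when barbican::api::multiple_secret_stores_enabled is true.`. The dogtag class body continues outside this hunk.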
@@ -40,6 +44,7 @@ class barbican::plugins::p11_crypto (
 $p11_crypto_plugin_mkek_length = undef,
 $p11_crypto_plugin_hmac_label = undef,
 $p11_crypto_plugin_slot_id = undef,
+ $global_default = false,
 ) {
 
 include ::barbican::deps
@@ -68,4 +73,10 @@ class barbican::plugins::p11_crypto (
 'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
 'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
 }
+
+ barbican_config {
+ 'secretstore:pkcs11/secret_store_plugin': value => 'store_crypto';
+ 'secretstore:pkcs11/crypto_plugin': value => 'p11_crypto';
+ 'secretstore:pkcs11/global_default': value => $global_default;
+ }
 }
diff --git a/manifests/plugins/simple_crypto.pp b/manifests/plugins/simple_crypto.pp
index dcb32bcc..aac5da7c 100644
--- a/manifests/plugins/simple_crypto.pp
+++ b/manifests/plugins/simple_crypto.pp
@@ -8,12 +8,23 @@
 # (optional) base64 encoded 32-byte value
 # Defaults to $::os_service_default
 #
+# [*global_default*]
+# (optional) set plugin as global default
+# Defaults to false
+#
 class barbican::plugins::simple_crypto (
 $simple_crypto_plugin_kek = $::os_service_default,
+ $global_default = false,
 ) {
 
 include ::barbican::deps
 
+ barbican_config {
+ 'secretstore:simple_crypto/secret_store_plugin': value => 'store_crypto';
+ 'secretstore:simple_crypto/crypto_plugin': value => 'simple_crypto';
+ 'secretstore:simple_crypto/global_default': value => $global_default;
+ }
+
 barbican_config {
 'simple_crypto_plugin/kek': value => $simple_crypto_plugin_kek;
 }
diff --git a/releasenotes/notes/add-multiple-backend-config-158138b82dfd3dca.yaml b/releasenotes/notes/add-multiple-backend-config-158138b82dfd3dca.yaml
new file mode 100644
index 00000000..9a993cfa
--- /dev/null
+++ b/releasenotes/notes/add-multiple-backend-config-158138b82dfd3dca.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - Added parameters multiple_secret_stores_enabled and enabled_secret_stores
+ to configure secret store backends using the newer multiple backend
+ configuration scheme. This will allow us to specify more than one backend
+ in case we need to migrate to more secure backends.
+ - Added parameters in each backend to configure them correctly using
+ the newer multiple backend scheme, including global_default to specify if
+ the backend is supposed to be the default backend for new secrets.
diff --git a/spec/classes/barbican_api_spec.rb b/spec/classes/barbican_api_spec.rb
index 353e11a8..e5e283b4 100644
--- a/spec/classes/barbican_api_spec.rb
+++ b/spec/classes/barbican_api_spec.rb
@@ -67,6 +67,8 @@ describe 'barbican::api' do
 :retry_scheduler_periodic_interval_max_seconds => '',
 :service_name => platform_params[:service_name],
 :enable_proxy_headers_parsing => '',
+ :multiple_secret_stores_enabled => false,
+ :enabled_secret_stores => 'simple_crypto',
 }
 end
 
@@ -111,6 +113,8 @@ describe 'barbican::api' do
 :max_allowed_secret_in_bytes => 20000,
 :max_allowed_request_size_in_bytes => 2000000,
 :enable_proxy_headers_parsing => false,
+ :multiple_secret_stores_enabled => true,
+ :enabled_secret_stores => 'simple_crypto,dogtag,kmip',
 }
 ].each do |param_set|
 describe "when #{param_set == {} ? "using default" : "specifying"} class parameters" do
@@ -195,6 +199,13 @@ describe 'barbican::api' do
 is_expected.to contain_barbican_config('certificate_event/enabled_certificate_event_plugins') \
 .with_value(param_hash[:enabled_certificate_event_plugins])
 end
+
+ it 'configures plugins in multiple plugin config' do
+ is_expected.to contain_barbican_config('secretstore/stores_lookup_suffix') \
+ .with_value(param_hash[:enabled_secret_stores])
+ is_expected.to contain_barbican_config('secretstore/enable_multiple_secret_stores') \
+ .with_value(param_hash[:multiple_secret_stores_enabled])
+ end
 end
 end
 
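Review bot: The new `it 'configures plugins in multiple plugin config'` example only checks the two config keys; the `warning()` branch that api.pp gains in this change (multiple stores enabled while `enabled_secretstore_plugins` is non-default) has no example, and whether either existing `param_set` combines those two values cannot be seen from this hunk. Add a dedicated example that sets `:multiple_secret_stores_enabled => true` together with a non-default `:enabled_secretstore_plugins` and asserts that the warning is logged, so a later change to the guard cannot silently drop it. The enclosing `describe` block starts and ends outside the hunk.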
diff --git a/spec/classes/barbican_plugins_dogtag_spec.rb b/spec/classes/barbican_plugins_dogtag_spec.rb
index 6fc2440d..a12f9576 100644
--- a/spec/classes/barbican_plugins_dogtag_spec.rb
+++ b/spec/classes/barbican_plugins_dogtag_spec.rb
@@ -40,6 +40,7 @@ describe 'barbican::plugins::dogtag' do
 :dogtag_plugin_simple_cmc_profile => '',
 :dogtag_plugin_ca_expiration_time => '',
 :dogtag_plugin_plugin_working_dir => '',
+ :global_default => false,
 }
 end
 
@@ -55,6 +56,7 @@ describe 'barbican::plugins::dogtag' do
 :dogtag_plugin_simple_cmc_profile => 'caServerCert',
 :dogtag_plugin_ca_expiration_time => '100',
 :dogtag_plugin_plugin_working_dir => 'path_to_working_dir',
+ :global_default => true,
 }
 ].each do |param_set|
 
@@ -90,6 +92,12 @@ describe 'barbican::plugins::dogtag' do
 .with_value(param_hash[:dogtag_plugin_ca_expiration_time])
 is_expected.to contain_barbican_config('dogtag_plugin/plugin_working_dir')\
 .with_value(param_hash[:dogtag_plugin_plugin_working_dir])
+ is_expected.to contain_barbican_config(
+ 'secretstore:dogtag/secret_store_plugin') \
+ .with_value('dogtag_plugin')
+ is_expected.to contain_barbican_config(
+ 'secretstore:dogtag/global_default') \
+ .with_value(param_hash[:global_default])
 end
 end
 end
diff --git a/spec/classes/barbican_plugins_kmip_spec.rb b/spec/classes/barbican_plugins_kmip_spec.rb
index c29d791c..83f5adb4 100644
--- a/spec/classes/barbican_plugins_kmip_spec.rb
+++ b/spec/classes/barbican_plugins_kmip_spec.rb
@@ -30,6 +30,7 @@ describe 'barbican::plugins::kmip' do
 :kmip_plugin_password => 'kmip_password',
 :kmip_plugin_host => 'kmip_host',
 :kmip_plugin_port => 9000,
+ :global_default => true
 }
 end
 
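Review bot: `:global_default => true` added to the kmip spec's `params` hash has no trailing comma, unlike every other hash entry added in this change (`:global_default => true,` in the dogtag, p11_crypto and simple_crypto specs). It is valid Ruby as the last entry, but the next parameter appended to this hash will have to touch the line again; write it as `:global_default => true,` for consistency with the sibling specs.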
@@ -42,6 +43,12 @@ describe 'barbican::plugins::kmip' do
 .with_value(params[:kmip_plugin_username])
 is_expected.to contain_barbican_config('kmip_plugin/password')\
 .with_value(params[:kmip_plugin_password]).with_secret(true)
+ is_expected.to contain_barbican_config(
+ 'secretstore:kmip/secret_store_plugin') \
+ .with_value('kmip_plugin')
+ is_expected.to contain_barbican_config(
+ 'secretstore:kmip/global_default') \
+ .with_value(params[:global_default])
 end
 end
 
@@ -67,6 +74,12 @@ describe 'barbican::plugins::kmip' do
 .with_value(params[:kmip_plugin_host])
 is_expected.to contain_barbican_config('kmip_plugin/port')\
 .with_value(params[:kmip_plugin_port])
+ is_expected.to contain_barbican_config(
+ 'secretstore:kmip/secret_store_plugin') \
+ .with_value('kmip_plugin')
+ is_expected.to contain_barbican_config(
+ 'secretstore:kmip/global_default') \
+ .with_value('false')
 end
 end
 end
diff --git a/spec/classes/barbican_plugins_p11_crypto_spec.rb b/spec/classes/barbican_plugins_p11_crypto_spec.rb
index 9c73a0fb..c5bc4466 100644
--- a/spec/classes/barbican_plugins_p11_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_p11_crypto_spec.rb
@@ -31,6 +31,7 @@ describe 'barbican::plugins::p11_crypto' do
 :p11_crypto_plugin_hmac_label => 'hmac_label',
 :p11_crypto_plugin_slot_id => 1,
 :p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
+ :global_default => true,
 }
 end
 
@@ -47,6 +48,15 @@ describe 'barbican::plugins::p11_crypto' do
 .with_value(params[:p11_crypto_plugin_slot_id])
 is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
 .with_value(params[:p11_crypto_plugin_library_path])
+ is_expected.to contain_barbican_config(
+ 'secretstore:pkcs11/secret_store_plugin') \
+ .with_value('store_crypto')
+ is_expected.to contain_barbican_config(
+ 'secretstore:pkcs11/crypto_plugin') \
+ .with_value('p11_crypto')
+ is_expected.to contain_barbican_config(
+ 'secretstore:pkcs11/global_default') \
+ .with_value('true')
 end
 end
 end
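Review bot: The p11_crypto example asserts `secretstore:pkcs11/global_default` with the literal `.with_value('true')` although `params` in the same file already carries `:global_default => true`; the dogtag and kmip examples in this change compare against `param_hash[:global_default]` / `params[:global_default]`, and the simple_crypto spec that follows repeats the literal. Use `.with_value(params[:global_default])` here and in the simple_crypto spec so the expectation follows the input and the two cannot drift apart. The enclosing `describe` blocks start outside the hunks.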
diff --git a/spec/classes/barbican_plugins_simple_crypto_spec.rb b/spec/classes/barbican_plugins_simple_crypto_spec.rb
index 689ae646..51b36a2a 100644
--- a/spec/classes/barbican_plugins_simple_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_simple_crypto_spec.rb
@@ -25,13 +25,23 @@ describe 'barbican::plugins::simple_crypto' do
 describe 'with parameter passed into pk11 plugin' do
 let :params do
 {
- :simple_crypto_plugin_kek => 'XXXXXXXXXXXXX'
+ :simple_crypto_plugin_kek => 'XXXXXXXXXXXXX',
+ :global_default => true,
 }
 end
 
 it 'is_expected.to set simple_crypto parameters' do
 is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
 .with_value(params[:simple_crypto_plugin_kek])
+ is_expected.to contain_barbican_config(
+ 'secretstore:simple_crypto/secret_store_plugin') \
+ .with_value('store_crypto')
+ is_expected.to contain_barbican_config(
+ 'secretstore:simple_crypto/crypto_plugin') \
+ .with_value('simple_crypto')
+ is_expected.to contain_barbican_config(
+ 'secretstore:simple_crypto/global_default') \
+ .with_value('true')
 end
 end
 
@@ -43,6 +53,15 @@ describe 'barbican::plugins::simple_crypto' do
 it 'is_expected.to set default simple_crypto parameters' do
 is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
 .with_value('')
+ is_expected.to contain_barbican_config(
+ 'secretstore:simple_crypto/secret_store_plugin') \
+ .with_value('store_crypto')
+ is_expected.to contain_barbican_config(
+ 'secretstore:simple_crypto/crypto_plugin') \
+ .with_value('simple_crypto')
+ is_expected.to contain_barbican_config(
+ 'secretstore:simple_crypto/global_default') \
+ .with_value('false')
 end
 end
 end