Added settings for cert and secret store plugins

Also added pk11 backend plugin settings Change-Id: Iee47b68835449a29521f4e55e981a46f9d152498
2016-03-22 13:12:01 -04:00 · 2016-03-22 13:12:01 -04:00 · 54453c1813
commit 54453c1813
parent 74c76bdadb
12 changed files with 241 additions and 76 deletions
--- a/lib/puppet/provider/barbican_config/ini_setting.rb
+++ b/lib/puppet/provider/barbican_config/ini_setting.rb
@ -1,10 +0,0 @@
-Puppet::Type.type(:barbican_config).provide(
-  :ini_setting,
-  :parent => Puppet::Type.type(:openstack_config).provider(:ini_setting)
-) do
-
-  def self.file_path
-    '/etc/barbican/barbican.conf'
-  end
-
-end
--- a/lib/puppet/provider/barbican_config/openstackconfig.rb
+++ b/lib/puppet/provider/barbican_config/openstackconfig.rb
@ -0,0 +1,10 @@
+Puppet::Type.type(:barbican_config).provide(
+  :openstackconfig,
+  :parent => Puppet::Type.type(:openstack_config).provider(:ruby)
+) do
+
+  def file_path
+    '/etc/barbican/barbican.conf'
+  end
+
+end
--- a/lib/puppet/type/barbican_config.rb
+++ b/lib/puppet/type/barbican_config.rb
@ -7,7 +7,7 @@ Puppet::Type.newtype(:barbican_config) do
    newvalues(/\S+\/\S+/)
  end

-  newproperty(:value) do
+  newproperty(:value, :array_matching => :all) do
    desc 'The value of the setting to be defined.'
    munge do |value|
      value = value.to_s.strip
@ -31,6 +31,18 @@ Puppet::Type.newtype(:barbican_config) do
        return newvalue
      end
    end
+
+    def insync?(is)
+      return true if @should.empty?
+      return false unless is.is_a? Array
+      return false unless is.length == @should.length
+      # we don't care about the order of items in array, hence
+      # it is necessary to override insync
+      return (
+        is & @should == is or
+        is & @should.map(&:to_s) == is
+      )
+    end
  end

  newparam(:secret, :boolean => true) do
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -121,6 +121,25 @@
 #   (optional) Seconds (float) to wait between starting retry scheduler
 #   Defaults to $::os_service_default
 #
+# [*enabled_secretstore_plugins*]
+#   (optional) Enabled secretstore plugins. Multiple plugins
+#   are defined in a list eg. ['store_crypto', dogtag_crypto']
+#   Defaults to $::os_service_default
+#
+# [*enabled_crypto_plugins*]
+#   (optional) Enabled crypto_plugins.  Multiple plugins
+#   are defined in a list eg. ['simple_crypto','p11_crypto']
+#   Defaults to $::os_service_default
+#
+# [*enabled_certificate_plugins*]
+#   (optional) Enabled certificate plugins as a list.
+#   e.g. ['snakeoil_ca', 'dogtag']
+#   Defaults to $::os_service_default
+#
+# [*enabled_certificate_event_plugins*]
+#   (optional) Enabled certificate event plugins as a list
+#   Defaults to $::os_service_default
+#
 # [*kombu_ssl_ca_certs*]
 #   (optional) SSL certification authority file (valid only if SSL enabled).
 #   Defaults to $::os_service_default
@ -185,6 +204,10 @@ class barbican::api (
  $queue_server_name                             = $::os_service_default,
  $retry_scheduler_initial_delay_seconds         = $::os_service_default,
  $retry_scheduler_periodic_interval_max_seconds = $::os_service_default,
+  $enabled_secretstore_plugins                   = $::os_service_default,
+  $enabled_crypto_plugins                        = $::os_service_default,
+  $enabled_certificate_plugins                   = $::os_service_default,
+  $enabled_certificate_event_plugins             = $::os_service_default,
  $kombu_ssl_ca_certs                            = $::os_service_default,
  $kombu_ssl_certfile                            = $::os_service_default,
  $kombu_ssl_keyfile                             = $::os_service_default,
@ -298,6 +321,14 @@ class barbican::api (
    'DEFAULT/max_allowed_request_size_in_bytes':     value => $max_allowed_request_size_in_bytes;
  }

+  # enabled plugins
+  barbican_config {
+    'secretstore/enabled_secretstore_plugins':             value => $enabled_secretstore_plugins;
+    'crypto/enabled_crypto_plugins':                       value => $enabled_crypto_plugins;
+    'certificate/enabled_certificate_plugins':             value => $enabled_certificate_plugins;
+    'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins;
+  }
+
  if $manage_service {
    if $enabled {
      $service_ensure = 'running'
--- a/manifests/plugins/p11_crypto.pp
+++ b/manifests/plugins/p11_crypto.pp
@ -0,0 +1,69 @@
+# == Class: barbican::plugins::p11_crypto
+#
+# Sets up Barbican API p11_crypto secret_store plugin
+#
+# === Parameters
+#
+# [*p11_crypto_plugin_library_path*]
+#   (optional) Path to vendor PKCS11 library
+#   Defaults to $::os_service_default
+#
+# [*p11_crypto_plugin_login*]
+#   (optional) Password to login to PKCS11 session
+#   Required if p11_crypto_plugin is enabled.
+#   Defaults to undef
+#
+# [*p11_crypto_plugin_mkek_label*]
+#   (optional) Label to identify master KEK in the HSM
+#   Required if p11_crypto_plugin is enabled.
+#   Defaults to undef
+#
+# [*p11_crypto_plugin_mkek_length*]
+#   (optional) Length in bytes of master KEK
+#   Required if p11_crypto_plugin is enabled.
+#   Defaults to undef
+#
+# [*p11_crypto_plugin_hmac_label*]
+#   (optional) Label to identify master KEK in the HSM
+#   Required if p11_crypto_plugin is enabled.
+#   Defaults to undef
+#
+# [*p11_crypto_plugin_slot_id*]
+#   (optional) HSM Slot id
+#   Required if p11_crypto_plugin is enabled.
+#   Defaults to undef
+#
+class barbican::plugins::p11_crypto (
+  $p11_crypto_plugin_library_path = $::os_service_default,
+  $p11_crypto_plugin_login        = undef,
+  $p11_crypto_plugin_mkek_label   = undef,
+  $p11_crypto_plugin_mkek_length  = undef,
+  $p11_crypto_plugin_hmac_label   = undef,
+  $p11_crypto_plugin_slot_id      = undef,
+) {
+
+  if $p11_crypto_plugin_login == undef {
+      fail('p11_crypto_plugin_login must be defined')
+  }
+  if $p11_crypto_plugin_mkek_label == undef {
+      fail('p11_crypto_plugin_mkek_label must be defined')
+  }
+  if $p11_crypto_plugin_mkek_length == undef {
+      fail('p11_crypto_plugin_mkek_length must be defined')
+  }
+  if $p11_crypto_plugin_hmac_label == undef {
+      fail('p11_crypto_plugin_hmac_label must be defined')
+  }
+  if $p11_crypto_plugin_slot_id == undef {
+      fail('p11_crypto_plugin_slot_id must be defined')
+  }
+
+  barbican_config {
+    'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
+    'p11_crypto_plugin/login':        value => $p11_crypto_plugin_login;
+    'p11_crypto_plugin/mkek_label':   value => $p11_crypto_plugin_mkek_label;
+    'p11_crypto_plugin/mkek_length':  value => $p11_crypto_plugin_mkek_length;
+    'p11_crypto_plugin/hmac_label':   value => $p11_crypto_plugin_hmac_label;
+    'p11_crypto_plugin/slot_id':      value => $p11_crypto_plugin_slot_id;
+  }
+}
--- a/manifests/plugins/simple_crypto.pp
+++ b/manifests/plugins/simple_crypto.pp
@ -0,0 +1,18 @@
+# == Class: barbican::plugins::simple_crypto
+#
+# Sets up Barbican simple_crypto plugin
+#
+# === Parameters
+#
+# [*simple_crypto_plugin_kek*]
+#   (optional) base64 encoded 32-byte value
+#   Defaults to $::os_service_default
+#
+class barbican::plugins::simple_crypto (
+  $simple_crypto_plugin_kek = $::os_service_default,
+) {
+
+  barbican_config {
+    'simple_crypto_plugin/kek':  value => $simple_crypto_plugin_kek;
+  }
+}
--- a/spec/acceptance/basic_barbican_spec.rb
+++ b/spec/acceptance/basic_barbican_spec.rb
@ -25,6 +25,7 @@ describe 'barbican::api class' do
          }

          class { '::barbican::api':
+            enabled_certificate_plugins => ['simple_certificate','dogtag']
          }
        }
      }
--- a/spec/classes/barbican_api_spec.rb
+++ b/spec/classes/barbican_api_spec.rb
@ -41,6 +41,10 @@ describe 'barbican::api' do
      :kombu_reconnect_delay                         => '<SERVICE DEFAULT>',
      :manage_service                                => true,
      :enabled                                       => true,
+      :enabled_secretstore_plugins                   => ['<SERVICE DEFAULT>'],
+      :enabled_crypto_plugins                        => ['<SERVICE DEFAULT>'],
+      :enabled_certificate_plugins                   => ['<SERVICE DEFAULT>'],
+      :enabled_certificate_event_plugins             => ['<SERVICE DEFAULT>'],
      :retry_scheduler_initial_delay_seconds         => '<SERVICE DEFAULT>',
      :retry_scheduler_periodic_interval_max_seconds => '<SERVICE DEFAULT>',
    }
@ -74,6 +78,10 @@ describe 'barbican::api' do
      :kombu_ssl_keyfile                             => 'path_to_keyfile',
      :kombu_ssl_version                             => '1.2',
      :kombu_reconnect_delay                         => '10',
+      :enabled_secretstore_plugins                   => ['dogtag_crypto', 'store_crypto', 'kmip'],
+      :enabled_crypto_plugins                        => ['simple_crypto'],
+      :enabled_certificate_plugins                   => ['simple_certificate', 'dogtag'],
+      :enabled_certificate_event_plugins             => ['simple_certificate_event', 'foo_event'],
      :retry_scheduler_initial_delay_seconds         => 20.0,
      :retry_scheduler_periodic_interval_max_seconds => 20.0,
      :max_allowed_secret_in_bytes                   => 20000,
@ -112,7 +120,7 @@ describe 'barbican::api' do
          'bind_host',
          'bind_port',
          'max_allowed_secret_in_bytes',
-          'max_allowed_request_size_in_bytes'
+          'max_allowed_request_size_in_bytes',
        ].each do |config|
          is_expected.to contain_barbican_config("DEFAULT/#{config}").with_value(param_hash[config.intern])
        end
@ -143,6 +151,17 @@ describe 'barbican::api' do
        is_expected.to contain_barbican_config('oslo_messaging_rabbit/kombu_ssl_version').with_value(param_hash[:kombu_ssl_version])
        is_expected.to contain_barbican_config('oslo_messaging_rabbit/kombu_reconnect_delay').with_value(param_hash[:kombu_reconnect_delay])
      end
+
+      it 'configures enabled plugins' do
+        is_expected.to contain_barbican_config('secretstore/enabled_secretstore_plugins') \
+          .with_value(param_hash[:enabled_secretstore_plugins])
+        is_expected.to contain_barbican_config('crypto/enabled_crypto_plugins') \
+          .with_value(param_hash[:enabled_crypto_plugins])
+        is_expected.to contain_barbican_config('certificate/enabled_certificate_plugins') \
+          .with_value(param_hash[:enabled_certificate_plugins])
+        is_expected.to contain_barbican_config('certificate_event/enabled_certificate_event_plugins') \
+          .with_value(param_hash[:enabled_certificate_event_plugins])
+      end
    end
  end

--- a/spec/classes/barbican_plugins_p11_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_p11_crypto_spec.rb
@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe 'barbican::plugins::p11_crypto' do
+
+  let :facts do
+    @default_facts.merge(
+      {
+        :osfamily       => 'RedHat',
+        :processorcount => '7',
+      }
+    )
+  end
+
+  describe 'with pk11 plugin' do
+    let :params do
+      {
+        :p11_crypto_plugin_login        => 'p11_user',
+        :p11_crypto_plugin_mkek_label   => 'mkek_label',
+        :p11_crypto_plugin_mkek_length  => 32,
+        :p11_crypto_plugin_hmac_label   => 'hmac_label',
+        :p11_crypto_plugin_slot_id      => 1,
+        :p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
+      }
+    end
+
+    it 'is_expected.to set p11 parameters' do
+      is_expected.to contain_barbican_config('p11_crypto_plugin/login') \
+        .with_value(params[:p11_crypto_plugin_login])
+      is_expected.to contain_barbican_config('p11_crypto_plugin/mkek_label') \
+        .with_value(params[:p11_crypto_plugin_mkek_label])
+      is_expected.to contain_barbican_config('p11_crypto_plugin/mkek_length') \
+        .with_value(params[:p11_crypto_plugin_mkek_length])
+      is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_label') \
+        .with_value(params[:p11_crypto_plugin_hmac_label])
+      is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
+        .with_value(params[:p11_crypto_plugin_slot_id])
+      is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
+        .with_value(params[:p11_crypto_plugin_library_path])
+    end
+  end
+end
--- a/spec/classes/barbican_plugins_simple_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_simple_crypto_spec.rb
@ -0,0 +1,37 @@
+require 'spec_helper'
+
+describe 'barbican::plugins::simple_crypto' do
+
+  let :facts do
+    @default_facts.merge(
+      {
+        :osfamily       => 'RedHat',
+        :processorcount => '7',
+      }
+    )
+  end
+
+  describe 'with parameter passed into pk11 plugin' do
+    let :params do
+      {
+        :simple_crypto_plugin_kek       => 'XXXXXXXXXXXXX'
+      }
+    end
+
+    it 'is_expected.to set simple_crypto parameters' do
+      is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
+        .with_value(params[:simple_crypto_plugin_kek])
+    end
+  end
+
+  describe 'with no parameter passed into pk11 plugin' do
+    let :params do
+      {}
+    end
+
+    it 'is_expected.to set default simple_crypto parameters' do
+      is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
+        .with_value('<SERVICE DEFAULT>')
+    end
+  end
+end
--- a/spec/unit/provider/barbican_config/ini_setting_spec.rb
+++ b/spec/unit/provider/barbican_config/ini_setting_spec.rb
@ -26,7 +26,7 @@ $LOAD_PATH.push(
    'lib')
 )
 require 'spec_helper'
-provider_class = Puppet::Type.type(:barbican_config).provider(:ini_setting)
+provider_class = Puppet::Type.type(:barbican_config).provider(:ruby)
 describe provider_class do

  it 'should default to the default setting when no other one is specified' do
--- a/spec/unit/type/barbican_config_spec.rb
+++ b/spec/unit/type/barbican_config_spec.rb
@ -1,63 +0,0 @@
-require 'puppet'
-require 'puppet/type/barbican_config'
-describe 'Puppet::Type.type(:barbican_config)' do
-  before :each do
-    @barbican_config = Puppet::Type.type(:barbican_config).new(:name => 'DEFAULT/foo', :value => 'bar')
-  end
-
-  it 'should require a name' do
-    expect {
-      Puppet::Type.type(:barbican_config).new({})
-    }.to raise_error(Puppet::Error, 'Title or name must be provided')
-  end
-
-  it 'should not expect a name with whitespace' do
-    expect {
-      Puppet::Type.type(:barbican_config).new(:name => 'f oo')
-    }.to raise_error(Puppet::Error, /Parameter name failed/)
-  end
-
-  it 'should fail when there is no section' do
-    expect {
-      Puppet::Type.type(:barbican_config).new(:name => 'foo')
-    }.to raise_error(Puppet::Error, /Parameter name failed/)
-  end
-
-  it 'should not require a value when ensure is absent' do
-    Puppet::Type.type(:barbican_config).new(:name => 'DEFAULT/foo', :ensure => :absent)
-  end
-
-  it 'should accept a valid value' do
-    @barbican_config[:value] = 'bar'
-    expect(@barbican_config[:value]).to eq('bar')
-  end
-
-  it 'should not accept a value with whitespace' do
-    @barbican_config[:value] = 'b ar'
-    expect(@barbican_config[:value]).to eq('b ar')
-  end
-
-  it 'should accept valid ensure values' do
-    @barbican_config[:ensure] = :present
-    expect(@barbican_config[:ensure]).to eq(:present)
-    @barbican_config[:ensure] = :absent
-    expect(@barbican_config[:ensure]).to eq(:absent)
-  end
-
-  it 'should not accept invalid ensure values' do
-    expect {
-      @barbican_config[:ensure] = :latest
-    }.to raise_error(Puppet::Error, /Invalid value/)
-  end
-
-  it 'should autorequire the package that install the file' do
-    catalog = Puppet::Resource::Catalog.new
-    package = Puppet::Type.type(:package).new(:name => 'barbican')
-    catalog.add_resource package, @barbican_config
-    dependency = @barbican_config.autorequire
-    expect(dependency.size).to eq(1)
-    expect(dependency[0].target).to eq(@barbican_config)
-    expect(dependency[0].source).to eq(package)
-  end
-
-end