Added settings for cert and secret store plugins

Also added pk11 backend plugin settings

Change-Id: Iee47b68835449a29521f4e55e981a46f9d152498
Ade Lee
2016-03-22 13:12:01 -04:00
parent 74c76bdadb
commit 54453c1813
12 changed files with 241 additions and 76 deletions


@@ -1,10 +0,0 @@
Puppet::Type.type(:barbican_config).provide(
:ini_setting,
:parent => Puppet::Type.type(:openstack_config).provider(:ini_setting)
) do
def self.file_path
'/etc/barbican/barbican.conf'
end
end


@@ -0,0 +1,10 @@
Puppet::Type.type(:barbican_config).provide(
:openstackconfig,
:parent => Puppet::Type.type(:openstack_config).provider(:ruby)
) do
def file_path
'/etc/barbican/barbican.conf'
end
end


@@ -7,7 +7,7 @@ Puppet::Type.newtype(:barbican_config) do
newvalues(/\S+\/\S+/) newvalues(/\S+\/\S+/)
end end
newproperty(:value) do newproperty(:value, :array_matching => :all) do
desc 'The value of the setting to be defined.' desc 'The value of the setting to be defined.'
munge do |value| munge do |value|
value = value.to_s.strip value = value.to_s.strip
@@ -31,6 +31,18 @@ Puppet::Type.newtype(:barbican_config) do
return newvalue return newvalue
end end
end end
def insync?(is)
return true if @should.empty?
return false unless is.is_a? Array
return false unless is.length == @should.length
# we don't care about the order of items in array, hence
# it is necessary to override insync
return (
is & @should == is or
is & @should.map(&:to_s) == is
)
end
end end
newparam(:secret, :boolean => true) do newparam(:secret, :boolean => true) do
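Review bot: The new insync? override reports out of sync whenever the list holds a repeated value, because `is & @should` is a set intersection that drops duplicates while the length check just above keeps them, so an `is` of `['a', 'a']` never equals its own intersection and the resource is reapplied on every run. A multiset comparison avoids that; assuming the provider hands back strings, `is.sort == @should.map(&:to_s).sort` can replace both intersection tests (keep a plain `is.sort == @should.sort` alongside it if non-string should values are expected). The `or` inside `return (...)` only works because of the parentheses; `||` is the conventional form. The type spec deleted later in this commit leaves insync? without unit coverage. The newtype block starts before the hunk.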


@@ -121,6 +121,25 @@
# (optional) Seconds (float) to wait between starting retry scheduler # (optional) Seconds (float) to wait between starting retry scheduler
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*enabled_secretstore_plugins*]
# (optional) Enabled secretstore plugins. Multiple plugins
# are defined in a list eg. ['store_crypto', dogtag_crypto']
# Defaults to $::os_service_default
#
# [*enabled_crypto_plugins*]
# (optional) Enabled crypto_plugins. Multiple plugins
# are defined in a list eg. ['simple_crypto','p11_crypto']
# Defaults to $::os_service_default
#
# [*enabled_certificate_plugins*]
# (optional) Enabled certificate plugins as a list.
# e.g. ['snakeoil_ca', 'dogtag']
# Defaults to $::os_service_default
#
# [*enabled_certificate_event_plugins*]
# (optional) Enabled certificate event plugins as a list
# Defaults to $::os_service_default
#
# [*kombu_ssl_ca_certs*] # [*kombu_ssl_ca_certs*]
# (optional) SSL certification authority file (valid only if SSL enabled). # (optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to $::os_service_default # Defaults to $::os_service_default
@@ -185,6 +204,10 @@ class barbican::api (
$queue_server_name = $::os_service_default, $queue_server_name = $::os_service_default,
$retry_scheduler_initial_delay_seconds = $::os_service_default, $retry_scheduler_initial_delay_seconds = $::os_service_default,
$retry_scheduler_periodic_interval_max_seconds = $::os_service_default, $retry_scheduler_periodic_interval_max_seconds = $::os_service_default,
$enabled_secretstore_plugins = $::os_service_default,
$enabled_crypto_plugins = $::os_service_default,
$enabled_certificate_plugins = $::os_service_default,
$enabled_certificate_event_plugins = $::os_service_default,
$kombu_ssl_ca_certs = $::os_service_default, $kombu_ssl_ca_certs = $::os_service_default,
$kombu_ssl_certfile = $::os_service_default, $kombu_ssl_certfile = $::os_service_default,
$kombu_ssl_keyfile = $::os_service_default, $kombu_ssl_keyfile = $::os_service_default,
@@ -298,6 +321,14 @@ class barbican::api (
'DEFAULT/max_allowed_request_size_in_bytes': value => $max_allowed_request_size_in_bytes; 'DEFAULT/max_allowed_request_size_in_bytes': value => $max_allowed_request_size_in_bytes;
} }
# enabled plugins
barbican_config {
'secretstore/enabled_secretstore_plugins': value => $enabled_secretstore_plugins;
'crypto/enabled_crypto_plugins': value => $enabled_crypto_plugins;
'certificate/enabled_certificate_plugins': value => $enabled_certificate_plugins;
'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins;
}
if $manage_service { if $manage_service {
if $enabled { if $enabled {
$service_ensure = 'running' $service_ensure = 'running'
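Review bot: The example in the `enabled_secretstore_plugins` doc comment is missing the opening quote on its second element, `['store_crypto', dogtag_crypto']`, and should read `['store_crypto', 'dogtag_crypto']`. The `enabled_crypto_plugins` entry just repeats the parameter name ("Enabled crypto_plugins") where the neighbouring entries describe the value; `(optional) Enabled crypto plugins as a list` would match them. The class barbican::api starts before the first hunk and continues past the last one.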


@@ -0,0 +1,69 @@
# == Class: barbican::plugins::p11_crypto
#
# Sets up Barbican API p11_crypto secret_store plugin
#
# === Parameters
#
# [*p11_crypto_plugin_library_path*]
# (optional) Path to vendor PKCS11 library
# Defaults to $::os_service_default
#
# [*p11_crypto_plugin_login*]
# (optional) Password to login to PKCS11 session
# Required if p11_crypto_plugin is enabled.
# Defaults to undef
#
# [*p11_crypto_plugin_mkek_label*]
# (optional) Label to identify master KEK in the HSM
# Required if p11_crypto_plugin is enabled.
# Defaults to undef
#
# [*p11_crypto_plugin_mkek_length*]
# (optional) Length in bytes of master KEK
# Required if p11_crypto_plugin is enabled.
# Defaults to undef
#
# [*p11_crypto_plugin_hmac_label*]
# (optional) Label to identify master KEK in the HSM
# Required if p11_crypto_plugin is enabled.
# Defaults to undef
#
# [*p11_crypto_plugin_slot_id*]
# (optional) HSM Slot id
# Required if p11_crypto_plugin is enabled.
# Defaults to undef
#
class barbican::plugins::p11_crypto (
$p11_crypto_plugin_library_path = $::os_service_default,
$p11_crypto_plugin_login = undef,
$p11_crypto_plugin_mkek_label = undef,
$p11_crypto_plugin_mkek_length = undef,
$p11_crypto_plugin_hmac_label = undef,
$p11_crypto_plugin_slot_id = undef,
) {
if $p11_crypto_plugin_login == undef {
fail('p11_crypto_plugin_login must be defined')
}
if $p11_crypto_plugin_mkek_label == undef {
fail('p11_crypto_plugin_mkek_label must be defined')
}
if $p11_crypto_plugin_mkek_length == undef {
fail('p11_crypto_plugin_mkek_length must be defined')
}
if $p11_crypto_plugin_hmac_label == undef {
fail('p11_crypto_plugin_hmac_label must be defined')
}
if $p11_crypto_plugin_slot_id == undef {
fail('p11_crypto_plugin_slot_id must be defined')
}
barbican_config {
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
'p11_crypto_plugin/login': value => $p11_crypto_plugin_login;
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
}
}
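Review bot: `p11_crypto_plugin_login` is the PKCS#11 session password, and the barbican_config resource that writes it at `'p11_crypto_plugin/login'` does not use the type's `secret` parameter (`newparam(:secret, :boolean => true)` is visible in the type change of this commit), so the value will presumably appear in Puppet change logs and reports whenever it changes — confirm what `secret` does in the provider and set `'p11_crypto_plugin/login': value => $p11_crypto_plugin_login, secret => true;`. The same applies to `'simple_crypto_plugin/kek'` in barbican::plugins::simple_crypto, which is key material. The parameter docs also disagree with the body: login, mkek_label, mkek_length, hmac_label and slot_id are labelled "(optional)" yet the class fails when any of them is undef, so "(required)" is the accurate label. The `p11_crypto_plugin_hmac_label` description repeats the mkek_label text ("Label to identify master KEK in the HSM"); from the name it presumably identifies the HMAC key, and the comment should say so.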


@@ -0,0 +1,18 @@
# == Class: barbican::plugins::simple_crypto
#
# Sets up Barbican simple_crypto plugin
#
# === Parameters
#
# [*simple_crypto_plugin_kek*]
# (optional) base64 encoded 32-byte value
# Defaults to $::os_service_default
#
class barbican::plugins::simple_crypto (
$simple_crypto_plugin_kek = $::os_service_default,
) {
barbican_config {
'simple_crypto_plugin/kek': value => $simple_crypto_plugin_kek;
}
}
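Review bot: The KEK is the only input this class takes and it defaults to `$::os_service_default`, so the plugin is configured without a deployment-specific key unless the caller supplies one. If Barbican's shipped default for `simple_crypto_plugin/kek` is a fixed, publicly known value (confirm against the service's sample config), the doc comment should state that an explicit base64 32-byte key must be set outside test deployments, or the class should `fail()` on undef the way barbican::plugins::p11_crypto does for its required parameters.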


@@ -25,6 +25,7 @@ describe 'barbican::api class' do
} }
class { '::barbican::api': class { '::barbican::api':
enabled_certificate_plugins => ['simple_certificate','dogtag']
} }
} }
} }


@@ -41,6 +41,10 @@ describe 'barbican::api' do
:kombu_reconnect_delay => '<SERVICE DEFAULT>', :kombu_reconnect_delay => '<SERVICE DEFAULT>',
:manage_service => true, :manage_service => true,
:enabled => true, :enabled => true,
:enabled_secretstore_plugins => ['<SERVICE DEFAULT>'],
:enabled_crypto_plugins => ['<SERVICE DEFAULT>'],
:enabled_certificate_plugins => ['<SERVICE DEFAULT>'],
:enabled_certificate_event_plugins => ['<SERVICE DEFAULT>'],
:retry_scheduler_initial_delay_seconds => '<SERVICE DEFAULT>', :retry_scheduler_initial_delay_seconds => '<SERVICE DEFAULT>',
:retry_scheduler_periodic_interval_max_seconds => '<SERVICE DEFAULT>', :retry_scheduler_periodic_interval_max_seconds => '<SERVICE DEFAULT>',
} }
@@ -74,6 +78,10 @@ describe 'barbican::api' do
:kombu_ssl_keyfile => 'path_to_keyfile', :kombu_ssl_keyfile => 'path_to_keyfile',
:kombu_ssl_version => '1.2', :kombu_ssl_version => '1.2',
:kombu_reconnect_delay => '10', :kombu_reconnect_delay => '10',
:enabled_secretstore_plugins => ['dogtag_crypto', 'store_crypto', 'kmip'],
:enabled_crypto_plugins => ['simple_crypto'],
:enabled_certificate_plugins => ['simple_certificate', 'dogtag'],
:enabled_certificate_event_plugins => ['simple_certificate_event', 'foo_event'],
:retry_scheduler_initial_delay_seconds => 20.0, :retry_scheduler_initial_delay_seconds => 20.0,
:retry_scheduler_periodic_interval_max_seconds => 20.0, :retry_scheduler_periodic_interval_max_seconds => 20.0,
:max_allowed_secret_in_bytes => 20000, :max_allowed_secret_in_bytes => 20000,
@@ -112,7 +120,7 @@ describe 'barbican::api' do
'bind_host', 'bind_host',
'bind_port', 'bind_port',
'max_allowed_secret_in_bytes', 'max_allowed_secret_in_bytes',
'max_allowed_request_size_in_bytes' 'max_allowed_request_size_in_bytes',
].each do |config| ].each do |config|
is_expected.to contain_barbican_config("DEFAULT/#{config}").with_value(param_hash[config.intern]) is_expected.to contain_barbican_config("DEFAULT/#{config}").with_value(param_hash[config.intern])
end end
@@ -143,6 +151,17 @@ describe 'barbican::api' do
is_expected.to contain_barbican_config('oslo_messaging_rabbit/kombu_ssl_version').with_value(param_hash[:kombu_ssl_version]) is_expected.to contain_barbican_config('oslo_messaging_rabbit/kombu_ssl_version').with_value(param_hash[:kombu_ssl_version])
is_expected.to contain_barbican_config('oslo_messaging_rabbit/kombu_reconnect_delay').with_value(param_hash[:kombu_reconnect_delay]) is_expected.to contain_barbican_config('oslo_messaging_rabbit/kombu_reconnect_delay').with_value(param_hash[:kombu_reconnect_delay])
end end
it 'configures enabled plugins' do
is_expected.to contain_barbican_config('secretstore/enabled_secretstore_plugins') \
.with_value(param_hash[:enabled_secretstore_plugins])
is_expected.to contain_barbican_config('crypto/enabled_crypto_plugins') \
.with_value(param_hash[:enabled_crypto_plugins])
is_expected.to contain_barbican_config('certificate/enabled_certificate_plugins') \
.with_value(param_hash[:enabled_certificate_plugins])
is_expected.to contain_barbican_config('certificate_event/enabled_certificate_event_plugins') \
.with_value(param_hash[:enabled_certificate_event_plugins])
end
end end
end end


@@ -0,0 +1,41 @@
require 'spec_helper'
describe 'barbican::plugins::p11_crypto' do
let :facts do
@default_facts.merge(
{
:osfamily => 'RedHat',
:processorcount => '7',
}
)
end
describe 'with pk11 plugin' do
let :params do
{
:p11_crypto_plugin_login => 'p11_user',
:p11_crypto_plugin_mkek_label => 'mkek_label',
:p11_crypto_plugin_mkek_length => 32,
:p11_crypto_plugin_hmac_label => 'hmac_label',
:p11_crypto_plugin_slot_id => 1,
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
}
end
it 'is_expected.to set p11 parameters' do
is_expected.to contain_barbican_config('p11_crypto_plugin/login') \
.with_value(params[:p11_crypto_plugin_login])
is_expected.to contain_barbican_config('p11_crypto_plugin/mkek_label') \
.with_value(params[:p11_crypto_plugin_mkek_label])
is_expected.to contain_barbican_config('p11_crypto_plugin/mkek_length') \
.with_value(params[:p11_crypto_plugin_mkek_length])
is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_label') \
.with_value(params[:p11_crypto_plugin_hmac_label])
is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
.with_value(params[:p11_crypto_plugin_slot_id])
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
.with_value(params[:p11_crypto_plugin_library_path])
end
end
end
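Review bot: The spec only covers the happy path; the five `fail()` branches that barbican::plugins::p11_crypto raises when a required parameter is undef are untested, so a regression that drops one of those checks would pass CI. One context per missing parameter (or at least one for the login) that compiles the catalogue and expects the failure message closes that gap; the exact matcher form depends on the project's rspec-puppet version, `expect { catalogue }.to raise_error(...)` being the one shown below. The describe string 'with pk11 plugin' could also name the class, e.g. `describe 'with p11_crypto plugin' do`, to match the manifest.
```ruby
  # … unchanged: facts and 'with pk11 plugin' context …

  describe 'with p11_crypto_plugin_login missing' do
    let :params do
      {
        :p11_crypto_plugin_mkek_label  => 'mkek_label',
        :p11_crypto_plugin_mkek_length => 32,
        :p11_crypto_plugin_hmac_label  => 'hmac_label',
        :p11_crypto_plugin_slot_id     => 1,
      }
    end

    it 'fails to compile' do
      expect { catalogue }.to raise_error(Puppet::Error, /p11_crypto_plugin_login must be defined/)
    end
  end
```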


@@ -0,0 +1,37 @@
require 'spec_helper'
describe 'barbican::plugins::simple_crypto' do
let :facts do
@default_facts.merge(
{
:osfamily => 'RedHat',
:processorcount => '7',
}
)
end
describe 'with parameter passed into pk11 plugin' do
let :params do
{
:simple_crypto_plugin_kek => 'XXXXXXXXXXXXX'
}
end
it 'is_expected.to set simple_crypto parameters' do
is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
.with_value(params[:simple_crypto_plugin_kek])
end
end
describe 'with no parameter passed into pk11 plugin' do
let :params do
{}
end
it 'is_expected.to set default simple_crypto parameters' do
is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
.with_value('<SERVICE DEFAULT>')
end
end
end
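Review bot: Both describe strings in this spec refer to the "pk11 plugin" although the class under test is barbican::plugins::simple_crypto, which looks like a copy from the p11 spec; `describe 'with parameter passed into simple_crypto plugin' do` and `describe 'with no parameter passed into simple_crypto plugin' do` would describe what is actually tested. The placeholder KEK `'XXXXXXXXXXXXX'` is fine for a unit test, but a value of the documented shape (base64, 32 bytes) would also exercise the length expectation if validation is ever added to the manifest.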


@@ -26,7 +26,7 @@ $LOAD_PATH.push(
'lib') 'lib')
) )
require 'spec_helper' require 'spec_helper'
provider_class = Puppet::Type.type(:barbican_config).provider(:ini_setting) provider_class = Puppet::Type.type(:barbican_config).provider(:ruby)
describe provider_class do describe provider_class do
it 'should default to the default setting when no other one is specified' do it 'should default to the default setting when no other one is specified' do
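Review bot: The spec now asks barbican_config for a provider named `:ruby`, but the provider this commit adds for the type is registered as `:openstackconfig` (`:ruby` is the name of the parent openstack_config provider it inherits from). Unless barbican_config registers a `:ruby` provider somewhere not shown in this commit, the lookup will not return the new provider and `describe provider_class` will be exercising nil; `provider_class = Puppet::Type.type(:barbican_config).provider(:openstackconfig)` matches the provider file. The describe block continues past the hunk.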


@@ -1,63 +0,0 @@
require 'puppet'
require 'puppet/type/barbican_config'
describe 'Puppet::Type.type(:barbican_config)' do
before :each do
@barbican_config = Puppet::Type.type(:barbican_config).new(:name => 'DEFAULT/foo', :value => 'bar')
end
it 'should require a name' do
expect {
Puppet::Type.type(:barbican_config).new({})
}.to raise_error(Puppet::Error, 'Title or name must be provided')
end
it 'should not expect a name with whitespace' do
expect {
Puppet::Type.type(:barbican_config).new(:name => 'f oo')
}.to raise_error(Puppet::Error, /Parameter name failed/)
end
it 'should fail when there is no section' do
expect {
Puppet::Type.type(:barbican_config).new(:name => 'foo')
}.to raise_error(Puppet::Error, /Parameter name failed/)
end
it 'should not require a value when ensure is absent' do
Puppet::Type.type(:barbican_config).new(:name => 'DEFAULT/foo', :ensure => :absent)
end
it 'should accept a valid value' do
@barbican_config[:value] = 'bar'
expect(@barbican_config[:value]).to eq('bar')
end
it 'should not accept a value with whitespace' do
@barbican_config[:value] = 'b ar'
expect(@barbican_config[:value]).to eq('b ar')
end
it 'should accept valid ensure values' do
@barbican_config[:ensure] = :present
expect(@barbican_config[:ensure]).to eq(:present)
@barbican_config[:ensure] = :absent
expect(@barbican_config[:ensure]).to eq(:absent)
end
it 'should not accept invalid ensure values' do
expect {
@barbican_config[:ensure] = :latest
}.to raise_error(Puppet::Error, /Invalid value/)
end
it 'should autorequire the package that install the file' do
catalog = Puppet::Resource::Catalog.new
package = Puppet::Type.type(:package).new(:name => 'barbican')
catalog.add_resource package, @barbican_config
dependency = @barbican_config.autorequire
expect(dependency.size).to eq(1)
expect(dependency[0].target).to eq(@barbican_config)
expect(dependency[0].source).to eq(package)
end
end