Add p11_crypto_plugin token options

This patch adds support for two new options in the
p11_crypto_plugin section of the config file.

Depends-On: I115cf1a7006a6c85f37c5e50ded13134a3dfd1a3
Change-Id: I84b66d56a0914ea9e10eebb44c99ba2951ddba61
(cherry picked from commit 432a34e076)
Douglas Mendizábal 2020-10-15 14:09:06 -05:00 committed by Takashi Kajinami
parent da146d5387
commit e1acd2d994
3 changed files with 30 additions and 6 deletions


@ -28,10 +28,17 @@
# Required if p11_crypto_plugin is enabled. # Required if p11_crypto_plugin is enabled.
# Defaults to undef # Defaults to undef
# #
# [*p11_crypto_plugin_token_serial_number*]
# (optional) Serial number to identify PKCS#11 token
# Defaults to $::os_service_default
#
# [*p11_crypto_plugin_token_label*]
# (optional) Label to identify PKCS#11 token
# Defaults to $::os_service_default
#
# [*p11_crypto_plugin_slot_id*] # [*p11_crypto_plugin_slot_id*]
# (optional) HSM Slot id # (optional) HSM Slot id
# Required if p11_crypto_plugin is enabled. # Defaults to $::os_service_default
# Defaults to undef
# #
# [*p11_crypto_plugin_encryption_mechanism*] # [*p11_crypto_plugin_encryption_mechanism*]
# (optional) PKCS#11 Mechanism used for encryption # (optional) PKCS#11 Mechanism used for encryption
@ -63,7 +70,9 @@ class barbican::plugins::p11_crypto (
$p11_crypto_plugin_mkek_label = undef, $p11_crypto_plugin_mkek_label = undef,
$p11_crypto_plugin_mkek_length = undef, $p11_crypto_plugin_mkek_length = undef,
$p11_crypto_plugin_hmac_label = undef, $p11_crypto_plugin_hmac_label = undef,
$p11_crypto_plugin_slot_id = undef, $p11_crypto_plugin_token_serial_number = $::os_service_default,
$p11_crypto_plugin_token_label = $::os_service_default,
$p11_crypto_plugin_slot_id = $::os_service_default,
$p11_crypto_plugin_encryption_mechanism = $::os_service_default, $p11_crypto_plugin_encryption_mechanism = $::os_service_default,
$p11_crypto_plugin_hmac_key_type = $::os_service_default, $p11_crypto_plugin_hmac_key_type = $::os_service_default,
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default, $p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
@ -88,9 +97,6 @@ class barbican::plugins::p11_crypto (
if $p11_crypto_plugin_hmac_label == undef { if $p11_crypto_plugin_hmac_label == undef {
fail('p11_crypto_plugin_hmac_label must be defined') fail('p11_crypto_plugin_hmac_label must be defined')
} }
if $p11_crypto_plugin_slot_id == undef {
fail('p11_crypto_plugin_slot_id must be defined')
}
barbican_config { barbican_config {
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path; 'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
@ -98,6 +104,8 @@ class barbican::plugins::p11_crypto (
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label; 'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length; 'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label; 'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
'p11_crypto_plugin/token_serial_number': value => $p11_crypto_plugin_token_serial_number;
'p11_crypto_plugin/token_label': value => $p11_crypto_plugin_token_label;
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id; 'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism; 'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type; 'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
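Review bot: With the slot_id `fail()` guard removed in the third hunk and all three token selectors (token_serial_number, token_label, slot_id) now defaulting to `$::os_service_default`, nothing in the manifest checks that at least one of them is set, so a catalog that selects no PKCS#11 token at all compiles cleanly and the misconfiguration is presumably only seen when the Barbican service starts. Consider keeping a compile-time guard over the three together, e.g. `if is_service_default($p11_crypto_plugin_token_serial_number) and is_service_default($p11_crypto_plugin_token_label) and is_service_default($p11_crypto_plugin_slot_id) {` / `  fail('one of p11_crypto_plugin_token_serial_number, p11_crypto_plugin_token_label or p11_crypto_plugin_slot_id must be defined')` / `}` in place of the removed check. At minimum the parameter header should say so; for slot_id something like `# (optional) HSM Slot id. Ignored when token_serial_number or token_label is set; one of the three must be set.` would record the new relationship, hedged on how the plugin actually prioritises the selectors. The class body continues outside the hunks shown.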


@ -0,0 +1,10 @@
---
features:
- |
Added support for two new options for Barbican's PKCS#11 backend. The
new options are ``[p11_crypto]token_serial_number`` and
``[p11_crypto]token_label``.
- |
The ``barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id`` parameter
has become an optional parameter instead of a required one.


@ -29,6 +29,8 @@ describe 'barbican::plugins::p11_crypto' do
:p11_crypto_plugin_mkek_label => 'mkek_label', :p11_crypto_plugin_mkek_label => 'mkek_label',
:p11_crypto_plugin_mkek_length => 32, :p11_crypto_plugin_mkek_length => 32,
:p11_crypto_plugin_hmac_label => 'hmac_label', :p11_crypto_plugin_hmac_label => 'hmac_label',
:p11_crypto_plugin_token_serial_number => 'token_serial',
:p11_crypto_plugin_token_label => 'token_label',
:p11_crypto_plugin_slot_id => 1, :p11_crypto_plugin_slot_id => 1,
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so', :p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
:p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC', :p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC',
@ -48,6 +50,10 @@ describe 'barbican::plugins::p11_crypto' do
.with_value(params[:p11_crypto_plugin_mkek_length]) .with_value(params[:p11_crypto_plugin_mkek_length])
is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_label') \ is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_label') \
.with_value(params[:p11_crypto_plugin_hmac_label]) .with_value(params[:p11_crypto_plugin_hmac_label])
is_expected.to contain_barbican_config('p11_crypto_plugin/token_serial_number') \
.with_value(params[:p11_crypto_plugin_token_serial_number])
is_expected.to contain_barbican_config('p11_crypto_plugin/token_label') \
.with_value(params[:p11_crypto_plugin_token_label])
is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \ is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
.with_value(params[:p11_crypto_plugin_slot_id]) .with_value(params[:p11_crypto_plugin_slot_id])
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \ is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
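Review bot: The behaviour this commit actually changes, slot_id becoming optional, has no spec coverage: the params hash in the first hunk still sets `:p11_crypto_plugin_slot_id => 1`, so the removal of the `fail('p11_crypto_plugin_slot_id must be defined')` check is never exercised, and a later regression that reintroduces a hard requirement would pass this file. A small example group that drops the key, e.g. `let(:params) { super().reject { |k, _| k == :p11_crypto_plugin_slot_id } }` with `it { is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id').with_value('<SERVICE DEFAULT>') }`, would pin both the compile and the rendered default. The surrounding `let`/`context` structure of the describe block lies outside the hunks, so the exact placement is for the author to confirm.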