Add support for always_set_cka_sensitive parameter

Some time ago BarbicanPkcs11AlwaysSetCkaSensitive option was added to tripleo-heat-templates. change: If3fa975e8243dfe30ef67ec81db891943a94a9d5 At the same time, it looks like relevant change was not added to puppet-barbican project. This patch adds missing parameter to barbican::plugins::p11_crypto class. Backport note: This backport includes the subsequent commit[1] which added a unit test case for the new parameter. [1] d7e27eb854 Partial-bug: #1916386 Change-Id: Idf9dc70cd68d4e594119efcd2a3c3a0e56621c96 (cherry picked from commit 27b1cc2735) (cherry picked from commit b44996d6c2)
2021-03-21 14:12:27 +01:00 · 2021-03-21 14:12:27 +01:00 · e2efcba0b9
parent d9e6c9757c
commit e2efcba0b9
3 changed files with 45 additions and 29 deletions
--- a/manifests/plugins/p11_crypto.pp
+++ b/manifests/plugins/p11_crypto.pp
@ -70,6 +70,11 @@
 #   the PKCS#11 client library.
 #   Defaults to $::os_service_default
 #
+# [*p11_crypto_plugin_always_set_cka_sensitive*]
+#   (optional) Always set CKA_SENSITIVE when generating keys.
+#   In some HSMs extractable keys cannot be marked sensitive.
+#   Defaults to $::os_service_default
+#
 # [*global_default*]
 #   (optional) set plugin as global default
 #   Defaults to false
@ -89,6 +94,7 @@ class barbican::plugins::p11_crypto (
  $p11_crypto_plugin_hmac_keygen_mechanism    = $::os_service_default,
  $p11_crypto_plugin_aes_gcm_generate_iv      = $::os_service_default,
  $p11_crypto_plugin_os_locking_ok            = $::os_service_default,
+  $p11_crypto_plugin_always_set_cka_sensitive = $::os_service_default,
  $global_default                             = false,
 ) {

@ -125,6 +131,7 @@ class barbican::plugins::p11_crypto (
    'p11_crypto_plugin/hmac_keygen_mechanism':    value => $p11_crypto_plugin_hmac_keygen_mechanism;
    'p11_crypto_plugin/aes_gcm_generate_iv':      value => $p11_crypto_plugin_aes_gcm_generate_iv;
    'p11_crypto_plugin/os_locking_ok':            value => $p11_crypto_plugin_os_locking_ok;
+    'p11_crypto_plugin/always_set_cka_sensitive': value => $p11_crypto_plugin_always_set_cka_sensitive;
  }

  barbican_config {
--- a/releasenotes/notes/p11_crypto_plugin_always_set_cka_sensitive-1c9a9b9726c3cf93.yaml
+++ b/releasenotes/notes/p11_crypto_plugin_always_set_cka_sensitive-1c9a9b9726c3cf93.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Support for the ``[p11_crypto_plugin] always_set_cka_sensitive`` parameter
+    has been added.
+
--- a/spec/classes/barbican_plugins_p11_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_p11_crypto_spec.rb
@ -39,6 +39,7 @@ describe 'barbican::plugins::p11_crypto' do
          :p11_crypto_plugin_hmac_keygen_mechanism     => 'CKM_AES_KEY_GEN',
          :p11_crypto_plugin_aes_gcm_generate_iv       => false,
          :p11_crypto_plugin_os_locking_ok             => false,
+          :p11_crypto_plugin_always_set_cka_sensitive  => true,
          :global_default                              => true,
        }
      end
@ -72,6 +73,8 @@ describe 'barbican::plugins::p11_crypto' do
          .with_value(params[:p11_crypto_plugin_aes_gcm_generate_iv])
        is_expected.to contain_barbican_config('p11_crypto_plugin/os_locking_ok') \
          .with_value(params[:p11_crypto_plugin_os_locking_ok])
+        is_expected.to contain_barbican_config('p11_crypto_plugin/always_set_cka_sensitive') \
+          .with_value(params[:p11_crypto_plugin_always_set_cka_sensitive])
        is_expected.to contain_barbican_config(
          'secretstore:pkcs11/secret_store_plugin') \
          .with_value('store_crypto')