From 5250c5f368204083fd36bbed5273b61ebe9e6de4 Mon Sep 17 00:00:00 2001
From: Douglas Mendizabal
Date: Thu, 13 Feb 2025 11:35:43 -0500
Subject: [PATCH] Generate SimpleCryptoPlugin KEK for devstack

This patch removes the hard-coded key for `SimpleCryptoPlugin` and instead generates a new one when devstack is run.

Change-Id: Ia12dc16c0afe4b7000c02e59031259dafe8c8c43
---
 barbican/plugin/crypto/simple_crypto.py | 1 -
 barbican/tests/utils.py | 7 +++++++
 devstack/lib/barbican | 3 +++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/barbican/plugin/crypto/simple_crypto.py b/barbican/plugin/crypto/simple_crypto.py
index 964ef86e6..ffe1d8f95 100644
--- a/barbican/plugin/crypto/simple_crypto.py
+++ b/barbican/plugin/crypto/simple_crypto.py
@@ -34,7 +34,6 @@ simple_crypto_plugin_group = cfg.OptGroup(name='simple_crypto_plugin',
 simple_crypto_plugin_opts = [
 cfg.MultiStrOpt(
 'kek',
- default=['dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg='],
 secret=True,
 help=u._('Fernet Key-Encryption Key (KEK) to be used by SimpleCrypto '
 'Plugin to encrypt Project-specific KEKs.'),
diff --git a/barbican/tests/utils.py b/barbican/tests/utils.py
index 7b95de1d9..fa49ec81c 100644
--- a/barbican/tests/utils.py
+++ b/barbican/tests/utils.py
@@ -34,6 +34,7 @@ import barbican.context
 from barbican.model import repositories
 from barbican.plugin.crypto import manager as cm
 from barbican.plugin.crypto import p11_crypto
+from barbican.plugin.crypto import simple_crypto
 from barbican.plugin.interface import secret_store
 from barbican.plugin import kmip_secret_store as kss
 from barbican.tests import database_utils
@@ -73,6 +74,11 @@ class BarbicanAPIBaseTestCase(oslotest.BaseTestCase):
 context.policy_enforcer = policy_enforcer
 return context
+ def _setup_kek_conf(self):
+ kek = "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
+ conf = simple_crypto.CONF
+ conf.simple_crypto_plugin.kek = [kek]
+
 def setUp(self):
 super().setUp()
 self.useFixture(barbican_fixture.StandardLogging())
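Review bot: With `default=` gone from the `kek` option, a deployment that never set `[simple_crypto_plugin] kek` has been wrapping its project KEKs with the removed value, and after this change it presumably has no key configured unless the operator adds that value by hand. The diffstat shows no release note or upgrade text, so I would add one stating that existing installs must set the old value explicitly to keep reading stored secrets and should then move to a freshly generated key. The help string (unchanged context in this hunk) could also say so, e.g. by appending `'This option has no default and must be set; generate a value with Fernet.generate_key().'`. How the plugin behaves when `kek` is unset is outside the hunk and worth checking for a clear startup error.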
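Review bot: `_setup_kek_conf` assigns `conf.simple_crypto_plugin.kek = [kek]` directly on the global `simple_crypto.CONF`, which bypasses oslo.config's override mechanism: nothing restores the value at teardown, and the assignment may be lost if the config object is reloaded or its cache is cleared later in a test. I would use `conf.set_override('kek', [kek], group='simple_crypto_plugin')` followed by `self.addCleanup(conf.clear_override, 'kek', group='simple_crypto_plugin')`. A one-line comment such as `# Test-only Fernet key (the former built-in default); never use in a deployment` would also help, since this constant is public. The class body and `setUp` continue outside the hunk, and the `self._setup_kek_conf()` call added in the next hunk is covered by this note.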
@@ -83,6 +89,7 @@ class BarbicanAPIBaseTestCase(oslotest.BaseTestCase):
 # Generic project id to perform actions under
 self.project_id = generate_test_valid_uuid()
+ self._setup_kek_conf()
 # Build the test app
 wsgi_app = app.build_wsgi_app(
 controller=self.root_controller,
diff --git a/devstack/lib/barbican b/devstack/lib/barbican
index 3672f67c9..8096e0567 100644
--- a/devstack/lib/barbican
+++ b/devstack/lib/barbican
@@ -169,6 +169,9 @@ function configure_barbican {
 echo_summary "Barbican requires that the RabbitMQ service is enabled"
 fi
+ # SimpleCryptoPlugin settings
+ iniset $BARBICAN_CONF simple_crypto_plugin kek "$(python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode('UTF-8'))")"
+
 write_uwsgi_config "$BARBICAN_UWSGI_CONF" "$BARBICAN_WSGI" "/key-manager"
 ## Set up keystone
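Review bot: The exit status of the `python3 -c` command substitution on the added `iniset` line is never checked, so if `cryptography` cannot be imported by that interpreter the substitution is empty and `kek` is written as an empty string without any error. Generating into a variable first makes the failure visible, and under errexit stops the run: `local kek`, then `kek=$(python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode('UTF-8'))")`, then `iniset $BARBICAN_CONF simple_crypto_plugin kek "$kek"`. Keep `local` on its own line, because `local kek=$(...)` would hide the substitution's exit status. Also worth a comment that a new key is generated on every `configure_barbican` run, so secrets in a database kept from an earlier run will presumably no longer decrypt. The function body continues outside the hunk.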