openstack/barbican
Code Issues Proposed changes

Generate SimpleCryptoPlugin KEK for devstack

Browse Source 
This patch removes the hard-coded key for `SimpleCryptoPlugin` and
instead generates a new one when devstack is run.

Change-Id: Ia12dc16c0afe4b7000c02e59031259dafe8c8c43
This commit is contained in:
Douglas Mendizabal 2025-02-13 11:35:43 -05:00 committed by Andre Aranha
parent 4500d9f485
commit 5250c5f368
3 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
barbican/plugin/crypto/simple_crypto.py
View File

@ -34,7 +34,6 @@ simple_crypto_plugin_group = cfg.OptGroup(name='simple_crypto_plugin',
simple_crypto_plugin_opts = [ simple_crypto_plugin_opts = [
cfg.MultiStrOpt( cfg.MultiStrOpt(
'kek', 'kek',
default=['dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg='],
secret=True, secret=True,
help=u._('Fernet Key-Encryption Key (KEK) to be used by SimpleCrypto ' help=u._('Fernet Key-Encryption Key (KEK) to be used by SimpleCrypto '
'Plugin to encrypt Project-specific KEKs.'), 'Plugin to encrypt Project-specific KEKs.'),

7
barbican/tests/utils.py
View File

@ -34,6 +34,7 @@ import barbican.context
from barbican.model import repositories from barbican.model import repositories
from barbican.plugin.crypto import manager as cm from barbican.plugin.crypto import manager as cm
from barbican.plugin.crypto import p11_crypto from barbican.plugin.crypto import p11_crypto
from barbican.plugin.crypto import simple_crypto
from barbican.plugin.interface import secret_store from barbican.plugin.interface import secret_store
from barbican.plugin import kmip_secret_store as kss from barbican.plugin import kmip_secret_store as kss
from barbican.tests import database_utils from barbican.tests import database_utils
@ -73,6 +74,11 @@ class BarbicanAPIBaseTestCase(oslotest.BaseTestCase):
context.policy_enforcer = policy_enforcer context.policy_enforcer = policy_enforcer
return context return context
def _setup_kek_conf(self):
kek = "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
conf = simple_crypto.CONF
conf.simple_crypto_plugin.kek = [kek]
def setUp(self): def setUp(self):
super().setUp() super().setUp()
self.useFixture(barbican_fixture.StandardLogging()) self.useFixture(barbican_fixture.StandardLogging())
@ -83,6 +89,7 @@ class BarbicanAPIBaseTestCase(oslotest.BaseTestCase):
# Generic project id to perform actions under # Generic project id to perform actions under
self.project_id = generate_test_valid_uuid() self.project_id = generate_test_valid_uuid()
self._setup_kek_conf()
# Build the test app # Build the test app
wsgi_app = app.build_wsgi_app( wsgi_app = app.build_wsgi_app(
controller=self.root_controller, controller=self.root_controller,

3
devstack/lib/barbican
View File

@ -169,6 +169,9 @@ function configure_barbican {
echo_summary "Barbican requires that the RabbitMQ service is enabled" echo_summary "Barbican requires that the RabbitMQ service is enabled"
fi fi
# SimpleCryptoPlugin settings
iniset $BARBICAN_CONF simple_crypto_plugin kek "$(python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode('UTF-8'))")"
write_uwsgi_config "$BARBICAN_UWSGI_CONF" "$BARBICAN_WSGI" "/key-manager" write_uwsgi_config "$BARBICAN_UWSGI_CONF" "$BARBICAN_WSGI" "/key-manager"
## Set up keystone ## Set up keystone