From 2e4359069e8a50f83fe0dca1103d935212dd2703 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 21 Jun 2017 11:53:14 +0100
Subject: [PATCH] Barbican simple_crypto plugin broken - invalid key

When using the simple_crypto plugin, barbican expects the
[simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
value. However, kolla-ansible is providing a standard autogenerated
password.

There are two relevant variables in kolla-ansible -
barbican_crypto_password (a standard password) and barbican_crypto_key
(a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
when it is generated. barbican_crypto_password is used to set the
[simple_crypto_plugin] kek config value but causes an error when the
simple_crypto plugin is used as the value is not in the expected format.
Using barbican_crypto_key instead resolves the error. Clearly there is a
naming issue here and we should be using barbican_crypto_key instead of
barbican_crypto_password.

This change removes the barbican_crypto_password variable and uses
barbican_crypto_key instead.

Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
Closes-Bug: #1699014
Related-Bug: #1683216
Co-Authored-By: Stig Telfer <stig@stackhpc.com>
---
 .../roles/barbican/templates/barbican.conf.j2 |  2 +-
 etc/kolla/passwords.yml                       |  1 -
 ...an-simple-crypto-key-f3cd3b8b210ab237.yaml | 21 +++++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml

diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2
index b0211174d3..343cb6b4db 100644
--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -40,7 +40,7 @@ hmac_label = 'kolla_hmac'
 {% if barbican_crypto_plugin == 'simple_crypto' %}
 [simple_crypto_plugin]
 # the kek should be a 32-byte value which is base64 encoded
-kek = '{{ barbican_crypto_password }}'
+kek = '{{ barbican_crypto_key }}'
 {% endif %}
 
 
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index c5c45a383c..50b99c5351 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -31,7 +31,6 @@ barbican_database_password:
 barbican_keystone_password:
 barbican_p11_password:
 barbican_crypto_key:
-barbican_crypto_password:
 
 keystone_admin_password:
 keystone_database_password:
diff --git a/releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml b/releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml
new file mode 100644
index 0000000000..212571fde3
--- /dev/null
+++ b/releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml
@@ -0,0 +1,21 @@
+---
+upgrade:
+  - |
+    Fixes an issue with the barbican service when using the ``simple_crypto``
+    plugin whereby an invalid value is generated and used as the plugin's
+    encryption key.
+
+    The encryption key is configured via the ``[simple_crypto_plugin]: kek``
+    configuration option in ``barbican.conf``.  This option was previously
+    configured using the kolla-ansible variable ``barbican_crypto_password``,
+    but is now configured using ``barbican_crypto_key`` which uses the correct
+    format.
+
+    Operators that have set ``barbican_crypto_password`` to a valid value
+    to work around this issue should ensure that ``barbican_crypto_key``
+    is configured in ``passwords.yml`` with the same value that was used for
+    ``barbican_crypto_password``. This will ensure that existing barbican
+    secrets can be decrypted.
+
+    The variable ``barbican_crypto_password`` may safely be removed from
+    ``passwords.yml``.