diff --git a/lib/puppet/functions/generate_fernet_key.rb b/lib/puppet/functions/generate_fernet_key.rb new file mode 100644 index 00000000..6d6a4c20 --- /dev/null +++ b/lib/puppet/functions/generate_fernet_key.rb @@ -0,0 +1,12 @@ +require 'securerandom' + +Puppet::Functions.create_function(:'pulpcore::generate_fernet_key') do + # @return 32 byte url-safe base64-encoded (with padding) Fernet symmetric encryption key + dispatch :generate_fernet_key do + return_type 'Pattern[/\A([a-zA-Z]|\d|-|_){43}=\z/]' + end + + def generate_fernet_key + SecureRandom.urlsafe_base64(32)+"=" + end +end diff --git a/manifests/config.pp b/manifests/config.pp index 8cdaba84..e208ed5d 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -8,6 +8,16 @@ mode => '0755', } + file { $pulpcore::db_encrypted_fields_keyfile: + ensure => file, + content => $pulpcore::db_encrypted_fields_key, + owner => 'root', + group => $pulpcore::group, + mode => '0640', + show_diff => false, + require => File[$pulpcore::config_dir], + } + concat { 'pulpcore settings': ensure => present, path => $pulpcore::settings_file, diff --git a/manifests/init.pp b/manifests/init.pp index 6c624297..6a55a5ce 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -109,6 +109,9 @@ # @param django_secret_key # SECRET_KEY for Django # +# @param db_encrypted_fields_key +# String representing 32 byte secret key encoded in url-safe base64 alphabet, used to encrypt sensitive data in the DB. +# # @param redis_db # Redis DB number to use. By default, Redis supports a DB number of 0 through 15. # @@ -190,6 +193,7 @@ Optional[Stdlib::Absolutepath] $postgresql_db_ssl_key = undef, Optional[Stdlib::Absolutepath] $postgresql_db_ssl_root_ca = undef, String $django_secret_key = extlib::cache_data('pulpcore_cache_data', 'secret_key', extlib::random_password(50)), + Pattern[/\A([a-zA-Z]|\d|-|_){43}=\z/] $db_encrypted_fields_key = extlib::cache_data('pulpcore_cache_data', 'db_encrypted_fields_key', pulpcore::generate_fernet_key()), Integer[0] $redis_db = 8, Stdlib::Fqdn $servername = $facts['networking']['fqdn'], Array[Stdlib::Absolutepath] $allowed_import_path = ['/var/lib/pulp/sync_imports'], @@ -206,6 +210,7 @@ Hash[String[1], String[1]] $api_client_auth_cn_map = {}, ) { $settings_file = "${config_dir}/settings.py" + $db_encrypted_fields_keyfile = "${config_dir}/db_encrypted_fields_key" contain pulpcore::install contain pulpcore::database diff --git a/spec/acceptance/basic_spec.rb b/spec/acceptance/basic_spec.rb index 277df373..4d04d4f6 100644 --- a/spec/acceptance/basic_spec.rb +++ b/spec/acceptance/basic_spec.rb @@ -73,6 +73,14 @@ class { 'pulpcore': its(:body) { is_expected.to contain('artifacts_list') } its(:exit_status) { is_expected.to eq 0 } end + + describe file('/etc/pulp/db_encrypted_fields_key') do + it { is_expected.to be_file } + it { is_expected.to be_mode 640 } + it { is_expected.to be_owned_by 'root' } + it { is_expected.to be_grouped_into 'pulp' } + its(:content) { is_expected.to match /\A([a-zA-Z]|\d|-|_){43}=\z/ } + end end describe 'reducing worker count' do