From 7912e8d09a02fb882bfbeef62be948b9f4509da1 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 25 Apr 2022 15:41:23 +0900
Subject: [PATCH] simple_crypto: kek should be secret ... because the parameter takes encryption key.
Change-Id: I2d20cffb14295d560135ab1f1907da8b7ca3fc94
---
 manifests/plugins/simple_crypto.pp | 4 ++--
 spec/classes/barbican_plugins_simple_crypto_spec.rb | 10 ++++++----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/manifests/plugins/simple_crypto.pp b/manifests/plugins/simple_crypto.pp
index c822325f..c662b957 100644
--- a/manifests/plugins/simple_crypto.pp
+++ b/manifests/plugins/simple_crypto.pp
@@ -5,7 +5,7 @@
 # === Parameters
 #
 # [*simple_crypto_plugin_kek*]
-# (optional) base64 encoded 32-byte value
+# (optional) Key encryption key to be used by Simple Crypto Pluging.
 # Defaults to $::os_service_default
 #
 # [*global_default*]
@@ -26,6 +26,6 @@ class barbican::plugins::simple_crypto (
 }
 barbican_config {
- 'simple_crypto_plugin/kek': value => $simple_crypto_plugin_kek;
+ 'simple_crypto_plugin/kek': value => $simple_crypto_plugin_kek, secret => true;
 }
 }
diff --git a/spec/classes/barbican_plugins_simple_crypto_spec.rb b/spec/classes/barbican_plugins_simple_crypto_spec.rb
index 51b36a2a..5af714e8 100644
--- a/spec/classes/barbican_plugins_simple_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_simple_crypto_spec.rb
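Review bot: The rewritten doc line for `simple_crypto_plugin_kek` in the first hunk of `manifests/plugins/simple_crypto.pp` drops the only statement of the expected format (`base64 encoded 32-byte value`) and misspells "Plugin" as `Pluging`. An operator generating a KEK now has nothing in the manifest that says what shape the value must take. I would keep both facts: `# (optional) Key encryption key to be used by Simple Crypto Plugin.` followed by `# Must be a base64 encoded 32-byte value.`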
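Review bot: `secret => true` on `'simple_crypto_plugin/kek'` (second hunk of `manifests/plugins/simple_crypto.pp`) covers less than the commit title suggests: as far as the flag is documented, it only hides the value from Puppet's logs and change reports. The KEK still arrives as a plain string in `$simple_crypto_plugin_kek`, so it presumably stays readable in the compiled catalog and in whatever data source feeds the class. A comment above the resource would make the boundary explicit, e.g. `# secret => true only redacts the KEK in Puppet logs/reports; keep the source data encrypted.` Reports from runs before this change may already contain the key in clear text, which is worth mentioning in the release note. The class body begins outside this hunk, so the parameter declaration could not be checked here.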
@@ -25,14 +25,15 @@ describe 'barbican::plugins::simple_crypto' do
 describe 'with parameter passed into pk11 plugin' do
 let :params do
 {
- :simple_crypto_plugin_kek => 'XXXXXXXXXXXXX',
- :global_default => true,
+ :simple_crypto_plugin_kek => 'XXXXXXXXXXXXX',
+ :global_default => true,
 }
 end
 it 'is_expected.to set simple_crypto parameters' do
 is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
- .with_value(params[:simple_crypto_plugin_kek])
+ .with_value(params[:simple_crypto_plugin_kek]) \
+ .with_secret(true)
 is_expected.to contain_barbican_config(
 'secretstore:simple_crypto/secret_store_plugin') \
 .with_value('store_crypto')
@@ -52,7 +53,8 @@ describe 'barbican::plugins::simple_crypto' do
 it 'is_expected.to set default simple_crypto parameters' do
 is_expected.to contain_barbican_config('simple_crypto_plugin/kek') \
- .with_value('')
+ .with_value('') \
+ .with_secret(true)
 is_expected.to contain_barbican_config(
 'secretstore:simple_crypto/secret_store_plugin') \
 .with_value('store_crypto')