theforeman · wbclark · Jun 30, 2021
diff --git a/lib/puppet/functions/pulpcore/generate_fernet_key.rb b/lib/puppet/functions/pulpcore/generate_fernet_key.rb
@@ -0,0 +1,12 @@
+require 'securerandom'
+
+Puppet::Functions.create_function(:'pulpcore::generate_fernet_key') do
+  # @return 32 byte url-safe base64-encoded (with padding) Fernet symmetric encryption key
+  dispatch :generate_fernet_key do
+    return_type 'Pattern[/\A([a-zA-Z]|\d|-|_){43}=\z/]'
+  end
+
+  def generate_fernet_key
+    SecureRandom.urlsafe_base64(32)+"="
+  end
+end
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -8,6 +8,16 @@
     mode   => '0755',
   }
 
+  file { $pulpcore::db_encrypted_fields_keyfile:
+    ensure    => file,
+    content   => $pulpcore::db_encrypted_fields_key,
+    owner     => 'root',
+    group     => $pulpcore::group,
+    mode      => '0640',
+    show_diff => false,
+    require   => File[$pulpcore::config_dir],
+  }
+
   concat { 'pulpcore settings':
     ensure         => present,
     path           => $pulpcore::settings_file,

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -109,6 +109,9 @@
 # @param django_secret_key
 #   SECRET_KEY for Django
 #
+# @param db_encrypted_fields_key
+#   String representing 32 byte secret key encoded in url-safe base64 alphabet, used to encrypt sensitive data in the DB.
+#
 # @param redis_db
 #   Redis DB number to use. By default, Redis supports a DB number of 0 through 15.
 #
@@ -190,6 +193,7 @@
   Optional[Stdlib::Absolutepath] $postgresql_db_ssl_key = undef,
   Optional[Stdlib::Absolutepath] $postgresql_db_ssl_root_ca = undef,
   String $django_secret_key = extlib::cache_data('pulpcore_cache_data', 'secret_key', extlib::random_password(50)),
+  Pattern[/\A([a-zA-Z]|\d|-|_){43}=\z/] $db_encrypted_fields_key = extlib::cache_data('pulpcore_cache_data', 'db_encrypted_fields_key', pulpcore::generate_fernet_key()),
   Integer[0] $redis_db = 8,
   Stdlib::Fqdn $servername = $facts['networking']['fqdn'],
   Array[Stdlib::Absolutepath] $allowed_import_path = ['/var/lib/pulp/sync_imports'],
@@ -206,6 +210,7 @@
   Hash[String[1], String[1]] $api_client_auth_cn_map = {},
 ) {
   $settings_file = "${config_dir}/settings.py"
+  $db_encrypted_fields_keyfile = "${config_dir}/db_encrypted_fields_key"
 
   contain pulpcore::install
   contain pulpcore::database

diff --git a/spec/acceptance/basic_spec.rb b/spec/acceptance/basic_spec.rb
@@ -73,6 +73,14 @@ class { 'pulpcore':
     its(:body) { is_expected.to contain('artifacts_list') }
     its(:exit_status) { is_expected.to eq 0 }
   end
+
+  describe file('/etc/pulp/db_encrypted_fields_key') do
+    it { is_expected.to be_file }
+    it { is_expected.to be_mode 640 }
+    it { is_expected.to be_owned_by 'root' }
+    it { is_expected.to be_grouped_into 'pulp' }
+    its(:content) { is_expected.to match /\A([a-zA-Z]|\d|-|_){43}=\z/ }
+  end
 end
 
 describe 'reducing worker count' do