From 35d3b77cb2eecf51e96134cbfe8aa1c042c8f16f Mon Sep 17 00:00:00 2001
From: Patrik Holmqvist
Date: Thu, 27 Feb 2025 15:55:37 +0100
Subject: [PATCH] Make HSM use configurable in proxy class, SC-2522

---
 .../etc/puppet/modules/eid/manifests/proxy.pp | 34 +++++++++++--------
 .../templates/proxy/docker-compose.yml.erb | 10 ++++--
 2 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp b/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp
index c8c28316..619ac70f 100644
--- a/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp
+++ b/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp
@@ -5,21 +5,25 @@
 # @param server_fqdn The FQDN of the server. (referenced in compose file)
 # @param proxy_directory The directory where all proxy related config and files are stored. (referenced in compose file)
 # @param spring_config_param Used as parameter name in compose file
-# @param contry Used while creating directories and referenced in compsose file
+# @param country Used while creating directories and referenced in compsose file
+# @param use_hsm Configure if HSM is used or not
 class eid::proxy (
-  String $version = '',
-  String $service_name = '',
-  String $server_fqdn = $facts['networking']['fqdn'],
-  String $proxy_directory = '/opt/eidas-proxy',
-  String $spring_config_param = 'SPRING_CONFIG_ADDITIONAL_LOCATION',
-  String $country = 'se',
+  String $version = '',
+  String $service_name = '',
+  String $server_fqdn = $facts['networking']['fqdn'],
+  String $proxy_directory = '/opt/eidas-proxy',
+  String $spring_config_param = 'SPRING_CONFIG_ADDITIONAL_LOCATION',
+  String $country = 'se',
+  Boolean $use_hsm=true,
 ) {
-  $pkcs11_pin = safe_hiera('pkcs11_pin')
+  if $use_hsm {
+    $pkcs11_pin = safe_hiera('pkcs11_pin')
+  }
   $eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','')
   $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw')
-  if $version and $service_name and $pkcs11_pin != 'NOT_SET_IN_HIERA' and $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA'{
+  if $version and $service_name and $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA'{
     sunet::nftables::allow { 'allow-http-from-any':
       from => any,
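Review bot: The rewritten `if` on the last `+` line drops the `$pkcs11_pin != 'NOT_SET_IN_HIERA'` guard entirely instead of making it depend on `$use_hsm`, so an HSM-enabled host whose hiera is missing `pkcs11_pin` is now fully configured and the compose file rendered later in the class receives the `NOT_SET_IN_HIERA` placeholder as the partition PIN, where the old code refused to configure anything. Keep the check for the HSM case: `if $version and $service_name and (!$use_hsm or $pkcs11_pin != 'NOT_SET_IN_HIERA') and $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA' {`. Assigning `$pkcs11_pin` only inside `if $use_hsm {` leaves it unset on non-HSM hosts, which any other reference in the class would trip over under `strict_variables`; `$pkcs11_pin = $use_hsm ? { true => safe_hiera('pkcs11_pin'), default => undef }` keeps it defined either way. Two smaller things: `Boolean $use_hsm=true,` breaks the ` = ` spacing of the parameters above it, and "compsose" in the new `@param country` line is a typo carried over from the removed line. The class body continues past the end of this hunk.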
@@ -66,11 +70,13 @@ class eid::proxy (
     }
   }
-  file { ['/etc/luna','/etc/luna/cert']:
-    ensure => directory,
-    mode   => '0755',
-    owner  => 'root',
-    group  => 'root',
+  if $use_hsm {
+    file { ['/etc/luna','/etc/luna/cert']:
+      ensure => directory,
+      mode   => '0755',
+      owner  => 'root',
+      group  => 'root',
+    }
   }
   sunet::nagios::nrpe_check_fileage {'proxy_eidas_metadata_cache_age':
diff --git a/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb
index 89e81068..68e9e071 100644
--- a/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb
@@ -8,18 +8,22 @@ services:
       - SPRING_PROFILES_ACTIVE=<%= @country %>
       - CERTNAME=<%= @server_fqdn %>_infra
       - <%= @spring_config_param %>=<%= @proxy_directory %>/<%= @country %>/cfg/
-      - PKCS11_PIN=<%= @pkcs11_pin %>
       - PROXY_SERVICE_COOKIEENCRYPTPW=<%= @proxy_service_cookie_encrypt_pw %>
+<% if @use_hsm -%>
+      - PKCS11_PIN=<%= @pkcs11_pin %>
+<% end -%>
     hostname: <%= @server_fqdn %>
     volumes:
       - '/var/log/eidas-proxy:/var/log/eidas-proxy'
       - '<%= @proxy_directory %>:<%= @proxy_directory %>'
-      - '/etc/luna/cert:/usr/safenet/lunaclient/cert'
-      - '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d'
       - '/dev/log:/dev/log'
       - '/etc/ssl:/etc/ssl'
+<% if @use_hsm -%>
+      - '/etc/luna/cert:/usr/safenet/lunaclient/cert'
+      - '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d'
+<% end -%>
     ports:
       - "443:8443"
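Review bot: Wrapping the `file { ['/etc/luna','/etc/luna/cert']: ... }` resource in `if $use_hsm {` means a host that is switched from HSM to non-HSM keeps its Luna client certificate directory on disk, unmanaged and still world-readable at `0755`, and any other resource in this class that declares `require => File['/etc/luna/cert']` would now fail to compile when `$use_hsm` is false (I only see this hunk, so treat that dependency as something to check). If the directories are meant to disappear with the HSM, declare the resource unconditionally with `ensure => $use_hsm ? { true => directory, default => absent },` and add `force => true,` so the non-empty cert directory is actually removed; if they are meant to stay, say so in the `@param use_hsm` documentation so operators know disabling the flag does not clean up `/etc/luna`. The enclosing class starts and ends outside this hunk.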
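Review bot: The two bind mounts moved inside the second `<% if @use_hsm -%>` block are still read-write, so a compromised proxy container could rewrite the Luna client configuration in `/etc/Chrystoki.conf.d` (including which HSM it talks to) and the client certificates under `/usr/safenet/lunaclient/cert`; mount them read-only, `- '/etc/luna/cert:/usr/safenet/lunaclient/cert:ro'` and `- '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d:ro'`, unless the Luna client is known to write to those paths at runtime. The relocated `- PKCS11_PIN=<%= @pkcs11_pin %>` line is unchanged in substance, but it is worth a comment in the template that the partition PIN is thereby exposed to anyone who can `docker inspect` the container or read its `/proc/*/environ`, and that a compose `secrets:` entry or a file mount would be the stronger option if the image supports it. Nothing in this template checks that `@pkcs11_pin` holds a real value, so it relies on the manifest refusing to render when the PIN is missing from hiera. The `services:` definition this hunk belongs to starts above the hunk.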