pki-setup should be run regardless of token provider

The puppet-keystone module currently will only execute 'keystone-manage pki_setup' to create the signing key if the PKI token provider is being used. The signing key/cert is still used for signing the token revocation list, even when the UUID token provider is being used. We should be running 'keystone-manage pki_setup' if enable_pki_setup=true, regardless of token provider. Change-Id: I2817fbde74cbd50cae31f681503816e576cc7b60 Closes-bug: #1373064
xbezdick · Sep 23, 2014 · fdbe8f9 · fdbe8f9
1 parent 611d964
commit fdbe8f9
Show file tree

Hide file tree

Showing 2 changed files with 126 additions and 37 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -54,22 +54,22 @@
 #   [*idle_timeout*]
 #     (optional) Deprecated. Use database_idle_timeout instead.
 #
-#   [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens,
-#     if it doesn't already exist. This generates a cert and key stored in file locations
-#     based on the signing_certfile and signing_keyfile paramters below. If you are providing
-#     your own signing cert, make this false.
-#   [signing_certfile] Location of the cert file for signing pki tokens. Optional. Note that if
-#     this file already exists (i.e. you are providing your own signing cert), the file will
-#     not be overwritten, even if enable_pki_setup is set to true.
+#   [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
+#     revocation lists if it doesn't already exist. This generates a cert and key stored in file
+#     locations based on the signing_certfile and signing_keyfile paramters below. If you are
+#     providing your own signing cert, make this false.
+#   [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
+#     Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
+#     the file will not be overwritten, even if enable_pki_setup is set to true.
 #     Default: /etc/keystone/ssl/certs/signing_cert.pem
-#   [signing_keyfile] Location of the key file for signing pki tokens. Optional. Note that if
-#     this file already exists (i.e. you are providing your own signing cert), the file will not
-#     be overwritten, even if enable_pki_setup is set to true.
+#   [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
+#     Note that if this file already exists (i.e. you are providing your own signing cert), the file
+#     will not be overwritten, even if enable_pki_setup is set to true.
 #     Default: /etc/keystone/ssl/private/signing_key.pem
 #   [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
-#     signing pki tokens. Optional. Default: /etc/keystone/ssl/certs/ca.pem
+#     signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
 #   [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
-#     pki tokens. Optional. Default: /etc/keystone/ssl/private/cakey.pem
+#     pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
 #
 #   [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
 #   [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
@@ -483,31 +483,36 @@
   # remove the old format in case of an upgrade
   keystone_config { 'signing/token_format': ensure => absent }
 
-  if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
-    file { $cache_dir:
-      ensure => directory,
-    }
-
-    keystone_config {
-      'token/provider':   value => $token_provider;
-      'signing/certfile': value => $signing_certfile;
-      'signing/keyfile':  value => $signing_keyfile;
-      'signing/ca_certs': value => $signing_ca_certs;
-      'signing/ca_key':   value => $signing_ca_key;
+  # Set the signing key/cert configuration values.
+  keystone_config {
+    'signing/certfile': value => $signing_certfile;
+    'signing/keyfile':  value => $signing_keyfile;
+    'signing/ca_certs': value => $signing_ca_certs;
+    'signing/ca_key':   value => $signing_ca_key;
+  }
+
+  # Create cache directory used for signing.
+  file { $cache_dir:
+    ensure => directory,
+  }
+
+  # Only do pki_setup if we were asked to do so.  This is needed
+  # regardless of the token provider since token revocation lists
+  # are always signed.
+  if $enable_pki_setup {
+    exec { 'keystone-manage pki_setup':
+      path        => '/usr/bin',
+      user        => 'keystone',
+      refreshonly => true,
+      creates     => $signing_keyfile,
+      notify      => Service['keystone'],
+      subscribe   => Package['keystone'],
+      require     => User['keystone'],
     }
+  }
 
-    # Only do pki_setup if we were asked to do so
-    if $enable_pki_setup {
-      exec { 'keystone-manage pki_setup':
-        path        => '/usr/bin',
-        user        => 'keystone',
-        refreshonly => true,
-        creates     => $signing_keyfile,
-        notify      => Service['keystone'],
-        subscribe   => Package['keystone'],
-        require     => User['keystone'],
-      }
-    }
+  if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
+    keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
   } elsif $token_format == 'UUID' {
     keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
   } else {

diff --git a/spec/classes/keystone_spec.rb b/spec/classes/keystone_spec.rb
@@ -210,7 +210,24 @@
           'token_provider' => 'keystone.token.providers.uuid.Provider'
         }
       end
-      it { should_not contain_exec('keystone-manage pki_setup') }
+      it { should contain_exec('keystone-manage pki_setup').with(
+        :creates => '/etc/keystone/ssl/private/signing_key.pem'
+      ) }
+      it { should contain_file('/var/cache/keystone').with_ensure('directory') }
+
+      describe 'when overriding the cache dir' do
+        before do
+          params.merge!(:cache_dir => '/var/lib/cache/keystone')
+        end
+        it { should contain_file('/var/lib/cache/keystone') }
+      end
+
+      describe 'when disable pki_setup' do
+        before do
+          params.merge!(:enable_pki_setup => false)
+        end
+        it { should_not contain_exec('keystone-manage pki_setup') }
+      end
     end
 
     describe 'when configuring as PKI' do
@@ -240,6 +257,38 @@
       end
     end
 
+    describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
+      let :params do
+        {
+          'admin_token'       => 'service_token',
+          'token_provider'    => 'keystone.token.providers.uuid.Provider',
+          'enable_pki_setup'  => false,
+          'signing_certfile'  => 'signing_certfile',
+          'signing_keyfile'   => 'signing_keyfile',
+          'signing_ca_certs'  => 'signing_ca_certs',
+          'signing_ca_key'    => 'signing_ca_key'
+        }
+      end
+
+      it { should_not contain_exec('keystone-manage pki_setup') }
+
+      it 'should contain correct PKI certfile config' do
+        should contain_keystone_config('signing/certfile').with_value('signing_certfile')
+      end
+
+      it 'should contain correct PKI keyfile config' do
+        should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
+      end
+
+      it 'should contain correct PKI ca_certs config' do
+        should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
+      end
+
+      it 'should contain correct PKI ca_key config' do
+        should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
+      end
+    end
+
     describe 'when configuring PKI signing cert paths with pki_setup disabled' do
       let :params do
         {
@@ -290,14 +339,49 @@
       it { should contain_keystone_config('catalog/driver').with_value(params[:catalog_driver]) }
     end
 
-    describe 'when configuring deprecated token_format as UUID' do
+    describe 'when configuring deprecated token_format as UUID with enable_pki_setup' do
       let :params do
         {
           'admin_token'    => 'service_token',
           'token_format'   => 'UUID'
         }
       end
+      it { should contain_exec('keystone-manage pki_setup').with(
+        :creates => '/etc/keystone/ssl/private/signing_key.pem'
+      ) }
+      it { should contain_file('/var/cache/keystone').with_ensure('directory') }
+      describe 'when overriding the cache dir' do
+        let :params do
+          {
+            'admin_token'    => 'service_token',
+            'token_provider' => 'keystone.token.providers.pki.Provider',
+            'cache_dir'      => '/var/lib/cache/keystone'
+          }
+        end
+        it { should contain_file('/var/lib/cache/keystone') }
+      end
+    end
+
+    describe 'when configuring deprecated token_format as UUID without enable_pki_setup' do
+      let :params do
+        {
+          'admin_token'      => 'service_token',
+          'token_format'     => 'UUID',
+          'enable_pki_setup' => false
+        }
+      end
       it { should_not contain_exec('keystone-manage pki_setup') }
+      it { should contain_file('/var/cache/keystone').with_ensure('directory') }
+      describe 'when overriding the cache dir' do
+        let :params do
+          {
+            'admin_token'    => 'service_token',
+            'token_provider' => 'keystone.token.providers.uuid.Provider',
+            'cache_dir'      => '/var/lib/cache/keystone'
+          }
+        end
+        it { should contain_file('/var/lib/cache/keystone') }
+      end
     end
 
     describe 'when configuring deprecated token_format as PKI with enable_pki_setup' do