From ee45612e7c3dd78712a0ad29576de557d144a1fd Mon Sep 17 00:00:00 2001
From: James Page
Date: Thu, 10 Aug 2017 15:22:50 +0100
Subject: [PATCH] pki: conditional enablement of signing section

Only enable the [signing] section of the keystone configuration if PKI token format is in use; other token formats don't have support for token revocation retrieval.

Note that PKI format tokens are no longer supported >= Pike.

Change-Id: I8179ecc5d37d866588147f639ebc77a870408dfe
Closes-Bug: 1709189
---
 hooks/keystone_context.py | 20 +++++++++++++-------
 templates/parts/section-signing | 4 +++-
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py
index d23add6f..36516c8d 100644
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@@ -247,13 +247,19 @@ class KeystoneContext(context.OSContextGenerator):
 log("Enabling PKI", level=DEBUG)
 ctxt['token_provider'] = 'pki'
- ensure_pki_cert_paths()
- certs = os.path.join(PKI_CERTS_DIR, 'certs')
- privates = os.path.join(PKI_CERTS_DIR, 'privates')
- ctxt.update({'certfile': os.path.join(certs, 'signing_cert.pem'),
- 'keyfile': os.path.join(privates, 'signing_key.pem'),
- 'ca_certs': os.path.join(certs, 'ca.pem'),
- 'ca_key': os.path.join(certs, 'ca_key.pem')})
+ # NOTE(jamespage): Only check PKI configuration if the PKI
+ # token format is in use, which has been
+ # removed as of OpenStack Ocata.
+ ensure_pki_cert_paths()
+ certs = os.path.join(PKI_CERTS_DIR, 'certs')
+ privates = os.path.join(PKI_CERTS_DIR, 'privates')
+ ctxt['enable_signing'] = True
+ ctxt.update({'certfile': os.path.join(certs, 'signing_cert.pem'),
+ 'keyfile': os.path.join(privates, 'signing_key.pem'),
+ 'ca_certs': os.path.join(certs, 'ca.pem'),
+ 'ca_key': os.path.join(certs, 'ca_key.pem')})
+ else:
+ ctxt['enable_signing'] = False
 # Base endpoint URL's which are used in keystone responses
 # to unauthenticated requests to redirect clients to the
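Review bot: `ctxt['enable_signing']` is only assigned in the visible PKI branch and in the new `else:`, and the `if` this branch belongs to starts above the hunk; if that conditional has further branches (an `elif` for another token provider, say), the key is never set on those paths and the template's `{% if enable_signing -%}` would be relying on an undefined name evaluating false. Initialising the flag once before the conditional, `ctxt['enable_signing'] = False`, and only flipping it to `True` inside the PKI branch gives the key a defined value on every path and makes the added `else:` unnecessary. The new NOTE says the PKI format `has been removed as of OpenStack Ocata` while the commit message says PKI tokens are `no longer supported >= Pike`; the comment and the message should name the same release. The enclosing method continues both above and below this hunk.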
diff --git a/templates/parts/section-signing b/templates/parts/section-signing
index 77a17014..cb7d69ae 100644
--- a/templates/parts/section-signing
+++ b/templates/parts/section-signing
@@ -1,3 +1,4 @@
+{% if enable_signing -%}
 [signing]
 {% if certfile -%}
 certfile = {{ certfile }}
@@ -10,4 +11,5 @@ ca_certs = {{ ca_certs }}
 {% endif -%}
 {% if ca_key -%}
 ca_key = {{ ca_key }}
-{% endif -%}
+{% endif -%}
+{% endif -%}
\ No newline at end of file
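Review bot: The second hunk closes the `enable_signing` guard opened in the first with a second bare `{% endif -%}` placed directly after the `ca_key` one, so the two closers are indistinguishable, and the file ends without a newline (`\ No newline at end of file`). A marker on the outer closer, `{% endif -%}{# enable_signing #}`, plus a final newline makes the nesting obvious to the next editor of this fragment. With `enable_signing` false the whole `[signing]` section is omitted rather than emitted empty, which matches the commit message's intent; a one-line `{# rendered only when the PKI token format is in use #}` comment at the top of the fragment would save a reader the trip to keystone_context.py to learn when the section appears.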