From 48a3a0562af3dfc5e0c94b90b2b3efdc8570c67a Mon Sep 17 00:00:00 2001
From: "Luis A. Garcia"
Date: Fri, 25 Apr 2014 14:31:13 -0700
Subject: [PATCH] Use right PKI defaults

The common cookbook has been updated to make PKI the default token provider in keystone. This patch updates the specs to match that. The default PKI key size is double what the default value in the cookbook is. This patch updates it.

Change-Id: Ic17c572f7aa67f88b8f6f2ed31968d043f1abb73
Partial-Bug: #1312927
---
 attributes/default.rb | 2 +-
 spec/server_spec.rb | 10 ++++------
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index e658b58..97aa77b 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -75,7 +75,7 @@ default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
 default['openstack']['identity']['signing']['certfile'] = '/etc/keystone/ssl/certs/signing_cert.pem'
 default['openstack']['identity']['signing']['keyfile'] = '/etc/keystone/ssl/private/signing_key.pem'
 default['openstack']['identity']['signing']['ca_certs'] = '/etc/keystone/ssl/certs/ca.pem'
-default['openstack']['identity']['signing']['key_size'] = '1024'
+default['openstack']['identity']['signing']['key_size'] = '2048'
 default['openstack']['identity']['signing']['valid_days'] = '3650'
 default['openstack']['identity']['signing']['ca_password'] = nil
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
index 76bfed7..746bdca 100644
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
@@ -98,13 +98,13 @@ describe 'openstack-identity::server' do
 let(:ssl_dir) { '/etc/keystone/ssl' }
 describe 'without pki' do
+ before { node.set['openstack']['auth']['strategy'] = 'uuid' }
 it 'does not create' do
 expect(chef_run).not_to create_directory(ssl_dir)
 end
 end
 describe 'with pki' do
- before { node.set['openstack']['auth']['strategy'] = 'pki' }
 let(:dir_resource) { chef_run.directory(ssl_dir) }
 it 'creates' do
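Review bot: In attributes/default.rb the new `key_size` default of '2048' carries no comment, and as far as this patch shows it only matters when a key is actually generated. The spec context further down stubs `FileTest.exists?` on `/etc/keystone/ssl/private/signing_key.pem` around `keystone-manage pki_setup`, which suggests that nodes already holding a 1024-bit signing key keep it after picking up this change. I would add a comment above the attribute, e.g. `# RSA bits for newly generated signing keys; an existing signing_key.pem is not regenerated`, and mention manual key rotation in the release notes. The guard itself lives in the recipe, which is outside this diff, so this should be confirmed there.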
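Review bot: The `with pki` block in spec/server_spec.rb (hunk at -98) no longer sets the auth strategy, so nothing in the block tells a reader why the PKI path is being exercised; the same holds for the `with pki` blocks in the hunks at -144 and -400. The examples now depend on the default that the common cookbook supplies, which is not visible from this file. A one-line comment in each block, e.g. `# no before hook: 'pki' is the default auth strategy from openstack-common`, would make that dependency explicit. The enclosing `describe` blocks start and end outside these hunks.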
@@ -135,6 +135,7 @@ describe 'openstack-identity::server' do
 let(:cmd) { 'keystone-manage pki_setup' }
 describe 'without pki' do
+ before { node.set['openstack']['auth']['strategy'] = 'uuid' }
 it 'does not execute' do
 expect(chef_run).to_not run_execute(cmd).with(
 user: 'keystone',
@@ -144,8 +145,6 @@ describe 'openstack-identity::server' do
 end
 describe 'with pki' do
- before { node.set['openstack']['auth']['strategy'] = 'pki' }
-
 it 'executes' do
 ::FileTest.should_receive(:exists?)
 .with('/etc/keystone/ssl/private/signing_key.pem')
@@ -400,15 +399,13 @@ describe 'openstack-identity::server' do
 certfile: '/etc/keystone/ssl/certs/signing_cert.pem',
 keyfile: '/etc/keystone/ssl/private/signing_key.pem',
 ca_certs: '/etc/keystone/ssl/certs/ca.pem',
- key_size: '1024',
+ key_size: '2048',
 valid_days: '3650',
 ca_password: nil
 }
 describe 'with pki' do
 it 'configures cert options' do
- node.set['openstack']['auth']['strategy'] = 'pki'
-
 opts.each do |key, val|
 r = line_regexp("#{key} = #{val}")
 expect(chef_run).to render_file(path).with_content(r)
@@ -417,6 +414,7 @@ describe 'openstack-identity::server' do
 end
 describe 'without pki' do
+ before { node.set['openstack']['auth']['strategy'] = 'uuid' }
 it 'does not configure cert options' do
 opts.each do |key, val|
 expect(chef_run).not_to render_file(path).with_content(