diff --git a/attributes/default.rb b/attributes/default.rb
index 97aa77b..c5f72bd 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -72,9 +72,12 @@ default['openstack']['identity']['users'] = {
 # PKI signing. Corresponds to the [signing] section of keystone.conf
 # Note this section is only written if node['openstack']['auth']['strategy'] == 'pki'
 default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
-default['openstack']['identity']['signing']['certfile'] = '/etc/keystone/ssl/certs/signing_cert.pem'
-default['openstack']['identity']['signing']['keyfile'] = '/etc/keystone/ssl/private/signing_key.pem'
-default['openstack']['identity']['signing']['ca_certs'] = '/etc/keystone/ssl/certs/ca.pem'
+default['openstack']['identity']['signing']['certfile'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/signing_cert.pem"
+default['openstack']['identity']['signing']['keyfile'] = "#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem"
+default['openstack']['identity']['signing']['ca_certs'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/ca.pem"
+default['openstack']['identity']['signing']['certfile_url'] = nil
+default['openstack']['identity']['signing']['keyfile_url'] = nil
+default['openstack']['identity']['signing']['ca_certs_url'] = nil
 default['openstack']['identity']['signing']['key_size'] = '2048'
 default['openstack']['identity']['signing']['valid_days'] = '3650'
 default['openstack']['identity']['signing']['ca_password'] = nil
diff --git a/recipes/server.rb b/recipes/server.rb
index f6c6c2f..33be5a0 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
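Review bot: The three derived defaults for `certfile`, `keyfile` and `ca_certs` read `node['openstack']['identity']['signing']['basedir']` at the moment this attribute file is evaluated, so a wrapper cookbook or role that overrides `basedir` alone gets the new directory but keeps the old file paths unless it overrides all three as well. A comment above those lines, e.g. `# Derived from basedir when this file loads; if basedir is overridden elsewhere, override certfile/keyfile/ca_certs too.`, would save the next operator that debugging session. The new `*_url` attributes would benefit from a comment stating that all three must be set together, since the recipe in this commit falls back to `keystone-manage pki_setup` if any one of them is nil.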
@@ -76,25 +76,70 @@ directory '/etc/keystone' do
 mode 00700
 end
 
-directory node['openstack']['identity']['signing']['basedir'] do
- owner node['openstack']['identity']['user']
- group node['openstack']['identity']['group']
- mode 00700
-
- only_if { node['openstack']['auth']['strategy'] == 'pki' }
-end
-
 file '/var/lib/keystone/keystone.db' do
 action :delete
 not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
 end
 
-execute 'keystone-manage pki_setup' do
- user node['openstack']['identity']['user']
- group node['openstack']['identity']['group']
+if node['openstack']['auth']['strategy'] == 'pki'
+ certfile_url = node['openstack']['identity']['signing']['certfile_url']
+ keyfile_url = node['openstack']['identity']['signing']['keyfile_url']
+ ca_certs_url = node['openstack']['identity']['signing']['ca_certs_url']
+ signing_basedir = node['openstack']['identity']['signing']['basedir']
 
- only_if { node['openstack']['auth']['strategy'] == 'pki' }
- not_if { ::FileTest.exists? node['openstack']['identity']['signing']['keyfile'] }
+ directory signing_basedir do
+ owner node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+ mode 00700
+ end
+
+ directory "#{signing_basedir}/certs" do
+ owner node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+ mode 00755
+ end
+
+ directory "#{signing_basedir}/private" do
+ owner node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+ mode 00750
+ end
+
+ if certfile_url.nil? || keyfile_url.nil? || ca_certs_url.nil?
+ execute 'keystone-manage pki_setup' do
+ user node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+
+ not_if { ::FileTest.exists? node['openstack']['identity']['signing']['keyfile'] }
+ end
+ else
+ remote_file node['openstack']['identity']['signing']['certfile'] do
+ source certfile_url
+ owner node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+ mode 00640
+
+ notifies :restart, 'service[keystone]', :delayed
+ end
+
+ remote_file node['openstack']['identity']['signing']['keyfile'] do
+ source keyfile_url
+ owner node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+ mode 00640
+
+ notifies :restart, 'service[keystone]', :delayed
+ end
+
+ remote_file node['openstack']['identity']['signing']['ca_certs'] do
+ source ca_certs_url
+ owner node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+ mode 00640
+
+ notifies :restart, 'service[keystone]', :delayed
+ end
+ end
 end
 
 bind_endpoint = endpoint 'identity-bind'
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
index 746bdca..c88ba30 100644
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
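Review bot: The `if certfile_url.nil? || keyfile_url.nil? || ca_certs_url.nil?` branch silently runs `keystone-manage pki_setup` when only one or two of the three URLs are set, so a typo in a single attribute name yields a freshly generated signing key instead of the operator's own material and no error; a guard before the branch such as `fail 'certfile_url, keyfile_url and ca_certs_url must be set together' if [certfile_url, keyfile_url, ca_certs_url].compact.size.between?(1, 2)` makes that misconfiguration loud. The `remote_file` for `keyfile` fetches the signing private key over whatever scheme the URL carries, so a comment on that resource stating that an https source with a verifiable certificate is expected would document the trust assumption; if the Chef version in use supports it, `sensitive true` on that resource would also keep the key bytes out of the run log. The three `remote_file` blocks differ only in path and source, so a single `{ 'certfile' => certfile_url, 'keyfile' => keyfile_url, 'ca_certs' => ca_certs_url }.each` loop would remove the repetition, though that is a matter of style.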
@@ -94,30 +94,185 @@ describe 'openstack-identity::server' do
 end
 end
 
- describe '/etc/keystone/ssl' do
+ describe 'ssl directories' do
 let(:ssl_dir) { '/etc/keystone/ssl' }
+ let(:certs_dir) { "#{ssl_dir}/certs" }
+ let(:private_dir) { "#{ssl_dir}/private" }
 
 describe 'without pki' do
 before { node.set['openstack']['auth']['strategy'] = 'uuid' }
- it 'does not create' do
+
+ it 'does not create /etc/keystone/ssl' do
 expect(chef_run).not_to create_directory(ssl_dir)
 end
+
+ it 'does not create /etc/keystone/ssl/certs' do
+ expect(chef_run).not_to create_directory(certs_dir)
+ end
+
+ it 'does not create /etc/keystone/ssl/private' do
+ expect(chef_run).not_to create_directory(private_dir)
+ end
 end
 
 describe 'with pki' do
- let(:dir_resource) { chef_run.directory(ssl_dir) }
+ describe '/etc/keystone/ssl' do
+ let(:dir_resource) { chef_run.directory(ssl_dir) }
 
- it 'creates' do
- expect(chef_run).to create_directory(ssl_dir)
+ it 'creates /etc/keystone/ssl' do
+ expect(chef_run).to create_directory(ssl_dir)
+ end
+
+ it 'has proper owner' do
+ expect(dir_resource.owner).to eq('keystone')
+ expect(dir_resource.group).to eq('keystone')
+ end
+
+ it 'has proper modes' do
+ expect(sprintf('%o', dir_resource.mode)).to eq('700')
+ end
 end
 
- it 'has proper owner' do
- expect(dir_resource.owner).to eq('keystone')
- expect(dir_resource.group).to eq('keystone')
+ describe '/etc/keystone/ssl/certs' do
+ let(:dir_resource) { chef_run.directory(certs_dir) }
+
+ it 'creates /etc/keystone/ssl/certs' do
+ expect(chef_run).to create_directory(certs_dir)
+ end
+
+ it 'has proper owner' do
+ expect(dir_resource.owner).to eq('keystone')
+ expect(dir_resource.group).to eq('keystone')
+ end
+
+ it 'has proper modes' do
+ expect(sprintf('%o', dir_resource.mode)).to eq('755')
+ end
 end
 
- it 'has proper modes' do
- expect(sprintf('%o', dir_resource.mode)).to eq('700')
+ describe '/etc/keystone/ssl/private' do
+ let(:dir_resource) { chef_run.directory(private_dir) }
+
+ it 'creates /etc/keystone/ssl/private' do
+ expect(chef_run).to create_directory(private_dir)
+ end
+
+ it 'has proper owner' do
+ expect(dir_resource.owner).to eq('keystone')
+ expect(dir_resource.group).to eq('keystone')
+ end
+
+ it 'has proper modes' do
+ expect(sprintf('%o', dir_resource.mode)).to eq('750')
+ end
+ end
+ end
+ end
+
+ describe 'ssl files' do
+ describe 'with pki' do
+ describe 'with {certfile,keyfile,ca_certs}_url attributes set' do
+ before do
+ node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem'
+ node.set['openstack']['identity']['signing']['keyfile_url'] = 'http://www.test.com/signing_key.pem'
+ node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem'
+ end
+
+ describe 'cert file' do
+ let(:cert_file) { node['openstack']['identity']['signing']['certfile'] }
+ let(:file_resource) { chef_run.remote_file(cert_file) }
+
+ it 'creates files' do
+ expect(chef_run).to create_remote_file(cert_file)
+ end
+
+ it 'has proper owner' do
+ expect(file_resource.owner).to eq('keystone')
+ expect(file_resource.group).to eq('keystone')
+ end
+
+ it 'has proper modes' do
+ expect(sprintf('%o', file_resource.mode)).to eq('640')
+ end
+
+ it 'notifies keystone restart' do
+ expect(file_resource).to notify('service[keystone]').to(:restart)
+ end
+ end
+
+ describe 'key file' do
+ let(:key_file) { node['openstack']['identity']['signing']['keyfile'] }
+ let(:file_resource) { chef_run.remote_file(key_file) }
+
+ it 'creates file' do
+ expect(chef_run).to create_remote_file(key_file)
+ end
+
+ it 'has proper owner' do
+ expect(file_resource.owner).to eq('keystone')
+ expect(file_resource.group).to eq('keystone')
+ end
+
+ it 'has proper modes' do
+ expect(sprintf('%o', file_resource.mode)).to eq('640')
+ end
+
+ it 'notifies keystone restart' do
+ expect(file_resource).to notify('service[keystone]').to(:restart)
+ end
+ end
+
+ describe 'ca_certs' do
+ let(:ca_certs) { node['openstack']['identity']['signing']['ca_certs'] }
+ let(:file_resource) { chef_run.remote_file(ca_certs) }
+
+ it 'creates file' do
+ expect(chef_run).to create_remote_file(ca_certs)
+ end
+
+ it 'has proper owner' do
+ expect(file_resource.owner).to eq('keystone')
+ expect(file_resource.group).to eq('keystone')
+ end
+
+ it 'has proper modes' do
+ expect(sprintf('%o', file_resource.mode)).to eq('640')
+ end
+
+ it 'notifies keystone restart' do
+ expect(file_resource).to notify('service[keystone]').to(:restart)
+ end
+ end
+ end
+
+ describe 'without {certfile,keyfile,ca_certs}_url attributes set' do
+ it 'does not create cert file' do
+ expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile'])
+ end
+
+ it 'does not create key file' do
+ expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile'])
+ end
+
+ it 'does not create ca_certs file' do
+ expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs'])
+ end
+ end
+ end
+
+ describe 'without pki' do
+ before { node.set['openstack']['auth']['strategy'] = 'uuid' }
+
+ it 'does not create cert file' do
+ expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile'])
+ end
+
+ it 'does not create key file' do
+ expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile'])
+ end
+
+ it 'does not create ca_certs file' do
+ expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs'])
 end
 end
 end
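Review bot: None of the new `remote_file` examples asserts the `source` of the resource, so a recipe that swapped `certfile_url` and `keyfile_url` would still pass every example in the `'with {certfile,keyfile,ca_certs}_url attributes set'` block; each of the three `describe` blocks could add `it 'fetches from the configured url' do expect(file_resource.source).to include('http://www.test.com/signing_key.pem') end` with its own URL (Chef exposes `remote_file#source` as an array, hence `include`). The `'with pki'` blocks set no strategy themselves, so they presumably rely on a default or a `before` defined outside the hunk; a one-line comment saying so at the top of `describe 'ssl files'` would make the examples readable in isolation. The enclosing `describe 'openstack-identity::server'` starts outside the hunk.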
@@ -145,15 +300,32 @@ describe 'openstack-identity::server' do
 end
 
 describe 'with pki' do
- it 'executes' do
- ::FileTest.should_receive(:exists?)
- .with('/etc/keystone/ssl/private/signing_key.pem')
- .and_return(false)
+ describe 'without {certfile,keyfile,ca_certs}_url attributes set' do
+ it 'executes' do
+ ::FileTest.should_receive(:exists?)
+ .with('/etc/keystone/ssl/private/signing_key.pem')
+ .and_return(false)
 
- expect(chef_run).to run_execute(cmd).with(
- user: 'keystone',
- group: 'keystone'
- )
+ expect(chef_run).to run_execute(cmd).with(
+ user: 'keystone',
+ group: 'keystone'
+ )
+ end
+ end
+
+ describe 'with {certfile,keyfile,ca_certs}_url attributes set' do
+ before do
+ node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem'
+ node.set['openstack']['identity']['signing']['keyfile_url'] = 'http://www.test.com/signing_key.pem'
+ node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem'
+ end
+
+ it 'does not execute' do
+ expect(chef_run).to_not run_execute(cmd).with(
+ user: 'keystone',
+ group: 'keystone'
+ )
+ end
 end
 
 it 'does not execute when dir exists' do
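Review bot: The negative expectation in `it 'does not execute'` keeps the `.with(user: 'keystone', group: 'keystone')` qualifier, so it would still pass if the `keystone-manage pki_setup` execute were present with any other user or group; dropping the qualifier, `expect(chef_run).to_not run_execute(cmd)`, asserts what the example name says. The `::FileTest.should_receive` stub in the sibling example keeps the legacy `should` syntax while the rest of the hunk uses `expect`; `expect(::FileTest).to receive(:exists?).with('/etc/keystone/ssl/private/signing_key.pem').and_return(false)` would be consistent, if the RSpec version in use supports it. `cmd` and the enclosing `describe` are defined outside the hunk.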