Allow token signing key/cert/cacert to be pulled in remotely

Currently, we run a pki_setup if auth strategy is 'pki' (default).  If
you have multiple keystone nodes load balanced, they'd all have
different keys/certs/cacerts (created by the pki_setup).  This change
allows you to pull in a custom key/cert/cacert so that these files can
be uniform across all nodes.

Change-Id: I8f0fa41e4433e3a44247fc467e3f6b5f0d2e203d

attributes/default.rb

@@ -72,9 +72,12 @@ default['openstack']['identity']['users'] = {
 # PKI signing. Corresponds to the [signing] section of keystone.conf
 # Note this section is only written if node['openstack']['auth']['strategy'] == 'pki'
 default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
-default['openstack']['identity']['signing']['certfile'] = '/etc/keystone/ssl/certs/signing_cert.pem'
-default['openstack']['identity']['signing']['keyfile'] = '/etc/keystone/ssl/private/signing_key.pem'
-default['openstack']['identity']['signing']['ca_certs'] = '/etc/keystone/ssl/certs/ca.pem'
+default['openstack']['identity']['signing']['certfile'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/signing_cert.pem"
+default['openstack']['identity']['signing']['keyfile'] = "#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem"
+default['openstack']['identity']['signing']['ca_certs'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/ca.pem"
+default['openstack']['identity']['signing']['certfile_url'] = nil
+default['openstack']['identity']['signing']['keyfile_url'] = nil
+default['openstack']['identity']['signing']['ca_certs_url'] = nil
 default['openstack']['identity']['signing']['key_size'] = '2048'
 default['openstack']['identity']['signing']['valid_days'] = '3650'
 default['openstack']['identity']['signing']['ca_password'] = nil

recipes/server.rb

@@ -76,25 +76,70 @@ directory '/etc/keystone' do
   mode  00700
 end
 
-directory node['openstack']['identity']['signing']['basedir'] do
-  owner node['openstack']['identity']['user']
-  group node['openstack']['identity']['group']
-  mode  00700
-
-  only_if { node['openstack']['auth']['strategy'] == 'pki' }
-end
-
 file '/var/lib/keystone/keystone.db' do
   action :delete
   not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
 end
 
-execute 'keystone-manage pki_setup' do
+if node['openstack']['auth']['strategy'] == 'pki'
+  certfile_url = node['openstack']['identity']['signing']['certfile_url']
+  keyfile_url = node['openstack']['identity']['signing']['keyfile_url']
+  ca_certs_url = node['openstack']['identity']['signing']['ca_certs_url']
+  signing_basedir = node['openstack']['identity']['signing']['basedir']
+
+  directory signing_basedir do
+    owner node['openstack']['identity']['user']
+    group node['openstack']['identity']['group']
+    mode  00700
+  end
+
+  directory "#{signing_basedir}/certs" do
+    owner node['openstack']['identity']['user']
+    group node['openstack']['identity']['group']
+    mode  00755
+  end
+
+  directory "#{signing_basedir}/private" do
+    owner node['openstack']['identity']['user']
+    group node['openstack']['identity']['group']
+    mode  00750
+  end
+
+  if certfile_url.nil? || keyfile_url.nil? || ca_certs_url.nil?
+    execute 'keystone-manage pki_setup' do
       user  node['openstack']['identity']['user']
       group node['openstack']['identity']['group']
 
-  only_if { node['openstack']['auth']['strategy'] == 'pki' }
       not_if { ::FileTest.exists? node['openstack']['identity']['signing']['keyfile'] }
+    end
+  else
+    remote_file node['openstack']['identity']['signing']['certfile'] do
+      source certfile_url
+      owner  node['openstack']['identity']['user']
+      group  node['openstack']['identity']['group']
+      mode   00640
+
+      notifies :restart, 'service[keystone]', :delayed
+    end
+
+    remote_file node['openstack']['identity']['signing']['keyfile'] do
+      source keyfile_url
+      owner  node['openstack']['identity']['user']
+      group  node['openstack']['identity']['group']
+      mode   00640
+
+      notifies :restart, 'service[keystone]', :delayed
+    end
+
+    remote_file node['openstack']['identity']['signing']['ca_certs'] do
+      source ca_certs_url
+      owner  node['openstack']['identity']['user']
+      group  node['openstack']['identity']['group']
+      mode   00640
+
+      notifies :restart, 'service[keystone]', :delayed
+    end
+  end
 end
 
 bind_endpoint = endpoint 'identity-bind'

spec/server_spec.rb

@@ -94,20 +94,32 @@ describe 'openstack-identity::server' do
       end
     end
 
-    describe '/etc/keystone/ssl' do
+    describe 'ssl directories' do
       let(:ssl_dir) { '/etc/keystone/ssl' }
+      let(:certs_dir) { "#{ssl_dir}/certs" }
+      let(:private_dir) { "#{ssl_dir}/private" }
 
       describe 'without pki' do
         before { node.set['openstack']['auth']['strategy'] = 'uuid' }
-        it 'does not create' do
+
+        it 'does not create /etc/keystone/ssl' do
           expect(chef_run).not_to create_directory(ssl_dir)
         end
+
+        it 'does not create /etc/keystone/ssl/certs' do
+          expect(chef_run).not_to create_directory(certs_dir)
+        end
+
+        it 'does not create /etc/keystone/ssl/private' do
+          expect(chef_run).not_to create_directory(private_dir)
+        end
       end
 
       describe 'with pki' do
+        describe '/etc/keystone/ssl' do
           let(:dir_resource) { chef_run.directory(ssl_dir) }
 
-        it 'creates' do
+          it 'creates /etc/keystone/ssl' do
             expect(chef_run).to create_directory(ssl_dir)
           end
 
@@ -120,6 +132,149 @@ describe 'openstack-identity::server' do
             expect(sprintf('%o', dir_resource.mode)).to eq('700')
           end
         end
+
+        describe '/etc/keystone/ssl/certs' do
+          let(:dir_resource) { chef_run.directory(certs_dir) }
+
+          it 'creates /etc/keystone/ssl/certs' do
+            expect(chef_run).to create_directory(certs_dir)
+          end
+
+          it 'has proper owner' do
+            expect(dir_resource.owner).to eq('keystone')
+            expect(dir_resource.group).to eq('keystone')
+          end
+
+          it 'has proper modes' do
+            expect(sprintf('%o', dir_resource.mode)).to eq('755')
+          end
+        end
+
+        describe '/etc/keystone/ssl/private' do
+          let(:dir_resource) { chef_run.directory(private_dir) }
+
+          it 'creates /etc/keystone/ssl/private' do
+            expect(chef_run).to create_directory(private_dir)
+          end
+
+          it 'has proper owner' do
+            expect(dir_resource.owner).to eq('keystone')
+            expect(dir_resource.group).to eq('keystone')
+          end
+
+          it 'has proper modes' do
+            expect(sprintf('%o', dir_resource.mode)).to eq('750')
+          end
+        end
+      end
+    end
+
+    describe 'ssl files' do
+      describe 'with pki' do
+        describe 'with {certfile,keyfile,ca_certs}_url attributes set' do
+          before do
+            node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem'
+            node.set['openstack']['identity']['signing']['keyfile_url']  = 'http://www.test.com/signing_key.pem'
+            node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem'
+          end
+
+          describe 'cert file' do
+            let(:cert_file) { node['openstack']['identity']['signing']['certfile'] }
+            let(:file_resource) { chef_run.remote_file(cert_file) }
+
+            it 'creates files' do
+              expect(chef_run).to create_remote_file(cert_file)
+            end
+
+            it 'has proper owner' do
+              expect(file_resource.owner).to eq('keystone')
+              expect(file_resource.group).to eq('keystone')
+            end
+
+            it 'has proper modes' do
+              expect(sprintf('%o', file_resource.mode)).to eq('640')
+            end
+
+            it 'notifies keystone restart' do
+              expect(file_resource).to notify('service[keystone]').to(:restart)
+            end
+          end
+
+          describe 'key file' do
+            let(:key_file) { node['openstack']['identity']['signing']['keyfile'] }
+            let(:file_resource) { chef_run.remote_file(key_file) }
+
+            it 'creates file' do
+              expect(chef_run).to create_remote_file(key_file)
+            end
+
+            it 'has proper owner' do
+              expect(file_resource.owner).to eq('keystone')
+              expect(file_resource.group).to eq('keystone')
+            end
+
+            it 'has proper modes' do
+              expect(sprintf('%o', file_resource.mode)).to eq('640')
+            end
+
+            it 'notifies keystone restart' do
+              expect(file_resource).to notify('service[keystone]').to(:restart)
+            end
+          end
+
+          describe 'ca_certs' do
+            let(:ca_certs) { node['openstack']['identity']['signing']['ca_certs'] }
+            let(:file_resource) { chef_run.remote_file(ca_certs) }
+
+            it 'creates file' do
+              expect(chef_run).to create_remote_file(ca_certs)
+            end
+
+            it 'has proper owner' do
+              expect(file_resource.owner).to eq('keystone')
+              expect(file_resource.group).to eq('keystone')
+            end
+
+            it 'has proper modes' do
+              expect(sprintf('%o', file_resource.mode)).to eq('640')
+            end
+
+            it 'notifies keystone restart' do
+              expect(file_resource).to notify('service[keystone]').to(:restart)
+            end
+          end
+        end
+
+        describe 'without {certfile,keyfile,ca_certs}_url attributes set' do
+          it 'does not create cert file' do
+            expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile'])
+          end
+
+          it 'does not create key file' do
+            expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile'])
+          end
+
+          it 'does not create ca_certs file' do
+            expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs'])
+          end
+        end
+      end
+
+      describe 'without pki' do
+        before { node.set['openstack']['auth']['strategy'] = 'uuid' }
+
+        it 'does not create cert file' do
+          expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile'])
+        end
+
+        it 'does not create key file' do
+          expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile'])
+        end
+
+        it 'does not create ca_certs file' do
+          expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs'])
+        end
+      end
     end
 
     it 'deletes keystone.db' do
@@ -145,6 +300,7 @@ describe 'openstack-identity::server' do
       end
 
       describe 'with pki' do
+        describe 'without {certfile,keyfile,ca_certs}_url attributes set' do
           it 'executes' do
             ::FileTest.should_receive(:exists?)
               .with('/etc/keystone/ssl/private/signing_key.pem')
@@ -155,6 +311,22 @@ describe 'openstack-identity::server' do
               group: 'keystone'
             )
           end
+        end
+
+        describe 'with {certfile,keyfile,ca_certs}_url attributes set' do
+          before do
+            node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem'
+            node.set['openstack']['identity']['signing']['keyfile_url']  = 'http://www.test.com/signing_key.pem'
+            node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem'
+          end
+
+          it 'does not execute' do
+            expect(chef_run).to_not run_execute(cmd).with(
+              user: 'keystone',
+              group: 'keystone'
+            )
+          end
+        end
 
         it 'does not execute when dir exists' do
           ::FileTest.should_receive(:exists?)