Add some authtoken related attributes

This change adds some attributes into the cookbook so
that they are configurable. It mainly includes:
cafile, memcached_servers, memcache_security_strategy,
memcache_secret_key, insecure and hash_algorithms.

Change-Id: I6d38db321da2d86265bace3d36c68ddcb196ed61
Closes-Bug: #1372315

CHANGELOG.md

@@ -7,6 +7,7 @@ This file is used to list changes made in each version of cookbook-openstack-orc
 * Sync conf files with Juno
 * Upgrading berkshelf from 2.0.18 to 3.1.5
 * Update mode for heat.conf from 644 to 640
+* Add cafile, memcached_servers, memcache_security_strategy, memcache_secret_key, insecure and hash_algorithms so that they are configurable.
 
 ## 9.2.0
 * python_packages database client attributes have been migrated to

README.md

@@ -76,6 +76,12 @@ Attributes for the Heat service are in the ['openstack']['orchestration'] namesp
 * `openstack['orchestration']['rpc_response_timeout']` - seconds to wait for a response from call or multicall
 * `openstack['orchestration']['platform']` - hash of platform specific package/service names and options
 * `openstack['orchestration']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with identity service.
+* `openstack['orchestration']['api']['auth']['memcached_servers']` - A list of memcached server(s) for caching
+* `openstack['orchestration']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
+* `openstack['orchestration']['api']['auth']['memcache_secret_key']` - This string is used for key derivation.
+* `openstack['orchestration']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens.
+* `openstack['orchestration']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+* `openstack['orchestration']['api']['auth']['insecure']` - Whether to allow the client to perform insecure SSL (https) requests.
 
 Notification definitions
 ------------------------

attributes/default.rb

@@ -42,6 +42,24 @@ default['openstack']['orchestration']['service_role'] = 'admin'
 
 default['openstack']['orchestration']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
 
+# A list of memcached server(s) for caching
+default['openstack']['orchestration']['api']['auth']['memcached_servers'] = nil
+
+# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
+default['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] = nil
+
+# This string is used for key derivation
+default['openstack']['orchestration']['api']['auth']['memcache_secret_key'] = nil
+
+# Hash algorithms to use for hashing PKI tokens
+default['openstack']['orchestration']['api']['auth']['hash_algorithms'] = 'md5'
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections
+default['openstack']['orchestration']['api']['auth']['cafile'] = nil
+
+# Whether to allow the client to perform insecure SSL (https) requests
+default['openstack']['orchestration']['api']['auth']['insecure'] = false
+
 # If set, heat API service will bind to the address on this interface,
 # otherwise it will bind to the API endpoint's host.
 default['openstack']['orchestration']['api']['bind_interface'] = nil

spec/spec_helper.rb

@@ -142,6 +142,47 @@ shared_examples 'expects to create heat conf' do
       )
     end
 
+    it 'uses default values for these attributes and they are not set' do
+      expect(chef_run).not_to render_file(file.name).with_content(
+        /^memcached_servers=/)
+      expect(chef_run).not_to render_file(file.name).with_content(
+        /^memcache_security_strategy=/)
+      expect(chef_run).not_to render_file(file.name).with_content(
+        /^memcache_secret_key=/)
+      expect(chef_run).not_to render_file(file.name).with_content(
+        /^cafile=/)
+    end
+
+    it 'sets memcached server(s)' do
+      node.set['openstack']['orchestration']['api']['auth']['memcached_servers'] = 'localhost:11211'
+      expect(chef_run).to render_file(file.name).with_content(/^memcached_servers=localhost:11211$/)
+    end
+
+    it 'sets memcache security strategy' do
+      node.set['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] = 'MAC'
+      expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy=MAC$/)
+    end
+
+    it 'sets memcache secret key' do
+      node.set['openstack']['orchestration']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
+      expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key=0123456789ABCDEF$/)
+    end
+
+    it 'sets cafile' do
+      node.set['openstack']['orchestration']['api']['auth']['cafile'] = 'dir/to/path'
+      expect(chef_run).to render_file(file.name).with_content(%r{^cafile=dir/to/path$})
+    end
+
+    it 'sets token hash algorithms' do
+      node.set['openstack']['orchestration']['api']['auth']['hash_algorithms'] = 'sha2'
+      expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms=sha2$/)
+    end
+
+    it 'sets insecure' do
+      node.set['openstack']['orchestration']['api']['auth']['insecure'] = false
+      expect(chef_run).to render_file(file.name).with_content(/^insecure=false$/)
+    end
+
     describe 'default values' do
       it 'has default conf values' do
         [
@@ -175,6 +216,8 @@ shared_examples 'expects to create heat conf' do
           /^auth_protocol=http$/,
           %r{^auth_uri=http://127.0.0.1:5000/v2.0$},
           /^auth_version=v2.0$/,
+          /^hash_algorithms=md5$/,
+          /^insecure=false$/,
           /^admin_user=heat$/,
           /^admin_password=heat-pass$/,
           /^admin_tenant_name=service$/,

templates/default/heat.conf.erb

@@ -1170,9 +1170,13 @@ admin_tenant_name=<%= node["openstack"]["orchestration"]["service_tenant_name"]
 # A PEM encoded Certificate Authority to use when verifying
 # HTTPs connections. Defaults to system CAs. (string value)
 #cafile=<None>
+<% unless node['openstack']['orchestration']['api']['auth']['cafile'].nil? %>
+cafile=<%= node['openstack']['orchestration']['api']['auth']['cafile'] %>
+<% end %>
 
 # Verify HTTPS connections. (boolean value)
 #insecure=false
+insecure=<%= node['openstack']['orchestration']['api']['auth']['insecure'] %>
 
 # Directory used to cache files related to PKI tokens (string
 # value)
@@ -1183,6 +1187,9 @@ signing_dir=<%= node['openstack']['orchestration']['api']['auth']['cache_dir']
 # in-process. (list value)
 # Deprecated group/name - [DEFAULT]/memcache_servers
 #memcached_servers=<None>
+<% unless node['openstack']['orchestration']['api']['auth']['memcached_servers'].nil? %>
+memcached_servers=<%= node['openstack']['orchestration']['api']['auth']['memcached_servers'] %>
+<% end %>
 
 # In order to prevent excessive effort spent validating
 # tokens, the middleware caches previously-seen tokens for a
@@ -1205,11 +1212,17 @@ signing_dir=<%= node['openstack']['orchestration']['api']['auth']['cache_dir']
 # value is not one of these options or empty, auth_token will
 # raise an exception on initialization. (string value)
 #memcache_security_strategy=<None>
+<% unless node['openstack']['orchestration']['api']['auth']['memcache_security_strategy'].nil? %>
+memcache_security_strategy=<%= node['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] %>
+<% end %>
 
 # (optional, mandatory if memcache_security_strategy is
 # defined) this string is used for key derivation. (string
 # value)
 #memcache_secret_key=<None>
+<% unless node['openstack']['orchestration']['api']['auth']['memcache_secret_key'].nil? %>
+memcache_secret_key=<%= node['openstack']['orchestration']['api']['auth']['memcache_secret_key'] %>
+<% end %>
 
 # (optional) indicate whether to set the X-Service-Catalog
 # header. If False, middleware will not ask for service
@@ -1244,6 +1257,7 @@ signing_dir=<%= node['openstack']['orchestration']['api']['auth']['cache_dir']
 # should be set to a single value for better performance.
 # (list value)
 #hash_algorithms=md5
+hash_algorithms=<%= node['openstack']['orchestration']['api']['auth']['hash_algorithms'] %>
 
 [matchmaker_ring]