Add configuration options for JWS provider

This commit only introduces a new group for JWT configuration options that are specific to JWS. Even though the configuration group is named after JWT, the configuration options are specific to JWS. If keystone supports JWE token in the future, we will add new configuration options for key specific to that implementation as opposed to reusing JWS keys. It does not wire anything up to the actual token provider code. That will come in a later patch. bp json-web-tokens Change-Id: I8c9b249138a32f096d5edc84772099e9d780687b
2019-01-04 20:16:11 +00:00 · 2019-01-04 20:16:11 +00:00 · 781aea6193
commit 781aea6193
parent 8fe84eecf7
2 changed files with 60 additions and 0 deletions
--- a/keystone/conf/init.py
+++ b/keystone/conf/init.py
@ -35,6 +35,7 @@ from keystone.conf import fernet_receipts
 from keystone.conf import fernet_tokens
 from keystone.conf import identity
 from keystone.conf import identity_mapping
+from keystone.conf import jwt_tokens
 from keystone.conf import ldap
 from keystone.conf import memcache
 from keystone.conf import oauth1
@ -72,6 +73,7 @@ conf_modules = [
    fernet_tokens,
    identity,
    identity_mapping,
+    jwt_tokens,
    ldap,
    memcache,
    oauth1,
--- a/keystone/conf/jwt_tokens.py
+++ b/keystone/conf/jwt_tokens.py
@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+jws_public_key_repository = cfg.StrOpt(
+    'jws_public_key_repository',
+    default='/etc/keystone/jws-keys/public',
+    help=utils.fmt("""
+Directory containing public keys for validating JWS token signatures. This
+directory must exist in order for keystone's server process to start. It must
+also be readable by keystone's server process. It must contain at least one
+public key that corresponds to a private key in `keystone.conf [jwt_tokens]
+jws_private_key_repository`. This option is only applicable in deployments
+issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`.
+"""))
+jws_private_key_repository = cfg.StrOpt(
+    'jws_private_key_repository',
+    default='/etc/keystone/jws-keys/private',
+    help=utils.fmt("""
+Directory containing private keys for signing JWS tokens. This directory must
+exist in order for keystone's server process to start. It must also be readable
+by keystone's server process. It must contain at least one private key that
+corresponds to a public key in `keystone.conf [jwt_tokens]
+jws_public_key_repository`. In the event there are multiple private keys in
+this directory, keystone will use a key named `private.pem` to sign tokens. In
+the future, keystone may support the ability to sign tokens with multiple
+private keys. For now, only a key named `private.pem` within this directory is
+required to issue JWS tokens. This option is only applicable in deployments
+issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+    jws_public_key_repository,
+    jws_private_key_repository
+]
+
+
+def register_opts(conf):
+    conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+    return {GROUP_NAME: ALL_OPTS}