From a6ee6100c5c1dfc3c0657af19652e30d5bbdde74 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Tue, 7 Feb 2017 20:58:09 -0600 Subject: [PATCH] Resolved Keystone Federation bugs The keystone role needed a few updates to deal with modern Ansible. * The changeset pulls in the needed updates to resolve issues causing the keystone_sp plugin, which powers federation, to crash. * The changeset pulls in style changes for keystone cert sync removing the need for the role to leverage the now deprecated memcached key module. Closes-Bug: 1660626 Change-Id: I29d444c9631a7511123aa6cd521a20a0e7588645 Signed-off-by: Kevin Carter --- library/keystone_sp | 6 ++- tasks/keystone_federation_sp_setup.yml | 68 ++++++++++++++------------ tasks/main.yml | 4 +- 3 files changed, 45 insertions(+), 33 deletions(-) diff --git a/library/keystone_sp b/library/keystone_sp index 9b7081e1..71417328 100644 --- a/library/keystone_sp +++ b/library/keystone_sp @@ -15,6 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +import json # import module snippets from ansible.module_utils.basic import * @@ -80,6 +81,8 @@ class KeystoneSp(object): self.identities_return_list = list() self.protocols_return_list = list() self.sp_data = self.module.params['sp_data'] + if isinstance(self.sp_data, str): + self.sp_data = json.loads(self.sp_data.replace("'", '"')) def populate_sp_data(self): trusted_idp_list = self.sp_data['trusted_idp_list'] @@ -113,8 +116,7 @@ def main(): 'keystone_federated_protocols': ksp.protocols_return_list} ) except Exception as exp: - resp = {'stderr': exp} - module.fail_json(msg='Failed Process', **resp) + module.fail_json(msg='Failed Process: "%s"' % exp) if __name__ == '__main__': main() diff --git a/tasks/keystone_federation_sp_setup.yml b/tasks/keystone_federation_sp_setup.yml index ae845b58..36fcd0b7 100644 --- a/tasks/keystone_federation_sp_setup.yml +++ b/tasks/keystone_federation_sp_setup.yml 
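Review bot: The string-to-dict fallback added in the constructor, `self.sp_data = json.loads(self.sp_data.replace("'", '"'))`, only parses input that happens to be JSON written with single quotes; a Python-repr dict (the usual form when a templated dict reaches a module as a string) that contains `True`/`False`/`None`, or any value with an embedded apostrophe or already double-quoted, makes `json.loads` raise and the module fails on otherwise valid data, and the blanket quote swap corrupts any value that legitimately contains `'`. Safer is to let Ansible do the coercion by declaring `sp_data` with `type='dict'` in the argument_spec (not visible in this hunk), or to parse with `ast.literal_eval(self.sp_data)`, which accepts Python literals without executing code. Under the Python 2 interpreter Ansible modules ran on at the time, `isinstance(self.sp_data, str)` also misses `unicode`, so the check should use `string_types` from `ansible.module_utils.six`. The enclosing method begins outside the hunk.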
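Review bot: `module.fail_json(msg='Failed Process: "%s"' % exp)` drops the exception type, so a `KeyError` from `populate_sp_data` (for a missing `trusted_idp_list`, say) renders as `Failed Process: "'trusted_idp_list'"` with no hint that a key was missing, and the traceback is lost entirely because nothing else is passed to `fail_json`. Report both so operators can debug a federation setup failure: `module.fail_json(msg='Failed Process: %s: %s' % (type(exp).__name__, exp), exception=traceback.format_exc())`, with `import traceback` alongside the new `import json`. Note that a `ValueError` from the new `json.loads` path is caught here too and its message echoes a fragment of `sp_data`, which is acceptable for IdP metadata but worth keeping in mind if sensitive values are ever added to that structure. `main()` begins outside the hunk.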
@@ -37,38 +37,46 @@ - Restart service on other nodes - Restart Shibd -- name: Store Shibboleth SP key-pair - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "present" - server: "{{ memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert" } - - { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 +- name: Store sp cert + slurp: + src: "/etc/shibboleth/sp-cert.pem" + register: _keystone_sp_cert + changed_when: false when: inventory_hostname == groups['keystone_all'][0] -- name: Distribute the Shibboleth SP key-pair - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "retrieve" - file_mode: "{{ item.file_mode }}" - dir_mode: "{{ item.dir_mode }}" - server: "{{ memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert", file_mode: "0640", dir_mode: "0750" } - - { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key", file_mode: "0600", dir_mode: "0750" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 +- name: Store sp key + slurp: + src: "/etc/shibboleth/sp-key.pem" + register: _keystone_sp_key + changed_when: false + when: inventory_hostname == groups['keystone_all'][0] + +- name: Register a fact for the cert and key + set_fact: + keystone_sp_cert_fact: "{{ _keystone_sp_cert.content }}" + keystone_sp_key_fact: "{{ _keystone_sp_key.content }}" + when: inventory_hostname == groups['keystone_all'][0] + +- name: Distribute sp key + copy: + dest: "/etc/shibboleth/sp-key.pem" + content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_key_fact'] | b64decode }}" + owner: "{{ keystone_system_user_name }}" + group: "{{ keystone_system_group_name }}" + mode: "0640" + when: inventory_hostname != 
groups['keystone_all'][0] + notify: + - Restart service on first node + - Restart service on other nodes + - Restart Shibd + +- name: Distribute sp cert + copy: + dest: "/etc/shibboleth/sp-cert.pem" + content: "{{ hostvars[groups['keystone_all'][0]]['keystone_sp_cert_fact'] | b64decode }}" + owner: "{{ keystone_system_user_name }}" + group: "{{ keystone_system_group_name }}" + mode: "0640" when: inventory_hostname != groups['keystone_all'][0] notify: - Restart service on first node diff --git a/tasks/main.yml b/tasks/main.yml index 421a0dba..ca292bc4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -82,7 +82,9 @@ when: - keystone_database_enabled | bool - inventory_hostname == groups['keystone_all'][0] - - keystone_get_venv | changed or keystone_venv_dir | changed or install_packages | changed + - (keystone_get_venv is defined and keystone_get_venv | changed) or + (keystone_venv_dir is defined and keystone_venv_dir | changed) or + (install_packages is defined and install_packages | changed) tags: - keystone-config
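Review bot: The "Distribute sp key" task writes the Shibboleth SP private key with `mode: "0640"`, loosening it from the `0600` that the removed memcached "retrieve" task applied to `sp-key.pem`; the key copy should keep `mode: "0600"` while the cert can stay `0640`. The same key is also slurped, stored in `keystone_sp_key_fact` and written through `content:`, so its base64 form is printed in verbose or `--diff` output and, where fact caching is enabled, persisted on the controller in plaintext, whereas the old path at least wrapped it with `memcached_encryption_key`; add `no_log: true` to the "Store sp key", "Register a fact for the cert and key" and "Distribute sp key" tasks. The "Distribute sp cert" task's notify list continues past the end of the hunk.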
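Review bot: The rewritten `when:` condition silently evaluates to false when none of `keystone_get_venv`, `keystone_venv_dir` or `install_packages` is defined, which is what happens on a tag-limited run that skips the install tasks; the task (its name and module sit above the hunk) is then skipped with nothing telling the operator that the guard, rather than an unchanged install, caused it. If that is intended, say so above the condition: `# These registers are undefined when the install tasks were skipped (tag-limited run); skip the sync in that case too.`. As a style point, later Ansible releases deprecate the `| changed` filter in favour of the `is changed` test, so this expression will need revisiting when the role's minimum Ansible version moves.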