From bd2f2472554d21627aec60bb6ff2797f981eb4fe Mon Sep 17 00:00:00 2001
From: ZhongShengping <chdzsp@163.com>
Date: Thu, 22 Nov 2018 11:31:55 +0800
Subject: [PATCH] Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removel because of PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I5a0a697afbabe6312e2a2b46f70f51964649a9da
Closes-Bug: #1804562
Closes-Bug: #1804720
---
 manifests/keystone/authtoken.pp               | 48 +++++++++++--------
 ...i_related_parameters-85dada9800e64a55.yaml |  6 +++
 .../barbican_keystone_authtoken_spec.rb       |  6 ---
 3 files changed, 33 insertions(+), 27 deletions(-)
 create mode 100644 releasenotes/notes/deprecate_pki_related_parameters-85dada9800e64a55.yaml

diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 02eee34c..bd80eab5 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -63,12 +63,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#  the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@@ -184,6 +167,23 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#  the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef.
+#
 class barbican::keystone::authtoken(
   $password                       = $::os_service_default,
   $username                       = 'barbican',
@@ -199,10 +199,8 @@ class barbican::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -221,6 +219,8 @@ class barbican::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::barbican::deps
@@ -234,6 +234,14 @@ class barbican::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'barbican_config':
     username                       => $username,
     password                       => $password,
@@ -249,10 +257,8 @@ class barbican::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,
diff --git a/releasenotes/notes/deprecate_pki_related_parameters-85dada9800e64a55.yaml b/releasenotes/notes/deprecate_pki_related_parameters-85dada9800e64a55.yaml
new file mode 100644
index 00000000..7aa4e60a
--- /dev/null
+++ b/releasenotes/notes/deprecate_pki_related_parameters-85dada9800e64a55.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.
diff --git a/spec/classes/barbican_keystone_authtoken_spec.rb b/spec/classes/barbican_keystone_authtoken_spec.rb
index 315707f8..0f418132 100644
--- a/spec/classes/barbican_keystone_authtoken_spec.rb
+++ b/spec/classes/barbican_keystone_authtoken_spec.rb
@@ -44,10 +44,8 @@ describe 'barbican::keystone::authtoken' do
         is_expected.to contain_barbican_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_barbican_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_barbican_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_barbican_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_barbican_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_barbican_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_barbican_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_barbican_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_barbican_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_barbican_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -83,10 +81,8 @@ describe 'barbican::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -121,10 +117,8 @@ describe 'barbican::keystone::authtoken' do
         is_expected.to contain_barbican_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_barbican_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_barbican_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_barbican_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_barbican_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_barbican_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_barbican_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_barbican_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_barbican_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_barbican_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])