Merge "Add a new param for fernet tokens config"

2015-11-12 04:06:15 +00:00
parent 0fc92fc63e c3c11dc5ad
commit 976763705c
2 changed files with 20 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -79,6 +79,14 @@
 #   (optional) Driver for token revocation.
 #   Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
 #
+# [*revoke_by_id*]
+#   (optional) Revoke token by token identifier.
+#   Setting revoke_by_id to true enables various forms of enumerating tokens.
+#   These enumerations are processed to determine the list of tokens to revoke.
+#   Only disable if you are switching to using the Revoke extension with a backend
+#   other than KVS, which stores events in memory.
+#   Defaults to true.
+#
 # [*cache_dir*]
 #   (optional) Directory created when token_provider is pki.
 #   Defaults to /var/cache/keystone.
@@ -482,6 +490,7 @@ class keystone(
  $token_driver                       = 'keystone.token.persistence.backends.sql.Token',
  $token_expiration                   = 3600,
  $revoke_driver                      = 'keystone.contrib.revoke.backends.sql.Revoke',
+  $revoke_by_id                       = true,
  $public_endpoint                    = false,
  $admin_endpoint                     = false,
  $enable_ssl                         = false,
@@ -960,6 +969,8 @@ class keystone(
    }
  }

+  keystone_config {'token/revoke_by_id':   value => $revoke_by_id}
+
  if $fernet_key_repository {
    keystone_config {
        'fernet_tokens/key_repository':   value => $fernet_key_repository;
--- a/spec/classes/keystone_spec.rb
+++ b/spec/classes/keystone_spec.rb
@@ -35,6 +35,7 @@ describe 'keystone' do
      'token_provider'                      => 'keystone.token.providers.uuid.Provider',
      'token_driver'                        => 'keystone.token.persistence.backends.sql.Token',
      'revoke_driver'                       => 'keystone.contrib.revoke.backends.sql.Revoke',
+      'revoke_by_id'                        => true,
      'cache_dir'                           => '/var/cache/keystone',
      'enable_ssl'                          => false,
      'ssl_certfile'                        => '/etc/keystone/ssl/certs/keystone.pem',
@@ -76,6 +77,7 @@ describe 'keystone' do
      'token_provider'                      => 'keystone.token.providers.uuid.Provider',
      'token_driver'                        => 'keystone.token.backends.kvs.Token',
      'revoke_driver'                       => 'keystone.contrib.revoke.backends.kvs.Revoke',
+      'revoke_by_id'                        => false,
      'public_endpoint'                     => 'https://localhost:5000/v2.0/',
      'admin_endpoint'                      => 'https://localhost:35357/v2.0/',
      'enable_ssl'                          => true,
@@ -186,6 +188,10 @@ describe 'keystone' do
      is_expected.to contain_keystone_config('revoke/driver').with_value(param_hash['revoke_driver'])
    end

+    it 'should contain default revoke_by_id value ' do
+      is_expected.to contain_keystone_config('token/revoke_by_id').with_value(param_hash['revoke_by_id'])
+    end
+
    it 'should ensure proper setting of admin_endpoint and public_endpoint' do
      if param_hash['admin_endpoint']
        is_expected.to contain_keystone_config('DEFAULT/admin_endpoint').with_value(param_hash['admin_endpoint'])
@@ -765,6 +771,7 @@ describe 'keystone' do
        default_params.merge({
          'enable_fernet_setup'    => true,
          'fernet_max_active_keys' => 5,
+          'revoke_by_id'           => false,
        })
      end

@@ -772,6 +779,7 @@ describe 'keystone' do
        :creates => '/etc/keystone/fernet-keys/0'
      ) }
      it { is_expected.to contain_keystone_config('fernet_tokens/max_active_keys').with_value(5)}
+      it { is_expected.to contain_keystone_config('token/revoke_by_id').with_value(false)}
    end

    describe 'when overriding the fernet key directory' do
@@ -909,4 +917,5 @@ describe 'keystone' do
    it_configures 'when using default class parameters for httpd'
    it_configures 'when configuring default domain'
  end
+
 end