Implement resource to configure parameters to use service token

Recently we have service_token feature implemented in some OpenStack
services, like nova or cinder, to avoid problems in cross-compnent
interfaction caused by token expiration.

This patch introduces new class to configure required options
to use that feature.

Change-Id: I8ff7de2f59d7963130860f4a71596420e58ccb54

manifests/resource/authtoken.pp

@@ -352,5 +352,6 @@ define keystone::resource::authtoken(
     'keystone_authtoken/service_token_roles'            => {'value' => $service_token_roles},
     'keystone_authtoken/service_token_roles_required'   => {'value' => $service_token_roles_required},
   }
+
   create_resources($name, $keystonemiddleware_options)
 }

manifests/resource/service_user.pp

@@ -0,0 +1,108 @@
+# == Definition: keystone::resource::service_user
+#
+# This resource configures Keystone authentication resources to make OpenStack
+# services like nova or cinder use service token feature. It will manage the
+# [service_user] section in the given config resource.
+#
+# == Parameters:
+#
+# [*name*]
+#  (Required) The name of the resource corresponding to the config file.
+#  For example, keystone::resource::service_user { 'nova_config': ... }
+#  Where 'nova_config' is the name of the resource used to manage
+#  the nova configuration.
+#
+# [*username*]
+#  (Required) The name of the service user
+#
+# [*password*]
+#  (Required) Password to create for the service user
+#
+# [*auth_url*]
+#  (Required) The URL to use for authentication.
+#
+# [*project_name*]
+#  (Required) Service project name
+#
+# [*user_domain_name*]
+#  (Optional) Name of domain for $username
+#  Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#  (Optional) Name of domain for $project_name
+#  Defaults to $::os_service_default
+#
+# [*send_service_user_token*]
+#  (Optional) The service uses service token feature when this is set as true
+#  Defaults to false
+#
+# [*insecure*]
+#  (Optional) If true, explicitly allow TLS without checking server cert
+#  against any certificate authorities.  WARNING: not recommended.  Use with
+#  caution.
+#  Defaults to $::os_service_default
+#
+# [*auth_type*]
+#  (Optional) Authentication type to load
+#  Defaults to $::os_service_default
+#
+# [*auth_version*]
+#  (Optional) API version of the admin Identity API endpoint.
+#  Defaults to $::os_service_default.
+#
+# [*cafile*]
+#  (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#  connections.
+#  Defaults to $::os_service_default.
+#
+# [*certfile*]
+#  (Optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#  (Optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default.
+#
+# [*region_name*]
+#  (Optional) The region in which the identity server can be found.
+#  Defaults to $::os_service_default.
+#
+define keystone::resource::service_user(
+  $username,
+  $password,
+  $auth_url,
+  $project_name,
+  $user_domain_name        = $::os_service_default,
+  $project_domain_name     = $::os_service_default,
+  $send_service_user_token = false,
+  $insecure                = $::os_service_default,
+  $auth_type               = $::os_service_default,
+  $auth_version            = $::os_service_default,
+  $cafile                  = $::os_service_default,
+  $certfile                = $::os_service_default,
+  $keyfile                 = $::os_service_default,
+  $region_name             = $::os_service_default,
+) {
+
+  include ::keystone::params
+  include ::keystone::deps
+
+  $service_user_options = {
+    'service_user/auth_type'               => {'value' => $auth_type},
+    'service_user/auth_version'            => {'value' => $auth_version},
+    'service_user/cafile'                  => {'value' => $cafile},
+    'service_user/certfile'                => {'value' => $certfile},
+    'service_user/keyfile'                 => {'value' => $keyfile},
+    'service_user/region_name'             => {'value' => $region_name},
+    'service_user/auth_url'                => {'value' => $auth_url},
+    'service_user/username'                => {'value' => $username},
+    'service_user/password'                => {'value' => $password, 'secret' => true},
+    'service_user/user_domain_name'        => {'value' => $user_domain_name},
+    'service_user/project_name'            => {'value' => $project_name},
+    'service_user/project_domain_name'     => {'value' => $project_domain_name},
+    'service_user/send_service_user_token' => {'value' => $send_service_user_token},
+    'service_user/insecure'                => {'value' => $insecure},
+  }
+
+  create_resources($name, $service_user_options)
+}

releasenotes/notes/service_token-d49c87af77b8c39b.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    New resource, keystone::resource::service_user, is available to configure
+    Keystone authentication parameters to use service token feature.

spec/defines/keystone_resource_authtoken_spec.rb

@@ -93,12 +93,15 @@ describe 'keystone::resource::authtoken' do
         is_expected.to contain_keystone_config('keystone_authtoken/www_authenticate_uri').with_value(params[:www_authenticate_uri])
         is_expected.to contain_keystone_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
         is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value(params[:cache])
+        is_expected.to contain_keystone_config('keystone_authtoken/cafile').with_value(params[:cafile])
+        is_expected.to contain_keystone_config('keystone_authtoken/certfile').with_value(params[:certfile])
         is_expected.to contain_keystone_config('keystone_authtoken/collect_timing').with_value(params[:collect_timing])
         is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
         is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
+        is_expected.to contain_keystone_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
         is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')

spec/defines/keystone_resource_service_user_spec.rb

@@ -0,0 +1,97 @@
+require 'spec_helper'
+
+describe 'keystone::resource::service_user' do
+
+  let (:title) { 'keystone_config' }
+
+  let :params do
+    { :username     => 'keystone',
+      :password     => 'secret',
+      :auth_url     => 'http://127.0.0.1:5000',
+      :project_name => 'services' }
+  end
+
+  shared_examples 'shared examples' do
+    context 'with only required parameters' do
+      it 'configures keystone service_user' do
+        is_expected.to contain_keystone_config('service_user/username').with_value('keystone')
+        is_expected.to contain_keystone_config('service_user/password').with_value('secret').with_secret(true)
+        is_expected.to contain_keystone_config('service_user/auth_url').with_value( params[:auth_url] )
+        is_expected.to contain_keystone_config('service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/send_service_user_token').with_value(false)
+        is_expected.to contain_keystone_config('service_user/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/auth_type').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/auth_version').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('service_user/region_name').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'set all keystone service_user parameters' do
+      before do
+        params.merge! ({
+          :username                     => 'username',
+          :password                     => 'hardpassword',
+          :auth_url                     => 'http://127.1.1.127:5000/',
+          :project_name                 => 'NoProject',
+          :user_domain_name             => 'MyDomain',
+          :project_domain_name          => 'OurDomain',
+          :send_service_user_token      =>  true,
+          :insecure                     =>  true,
+          :auth_type                    => 'password',
+          :auth_version                 => '3',
+          :cafile                       => 'cafile.pem',
+          :certfile                     => 'certfile.crt',
+          :keyfile                      => 'somekey.key',
+          :region_name                  => 'MyRegion',
+        })
+      end
+      it 'override keystone service_user parameters' do
+        is_expected.to contain_keystone_config('service_user/username').with_value(params[:username])
+        is_expected.to contain_keystone_config('service_user/password').with_value(params[:password]).with_secret(true)
+        is_expected.to contain_keystone_config('service_user/auth_url').with_value( params[:auth_url] )
+        is_expected.to contain_keystone_config('service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('service_user/user_domain_name').with_value(params[:user_domain_name])
+        is_expected.to contain_keystone_config('service_user/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_keystone_config('service_user/send_service_user_token').with_value(params[:send_service_user_token])
+        is_expected.to contain_keystone_config('service_user/insecure').with_value(params[:insecure])
+        is_expected.to contain_keystone_config('service_user/auth_version').with_value(params[:auth_version])
+        is_expected.to contain_keystone_config('service_user/cafile').with_value(params[:cafile])
+        is_expected.to contain_keystone_config('service_user/certfile').with_value(params[:certfile])
+        is_expected.to contain_keystone_config('service_user/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_keystone_config('service_user/region_name').with_value(params[:region_name])
+      end
+    end
+
+    context 'without password required parameter' do
+      let :params do
+        params.delete(:password)
+      end
+      it { expect { is_expected.to raise_error(Puppet::Error) } }
+    end
+
+    context 'without specify project' do
+      let :params do
+        params.delete(:project_name)
+      end
+      it { expect { is_expected.to raise_error(Puppet::Error) } }
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      include_examples 'shared examples'
+    end
+  end
+
+end