Deprecate PKI parameters in novajoin

In nova::metadata::novajoin::authtoken there is also
PKI parameters that needs to be deprecated or else
rspec testing fails since it's removed in puppet-oslo.

Change-Id: I489f10502ccaec40e72d08f5449965ad68b673aa

manifests/metadata/novajoin/authtoken.pp

@@ -63,12 +63,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@@ -178,6 +161,25 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# === Deprecated parameters
+#
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to $::os_service_default.
+#
 class nova::metadata::novajoin::authtoken(
   $username                       = 'novajoin',
   $password                       = $::os_service_default,
@@ -193,10 +195,8 @@ class nova::metadata::novajoin::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -213,12 +213,23 @@ class nova::metadata::novajoin::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  ## DEPRECATED PARAMETERS
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   if is_service_default($password) {
     fail('Please set password for novajoin service user')
   }
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached is deprecated, will be removed and has no effect')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms is deprecated, will be removed and has no effect')
+  }
+
   keystone::resource::authtoken { 'novajoin_config':
     username                       => $username,
     password                       => $password,
@@ -234,10 +245,8 @@ class nova::metadata::novajoin::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,

spec/classes/nova_metadata_novajoin_authtoken_spec.rb

@@ -25,10 +25,8 @@ describe 'nova::metadata::novajoin::authtoken' do
         is_expected.to contain_novajoin_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_novajoin_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_novajoin_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_novajoin_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_novajoin_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_novajoin_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_novajoin_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_novajoin_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_novajoin_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_novajoin_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -65,10 +63,8 @@ describe 'nova::metadata::novajoin::authtoken' do
           :cafile                               =>
 '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -104,10 +100,8 @@ describe 'nova::metadata::novajoin::authtoken' do
         is_expected.to contain_novajoin_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_novajoin_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_novajoin_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_novajoin_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_novajoin_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_novajoin_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_novajoin_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_novajoin_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_novajoin_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_novajoin_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])