Merge "Support system/domain scope credential"

5 months ago · 003aef1282
4 changed files with 101 additions and 7 deletions
--- a/lib/puppet/provider/openstack/auth.rb
+++ b/lib/puppet/provider/openstack/auth.rb
@ -32,14 +32,14 @@ module Puppet::Provider::Openstack::Auth
    RCFILENAME
  end

-  def request(service, action, properties=nil, options={})
+  def request(service, action, properties=nil, options={}, scope='project')
    properties ||= []
    set_credentials(@credentials, get_os_vars_from_env)
-    unless @credentials.set?
+    unless @credentials.set? and (!@credentials.scope_set? or @credentials.scope == scope)
      @credentials.unset
      set_credentials(@credentials, get_os_vars_from_rcfile(rc_filename))
    end
-    unless @credentials.set?
+    unless @credentials.set? and (!@credentials.scope_set? or @credentials.scope == scope)
      raise(Puppet::Error::OpenstackAuthInputError, 'Insufficient credentials to authenticate')
    end
    super(service, action, properties, @credentials, options)
--- a/lib/puppet/provider/openstack/credentials.rb
+++ b/lib/puppet/provider/openstack/credentials.rb
@ -40,6 +40,20 @@ class Puppet::Provider::Openstack::Credentials
    env
  end

+  def scope_set?
+    @project_name
+  end
+
+  def scope
+    if @project_name
+      return 'project'
+    else
+      # When only service token is used, there is not way to determine
+      # the scope unless we inspect the token using keystone API call.
+      return nil
+    end
+  end
+
  def user_password_set?
    return true if @username && @password && @project_name && @auth_url
  end
@ -70,6 +84,7 @@ class Puppet::Provider::Openstack::CredentialsV3 < Puppet::Provider::Openstack::
    :project_domain_id,
    :project_domain_name,
    :project_id,
+    :system_scope,
    :trust_id,
    :user_domain_id,
    :user_domain_name,
@ -82,8 +97,28 @@ class Puppet::Provider::Openstack::CredentialsV3 < Puppet::Provider::Openstack::
    KEYS.include?(name.to_sym) || super
  end

+  def user_set?
+    @username || @user_id
+  end
+
+  def scope_set?
+    @system_scope || @domain_name || @domain_id || @project_name || @project_id
+  end
+
+  def scope
+    if @project_name || @project_id
+      return 'project'
+    elsif @domain_name || @domain_id
+      return 'domain'
+    elsif @system_scope
+      return 'system'
+    else
+      return nil
+    end
+  end
+
  def user_password_set?
-    return true if (@username || @user_id) && @password && (@project_name || @project_id) && @auth_url
+    return true if user_set? && @password && scope_set? && @auth_url
  end

  def initialize
--- a/releasenotes/notes/system-scope-credential-113608525e12a22d.yaml
+++ b/releasenotes/notes/system-scope-credential-113608525e12a22d.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Now ``Puppet::Provider::Openstack::CredentialsV3`` supports system scope
+    credential and domain scope credential in addition to project scope
+    credential.
--- a/spec/unit/provider/openstack/credentials_spec.rb
+++ b/spec/unit/provider/openstack/credentials_spec.rb
@ -47,7 +47,7 @@ describe Puppet::Provider::Openstack::Credentials do

  describe '#password_set?' do
    context "with user credentials" do
-      it 'is successful' do
+      it 'is successful with project scope credential' do
        creds.auth_url = 'auth_url'
        creds.password = 'password'
        creds.project_name = 'project_name'
@ -56,6 +56,24 @@ describe Puppet::Provider::Openstack::Credentials do
        expect(creds.service_token_set?).to be_falsey
      end

+      it 'is successful with project scope credential' do
+        creds.auth_url = 'auth_url'
+        creds.password = 'password'
+        creds.domain_name = 'domain_name'
+        creds.username = 'username'
+        expect(creds.user_password_set?).to be_truthy
+        expect(creds.service_token_set?).to be_falsey
+      end
+
+      it 'is successful with system scope credential' do
+        creds.auth_url = 'auth_url'
+        creds.password = 'password'
+        creds.system_scope = 'all'
+        creds.username = 'username'
+        expect(creds.user_password_set?).to be_truthy
+        expect(creds.service_token_set?).to be_falsey
+      end
+
      it 'fails' do
        creds.auth_url = 'auth_url'
        creds.password = 'password'
@ -87,18 +105,22 @@ describe Puppet::Provider::Openstack::Credentials do
        creds.password = 'password'
        creds.project_name = 'project_name'
        creds.domain_name = 'domain_name'
+        creds.system_scope = 'system_scope'
        creds.username = 'username'
        creds.token = 'token'
        creds.endpoint = 'endpoint'
+        creds.region_name = 'region_name'
        creds.identity_api_version = 'identity_api_version'
        creds.unset
        expect(creds.auth_url).to eq('')
        expect(creds.password).to eq('')
        expect(creds.project_name).to eq('')
        expect(creds.domain_name).to eq('')
+        expect(creds.system_scope).to eq('')
        expect(creds.username).to eq('')
        expect(creds.token).to eq('')
        expect(creds.endpoint).to eq('')
+        expect(creds.region_name).to eq('')
        expect(creds.identity_api_version).to eq('identity_api_version')
        newcreds = Puppet::Provider::Openstack::CredentialsV3.new
        expect(newcreds.identity_api_version).to eq('3')
@ -112,20 +134,24 @@ describe Puppet::Provider::Openstack::Credentials do
        creds.auth_url = 'auth_url'
        creds.password = 'password'
        creds.project_name = 'project_name'
+        creds.domain_name = 'domain_name'
+        creds.system_scope = 'all'
        creds.username = 'username'
        creds.token = 'token'
        creds.endpoint = 'endpoint'
-        creds.identity_api_version = 'identity_api_version'
        creds.region_name = 'Region1'
+        creds.identity_api_version = 'identity_api_version'
        expect(creds.to_env).to eq({
          'OS_USERNAME'             => 'username',
          'OS_PASSWORD'             => 'password',
          'OS_PROJECT_NAME'         => 'project_name',
+          'OS_DOMAIN_NAME'          => 'domain_name',
+          'OS_SYSTEM_SCOPE'         => 'all',
          'OS_AUTH_URL'             => 'auth_url',
          'OS_TOKEN'                => 'token',
          'OS_ENDPOINT'             => 'endpoint',
-          'OS_IDENTITY_API_VERSION' => 'identity_api_version',
          'OS_REGION_NAME'          => 'Region1',
+          'OS_IDENTITY_API_VERSION' => 'identity_api_version',
        })
      end
    end
@ -149,6 +175,24 @@ describe Puppet::Provider::Openstack::Credentials do
        expect(creds.user_password_set?).to be_truthy
      end
    end
+    describe '#password_set? with username and domain_name' do
+      it 'is successful' do
+        creds.auth_url = 'auth_url'
+        creds.password = 'password'
+        creds.domain_name = 'domain_name'
+        creds.username = 'username'
+        expect(creds.user_password_set?).to be_truthy
+      end
+    end
+    describe '#password_set? with username and system_scope' do
+      it 'is successful' do
+        creds.auth_url = 'auth_url'
+        creds.password = 'password'
+        creds.system_scope = 'all'
+        creds.username = 'username'
+        expect(creds.user_password_set?).to be_truthy
+      end
+    end
    describe '#password_set? with user_id and project_id' do
      it 'is successful' do
        creds.auth_url = 'auth_url'
@ -158,5 +202,14 @@ describe Puppet::Provider::Openstack::Credentials do
        expect(creds.user_password_set?).to be_truthy
      end
    end
+    describe '#password_set? with user_id and domain_id' do
+      it 'is successful' do
+        creds.auth_url = 'auth_url'
+        creds.password = 'password'
+        creds.domain_id = 'domid'
+        creds.user_id = 'userid'
+        expect(creds.user_password_set?).to be_truthy
+      end
+    end
  end
 end