key_manager: Add service user options for Barbican key manager

This change introduces some parameters to set up the service user token
feature for Barbican key manager, which was implemented during the Xena
cycle[1].

This basically replicates the implementation in puppet-keystone class.
We should not make this dependent on puppet-keystone to avoid circular
dependency between puppet-oslo and puppet-keystone.

[1] 162039467ad0dfc5e25a16b75d9072d607690702

Change-Id: I6d94318929cf4bcfc61180494110d0e5812356c0

manifests/key_manager/barbican.pp

@@ -37,25 +37,31 @@
 #   (Optional) Specifies the region of the chosen endpoint.
 #   Defaults to $::os_service_default
 #
+# [*send_service_user_token*]
+#   (Optional) The service uses service token feature when this is set as true.
+#   Defaults to $::os_service_default
+#
 define oslo::key_manager::barbican (
-  $config                 = $name,
-  $barbican_endpoint      = $::os_service_default,
-  $barbican_api_version   = $::os_service_default,
-  $auth_endpoint          = $::os_service_default,
-  $retry_delay            = $::os_service_default,
-  $number_of_retries      = $::os_service_default,
-  $barbican_endpoint_type = $::os_service_default,
-  $barbican_region_name   = $::os_service_default,
+  $config                  = $name,
+  $barbican_endpoint       = $::os_service_default,
+  $barbican_api_version    = $::os_service_default,
+  $auth_endpoint           = $::os_service_default,
+  $retry_delay             = $::os_service_default,
+  $number_of_retries       = $::os_service_default,
+  $barbican_endpoint_type  = $::os_service_default,
+  $barbican_region_name    = $::os_service_default,
+  $send_service_user_token = $::os_service_default,
 ) {
 
   $barbican_options = {
-    'barbican/barbican_endpoint'      => { value => $barbican_endpoint },
-    'barbican/barbican_api_version'   => { value => $barbican_api_version },
-    'barbican/auth_endpoint'          => { value => $auth_endpoint },
-    'barbican/retry_delay'            => { value => $retry_delay },
-    'barbican/number_of_retries'      => { value => $number_of_retries },
-    'barbican/barbican_endpoint_type' => { value => $barbican_endpoint_type },
-    'barbican/barbican_region_name'   => { value => $barbican_region_name },
+    'barbican/barbican_endpoint'       => { value => $barbican_endpoint },
+    'barbican/barbican_api_version'    => { value => $barbican_api_version },
+    'barbican/auth_endpoint'           => { value => $auth_endpoint },
+    'barbican/retry_delay'             => { value => $retry_delay },
+    'barbican/number_of_retries'       => { value => $number_of_retries },
+    'barbican/barbican_endpoint_type'  => { value => $barbican_endpoint_type },
+    'barbican/barbican_region_name'    => { value => $barbican_region_name },
+    'barbican/send_service_user_token' => { value => $send_service_user_token },
   }
 
   create_resources($config, $barbican_options)

manifests/key_manager/barbican/service_user.pp

@@ -0,0 +1,97 @@
+# == Definition: oslo::key_manager::barbican::service_user
+#
+# Setup and configure the service token feature for Barbican Key Manager
+#
+# == Parameters:
+#
+# [*name*]
+#  (Required) The name of the resource corresponding to the config file.
+#  For example, oslo::key_manager::barbican::service_user { 'nova_config': ... }
+#  Where 'nova_config' is the name of the resource used to manage
+#  the nova configuration.
+#
+# [*username*]
+#  (Required) The name of the service user
+#
+# [*password*]
+#  (Required) Password to create for the service user
+#
+# [*auth_url*]
+#  (Required) The URL to use for authentication.
+#
+# [*project_name*]
+#  (Required) Service project name
+#
+# [*user_domain_name*]
+#  (Optional) Name of domain for $username
+#  Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#  (Optional) Name of domain for $project_name
+#  Defaults to $::os_service_default
+#
+# [*insecure*]
+#  (Optional) If true, explicitly allow TLS without checking server cert
+#  against any certificate authorities.  WARNING: not recommended.  Use with
+#  caution.
+#  Defaults to $::os_service_default
+#
+# [*auth_type*]
+#  (Optional) Authentication type to load
+#  Defaults to $::os_service_default
+#
+# [*auth_version*]
+#  (Optional) API version of the admin Identity API endpoint.
+#  Defaults to $::os_service_default.
+#
+# [*cafile*]
+#  (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#  connections.
+#  Defaults to $::os_service_default.
+#
+# [*certfile*]
+#  (Optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#  (Optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default.
+#
+# [*region_name*]
+#  (Optional) The region in which the identity server can be found.
+#  Defaults to $::os_service_default.
+#
+define oslo::key_manager::barbican::service_user(
+  $username,
+  $password,
+  $auth_url,
+  $project_name,
+  $user_domain_name        = $::os_service_default,
+  $project_domain_name     = $::os_service_default,
+  $insecure                = $::os_service_default,
+  $auth_type               = $::os_service_default,
+  $auth_version            = $::os_service_default,
+  $cafile                  = $::os_service_default,
+  $certfile                = $::os_service_default,
+  $keyfile                 = $::os_service_default,
+  $region_name             = $::os_service_default,
+) {
+
+  $service_user_options = {
+    'barbican_service_user/auth_type'           => {'value' => $auth_type},
+    'barbican_service_user/auth_version'        => {'value' => $auth_version},
+    'barbican_service_user/cafile'              => {'value' => $cafile},
+    'barbican_service_user/certfile'            => {'value' => $certfile},
+    'barbican_service_user/keyfile'             => {'value' => $keyfile},
+    'barbican_service_user/region_name'         => {'value' => $region_name},
+    'barbican_service_user/auth_url'            => {'value' => $auth_url},
+    'barbican_service_user/username'            => {'value' => $username},
+    'barbican_service_user/password'            => {'value' => $password, 'secret' => true},
+    'barbican_service_user/user_domain_name'    => {'value' => $user_domain_name},
+    'barbican_service_user/project_name'        => {'value' => $project_name},
+    'barbican_service_user/project_domain_name' => {'value' => $project_domain_name},
+    'barbican_service_user/insecure'            => {'value' => $insecure},
+  }
+
+  create_resources($name, $service_user_options)
+}

releasenotes/notes/barbican_service_user-a8ac0abd364927d8.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The following parameter and resource type have been added, to support usage
+    of the service token feature with the Barbican key manager.
+
+    - The ``oslo::key_manager::barbican::send_service_user_token`` parameter
+    - The ``oslo::key_manager::barbican::service_user`` resource type

spec/defines/oslo_key_manager_barbican_service_user_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper'
+
+describe 'oslo::key_manager::barbican::service_user' do
+
+  let (:title) { 'keystone_config' }
+
+  let :params do
+    { :username     => 'keystone',
+      :password     => 'secret',
+      :auth_url     => 'http://127.0.0.1:5000',
+      :project_name => 'services' }
+  end
+
+  shared_examples 'oslo::key_manager::barbican::service_user' do
+    context 'with only required parameters' do
+      it 'configures keystone service_user' do
+        is_expected.to contain_keystone_config('barbican_service_user/username').with_value('keystone')
+        is_expected.to contain_keystone_config('barbican_service_user/password').with_value('secret').with_secret(true)
+        is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/auth_type').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'set all keystone service_user parameters' do
+      before do
+        params.merge! ({
+          :username            => 'username',
+          :password            => 'hardpassword',
+          :auth_url            => 'http://127.1.1.127:5000/',
+          :project_name        => 'NoProject',
+          :user_domain_name    => 'MyDomain',
+          :project_domain_name => 'OurDomain',
+          :insecure            =>  true,
+          :auth_type           => 'password',
+          :auth_version        => '3',
+          :cafile              => 'cafile.pem',
+          :certfile            => 'certfile.crt',
+          :keyfile             => 'somekey.key',
+          :region_name         => 'MyRegion',
+        })
+      end
+      it 'override keystone service_user parameters' do
+        is_expected.to contain_keystone_config('barbican_service_user/username').with_value(params[:username])
+        is_expected.to contain_keystone_config('barbican_service_user/password').with_value(params[:password]).with_secret(true)
+        is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value(params[:user_domain_name])
+        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value(params[:insecure])
+        is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value(params[:auth_version])
+        is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
+        is_expected.to contain_keystone_config('barbican_service_user/certfile').with_value(params[:certfile])
+        is_expected.to contain_keystone_config('barbican_service_user/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_keystone_config('barbican_service_user/region_name').with_value(params[:region_name])
+      end
+    end
+
+    context 'without password required parameter' do
+      let :params do
+        params.delete(:password)
+      end
+      it { expect { is_expected.to raise_error(Puppet::Error) } }
+    end
+
+    context 'without specify project' do
+      let :params do
+        params.delete(:project_name)
+      end
+      it { expect { is_expected.to raise_error(Puppet::Error) } }
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      include_examples 'oslo::key_manager::barbican::service_user'
+    end
+  end
+
+end

spec/defines/oslo_key_manager_barbican_spec.rb

@@ -19,19 +19,21 @@ describe 'oslo::key_manager::barbican' do
         is_expected.to contain_keystone_config('barbican/number_of_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value('<SERVICE DEFAULT>')
       end
     end
 
     context 'with parameters overridden' do
       let :params do
         {
-          :barbican_endpoint      => 'http://localhost:9311/',
-          :barbican_api_version   => 'v1',
-          :auth_endpoint          => 'http://localhost:5000',
-          :retry_delay            => 1,
-          :number_of_retries      => 60,
-          :barbican_endpoint_type => 'public',
-          :barbican_region_name   => 'regionOne',
+          :barbican_endpoint       => 'http://localhost:9311/',
+          :barbican_api_version    => 'v1',
+          :auth_endpoint           => 'http://localhost:5000',
+          :retry_delay             => 1,
+          :number_of_retries       => 60,
+          :barbican_endpoint_type  => 'public',
+          :barbican_region_name    => 'regionOne',
+          :send_service_user_token => true,
         }
       end
 
@@ -43,6 +45,7 @@ describe 'oslo::key_manager::barbican' do
         is_expected.to contain_keystone_config('barbican/number_of_retries').with_value(60)
         is_expected.to contain_keystone_config('barbican/barbican_endpoint_type').with_value('public')
         is_expected.to contain_keystone_config('barbican/barbican_region_name').with_value('regionOne')
+        is_expected.to contain_keystone_config('barbican/send_service_user_token').with_value(true)
       end
     end
   end