From a4c362131b242612c787e48b0ea0fb49a09a3f55 Mon Sep 17 00:00:00 2001
From: ZhongShengping <chdzsp@163.com>
Date: Thu, 22 Nov 2018 11:31:58 +0800
Subject: [PATCH] Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removel because of PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I98c88882d49d2d3f59535eef1c3b3d75af7f35f9
Closes-Bug: #1804562
Closes-Bug: #1804720
---
 manifests/keystone/authtoken.pp               | 48 +++++++++++--------
 ...i_related_parameters-aeecfa846786582d.yaml |  6 +++
 spec/classes/panko_keystone_authtoken_spec.rb |  6 ---
 3 files changed, 33 insertions(+), 27 deletions(-)
 create mode 100644 releasenotes/notes/deprecate_pki_related_parameters-aeecfa846786582d.yaml

diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index b104aec..39718cc 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -62,12 +62,6 @@
 #  (Optional) Required if identity server requires client certificate
 #  Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#  (Optional) If true, the revocation list will be checked for cached tokens.
-#  This requires that PKI tokens are configured on the identity server.
-#  boolean value.
-#  Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #  (Optional) Do not handle authorization requests within the middleware, but
 #  delegate the authorization decision to downstream WSGI components. Boolean
@@ -84,17 +78,6 @@
 #  must be present in tokens. String value.
 #  Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#  (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#  single algorithm or multiple. The algorithms are those supported by Python
-#  standard hashlib.new(). The hashes will be tried in the order given, so put
-#  the preferred one first for performance. The result of the first hash will
-#  be stored in the cache. This will typically be set to multiple values only
-#  while migrating from a less secure algorithm to a more secure one. Once all
-#  the old tokens are expired this option should be set to a single value for
-#  better performance. List value.
-#  Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #  (Optional) Request timeout value for communicating with Identity API
 #  server.
@@ -188,6 +171,23 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#  (Optional) If true, the revocation list will be checked for cached tokens.
+#  This requires that PKI tokens are configured on the identity server.
+#  boolean value.
+#  Defaults to undef.
+#
+# [*hash_algorithms*]
+#  (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#  single algorithm or multiple. The algorithms are those supported by Python
+#  standard hashlib.new(). The hashes will be tried in the order given, so put
+#  the preferred one first for performance. The result of the first hash will
+#  be stored in the cache. This will typically be set to multiple values only
+#  while migrating from a less secure algorithm to a more secure one. Once all
+#  the old tokens are expired this option should be set to a single value for
+#  better performance. List value.
+#  Defaults to undef.
+#
 class panko::keystone::authtoken(
   $password,
   $username                       = 'panko',
@@ -203,10 +203,8 @@ class panko::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -225,6 +223,8 @@ class panko::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::panko::deps
@@ -234,6 +234,14 @@ class panko::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'panko_config':
     username                       => $username,
     password                       => $password,
@@ -249,10 +257,8 @@ class panko::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,
diff --git a/releasenotes/notes/deprecate_pki_related_parameters-aeecfa846786582d.yaml b/releasenotes/notes/deprecate_pki_related_parameters-aeecfa846786582d.yaml
new file mode 100644
index 0000000..7aa4e60
--- /dev/null
+++ b/releasenotes/notes/deprecate_pki_related_parameters-aeecfa846786582d.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.
diff --git a/spec/classes/panko_keystone_authtoken_spec.rb b/spec/classes/panko_keystone_authtoken_spec.rb
index 403d56e..17ff436 100644
--- a/spec/classes/panko_keystone_authtoken_spec.rb
+++ b/spec/classes/panko_keystone_authtoken_spec.rb
@@ -25,10 +25,8 @@ describe 'panko::keystone::authtoken' do
         is_expected.to contain_panko_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_panko_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_panko_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -64,10 +62,8 @@ describe 'panko::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -102,10 +98,8 @@ describe 'panko::keystone::authtoken' do
         is_expected.to contain_panko_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_panko_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_panko_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_panko_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_panko_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_panko_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_panko_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_panko_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_panko_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_panko_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])