Add auth_admin_prefix and custom auth_uri params

auth_admin_prefix allows the prepend of a prefix to the URL used for admin tasks. See: https://review.openstack.org/#/c/7156/ for implementation in Keystone. auth_uri allows to specify the public authentication url (Keystone's public endpoint) if it can't be guessed from $auth_host + $auth_protocol Implements blueprint serve-keystone-from-wsgi Change-Id: Ic66727f78406d70b5ab5bc07fcc074477df2303c
2013-05-14 17:18:00 +02:00 · 2013-05-14 17:18:00 +02:00 · 09a78bfd9d
commit 09a78bfd9d
parent aac6528f70
3 changed files with 98 additions and 4 deletions
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@ -21,6 +21,12 @@
 #    Defaults to 3557.
 #  [auth_protocol] Protocol to use to communicate with keystone. Optional.
 #    Defaults to https.
+#  [auth_admin_prefix] path part of the auth url. Optional.
+#    This allows admin auth URIs like http://host/keystone/admin/v2.0.
+#    Defaults to false for empty. It defined, should be a string with a leading '/' and no trailing '/'.
+#  [auth_uri] The public auth url to redirect unauthenticated requests.
+#    Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'.
+#    Should be set to your public keystone endpoint (without version).
 #
 # == Authors
 #
@ -38,13 +44,23 @@ class swift::proxy::authtoken(
  $auth_host           = '127.0.0.1',
  $auth_port           = '35357',
  $auth_protocol       = 'http',
+  $auth_admin_prefix   = false,
+  $auth_uri            = false,
  $delay_auth_decision = 1,
  $admin_token         = false
 ) {

-  $auth_uri = "${auth_protocol}://${auth_host}:5000"
+  if $auth_uri {
+    $auth_uri_real = $auth_uri
+  } else {
+    $auth_uri_real = "${auth_protocol}://${auth_host}:5000"
+  }
  $fragment_title    = regsubst($name, '/', '_', 'G')

+  if $auth_admin_prefix {
+    validate_re($auth_admin_prefix, '^(/.+[^/])?$')
+  }
+
  concat::fragment { "swift_authtoken":
    target  => '/etc/swift/proxy-server.conf',
    content => template('swift/proxy/authtoken.conf.erb'),
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@ -39,15 +39,90 @@ describe 'swift::proxy::authtoken' do
    end
  end

-  describe "when override parameters" do
+  describe "when overriding admin_token" do
    let :params do
      {
        :admin_token => 'ADMINTOKEN'
      }
    end

-    it { should contain_file(fragment_file).with_content(/admin_token = ADMINTOKEN/) }
+    it 'should build the fragment with correct parameters' do
+      verify_contents(subject, fragment_file,
+        [
+          '[filter:authtoken]',
+          'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
+          'signing_dir = /etc/swift',
+          'auth_host = 127.0.0.1',
+          'auth_port = 35357',
+          'auth_protocol = http',
+          'auth_uri = http://127.0.0.1:5000',
+          'admin_token = ADMINTOKEN',
+          'delay_auth_decision = 1',
+        ]
+      )
+    end
+  end
+
+  describe "when overriding parameters" do
+    let :params do
+      {
+        :auth_host           => 'some.host',
+        :auth_port           => '443',
+        :auth_protocol       => 'https',
+        :auth_admin_prefix   => '/keystone/admin',
+        :admin_tenant_name   => 'admin',
+        :admin_user          => 'swiftuser',
+        :admin_password      => 'swiftpassword',
+        :delay_auth_decision => '0'
+      }
+    end
+
+    it 'should build the fragment with correct parameters' do
+      verify_contents(subject, fragment_file,
+        [
+          '[filter:authtoken]',
+          'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
+          'signing_dir = /etc/swift',
+          'auth_host = some.host',
+          'auth_port = 443',
+          'auth_protocol = https',
+          'auth_admin_prefix = /keystone/admin',
+          'auth_uri = https://some.host:5000',
+          'admin_tenant_name = admin',
+          'admin_user = swiftuser',
+          'admin_password = swiftpassword',
+          'delay_auth_decision = 0',
+        ]
+      )
+    end
+  end
+
+  describe 'when overriding auth_uri' do
+    let :params do
+      { :auth_uri => 'http://public.host/keystone/main' }
+    end
+
+    it { should contain_file(fragment_file).with_content(/auth_uri = http:\/\/public.host\/keystone\/main/)}
+  end
+
+  [
+    'keystone',
+    'keystone/',
+    '/keystone/',
+    '/keystone/admin/',
+    'keystone/admin/',
+    'keystone/admin'
+  ].each do |auth_admin_prefix|
+    describe "when overriding auth_admin_prefix with incorrect value #{auth_admin_prefix}" do
+      let :params do
+        { :auth_admin_prefix => auth_admin_prefix }
+      end
+
+      it { expect { should contain_file(fragment_file).with_content(/auth_admin_prefix = #{auth_admin_prefix}/) }.to \
+        raise_error(Puppet::Error, /validate_re\(\): "#{auth_admin_prefix}" does not match/) }
+    end
  end


+
 end
--- a/templates/proxy/authtoken.conf.erb
+++ b/templates/proxy/authtoken.conf.erb
@ -4,7 +4,10 @@ signing_dir = /etc/swift
 auth_host = <%= auth_host %>
 auth_port = <%= auth_port %>
 auth_protocol = <%= auth_protocol %>
-auth_uri = <%= auth_uri %>
+<% if auth_admin_prefix -%>
+auth_admin_prefix = <%= auth_admin_prefix %>
+<% end -%>
+auth_uri = <%= auth_uri_real %>
 # if its defined
 <% if admin_token -%>
 admin_token = <%= admin_token %>