Add support for service token parameters

Add support for the parameters in authtoken middleware, which are
related to service token feature.

Change-Id: If60373cb44a62397678cee7aaefad3431a91f7e4
This commit is contained in:
Takashi Kajinami 2020-02-17 07:38:33 +09:00
parent 48a8fc8ff8
commit b6b458cd59
3 changed files with 69 additions and 37 deletions

View File

@ -55,6 +55,22 @@
# not set the X-Service-Catalog header. Boolean value.
# Defaults to false
#
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity
# true/false
# Defaults to $::os_service_default.
#
# == DEPRECATED
#
# [*identity_uri*]
@ -86,24 +102,26 @@
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class swift::proxy::authtoken(
$delay_auth_decision = 1,
$signing_dir = $::swift::params::signing_dir,
$cache = 'swift.cache',
$www_authenticate_uri = 'http://127.0.0.1:5000',
$auth_url = 'http://127.0.0.1:5000',
$auth_plugin = 'password',
$project_domain_id = 'default',
$user_domain_id = 'default',
$project_name = 'services',
$username = 'swift',
$password = 'password',
$include_service_catalog = false,
$delay_auth_decision = 1,
$signing_dir = $::swift::params::signing_dir,
$cache = 'swift.cache',
$www_authenticate_uri = 'http://127.0.0.1:5000',
$auth_url = 'http://127.0.0.1:5000',
$auth_plugin = 'password',
$project_domain_id = 'default',
$user_domain_id = 'default',
$project_name = 'services',
$username = 'swift',
$password = 'password',
$include_service_catalog = false,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default,
# DEPRECATED PARAMETERS
$admin_user = undef,
$admin_tenant_name = undef,
$admin_password = undef,
$identity_uri = undef,
$auth_uri = undef,
$admin_user = undef,
$admin_tenant_name = undef,
$admin_password = undef,
$identity_uri = undef,
$auth_uri = undef,
) inherits swift::params {
include swift::deps
@ -148,19 +166,21 @@ class swift::proxy::authtoken(
swift_proxy_config {
'filter:authtoken/log_name': value => 'swift';
'filter:authtoken/signing_dir': value => $signing_dir;
'filter:authtoken/paste.filter_factory': value => 'keystonemiddleware.auth_token:filter_factory';
'filter:authtoken/www_authenticate_uri': value => $www_authenticate_uri_real;
'filter:authtoken/auth_url': value => $auth_url_real;
'filter:authtoken/auth_plugin': value => $auth_plugin;
'filter:authtoken/project_domain_id': value => $project_domain_id;
'filter:authtoken/user_domain_id': value => $user_domain_id;
'filter:authtoken/project_name': value => $project_name_real;
'filter:authtoken/username': value => $username_real;
'filter:authtoken/password': value => $password_real;
'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
'filter:authtoken/cache': value => $cache;
'filter:authtoken/include_service_catalog': value => $include_service_catalog;
'filter:authtoken/log_name': value => 'swift';
'filter:authtoken/signing_dir': value => $signing_dir;
'filter:authtoken/paste.filter_factory': value => 'keystonemiddleware.auth_token:filter_factory';
'filter:authtoken/www_authenticate_uri': value => $www_authenticate_uri_real;
'filter:authtoken/auth_url': value => $auth_url_real;
'filter:authtoken/auth_plugin': value => $auth_plugin;
'filter:authtoken/project_domain_id': value => $project_domain_id;
'filter:authtoken/user_domain_id': value => $user_domain_id;
'filter:authtoken/project_name': value => $project_name_real;
'filter:authtoken/username': value => $username_real;
'filter:authtoken/password': value => $password_real;
'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
'filter:authtoken/cache': value => $cache;
'filter:authtoken/include_service_catalog': value => $include_service_catalog;
'filter:authtoken/service_token_roles': value => $service_token_roles;
'filter:authtoken/service_token_roles_required': value => $service_token_roles_required;
}
}

View File

@ -0,0 +1,6 @@
---
features:
- |
swift::proxy::authtoken::service_token_roles and
swift::proxy::authtoken::service_token_roles_required were added to
add support for the authtoken parameters related to service token feature

View File

@ -32,17 +32,21 @@ describe 'swift::proxy::authtoken' do
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('1') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('swift.cache') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') }
end
describe "when overriding parameters" do
let :params do
{
:admin_tenant_name => 'admin',
:admin_user => 'swiftuser',
:admin_password => 'swiftpassword',
:cache => 'foo',
:delay_auth_decision => '0',
:signing_dir => '/home/swift/keystone-signing'
:admin_tenant_name => 'admin',
:admin_user => 'swiftuser',
:admin_password => 'swiftpassword',
:cache => 'foo',
:delay_auth_decision => '0',
:signing_dir => '/home/swift/keystone-signing',
:service_token_roles => ['service'],
:service_token_roles_required => true,
}
end
@ -60,6 +64,8 @@ describe 'swift::proxy::authtoken' do
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('0') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('foo') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value(['service']) }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value(true) }
end
describe 'when overriding www_authenticate_uri' do