Merge "Improve Proxy Signing Directory Support"

manifests/init.pp

@@ -69,8 +69,4 @@ class swift(
     content => template('swift/swift.conf.erb'),
   }
 
-  file { '/var/cache/swift':
-    ensure => directory,
-  }
-
 }

manifests/proxy/authtoken.pp

@@ -27,6 +27,8 @@
 #  [auth_uri] The public auth url to redirect unauthenticated requests.
 #    Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'.
 #    Should be set to your public keystone endpoint (without version).
+#  [signing_dir] The cache directory for signing certificates.
+#    Defaults to '/var/cache/swift'
 #
 # == Authors
 #
@@ -47,7 +49,8 @@ class swift::proxy::authtoken(
   $auth_admin_prefix   = false,
   $auth_uri            = false,
   $delay_auth_decision = 1,
-  $admin_token         = false
+  $admin_token         = false,
+  $signing_dir         = '/var/cache/swift'
 ) {
 
   if $auth_uri {
@@ -61,6 +64,13 @@ class swift::proxy::authtoken(
     validate_re($auth_admin_prefix, '^(/.+[^/])?$')
   }
 
+  file { $signing_dir:
+    ensure => directory,
+    mode   => '0700',
+    owner  => 'swift',
+    group  => 'swift',
+  }
+
   concat::fragment { 'swift_authtoken':
     target  => '/etc/swift/proxy-server.conf',
     content => template('swift/proxy/authtoken.conf.erb'),

spec/classes/swift_proxy_authtoken_spec.rb

@@ -15,6 +15,19 @@ describe 'swift::proxy::authtoken' do
     '
   end
 
+  describe 'when using the default signing directory' do
+    let :file_defaults do
+      {
+        :mode    => '0700',
+        :owner   => 'swift',
+        :group   => 'swift',
+      }
+    end
+    it {should contain_file('/var/cache/swift').with(
+      {:ensure => 'directory'}.merge(file_defaults)
+    )}
+  end
+
   let :fragment_file do
     "/var/lib/puppet/concat/_etc_swift_proxy-server.conf/fragments/22_swift_authtoken"
   end
@@ -24,7 +37,7 @@ describe 'swift::proxy::authtoken' do
       verify_contents(subject, fragment_file,
         [
           '[filter:authtoken]',
-          'signing_dir=/var/cache/swift',
+          'signing_dir = /var/cache/swift',
           'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
           'auth_host = 127.0.0.1',
           'auth_port = 35357',
@@ -50,6 +63,7 @@ describe 'swift::proxy::authtoken' do
       verify_contents(subject, fragment_file,
         [
           '[filter:authtoken]',
+          'signing_dir = /var/cache/swift',
           'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
           'auth_host = 127.0.0.1',
           'auth_port = 35357',
@@ -72,7 +86,8 @@ describe 'swift::proxy::authtoken' do
         :admin_tenant_name   => 'admin',
         :admin_user          => 'swiftuser',
         :admin_password      => 'swiftpassword',
-        :delay_auth_decision => '0'
+        :delay_auth_decision => '0',
+        :signing_dir         => '/home/swift/keystone-signing'
       }
     end
 
@@ -80,6 +95,7 @@ describe 'swift::proxy::authtoken' do
       verify_contents(subject, fragment_file,
         [
           '[filter:authtoken]',
+          'signing_dir = /home/swift/keystone-signing',
           'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
           'auth_host = some.host',
           'auth_port = 443',

spec/classes/swift_spec.rb

@@ -42,9 +42,6 @@ describe 'swift' do
     it {should contain_file('/var/run/swift').with(
       {:ensure => 'directory'}.merge(file_defaults)
     )}
-    it {should contain_file('/var/cache/swift').with(
-      {:ensure => 'directory'}.merge(file_defaults)
-    )}
     it {should contain_file('/etc/swift/swift.conf').with(
       {:ensure  => 'present',
        :mode    => '0660',

templates/proxy/authtoken.conf.erb

@@ -1,5 +1,5 @@
 [filter:authtoken]
-signing_dir=/var/cache/swift
+signing_dir = <%= @signing_dir %>
 paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
 auth_host = <%= @auth_host %>
 auth_port = <%= @auth_port %>