From d238ee9b295541547bfe42ac21c771c18fce8c38 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Mon, 17 Feb 2020 07:38:33 +0900 Subject: [PATCH] Add support for service token parameters Add support for the parameters in authtoken middleware, which are related to service token feature. Change-Id: If60373cb44a62397678cee7aaefad3431a91f7e4 (cherry picked from commit b6b458cd59bde37635a1c146e6c76a62505be4e3) --- manifests/proxy/authtoken.pp | 82 ++++++++++++------- ...htoken-service_token-f2e7209b778c2eb5.yaml | 6 ++ spec/classes/swift_proxy_authtoken_spec.rb | 18 ++-- 3 files changed, 69 insertions(+), 37 deletions(-) create mode 100644 releasenotes/notes/authtoken-service_token-f2e7209b778c2eb5.yaml diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp index c0e82f20..564265cc 100644 --- a/manifests/proxy/authtoken.pp +++ b/manifests/proxy/authtoken.pp @@ -55,6 +55,22 @@ # not set the X-Service-Catalog header. Boolean value. # Defaults to false # +# [*service_token_roles*] +# (Optional) A choice of roles that must be present in a service token. +# Service tokens are allowed to request that an expired token +# can be used and so this check should tightly control that +# only actual services should be sending this token. Roles +# here are applied as an ANY check so any role in this list +# must be present. For backwards compatibility reasons this +# currently only affects the allow_expired check. (list value) +# Defaults to $::os_service_default. +# +# [*service_token_roles_required*] +# (optional) backwards compatibility to ensure that the service tokens are +# compared against a list of possible roles for validity +# true/false +# Defaults to $::os_service_default. +# # == DEPRECATED # # [*identity_uri*] 
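Review bot: The `[*service_token_roles_required*]` description added at the end of this hunk does not tell an operator that leaving it at `$::os_service_default` defers entirely to keystonemiddleware's own (backwards-compatibility, presumably permissive) default, so the role restriction documented just above it is not enforced unless this is explicitly turned on. Since the same hunk states that service tokens "are allowed to request that an expired token can be used", the doc should make the security consequence explicit, e.g. add `#   Set this to true in new deployments so that the role check above is actually enforced.` and start the entry with a plain "(Optional) Whether a service token must carry one of the roles in service_token_roles to be accepted. Boolean value." rather than the current "backwards compatibility to ensure ..." wording, which reads as a fragment. The "(optional)" tag should also be capitalised to match the other entries in this header.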
@@ -86,24 +102,26 @@ # Copyright 2012 Puppetlabs Inc, unless otherwise noted. # class swift::proxy::authtoken( - $delay_auth_decision = 1, - $signing_dir = $::swift::params::signing_dir, - $cache = 'swift.cache', - $www_authenticate_uri = 'http://127.0.0.1:5000', - $auth_url = 'http://127.0.0.1:5000', - $auth_plugin = 'password', - $project_domain_id = 'default', - $user_domain_id = 'default', - $project_name = 'services', - $username = 'swift', - $password = 'password', - $include_service_catalog = false, + $delay_auth_decision = 1, + $signing_dir = $::swift::params::signing_dir, + $cache = 'swift.cache', + $www_authenticate_uri = 'http://127.0.0.1:5000', + $auth_url = 'http://127.0.0.1:5000', + $auth_plugin = 'password', + $project_domain_id = 'default', + $user_domain_id = 'default', + $project_name = 'services', + $username = 'swift', + $password = 'password', + $include_service_catalog = false, + $service_token_roles = $::os_service_default, + $service_token_roles_required = $::os_service_default, # DEPRECATED PARAMETERS - $admin_user = undef, - $admin_tenant_name = undef, - $admin_password = undef, - $identity_uri = undef, - $auth_uri = undef, + $admin_user = undef, + $admin_tenant_name = undef, + $admin_password = undef, + $identity_uri = undef, + $auth_uri = undef, ) inherits swift::params { include ::swift::deps 
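Review bot: The two new parameters `$service_token_roles` and `$service_token_roles_required` are accepted without any type check, so a scalar string for the roles list or a non-boolean for the required flag would be written straight into the proxy config rather than failing at catalog compile time; the class body continues outside this hunk, so there may be validation further down that is not visible here. If the module already validates parameters elsewhere (puppet-openstack modules commonly guard with `is_service_default()` and then validate), the same pattern fits here: `validate_legacy(Array, 'validate_array', $service_token_roles)` and `validate_legacy(Boolean, 'validate_bool', $service_token_roles_required)`, each skipped when the value is the service default. A Puppet data type on the parameter (`Array[String]` / `Boolean`) is not an option while `$::os_service_default` is an accepted value, which is why the guarded check is the usual shape.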
@@ -148,19 +166,21 @@ class swift::proxy::authtoken( swift_proxy_config { - 'filter:authtoken/log_name': value => 'swift'; - 'filter:authtoken/signing_dir': value => $signing_dir; - 'filter:authtoken/paste.filter_factory': value => 'keystonemiddleware.auth_token:filter_factory'; - 'filter:authtoken/www_authenticate_uri': value => $www_authenticate_uri_real; - 'filter:authtoken/auth_url': value => $auth_url_real; - 'filter:authtoken/auth_plugin': value => $auth_plugin; - 'filter:authtoken/project_domain_id': value => $project_domain_id; - 'filter:authtoken/user_domain_id': value => $user_domain_id; - 'filter:authtoken/project_name': value => $project_name_real; - 'filter:authtoken/username': value => $username_real; - 'filter:authtoken/password': value => $password_real; - 'filter:authtoken/delay_auth_decision': value => $delay_auth_decision; - 'filter:authtoken/cache': value => $cache; - 'filter:authtoken/include_service_catalog': value => $include_service_catalog; + 'filter:authtoken/log_name': value => 'swift'; + 'filter:authtoken/signing_dir': value => $signing_dir; + 'filter:authtoken/paste.filter_factory': value => 'keystonemiddleware.auth_token:filter_factory'; + 'filter:authtoken/www_authenticate_uri': value => $www_authenticate_uri_real; + 'filter:authtoken/auth_url': value => $auth_url_real; + 'filter:authtoken/auth_plugin': value => $auth_plugin; + 'filter:authtoken/project_domain_id': value => $project_domain_id; + 'filter:authtoken/user_domain_id': value => $user_domain_id; + 'filter:authtoken/project_name': value => $project_name_real; + 'filter:authtoken/username': value => $username_real; + 'filter:authtoken/password': value => $password_real; + 'filter:authtoken/delay_auth_decision': value => $delay_auth_decision; + 'filter:authtoken/cache': value => $cache; + 'filter:authtoken/include_service_catalog': value => $include_service_catalog; + 'filter:authtoken/service_token_roles': value => $service_token_roles; + 
'filter:authtoken/service_token_roles_required': value => $service_token_roles_required; } } diff --git a/releasenotes/notes/authtoken-service_token-f2e7209b778c2eb5.yaml b/releasenotes/notes/authtoken-service_token-f2e7209b778c2eb5.yaml new file mode 100644 index 00000000..0b9b5ea7 --- /dev/null +++ b/releasenotes/notes/authtoken-service_token-f2e7209b778c2eb5.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + swift::proxy::authtoken::service_token_roles and + swift::proxy::authtoken::service_token_roles_required were added to + add support for the authtoken parameters related to service token feature diff --git a/spec/classes/swift_proxy_authtoken_spec.rb b/spec/classes/swift_proxy_authtoken_spec.rb index e055f0d3..91ccf198 100644 --- a/spec/classes/swift_proxy_authtoken_spec.rb +++ b/spec/classes/swift_proxy_authtoken_spec.rb @@ -32,17 +32,21 @@ describe 'swift::proxy::authtoken' do it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('1') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('swift.cache') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') } + it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value('') } + it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value('') } end describe "when overriding parameters" do let :params do { - :admin_tenant_name => 'admin', - :admin_user => 'swiftuser', - :admin_password => 'swiftpassword', - :cache => 'foo', - :delay_auth_decision => '0', - :signing_dir => '/home/swift/keystone-signing' + :admin_tenant_name => 'admin', + :admin_user => 'swiftuser', + :admin_password => 'swiftpassword', + :cache => 'foo', + :delay_auth_decision => '0', + :signing_dir => '/home/swift/keystone-signing', + :service_token_roles => ['service'], + :service_token_roles_required => true, } end 
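Review bot: `'filter:authtoken/service_token_roles': value => $service_token_roles;` passes the array through untouched, and it is not visible here whether the `swift_proxy_config` provider serialises an array as the comma-separated list keystonemiddleware's list option expects or stringifies it (e.g. `["service"]`), in which case no real role would ever match and every service token would be rejected once the required flag is on. Other puppet-openstack authtoken classes sidestep this by joining explicitly, e.g. `value => join(any2array($service_token_roles), ',')` guarded by `is_service_default($service_token_roles)`; if the provider is known to handle arrays, a one-line comment saying so next to this setting would save the next reader the same question. The spec's `.with_value(['service'])` only checks the resource parameter, not the rendered ini line, so it does not settle this either way.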
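Review bot: The two default-case assertions expect `.with_value('')` for `service_token_roles` and `service_token_roles_required`, which suggests `$::os_service_default` is not provided as a fact in this spec and the class parameter is silently resolving to an empty string; that path would fail under `strict_variables`, and the test does not exercise the `<SERVICE DEFAULT>` handling that the real deployment relies on to leave the option unset. The spec should set the `os_service_default` fact (presumably `'<SERVICE DEFAULT>'`, as the other puppet-openstack spec helpers do) and assert `it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value('<SERVICE DEFAULT>') }` and the same for `service_token_roles_required`. Asserting `''` here effectively pins the wrong behaviour as the expected one.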
@@ -60,6 +64,8 @@ describe 'swift::proxy::authtoken' do it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('0') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('foo') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') } + it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value(['service']) } + it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value(true) } end describe 'when overriding www_authenticate_uri' do