Add support for service token parameters

Add support for the authtoken middleware parameters that are
related to the service token feature.

Change-Id: If60373cb44a62397678cee7aaefad3431a91f7e4
(cherry picked from commit b6b458cd59)
Takashi Kajinami 2020-02-17 07:38:33 +09:00
parent 1c1cb38c70
commit d238ee9b29
3 changed files with 69 additions and 37 deletions


@ -55,6 +55,22 @@
# not set the X-Service-Catalog header. Boolean value.
# Defaults to false
#
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity
# true/false
# Defaults to $::os_service_default.
#
# == DEPRECATED
#
# [*identity_uri*]
@ -98,6 +114,8 @@ class swift::proxy::authtoken(
$username = 'swift',
$password = 'password',
$include_service_catalog = false,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default,
# DEPRECATED PARAMETERS
$admin_user = undef,
$admin_tenant_name = undef,
@ -162,5 +180,7 @@ class swift::proxy::authtoken(
'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
'filter:authtoken/cache': value => $cache;
'filter:authtoken/include_service_catalog': value => $include_service_catalog;
'filter:authtoken/service_token_roles': value => $service_token_roles;
'filter:authtoken/service_token_roles_required': value => $service_token_roles_required;
}
}
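Review bot: The doc comment for `service_token_roles_required` in the first hunk does not say what happens when it is left at `$::os_service_default`, and that is the security-relevant case. As far as I know keystonemiddleware defaults this option to false, in which case a service token is accepted without being checked against `service_token_roles`, while the neighbouring text notes that service tokens can ask for expired tokens to be honoured. I would add to the comment something like `# When unset, the middleware default applies and the role check may not be enforced; set to true to require a role from service_token_roles.` Separately, the third hunk passes `$service_token_roles` to `swift_proxy_config` unchanged, and how an Array is rendered depends on the provider, which is not visible here; if a comma-separated list is expected, `value => join(any2array($service_token_roles), ',')` would make that explicit.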


@ -0,0 +1,6 @@
---
features:
- |
swift::proxy::authtoken::service_token_roles and
swift::proxy::authtoken::service_token_roles_required were added to
add support for the authtoken parameters related to service token feature


@ -32,6 +32,8 @@ describe 'swift::proxy::authtoken' do
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('1') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('swift.cache') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') }
end
describe "when overriding parameters" do
@ -42,7 +44,9 @@ describe 'swift::proxy::authtoken' do
:admin_password => 'swiftpassword',
:cache => 'foo',
:delay_auth_decision => '0',
:signing_dir => '/home/swift/keystone-signing'
:signing_dir => '/home/swift/keystone-signing',
:service_token_roles => ['service'],
:service_token_roles_required => true,
}
end
@ -60,6 +64,8 @@ describe 'swift::proxy::authtoken' do
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('0') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('foo') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value(['service']) }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value(true) }
end
describe 'when overriding www_authenticate_uri' do