From 14ee418491dbe8f362348f588ca8554425582116 Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Wed, 26 Oct 2016 14:47:58 -0600
Subject: [PATCH] Switch to fernet tokens by default
In the upcoming puppet keystone release, the default is being switched to fernet. This change updates packstack to properly handle the fernet provider configuration for keystone and makes it the new default. Since the upstream will be enabling the fernet token setup by default, packstack needs to properly turn off the fernet setup when using uuid.
Change-Id: Id9f6d54e7e5190c3a01f60c511d8a470436bff7d
---
 README.md | 2 +-
 docs/packstack.rst | 2 +-
 packstack/plugins/keystone_100.py | 6 +++---
 packstack/puppet/modules/packstack/manifests/keystone.pp | 6 ++++++
 tests/scenario002.sh | 1 +
 5 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 5ae02a8e7..b02b9364c 100644
--- a/README.md
+++ b/README.md
@@ -187,7 +187,7 @@ This is the current matrix of available tests:
 | - | scenario001 | scenario002 | scenario003 |
 |:----------:|:-----------:|:-----------:|:------------:
-| keystone | X | X | X |
+| keystone | FERNET | UUID | FERNET |
 | glance | file | swift | file |
 | nova | X | X | X |
 | neutron | X | X | X |
diff --git a/docs/packstack.rst b/docs/packstack.rst
index 08fa6e25c..9507a9ef6 100644
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@@ -335,7 +335,7 @@ Keystone Config parameters
 Identity service API version string. ['v2.0', 'v3']
 **CONFIG_KEYSTONE_TOKEN_FORMAT**
- Identity service token format (UUID or PKI). The recommended format for new deployments is UUID. ['UUID', 'PKI']
+ Identity service token format (UUID, PKI or FERNET). The recommended format for new deployments is FERNET. ['UUID', 'PKI', 'FERNET']
 **CONFIG_KEYSTONE_IDENTITY_BACKEND**
 Type of Identity service backend (sql or ldap). ['sql', 'ldap']
diff --git a/packstack/plugins/keystone_100.py b/packstack/plugins/keystone_100.py
index 3e30b242f..55aa799b6 100644
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -151,13 +151,13 @@ def initConfig(controller):
 {"CMD_OPTION": "keystone-token-format",
 "PROMPT": "Enter the Keystone token format.",
- "OPTION_LIST": ['UUID', 'PKI'],
+ "OPTION_LIST": ['UUID', 'PKI', 'FERNET'],
 "VALIDATORS": [validators.validate_options],
- "DEFAULT_VALUE": 'UUID',
+ "DEFAULT_VALUE": 'FERNET',
 "MASK_INPUT": False,
 "LOOSE_VALIDATION": False,
 "CONF_NAME": 'CONFIG_KEYSTONE_TOKEN_FORMAT',
- "USE_DEFAULT": True,
+ "USE_DEFAULT": False,
 "NEED_CONFIRM": False,
 "CONDITION": False},
diff --git a/packstack/puppet/modules/packstack/manifests/keystone.pp b/packstack/puppet/modules/packstack/manifests/keystone.pp
index fa4967897..ae4ced5ed 100644
--- a/packstack/puppet/modules/packstack/manifests/keystone.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone.pp
@@ -6,6 +6,11 @@ class packstack::keystone ()
 $keystone_cfg_ks_db_pw = hiera('CONFIG_KEYSTONE_DB_PW')
 $keystone_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
 $keystone_token_provider_str = downcase(hiera('CONFIG_KEYSTONE_TOKEN_FORMAT'))
+ if $keystone_token_provider_str == 'fernet' {
+ $enable_fernet_setup = true
+ } else {
+ $enable_fernet_setup = false
+ }
 $keystone_url = regsubst(regsubst(hiera('CONFIG_KEYSTONE_PUBLIC_URL'),'/v2.0',''),'/v3','')
 $keystone_admin_url = hiera('CONFIG_KEYSTONE_ADMIN_URL')
@@ -33,6 +38,7 @@ class packstack::keystone ()
 admin_token => hiera('CONFIG_KEYSTONE_ADMIN_TOKEN'),
 database_connection => "mysql+pymysql://keystone_admin:${keystone_cfg_ks_db_pw}@${keystone_cfg_mariadb_host}/keystone",
 token_provider => "keystone.token.providers.${keystone_token_provider_str}.Provider",
+ enable_fernet_setup => $enable_fernet_setup,
 debug => hiera('CONFIG_DEBUG_MODE'),
 service_name => 'httpd',
 enable_ssl => $keystone_use_ssl,
diff --git a/tests/scenario002.sh b/tests/scenario002.sh
index 029e06513..b322185db 100755
--- a/tests/scenario002.sh
+++ b/tests/scenario002.sh
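Review bot: The flip of `"USE_DEFAULT"` from `True` to `False` in the `keystone-token-format` entry is not explained by the commit message, which only covers the new default and the provider setup. Going by the key name this presumably changes whether the token format is asked for or silently defaulted, which is a user-visible change and worth a sentence in the message or a comment such as `# always offer the choice: the format decides whether fernet keys are set up`. `'PKI'` also stays in `"OPTION_LIST"` beside the new default; if it is kept only for compatibility, say so in a comment. `initConfig` begins and ends outside this hunk.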
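Review bot: The five-line `if`/`else` that sets `$enable_fernet_setup` only maps a comparison onto a boolean and can be a single assignment, `$enable_fernet_setup = ($keystone_token_provider_str == 'fernet')`. That keeps the flag visibly tied to the provider string computed on the line above it and leaves no branch to drift if another provider is added later. A one-line comment such as `# fernet key setup is only wanted when the fernet provider is selected` would record why UUID and PKI switch it off. The body of `packstack::keystone` continues outside this hunk.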
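Review bot: Nothing in this change documents the key material that `enable_fernet_setup => $enable_fernet_setup` brings in with the new default. With the fernet provider every token is encrypted and signed with keys held in a key repository on the Keystone host, so read access to those keys is equivalent to being able to issue tokens, and the keys need restrictive permissions, backup and periodic rotation. Presumably the upstream keystone class creates the repository when this flag is true; whether rotation is configured anywhere is not visible here. I would add a comment above the attribute, `# fernet keys sign every token: keep the key repository readable by the keystone user only and rotate it`, and a matching sentence in docs/packstack.rst. The resource this attribute belongs to opens and closes outside the hunk.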
@@ -31,6 +31,7 @@ $SUDO packstack ${ADDITIONAL_ARGS} \
 --os-neutron-lbaas-install=y \
 --os-sahara-install=y \
 --os-trove-install=y \
+ --keystone-token-format=UUID \
 --provision-uec-kernel-url="/tmp/cirros/cirros-0.3.4-x86_64-vmlinuz" \
 --provision-uec-ramdisk-url="/tmp/cirros/cirros-0.3.4-x86_64-initrd" \
 --provision-uec-disk-url="/tmp/cirros/cirros-0.3.4-x86_64-disk.img" \