From f55c866119ff453fcd69137ce6a0cf07f3db29c3 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 15 Jun 2016 14:49:01 +0300
Subject: [PATCH] Enforce use_ssl flag

Setting the certificate and key in heat's configuration has the
effect of enabling SSL. So, one can actually enable SSL using those
and ignore the use_ssl flag.

This commit enforces that flag, so if the flag is not set, then those
parameters shouldn't be persisted in Heat's configuration.

A unit test was removed for each of the correspondent API's because they no
longer apply. If ssl is not enabled, then heat_config resources containing
those configurations are not present in the resource catalog.

Change-Id: I87fb234943829d7f0d8786e98e90b81e9a71c8ef
---
 manifests/api.pp                         |  8 ++++++--
 manifests/api_cfn.pp                     |  9 +++++++--
 manifests/api_cloudwatch.pp              |  8 ++++++--
 spec/classes/heat_api_cfn_spec.rb        | 11 -----------
 spec/classes/heat_api_cloudwatch_spec.rb | 11 -----------
 spec/classes/heat_api_spec.rb            | 12 ------------
 6 files changed, 19 insertions(+), 40 deletions(-)

diff --git a/manifests/api.pp b/manifests/api.pp
index ae532fb2..d94c1976 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -99,8 +99,12 @@ class heat::api (
     'heat_api/bind_host': value => $bind_host;
     'heat_api/bind_port': value => $bind_port;
     'heat_api/workers':   value => $workers;
-    'heat_api/cert_file': value => $cert_file;
-    'heat_api/key_file':  value => $key_file;
   }
 
+  if $use_ssl {
+    heat_config {
+      'heat_api/cert_file': value => $cert_file;
+      'heat_api/key_file':  value => $key_file;
+    }
+  }
 }
diff --git a/manifests/api_cfn.pp b/manifests/api_cfn.pp
index 41fba1ec..3fb81ebc 100644
--- a/manifests/api_cfn.pp
+++ b/manifests/api_cfn.pp
@@ -102,8 +102,13 @@ class heat::api_cfn (
     'heat_api_cfn/bind_host': value => $bind_host;
     'heat_api_cfn/bind_port': value => $bind_port;
     'heat_api_cfn/workers':   value => $workers;
-    'heat_api_cfn/cert_file': value => $cert_file;
-    'heat_api_cfn/key_file':  value => $key_file;
+  }
+
+  if $use_ssl {
+    heat_config {
+      'heat_api_cfn/cert_file': value => $cert_file;
+      'heat_api_cfn/key_file':  value => $key_file;
+    }
   }
 
 }
diff --git a/manifests/api_cloudwatch.pp b/manifests/api_cloudwatch.pp
index 9d0bac5d..236ce785 100644
--- a/manifests/api_cloudwatch.pp
+++ b/manifests/api_cloudwatch.pp
@@ -101,8 +101,12 @@ class heat::api_cloudwatch (
     'heat_api_cloudwatch/bind_host': value => $bind_host;
     'heat_api_cloudwatch/bind_port': value => $bind_port;
     'heat_api_cloudwatch/workers':   value => $workers;
-    'heat_api_cloudwatch/cert_file': value => $cert_file;
-    'heat_api_cloudwatch/key_file':  value => $key_file;
   }
 
+  if $use_ssl {
+    heat_config {
+      'heat_api_cloudwatch/cert_file': value => $cert_file;
+      'heat_api_cloudwatch/key_file':  value => $key_file;
+    }
+  }
 }
diff --git a/spec/classes/heat_api_cfn_spec.rb b/spec/classes/heat_api_cfn_spec.rb
index b40c0162..145d57f8 100644
--- a/spec/classes/heat_api_cfn_spec.rb
+++ b/spec/classes/heat_api_cfn_spec.rb
@@ -48,17 +48,6 @@ describe 'heat::api_cfn' do
       it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
     end
 
-    context 'with SSL socket options set to false' do
-      let :params do
-        {
-          :use_ssl   => false,
-        }
-      end
-
-      it { is_expected.to contain_heat_config('heat_api_cfn/cert_file').with_value('<SERVICE DEFAULT>') }
-      it { is_expected.to contain_heat_config('heat_api_cfn/key_file').with_value('<SERVICE DEFAULT>') }
-    end
-
     [{:enabled => true}, {:enabled => false}].each do |param_hash|
       context "when service should be #{param_hash[:enabled] ? 'enabled' : 'disabled'}" do
         before do
diff --git a/spec/classes/heat_api_cloudwatch_spec.rb b/spec/classes/heat_api_cloudwatch_spec.rb
index b6dd44c6..5227a8df 100644
--- a/spec/classes/heat_api_cloudwatch_spec.rb
+++ b/spec/classes/heat_api_cloudwatch_spec.rb
@@ -48,17 +48,6 @@ describe 'heat::api_cloudwatch' do
       it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
     end
 
-    context 'with SSL socket options set to false' do
-      let :params do
-        {
-          :use_ssl   => false,
-        }
-      end
-
-      it { is_expected.to contain_heat_config('heat_api_cloudwatch/cert_file').with_value('<SERVICE DEFAULT>') }
-      it { is_expected.to contain_heat_config('heat_api_cloudwatch/key_file').with_value('<SERVICE DEFAULT>') }
-    end
-
     [{:enabled => true}, {:enabled => false}].each do |param_hash|
       context "when service should be #{param_hash[:enabled] ? 'enabled' : 'disabled'}" do
         before do
diff --git a/spec/classes/heat_api_spec.rb b/spec/classes/heat_api_spec.rb
index 444b7b00..836bce06 100644
--- a/spec/classes/heat_api_spec.rb
+++ b/spec/classes/heat_api_spec.rb
@@ -48,18 +48,6 @@ describe 'heat::api' do
       it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
     end
 
-    context 'with SSL socket options set to false' do
-      let :params do
-        {
-          :use_ssl   => false,
-        }
-      end
-
-      it { is_expected.to contain_heat_config('heat_api/cert_file').with_value('<SERVICE DEFAULT>') }
-      it { is_expected.to contain_heat_config('heat_api/key_file').with_value('<SERVICE DEFAULT>') }
-    end
-
-
     [{:enabled => true}, {:enabled => false}].each do |param_hash|
       context "when service should be #{param_hash[:enabled] ? 'enabled' : 'disabled'}" do
         before do