Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removel because of PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I8cc64c8a0fdf002405e8cfdba178c3a6fcda5bab
Closes-Bug: #1804562
Closes-Bug: #1804720

manifests/keystone/authtoken.pp

@@ -63,12 +63,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@@ -190,6 +173,23 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef.
+#
 class neutron::keystone::authtoken(
   $username                       = 'neutron',
   $password                       = $::os_service_default,
@@ -205,10 +205,8 @@ class neutron::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -228,6 +226,8 @@ class neutron::keystone::authtoken(
   $service_token_roles_required   = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::neutron::deps
@@ -241,6 +241,14 @@ class neutron::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'neutron_config':
     username                       => $username,
     password                       => $password,
@@ -256,10 +264,8 @@ class neutron::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,

releasenotes/notes/deprecate_pki_related_parameters-89ced5b6c65604db.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.

spec/classes/neutron_keystone_authtoken_spec.rb

@@ -22,10 +22,8 @@ describe 'neutron::keystone::authtoken' do
         should contain_neutron_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        should contain_neutron_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        should contain_neutron_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -62,10 +60,8 @@ describe 'neutron::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -101,10 +97,8 @@ describe 'neutron::keystone::authtoken' do
         should contain_neutron_config('keystone_authtoken/cache').with_value(params[:cache])
         should contain_neutron_config('keystone_authtoken/cafile').with_value(params[:cafile])
         should contain_neutron_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        should contain_neutron_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         should contain_neutron_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         should contain_neutron_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        should contain_neutron_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         should contain_neutron_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         should contain_neutron_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         should contain_neutron_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])