Add support for service token parameters

Add support for the parameters in authtoken middleware, which are
related to service token feature.

Change-Id: If60373cb44a62397678cee7aaefad3431a91f7e4

manifests/proxy/authtoken.pp

@@ -55,6 +55,22 @@
 #   not set the X-Service-Catalog header. Boolean value.
 #   Defaults to false
 #
+# [*service_token_roles*]
+#  (Optional) A choice of roles that must be present in a service token.
+#  Service tokens are allowed to request that an expired token
+#  can be used and so this check should tightly control that
+#  only actual services should be sending this token. Roles
+#  here are applied as an ANY check so any role in this list
+#  must be present. For backwards compatibility reasons this
+#  currently only affects the allow_expired check. (list value)
+#  Defaults to $::os_service_default.
+#
+# [*service_token_roles_required*]
+#  (optional) backwards compatibility to ensure that the service tokens are
+#  compared against a list of possible roles for validity
+#  true/false
+#  Defaults to $::os_service_default.
+#
 # == DEPRECATED
 #
 # [*identity_uri*]
@@ -86,24 +102,26 @@
 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
 #
 class swift::proxy::authtoken(
-  $delay_auth_decision     = 1,
+  $delay_auth_decision          = 1,
-  $signing_dir             = $::swift::params::signing_dir,
+  $signing_dir                  = $::swift::params::signing_dir,
-  $cache                   = 'swift.cache',
+  $cache                        = 'swift.cache',
-  $www_authenticate_uri    = 'http://127.0.0.1:5000',
+  $www_authenticate_uri         = 'http://127.0.0.1:5000',
-  $auth_url                = 'http://127.0.0.1:5000',
+  $auth_url                     = 'http://127.0.0.1:5000',
-  $auth_plugin             = 'password',
+  $auth_plugin                  = 'password',
-  $project_domain_id       = 'default',
+  $project_domain_id            = 'default',
-  $user_domain_id          = 'default',
+  $user_domain_id               = 'default',
-  $project_name            = 'services',
+  $project_name                 = 'services',
-  $username                = 'swift',
+  $username                     = 'swift',
-  $password                = 'password',
+  $password                     = 'password',
-  $include_service_catalog = false,
+  $include_service_catalog      = false,
+  $service_token_roles          = $::os_service_default,
+  $service_token_roles_required = $::os_service_default,
   # DEPRECATED PARAMETERS
-  $admin_user              = undef,
+  $admin_user                   = undef,
-  $admin_tenant_name       = undef,
+  $admin_tenant_name            = undef,
-  $admin_password          = undef,
+  $admin_password               = undef,
-  $identity_uri            = undef,
+  $identity_uri                 = undef,
-  $auth_uri                = undef,
+  $auth_uri                     = undef,
 ) inherits swift::params {
 
   include swift::deps
@@ -148,19 +166,21 @@ class swift::proxy::authtoken(
 
 
   swift_proxy_config {
-    'filter:authtoken/log_name':                value => 'swift';
+    'filter:authtoken/log_name':                     value => 'swift';
-    'filter:authtoken/signing_dir':             value => $signing_dir;
+    'filter:authtoken/signing_dir':                  value => $signing_dir;
-    'filter:authtoken/paste.filter_factory':    value => 'keystonemiddleware.auth_token:filter_factory';
+    'filter:authtoken/paste.filter_factory':         value => 'keystonemiddleware.auth_token:filter_factory';
-    'filter:authtoken/www_authenticate_uri':    value => $www_authenticate_uri_real;
+    'filter:authtoken/www_authenticate_uri':         value => $www_authenticate_uri_real;
-    'filter:authtoken/auth_url':                value => $auth_url_real;
+    'filter:authtoken/auth_url':                     value => $auth_url_real;
-    'filter:authtoken/auth_plugin':             value => $auth_plugin;
+    'filter:authtoken/auth_plugin':                  value => $auth_plugin;
-    'filter:authtoken/project_domain_id':       value => $project_domain_id;
+    'filter:authtoken/project_domain_id':            value => $project_domain_id;
-    'filter:authtoken/user_domain_id':          value => $user_domain_id;
+    'filter:authtoken/user_domain_id':               value => $user_domain_id;
-    'filter:authtoken/project_name':            value => $project_name_real;
+    'filter:authtoken/project_name':                 value => $project_name_real;
-    'filter:authtoken/username':                value => $username_real;
+    'filter:authtoken/username':                     value => $username_real;
-    'filter:authtoken/password':                value => $password_real;
+    'filter:authtoken/password':                     value => $password_real;
-    'filter:authtoken/delay_auth_decision':     value => $delay_auth_decision;
+    'filter:authtoken/delay_auth_decision':          value => $delay_auth_decision;
-    'filter:authtoken/cache':                   value => $cache;
+    'filter:authtoken/cache':                        value => $cache;
-    'filter:authtoken/include_service_catalog': value => $include_service_catalog;
+    'filter:authtoken/include_service_catalog':      value => $include_service_catalog;
+    'filter:authtoken/service_token_roles':          value => $service_token_roles;
+    'filter:authtoken/service_token_roles_required': value => $service_token_roles_required;
   }
 }

releasenotes/notes/authtoken-service_token-f2e7209b778c2eb5.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    swift::proxy::authtoken::service_token_roles and 
+    swift::proxy::authtoken::service_token_roles_required were added to
+    add support for the authtoken parameters related to service token feature

spec/classes/swift_proxy_authtoken_spec.rb

@@ -32,17 +32,21 @@ describe 'swift::proxy::authtoken' do
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('1') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('swift.cache') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value('<SERVICE DEFAULT>') }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') }
     end
 
     describe "when overriding parameters" do
       let :params do
         {
-          :admin_tenant_name   => 'admin',
+          :admin_tenant_name            => 'admin',
-          :admin_user          => 'swiftuser',
+          :admin_user                   => 'swiftuser',
-          :admin_password      => 'swiftpassword',
+          :admin_password               => 'swiftpassword',
-          :cache               => 'foo',
+          :cache                        => 'foo',
-          :delay_auth_decision => '0',
+          :delay_auth_decision          => '0',
-          :signing_dir         => '/home/swift/keystone-signing'
+          :signing_dir                  => '/home/swift/keystone-signing',
+          :service_token_roles          => ['service'],
+          :service_token_roles_required => true,
         }
       end
 
@@ -60,6 +64,8 @@ describe 'swift::proxy::authtoken' do
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('0') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('foo') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value(['service']) }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value(true) }
     end
 
     describe 'when overriding www_authenticate_uri' do