Include option to set SSLCertificateChainFile

Some cert providers require an chain cert file so this allows for this option.
In addition, I added tests for SSL that were missing for the apache vhost file.

Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39

attributes/default.rb

@@ -124,6 +124,7 @@ default['openstack']['identity']['ssl']['ciphers'] = nil
 default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
 # path of the keyfile for SSL.
 default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
+default['openstack']['identity']['ssl']['chainfile'] = nil
 # path of the CA cert file for SSL.
 default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
 # path of the CA cert files for SSL (Apache)

recipes/server-apache.rb

@@ -325,6 +325,7 @@ wsgi_apps.each do |app, opt|
     group node['openstack']['identity']['group']
     use_ssl node['openstack']['identity']['ssl']['enabled']
     cert_file node['openstack']['identity']['ssl']['certfile']
+    chain_file node['openstack']['identity']['ssl']['chainfile']
     key_file node['openstack']['identity']['ssl']['keyfile']
     ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
     cert_required node['openstack']['identity']['ssl']['cert_required']

spec/server-apache_spec.rb

@@ -417,6 +417,42 @@ describe 'openstack-identity::server-apache' do
               expect(chef_run).not_to render_file(file).with_content(line)
             end
           end
+          context 'Enable SSL' do
+            before do
+              node.set['openstack']['identity']['ssl']['enabled'] = true
+            end
+            it "configures #{file} common ssl lines" do
+              [/^    SSLEngine On$/,
+               %r{^    SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
+               %r{^    SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
+               %r{^    SSLCACertificatePath /etc/keystone/ssl/certs/$},
+               /^    SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
+                expect(chef_run).to render_file(file).with_content(line)
+              end
+            end
+            it "does not configure #{file} common ssl lines" do
+              [/^    SSLCertificateChainFile/,
+               /^    SSLCipherSuite/,
+               /^    SSLVerifyClient require/].each do |line|
+                expect(chef_run).not_to render_file(file).with_content(line)
+              end
+            end
+            it "configures #{file} chainfile when set" do
+              node.set['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
+              expect(chef_run).to render_file(file)
+                .with_content(%r{^    SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
+            end
+            it "configures #{file} ciphers when set" do
+              node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
+              expect(chef_run).to render_file(file)
+                .with_content(/^    SSLCipherSuite ciphers_value$/)
+            end
+            it "configures #{file} cert_required set" do
+              node.set['openstack']['identity']['ssl']['cert_required'] = true
+              expect(chef_run).to render_file(file)
+                .with_content(/^    SSLVerifyClient require$/)
+            end
+          end
         end
 
         describe 'keystone-main.conf' do

templates/default/wsgi-keystone.conf.erb

@@ -19,6 +19,9 @@
     SSLCertificateFile <%= @params[:cert_file] %>
     SSLCertificateKeyFile <%= @params[:key_file] %>
     SSLCACertificatePath <%= @params[:ca_certs_path] %>
+      <% if @params[:chain_file] %>
+    SSLCertificateChainFile <%= @params[:chain_file] %>
+      <% end -%>
     SSLProtocol <%= @params[:protocol] %>
       <% if @params[:ciphers] -%>
     SSLCipherSuite <%= @params[:ciphers] %>