From f17339fb7d5e16102cebd5cf2d41b3ea084ec3d1 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <tkajinam@redhat.com>
Date: Mon, 19 Oct 2020 12:40:58 +0900
Subject: [PATCH] Add support for the keystone_authtoken/service_type parameter

Change-Id: I2fb901e22e01c5b3acda20ee286413c13ba9b90c
---
 manifests/api/authtoken.pp                                | 7 +++++++
 manifests/inspector/authtoken.pp                          | 7 +++++++
 .../keystone-authtoken-service_type-3f922952045488ec.yaml | 8 ++++++++
 spec/classes/ironic_api_authtoken_spec.rb                 | 3 +++
 spec/classes/ironic_inspector_authtoken_spec.rb           | 6 ++++++
 5 files changed, 31 insertions(+)
 create mode 100644 releasenotes/notes/keystone-authtoken-service_type-3f922952045488ec.yaml

diff --git a/manifests/api/authtoken.pp b/manifests/api/authtoken.pp
index d8f7d0a0..3c2d1542 100644
--- a/manifests/api/authtoken.pp
+++ b/manifests/api/authtoken.pp
@@ -178,6 +178,11 @@
 #   a future release and should be enabled if possible.
 #   Defaults to $::os_service_default.
 #
+# [*service_type*]
+#  (Optional) The name or type of the service as it appears in the service
+#  catalog. This is used to validate tokens that have restricted access rules.
+#  Defaults to $::os_service_default.
+#
 # [*interface*]
 #  (Optional) Interface to use for the Identity API endpoint. Valid values are
 #  "public", "internal" or "admin".
@@ -218,6 +223,7 @@ class ironic::api::authtoken(
   $token_cache_time               = $::os_service_default,
   $service_token_roles            = $::os_service_default,
   $service_token_roles_required   = $::os_service_default,
+  $service_type                   = $::os_service_default,
   $interface                      = $::os_service_default,
 ) {
 
@@ -262,6 +268,7 @@ class ironic::api::authtoken(
     token_cache_time               => $token_cache_time,
     service_token_roles            => $service_token_roles,
     service_token_roles_required   => $service_token_roles_required,
+    service_type                   => $service_type,
     interface                      => $interface,
   }
 }
diff --git a/manifests/inspector/authtoken.pp b/manifests/inspector/authtoken.pp
index f3768533..7cefcf6c 100644
--- a/manifests/inspector/authtoken.pp
+++ b/manifests/inspector/authtoken.pp
@@ -177,6 +177,11 @@
 #   true/false
 #   Defaults to $::os_service_default.
 #
+# [*service_type*]
+#  (Optional) The name or type of the service as it appears in the service
+#  catalog. This is used to validate tokens that have restricted access rules.
+#  Defaults to $::os_service_default.
+#
 # [*interface*]
 #  (Optional) Interface to use for the Identity API endpoint. Valid values are
 #  "public", "internal" or "admin".
@@ -217,6 +222,7 @@ class ironic::inspector::authtoken(
   $token_cache_time               = $::os_service_default,
   $service_token_roles            = $::os_service_default,
   $service_token_roles_required   = $::os_service_default,
+  $service_type                   = $::os_service_default,
   $interface                      = $::os_service_default,
 ) {
 
@@ -261,6 +267,7 @@ class ironic::inspector::authtoken(
     token_cache_time               => $token_cache_time,
     service_token_roles            => $service_token_roles,
     service_token_roles_required   => $service_token_roles_required,
+    service_type                   => $service_type,
     interface                      => $interface,
   }
 }
diff --git a/releasenotes/notes/keystone-authtoken-service_type-3f922952045488ec.yaml b/releasenotes/notes/keystone-authtoken-service_type-3f922952045488ec.yaml
new file mode 100644
index 00000000..57db5d2f
--- /dev/null
+++ b/releasenotes/notes/keystone-authtoken-service_type-3f922952045488ec.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The following two parameters have been added to configure the service_type
+    parameter in authtoken middlewae.
+
+    - ``ironic::api::authtoken::service_type``
+    - ``ironic::inspector::authtoken::service_type``
diff --git a/spec/classes/ironic_api_authtoken_spec.rb b/spec/classes/ironic_api_authtoken_spec.rb
index 6140b632..870c6d75 100644
--- a/spec/classes/ironic_api_authtoken_spec.rb
+++ b/spec/classes/ironic_api_authtoken_spec.rb
@@ -44,6 +44,7 @@ describe 'ironic::api::authtoken' do
         is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('keystone_authtoken/service_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('keystone_authtoken/interface').with_value('<SERVICE DEFAULT>')
       end
     end
@@ -85,6 +86,7 @@ describe 'ironic::api::authtoken' do
           :token_cache_time               => '301',
           :service_token_roles            => ['service'],
           :service_token_roles_required   => true,
+          :service_type                   => 'identity',
           :interface                      => 'internal',
         })
       end
@@ -123,6 +125,7 @@ describe 'ironic::api::authtoken' do
         is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
         is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
         is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
+        is_expected.to contain_ironic_config('keystone_authtoken/service_type').with_value(params[:service_type])
         is_expected.to contain_ironic_config('keystone_authtoken/interface').with_value(params[:interface])
       end
 
diff --git a/spec/classes/ironic_inspector_authtoken_spec.rb b/spec/classes/ironic_inspector_authtoken_spec.rb
index 874a182a..a9c1aa10 100644
--- a/spec/classes/ironic_inspector_authtoken_spec.rb
+++ b/spec/classes/ironic_inspector_authtoken_spec.rb
@@ -44,6 +44,8 @@ describe 'ironic::inspector::authtoken' do
         is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_type').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('keystone_authtoken/interface').with_value('<SERVICE DEFAULT>')
       end
     end
 
@@ -84,6 +86,8 @@ describe 'ironic::inspector::authtoken' do
           :token_cache_time               => '301',
           :service_token_roles            => ['service'],
           :service_token_roles_required   => false,
+          :service_type                   => 'identity',
+          :interface                      => 'internal',
         })
       end
 
@@ -121,6 +125,8 @@ describe 'ironic::inspector::authtoken' do
         is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
         is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
         is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
+        is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_type').with_value(params[:service_type])
+        is_expected.to contain_ironic_inspector_config('keystone_authtoken/interface').with_value(params[:interface])
       end
 
       it 'installs python memcache package' do