Delete service_token from keystone on Fuel Master

Deletes keystone service token after deploying keystone
to minimize security risk.

Change-Id: I776644f727ce086369954f383a09b48b60bf11a5
Depends-On: Idb7694b19792a6c43c2752867da7c34b995513d0
Closes-Bug: #1582893

deployment/puppet/fuel/examples/deploy.sh

@@ -23,6 +23,7 @@ rabbitmq
 mcollective
 astute
 keystone
+keystone_token_disable
 nailgun
 ostf
 nginx_repo

deployment/puppet/fuel/examples/keystone_token_disable.pp

@@ -0,0 +1,3 @@
+notice('MODULAR: keystone.pp')
+
+class { 'osnailyfacter::astute::service_token_off': }

deployment/puppet/osnailyfacter/manifests/astute/service_token_off.pp

@@ -8,7 +8,7 @@ class osnailyfacter::astute::service_token_off {
 
   $keystone_params_hash = hiera_hash('keystone', {})
 
-  if $keystone_params_hash['service_token_off'] {
+  if str2bool($keystone_params_hash['service_token_off']) {
 
     include ::keystone::params
     include ::tweaks::apache_wrappers

tests/noop/spec/hosts/master/keystone_token_disable_spec.rb

@@ -0,0 +1,30 @@
+# HIERA: master
+# FACTS: master_centos7
+
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'master/keystone_token_disable.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+
+    keystone_params  = Noop.hiera_structure 'keystone'
+    disable_token = Noop.puppet_function('str2bool', keystone_params['service_token_off'])
+
+    if disable_token
+      it 'should remove admin_token option' do
+        is_expected.to contain_keystone_config('DEFAULT/admin_token').with_ensure('absent')
+      end
+
+      it 'should contain exec of remove AdminTokenAuthMiddleware from pipelines' do
+        paste_ini = '/etc/keystone/keystone-paste.ini'
+        is_expected.to contain_exec('remove_admin_token_auth_middleware').with(
+          :path    => ['/bin', '/usr/bin'],
+          :command => "sed -i.dist 's/ admin_token_auth//' #{paste_ini}",
+          :onlyif  => "fgrep -q ' admin_token_auth' #{paste_ini}",
+        )
+      end
+    end
+  end
+  run_test manifest
+end