Make keystone exit when fernet keys don't exist

An outcome of some of the token discussions in Austin was that when Fernet is
the configured token provider, Keystone should fail on start up if there are no
keys in the key repository or if the repository doesn't exist.

Closes-Bug: 1576315

Change-Id: I0351dddc49da5908f46e09e22467f6fb112593dd

keystone/tests/unit/test_token_provider.py

@@ -22,6 +22,7 @@ from keystone.common import dependency
 from keystone.common import utils
 from keystone import exception
 from keystone.tests import unit
+from keystone.tests.unit import ksfixtures
 from keystone.tests.unit.ksfixtures import database
 from keystone import token
 from keystone.token.providers import fernet
@@ -717,6 +718,7 @@ class TestTokenProvider(unit.TestCase):
     def setUp(self):
         super(TestTokenProvider, self).setUp()
         self.useFixture(database.Database())
+        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
         self.load_backends()
 
     def test_get_token_version(self):

keystone/tests/unit/test_v2.py

@@ -1421,8 +1421,6 @@ class TestFernetTokenProviderV2(RestfulTestCase):
 
     def setUp(self):
         super(TestFernetTokenProviderV2, self).setUp()
-        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
-
         # Add catalog data
         self.region = unit.new_region_ref()
         self.region_id = self.region['id']
@@ -1458,6 +1456,7 @@ class TestFernetTokenProviderV2(RestfulTestCase):
     def config_overrides(self):
         super(TestFernetTokenProviderV2, self).config_overrides()
         self.config_fixture.config(group='token', provider='fernet')
+        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
 
     def test_authenticate_unscoped_token(self):
         unscoped_token = self.get_unscoped_token()

keystone/tests/unit/test_v3_auth.py

@@ -4718,10 +4718,10 @@ class TestTrustAuthFernetTokenProvider(TrustAPIBehavior, TestTrustChain):
 class TestAuthFernetTokenProvider(TestAuth):
     def setUp(self):
         super(TestAuthFernetTokenProvider, self).setUp()
-        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
 
     def config_overrides(self):
         super(TestAuthFernetTokenProvider, self).config_overrides()
+        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
         self.config_fixture.config(group='token', provider='fernet')
 
     def test_verify_with_bound_token(self):

keystone/token/providers/fernet/core.py

@@ -10,11 +10,14 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import os
+
 from oslo_config import cfg
 
 from keystone.common import dependency
 from keystone.common import utils as ks_utils
 from keystone.federation import constants as federation_constants
+from keystone.i18n import _
 from keystone.token.providers import common
 from keystone.token.providers.fernet import token_formatters as tf
 
@@ -27,6 +30,20 @@ class Provider(common.BaseProvider):
     def __init__(self, *args, **kwargs):
         super(Provider, self).__init__(*args, **kwargs)
 
+        # NOTE(lbragstad): We add these checks here because if the fernet
+        # provider is going to be used and either the `key_repository` is empty
+        # or doesn't exist we should fail, hard. It doesn't make sense to start
+        # keystone and just 500 because we can't do anything with an empty or
+        # non-existant key repository.
+        if not os.path.exists(CONF.fernet_tokens.key_repository):
+            subs = {'key_repo': CONF.fernet_tokens.key_repository}
+            raise SystemExit(_('%(key_repo)s does not exist') % subs)
+        if not os.listdir(CONF.fernet_tokens.key_repository):
+            subs = {'key_repo': CONF.fernet_tokens.key_repository}
+            raise SystemExit(_('%(key_repo)s does not contain keys, use '
+                               'keystone-manage fernet_setup to create '
+                               'Fernet keys.') % subs)
+
         self.token_formatter = tf.TokenFormatter()
 
     def needs_persistence(self):