Stein fixes

- Cookstyle fixes
- Refactor Berksfile to use groups so we can exclude integration testing
  cookbooks
- Update documentation
- Enable sensitive resources for template[/etc/keystone/keystone.conf]
  and execute[bootstrap_keystone] to improve security.
- Update delivery configuration to exclude integration cookbooks

[1] https://docs.openstack.org/keystone/stein/install/keystone-install-rdo.html#install-and-configure-components

Depends-On: https://review.opendev.org/701027
Depends-On: https://review.opendev.org/706101
Depends-On: https://review.opendev.org/706140
Depends-On: https://review.opendev.org/706147
Depends-On: https://review.opendev.org/706158
Change-Id: I6c5005b23ee209650911146e373c4cf082cbee9e

.delivery/project.toml

@@ -1 +1,9 @@
-remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/master/delivery/project.toml"
+[local_phases]
+unit = 'rspec spec/'
+lint = 'cookstyle --display-cop-names --extra-details'
+syntax = "berks install -e integration"
+provision = "echo skipping"
+deploy = "echo skipping"
+smoke = "echo skipping"
+functional = "echo skipping"
+cleanup = "echo skipping"

.rubocop.yml

@@ -1,5 +1,3 @@
-inherit_from: .rubocop_todo.yml
-
 AllCops:
   Include:
     - metadata.rb
@@ -14,24 +12,3 @@ AllCops:
     - .cookbooks/**/*
     - berks-cookbooks/**/*
     - .bundle/**/*
-
-Encoding:
-  Exclude:
-    - metadata.rb
-    - Gemfile
-
-NumericLiterals:
-  Enabled: false
-
-LineLength:
-  Enabled: false
-
-WordArray:
-  MinSize: 3
-
-# TODO(galstom21)
-# The rescue exception statements in providers/**.rb need to be modified,
-# to rescue specific exceptions.
-RescueException:
-  Exclude:
-    - providers/register.rb

.rubocop_todo.yml

@@ -1,19 +0,0 @@
-# This configuration was generated by
-# `rubocop --auto-gen-config`
-# on 2018-08-03 05:25:58 -0700 using RuboCop version 0.55.0.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
-
-# Offense count: 2
-# Cop supports --auto-correct.
-Style/IfUnlessModifier:
-  Exclude:
-    - 'recipes/server-apache.rb'
-
-# Offense count: 65
-# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
-# URISchemes: http, https
-Metrics/LineLength:
-  Max: 224

Berksfile

@@ -4,19 +4,19 @@ solver :ruby, :required
 
 metadata
 
-%w(
+[
-  client
+  %w(client dep),
-  -common
+  %w(-common dep),
-  -dns
+  %w(-dns integration),
-  -image
+  %w(-image integration),
-  -integration-test
+  %w(-integration-test integration),
-  -network
+  %w(-network integration),
-  -ops-database
+  %w(-ops-database integration),
-  -ops-messaging
+  %w(-ops-messaging integration)
-).each do |cookbook|
+].each do |cookbook, group|
   if Dir.exist?("../cookbook-openstack#{cookbook}")
-    cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}"
+    cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}", group: group
   else
-    cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}"
+    cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}", group: group
   end
 end

README.rst

@@ -21,9 +21,9 @@ https://docs.openstack.org/keystone/latest/
 Requirements
 ============
 
-- Chef 14 or higher
+- Chef 15 or higher
-- ChefDK 3.2.30 for testing (also includes Berkshelf for cookbook
+- Chef Workstation 0.15.18 for testing (also includes Berkshelf for
-  dependency resolution)
+  cookbook dependency resolution)
 
 Platform
 ========
@@ -38,7 +38,7 @@ Cookbooks
 The following cookbooks are dependencies:
 
 - 'apache2', '~> 8.0'
-- 'openstack-common', '>= 18.0.0'
+- 'openstack-common', '>= 19.0.0'
 - 'openstackclient'
 
 Attributes
@@ -63,7 +63,17 @@ openstack-identity::cloud_config
 openstack-identity::_credential_tokens
 --------------------------------------
 
-- Helper recipe to manage credential keys
+- Helper recipe to manage credential keys.
+
+If you prefer, you can manually create the keys by doing the following:
+
+.. code-block:: console
+
+  $ keystone-manage credential_setup \
+    --keystone-user keystone --keystone-group keystone
+
+This should create a directory ``/etc/keystone/credential-keys`` with
+the keys residing in it.
 
 openstack-identity::_fernet_tokens
 ----------------------------------
@@ -141,7 +151,7 @@ License and Author
 +---------------+----------------------------------------------+
 | **Copyright** | GmbH Copyright 2013-2014, IBM, Corp.         |
 +---------------+----------------------------------------------+
-| **Copyright** | Copyright 2016-2019, Oregon State University |
+| **Copyright** | Copyright 2016-2020, Oregon State University |
 +---------------+----------------------------------------------+
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may

attributes/default.rb

@@ -1,14 +1,15 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: default
 #
-# Copyright 2012-2013, AT&T Services, Inc.
+# Copyright:: 2012-2013, AT&T Services, Inc.
-# Copyright 2013, Opscode, Inc.
+# Copyright:: 2013, Opscode, Inc.
-# Copyright 2013, IBM Corp.
+# Copyright:: 2013, IBM Corp.
-# Copyright 2017, x-ion GmbH
+# Copyright:: 2017, x-ion GmbH
-# Copyright 2018, Workday, Inc.
+# Copyright:: 2018, Workday, Inc.
-# Copyright 2019, x-ion GmbH
+# Copyright:: 2019, x-ion GmbH
+# Copyright:: 2016-2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

metadata.rb

@@ -3,14 +3,7 @@ maintainer       'openstack-chef'
 maintainer_email 'openstack-discuss@lists.openstack.org'
 license          'Apache-2.0'
 description      'The OpenStack Identity service Keystone.'
-version          '18.0.0'
+version          '19.0.0'
-
-recipe 'cloud_config', 'Manage the cloud config file located at /root/clouds.yaml'
-recipe '_credential_tokens', 'Helper recipe to manage credential keys'
-recipe '_fernet_tokens', 'Helper recipe to manage fernet tokens'
-recipe 'openrc', 'Creates a fully usable openrc file'
-recipe 'registration', 'Registers the initial keystone endpoint as well as users, tenants and roles'
-recipe 'server-apache', 'Installs and configures the OpenStack Identity Service running inside of an apache webserver.'
 
 %w(ubuntu redhat centos).each do |os|
   supports os
@@ -18,8 +11,8 @@ end
 
 depends 'apache2', '~> 8.0'
 depends 'openstackclient'
-depends 'openstack-common', '>= 18.0.0'
+depends 'openstack-common', '>= 19.0.0'
 
 issues_url 'https://launchpad.net/openstack-chef'
 source_url 'https://opendev.org/openstack/cookbook-openstack-identity'
-chef_version '>= 14.0'
+chef_version '>= 15.0'

recipes/_credential_tokens.rb

@@ -1,8 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: _credential_tokens
 #
+# Copyright:: 2020, Oregon State University
+#
 # Licensed under the Apache License, Version 2.0 (the 'License');
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -24,23 +26,23 @@ class ::Chef::Recipe
   include ::Openstack
 end
 
-key_repository =
+key_repository = node['openstack']['identity']['conf']['credential']['key_repository']
-  node['openstack']['identity']['conf']['credential']['key_repository']
+keystone_user = node['openstack']['identity']['user']
+keystone_group = node['openstack']['identity']['group']
 
 directory key_repository do
-  owner node['openstack']['identity']['user']
+  owner keystone_user
-  group node['openstack']['identity']['group']
+  group keystone_group
-  mode 0o0700
+  mode '700'
 end
 
 node['openstack']['identity']['credential']['keys'].each do |key_index|
-  key = secret(node['openstack']['secret']['secrets_data_bag'],
+  key = secret(node['openstack']['secret']['secrets_data_bag'], "credential_key#{key_index}")
-               "credential_key#{key_index}")
   file File.join(key_repository, key_index.to_s) do
     content key
-    owner node['openstack']['identity']['user']
+    owner keystone_user
-    group node['openstack']['identity']['group']
+    group keystone_group
-    mode 0o0400
+    mode '400'
     sensitive true
   end
 end

recipes/_fernet_tokens.rb

@@ -1,8 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: _fernet_tokens
 #
+# Copyright:: 2020, Oregon State University
+#
 # Licensed under the Apache License, Version 2.0 (the 'License');
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -23,23 +25,28 @@ class ::Chef::Recipe
   include ::Openstack
 end
 
-key_repository =
+key_repository = node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
-  node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
+keystone_user = node['openstack']['identity']['user']
+keystone_group = node['openstack']['identity']['group']
 
 directory key_repository do
-  owner node['openstack']['identity']['user']
+  owner keystone_user
-  group node['openstack']['identity']['group']
+  group keystone_group
-  mode 0o0700
+  mode '700'
 end
 
 node['openstack']['identity']['fernet']['keys'].each do |key_index|
-  key = secret(node['openstack']['secret']['secrets_data_bag'],
+  key = secret(node['openstack']['secret']['secrets_data_bag'], "fernet_key#{key_index}")
-               "fernet_key#{key_index}")
   file File.join(key_repository, key_index.to_s) do
     content key
-    owner node['openstack']['identity']['user']
+    owner keystone_user
-    group node['openstack']['identity']['group']
+    group keystone_group
-    mode 0o0400
+    mode '400'
     sensitive true
   end
 end
+
+execute 'keystone-manage fernet_setup' do
+  command "keystone-manage fernet_setup --keystone-user #{keystone_user} --keystone-group #{keystone_group}"
+  creates '/etc/keystone/fernet-keys'
+end

recipes/cloud_config.rb

@@ -1,9 +1,9 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # recipe:: cloud_config
 #
-# Copyright 2019 x-ion GmbH
+# Copyright:: 2019 x-ion GmbH
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

recipes/openrc.rb

@@ -1,9 +1,9 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # recipe:: openrc
 #
-# Copyright 2014 IBM Corp.
+# Copyright:: 2014 IBM Corp.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

recipes/registration.rb

@@ -1,10 +1,11 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: setup
 #
-# Copyright 2012, Rackspace US, Inc.
+# Copyright:: 2012, Rackspace US, Inc.
-# Copyright 2012-2013, Opscode, Inc.
+# Copyright:: 2012-2013, Opscode, Inc.
+# Copyright:: 2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -48,11 +49,11 @@ admin_domain = node['openstack']['identity']['admin_domain_name']
 # endpoint_type = node['openstack']['identity']['endpoint_type']
 
 connection_params = {
-  openstack_auth_url:      auth_url,
+  openstack_auth_url: auth_url,
-  openstack_username:      admin_user,
+  openstack_username: admin_user,
-  openstack_api_key:       admin_pass,
+  openstack_api_key: admin_pass,
-  openstack_project_name:  admin_project,
+  openstack_project_name: admin_project,
-  openstack_domain_id:     admin_domain,
+  openstack_domain_id: admin_domain,
   # openstack_endpoint_type: endpoint_type,
 }
 
@@ -77,8 +78,8 @@ openstack_role 'service' do
   connection_params connection_params
 end
 
-node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
+node.default['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
-node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
+node.default['openstack']['identity']['publicURL'] = identity_endpoint.to_s
 
 Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
 Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"

recipes/server-apache.rb

@@ -1,9 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: server-apache
 #
-# Copyright 2015, IBM Corp. Inc.
+# Copyright:: 2015, IBM Corp. Inc.
+# Copyright:: 2016-2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the 'License');
 # you may not use this file except in compliance with the License.
@@ -50,8 +51,8 @@ admin_user = node['openstack']['identity']['admin_user']
 admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
 admin_role = node['openstack']['identity']['admin_role']
 region = node['openstack']['identity']['region']
-keystone_user    = node['openstack']['identity']['user']
+keystone_user = node['openstack']['identity']['user']
-keystone_group   = node['openstack']['identity']['group']
+keystone_group = node['openstack']['identity']['group']
 
 # install the database python adapter packages for the selected database
 # service_type
@@ -101,14 +102,14 @@ end
 directory '/etc/keystone' do
   owner keystone_user
   group keystone_group
-  mode 0o0700
+  mode '700'
 end
 
 # create keystone domain config dir if needed
 directory node['openstack']['identity']['domain_config_dir'] do
   owner keystone_user
   group keystone_group
-  mode 0o0700
+  mode '700'
   only_if { node['openstack']['identity']['domain_specific_drivers_enabled'] }
 end
 
@@ -119,8 +120,8 @@ file '/var/lib/keystone/keystone.db' do
 end
 
 # include the recipes to setup tokens
-include_recipe 'openstack-identity::_credential_tokens'
 include_recipe 'openstack-identity::_fernet_tokens'
+include_recipe 'openstack-identity::_credential_tokens'
 
 # define the address to bind the keystone apache public service to
 bind_service = node['openstack']['bind_service']['public']['identity']
@@ -145,14 +146,14 @@ if node['openstack']['identity']['pastefile_url']
     source node['openstack']['identity']['pastefile_url']
     owner keystone_user
     group keystone_group
-    mode 0o0644
+    mode '644'
   end
 else
   template '/etc/keystone/keystone-paste.ini' do
     source 'keystone-paste.ini.erb'
     owner keystone_user
     group keystone_group
-    mode 0o0644
+    mode '644'
   end
 end
 
@@ -176,7 +177,8 @@ template '/etc/keystone/keystone.conf' do
   cookbook 'openstack-common'
   owner keystone_user
   group keystone_group
-  mode 0o0640
+  mode '640'
+  sensitive true
   variables(
     service_config: keystone_conf_options
   )
@@ -210,6 +212,7 @@ execute 'bootstrap_keystone' do
           --bootstrap-admin-url #{identity_internal_endpoint} \\
           --bootstrap-public-url #{identity_endpoint} \\
           --bootstrap-internal-url #{identity_internal_endpoint}"
+  sensitive true
 end
 
 #### Start of Apache specific work
@@ -236,7 +239,7 @@ keystone_apache_dir = "#{default_docroot_dir}/keystone"
 directory keystone_apache_dir do
   owner 'root'
   group 'root'
-  mode 0o0755
+  mode '755'
 end
 
 # create the keystone apache config using template

spec/credential_tokens_spec.rb

@@ -13,7 +13,7 @@ describe 'openstack-identity::_credential_tokens' do
 
     it do
       expect(chef_run).to create_directory('/etc/keystone/credential-tokens')
-        .with(owner: 'keystone', user: 'keystone', mode: 0o0700)
+        .with(owner: 'keystone', user: 'keystone', mode: '700')
     end
 
     [0, 1].each do |key_index|
@@ -23,7 +23,7 @@ describe 'openstack-identity::_credential_tokens' do
             content: "thisiscredentialkey#{key_index}",
             owner: 'keystone',
             group: 'keystone',
-            mode: 0o0400
+            mode: '400'
           )
       end
     end

spec/fernet_tokens_spec.rb

@@ -13,7 +13,7 @@ describe 'openstack-identity::_fernet_tokens' do
 
     it do
       expect(chef_run).to create_directory('/etc/keystone/fernet-tokens')
-        .with(owner: 'keystone', user: 'keystone', mode: 0o0700)
+        .with(owner: 'keystone', user: 'keystone', mode: '700')
     end
 
     [0, 1].each do |key_index|
@@ -23,9 +23,14 @@ describe 'openstack-identity::_fernet_tokens' do
             content: "thisisfernetkey#{key_index}",
             owner: 'keystone',
             group: 'keystone',
-            mode: 0o0400
+            mode: '400'
           )
       end
     end
+    it do
+      expect(chef_run).to run_execute('keystone-manage fernet_setup').with(
+        command: 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone'
+      )
+    end
   end
 end

spec/server-apache_spec.rb

@@ -54,7 +54,8 @@ describe 'openstack-identity::server-apache' do
     end
 
     it 'bootstrap with keystone-manage' do
-      expect(chef_run).to run_execute('bootstrap_keystone').with(command: "keystone-manage bootstrap \\
+      expect(chef_run).to run_execute('bootstrap_keystone').with(
+        command: "keystone-manage bootstrap \\
           --bootstrap-password #{password} \\
           --bootstrap-username #{service_user} \\
           --bootstrap-project-name #{project_name} \\
@@ -63,7 +64,9 @@ describe 'openstack-identity::server-apache' do
           --bootstrap-region-id #{region} \\
           --bootstrap-admin-url #{public_url} \\
           --bootstrap-public-url #{public_url} \\
-          --bootstrap-internal-url #{public_url}")
+          --bootstrap-internal-url #{public_url}",
+        sensitive: true
+      )
     end
 
     describe '/etc/keystone' do
@@ -73,7 +76,7 @@ describe 'openstack-identity::server-apache' do
         expect(chef_run).to create_directory(dir.name).with(
           user: 'keystone',
           group: 'keystone',
-          mode: 0o0700
+          mode: '700'
         )
       end
     end
@@ -94,7 +97,7 @@ describe 'openstack-identity::server-apache' do
           expect(chef_run).to create_directory(dir).with(
             user: 'keystone',
             group: 'keystone',
-            mode: 0o0700
+            mode: '700'
           )
         end
       end
@@ -122,7 +125,8 @@ describe 'openstack-identity::server-apache' do
           expect(chef_run).to create_template(resource.name).with(
             user: 'keystone',
             group: 'keystone',
-            mode: 0o0640
+            mode: '640',
+            sensitive: true
           )
         end
       end
@@ -207,13 +211,13 @@ describe 'openstack-identity::server-apache' do
         end
       end
       describe '[fernet_tokens] section' do
-        it do
+        it 'key_repository = /etc/keystone/fernet-tokens' do
           r = %r{^key_repository = /etc/keystone/fernet-tokens$}
           expect(chef_run).to render_config_file(path).with_section_content('fernet_tokens', r)
         end
       end
       describe '[credential] section' do
-        it do
+        it 'key_repository = /etc/keystone/credential-tokens' do
           r = %r{^key_repository = /etc/keystone/credential-tokens$}
           expect(chef_run).to render_config_file(path).with_section_content('credential', r)
         end
@@ -301,7 +305,7 @@ describe 'openstack-identity::server-apache' do
           source: 'http://server/mykeystone-paste.ini',
           user: 'keystone',
           group: 'keystone',
-          mode: 0o0644
+          mode: '644'
         )
       end
     end