From 697be3badbcf943b0a7ef0cdc4ab152a4c012deb Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Fri, 26 Oct 2018 01:25:41 +0200 Subject: [PATCH] Deprecate all paste code Keystone no longer uses it's paste ini file or uses the paste deploy parts so we deprecate all that now. [1] Unfortunately this should probably have been done in Rocky but got missed, in Stein keystone will effectively remove the paste ini file. [1] [1] https://docs.openstack.org/releasenotes/keystone/rocky.html Change-Id: Ifefea626f754d247b376745fbb2791e725ebafbc Closes-Bug: 1794045 --- .../keystone_paste_ini/ini_setting.rb | 1 + lib/puppet/type/keystone_paste_ini.rb | 3 ++ manifests/config.pp | 20 ++++++----- manifests/deps.pp | 1 + manifests/disable_admin_token_auth.pp | 34 ++----------------- manifests/disable_v2_api.pp | 24 ++----------- manifests/init.pp | 18 ++++++---- ...ecate-keystone-paste-01d714353e5544df.yaml | 8 +++++ spec/classes/keystone_config_spec.rb | 13 ------- .../keystone_disable_admin_token_auth_spec.rb | 20 ----------- spec/classes/keystone_init_spec.rb | 6 ---- spec/unit/type/keystone_paste_ini_spec.rb | 1 + 12 files changed, 43 insertions(+), 106 deletions(-) create mode 100644 releasenotes/notes/deprecate-keystone-paste-01d714353e5544df.yaml delete mode 100644 spec/classes/keystone_disable_admin_token_auth_spec.rb diff --git a/lib/puppet/provider/keystone_paste_ini/ini_setting.rb b/lib/puppet/provider/keystone_paste_ini/ini_setting.rb index 23a47af65..77e5e694b 100644 --- a/lib/puppet/provider/keystone_paste_ini/ini_setting.rb +++ b/lib/puppet/provider/keystone_paste_ini/ini_setting.rb @@ -1,3 +1,4 @@ +# TODO(tobias-urdin): This is deprecated and should be removed in T release. Puppet::Type.type(:keystone_paste_ini).provide( :ini_setting, :parent => Puppet::Type.type(:ini_setting).provider(:ruby) diff --git a/lib/puppet/type/keystone_paste_ini.rb b/lib/puppet/type/keystone_paste_ini.rb index f2fc81eb2..59b0c834e 100644 --- a/lib/puppet/type/keystone_paste_ini.rb 
+++ b/lib/puppet/type/keystone_paste_ini.rb @@ -1,3 +1,4 @@ +# TODO(tobias-urdin): This is deprecated and should be removed in T release. Puppet::Type.newtype(:keystone_paste_ini) do ensurable @@ -10,6 +11,8 @@ Puppet::Type.newtype(:keystone_paste_ini) do newproperty(:value) do desc 'The value of the setting to be defined.' munge do |value| + Puppet.deprecation_warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release') + value = value.to_s.strip value.capitalize! if value =~ /^(true|false)$/i value diff --git a/manifests/config.pp b/manifests/config.pp index 63871c154..9cdc45fac 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -17,22 +17,26 @@ # DEFAULT/bar: # value: barValue # -# [*keystone_paste_ini*] -# (optional) Allow configuration of /etc/keystone/keystone-paste.ini options. -# # NOTE: The configuration MUST NOT be already handled by this module # or Puppet catalog compilation will fail with duplicate resources. # +#### DEPRECATED PARAMS +# +# [*keystone_paste_ini*] +# (optional) Allow configuration of /etc/keystone/keystone-paste.ini options. +# class keystone::config ( - $keystone_config = {}, - $keystone_paste_ini = {}, + $keystone_config = {}, + # DEPRECATED PARAMS + $keystone_paste_ini = undef, ) { include ::keystone::deps validate_hash($keystone_config) - validate_hash($keystone_paste_ini) - create_resources('keystone_config', $keystone_config) - create_resources('keystone_paste_ini', $keystone_paste_ini) + + if $keystone_paste_ini { + warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release') + } } diff --git a/manifests/deps.pp b/manifests/deps.pp index e0265fe3e..56ff57ccd 100644 --- a/manifests/deps.pp +++ b/manifests/deps.pp 
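Review bot: The `Puppet.deprecation_warning` call added in lib/puppet/type/keystone_paste_ini.rb sits inside the `munge` block of the `value` property, so it only runs when a resource sets `value`. A resource declared with only `ensure => absent` (the removed spec in this commit had such a case, `DEFAULT/baz`) would presumably produce no deprecation warning. Moving the call to a type-level `validate do … end` block would cover every declaration of the resource. The message also says "has no effect", but the provider hunk only adds a comment, so the ini_setting provider appears to still write the file; wording such as `'keystone_paste_ini is deprecated; Keystone no longer reads keystone-paste.ini'` would be more accurate. The `newtype` block continues outside this hunk.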
@@ -32,6 +32,7 @@ class keystone::deps { # before dbsync starts Oslo::Db<||> -> Anchor['keystone::dbsync::begin'] + # TODO(tobias-urdin): Remove this when keystone_paste_ini is removed. # paste-api.ini config should occur in the config block also. Anchor['keystone::config::begin'] -> Keystone_paste_ini<||> diff --git a/manifests/disable_admin_token_auth.pp b/manifests/disable_admin_token_auth.pp index dd113d5e5..d3b00db58 100644 --- a/manifests/disable_admin_token_auth.pp +++ b/manifests/disable_admin_token_auth.pp @@ -1,6 +1,8 @@ # # Class to manage and secure the keystone-paste.ini pipeline configuration. # +# DEPRECATED! +# # The keystone module uses the admin_token parameter in keystone.conf to # bootstrap the basic setup of an admin user, project, and domain. However, the # admin_token provides an easy vector of attack for production keystone 
@@ -12,35 +14,5 @@ # class keystone::disable_admin_token_auth { - require ::keystone::roles::admin - - Keystone::Resource::Service_identity<||> -> Class['::keystone::disable_admin_token_auth'] - - ini_subsetting { 'public_api/admin_token_auth': - ensure => absent, - path => '/etc/keystone/keystone-paste.ini', - section => 'pipeline:public_api', - setting => 'pipeline', - subsetting => 'admin_token_auth', - tag => 'disable-admin-token-auth', - } - ini_subsetting { 'admin_api/admin_token_auth': - ensure => absent, - path => '/etc/keystone/keystone-paste.ini', - section => 'pipeline:admin_api', - setting => 'pipeline', - subsetting => 'admin_token_auth', - tag => 'disable-admin-token-auth', - } - ini_subsetting { 'api_v3/admin_token_auth': - ensure => absent, - path => '/etc/keystone/keystone-paste.ini', - section => 'pipeline:api_v3', - setting => 'pipeline', - subsetting => 'admin_token_auth', - tag => 'disable-admin-token-auth', - } - - Ini_subsetting <| tag == 'disable-admin-token-auth' |> - ~> Exec<| name == 'restart_keystone' |> + warning('keystone::disable_admin_token_auth is deprecated, has no effect and will be removed in a later release') } diff --git a/manifests/disable_v2_api.pp b/manifests/disable_v2_api.pp index 825e5e86d..82b654376 100644 --- a/manifests/disable_v2_api.pp +++ b/manifests/disable_v2_api.pp @@ -1,5 +1,7 @@ # Class to disable the Keystone v2.0 API via keystone-paste.ini. # +# DEPRECATED! +# # This class removes the /v2.0 entries for Keystone, ensuring that the # only supported API's are v3. After this class is executed, the # standard overcloudrc file will no longer work, the user needs to 
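Review bot: The header comment of manifests/disable_admin_token_auth.pp still opens with "Class to manage and secure the keystone-paste.ini pipeline configuration" and describes the admin_token risk, while the class body is now only a `warning()`. Someone reading the header can still take including this class for a hardening step. The first hunk adds a bare `# DEPRECATED!`; it would be clearer as `# DEPRECATED: this class is a no-op and no longer removes admin_token_auth from any pipeline.` The same applies to manifests/disable_v2_api.pp, whose header still says the class "removes the /v2.0 entries". If the module can still be applied against a Keystone release that reads keystone-paste.ini, the release note should state that these removals are no longer enforced.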
@@ -9,25 +11,5 @@ class keystone::disable_v2_api { - require ::keystone::roles::admin - - Keystone::Resource::Service_identity<||> -> Class['::keystone::disable_v2_api'] - ini_setting { 'disable_admin/v2.0': - ensure => absent, - path => '/etc/keystone/keystone-paste.ini', - section => 'composite:admin', - setting => '/v2.0', - value => undef, - tag => 'disable-v2.0-api', - } - ini_setting { 'disable_main/v2.0': - ensure => absent, - path => '/etc/keystone/keystone-paste.ini', - section => 'composite:main', - setting => '/v2.0', - value => undef, - tag => 'disable-v2.0-api', - } - Ini_subsetting <| tag == 'disable-v2.0-api' |> - ~> Exec<| name == 'restart_keystone' |> + warning('keystone::disable_v2_api has been deprecated, has no effect and will be removed in a later release') } diff --git a/manifests/init.pp b/manifests/init.pp index 757a22534..2b44a103b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -395,11 +395,6 @@ # Defaults to '$::keystone::params::service_name' # NOTE: validate_service only applies if the default value is used. # -# [*paste_config*] -# (optional) Name of the paste configuration file that defines the -# available pipelines. (string value) -# Defaults to $::os_service_default -# # [*max_token_size*] # (optional) maximum allowable Keystone token size # Defaults to $::os_service_default @@ -626,6 +621,11 @@ # (optional) Deprecated. Key size (in bits) for token signing cert (auto generated certificate) # Defaults to $::os_service_default # +# [*paste_config*] +# (optional) Name of the paste configuration file that defines the +# available pipelines. (string value) +# Defaults to undef +# # == Dependencies # None # @@ -729,7 +729,6 @@ class keystone( $validate_insecure = false, $validate_auth_url = false, $validate_cacert = undef, - $paste_config = $::os_service_default, $service_name = $::keystone::params::service_name, $max_token_size = $::os_service_default, $sync_db = true, 
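Review bot: The relocated `paste_config` entry in the manifests/init.pp parameter docs (the `@@ -626` hunk) does not say the parameter is deprecated. It still reads "Name of the paste configuration file that defines the available pipelines", while the neighbouring entry above it starts with "(optional) Deprecated.". I would write it as `# (optional) Deprecated. Has no effect; paste_deploy/config_file is no longer managed.` followed by `# Defaults to undef`. A later hunk drops the `'paste_deploy/config_file'` entry from the keystone_config block, so a value already present in keystone.conf is presumably left in place unless config purging is enabled, and that is worth one sentence in the same doc entry. The class header comment continues outside this hunk.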
@@ -770,12 +769,18 @@ class keystone( $signing_ca_key = $::os_service_default, $signing_cert_subject = $::os_service_default, $signing_key_size = $::os_service_default, + $paste_config = undef, ) inherits keystone::params { include ::keystone::deps include ::keystone::logging include ::keystone::policy + # TODO(tobias-urdin): Remove when paste_config is removed. + if $paste_config { + warning('keystone::paste_config is deprecated, has no effect and will be removed in a later release') + } + if ! $catalog_driver { validate_re($catalog_type, 'template|sql') } @@ -837,7 +842,6 @@ admin_token will be removed in a later release") 'DEFAULT/admin_port': value => $admin_port; 'DEFAULT/member_role_id': value => $member_role_id; 'DEFAULT/member_role_name': value => $member_role_name; - 'paste_deploy/config_file': value => $paste_config; } # Endpoint configuration diff --git a/releasenotes/notes/deprecate-keystone-paste-01d714353e5544df.yaml b/releasenotes/notes/deprecate-keystone-paste-01d714353e5544df.yaml new file mode 100644 index 000000000..fb9e866e3 --- /dev/null +++ b/releasenotes/notes/deprecate-keystone-paste-01d714353e5544df.yaml @@ -0,0 +1,8 @@ +--- +deprecations: + - | + keystone_paste_ini resource, keystone::config::keystone_paste_config, + keystone::disable_admin_token_auth, keystone::disable_v2_api and + keystone::paste_config is all deprecated and has no effect on how + Keystone behaves. These will be removed in the next release, keystone + is not reading the paste configuration in Stein. diff --git a/spec/classes/keystone_config_spec.rb b/spec/classes/keystone_config_spec.rb index 812588586..77c7c5103 100644 --- a/spec/classes/keystone_config_spec.rb +++ b/spec/classes/keystone_config_spec.rb 
@@ -23,18 +23,6 @@ describe 'keystone::config' do end end - shared_examples_for 'keystone_paste_ini' do - let :params do - { :keystone_paste_ini => config_hash } - end - - it 'configures arbitrary keystone-paste-ini configurations' do - is_expected.to contain_keystone_paste_ini('DEFAULT/foo').with_value('fooValue') - is_expected.to contain_keystone_paste_ini('DEFAULT/bar').with_value('barValue') - is_expected.to contain_keystone_paste_ini('DEFAULT/baz').with_ensure('absent') - end - end - on_supported_os({ :supported_os => OSDefaults.get_supported_os }).each do |os,facts| @@ -44,7 +32,6 @@ describe 'keystone::config' do end it_configures 'keystone_config' - it_configures 'keystone_paste_ini' end end end diff --git a/spec/classes/keystone_disable_admin_token_auth_spec.rb b/spec/classes/keystone_disable_admin_token_auth_spec.rb deleted file mode 100644 index 764b26a35..000000000 --- a/spec/classes/keystone_disable_admin_token_auth_spec.rb +++ /dev/null @@ -1,20 +0,0 @@ -require 'spec_helper' - -describe 'keystone::disable_admin_token_auth' do - let :facts do - @default_facts.merge({ - :osfamily => 'Debian', - :os => { :name => 'Debian', :family => 'Debian', :release => { :major => '8', :minor => '0' } }, - }) - end - - let :pre_condition do - 'class { "::keystone": admin_token => "secret", } - class { "::keystone::roles::admin": password => "secret" } - ' - end - - it { is_expected.to contain_ini_subsetting('public_api/admin_token_auth') } - it { is_expected.to contain_ini_subsetting('admin_api/admin_token_auth') } - it { is_expected.to contain_ini_subsetting('api_v3/admin_token_auth') } -end diff --git a/spec/classes/keystone_init_spec.rb b/spec/classes/keystone_init_spec.rb index ae96d54ab..f976af810 100644 --- a/spec/classes/keystone_init_spec.rb +++ b/spec/classes/keystone_init_spec.rb 
@@ -68,7 +68,6 @@ describe 'keystone' do 'public_workers' => 20, 'member_role_id' => '', 'member_role_name' => '', - 'paste_config' => '', 'sync_db' => true, 'purge_config' => false, 'keystone_user' => 'keystone', @@ -121,7 +120,6 @@ describe 'keystone' do 'default_domain' => 'other_domain', 'member_role_id' => '123456789', 'member_role_name' => 'othermember', - 'paste_config' => '/usr/share/keystone/keystone-paste.ini', 'using_domain_config' => false, 'keystone_user' => 'test_user', 'keystone_group' => 'test_group', @@ -222,10 +220,6 @@ describe 'keystone' do is_expected.to contain_keystone_config('token/revoke_by_id').with_value(param_hash['revoke_by_id']) end - it 'should contain default paste_config' do - is_expected.to contain_keystone_config('paste_deploy/config_file').with_value(param_hash['paste_config']) - end - it 'should ensure proper setting of admin_endpoint and public_endpoint' do if param_hash['admin_endpoint'] is_expected.to contain_keystone_config('DEFAULT/admin_endpoint').with_value(param_hash['admin_endpoint']) diff --git a/spec/unit/type/keystone_paste_ini_spec.rb b/spec/unit/type/keystone_paste_ini_spec.rb index cc869d292..89e4de738 100644 --- a/spec/unit/type/keystone_paste_ini_spec.rb +++ b/spec/unit/type/keystone_paste_ini_spec.rb @@ -1,3 +1,4 @@ +# TODO(tobias-urdin): This is deprecated and should be removed in T release. require 'spec_helper' # this hack is required for now to ensure that the path is set up correctly # to retrieve the parent provider