Add service_token_roles for keystone authtoken config

Add the ability to configure service_token_roles.

Change-Id: If8e71f76f10fff0934ae8e7e85ff602fcabc72e8
Depends-On: https://review.opendev.org/#/c/747098
Closes-Bug: #1892284

puppet-{{cookiecutter.project_name}}/manifests/keystone/authtoken.pp

@@ -160,6 +160,23 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+#   (Optional) A choice of roles that must be present in a service token.
+#   Service tokens are allowed to request that an expired token
+#   can be used and so this check should tightly control that
+#   only actual services should be sending this token. Roles
+#   here are applied as an ANY check so any role in this list
+#   must be present. For backwards compatibility reasons this
+#   currently only affects the allow_expired check. (list value)
+#   Defaults to $::os_service_default.
+#
+# [*service_token_roles_required*]
+#   (Optional) For backwards compatibility reasons we must let
+#   valid service tokens pass that don't pass the service_token_roles
+#   check as valid. Setting this true will become the default in
+#   a future release and should be enabled if possible.
+#   Defaults to $::os_service_default.
+#
 class {{cookiecutter.project_name}}::keystone::authtoken(
   $password,
   $username                       = '{{cookiecutter.project_name}}',
@@ -193,6 +210,8 @@ class {{cookiecutter.project_name}}::keystone::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  $service_token_roles            = $::os_service_default,
+  $service_token_roles_required   = $::os_service_default,
 ) {
 
   include {{cookiecutter.project_name}}::deps
@@ -230,6 +249,8 @@ class {{cookiecutter.project_name}}::keystone::authtoken(
     manage_memcache_package        => $manage_memcache_package,
     region_name                    => $region_name,
     token_cache_time               => $token_cache_time,
+    service_token_roles            => $service_token_roles,
+    service_token_roles_required   => $service_token_roles_required,
   }
 }
 

puppet-{{cookiecutter.project_name}}/spec/classes/{{cookiecutter.project_name}}_keystone_authtoken_spec.rb

@@ -41,6 +41,8 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
         should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
         should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
         should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
+        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
       }
     end
 
@@ -79,6 +81,8 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
           :manage_memcache_package        => true,
           :region_name                    => 'region2',
           :token_cache_time               => '301',
+          :service_token_roles            => ['service'],
+          :service_token_roles_required   => false,
         })
       end
 
@@ -114,6 +118,8 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
         should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
         should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/region_name').with_value(params[:region_name])
         should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
+        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
       }
 
       it { should contain_package('python-memcache') }