default token format/provider handling

The Keystone server would print a warning when both the token
format and provider were set to the default.

Also, the Keystone server would not start if the format was
commented out and the provider was set to the uuid.Provider.

Fixes: bug 1204314

Change-Id: Id7db33a1f27c4986af153efc73b22db8c6a8942e

6 files changed, 16 insertions, 11 deletions

diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 4c0327cf..a49a9a5e 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -128,7 +128,8 @@
 # driver = keystone.token.backends.sql.Token
 
 # Controls the token construction, validation, and revocation operations.
-# provider = keystone.token.providers.pki.Provider
+# Core providers are keystone.token.providers.[pki|uuid].Provider
+# provider =
 
 # Amount of time a token should remain valid (in seconds)
 # expiration = 86400
@@ -165,7 +166,8 @@
 
 [signing]
 # Deprecated in favor of provider in the [token] section
-#token_format = PKI
+# Allowed values are PKI or UUID
+#token_format =
 
 #certfile = /etc/keystone/pki/certs/signing_cert.pem
 #keyfile = /etc/keystone/pki/private/signing_key.pem
diff --git a/keystone/common/config.py b/keystone/common/config.py
index b0a534f8..10c47a35 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -240,7 +240,7 @@ def configure():
 
     # signing
     register_str(
-        'token_format', group='signing', default="PKI")
+        'token_format', group='signing', default=None)
     register_str(
         'certfile',
         group='signing',
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index 2459f843..2864be6f 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -77,6 +77,10 @@ class Manager(manager.Manager):
                       'conflicts with keystone.conf [token] provider'))
             return CONF.token.provider
         else:
+            if not CONF.signing.token_format:
+                # No token provider and no format, so use default (PKI)
+                return PKI_PROVIDER
+
             msg = _('keystone.conf [signing] token_format is deprecated in '
                     'favor of keystone.conf [token] provider')
             if CONF.signing.token_format == 'PKI':
diff --git a/tests/test_pki_token_provider.conf b/tests/test_pki_token_provider.conf
index ec8df231..255972c3 100644
--- a/tests/test_pki_token_provider.conf
+++ b/tests/test_pki_token_provider.conf
@@ -1,5 +1,2 @@
-[signing]
-token_format = PKI
-
 [token]
 provider = keystone.token.providers.pki.Provider
diff --git a/tests/test_token_provider.py b/tests/test_token_provider.py
index 1bcf1a21..ac0b0d6b 100644
--- a/tests/test_token_provider.py
+++ b/tests/test_token_provider.py
@@ -410,11 +410,16 @@ class TestTokenProvider(test.TestCase):
         self.assertRaises(exception.UnexpectedError,
                           token.provider.Manager.get_token_provider)
 
+    def test_uuid_provider(self):
+        self.opt_in_group('token', provider=token.provider.UUID_PROVIDER)
+        self.assertEqual(token.provider.Manager.get_token_provider(),
+                         token.provider.UUID_PROVIDER)
+
     def test_provider_override_token_format(self):
         self.opt_in_group('token',
                           provider='keystone.token.providers.pki.Test')
-        self.assertRaises(exception.UnexpectedError,
-                          token.provider.Manager.get_token_provider)
+        self.assertEqual(token.provider.Manager.get_token_provider(),
+                         'keystone.token.providers.pki.Test')
 
         self.opt_in_group('signing', token_format='UUID')
         self.opt_in_group('token',
diff --git a/tests/test_uuid_token_provider.conf b/tests/test_uuid_token_provider.conf
index d1ac5fdf..d127ea3b 100644
--- a/tests/test_uuid_token_provider.conf
+++ b/tests/test_uuid_token_provider.conf
@@ -1,5 +1,2 @@
-[signing]
-token_format = UUID
-
 [token]
 provider = keystone.token.providers.uuid.Provider