From 56b547eb2d0af7b2a4daa290c889d08c07c4641b Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Tue, 15 Nov 2016 12:41:28 +0000
Subject: [PATCH] CentOS: Only install Federation IDP/SP Packages when necessary

In https://review.openstack.org/309425 adjustments were made which resulted in keystone_idp and keystone_sp to always be defined. Unfortunately the CentOS support for os_keystone merged after that and reviews did not pick up the necessary changes. This patch corrects it so that the repo and packages are only installed if necessary. Additionally, the Federation SP callback template was being unnecessarily copied over. It will now only copy over when it will be used.

Change-Id: I466f1391893d33be7c83caba70ec93e44dd1d482
---
 tasks/keystone_install_yum.yml | 6 +++---
 tasks/keystone_post_install.yml | 13 ++++++++++++-
 templates/keystone.conf.j2 | 2 +-
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/tasks/keystone_install_yum.yml b/tasks/keystone_install_yum.yml
index ad919f57..8c4c6ec9 100644
--- a/tasks/keystone_install_yum.yml
+++ b/tasks/keystone_install_yum.yml
@@ -104,7 +104,7 @@
 delay: 2
 with_items: "{{ keystone_idp_distro_packages }}"
 when:
- - keystone_idp is defined
+ - keystone_idp != {}
 #TODO(cloudnull) Remove this task once we move to Ansible 2.1
 # where we can leverage the `yum_repository` module:
@@ -127,7 +127,7 @@
 with_items:
 - "{{ keystone_shibboleth_repo }}"
 when:
- - keystone_sp is defined
+ - keystone_sp != {}
 - name: Install SP yum packages
 yum:
@@ -139,7 +139,7 @@
 delay: 2
 with_items: "{{ keystone_sp_distro_packages }}"
 when:
- - keystone_sp is defined
+ - keystone_sp != {}
 - name: Install developer mode yum packages
 yum:
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index 1f19a4bd..4cb9bbf1 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
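Review bot: In tasks/keystone_install_yum.yml the three `when` conditions now compare against an empty-mapping literal (`keystone_idp != {}`, `keystone_sp != {}`), which is true for every other value, including the null that an override written as a bare `keystone_idp:` produces. In that case the IdP packages, the task looping over `keystone_shibboleth_repo` and the SP packages would still run on a host that does not use federation, and the same comparison in templates/keystone.conf.j2 would go on to render `keystone_idp.certfile`. A test on emptiness rather than equality, for example `- keystone_idp | default({}, true) | length > 0`, skips for both `{}` and null; failing that, a comment next to the role defaults should state that only `{}` disables federation. The tasks these conditions belong to start above each hunk, so their remaining arguments are not visible here.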
@@ -39,14 +39,25 @@
 - Restart Keystone APIs
 - Restart service
-- name: Drop Keystone Configs
+- name: Copy Keystone Federation SP SSO callback template
 copy:
 src: "sso_callback_template.html"
 dest: "/etc/keystone/sso_callback_template.html"
 owner: "{{ keystone_system_user_name }}"
 group: "{{ keystone_system_group_name }}"
 mode: "0644"
+ when:
+ - keystone_idp != {}
 notify:
 - Restart Keystone APIs
 - Restart service
+- name: Clean up Keystone Federation SP SSO callback template
+ file:
+ path: "/etc/keystone/sso_callback_template.html"
+ state: absent
+ when:
+ - keystone_idp == {}
+ notify:
+ - Restart Keystone APIs
+ - Restart service
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 0c2f37e9..98163a8c 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -110,7 +110,7 @@ provider = {{ keystone_token_provider }}
 driver = {{ keystone_token_driver }}
 {% endif %}
-{% if keystone_idp is defined and keystone_idp != {} %}
+{% if keystone_idp != {} %}
 [saml]
 certfile = "{{ keystone_idp.certfile }}"
 keyfile = "{{ keystone_idp.keyfile }}"
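Review bot: The new `when` on "Copy Keystone Federation SP SSO callback template" in tasks/keystone_post_install.yml tests `keystone_idp != {}`, although the task name and the commit message both call the file the SP callback template and the SP tasks in keystone_install_yum.yml are gated on `keystone_sp`. Where the template is referenced is not visible in this patch, but if it is consumed by the service-provider (WebSSO) configuration, an SP-only deployment would have the file deleted by the clean-up task while an IdP-only one would receive a file it never reads. In that case the two conditions should read `- keystone_sp != {}` and `- keystone_sp == {}`. If the IdP switch really is intended, a comment above the `when` such as `# the callback template is only referenced when keystone_idp is configured` would keep a later reader from changing it.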