From 3030cba7e5fb2af2394fddf6c9ac0d565278485b Mon Sep 17 00:00:00 2001
From: Andy McCrae
Date: Mon, 25 Nov 2013 14:21:37 +0000
Subject: [PATCH] Allow nss db files to be created for keystone integration
---
 attributes/radosgw.rb | 1 +
 recipes/radosgw.rb | 31 +++++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/attributes/radosgw.rb b/attributes/radosgw.rb
index 6bc5278..03a6f8b 100644
--- a/attributes/radosgw.rb
+++ b/attributes/radosgw.rb
@@ -21,6 +21,7 @@
 default["ceph"]["radosgw"]["rgw_addr"] = "*:80"
 default["ceph"]["radosgw"]["rgw_port"] = false
 default["ceph"]["radosgw"]["webserver_companion"] = "apache2" #can be false
+default["ceph"]["radosgw"]["process_owner"] = node['apache']['user']
 default['ceph']["radosgw"]['use_apache_fork'] = true
 case node['platform']
 when 'ubuntu'
diff --git a/recipes/radosgw.rb b/recipes/radosgw.rb
index e438caa..0d20e7f 100644
--- a/recipes/radosgw.rb
+++ b/recipes/radosgw.rb
@@ -20,7 +20,7 @@
 case node['platform_family']
 when "debian"
 packages = %w{
- radosgw
+ radosgw libnss3-tools
 }
 if node['ceph']['install_debug']
@@ -31,7 +31,7 @@
 end
 when "rhel","fedora","suse"
 packages = %w{
- ceph-radosgw
+ ceph-radosgw nss-tools
 }
 end
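Review bot: In attributes/radosgw.rb the new `process_owner` default reads `node['apache']['user']` unconditionally, although the line just above it notes that `webserver_companion` can be false. If the apache attributes are not loaded on such a node, `node['apache']` is presumably nil and this line would raise while attributes are loaded; a guard such as `node['apache'] ? node['apache']['user'] : "<fallback user>"` (fallback left as a placeholder to choose) would avoid that. Since recipes/radosgw.rb uses this value as the owner of the NSS database files, a comment saying so would be worth adding, for example `# owner of the NSS cert/key db files; must match the user radosgw runs as`.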
@@ -43,6 +43,33 @@
 include_recipe "ceph::conf"
+if !(node["ceph"]["radosgw"]["keystone_ca"].nil? || node["ceph"]["radosgw"]["keystone_signing"].nil? || node["ceph"]["config"]["rgw"]["nss db path"].nil?)
+ directory "#{node['ceph']['config']['rgw']['nss db path']}" do
+ owner "root"
+ group "root"
+ mode 0755
+ recursive true
+ action :create
+ end
+ unless (File.exists?("#{node['ceph']['config']['rgw']['nss db path']}/cert8.db") && File.exists?("#{node['ceph']['config']['rgw']['nss db path']}/key3.db") && File.exists?("#{node['ceph']['config']['rgw']['nss db path']}/secmod.db"))
+ execute "keystone-ca certutil" do
+ command "openssl x509 -in #{node['ceph']['radosgw']['keystone_ca']} -pubkey | certutil -d #{node['ceph']['config']['rgw']['nss db path']} -A -n ca -t 'TCu,Cu,Tuw'"
+ end
+ execute "keystone-signing certutil" do
+ command "openssl x509 -in #{node['ceph']['radosgw']['keystone_signing']} -pubkey | certutil -A -d #{node['ceph']['config']['rgw']['nss db path']} -n signing_cert -t 'P,P,P'"
+ end
+ end
+ file "#{node['ceph']['config']['rgw']['nss db path']}/cert8.db" do
+ owner node['ceph']['radosgw']['process_owner']
+ end
+ file "#{node['ceph']['config']['rgw']['nss db path']}/key3.db" do
+ owner node['ceph']['radosgw']['process_owner']
+ end
+ file "#{node['ceph']['config']['rgw']['nss db path']}/secmod.db" do
+ owner node['ceph']['radosgw']['process_owner']
+ end
+end
+
 unless File.exists?("/var/lib/ceph/radosgw/ceph-radosgw.#{node['hostname']}/done")
 if node["ceph"]["radosgw"]["webserver_companion"]
 include_recipe "ceph::radosgw_#{node["ceph"]["radosgw"]["webserver_companion"]}"
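Review bot: The `unless (File.exists?(...) && ...)` wrapper around the two `execute` resources only checks that the three db files exist, and it is plain Ruby evaluated when the recipe is compiled rather than a resource guard. If the `keystone-ca` import succeeds and the `keystone-signing` import fails, later runs see the files and never import the signing certificate. A per-resource `not_if` that asks the database for the nickname lets each import converge on its own. The attribute values are also interpolated unquoted into a shell command, so a path containing spaces or shell metacharacters changes what gets executed; the sketch below single-quotes them, which covers spaces but not values that themselves contain a quote. Separately, the three `file` resources set only `owner`, so an explicit `mode` on the db files would pin their permissions instead of relying on whatever certutil created.

```ruby
nss_db = node['ceph']['config']['rgw']['nss db path']
# … unchanged: directory resource for the nss db path …
execute "keystone-ca certutil" do
  command "openssl x509 -in '#{node['ceph']['radosgw']['keystone_ca']}' -pubkey | certutil -d '#{nss_db}' -A -n ca -t 'TCu,Cu,Tuw'"
  not_if "certutil -L -d '#{nss_db}' -n ca"
end
execute "keystone-signing certutil" do
  command "openssl x509 -in '#{node['ceph']['radosgw']['keystone_signing']}' -pubkey | certutil -A -d '#{nss_db}' -n signing_cert -t 'P,P,P'"
  not_if "certutil -L -d '#{nss_db}' -n signing_cert"
end
# … unchanged: file resources setting the owner of the three db files …
```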