WIP

2019-03-26 17:43:09 +00:00 · 2019-03-26 17:43:09 +00:00 · 403fa91549
commit 403fa91549
parent b8dfc25ae5
4 changed files with 23 additions and 57 deletions
--- a/src/README.md
+++ b/src/README.md
@ -47,6 +47,7 @@ In a bundle:
          idp-name: 'samltest'
          protocol-name: 'mapped'
          user-facing-name: "samltest.id'
+          nameid-formats="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        resources:
          idp-metadata: "./idp-metadata.xml"
          sp-signing-keyinfo: "./sp-keyinfo.xml"
--- a/src/lib/charm/openstack/keystone_saml_mellon.py
+++ b/src/lib/charm/openstack/keystone_saml_mellon.py
@ -54,7 +54,6 @@ class KeystoneSAMLMellonConfigurationAdapter(
        self._sp_private_key = None
        self._sp_signing_keyinfo = None
        self._validation_errors = {}
-        self._fid_data = self.get_fid_data()

    @property
    def validation_errors(self):
@ -83,31 +82,6 @@ class KeystoneSAMLMellonConfigurationAdapter(
    def sp_location_config(self):
        return SP_LOCATION_CONFIG

-    def get_fid_data(self):
-        fid_sp = endpoint_from_flag(KEYSTONE_FID_ENDPOINT)
-        if fid_sp:
-            return fid_sp.all_joined_units.received
-        else:
-            return {}
-
-    @property
-    def keystone_host(self):
-        return self.get_fid_data().get("hostname")
-
-    @property
-    def keystone_port(self):
-        return self.get_fid_data().get("port")
-
-    @property
-    def tls_enabled(self):
-        return self.get_fid_data().get("tls-enabled")
-
-    @property
-    def keystone_base_url(self):
-        scheme = 'https' if self.tls_enabled else 'http'
-        return ('{}://{}:{}'.format(scheme, self.keystone_host,
-                                    self.keystone_port))
-
    @property
    def sp_idp_path(self):
        return ('/v3/OS-FEDERATION/identity_providers/{}'
@ -147,21 +121,6 @@ class KeystoneSAMLMellonConfigurationAdapter(
    def sp_logout_path(self):
        return '{}/logout'.format(self.mellon_endpoint_path)

-    @property
-    def sp_auth_url(self):
-        return '{}{}'.format(self.keystone_base_url,
-                             self.sp_auth_path)
-
-    @property
-    def sp_logout_url(self):
-        return '{}{}'.format(self.keystone_base_url,
-                             self.sp_logout_path)
-
-    @property
-    def sp_post_response_url(self):
-        return '{}{}'.format(self.keystone_base_url,
-                             self.sp_post_response_path)
-
    @property
    def mellon_subject_confirmation_data_address_check(self):
        return ('On' if self.subject_confirmation_data_address_check
@ -310,7 +269,7 @@ class KeystoneSAMLMellonCharm(charms_openstack.charm.OpenStackCharm):
        # Nothing to report
        return None, None

-    def render_config(self):
+    def render_config(self, *args):
        """
        Render Service Provider configuration file to be used by Apache
        and provided to idP out of band to establish mutual trust.
@ -327,14 +286,23 @@ class KeystoneSAMLMellonCharm(charms_openstack.charm.OpenStackCharm):
        # ensure that a directory we need is there
        ch_host.mkdir('/etc/apache2/mellon', perms=dperms, owner=owner,
                      group=group)
+        _template_map = {
+            os.path.basename(self.options.sp_metadata_file): 'mellon-sp-metadata.xml',
+            os.path.basename(self.options.sp_location_config): 'apache-mellon-location.conf',
+        }
+        # idp-metadata.xml and sp-private-key are rendered purely from resources
+        #self.render_with_interfaces(args, template_map=_template_map)
        self.render_configs(self.string_templates.keys())

+        # For now the template name does not match the basename(file_name)
+        # So not using self.render_with_interfaces(args)
+        # TODO: Make a mapping mechanism between target and source templates
        core.templating.render(
            source='mellon-sp-metadata.xml',
            template_loader=os_templating.get_loader(
                'templates/', self.release),
            target=self.options.sp_metadata_file,
-            context=self.adapters_instance,
+            context=self.adapters_class(args, charm_instance=self),
            owner=owner,
            group=group,
            perms=fileperms
@ -345,7 +313,7 @@ class KeystoneSAMLMellonCharm(charms_openstack.charm.OpenStackCharm):
            template_loader=os_templating.get_loader(
                'templates/', self.release),
            target=self.options.sp_location_config,
-            context=self.adapters_instance,
+            context=self.adapters_class(args, charm_instance=self),
            owner=owner,
            group=group,
            perms=fileperms
--- a/src/reactive/keystone_saml_mellon_handlers.py
+++ b/src/reactive/keystone_saml_mellon_handlers.py
@ -40,30 +40,27 @@ def keystone_departed():


@reactive.when('keystone-fid-service-provider.connected')
-def publish_sp_fid():
+def publish_sp_fid(fid_sp):
    # don't always have a relation context - obtain from the flag
-    fid_sp = endpoint_from_flag(
-        keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
+    #fid_sp = endpoint_from_flag(
+    #    keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
    with charm.provide_charm_instance() as charm_instance:
        fid_sp.publish(charm_instance.options.protocol_name,
                       charm_instance.options.remote_id_attribute)


@reactive.when('keystone-fid-service-provider.available')
-def render_config():
+def render_config(fid_sp):
    # don't always have a relation context - obtain from the flag
-    fid_sp = endpoint_from_flag(
-        keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
+    #fid_sp = endpoint_from_flag(
+    #    keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
    with charm.provide_charm_instance() as charm_instance:
        if charm_instance.configuration_complete():
-            print("COMPLETE")
-            charm_instance.render_config()
+            charm_instance.render_config(fid_sp)
            # Trigger keystone restart. The relation is container-scoped
            # so a per-unit db of a remote unit will only contain a nonce
            # of a single subordinate
-            print("CHECK_anyfile")
            if reactive.any_file_changed(keystone_saml_mellon.CONFIGS):
-                print("TRUE_anyfile")
                fid_sp.request_restart()


--- a/src/templates/mellon-sp-metadata.xml
+++ b/src/templates/mellon-sp-metadata.xml
@ -1,5 +1,5 @@
 <EntityDescriptor
-	entityID="{{ options.sp_auth_url }}"
+	entityID="{{ keystone_fid_service_provider.base_url }}{{ options.sp_auth_path }}"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 	<SPSSODescriptor
@ -14,10 +14,10 @@
 			{{ options.sp_signing_keyinfo }}
 		</KeyDescriptor>
 		{% endif %}
-		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ options.sp_logout_url }}"/>
+		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_logout_path }}"/>
 		{% for format in options.supported_nameid_formats -%}
 		<NameIDFormat>{{ format }}</NameIDFormat>
 		{% endfor -%}
-		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ options.sp_post_response_url }}" isDefault="true" index="0"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_post_response_path }}" isDefault="true" index="0"/>
 	</SPSSODescriptor>
 </EntityDescriptor>