WIP
This commit is contained in:
parent
b8dfc25ae5
commit
403fa91549
@ -47,6 +47,7 @@ In a bundle:
|
||||
idp-name: 'samltest'
|
||||
protocol-name: 'mapped'
|
||||
user-facing-name: "samltest.id'
|
||||
nameid-formats="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
||||
resources:
|
||||
idp-metadata: "./idp-metadata.xml"
|
||||
sp-signing-keyinfo: "./sp-keyinfo.xml"
|
||||
|
@ -54,7 +54,6 @@ class KeystoneSAMLMellonConfigurationAdapter(
|
||||
self._sp_private_key = None
|
||||
self._sp_signing_keyinfo = None
|
||||
self._validation_errors = {}
|
||||
self._fid_data = self.get_fid_data()
|
||||
|
||||
@property
|
||||
def validation_errors(self):
|
||||
@ -83,31 +82,6 @@ class KeystoneSAMLMellonConfigurationAdapter(
|
||||
def sp_location_config(self):
|
||||
return SP_LOCATION_CONFIG
|
||||
|
||||
def get_fid_data(self):
|
||||
fid_sp = endpoint_from_flag(KEYSTONE_FID_ENDPOINT)
|
||||
if fid_sp:
|
||||
return fid_sp.all_joined_units.received
|
||||
else:
|
||||
return {}
|
||||
|
||||
@property
|
||||
def keystone_host(self):
|
||||
return self.get_fid_data().get("hostname")
|
||||
|
||||
@property
|
||||
def keystone_port(self):
|
||||
return self.get_fid_data().get("port")
|
||||
|
||||
@property
|
||||
def tls_enabled(self):
|
||||
return self.get_fid_data().get("tls-enabled")
|
||||
|
||||
@property
|
||||
def keystone_base_url(self):
|
||||
scheme = 'https' if self.tls_enabled else 'http'
|
||||
return ('{}://{}:{}'.format(scheme, self.keystone_host,
|
||||
self.keystone_port))
|
||||
|
||||
@property
|
||||
def sp_idp_path(self):
|
||||
return ('/v3/OS-FEDERATION/identity_providers/{}'
|
||||
@ -147,21 +121,6 @@ class KeystoneSAMLMellonConfigurationAdapter(
|
||||
def sp_logout_path(self):
|
||||
return '{}/logout'.format(self.mellon_endpoint_path)
|
||||
|
||||
@property
|
||||
def sp_auth_url(self):
|
||||
return '{}{}'.format(self.keystone_base_url,
|
||||
self.sp_auth_path)
|
||||
|
||||
@property
|
||||
def sp_logout_url(self):
|
||||
return '{}{}'.format(self.keystone_base_url,
|
||||
self.sp_logout_path)
|
||||
|
||||
@property
|
||||
def sp_post_response_url(self):
|
||||
return '{}{}'.format(self.keystone_base_url,
|
||||
self.sp_post_response_path)
|
||||
|
||||
@property
|
||||
def mellon_subject_confirmation_data_address_check(self):
|
||||
return ('On' if self.subject_confirmation_data_address_check
|
||||
@ -310,7 +269,7 @@ class KeystoneSAMLMellonCharm(charms_openstack.charm.OpenStackCharm):
|
||||
# Nothing to report
|
||||
return None, None
|
||||
|
||||
def render_config(self):
|
||||
def render_config(self, *args):
|
||||
"""
|
||||
Render Service Provider configuration file to be used by Apache
|
||||
and provided to idP out of band to establish mutual trust.
|
||||
@ -327,14 +286,23 @@ class KeystoneSAMLMellonCharm(charms_openstack.charm.OpenStackCharm):
|
||||
# ensure that a directory we need is there
|
||||
ch_host.mkdir('/etc/apache2/mellon', perms=dperms, owner=owner,
|
||||
group=group)
|
||||
_template_map = {
|
||||
os.path.basename(self.options.sp_metadata_file): 'mellon-sp-metadata.xml',
|
||||
os.path.basename(self.options.sp_location_config): 'apache-mellon-location.conf',
|
||||
}
|
||||
# idp-metadata.xml and sp-private-key are rendered purely from resources
|
||||
#self.render_with_interfaces(args, template_map=_template_map)
|
||||
self.render_configs(self.string_templates.keys())
|
||||
|
||||
# For now the template name does not match the basename(file_name)
|
||||
# So not using self.render_with_interfaces(args)
|
||||
# TODO: Make a mapping mechanism between target and source templates
|
||||
core.templating.render(
|
||||
source='mellon-sp-metadata.xml',
|
||||
template_loader=os_templating.get_loader(
|
||||
'templates/', self.release),
|
||||
target=self.options.sp_metadata_file,
|
||||
context=self.adapters_instance,
|
||||
context=self.adapters_class(args, charm_instance=self),
|
||||
owner=owner,
|
||||
group=group,
|
||||
perms=fileperms
|
||||
@ -345,7 +313,7 @@ class KeystoneSAMLMellonCharm(charms_openstack.charm.OpenStackCharm):
|
||||
template_loader=os_templating.get_loader(
|
||||
'templates/', self.release),
|
||||
target=self.options.sp_location_config,
|
||||
context=self.adapters_instance,
|
||||
context=self.adapters_class(args, charm_instance=self),
|
||||
owner=owner,
|
||||
group=group,
|
||||
perms=fileperms
|
||||
|
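Review bot: `_template_map` in render_config is built but never consumed — its only reference is the commented-out `#self.render_with_interfaces(args, template_map=_template_map)` line right below it, so either wire the mapping in or drop both the dict and the dead line before this leaves WIP. The adapter context `self.adapters_class(args, charm_instance=self)` is now constructed separately for each core.templating.render call (here and again in the -345 hunk); building it once, `context = self.adapters_class(args, charm_instance=self)`, before the first render and passing it to both keeps the SP metadata and the Apache location config rendered from the same relation snapshot. The new `*args` on `def render_config(self, *args):` is not documented; the docstring should state that these are the relation endpoints handed in by the reactive handler and forwarded to adapters_class, since the method previously used `self.adapters_instance` for this. render_config starts in the -310 hunk and its body continues past the end of the -345 hunk.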
@ -40,30 +40,27 @@ def keystone_departed():
|
||||
|
||||
|
||||
@reactive.when('keystone-fid-service-provider.connected')
|
||||
def publish_sp_fid():
|
||||
def publish_sp_fid(fid_sp):
|
||||
# don't always have a relation context - obtain from the flag
|
||||
fid_sp = endpoint_from_flag(
|
||||
keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
|
||||
#fid_sp = endpoint_from_flag(
|
||||
# keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
|
||||
with charm.provide_charm_instance() as charm_instance:
|
||||
fid_sp.publish(charm_instance.options.protocol_name,
|
||||
charm_instance.options.remote_id_attribute)
|
||||
|
||||
|
||||
@reactive.when('keystone-fid-service-provider.available')
|
||||
def render_config():
|
||||
def render_config(fid_sp):
|
||||
# don't always have a relation context - obtain from the flag
|
||||
fid_sp = endpoint_from_flag(
|
||||
keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
|
||||
#fid_sp = endpoint_from_flag(
|
||||
# keystone_saml_mellon.KEYSTONE_FID_ENDPOINT)
|
||||
with charm.provide_charm_instance() as charm_instance:
|
||||
if charm_instance.configuration_complete():
|
||||
print("COMPLETE")
|
||||
charm_instance.render_config()
|
||||
charm_instance.render_config(fid_sp)
|
||||
# Trigger keystone restart. The relation is container-scoped
|
||||
# so a per-unit db of a remote unit will only contain a nonce
|
||||
# of a single subordinate
|
||||
print("CHECK_anyfile")
|
||||
if reactive.any_file_changed(keystone_saml_mellon.CONFIGS):
|
||||
print("TRUE_anyfile")
|
||||
fid_sp.request_restart()
|
||||
|
||||
|
||||
|
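Review bot: The `print("COMPLETE")`, `print("CHECK_anyfile")` and `print("TRUE_anyfile")` calls in render_config are debugging output that goes to the hook's stdout rather than the unit log; drop them or route them through the charm's logging facility before this leaves WIP. The comment `# don't always have a relation context - obtain from the flag` in both publish_sp_fid and render_config now describes the removed `endpoint_from_flag` lookup and contradicts the new signatures, which receive `fid_sp` from the reactive framework; remove it along with the commented-out `#fid_sp = endpoint_from_flag(` lines. If a handler still needs to tolerate being invoked without a relation argument, as the old comment implied, that case is no longer handled anywhere in this hunk.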
@ -1,5 +1,5 @@
|
||||
<EntityDescriptor
|
||||
entityID="{{ options.sp_auth_url }}"
|
||||
entityID="{{ keystone_fid_service_provider.base_url }}{{ options.sp_auth_path }}"
|
||||
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
||||
<SPSSODescriptor
|
||||
@ -14,10 +14,10 @@
|
||||
{{ options.sp_signing_keyinfo }}
|
||||
</KeyDescriptor>
|
||||
{% endif %}
|
||||
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ options.sp_logout_url }}"/>
|
||||
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_logout_path }}"/>
|
||||
{% for format in options.supported_nameid_formats -%}
|
||||
<NameIDFormat>{{ format }}</NameIDFormat>
|
||||
{% endfor -%}
|
||||
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ options.sp_post_response_url }}" isDefault="true" index="0"/>
|
||||
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_post_response_path }}" isDefault="true" index="0"/>
|
||||
</SPSSODescriptor>
|
||||
</EntityDescriptor>
|
||||
|
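Review bot: `entityID`, the SingleLogoutService `Location` and the AssertionConsumerService `Location` now interpolate `keystone_fid_service_provider.base_url`, so the template renders correctly only when that relation adapter is present in the context; with Jinja's default Undefined a missing adapter renders as an empty string and the metadata is emitted with path-only URLs that the IdP would register as this SP's endpoints. Render this file only through a context that carries the relation (the adapters_class(args, ...) path), or have the loader use StrictUndefined so the omission fails loudly instead of producing a trust document with wrong endpoints. The same `base_url` expression is repeated three times; a `{% set base_url = keystone_fid_service_provider.base_url %}` near the top of the file would keep the three URLs consistent. The second hunk at -14 carries the same dependency.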