Add "idp-metadata-auto-update" option

Add option to allow auto-updating the IDP metadata from a URL. Auto update occurs on every "update-status" hook. Change-Id: I65b20e52835497a3fe57571794f332b2b4327fba Signed-off-by: Yanos Angelopoulos <yanos@admin.grnet.gr>
2019-10-23 17:45:07 +03:00 · 2019-10-23 17:45:07 +03:00 · 990b708dea
parent 0947cb7f86
commit 990b708dea
2 changed files with 33 additions and 12 deletions
--- a/src/config.yaml
+++ b/src/config.yaml
@ -62,3 +62,11 @@ options:
    description: |
      Indicates a requirement for the <saml:Assertion> elements received
      by this service provider to be signed.
+  idp-metadata-auto-update:
+    type: string
+    default:
+    description: |
+      If set to anything other than "" then a URL is expected in which the
+      IDP XML metadata are being served. Also, if set then the "idp-metadata"
+      resource will be ignored. Auto update will occur on every "update-status"
+      hook.
--- a/src/lib/charm/openstack/keystone_saml_mellon.py
+++ b/src/lib/charm/openstack/keystone_saml_mellon.py
@ -29,6 +29,11 @@ from lxml import etree
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization

+try:
+    import urllib.request as urllib2
+except ImportError:
+    import urllib2
+
 CONFIGS = (IDP_METADATA, SP_METADATA, SP_PRIVATE_KEY,
           SP_LOCATION_CONFIG,) = [
               os.path.join('/etc/apache2/mellon',
@ -129,18 +134,26 @@ class KeystoneSAMLMellonConfigurationAdapter(

    @property
    def idp_metadata(self):
-        idp_metadata_path = hookenv.resource_get('idp-metadata')
-        if os.path.exists(idp_metadata_path) and not self._idp_metadata:
-            with open(idp_metadata_path) as f:
-                content = f.read()
-                try:
-                    etree.fromstring(content.encode())
-                    self._idp_metadata = content
-                    self._validation_errors['idp-metadata'] = None
-                except etree.XMLSyntaxError:
-                    self._idp_metadata = ''
-                    self._validation_errors['idp-metadata'] = (
-                        self.IDP_METADATA_INVALID)
+        if self.idp_metadata_auto_update is None:
+            idp_metadata_path = hookenv.resource_get('idp-metadata')
+            if os.path.exists(idp_metadata_path) and not self._idp_metadata:
+                with open(idp_metadata_path, 'r', encoding='utf-8') as f:
+                    content = f.read()
+        else:
+            # Get metadata from URL in "self.idp_metadata_auto_update"
+            response = urllib2.urlopen(self.idp_metadata_auto_update)
+            encoded_content = response.read()
+            content = encoded_content.decode("utf-8")
+
+        try:
+            etree.fromstring(content.encode())
+            self._idp_metadata = content
+            self._validation_errors['idp-metadata'] = None
+        except etree.XMLSyntaxError:
+            self._idp_metadata = ''
+            self._validation_errors['idp-metadata'] = (
+                self.IDP_METADATA_INVALID)
+
        return self._idp_metadata

    SP_SIGNING_KEYINFO_INVALID = ('sp-signing-keyinfo resource is not a'