Use AuthMethod context

Rather than use hard coded auth methods, use the protocal named passed over the keystone-fid-service-provider relation. Also, when using federation do not allow the "external" method as they are mutually exclusive. Change-Id: I08f0632630d7f0e8d2d7ddb057e02f9febf9ad6f Closes-Bug: #1828015 Closes-Bug: #1828018
2019-05-15 14:53:48 -07:00 · 2019-05-15 14:53:48 -07:00 · a103c15e40
parent 275029da51
commit a103c15e40
5 changed files with 28 additions and 4 deletions
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@ -343,3 +343,26 @@ class WebSSOTrustedDashboardContext(context.OSContextGenerator):
        ctxt = ({'trusted_dashboards': trusted_dashboards}
                if trusted_dashboards else {})
        return ctxt
+
+
+class AuthMethods(context.OSContextGenerator):
+
+    auth_methods = ["external", "password", "token", "oauth1",
+                    "openid", "totp", "application_credential"]
+
+    def __call__(self):
+
+        _external = "external"
+        _protocol_name = ""
+        for rid in relation_ids("keystone-fid-service-provider"):
+            for unit in related_units(rid):
+                rdata = relation_get(unit=unit, rid=rid)
+                _protocol_name = rdata.get('protocol-name').strip('"')
+                if _protocol_name and _protocol_name not in self.auth_methods:
+                    self.auth_methods.append(_protocol_name)
+                    # We are federated so remove the external method
+                    if _external in self.auth_methods:
+                        self.auth_methods.remove(_external)
+
+        ctxt = {"auth_methods": ",".join(self.auth_methods)}
+        return ctxt
--- a/hooks/keystone_utils.py
+++ b/hooks/keystone_utils.py
@ -239,7 +239,8 @@ BASE_RESOURCE_MAP = OrderedDict([
                         interface=['keystone-middleware'],
                         service='keystone',
                         config_file=KEYSTONE_CONF),
-                     keystone_context.MiddlewareContext()]
+                     keystone_context.MiddlewareContext(),
+                     keystone_context.AuthMethods()]
    }),
    (KEYSTONE_LOGGER_CONF, {
        'contexts': [keystone_context.KeystoneLoggingContext()],
--- a/templates/ocata/keystone.conf
+++ b/templates/ocata/keystone.conf
@ -128,4 +128,4 @@ admin_project_name = admin
 {% include "section-oslo-middleware" %}
 # This goes in the section above, selectively
 # Bug #1819134
-max_request_body_size = 114688
+max_request_body_size = 114688
--- a/templates/queens/keystone.conf
+++ b/templates/queens/keystone.conf
@ -73,7 +73,7 @@ driver = {{ assignment_backend }}
 {% include "parts/section-middleware" %}
 {% else %}
 [auth]
-methods = external,password,token,oauth1,mapped,openid,totp,application_credential
+methods = {{ auth_methods }}
 password = keystone.auth.plugins.password.Password
 token = keystone.auth.plugins.token.Token
 oauth1 = keystone.auth.plugins.oauth1.OAuth
--- a/templates/rocky/keystone.conf
+++ b/templates/rocky/keystone.conf
@ -58,7 +58,7 @@ driver = sql
 driver = {{ assignment_backend }}

 [auth]
-methods = external,password,token,oauth1,mapped,openid,totp,application_credential
+methods = {{ auth_methods }}

 [paste_deploy]
 config_file = {{ paste_config_file }}