support WEBSSO_KEYSTONE_URL

Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO deployments where network segmentation is used per security requirement. In this case, the controllers are not reachable from public network. Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint. If WEBSSO_KEYSTONE_URL is set, it will be used instead of OPENSTACK_KEYSTONE_URL. Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a Closes-bug: #1544703
2018-10-01 15:30:16 -07:00 · 2018-10-01 15:30:16 -07:00 · a53f012fa1
commit a53f012fa1
parent 9d7620f76f
6 changed files with 54 additions and 2 deletions
--- a/doc/source/configuration/settings.rst
+++ b/doc/source/configuration/settings.rst
@ -1565,6 +1565,20 @@ Default: ``None``
 Allows to specify a callback to the IdP to cleanup the SSO resources.
 Once the user logs out it will redirect to the IdP log out method.

+WEBSSO_KEYSTONE_URL
+-----------------------
+
+.. versionadded:: 15.0.0(Stein)
+
+Default: None
+
+The full auth URL for the Keystone endpoint used for web single-sign-on
+authentication. Use this when ``OPENSTACK_KEYSTONE_URL`` is set to an internal
+Keystone endpoint and is not reachable from the external network where the
+identity provider lives. This URL will take precedence over
+``OPENSTACK_KEYSTONE_URL`` if the login choice is an external
+identity provider (IdP).
+
 Neutron
 -------

--- a/openstack_auth/tests/unit/test_auth.py
+++ b/openstack_auth/tests/unit/test_auth.py
@ -16,6 +16,7 @@ import uuid
 from django.conf import settings
 from django.contrib import auth
 from django import test
+from django.test.utils import override_settings
 from django.urls import reverse
 from keystoneauth1 import exceptions as keystone_exceptions
 from keystoneauth1.identity import v2 as v2_auth
@ -1195,6 +1196,25 @@ class OpenStackAuthTestsWebSSO(OpenStackAuthTestsMixin,
        self.assertRedirects(response, redirect_url, status_code=302,
                             target_status_code=404)

+    @override_settings(WEBSSO_KEYSTONE_URL='http://keystone-public:5000/v3')
+    def test_websso_redirect_using_websso_keystone_url(self):
+        origin = 'http://testserver/auth/websso/'
+        protocol = 'oidc'
+        redirect_url = ('%s/auth/OS-FEDERATION/identity_providers/%s'
+                        '/protocols/%s/websso?origin=%s' %
+                        (settings.WEBSSO_KEYSTONE_URL, self.idp_id,
+                         protocol, origin))
+
+        form_data = {'auth_type': self.idp_oidc_id,
+                     'region': settings.OPENSTACK_KEYSTONE_URL}
+        url = reverse('login')
+
+        # POST to the page and redirect to keystone.
+        response = self.client.post(url, form_data)
+        # verify that the request was sent back to WEBSSO_KEYSTONE_URL
+        self.assertRedirects(response, redirect_url, status_code=302,
+                             target_status_code=404)
+
    def test_websso_login(self):
        projects = [self.data.project_one, self.data.project_two]
        domains = []
--- a/openstack_auth/utils.py
+++ b/openstack_auth/utils.py
@ -191,7 +191,8 @@ def get_websso_url(request, auth_url, websso_auth):
    :param request: Django http request object.
    :type request: django.http.HttpRequest
    :param auth_url: Keystone endpoint configured in the horizon setting.
-                     The value is derived from:
+                     If WEBSSO_KEYSTONE_URL is defined, its value will be
+                     used. Otherwise, the value is derived from:
                     - OPENSTACK_KEYSTONE_URL
                     - AVAILABLE_REGIONS
    :type auth_url: string
--- a/openstack_auth/views.py
+++ b/openstack_auth/views.py
@ -71,7 +71,8 @@ def login(request, template_name=None, extra_context=None, **kwargs):
    if request.method == 'POST':
        auth_type = request.POST.get('auth_type', 'credentials')
        if utils.is_websso_enabled() and auth_type != 'credentials':
-            auth_url = request.POST.get('region')
+            auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL',
+                               request.POST.get('region'))
            url = utils.get_websso_url(request, auth_url, auth_type)
            return shortcuts.redirect(url)

--- a/openstack_dashboard/local/local_settings.py.example
+++ b/openstack_dashboard/local/local_settings.py.example
@ -247,6 +247,14 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 # variable.
 #WEBSSO_DEFAULT_REDIRECT_LOGOUT = None

+# If set this URL will be used for web single-sign-on authentication
+# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
+# scenarios where network segmentation is used per security requirement.
+# In this case, the controllers are not reachable from public network.
+# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
+# if it is set to the internal endpoint.
+#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
+
 # The Keystone Provider drop down uses Keystone to Keystone federation
 # to switch between Keystone service providers.
 # Set display name for Identity Provider (dropdown display name)
--- a/releasenotes/notes/support-websso_keystone_url-f663bbf40a5855c9.yaml
+++ b/releasenotes/notes/support-websso_keystone_url-f663bbf40a5855c9.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [:bug:`1544703`] Add a new optional WEBSSO_KEYSTONE_URL property to
+    facilitate WEBSSO deployments where network segmentation is used per
+    security requirement. In this case, the controllers are not reachable
+    from public network. Therefore, user's browser will not be able to access
+    OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint.