From a53f012fa1c0724ee4d532e782e6b2fe88ef8fa8 Mon Sep 17 00:00:00 2001 From: Guang Yee Date: Mon, 1 Oct 2018 15:30:16 -0700 Subject: [PATCH] support WEBSSO_KEYSTONE_URL Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO deployments where network segmentation is used per security requirement. In this case, the controllers are not reachable from public network. Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint. If WEBSSO_KEYSTONE_URL is set, it will be used instead of OPENSTACK_KEYSTONE_URL. Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a Closes-bug: #1544703 --- doc/source/configuration/settings.rst | 14 +++++++++++++ openstack_auth/tests/unit/test_auth.py | 20 +++++++++++++++++++ openstack_auth/utils.py | 3 ++- openstack_auth/views.py | 3 ++- .../local/local_settings.py.example | 8 ++++++++ ...-websso_keystone_url-f663bbf40a5855c9.yaml | 8 ++++++++ 6 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/support-websso_keystone_url-f663bbf40a5855c9.yaml diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 1a844f1cb1..61cc0f7429 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst @@ -1565,6 +1565,20 @@ Default: ``None`` Allows to specify a callback to the IdP to cleanup the SSO resources. Once the user logs out it will redirect to the IdP log out method. +WEBSSO_KEYSTONE_URL +----------------------- + +.. versionadded:: 15.0.0(Stein) + +Default: None + +The full auth URL for the Keystone endpoint used for web single-sign-on +authentication. Use this when ``OPENSTACK_KEYSTONE_URL`` is set to an internal +Keystone endpoint and is not reachable from the external network where the +identity provider lives. This URL will take precedence over +``OPENSTACK_KEYSTONE_URL`` if the login choice is an external +identity provider (IdP). + Neutron ------- diff --git a/openstack_auth/tests/unit/test_auth.py b/openstack_auth/tests/unit/test_auth.py index b2f0179f1c..119464d9fc 100644 --- a/openstack_auth/tests/unit/test_auth.py +++ b/openstack_auth/tests/unit/test_auth.py @@ -16,6 +16,7 @@ import uuid from django.conf import settings from django.contrib import auth from django import test +from django.test.utils import override_settings from django.urls import reverse from keystoneauth1 import exceptions as keystone_exceptions from keystoneauth1.identity import v2 as v2_auth @@ -1195,6 +1196,25 @@ class OpenStackAuthTestsWebSSO(OpenStackAuthTestsMixin, self.assertRedirects(response, redirect_url, status_code=302, target_status_code=404) + @override_settings(WEBSSO_KEYSTONE_URL='http://keystone-public:5000/v3') + def test_websso_redirect_using_websso_keystone_url(self): + origin = 'http://testserver/auth/websso/' + protocol = 'oidc' + redirect_url = ('%s/auth/OS-FEDERATION/identity_providers/%s' + '/protocols/%s/websso?origin=%s' % + (settings.WEBSSO_KEYSTONE_URL, self.idp_id, + protocol, origin)) + + form_data = {'auth_type': self.idp_oidc_id, + 'region': settings.OPENSTACK_KEYSTONE_URL} + url = reverse('login') + + # POST to the page and redirect to keystone. + response = self.client.post(url, form_data) + # verify that the request was sent back to WEBSSO_KEYSTONE_URL + self.assertRedirects(response, redirect_url, status_code=302, + target_status_code=404) + def test_websso_login(self): projects = [self.data.project_one, self.data.project_two] domains = [] diff --git a/openstack_auth/utils.py b/openstack_auth/utils.py index c08cdea3a4..70ccfdd5ec 100644 --- a/openstack_auth/utils.py +++ b/openstack_auth/utils.py @@ -191,7 +191,8 @@ def get_websso_url(request, auth_url, websso_auth): :param request: Django http request object. :type request: django.http.HttpRequest :param auth_url: Keystone endpoint configured in the horizon setting. - The value is derived from: + If WEBSSO_KEYSTONE_URL is defined, its value will be + used. Otherwise, the value is derived from: - OPENSTACK_KEYSTONE_URL - AVAILABLE_REGIONS :type auth_url: string diff --git a/openstack_auth/views.py b/openstack_auth/views.py index 62ed7028cb..bac06edf82 100644 --- a/openstack_auth/views.py +++ b/openstack_auth/views.py @@ -71,7 +71,8 @@ def login(request, template_name=None, extra_context=None, **kwargs): if request.method == 'POST': auth_type = request.POST.get('auth_type', 'credentials') if utils.is_websso_enabled() and auth_type != 'credentials': - auth_url = request.POST.get('region') + auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL', + request.POST.get('region')) url = utils.get_websso_url(request, auth_url, auth_type) return shortcuts.redirect(url) diff --git a/openstack_dashboard/local/local_settings.py.example b/openstack_dashboard/local/local_settings.py.example index 9ac3bcdbd2..ba36ff1b95 100644 --- a/openstack_dashboard/local/local_settings.py.example +++ b/openstack_dashboard/local/local_settings.py.example @@ -247,6 +247,14 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" # variable. #WEBSSO_DEFAULT_REDIRECT_LOGOUT = None +# If set this URL will be used for web single-sign-on authentication +# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment +# scenarios where network segmentation is used per security requirement. +# In this case, the controllers are not reachable from public network. +# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL +# if it is set to the internal endpoint. +#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" + # The Keystone Provider drop down uses Keystone to Keystone federation # to switch between Keystone service providers. # Set display name for Identity Provider (dropdown display name) diff --git a/releasenotes/notes/support-websso_keystone_url-f663bbf40a5855c9.yaml b/releasenotes/notes/support-websso_keystone_url-f663bbf40a5855c9.yaml new file mode 100644 index 0000000000..15e01369c2 --- /dev/null +++ b/releasenotes/notes/support-websso_keystone_url-f663bbf40a5855c9.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + [:bug:`1544703`] Add a new optional WEBSSO_KEYSTONE_URL property to + facilitate WEBSSO deployments where network segmentation is used per + security requirement. In this case, the controllers are not reachable + from public network. Therefore, user's browser will not be able to access + OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint.