OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

225 lines
8.4 KiB

# Copyright 2016 Massachusetts Open Cloud
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
DOMAIN_NAME=${DOMAIN_NAME:-federated_domain}
PROJECT_NAME=${PROJECT_NAME:-federated_project}
GROUP_NAME=${GROUP_NAME:-federated_users}
IDP_ID=${IDP_ID:-samltest}
IDP_USERNAME=${IDP_USERNAME:-morty}
IDP_PASSWORD=${IDP_PASSWORD:-panic}
IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://samltest.id/saml/idp}
IDP_ECP_URL=${IDP_ECP_URL:-https://samltest.id/idp/profile/SAML2/SOAP/ECP}
IDP_METADATA_URL=${IDP_METADATA_URL:-https://samltest.id/saml/idp}
KEYSTONE_IDP_METADATA_URL=${KEYSTONE_IDP_METADATA_URL:-"http://$HOST_IP/identity/v3/OS-FEDERATION/saml2/metadata"}
MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-uid}
MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
PROTOCOL_ID=${PROTOCOL_ID:-mapped}
# File paths
FEDERATION_FILES="$KEYSTONE_PLUGIN/files/federation"
SHIBBOLETH_XML="/etc/shibboleth/shibboleth2.xml"
ATTRIBUTE_MAP="/etc/shibboleth/attribute-map.xml"
function configure_apache {
if [[ "$WSGI_MODE" == "uwsgi" ]]; then
local keystone_apache_conf=$(apache_site_config_for keystone-wsgi-public)
echo "ProxyPass /Shibboleth.sso !" | sudo tee -a $keystone_apache_conf
else
local keystone_apache_conf=$(apache_site_config_for keystone)
# Add WSGIScriptAlias directive to vhost configuration for port 5000
sudo sed -i -e "
/<VirtualHost \*:5000>/r $KEYSTONE_PLUGIN/files/federation/shib_apache_alias.txt
" $keystone_apache_conf
fi
# Append to the keystone.conf vhost file a <Location> directive for the Shibboleth module
# and a <Location> directive for the identity provider
cat $KEYSTONE_PLUGIN/files/federation/shib_apache_handler.txt | sudo tee -a $keystone_apache_conf
sudo sed -i -e "s|%IDP_ID%|$IDP_ID|g;" $keystone_apache_conf
restart_apache_server
}
function configure_shibboleth {
# Copy a templated /etc/shibboleth/shibboleth2.xml file...
sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
# ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
sudo sed -i -e "
s|%HOST_IP%|$HOST_IP|g;
s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
s|%KEYSTONE_METADATA_URL%|$KEYSTONE_IDP_METADATA_URL|g;
" $SHIBBOLETH_XML
sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
restart_service shibd
}
function install_federation {
if is_ubuntu; then
install_package libapache2-mod-shib2 xmlsec1
# Create a new keypair for Shibboleth
sudo shib-keygen -f
# Enable the Shibboleth module for Apache
sudo a2enmod shib2
elif is_fedora; then
# NOTE(knikolla): For CentOS/RHEL, installing shibboleth is tricky
# It requires adding a separate repo not officially supported
# Add Shibboleth repository with curl
curl https://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo \
| sudo tee /etc/yum.repos.d/shibboleth.repo >/dev/null
# Install Shibboleth
install_package shibboleth xmlsec1-openssl
# Create a new keypair for Shibboleth
sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth
# Start Shibboleth module
start_service shibd
elif is_suse; then
# Install Shibboleth
install_package shibboleth-sp
# Install xmlsec dependency needed only for opensuse
install_package libxmlsec1-openssl1
# Create a new keypair for Shibboleth
sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth
# Start Shibboleth module
start_service shibd
else
echo "Skipping installation of shibboleth for non ubuntu nor fedora nor suse host"
fi
pip_install pysaml2
# xmlsec1 needed for k2k
install_package xmlsec1
}
function upload_sp_metadata_to_samltest {
local metadata_fname=${HOST_IP//./}_"$RANDOM"_sp
local metadata_url=http://$HOST_IP/Shibboleth.sso/Metadata
wget $metadata_url -O $FILES/$metadata_fname
if [[ $? -ne 0 ]]; then
echo "Not found: $metadata_url"
return
fi
curl --form userfile=@"$FILES/${metadata_fname}" --form "submit=OK" "https://samltest.id/upload.php"
}
function configure_federation {
# Specify the header that contains information about the identity provider
iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider"
# Configure certificates and keys for Keystone as an IdP
if is_service_enabled tls-proxy; then
iniset $KEYSTONE_CONF saml certfile "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
iniset $KEYSTONE_CONF saml keyfile "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
else
openssl genrsa -out /etc/keystone/ca.key 4096
openssl req -new -x509 -days 1826 -key /etc/keystone/ca.key -out /etc/keystone/ca.crt \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
iniset $KEYSTONE_CONF saml certfile "/etc/keystone/ca.crt"
iniset $KEYSTONE_CONF saml keyfile "/etc/keystone/ca.key"
fi
iniset $KEYSTONE_CONF saml idp_entity_id "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/idp"
iniset $KEYSTONE_CONF saml idp_sso_endpoint "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/sso"
iniset $KEYSTONE_CONF saml idp_metadata_path "/etc/keystone/keystone_idp_metadata.xml"
if [[ "$WSGI_MODE" == "uwsgi" ]]; then
restart_service "devstack@keystone"
fi
keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml
configure_shibboleth
configure_apache
# TODO(knikolla): We should not be relying on an external service. This
# will be removed once we have an idp deployed during devstack install.
if [[ "$IDP_ID" == "samltest" ]]; then
upload_sp_metadata_to_samltest
fi
}
function register_federation {
local federated_domain=$(get_or_create_domain $DOMAIN_NAME)
local federated_project=$(get_or_create_project $PROJECT_NAME $DOMAIN_NAME)
local federated_users=$(get_or_create_group $GROUP_NAME $DOMAIN_NAME)
local member_role=$(get_or_create_role Member)
openstack role add --group $federated_users --domain $federated_domain $member_role
openstack role add --group $federated_users --project $federated_project $member_role
}
function configure_tests_settings {
# Enable the mapped auth method in /etc/keystone.conf
iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
# Here we set any settings that might be need by the fed_scenario set of tests
iniset $TEMPEST_CONFIG identity-feature-enabled federation True
# If not using samltest as an external IdP, tell tempest not to test that scenario
if [[ "$IDP_ID" != "samltest" ]] ; then
iniset $TEMPEST_CONFIG identity-feature-enabled external_idp false
fi
# Identity provider settings
iniset $TEMPEST_CONFIG fed_scenario idp_id $IDP_ID
iniset $TEMPEST_CONFIG fed_scenario idp_remote_ids $IDP_REMOTE_ID
iniset $TEMPEST_CONFIG fed_scenario idp_username $IDP_USERNAME
iniset $TEMPEST_CONFIG fed_scenario idp_password $IDP_PASSWORD
iniset $TEMPEST_CONFIG fed_scenario idp_ecp_url $IDP_ECP_URL
# Mapping rules settings
iniset $TEMPEST_CONFIG fed_scenario mapping_remote_type $MAPPING_REMOTE_TYPE
iniset $TEMPEST_CONFIG fed_scenario mapping_user_name $MAPPING_USER_NAME
iniset $TEMPEST_CONFIG fed_scenario mapping_group_name $GROUP_NAME
iniset $TEMPEST_CONFIG fed_scenario mapping_group_domain_name $DOMAIN_NAME
# Protocol settings
iniset $TEMPEST_CONFIG fed_scenario protocol_id $PROTOCOL_ID
}
function uninstall_federation {
if is_ubuntu; then
uninstall_package libapache2-mod-shib2
elif is_fedora; then
uninstall_package shibboleth
# Remove Shibboleth repository
sudo rm /etc/yum.repos.d/shibboleth.repo
elif is_suse; then
unistall_package shibboleth-sp
else
echo "Skipping uninstallation of shibboleth for non ubuntu nor fedora nor suse host"
fi
}