From 40b7fe80312b54274ae6f101ac92147e4fe7aba9 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Wed, 10 Feb 2021 10:35:28 +0900 Subject: [PATCH] Add support for SSO redirect options This change implements support for automatic redirect in SSO, which was implemented during Stein cycle[1]. [1] https://opendev.org/openstack/horizon/commit/7fc8018956945cfe683a2cf1c53643d800c482bf Change-Id: I421ccdcc003ff7cc917b2a9f9efac8ec051f51b0 --- manifests/init.pp | 23 +++++++ .../sso-redirect-opts-8e190e4c0f6338df.yaml | 4 ++ spec/classes/horizon_init_spec.rb | 65 ++++++++++++------- templates/local_settings.py.erb | 27 ++++++++ 4 files changed, 96 insertions(+), 23 deletions(-) create mode 100644 releasenotes/notes/sso-redirect-opts-8e190e4c0f6338df.yaml diff --git a/manifests/init.pp b/manifests/init.pp index 1237e954..3a9464d8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -427,6 +427,25 @@ # 'acme_saml2' => ['acme', 'saml2'], # } # +# [*websso_default_redirect*] +# (optional) Enables redirection on login to the identity proider defined on +# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGIO. +# Defaults to undef +# +# [*websso_default_redirect_protocol*] +# (optional) Specifies the protocol to use fo default redirection on login. +# Defaults to undef +# +# [*websso_default_redirect_region*] +# (optional) Specifies the region to which the connection will be established +# on login. +# Defaults to undef +# +# [*websso_default_redirect_logout*] +# (optional) Enables redirection on logout to the method specified on +# the identity provider. +# Defaults to undef +# # [*password_validator*] # (optional) Horizon provides a password validation check, which OpenStack cloud # operators can use to enforce password complexity checks for users within horizon. 
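Review bot: The doc block for `websso_default_redirect` ends with "Defaults to undef", but the class signature in the next hunk declares `$websso_default_redirect = false`; the comment line should read `#   Defaults to false`. The same added block has three typos that will land in the generated reference docs: "proider" (provider), "WEBSSO_DEFAULT_REDIRECT_REGIO" (the template hunk writes WEBSSO_DEFAULT_REDIRECT_REGION) and "fo default" (for default). Judging by the spec values, `websso_default_redirect_region` and `websso_default_redirect_logout` are URLs that decide where a user's browser is sent, so the parameter docs should say so and give an example value.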
@@ -560,6 +579,10 @@ class horizon(
 $websso_initial_choice = undef,
 $websso_choices = undef,
 $websso_idp_mapping = undef,
+ $websso_default_redirect = false,
+ $websso_default_redirect_protocol = undef,
+ $websso_default_redirect_region = undef,
+ $websso_default_redirect_logout = undef,
 $password_validator = undef,
 $password_validator_help = undef,
 $enable_user_pass = true,
diff --git a/releasenotes/notes/sso-redirect-opts-8e190e4c0f6338df.yaml b/releasenotes/notes/sso-redirect-opts-8e190e4c0f6338df.yaml
new file mode 100644
index 00000000..f9a2339f
--- /dev/null
+++ b/releasenotes/notes/sso-redirect-opts-8e190e4c0f6338df.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Support for SSO redirect options have been added.
diff --git a/spec/classes/horizon_init_spec.rb b/spec/classes/horizon_init_spec.rb
index b90b8a17..9fae3c61 100644
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
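Review bot: `$websso_default_redirect` is added without a data type, while the template guard in templates/local_settings.py.erb is a bare `<% if @websso_default_redirect -%>`, so any string value, including 'False' or 'false', is truthy and renders `WEBSSO_DEFAULT_REDIRECT = True`. The spec in this commit passes `:websso_enabled => 'True'` as a string, so operators may well follow that convention for the new switch and end up with automatic redirect enabled when they meant to disable it. Declaring the parameter as `Boolean $websso_default_redirect = false,` would reject such values at catalogue compilation, assuming the module's supported Puppet versions allow typed parameters. The class parameter list continues outside the hunk.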
@@ -589,32 +589,51 @@ describe 'horizon' do context 'with websso enabled' do before do params.merge!({ - :websso_enabled => 'True', - :websso_initial_choice => 'acme', - :websso_choices => [ - ['oidc', 'OpenID Connect'], - ['saml2', 'Security Assertion Markup Language'], - ], - :websso_idp_mapping => { - 'acme_oidc' => ['acme', 'oidc'], - 'acme_saml2' => ['acme', 'saml2'], - } - }) + :websso_enabled => 'True', + :websso_initial_choice => 'acme', + :websso_choices => [ + ['oidc', 'OpenID Connect'], + ['saml2', 'Security Assertion Markup Language'], + ], + :websso_idp_mapping => { + 'acme_oidc' => ['acme', 'oidc'], + 'acme_saml2' => ['acme', 'saml2'], + } + }) end it 'configures websso options' do verify_concat_fragment_contents(catalogue, 'local_settings.py', [ - 'WEBSSO_ENABLED = True', - 'WEBSSO_INITIAL_CHOICE = "acme"', - 'WEBSSO_CHOICES = (', - ' ("credentials", _("Keystone Credentials")),', - ' ("oidc", _("OpenID Connect")),', - ' ("saml2", _("Security Assertion Markup Language")),', - ')', - 'WEBSSO_IDP_MAPPING = {', - ' "acme_oidc": ("acme", "oidc"),', - ' "acme_saml2": ("acme", "saml2"),', - '}', - ]) + 'WEBSSO_ENABLED = True', + 'WEBSSO_INITIAL_CHOICE = "acme"', + 'WEBSSO_CHOICES = (', + ' ("credentials", _("Keystone Credentials")),', + ' ("oidc", _("OpenID Connect")),', + ' ("saml2", _("Security Assertion Markup Language")),', + ')', + 'WEBSSO_IDP_MAPPING = {', + ' "acme_oidc": ("acme", "oidc"),', + ' "acme_saml2": ("acme", "saml2"),', + '}', + ]) + end + end + + context 'with websso redirect enabled' do + before do + params.merge!({ + :websso_default_redirect => true, + :websso_default_redirect_protocol => 'oidc', + :websso_default_redirect_region => 'http://127.0.0.1:5000', + :websso_default_redirect_logout => 'http://idptest/logout' + }) + end + it 'configures websso redirect options' do + verify_concat_fragment_contents(catalogue, 'local_settings.py', [ + 'WEBSSO_DEFAULT_REDIRECT = True', + 'WEBSSO_DEFAULT_REDIRECT_PROTOCOL = "oidc"', + 
'WEBSSO_DEFAULT_REDIRECT_REGION = "http://127.0.0.1:5000"', + 'WEBSSO_DEFAULT_REDIRECT_LOGOUT = "http://idptest/logout"' + ]) end end diff --git a/templates/local_settings.py.erb b/templates/local_settings.py.erb index 75142d2c..8ebd78fb 100644 --- a/templates/local_settings.py.erb +++ b/templates/local_settings.py.erb @@ -335,6 +335,33 @@ WEBSSO_IDP_MAPPING = { } <% end -%> +# Enables redirection on login to the identity provider defined on +# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION +#WEBSSO_DEFAULT_REDIRECT = False +<% if @websso_default_redirect -%> +WEBSSO_DEFAULT_REDIRECT = True +<% end -%> + +# Specifies the protocol to use for default redirection on login +#WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None +<% if @websso_default_redirect_protocol -%> +WEBSSO_DEFAULT_REDIRECT_PROTOCOL = "<%= @websso_default_redirect_protocol %>" +<% end -%> + +# Specifies the region to which the connection will be established on login +#WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL +<% if @websso_default_redirect_region -%> +WEBSSO_DEFAULT_REDIRECT_REGION = "<%= @websso_default_redirect_region %>" +<% end -%> + +# Enables redirection on logout to the method specified on the identity +# provider. Once logout the client will be redirected to the address specified +# in this variable. +#WEBSSO_DEFAULT_REDIRECT_LOGOUT = None +<% if @websso_default_redirect_logout -%> +WEBSSO_DEFAULT_REDIRECT_LOGOUT = "<%= @websso_default_redirect_logout %>" +<% end -%> + # Disable SSL certificate checks (useful for self-signed certificates): #OPENSTACK_SSL_NO_VERIFY = True <% if @ssl_no_verify %>
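Review bot: The new `with websso redirect enabled` context only exercises the enabled path; nothing asserts that the rendered fragment omits the `WEBSSO_DEFAULT_REDIRECT*` assignments when the four parameters keep their defaults. Because the option changes where users are sent at login and logout, an example with default parameters that checks `WEBSSO_DEFAULT_REDIRECT = True` is absent from `local_settings.py` would catch a guard that fires unexpectedly. The first half of the hunk is a pure re-indentation of the existing `with websso enabled` context, which hides the real addition in the diff and would be easier to review as a separate commit.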
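Review bot: The three string options are written into the Python settings file as `"<%= @websso_default_redirect_logout %>"` (and the same form for protocol and region) with no escaping, so a value containing a double quote, backslash or newline produces a broken or altered `local_settings.py` that Django then imports. Since these values control where browsers are redirected, they are better constrained at the class boundary than in the template. For example, the region and logout parameters could take a URL type (`Optional[Stdlib::HTTPUrl]`, if puppetlabs-stdlib is available to this module) and the protocol a restricted pattern such as `Optional[Pattern[/\A[\w-]+\z/]]`. The commented default `#WEBSSO_DEFAULT_REDIRECT_LOGOUT = None` could also note that the target should be an HTTPS URL of the identity provider.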