WebSSO config options

Add support for WEBSSO options in local_settings.py.erb

Change-Id: Ie528eb1afeb967d30fc504cd682154913fe6927c
Closes-Bug: #1607912
Harald Jensas 2017-01-05 03:10:59 +01:00
parent a8462638c7
commit 4ed2edf02a
4 changed files with 99 additions and 0 deletions

@ -305,6 +305,44 @@
# Scripting (XFS) vulnerability, so this option allows extra security hardening
# where iframes are not used in deployment. Default setting is True.
#
# [*websso_enabled*]
# (optional)Enable the WEBSSO_ENABLED option which turn on the keystone web
# single-sign-on if set to true.
# Default to false
#
# [*websso_initial_choice*]
# (optional)Set the WEBSSO_INITIAL_CHOICE option used to determine which
# authentication choice to show as default.
# Defaults to undef
#
# [*websso_choices*]
# (optional)Set the WEBSSO_CHOICES option, A list of authentication
# mechanisms which include keystone federation protocols and identity
# provide protocol mapping keys (WEBSSO_IDP_MAPPING).
# Default to undef
#
# Example:
# websso_choices => [
# ['oidc', 'OpenID Connect'],
# ['saml2', 'Security Assertion Markup Language']
# ]
#
# [*websso_idp_mapping*]
# (optional)Set the WEBSSO_IDP_MAPPING option.
# A dictionary of specific identity provider and protocol combinations.
# From theselected authentication mechanism, the value will be looked up as
# keys in the dictionary. If a match is found, it will redirect the user to
# a identity provider and federation protocol specific WebSSO endpoint in
# keystone, otherwise it will use the value as the protocol_id when
# redirecting to the WebSSO by protocol endpoint.
# Default to undef
#
# Example:
# websso_idp_mapping => {
# 'acme_oidc' => ['acme', 'oidc'],
# 'acme_saml2' => ['acme', 'saml2'],
# }
#
# === DEPRECATED group/name
#
# [*fqdn*]
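Review bot: The `websso_choices` documentation does not mention that the template in this commit always emits `("credentials", _("Keystone Credentials"))` as the first entry, so a reader cannot tell that listing 'credentials' themselves would duplicate it. I would add a line such as `# The 'credentials' choice is always added by the template and should not be listed here.` under that parameter. Two wording slips in the same block are worth fixing: `theselected` should read `the selected`, and `identity provide protocol mapping keys` presumably means `identity provider`. The `websso_enabled` entry should also say whether a boolean or the string 'True' is expected, since the spec in this commit passes the string.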
@ -405,6 +443,10 @@ class horizon(
$enforce_password_check = false,
$enable_secure_proxy_ssl_header = false,
$disallow_iframe_embed = true,
$websso_enabled = false,
$websso_initial_choice = undef,
$websso_choices = undef,
$websso_idp_mapping = undef,
# DEPRECATED PARAMETERS
$custom_theme_path = undef,
$fqdn = undef,
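Review bot: None of the four new parameters is type-checked, and the template in this commit guards `websso_choices` and `websso_idp_mapping` only with `kind_of?(Array)` / `kind_of?(Hash)`, so a mistyped value (for example a single string coming from hiera) is dropped silently and the setting is simply absent from local_settings.py. For an authentication setting, a failed catalog is easier to notice than a missing line. If puppetlabs-stdlib is available to this module, `if $websso_choices { validate_array($websso_choices) }` and `if $websso_idp_mapping { validate_hash($websso_idp_mapping) }` in the class body would cover it. The class body lies outside this hunk, but the other hunks of the commit add no such check.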

@ -0,0 +1,4 @@
---
features:
- Support was added for WEBSSO options in local_settings.py.erb.
WEBSSO options enables keystone web single-sign-on.

@ -456,6 +456,38 @@ describe 'horizon' do
])
end
end
context 'with websso enabled' do
before do
params.merge!({
:websso_enabled => 'True',
:websso_initial_choice => 'acme',
:websso_choices => [
['oidc', 'OpenID Connect'],
['saml2', 'Security Assertion Markup Language'],
],
:websso_idp_mapping => {
'acme_oidc' => ['acme', 'oidc'],
'acme_saml2' => ['acme', 'saml2'],
}
})
end
it 'configures websso options' do
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
'WEBSSO_ENABLED = True',
'WEBSSO_INITIAL_CHOICE = "acme"',
'WEBSSO_CHOICES = (',
' ("credentials", _("Keystone Credentials")),',
' ("oidc", _("OpenID Connect")),',
' ("saml2", _("Security Assertion Markup Language")),',
')',
'WEBSSO_IDP_MAPPING = {',
' "acme_oidc": ("acme", "oidc"),',
' "acme_saml2": ("acme", "saml2"),',
'}',
])
end
end
end
shared_examples_for 'horizon on RedHat' do
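Review bot: The new context sets `:websso_enabled => 'True'`, a string, while the parameter is documented as a boolean that defaults to `false`, so the documented usage is not covered. With a Puppet `true` the template line `WEBSSO_ENABLED = <%= @websso_enabled %>` renders `WEBSSO_ENABLED = true`, which is not a Python literal and would likely stop local_settings.py from loading. I would add a context with `:websso_enabled => true` that expects `'WEBSSO_ENABLED = True'`, and change the template line to `WEBSSO_ENABLED = <%= @websso_enabled.to_s.capitalize %>` so both forms render the same. The enclosing `describe` block starts outside the hunk.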

@ -273,6 +273,27 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "<%= @keystone_default_role %>"
# "acme_oidc": ("acme", "oidc"),
# "acme_saml2": ("acme", "saml2")
#}
<% if @websso_enabled -%>
WEBSSO_ENABLED = <%= @websso_enabled %>
<% end -%>
<% if @websso_initial_choice -%>
WEBSSO_INITIAL_CHOICE = "<%= @websso_initial_choice %>"
<% end -%>
<% if @websso_choices.kind_of?(Array) %>
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
<% @websso_choices.each do |r| -%>
("<%= r[0] -%>", _("<%= r[1] -%>")),
<% end -%>
)
<% end -%>
<% if @websso_idp_mapping.kind_of?(Hash) %>
WEBSSO_IDP_MAPPING = {
<% @websso_idp_mapping.each do |key,r| -%>
"<%= key -%>": ("<%= r[0] -%>", "<%= r[1] -%>"),
<% end -%>
}
<% end -%>
# Disable SSL certificate checks (useful for self-signed certificates):
#OPENSTACK_SSL_NO_VERIFY = True
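Review bot: Every value here is placed between double quotes in a Python source file without escaping (`"<%= @websso_initial_choice %>"`, `r[0]`, `r[1]`, `key`), so a value containing `"`, `\` or a newline ends the string literal early and the remainder is parsed as Python when Horizon loads its settings. The data comes from the Puppet catalog, so this is mostly a robustness concern, but it also means hiera data for these keys has to be handled as if it were code. Escaping at the point of output keeps the values as data, e.g. `"<%= @websso_initial_choice.to_s.gsub(/["\\]/) { |c| "\\#{c}" } %>"`, with the same applied to `r[0]`, `r[1]` and `key`, and newlines rejected in the manifest. Separately, the two `kind_of?` tags close with `%>` rather than `-%>`, which leaves a blank line in the rendered file, unlike the other tags in this hunk.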