diff --git a/manifests/init.pp b/manifests/init.pp index 218d9688..ef11e5c9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -373,6 +373,10 @@ # (optional) The default theme to use from list of available themes. Value should be theme_name. # Defaults to false # +# [*authentication_plugins*] +# (optional) List of authentication plugins to be used. +# Defaults to [] +# # [*password_autocomplete*] # (optional) Whether to instruct the client browser to autofill the login form password # Valid values are 'on' and 'off' @@ -478,6 +482,10 @@ # the identity provider. # Defaults to undef # +# [*totp_enabled*] +# (optional) Activate TOTP support. +# Defaults to false +# # [*password_validator*] # (optional) Horizon provides a password validation check, which OpenStack cloud # operators can use to enforce password complexity checks for users within horizon. @@ -604,6 +612,7 @@ class horizon( $vhost_extra_params = undef, $available_themes = false, $default_theme = false, + Array[String[1]] $authentication_plugins = [], Enum['on', 'off'] $password_autocomplete = 'off', $create_image_defaults = undef, Boolean $password_retrieve = false, @@ -621,6 +630,7 @@ class horizon( $websso_default_redirect_protocol = undef, $websso_default_redirect_region = undef, $websso_default_redirect_logout = undef, + Boolean $totp_enabled = false, $password_validator = undef, $password_validator_help = undef, $customization_module = undef, diff --git a/releasenotes/notes/totp-support-c31e3b9213c8d68d.yaml b/releasenotes/notes/totp-support-c31e3b9213c8d68d.yaml new file mode 100644 index 00000000..171da579 --- /dev/null +++ b/releasenotes/notes/totp-support-c31e3b9213c8d68d.yaml 
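Review bot: `Array[String[1]]` on `$authentication_plugins` (the `@@ -604` hunk) accepts any non-empty string, while the template hunk at `@@ -694` in templates/local_settings.py.erb writes each element between single quotes into local_settings.py without escaping. A value containing a quote, backslash or newline would end up as Python syntax in the Horizon settings file, which matters if the list comes from Hiera or an ENC that is controlled less tightly than the manifest. The values are dotted Python class paths, so the type can enforce that: `Array[Pattern[/\A[A-Za-z_][A-Za-z0-9_.]*\z/]] $authentication_plugins = [],`. The parameter doc in the `@@ -373` hunk could also say that entries are dotted class paths and that a non-empty list presumably replaces Horizon's built-in plugin list rather than extending it (confirm against the openstack_auth defaults).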
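Review bot: `$totp_enabled` in the `@@ -621` hunk is accepted independently of `$authentication_plugins`, although the release note in this commit says the plugin list is required to enable TOTP. With `totp_enabled => true` and the default `[]`, the template renders `OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True` and no `AUTHENTICATION_PLUGINS`, so an operator can believe TOTP login is in place while the TOTP plugin is not configured. The class body is outside the hunk; a guard there would surface the mismatch at catalog compile time: `if $totp_enabled and !('openstack_auth.plugin.totp.TotpPlugin' in $authentication_plugins) { fail('totp_enabled requires the TOTP plugin in authentication_plugins') }`. The `[*totp_enabled*]` doc in the `@@ -478` hunk should state the same dependency.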
@@ -0,0 +1,11 @@ +--- +features: + - | + The new ``horizon::totp_enabled`` parameter has been added. This parameter + can be used to customize the ``OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED`` option + in Horizon to enable TOTP support. + + - | + The ``authentication_plugins`` parameter has been added to allow + customizing the ``AUTHENTICATION_PLUGINS`` option, which is required to + enable TOTP support. diff --git a/spec/classes/horizon_init_spec.rb b/spec/classes/horizon_init_spec.rb index ba2333ee..96b2345a 100644 --- a/spec/classes/horizon_init_spec.rb +++ b/spec/classes/horizon_init_spec.rb @@ -661,6 +661,28 @@ describe 'horizon' do end end + context 'with totp enabled' do + before do + params.merge!({ + :totp_enabled => true, + :authentication_plugins => [ + 'openstack_auth.plugin.totp.TotpPlugin', + 'openstack_auth.plugin.password.PasswordPlugin', + 'openstack_auth.plugin.token.TokenPlugin' + ] + }) + end + it 'configures totp options' do + verify_concat_fragment_contents(catalogue, 'local_settings.py', [ + 'OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True', + 'AUTHENTICATION_PLUGINS = [', + " 'openstack_auth.plugin.totp.TotpPlugin',", + " 'openstack_auth.plugin.password.PasswordPlugin',", + " 'openstack_auth.plugin.token.TokenPlugin',", + ]) + end + end + context 'with help_url, bug_url and customization_module provided' do before do params.merge!({ diff --git a/templates/local_settings.py.erb b/templates/local_settings.py.erb index cdf1e7a0..c92cd567 100644 --- a/templates/local_settings.py.erb +++ b/templates/local_settings.py.erb @@ -358,6 +358,10 @@ WEBSSO_DEFAULT_REDIRECT_REGION = "<%= @websso_default_redirect_region %>" WEBSSO_DEFAULT_REDIRECT_LOGOUT = "<%= @websso_default_redirect_logout %>" <% end -%> +<% if @totp_enabled -%> +OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True + +<% end -%> # Disable SSL certificate checks (useful for self-signed certificates): #OPENSTACK_SSL_NO_VERIFY = False <% if @ssl_no_verify -%> 
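Review bot: The new context in the `@@ -661` hunk of spec/classes/horizon_init_spec.rb covers only the case where both parameters are set consistently. Nothing asserts that the default parameters leave `OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED` and `AUTHENTICATION_PLUGINS` out of local_settings.py, and nothing exercises `:totp_enabled => true` with an empty plugin list, the combination the release note implies will not work. A second context for that mismatch would pin whichever behaviour the class settles on (render as-is, or fail compilation). The expected lines also stop before the closing `]`, so a template change that drops it might go unnoticed.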
@@ -694,6 +698,14 @@ AVAILABLE_THEMES = [ <% if @default_theme -%> DEFAULT_THEME = '<%= @default_theme %>' +<% end -%> +<% if !(@authentication_plugins.empty?) -%> +AUTHENTICATION_PLUGINS = [ +<% @authentication_plugins.each do |r| -%> + '<%= r -%>', +<% end -%> +] + <% end -%> # Modules that provide /auth routes that can be used to handle different types # of user authentication. Add auth plugins that require extra route handling to
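Review bot: The `AUTHENTICATION_PLUGINS` block added in the `@@ -694` hunk is rendered without an explanatory comment, unlike neighbouring settings in this template (for example the `# Disable SSL certificate checks` line visible in the `@@ -358` hunk). A comment above the block would help whoever audits the generated file, e.g. `# Authentication plugins loaded by openstack_auth (horizon::authentication_plugins).` The `OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED` block in the `@@ -358` hunk could likewise carry `# Requires the TOTP plugin to be listed in AUTHENTICATION_PLUGINS.` so the dependency is recorded next to the setting.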