openstack/puppet-horizon
Code Issues Proposed changes

Add TOTP support

Browse Source 
Horizon recently introduced TOTP support. This introduces a few new
parameters to allow users to enable the feature.

Depends-on: https://review.opendev.org/c/openstack/horizon/+/885570
Change-Id: I0b8d86c292715ffbb6d75dadcda7b51b1c190641
This commit is contained in:
Thomas Goirand 2023-08-23 10:16:39 +02:00 committed by Takashi Kajinami
parent 0eebd89391
commit d94647073a
4 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
manifests/init.pp
View File

@ -373,6 +373,10 @@
# (optional) The default theme to use from list of available themes. Value should be theme_name. # (optional) The default theme to use from list of available themes. Value should be theme_name.
# Defaults to false # Defaults to false
# #
# [*authentication_plugins*]
# (optional) List of authentication plugins to be used.
# Defaults to []
#
# [*password_autocomplete*] # [*password_autocomplete*]
# (optional) Whether to instruct the client browser to autofill the login form password # (optional) Whether to instruct the client browser to autofill the login form password
# Valid values are 'on' and 'off' # Valid values are 'on' and 'off'
@ -478,6 +482,10 @@
# the identity provider. # the identity provider.
# Defaults to undef # Defaults to undef
# #
# [*totp_enabled*]
# (optional) Activate TOTP support.
# Defaults to false
#
# [*password_validator*] # [*password_validator*]
# (optional) Horizon provides a password validation check, which OpenStack cloud # (optional) Horizon provides a password validation check, which OpenStack cloud
# operators can use to enforce password complexity checks for users within horizon. # operators can use to enforce password complexity checks for users within horizon.
@ -604,6 +612,7 @@ class horizon(
$vhost_extra_params = undef, $vhost_extra_params = undef,
$available_themes = false, $available_themes = false,
$default_theme = false, $default_theme = false,
Array[String[1]] $authentication_plugins = [],
Enum['on', 'off'] $password_autocomplete = 'off', Enum['on', 'off'] $password_autocomplete = 'off',
$create_image_defaults = undef, $create_image_defaults = undef,
Boolean $password_retrieve = false, Boolean $password_retrieve = false,
@ -621,6 +630,7 @@ class horizon(
$websso_default_redirect_protocol = undef, $websso_default_redirect_protocol = undef,
$websso_default_redirect_region = undef, $websso_default_redirect_region = undef,
$websso_default_redirect_logout = undef, $websso_default_redirect_logout = undef,
Boolean $totp_enabled = false,
$password_validator = undef, $password_validator = undef,
$password_validator_help = undef, $password_validator_help = undef,
$customization_module = undef, $customization_module = undef,

11
releasenotes/notes/totp-support-c31e3b9213c8d68d.yaml Normal file
View File

@ -0,0 +1,11 @@
---
features:
- |
The new ``horizon::totp_enabled`` parameter has been added. This parameter
can be used to customize the ``OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED`` option
in Horizon to enable TOTP support.
- |
The ``authentication_plugins`` parameter has been added to allow
customizing the ``AUTHENTICATION_PLUGINS`` option, which is required to
enable TOTP support.

22
spec/classes/horizon_init_spec.rb
View File

@ -661,6 +661,28 @@ describe 'horizon' do
end end
end end
context 'with totp enabled' do
before do
params.merge!({
:totp_enabled => true,
:authentication_plugins => [
'openstack_auth.plugin.totp.TotpPlugin',
'openstack_auth.plugin.password.PasswordPlugin',
'openstack_auth.plugin.token.TokenPlugin'
]
})
end
it 'configures totp options' do
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
'OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True',
'AUTHENTICATION_PLUGINS = [',
" 'openstack_auth.plugin.totp.TotpPlugin',",
" 'openstack_auth.plugin.password.PasswordPlugin',",
" 'openstack_auth.plugin.token.TokenPlugin',",
])
end
end
context 'with help_url, bug_url and customization_module provided' do context 'with help_url, bug_url and customization_module provided' do
before do before do
params.merge!({ params.merge!({

12
templates/local_settings.py.erb
View File

@ -358,6 +358,10 @@ WEBSSO_DEFAULT_REDIRECT_REGION = "<%= @websso_default_redirect_region %>"
WEBSSO_DEFAULT_REDIRECT_LOGOUT = "<%= @websso_default_redirect_logout %>" WEBSSO_DEFAULT_REDIRECT_LOGOUT = "<%= @websso_default_redirect_logout %>"
<% end -%> <% end -%>
<% if @totp_enabled -%>
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True
<% end -%>
# Disable SSL certificate checks (useful for self-signed certificates): # Disable SSL certificate checks (useful for self-signed certificates):
#OPENSTACK_SSL_NO_VERIFY = False #OPENSTACK_SSL_NO_VERIFY = False
<% if @ssl_no_verify -%> <% if @ssl_no_verify -%>
@ -694,6 +698,14 @@ AVAILABLE_THEMES = [
<% if @default_theme -%> <% if @default_theme -%>
DEFAULT_THEME = '<%= @default_theme %>' DEFAULT_THEME = '<%= @default_theme %>'
<% end -%>
<% if !(@authentication_plugins.empty?) -%>
AUTHENTICATION_PLUGINS = [
<% @authentication_plugins.each do |r| -%>
'<%= r -%>',
<% end -%>
]
<% end -%> <% end -%>
# Modules that provide /auth routes that can be used to handle different types # Modules that provide /auth routes that can be used to handle different types
# of user authentication. Add auth plugins that require extra route handling to # of user authentication. Add auth plugins that require extra route handling to