Add oidc options

Add additional OIDC Options to allow for user defined configuration. This change adds: keystone::federation::openidc::openidc_pass_userinfo_as keystone::federation::openidc::openidc_pass_claim_as Change-Id: Id093956a4c88cfe1f70aa93ecc87da5850bb185c (cherry picked from commit a3ef077a8a) (cherry picked from commit cf81f460c1) (cherry picked from commit cf81f460c1) (cherry picked from commit 724e5910be) (cherry picked from commit f0d4f19eae)
2021-08-09 02:05:32 +00:00 · 2021-08-09 02:05:32 +00:00 · 118401484b
parent 063d524dbf
commit 118401484b
4 changed files with 70 additions and 0 deletions
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@ -83,6 +83,19 @@
 #  Must be one of introspection or jwks
 #  Defaults to introspection
 #
+# [*openidc_pass_userinfo_as*]
+#  Define the way(s) in which the claims resolved from the userinfo endpoint
+#  are passed to the application according to OIDCPassClaimsAs.
+#  Defaults to undef
+#
+# [*openidc_pass_claim_as*]
+#  Define the way in which the claims and tokens are passed to the application environment:
+#  "none": no claims/tokens are passed
+#  "environment": claims/tokens are passed as environment variables
+#  "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
+#  "both": claims/tokens are passed as both headers as well as environment variables (default)
+#  Defaults to undef
+#
 # [*memcached_servers*]
 #  (Optional) A list of memcache servers. Defaults to undef.
 #
@ -134,6 +147,8 @@ class keystone::federation::openidc (
  $openidc_introspection_endpoint = undef,
  $openidc_verify_jwks_uri        = undef,
  $openidc_verify_method          = 'introspection',
+  $openidc_pass_userinfo_as       = undef,
+  $openidc_pass_claim_as          = undef,
  $memcached_servers              = undef,
  $redis_server                   = undef,
  $redis_password                 = undef,
@ -163,6 +178,18 @@ class keystone::federation::openidc (
    }
  }

+  if $openidc_pass_userinfo_as != undef {
+    if !($openidc_pass_userinfo_as in ['claims', 'json', 'jwt']) {
+      fail('Unsupported OIDCPassUserInfoAs. Must be one of: claims, json or jwt')
+    }
+  }
+
+  if $openidc_pass_claim_as != undef {
+    if !($openidc_pass_claim_as in ['none', 'environment', 'headers', 'both']) {
+      fail('Unsupported OIDCPassClaimAs. Must be one of: none, environment, headers, both')
+    }
+  }
+
  if $memcached_servers != undef {
    $memcached_servers_real = join(any2array($memcached_servers), ' ')
  } else {
--- a/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
+++ b/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Adding the following configurable items for OpenID:
+
+    - ``keystone::federation::openidc::openidc_pass_userinfo_as`` to set
+      ``OIDCPassUserInfoAs``
+
+    - ``keystone::federation::openidc::openidc_pass_claim_as`` to set
+      ``OIDCPassClaimsAs``
+
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@ -178,5 +178,31 @@ describe 'keystone::federation::openidc' do
        expect(content).to match('OIDCClaimDelimiter ";"')
      end
    end
+
+    context 'with openidc_pass_userinfo_as attribute' do
+      before do
+        params.merge!({
+          :openidc_pass_userinfo_as => 'claims',
+        })
+      end
+
+      it 'should contain OIDC pass userinfo as' do
+        content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCPassUserInfoAs "claims"')
+      end
+    end
+
+    context 'with openidc_pass_claim_as attribute' do
+      before do
+        params.merge!({
+          :openidc_pass_claim_as => 'both',
+        })
+      end
+
+      it 'should contain OIDC pass claim as' do
+        content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCPassClaimsAs "both"')
+      end
+    end
  end
 end
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@ -34,6 +34,12 @@
 <%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
  OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
 <%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
+  OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
+<%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
+  OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
+<%- end -%>

  # The following directives are necessary to support websso from Horizon
  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)