enable oauth support in keystone::fededation::openidc

add parameters for enabling OAuth support, which is required for the
command line tools to interact with an openid identity provider.

Change-Id: I284160e520fbb73a041c49ff1a3e1ef5f3caf59d
changes/65/644965/4
Lars Kellogg-Stedman 4 years ago committed by Emilien Macchi
parent dcbd368d5c
commit 717d40798a
  1. 48
      manifests/federation/openidc.pp
  2. 23
      spec/classes/keystone_federation_openidc_spec.rb
  3. 18
      templates/openidc.conf.erb

@ -49,13 +49,19 @@
# with a minimum of 8464 bytes. Defaults to undef.
#
# [*openidc_cache_dir*]
# (Optional) # Directory that holds cache files; must be writable
# (Optional) Directory that holds cache files; must be writable
# for the Apache process/user. Defaults to undef.
#
# [*openidc_cache_clean_interval*]
# (Optional) # Cache file clean interval in seconds (only triggered
# (Optional) Cache file clean interval in seconds (only triggered
# on writes). Defaults to undef.
#
# [*openidc_enable_oauth*]
# (Optional) Set to true to enable oauthsupport.
#
# [*openidc_introspection_endpoint*]
# (Required if oauth is enabled) Oauth introspection endpoint url.
#
# [*memcached_servers*]
# (Optional) A list of memcache servers. Defaults to undef.
#
@ -108,23 +114,25 @@ class keystone::federation::openidc (
$openidc_provider_metadata_url,
$openidc_client_id,
$openidc_client_secret,
$openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$openidc_cache_type = undef,
$openidc_cache_shm_max = undef,
$openidc_cache_shm_entry_size = undef,
$openidc_cache_dir = undef,
$openidc_cache_clean_interval = undef,
$memcached_servers = undef,
$redis_server = undef,
$redis_password = undef,
$remote_id_attribute = undef,
$template_order = 331,
$package_ensure = present,
$keystone_url = undef,
$openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$openidc_cache_type = undef,
$openidc_cache_shm_max = undef,
$openidc_cache_shm_entry_size = undef,
$openidc_cache_dir = undef,
$openidc_cache_clean_interval = undef,
$openidc_enable_oauth = false,
$openidc_introspection_endpoint = undef,
$memcached_servers = undef,
$redis_server = undef,
$redis_password = undef,
$remote_id_attribute = undef,
$template_order = 331,
$package_ensure = present,
$keystone_url = undef,
# DEPRECATED
$admin_port = undef,
$main_port = undef,
$admin_port = undef,
$main_port = undef,
) {
include ::apache
@ -144,6 +152,10 @@ class keystone::federation::openidc (
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
}
if $openidc_enable_oauth and !$openidc_introspection_endpoint {
fail('You must set openidc_introspection_endpoint when enabling oauth support')
}
$memcached_servers_real = join(any2array($memcached_servers), ' ')
# Note: if puppet-apache modify these values, this needs to be updated

@ -48,6 +48,11 @@ describe 'keystone::federation::openidc' do
params.merge!(:template_port => 999)
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
end
before do
params.merge!(:openidc_enable_oauth => true)
it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/
end
end
on_supported_os({
@ -87,7 +92,23 @@ describe 'keystone::federation::openidc' do
expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
expect(content).to match('OIDCClientID "openid_client_id"')
expect(content).to match('OIDCClientSecret "openid_client_secret"')
expect(content).to match('OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
end
end
context 'with oauth enabled' do
before do
params.merge!({
:openidc_enable_oauth => true,
:openidc_introspection_endpoint => 'http://example.com',
})
end
it 'should contain oauth config' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCOAuthClientID "openid_client_id"')
expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"')
expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"')
expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
end
end

@ -32,13 +32,6 @@
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
<%- end -%>
# The following directives are required to support openidc from the command
# line
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
@ -53,3 +46,14 @@
AuthType "openid-connect"
Require valid-user
</LocationMatch>
<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>"
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
<%- end -%>

Loading…
Cancel
Save