From 717d40798aa5d34b2b8a2e37b88d69bf798cd0eb Mon Sep 17 00:00:00 2001 From: Lars Kellogg-Stedman Date: Wed, 20 Mar 2019 14:24:31 -0400 Subject: [PATCH] enable oauth support in keystone::fededation::openidc add parameters for enabling OAuth support, which is required for the command line tools to interact with an openid identity provider. Change-Id: I284160e520fbb73a041c49ff1a3e1ef5f3caf59d --- manifests/federation/openidc.pp | 48 ++++++++++++------- .../keystone_federation_openidc_spec.rb | 23 ++++++++- templates/openidc.conf.erb | 18 ++++--- 3 files changed, 63 insertions(+), 26 deletions(-) diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp index b623bf343..87f2dfede 100644 --- a/manifests/federation/openidc.pp +++ b/manifests/federation/openidc.pp @@ -49,13 +49,19 @@ # with a minimum of 8464 bytes. Defaults to undef. # # [*openidc_cache_dir*] -# (Optional) # Directory that holds cache files; must be writable +# (Optional) Directory that holds cache files; must be writable # for the Apache process/user. Defaults to undef. # # [*openidc_cache_clean_interval*] -# (Optional) # Cache file clean interval in seconds (only triggered +# (Optional) Cache file clean interval in seconds (only triggered # on writes). Defaults to undef. # +# [*openidc_enable_oauth*] +# (Optional) Set to true to enable oauthsupport. +# +# [*openidc_introspection_endpoint*] +# (Required if oauth is enabled) Oauth introspection endpoint url. +# # [*memcached_servers*] # (Optional) A list of memcache servers. Defaults to undef. # 
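Review bot: The new parameter docs omit the one fact an operator needs before enabling this: the template sets `OIDCOAuthClientID`/`OIDCOAuthClientSecret` next to `OIDCOAuthIntrospectionEndpoint`, and mod_auth_openidc uses those to authenticate the introspection call, so the client secret and every bearer token it validates go to that URL and it has to be https. The `openidc_enable_oauth` entry also states no default (the manifest sets `false`) and runs "oauth" into "support". Suggest `(Optional) Set to true to enable OAuth 2.0 bearer-token support for the command-line auth endpoint. Defaults to false.` and `(Required if oauth is enabled) OAuth 2.0 token introspection endpoint URL. Must be https: the client secret and bearer tokens are sent to this endpoint. Defaults to undef.`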
@@ -108,23 +114,25 @@ class keystone::federation::openidc ( $openidc_provider_metadata_url, $openidc_client_id, $openidc_client_secret, - $openidc_crypto_passphrase = 'openstack', - $openidc_response_type = 'id_token', - $openidc_cache_type = undef, - $openidc_cache_shm_max = undef, - $openidc_cache_shm_entry_size = undef, - $openidc_cache_dir = undef, - $openidc_cache_clean_interval = undef, - $memcached_servers = undef, - $redis_server = undef, - $redis_password = undef, - $remote_id_attribute = undef, - $template_order = 331, - $package_ensure = present, - $keystone_url = undef, + $openidc_crypto_passphrase = 'openstack', + $openidc_response_type = 'id_token', + $openidc_cache_type = undef, + $openidc_cache_shm_max = undef, + $openidc_cache_shm_entry_size = undef, + $openidc_cache_dir = undef, + $openidc_cache_clean_interval = undef, + $openidc_enable_oauth = false, + $openidc_introspection_endpoint = undef, + $memcached_servers = undef, + $redis_server = undef, + $redis_password = undef, + $remote_id_attribute = undef, + $template_order = 331, + $package_ensure = present, + $keystone_url = undef, # DEPRECATED - $admin_port = undef, - $main_port = undef, + $admin_port = undef, + $main_port = undef, ) { include ::apache @@ -144,6 +152,10 @@ class keystone::federation::openidc ( warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect') } + if $openidc_enable_oauth and !$openidc_introspection_endpoint { + fail('You must set openidc_introspection_endpoint when enabling oauth support') + } + $memcached_servers_real = join(any2array($memcached_servers), ' ') # Note: if puppet-apache modify these values, this needs to be updated diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb index 9195a03b1..dc3a127ca 100644 --- a/spec/classes/keystone_federation_openidc_spec.rb +++ b/spec/classes/keystone_federation_openidc_spec.rb 
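Review bot: `$openidc_enable_oauth = false` is untyped, and both the manifest guard and the ERB `if` only test it for truthiness, so a string such as `'false'` (easy to get from Hiera/YAML) silently enables the OAuth block and writes the client secret into the vhost fragment. If the module targets Puppet 4 data types, `Boolean $openidc_enable_oauth = false,` and `Optional[String[1]] $openidc_introspection_endpoint = undef,` close that; if it still supports untyped Puppet 3 style, stdlib's `validate_bool($openidc_enable_oauth)` does the same — I cannot tell from the hunk which the module uses. Separately, re-aligning the sixteen untouched parameters buries the two real additions in blame; leaving the old alignment keeps this hunk to two added lines.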
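Review bot: The new guard only rejects undef: Puppet 4+ treats an empty string as truthy, so `openidc_introspection_endpoint => ''` passes and renders an empty `OIDCOAuthIntrospectionEndpoint ""`, and nothing checks the scheme even though the client secret and every bearer token are sent to this URL. I would reject both an empty value and a non-https URL at catalog time rather than discover it in the Apache log; note the spec fixture then needs `https://example.com`. The class body continues outside the hunk.
```puppet
if $openidc_enable_oauth {
  if !$openidc_introspection_endpoint or $openidc_introspection_endpoint == '' {
    fail('You must set openidc_introspection_endpoint when enabling oauth support')
  }
  # The client secret and bearer tokens are presented to this endpoint; refuse clear text.
  if $openidc_introspection_endpoint !~ /^https:\/\// {
    fail('openidc_introspection_endpoint must be an https URL')
  }
}
```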
@@ -48,6 +48,11 @@ describe 'keystone::federation::openidc' do params.merge!(:template_port => 999) it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./ end + + before do + params.merge!(:openidc_enable_oauth => true) + it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/ + end end on_supported_os({ @@ -87,7 +92,23 @@ describe 'keystone::federation::openidc' do expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"') expect(content).to match('OIDCClientID "openid_client_id"') expect(content).to match('OIDCClientSecret "openid_client_secret"') - expect(content).to match('OS-FEDERATION/identity_providers/myidp/protocols/openid/auth') + end + end + + context 'with oauth enabled' do + before do + params.merge!({ + :openidc_enable_oauth => true, + :openidc_introspection_endpoint => 'http://example.com', + }) + end + + it 'should contain oauth config' do + content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') + expect(content).to match('OIDCOAuthClientID "openid_client_id"') + expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"') + expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"') + expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth') end end diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb index 0c050e1d9..39b957ed3 100644 --- a/templates/openidc.conf.erb +++ b/templates/openidc.conf.erb 
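Review bot: `it_raises` is called inside a `before do` hook, where RSpec does not provide example-defining helpers (they exist on the example group, not in the hook's instance scope), so as written the hook errors out instead of defining the example; and because the hook sits at the enclosing group level it also runs for the sibling `template_order` examples and merges `:openidc_enable_oauth => true` into their params. Move it into its own context so the `it_raises` is a real example and the param only applies there. The enclosing example group starts outside the hunk.
```ruby
context 'with oauth enabled but no introspection endpoint' do
  before do
    params.merge!(:openidc_enable_oauth => true)
  end
  it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/
end
```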
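Review bot: The fixture models the configuration the module should never produce: `:openidc_introspection_endpoint => 'http://example.com'` is a plain-http URL for the endpoint that receives the client secret and bearer tokens, so any scheme check added to the manifest would fail this example. Use `'https://example.com'` here and in the `OIDCOAuthIntrospectionEndpoint` expectation so the spec documents the supported shape. Minor: `match('...')` with a string compiles it to a regex, so the `.` in the URLs matches any character; `include(...)` is the literal check the intent calls for.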
@@ -32,13 +32,6 @@ OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %> <%- end -%> - # The following directives are required to support openidc from the command - # line - /protocols/openid/auth"> - AuthType oauth20 - Require valid-user - - # The following directives are necessary to support websso from Horizon # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" @@ -53,3 +46,14 @@ AuthType "openid-connect" Require valid-user + +<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%> + OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>" + OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>" + OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>" + + /protocols/openid/auth"> + AuthType oauth20 + Require valid-user + +<%- end -%>
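Review bot: The explanatory comment that sat above the `/auth` Location in the old version ("required to support openidc from the command line") was dropped in the move and the new `OIDCOAuth*` block has none, so a reader of the rendered vhost sees a second copy of the client secret with no hint why. I would open the `if` block with `# OAuth 2.0 bearer-token support for the command-line auth endpoint: tokens presented to /auth are validated by token introspection, and the client ID/secret below authenticate that call, so the endpoint URL must be https.` Hedged: whether mod_auth_openidc also honours a separate `OIDCOAuthTokenIntrospectionInterval`/cache setting for this path is not visible here and may be worth a follow-up parameter.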