Federation mellon support Web Single Sign-On (SSO)

When configuring federation using mellon it should be possible to also setup Web Single Sign-On (SSO) according to: http://docs.openstack.org/developer/keystone/federation/websso.html Closes-Bug: #1655620 Change-Id: I340b3a86f6870ea3b9240b4d4f69e33dde004868
2017-01-11 13:52:04 +01:00 · 2017-01-11 13:52:04 +01:00 · 73d7194a60
parent dbb4c3c8ce
commit 73d7194a60
4 changed files with 74 additions and 5 deletions
--- a/manifests/federation/mellon.pp
+++ b/manifests/federation/mellon.pp
@ -46,15 +46,28 @@
 #   accepts latest or specific versions.
 #   Defaults to present.
 #
+# [*enable_websso*]
+#   (optional) Wheater or not to enable Web Single Sign-On (SSO)
+#   Defaults to false
+#
+# [*trusted_dashboards*]
+#   (optional) URL list of trusted horizon servers.
+#   This setting ensures that keystone only sends token data back to trusted
+#   servers. This is performed as a precaution, specifically to prevent man-in-
+#   the-middle (MITM) attacks.
+#   Defaults to undef
+#
 class keystone::federation::mellon (
  $methods,
  $idp_name,
  $protocol_name,
-  $admin_port     = false,
-  $main_port      = true,
-  $module_plugin  = 'keystone.auth.plugins.mapped.Mapped',
-  $template_order = 331,
-  $package_ensure = present,
+  $admin_port         = false,
+  $main_port          = true,
+  $module_plugin      = 'keystone.auth.plugins.mapped.Mapped',
+  $template_order     = 331,
+  $package_ensure     = present,
+  $enable_websso      = false,
+  $trusted_dashboards = undef,
 ) {

  include ::apache
@ -81,6 +94,7 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even

  validate_bool($admin_port)
  validate_bool($main_port)
+  validate_bool($enable_websso)

  if( !$admin_port and !$main_port){
    fail('No VirtualHost port to configure, please choose at least one.')
@ -91,6 +105,16 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
    'auth/saml2':   value => $module_plugin;
  }

+  if($enable_websso){
+    if( !trusted_dashboards){
+      fail('No trusted dashboard specified, please add at least one.')
+    }
+    keystone_config {
+      'mapped/remote_id_attribute': value => 'MELLON_IDP';
+      'federation/trusted_dashboard': value => join(any2array($trusted_dashboards),',');
+    }
+  }
+
  ensure_packages([$::keystone::params::mellon_package_name], {
    ensure => $package_ensure,
    tag    => 'keystone-support-package',
--- a/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml
+++ b/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - Federation mellon support Web Single Sign-On (SSO)
+    When configuring federation using mellon enable setup of Web Single
+    Sign-On.
--- a/spec/classes/keystone_federation_mellon_spec.rb
+++ b/spec/classes/keystone_federation_mellon_spec.rb
@ -89,6 +89,33 @@ describe 'keystone::federation::mellon' do
        :order  => params[:template_order],
      })}
    end
+
+    context 'with websso enabled' do
+      before do
+        params.merge!({
+          :enable_websso => true,
+          :trusted_dashboards => [
+            'http://acme.horizon.com/auth/websso/',
+            'http://beta.horizon.com/auth/websso/',
+          ],
+        })
+      end
+
+      it 'should have basic params for mellon in Keystone configuration' do
+        is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
+        is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
+      end
+
+      it 'should have parameters for websso in Keystone configuration' do
+        is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_value('MELLON_IDP')
+        is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/')
+      end
+
+      it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
+        :target => "10-keystone_wsgi_main.conf",
+        :order  => params[:template_order],
+      })}
+    end
  end

  on_supported_os({
--- a/templates/mellon.conf.erb
+++ b/templates/mellon.conf.erb
@ -14,3 +14,16 @@
      AuthType "Mellon"
      MellonEnable "auth"
  </Location>
+
+<% if @enable_websso -%>
+  <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
+    AuthType Mellon
+    MellonEnable auth
+    Require valid-user
+  </Location>
+  <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::mellon::idp_name']-%>/protocols/mapped/websso">
+    AuthType Mellon
+    MellonEnable auth
+    Require valid-user
+  </Location>
+<% end -%>