Use native interface to inject vhost configuration

puppetlabs-apache provides a native interface to inject arbitrary
content into vhost configuration files managed by the module.

Change-Id: Ia2489b5c79781a6335eea3ce2f6a19fd1c45b1c2
Takashi Kajinami
2024-03-25 11:40:15 +09:00
parent aacacdc154
commit 8780840907
6 changed files with 61 additions and 49 deletions


@@ -76,10 +76,10 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
} }
} }
concat::fragment { 'configure_mellon_keystone': apache::vhost::fragment { 'configure_mellon_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", vhost => 'keystone_wsgi',
content => template('keystone/mellon.conf.erb'), priority => $keystone::wsgi::apache::priority,
order => $template_order, content => template('keystone/mellon.conf.erb'),
order => $template_order,
} }
} }
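Review bot: The new `vhost` and `priority` arguments carry no comment saying that together they must identify the conf file of the vhost declared by keystone::wsgi::apache, which the removed `target` string spelled out explicitly. This fragment holds the Mellon authentication directives, so if the name or priority drifts from the real vhost, the directives would presumably no longer be merged into the Keystone vhost file. I would add above the resource: `# vhost and priority must match the keystone_wsgi vhost declared by keystone::wsgi::apache; they select the conf file this fragment is merged into`. The same applies to the openidc fragment and to both shibboleth fragments later in this commit. The enclosing class body starts and ends outside the hunk.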


@@ -242,9 +242,10 @@ class keystone::federation::openidc (
'openid/remote_id_attribute': value => $remote_id_attribute; 'openid/remote_id_attribute': value => $remote_id_attribute;
} }
concat::fragment { 'configure_openidc_keystone': apache::vhost::fragment { 'configure_openidc_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", vhost => 'keystone_wsgi',
content => template('keystone/openidc.conf.erb'), priority => $keystone::wsgi::apache::priority,
order => $template_order, content => template('keystone/openidc.conf.erb'),
order => $template_order,
} }
} }


@@ -80,10 +80,11 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
include apache::mod::shib include apache::mod::shib
include apache::mod::authn_core include apache::mod::authn_core
concat::fragment { 'configure_shibboleth_keystone': apache::vhost::fragment { 'configure_shibboleth_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", vhost => 'keystone_wsgi',
content => template('keystone/shibboleth.conf.erb'), priority => $keystone::wsgi::apache::priority,
order => $template_order, content => template('keystone/shibboleth.conf.erb'),
order => $template_order,
} }
} }
'RedHat': { 'RedHat': {
@@ -94,10 +95,11 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
path => '/usr/lib64/shibboleth/mod_shib_24.so' path => '/usr/lib64/shibboleth/mod_shib_24.so'
} }
concat::fragment { 'configure_shibboleth_keystone': apache::vhost::fragment { 'configure_shibboleth_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf", vhost => 'keystone_wsgi',
content => template('keystone/shibboleth.conf.erb'), priority => $keystone::wsgi::apache::priority,
order => $template_order, content => template('keystone/shibboleth.conf.erb'),
order => $template_order,
} }
} else { } else {
if !$suppress_warning { if !$suppress_warning {


@@ -51,10 +51,11 @@ describe 'keystone::federation::mellon' do
is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_ensure('absent') is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_ensure('absent')
end end
it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({ it { is_expected.to contain_apache__vhost__fragment('configure_mellon_keystone').with({
:vhost => 'keystone_wsgi',
# This need to change if priority is changed in keystone::wsgi::apache # This need to change if priority is changed in keystone::wsgi::apache
:target => "10-keystone_wsgi.conf", :priority => 10,
:order => params[:template_order], :order => params[:template_order],
})} })}
end end
@@ -73,9 +74,11 @@ describe 'keystone::federation::mellon' do
is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_value('MELLON_IDP') is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_value('MELLON_IDP')
end end
it { is_expected.to contain_concat__fragment('configure_mellon_keystone').with({ it { is_expected.to contain_apache__vhost__fragment('configure_mellon_keystone').with({
:target => "10-keystone_wsgi.conf", :vhost => 'keystone_wsgi',
:order => params[:template_order], # This need to change if priority is changed in keystone::wsgi::apache
:priority => 10,
:order => params[:template_order],
})} })}
end end
end end
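Review bot: The literal `:priority => 10` in both examples duplicates a default owned by keystone::wsgi::apache, and the comment guarding it reads `# This need to change if priority is changed in keystone::wsgi::apache`. I would reword it to `# This needs to change if the priority default changes in keystone::wsgi::apache` and keep it directly above `:priority` in each example. The shibboleth spec carries the same comment in three places, while the openidc spec sets `:priority => 10` with no comment at all. Neither example here asserts anything about `content`, so a fragment rendered empty would still pass; that is inferred from the visible lines only, since the describe block continues outside the hunks.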


@@ -66,13 +66,14 @@ describe 'keystone::federation::openidc' do
is_expected.to contain_keystone_config('openid/remote_id_attribute').with_value('<SERVICE DEFAULT>') is_expected.to contain_keystone_config('openid/remote_id_attribute').with_value('<SERVICE DEFAULT>')
end end
it { is_expected.to contain_concat__fragment('configure_openidc_keystone').with({ it { is_expected.to contain_apache__vhost__fragment('configure_openidc_keystone').with({
:target => "10-keystone_wsgi.conf", :vhost => 'keystone_wsgi',
:order => params[:template_order], :priority => 10,
:order => params[:template_order],
})} })}
it 'should contain expected config' do it 'should contain expected config' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"') expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
expect(content).to match('OIDCClientID "openid_client_id"') expect(content).to match('OIDCClientID "openid_client_id"')
expect(content).to match('OIDCClientSecret "openid_client_secret"') expect(content).to match('OIDCClientSecret "openid_client_secret"')
@@ -88,7 +89,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain oauth and introspection config' do it 'should contain oauth and introspection config' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCOAuthClientID "openid_client_id"') expect(content).to match('OIDCOAuthClientID "openid_client_id"')
expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"') expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"')
expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"') expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"')
@@ -106,7 +107,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain oauth and jwks config' do it 'should contain oauth and jwks config' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCOAuthVerifyJwksUri "http://example.com"') expect(content).to match('OIDCOAuthVerifyJwksUri "http://example.com"')
expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth') expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
end end
@@ -137,7 +138,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain memcache servers' do it 'should contain memcache servers' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCCacheType memcache') expect(content).to match('OIDCCacheType memcache')
expect(content).to match('OIDCCacheShmMax 10') expect(content).to match('OIDCCacheShmMax 10')
expect(content).to match('OIDCCacheShmEntrySize 11') expect(content).to match('OIDCCacheShmEntrySize 11')
@@ -159,7 +160,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain memcache servers' do it 'should contain memcache servers' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCCacheType redis') expect(content).to match('OIDCCacheType redis')
expect(content).to match('OIDCRedisCachePassword "redispass"') expect(content).to match('OIDCRedisCachePassword "redispass"')
expect(content).to match('OIDCRedisCacheUsername "redisuser"') expect(content).to match('OIDCRedisCacheUsername "redisuser"')
@@ -177,7 +178,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain memcache servers' do it 'should contain memcache servers' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCMemCacheServers "127.0.0.1:11211 127.0.0.2:11211"') expect(content).to match('OIDCMemCacheServers "127.0.0.1:11211 127.0.0.2:11211"')
end end
end end
@@ -190,7 +191,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain redis server' do it 'should contain redis server' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCRedisCacheServer "127.0.0.1"') expect(content).to match('OIDCRedisCacheServer "127.0.0.1"')
end end
end end
@@ -203,7 +204,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain OIDC claim delimiter' do it 'should contain OIDC claim delimiter' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCClaimDelimiter ";"') expect(content).to match('OIDCClaimDelimiter ";"')
end end
end end
@@ -216,7 +217,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain OIDC pass userinfo as' do it 'should contain OIDC pass userinfo as' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassUserInfoAs "claims"') expect(content).to match('OIDCPassUserInfoAs "claims"')
end end
end end
@@ -229,7 +230,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain OIDC pass claim as' do it 'should contain OIDC pass claim as' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassClaimsAs "both"') expect(content).to match('OIDCPassClaimsAs "both"')
end end
end end
@@ -242,7 +243,7 @@ describe 'keystone::federation::openidc' do
end end
it 'should contain OIDC response mode' do it 'should contain OIDC response mode' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content') content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCResponseMode "form_post"') expect(content).to match('OIDCResponseMode "form_post"')
end end
end end
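Review bot: Every `get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')` lookup in this file depends on how puppetlabs-apache titles the concat fragment it creates inside apache::vhost::fragment, which is an implementation detail of that module rather than something this manifest declares. An upstream change to that title would break all of these examples with no change in this repository. Reading the value from the wrapper, `content = get_param('apache::vhost::fragment', 'configure_openidc_keystone', 'content')`, would tie the examples to the resource this module actually declares, assuming the helper resolves defined types. If the intent is to prove the fragment really reaches the concat target, keep one such example and put the derived title in a single `let`. These checks matter because the content under test includes `OIDCClientSecret` and the cache credentials.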


@@ -82,9 +82,11 @@ describe 'keystone::federation::shibboleth' do
it { is_expected.to contain_apache__mod('shib2') } it { is_expected.to contain_apache__mod('shib2') }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ it { is_expected.to contain_apache__vhost__fragment('configure_shibboleth_keystone').with({
:target => "10-keystone_wsgi.conf", :vhost => 'keystone_wsgi',
:order => params[:template_order], # This need to change if priority is changed in keystone::wsgi::apache
:priority => 10,
:order => params[:template_order],
})} })}
end end
end end
@@ -105,9 +107,11 @@ describe 'keystone::federation::shibboleth' do
it { is_expected.to contain_apache__mod('shib2') } it { is_expected.to contain_apache__mod('shib2') }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ it { is_expected.to contain_apache__vhost__fragment('configure_shibboleth_keystone').with({
:target => "10-keystone_wsgi.conf", :vhost => 'keystone_wsgi',
:order => params[:template_order], # This need to change if priority is changed in keystone::wsgi::apache
:priority => 10,
:order => params[:template_order],
})} })}
end end
end end
@@ -117,7 +121,7 @@ describe 'keystone::federation::shibboleth' do
let (:params) { default_params } let (:params) { default_params }
it { is_expected.to_not contain_apache__mod('shib2') } it { is_expected.to_not contain_apache__mod('shib2') }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_keystone') } it { is_expected.to_not contain_apache__vhost__fragment('configure_shibboleth_keystone') }
end end
end end
end end
@@ -127,11 +131,12 @@ describe 'keystone::federation::shibboleth' do
let (:params) { default_params } let (:params) { default_params }
it { is_expected.to contain_apache__mod('shib2') } it { is_expected.to contain_apache__mod('shib2') }
it { is_expected.to contain_concat__fragment('configure_shibboleth_keystone').with({ it { is_expected.to contain_apache__vhost__fragment('configure_shibboleth_keystone').with({
:target => "10-keystone_wsgi.conf", :vhost => 'keystone_wsgi',
:order => params[:template_order], # This need to change if priority is changed in keystone::wsgi::apache
})} :priority => 10,
:order => params[:template_order],
})}
end end
end end