openstack/puppet-keystone
Code Issues Proposed changes

Add oidc options

Browse Source 
Add additional OIDC Options to allow for user defined configuration.

This change adds:
keystone::federation::openidc::openidc_pass_userinfo_as
keystone::federation::openidc::openidc_pass_claim_as

Change-Id: Id093956a4c88cfe1f70aa93ecc87da5850bb185c
This commit is contained in:
Brendan Shephard 2021-08-09 02:05:32 +00:00 committed by Takashi Kajinami
parent 39c2734cf3
commit a3ef077a8a
4 changed files with 70 additions and 0 deletions

27
manifests/federation/openidc.pp

@ -83,6 +83,19 @@
# Must be one of introspection or jwks # Must be one of introspection or jwks
# Defaults to introspection # Defaults to introspection
# #
# [*openidc_pass_userinfo_as*]
# Define the way(s) in which the claims resolved from the userinfo endpoint
# are passed to the application according to OIDCPassClaimsAs.
# Defaults to undef
#
# [*openidc_pass_claim_as*]
# Define the way in which the claims and tokens are passed to the application environment:
# "none": no claims/tokens are passed
# "environment": claims/tokens are passed as environment variables
# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
# "both": claims/tokens are passed as both headers as well as environment variables (default)
# Defaults to undef
#
# [*memcached_servers*] # [*memcached_servers*]
# (Optional) A list of memcache servers. Defaults to undef. # (Optional) A list of memcache servers. Defaults to undef.
# #
@ -134,6 +147,8 @@ class keystone::federation::openidc (
$openidc_introspection_endpoint = undef, $openidc_introspection_endpoint = undef,
$openidc_verify_jwks_uri = undef, $openidc_verify_jwks_uri = undef,
$openidc_verify_method = 'introspection', $openidc_verify_method = 'introspection',
$openidc_pass_userinfo_as = undef,
$openidc_pass_claim_as = undef,
$memcached_servers = undef, $memcached_servers = undef,
$redis_server = undef, $redis_server = undef,
$redis_password = undef, $redis_password = undef,
@ -163,6 +178,18 @@ class keystone::federation::openidc (
} }
} }
if $openidc_pass_userinfo_as != undef {
if !($openidc_pass_userinfo_as in ['claims', 'json', 'jwt']) {
fail('Unsupported OIDCPassUserInfoAs. Must be one of: claims, json or jwt')
}
}
if $openidc_pass_claim_as != undef {
if !($openidc_pass_claim_as in ['none', 'environment', 'headers', 'both']) {
fail('Unsupported OIDCPassClaimAs. Must be one of: none, environment, headers, both')
}
}
if $memcached_servers != undef { if $memcached_servers != undef {
$memcached_servers_real = join(any2array($memcached_servers), ' ') $memcached_servers_real = join(any2array($memcached_servers), ' ')
} else { } else {

11
releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml Normal file

@ -0,0 +1,11 @@
---
features:
- |
Adding the following configurable items for OpenID:
- ``keystone::federation::openidc::openidc_pass_userinfo_as`` to set
``OIDCPassUserInfoAs``
- ``keystone::federation::openidc::openidc_pass_claim_as`` to set
``OIDCPassClaimsAs``

26
spec/classes/keystone_federation_openidc_spec.rb

@ -176,5 +176,31 @@ describe 'keystone::federation::openidc' do
expect(content).to match('OIDCClaimDelimiter ";"') expect(content).to match('OIDCClaimDelimiter ";"')
end end
end end
context 'with openidc_pass_userinfo_as attribute' do
before do
params.merge!({
:openidc_pass_userinfo_as => 'claims',
})
end
it 'should contain OIDC pass userinfo as' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassUserInfoAs "claims"')
end
end
context 'with openidc_pass_claim_as attribute' do
before do
params.merge!({
:openidc_pass_claim_as => 'both',
})
end
it 'should contain OIDC pass claim as' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassClaimsAs "both"')
end
end
end end
end end

6
templates/openidc.conf.erb

@ -34,6 +34,12 @@
<%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%> <%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>" OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
<%- end -%> <%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
<%- end -%>
# The following directives are necessary to support websso from Horizon # The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)