OIDC : Add support for setting OIDCClaimDelimiter

Depending on the configuration of the IdP and keystone, without setting the claim delimiter it's not possible to use multi-value claims. Change-Id: I0cfc0d693a5fe2815bf5f6fd5acd038db2fe4dd3
2020-02-28 13:20:43 +01:00 · 2020-02-28 13:20:43 +01:00 · a7843f0660
parent 7586bc88c1
commit a7843f0660
3 changed files with 21 additions and 0 deletions
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@ -59,6 +59,10 @@
 #  (Optional) Cache file clean interval in seconds (only triggered
 #  on writes). Defaults to undef.
 #
+# [*openidc_claim_delimiter*]
+#  (Optional) The delimiter to use when setting multi-valued claims.
+#  Defaults to undef.
+#
 # [*openidc_enable_oauth*]
 #  (Optional) Set to true to enable oauthsupport.
 #
@ -110,6 +114,7 @@ class keystone::federation::openidc (
  $openidc_cache_shm_entry_size   = undef,
  $openidc_cache_dir              = undef,
  $openidc_cache_clean_interval   = undef,
+  $openidc_claim_delimiter        = undef,
  $openidc_enable_oauth           = false,
  $openidc_introspection_endpoint = undef,
  $memcached_servers              = undef,
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@ -149,5 +149,18 @@ describe 'keystone::federation::openidc' do
        expect(content).to match('OIDCRedisCacheServer "127.0.0.1"')
      end
    end
+
+    context 'with openidc_claim_delimiter attribute' do
+      before do
+        params.merge!({
+          :openidc_claim_delimiter => ';',
+        })
+      end
+
+      it 'should contain OIDC claim delimiter' do
+        content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCClaimDelimiter ";"')
+      end
+    end
  end
 end
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@ -31,6 +31,9 @@
 <%- if scope['::keystone::federation::openidc::redis_password'] != nil -%>
  OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
 <%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
+  OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
+<%- end -%>

  # The following directives are necessary to support websso from Horizon
  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)