From cf81f460c16abec8ac0420f1106c5a9267ce4a76 Mon Sep 17 00:00:00 2001
From: Brendan Shephard
Date: Mon, 9 Aug 2021 02:05:32 +0000
Subject: [PATCH] Add oidc options
Add additional OIDC Options to allow for user defined configuration.
This change adds:
keystone::federation::openidc::openidc_pass_userinfo_as
keystone::federation::openidc::openidc_pass_claim_as
Change-Id: Id093956a4c88cfe1f70aa93ecc87da5850bb185c
(cherry picked from commit a3ef077a8a48ffdf08ea0c464c1b194253c97fe9)
---
manifests/federation/openidc.pp | 27 +++++++++++++++++++
.../add-oidc-params-0bddcca8d49ccfdb.yaml | 11 ++++++++
.../keystone_federation_openidc_spec.rb | 26 ++++++++++++++++++
templates/openidc.conf.erb | 6 +++++
4 files changed, 70 insertions(+)
create mode 100644 releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp
index c248f4156..a69e10031 100644
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@@ -83,6 +83,19 @@
 # Must be one of introspection or jwks
 # Defaults to introspection
 #
+# [*openidc_pass_userinfo_as*]
+# Define the way(s) in which the claims resolved from the userinfo endpoint
+# are passed to the application according to OIDCPassClaimsAs.
+# Defaults to undef
+#
+# [*openidc_pass_claim_as*]
+# Define the way in which the claims and tokens are passed to the application environment:
+# "none": no claims/tokens are passed
+# "environment": claims/tokens are passed as environment variables
+# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
+# "both": claims/tokens are passed as both headers as well as environment variables (default)
+# Defaults to undef
+#
 # [*memcached_servers*]
 # (Optional) A list of memcache servers. Defaults to undef.
 #
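Review bot: The new `[*openidc_pass_userinfo_as*]` entry never lists the values the manifest accepts, even though the class rejects anything other than `claims`, `json` or `jwt`; mirror the `openidc_verify_method` entry just above it and add `#   Must be one of claims, json or jwt` before its `Defaults to undef` line. In the `[*openidc_pass_claim_as*]` entry the `(default)` tag on `both` refers to the mod_auth_openidc default when the directive is absent, while the Puppet default is `undef`, so the two "default" statements read as a contradiction; something like `(mod_auth_openidc's own default when the directive is not set)` makes that explicit. `scenario's` should be `scenarios`. The parameter list this documentation describes is in a later hunk.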
@@ -134,6 +147,8 @@ class keystone::federation::openidc (
 $openidc_introspection_endpoint = undef,
 $openidc_verify_jwks_uri = undef,
 $openidc_verify_method = 'introspection',
+ $openidc_pass_userinfo_as = undef,
+ $openidc_pass_claim_as = undef,
 $memcached_servers = undef,
 $redis_server = undef,
 $redis_password = undef,
@@ -163,6 +178,18 @@ class keystone::federation::openidc (
 }
 }
 
+ if $openidc_pass_userinfo_as != undef {
+ if !($openidc_pass_userinfo_as in ['claims', 'json', 'jwt']) {
+ fail('Unsupported OIDCPassUserInfoAs. Must be one of: claims, json or jwt')
+ }
+ }
+
+ if $openidc_pass_claim_as != undef {
+ if !($openidc_pass_claim_as in ['none', 'environment', 'headers', 'both']) {
+ fail('Unsupported OIDCPassClaimAs. Must be one of: none, environment, headers, both')
+ }
+ }
+
 if $memcached_servers != undef {
 $memcached_servers_real = join(any2array($memcached_servers), ' ')
 } else {
diff --git a/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml b/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
new file mode 100644
index 000000000..0f2e9dfba
--- /dev/null
+++ b/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Adding the following configurable items for OpenID:
+
+ - ``keystone::federation::openidc::openidc_pass_userinfo_as`` to set
+ ``OIDCPassUserInfoAs``
+
+ - ``keystone::federation::openidc::openidc_pass_claim_as`` to set
+ ``OIDCPassClaimsAs``
+
diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb
index 0e48e2d53..927bc8a3b 100644
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
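Review bot: The failure message in the second validation block names the directive `OIDCPassClaimAs`, whereas the template in this same change emits, and the release note documents, `OIDCPassClaimsAs`; an operator grepping for the message will not find the directive, so change it to `fail('Unsupported OIDCPassClaimsAs. Must be one of: none, environment, headers, both')`. The parameter documentation earlier in this file describes `openidc_pass_userinfo_as` as "the way(s)", plural, but the `in` check admits exactly one of `claims`, `json`, `jwt`, so a space-separated combination such as `claims json` (which I believe mod_auth_openidc accepts for this directive — worth confirming against its documentation) would be rejected; either state in the docs that a single value is required or validate each element of `split($openidc_pass_userinfo_as, ' ')`. These whitelists are also what keeps templates/openidc.conf.erb safe, since the value is interpolated straight into the Apache configuration there without escaping, so the allowed lists and the template's directive names need to stay in step. The class keystone::federation::openidc continues outside the hunk.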
@@ -176,5 +176,31 @@ describe 'keystone::federation::openidc' do
 expect(content).to match('OIDCClaimDelimiter ";"')
 end
 end
+
+ context 'with openidc_pass_userinfo_as attribute' do
+ before do
+ params.merge!({
+ :openidc_pass_userinfo_as => 'claims',
+ })
+ end
+
+ it 'should contain OIDC pass userinfo as' do
+ content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+ expect(content).to match('OIDCPassUserInfoAs "claims"')
+ end
+ end
+
+ context 'with openidc_pass_claim_as attribute' do
+ before do
+ params.merge!({
+ :openidc_pass_claim_as => 'both',
+ })
+ end
+
+ it 'should contain OIDC pass claim as' do
+ content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+ expect(content).to match('OIDCPassClaimsAs "both"')
+ end
+ end
 end
 end
diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb
index 687baf4b3..63ebc516d 100644
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@@ -34,6 +34,12 @@
 <%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
 OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
 <%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
+ OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
+<%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
+ OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
+<%- end -%>
 
 # The following directives are necessary to support websso from Horizon
 # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
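Review bot: Both new contexts only exercise the accepted path; nothing asserts that the value checks added to the manifest actually fire, so a later change that drops or loosens the whitelist would pass this spec unnoticed. Add a rejecting example per parameter in the same style, e.g. a context whose `before` does `params.merge!({ :openidc_pass_claim_as => 'invalid' })` and whose example is `it { is_expected.to compile.and_raise_error(/Unsupported OIDCPassClaimAs/) }` (or whatever catalogue-compilation form the rest of this spec already uses), with the regex kept in sync with the manifest's final wording. The enclosing `describe` block and the `params`/`get_param` helpers it relies on start outside the hunk.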
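Review bot: The two new directives write the parameter value verbatim between double quotes with no escaping, which is only safe because the manifest restricts both parameters to a fixed set of tokens; that dependency is invisible from the template, and the surrounding directives follow the same copy-paste pattern, so the next free-form parameter added here would be an Apache-config injection point. A comment above the new block, `<%# values are whitelisted in manifests/federation/openidc.pp; a free-form value needs escaping before it is emitted here -%>`, records the assumption without changing the rendered file. Separately, this template emits `OIDCPassClaimsAs` while the manifest's error text says `OIDCPassClaimAs`; the template has the directive right, so the manifest message is the one to align.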