Use puppetlabs-apache to load auth modules.

... so that we don't have to maintain the logic required to enable
the module in our own modules.

Related-Bug: #2006924
Change-Id: Ia46deea226a58638e74eee0c0172f0c3c5fa62e7
Takashi Kajinami 2023-02-10 19:26:01 +09:00
parent 6c52159c7b
commit fe95db4cb0
8 changed files with 37 additions and 48 deletions


@ -27,28 +27,36 @@
# The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
# (Optional) Defaults to 331.
#
# [*enable_websso*]
# (optional) Whether or not to enable Web Single Sign-On (SSO)
# Defaults to false
#
# DEPRECATED PARAMETERS
#
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
#
# [*enable_websso*]
# (optional) Whether or not to enable Web Single Sign-On (SSO)
# Defaults to false
#
class keystone::federation::mellon (
$methods,
$idp_name,
$protocol_name,
$template_order = 331,
$package_ensure = present,
$enable_websso = false,
# DEPRECATED PARAMETERS
$package_ensure = undef,
) {
include apache
include apache::mod::auth_mellon
include keystone::deps
include keystone::params
if $package_ensure != undef {
warning('The package_ensure parameter is deprecated and has no effect.')
}
# Note: if puppet-apache modify these values, this needs to be updated
if $template_order <= 330 or $template_order >= 999 {
fail('The template order should be greater than 330 and less than 999.')
@ -76,11 +84,6 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
}
}
ensure_packages([$::keystone::params::mellon_package_name], {
ensure => $package_ensure,
tag => 'keystone-support-package',
})
concat::fragment { 'configure_mellon_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
content => template('keystone/mellon.conf.erb'),
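Review bot: The parameter documentation at the top of this hunk still says `Defaults to present.` for `package_ensure`, while the signature below now declares `$package_ensure = undef` under the DEPRECATED PARAMETERS marker; the doc line should become `# Defaults to undef.` (the openidc manifest in this commit makes that update but ends the line with a comma, `Defaults to undef,`, where a period is wanted). Separately, the removed `ensure_packages` call carried `tag => 'keystone-support-package'`; if keystone::deps uses that tag to order support packages relative to its anchors (keystone::deps is not visible here), the package now installed by `apache::mod::auth_mellon` no longer participates in that ordering, so it is worth confirming that the package is still installed before the `concat::fragment` below is realized and the Apache service is notified. The class body continues outside the hunk.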


@ -128,10 +128,12 @@
# The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
# (Optional) Defaults to 331.
#
# DEPRECATED PARAMETERS
#
# [*package_ensure*]
# (Optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
# Defaults to undef,
#
class keystone::federation::openidc (
$keystone_url,
@ -160,16 +162,20 @@ class keystone::federation::openidc (
$redis_password = undef,
$remote_id_attribute = undef,
$template_order = 331,
$package_ensure = present,
# DEPRECATED PARAMETERS
$package_ensure = undef,
) {
include apache
include apache::mod::authn_core
include apache::mod::authz_user
include apache::mod::auth_openidc
include keystone::deps
include keystone::params
if $package_ensure != undef {
warning('The package_ensure parameter is deprecated and has no effect.')
}
if !($openidc_verify_method in ['introspection', 'jwks']) {
fail('Unsupported token verification method.' +
' Must be one of "introspection" or "jwks"')
@ -229,11 +235,6 @@ class keystone::federation::openidc (
}
}
ensure_packages([$::keystone::params::openidc_package_name], {
ensure => $package_ensure,
tag => 'keystone-support-package',
})
concat::fragment { 'configure_openidc_keystone':
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
content => template('keystone/openidc.conf.erb'),
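Review bot: Ignoring `$package_ensure` removes the only knob this class offered to pin or upgrade `mod_auth_openidc` (for example `latest` to pick up security fixes), but the new warning does not tell operators where that control moved; `warning('The package_ensure parameter is deprecated and has no effect. Manage the package through puppetlabs-apache (apache::mod::auth_openidc) instead.')` would make the migration path explicit, and the same wording applies to the mellon manifest. Whether the apache wrapper class actually exposes a package-ensure parameter is not visible in this diff and should be checked against the puppetlabs-apache version required by the metadata bump before the message names it. The class body continues outside the hunk.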


@ -20,8 +20,6 @@ class keystone::params {
$python_memcache_package_name = 'python3-memcache'
$python_ldappool_package_name = 'python3-ldappool'
$python_pysaml2_package_name = 'python3-pysaml2'
$mellon_package_name = 'libapache2-mod-auth-mellon'
$openidc_package_name = 'libapache2-mod-auth-openidc'
}
'RedHat': {
$package_name = 'openstack-keystone'
@ -30,8 +28,6 @@ class keystone::params {
$python_memcache_package_name = 'python3-memcached'
$python_ldappool_package_name = 'python3-ldappool'
$python_pysaml2_package_name = 'python3-pysaml2'
$mellon_package_name = 'mod_auth_mellon'
$openidc_package_name = 'mod_auth_openidc'
}
default: {
fail("Unsupported osfamily ${::osfamily}")


@ -3,7 +3,7 @@
"dependencies": [
{
"name": "puppetlabs/apache",
"version_requirement": ">=5.0.0 <9.0.0"
"version_requirement": ">=5.5.0 <9.0.0"
},
{
"name": "puppetlabs/concat",


@ -0,0 +1,8 @@
---
deprecations:
- |
The following parameters have been deprecated and have no effect. Now
the module packages are managed using puppetlabs-apache module.
- ``keystone::federation::openidc::package_ensure``
- ``keystone::federation::mellon::package_ensure``


@ -42,6 +42,10 @@ describe 'keystone::federation::mellon' do
shared_examples 'Federation Mellon' do
context 'with only required parameters' do
it 'should enable auth_mellon module' do
is_expected.to contain_class('apache::mod::auth_mellon')
end
it 'should have basic params for mellon in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
@ -88,13 +92,6 @@ describe 'keystone::federation::mellon' do
end
it_behaves_like 'Federation Mellon'
case [:osfamily]
when 'Debian'
it { is_expected.to contain_package('libapache2-mod-auth-mellon') }
when 'RedHat'
it { is_expected.to contain_package('mod_auth_mellon') }
end
end
end
end


@ -58,22 +58,7 @@ describe 'keystone::federation::openidc' do
facts.merge!(OSDefaults.get_facts({}))
end
let(:platform_parameters) do
case facts[:osfamily]
when 'Debian'
{
:openidc_package_name => 'libapache2-mod-auth-openidc',
}
when 'RedHat'
{
:openidc_package_name => 'mod_auth_openidc',
}
end
end
it { is_expected.to contain_package(platform_parameters[:openidc_package_name]) }
it { is_expected.to contain_class('apache::mod::authn_core') }
it { is_expected.to contain_class('apache::mod::authz_user') }
it { is_expected.to contain_class('apache::mod::auth_openidc') }
context 'with only required parameters' do
it 'should have basic params for openidc in Keystone configuration' do


@ -1,4 +1,3 @@
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCClaimPrefix "OIDC-"
OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
OIDCScope "openid email profile"