openstack/puppet-keystone
Code Issues Proposed changes
Files
cf1d74e55dbe749b3e37ba31a31cf0a30296ed7c
puppet-keystone/spec/classes/keystone_federation_openidc_spec.rb
Takashi Kajinami fdf2a2b31a Fix default OIDCRedirectURI hiding keystone federation auth endpoint 
This updates the default OIDCRedirectURI according to the change made
in the example file in keystone repo[1].

[1] https://review.opendev.org/925553

Closes-Bug: #2075349
Change-Id: Ia0f3cbb842a4c01e6a3ca44ca66dc9a8a731720c
2024-09-10 13:39:46 +09:00

310 lines
10 KiB
Ruby
Raw Blame History

require 'spec_helper'
describe 'keystone::federation::openidc' do
def get_param(type, title, param)
catalogue.resource(type, title).send(:parameters)[param.to_sym]
end
let(:pre_condition) do
<<-EOS
class { 'keystone': }
include keystone::wsgi::apache
EOS
end
let :params do
{ :keystone_url => 'http://localhost:5000',
:methods => 'password, token, openid',
:idp_name => 'myidp',
:openidc_provider_metadata_url => 'https://accounts.google.com/.well-known/openid-configuration',
:openidc_client_id => 'openid_client_id',
:openidc_client_secret => 'openid_client_secret',
:template_order => 331
}
end
context 'with invalid params' do
before do
params.merge!(:methods => 'external, password, token, oauth1, openid')
it_raises 'a Puppet::Error', /The external method should be dropped to avoid any interference with openid/
end
before do
params.merge!(:methods => 'password, token, oauth1')
it_raises 'a Puppet::Error', /Methods should contain openid as one of the auth methods./
end
before do
params.merge!(:template_port => 330)
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
end
before do
params.merge!(:template_port => 999)
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
end
before do
params.merge!(:openidc_enable_oauth => true)
it_raises 'a Puppet:Error', /openidc_enable_oauth/
end
before do
params.merge!({
:openidc_metadata_dir => '/CUSTOM_METADATA_DIR',
})
it_raises 'a Puppet:Error', /openidc_provider_metadata_url and openidc_metadata_dir are mutually/
end
before do
params.delete(:openidc_provider_metadata_url)
it_raises 'a Puppet:Error', /Set openidc_provider_metadata_url or openidc_metadata_dir/
end
end
on_supported_os({
}).each do |os,facts|
let (:facts) do
facts.merge!(OSDefaults.get_facts({}))
end
it { is_expected.to contain_class('apache::mod::auth_openidc') }
context 'with only required parameters' do
it 'should have basic params for openidc in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openid')
is_expected.to contain_keystone_config('openid/remote_id_attribute').with_value('<SERVICE DEFAULT>')
end
it { is_expected.to contain_apache__vhost__fragment('configure_openidc_keystone').with({
:vhost => 'keystone_wsgi',
:priority => 10,
:order => params[:template_order],
})}
it { is_expected.to contain_concat('10-keystone_wsgi.conf').with_show_diff(false) }
it 'should contain expected config' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCClientID "openid_client_id"')
expect(content).to match('OIDCClientSecret "openid_client_secret"')
expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/redirect_uri"')
expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
end
end
context 'with openidc_metadata_dir' do
before do
params.delete(:openidc_provider_metadata_url)
params.merge!({
:openidc_metadata_dir => '/CUSTOM_METADATA_DIR'
})
end
it 'should contain the expected OIDCMetadataDir' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCMetadataDir "/CUSTOM_METADATA_DIR"')
end
end
context 'with redirect uri overridden' do
before do
params.merge!({
:openidc_redirect_uri => 'CUSTOM_URI'
})
end
it 'should contain the expected redirect uri' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCRedirectURI "CUSTOM_URI"')
end
end
context 'with oauth and introspection enabled' do
before do
params.merge!({
:openidc_enable_oauth => true,
:openidc_introspection_endpoint => 'http://example.com',
})
end
it 'should contain oauth and introspection config' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCOAuthClientID "openid_client_id"')
expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"')
expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"')
expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
end
end
context 'with oauth and jwks enabled' do
before do
params.merge!({
:openidc_enable_oauth => true,
:openidc_verify_method => 'jwks',
:openidc_verify_jwks_uri => 'http://example.com',
})
end
it 'should contain oauth and jwks config' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCOAuthVerifyJwksUri "http://example.com"')
expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
end
end
context 'with remote id attribute' do
before do
params.merge!({
:remote_id_attribute => 'myremoteid',
})
end
it 'should set remote id attribute in Keystone configuration' do
is_expected.to contain_keystone_config('openid/remote_id_attribute').with_value('myremoteid')
end
end
context 'with additional location' do
before do
params.merge!({
:additional_locations => [{
url: "/v3/auth/a-custom-url",
authtype: "openid-connect",
oidcdiscoverurl: "https://my-endpoint.example.com:40000",
requireoidc: "claim iss:https://iam.example.com",
loglevel: "debug"
}]
})
end
it 'should contain the expected additional location' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('/v3/auth/a-custom-url')
end
end
context 'with memcache options' do
before do
params.merge!({
:openidc_cache_type => 'memcache',
:openidc_cache_shm_max => 10,
:openidc_cache_shm_entry_size => 11,
:openidc_cache_dir => '/var/cache/openidc',
:openidc_cache_clean_interval => 12,
})
end
it 'should contain memcache servers' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCCacheType memcache')
expect(content).to match('OIDCCacheShmMax 10')
expect(content).to match('OIDCCacheShmEntrySize 11')
expect(content).to match('OIDCCacheDir /var/cache/openidc')
expect(content).to match('OIDCCacheFileCleanInterval 12')
end
end
context 'with redis options' do
before do
params.merge!({
:openidc_cache_type => 'redis',
:redis_password => 'redispass',
:redis_username => 'redisuser',
:redis_database => 0,
:redis_timeout => 10,
:redis_connect_timeout => 11,
})
end
it 'should contain memcache servers' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCCacheType redis')
expect(content).to match('OIDCRedisCachePassword "redispass"')
expect(content).to match('OIDCRedisCacheUsername "redisuser"')
expect(content).to match('OIDCRedisCacheDatabase 0')
expect(content).to match('OIDCRedisCacheTimeout 10')
expect(content).to match('OIDCRedisCacheConnectTimeout 11')
end
end
context 'with memcached_servers attribute' do
before do
params.merge!({
:memcached_servers => ['127.0.0.1:11211', '127.0.0.2:11211'],
})
end
it 'should contain memcache servers' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCMemCacheServers "127.0.0.1:11211 127.0.0.2:11211"')
end
end
context 'with redis_server attribute' do
before do
params.merge!({
:redis_server => '127.0.0.1',
})
end
it 'should contain redis server' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCRedisCacheServer "127.0.0.1"')
end
end
context 'with openidc_claim_delimiter attribute' do
before do
params.merge!({
:openidc_claim_delimiter => ';',
})
end
it 'should contain OIDC claim delimiter' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCClaimDelimiter ";"')
end
end
context 'with openidc_pass_userinfo_as attribute' do
before do
params.merge!({
:openidc_pass_userinfo_as => 'claims',
})
end
it 'should contain OIDC pass userinfo as' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassUserInfoAs "claims"')
end
end
context 'with openidc_pass_claim_as attribute' do
before do
params.merge!({
:openidc_pass_claim_as => 'both',
})
end
it 'should contain OIDC pass claim as' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassClaimsAs "both"')
end
end
context 'with openidc_response_mode attribute' do
before do
params.merge!({
:openidc_response_mode => 'form_post',
})
end
it 'should contain OIDC response mode' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('OIDCResponseMode "form_post"')
end
end
end
end
View Git Blame Copy Permalink