enable oauth support in keystone::federation::openidc
add parameters for enabling OAuth support, which is required for the command line tools to interact with an openid identity provider. Change-Id: I284160e520fbb73a041c49ff1a3e1ef5f3caf59d
This commit is contained in:
parent
dcbd368d5c
commit
717d40798a
|
@ -49,13 +49,19 @@
|
|||
# with a minimum of 8464 bytes. Defaults to undef.
|
||||
#
|
||||
# [*openidc_cache_dir*]
|
||||
# (Optional) # Directory that holds cache files; must be writable
|
||||
# (Optional) Directory that holds cache files; must be writable
|
||||
# for the Apache process/user. Defaults to undef.
|
||||
#
|
||||
# [*openidc_cache_clean_interval*]
|
||||
# (Optional) # Cache file clean interval in seconds (only triggered
|
||||
# (Optional) Cache file clean interval in seconds (only triggered
|
||||
# on writes). Defaults to undef.
|
||||
#
|
||||
# [*openidc_enable_oauth*]
|
||||
# (Optional) Set to true to enable oauthsupport.
|
||||
#
|
||||
# [*openidc_introspection_endpoint*]
|
||||
# (Required if oauth is enabled) Oauth introspection endpoint url.
|
||||
#
|
||||
# [*memcached_servers*]
|
||||
# (Optional) A list of memcache servers. Defaults to undef.
|
||||
#
|
||||
|
@ -108,23 +114,25 @@ class keystone::federation::openidc (
|
|||
$openidc_provider_metadata_url,
|
||||
$openidc_client_id,
|
||||
$openidc_client_secret,
|
||||
$openidc_crypto_passphrase = 'openstack',
|
||||
$openidc_response_type = 'id_token',
|
||||
$openidc_cache_type = undef,
|
||||
$openidc_cache_shm_max = undef,
|
||||
$openidc_cache_shm_entry_size = undef,
|
||||
$openidc_cache_dir = undef,
|
||||
$openidc_cache_clean_interval = undef,
|
||||
$memcached_servers = undef,
|
||||
$redis_server = undef,
|
||||
$redis_password = undef,
|
||||
$remote_id_attribute = undef,
|
||||
$template_order = 331,
|
||||
$package_ensure = present,
|
||||
$keystone_url = undef,
|
||||
$openidc_crypto_passphrase = 'openstack',
|
||||
$openidc_response_type = 'id_token',
|
||||
$openidc_cache_type = undef,
|
||||
$openidc_cache_shm_max = undef,
|
||||
$openidc_cache_shm_entry_size = undef,
|
||||
$openidc_cache_dir = undef,
|
||||
$openidc_cache_clean_interval = undef,
|
||||
$openidc_enable_oauth = false,
|
||||
$openidc_introspection_endpoint = undef,
|
||||
$memcached_servers = undef,
|
||||
$redis_server = undef,
|
||||
$redis_password = undef,
|
||||
$remote_id_attribute = undef,
|
||||
$template_order = 331,
|
||||
$package_ensure = present,
|
||||
$keystone_url = undef,
|
||||
# DEPRECATED
|
||||
$admin_port = undef,
|
||||
$main_port = undef,
|
||||
$admin_port = undef,
|
||||
$main_port = undef,
|
||||
) {
|
||||
|
||||
include ::apache
|
||||
|
@ -144,6 +152,10 @@ class keystone::federation::openidc (
|
|||
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
|
||||
}
|
||||
|
||||
if $openidc_enable_oauth and !$openidc_introspection_endpoint {
|
||||
fail('You must set openidc_introspection_endpoint when enabling oauth support')
|
||||
}
|
||||
|
||||
$memcached_servers_real = join(any2array($memcached_servers), ' ')
|
||||
|
||||
# Note: if puppet-apache modify these values, this needs to be updated
|
||||
|
|
|
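Review bot: The guard added as `if $openidc_enable_oauth and !$openidc_introspection_endpoint` only rejects an unset endpoint; under Puppet 4+ truthiness an empty string is truthy, so `openidc_introspection_endpoint => ''` passes the check and the template would emit `OIDCOAuthIntrospectionEndpoint ""`, and because the new parameters are untyped a string such as `'false'` for `openidc_enable_oauth` is truthy too. Consider `if $openidc_enable_oauth and ($openidc_introspection_endpoint == undef or $openidc_introspection_endpoint == '') {`, or, if the module already uses typed parameters elsewhere (this hunk does not show it), `Boolean $openidc_enable_oauth = false` and `Optional[String[1]] $openidc_introspection_endpoint = undef`. The parameter doc in the first hunk has a typo and omits the default that the neighbouring entries state; suggest `# (Optional) Set to true to enable oauth support. Defaults to false.`. It is also worth saying in the `openidc_introspection_endpoint` entry that bearer tokens presented to the protected location are forwarded to this URL for validation (RFC 7662 style introspection, as I read mod_auth_openidc), so an https endpoint of the same provider is expected.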
@ -48,6 +48,11 @@ describe 'keystone::federation::openidc' do
|
|||
params.merge!(:template_port => 999)
|
||||
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
|
||||
end
|
||||
|
||||
before do
|
||||
params.merge!(:openidc_enable_oauth => true)
|
||||
it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
|
@ -87,7 +92,23 @@ describe 'keystone::federation::openidc' do
|
|||
expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
|
||||
expect(content).to match('OIDCClientID "openid_client_id"')
|
||||
expect(content).to match('OIDCClientSecret "openid_client_secret"')
|
||||
expect(content).to match('OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
|
||||
end
|
||||
end
|
||||
|
||||
context 'with oauth enabled' do
|
||||
before do
|
||||
params.merge!({
|
||||
:openidc_enable_oauth => true,
|
||||
:openidc_introspection_endpoint => 'http://example.com',
|
||||
})
|
||||
end
|
||||
|
||||
it 'should contain oauth config' do
|
||||
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
|
||||
expect(content).to match('OIDCOAuthClientID "openid_client_id"')
|
||||
expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"')
|
||||
expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"')
|
||||
expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
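Review bot: The new negative test is placed inside a `before do … end` hook rather than in a `context` of its own, so it never executes: `before` hooks run only for examples in the enclosing group, and if `it_raises` registers an example through `it`, calling it from inside a hook is not valid in RSpec. The sibling at the top of the hunk follows the same pre-existing pattern, so the regression this test is meant to catch (a missing endpoint not failing the catalogue) would go unnoticed. Giving the case its own context and keeping only `params.merge!` in the hook makes it run; the closing `end` lines in the hunk belong to an outer group whose start is outside the hunk.
```ruby
    context 'with oauth enabled but no introspection endpoint' do
      before do
        params.merge!(:openidc_enable_oauth => true)
      end
      it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/
    end
```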
@ -32,13 +32,6 @@
|
|||
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
|
||||
<%- end -%>
|
||||
|
||||
# The following directives are required to support openidc from the command
|
||||
# line
|
||||
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
|
||||
AuthType oauth20
|
||||
Require valid-user
|
||||
</Location>
|
||||
|
||||
# The following directives are necessary to support websso from Horizon
|
||||
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
|
||||
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
|
||||
|
@ -53,3 +46,14 @@
|
|||
AuthType "openid-connect"
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
|
||||
<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
|
||||
OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
|
||||
OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
|
||||
OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>"
|
||||
|
||||
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
|
||||
AuthType oauth20
|
||||
Require valid-user
|
||||
</Location>
|
||||
<%- end -%>
|
||||
|
|
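Review bot: Within the new `<%- if … -%>` block the enabling flag is read as `scope['::keystone::federation::openidc::openidc_enable_oauth']` while the three directives right below it use the unprefixed `scope['keystone::federation::openidc::…']` form; both spellings already coexist in this template (the `redis_password` context line uses the prefixed one), but the lines added here should settle on one, e.g. `<%- if scope['keystone::federation::openidc::openidc_enable_oauth'] -%>`. Separately, on the `OIDCOAuthClientSecret` line the client secret is interpolated into a double-quoted Apache argument without any escaping, so a secret containing `"` or a backslash yields a broken or silently truncated directive; that presumably also applies to the existing `OIDCClientSecret` line outside this hunk, so a shared escaping helper would cover both.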