Merge "enable oauth support in keystone::fededation::openidc"
commit
68cb306007
|
@ -49,13 +49,19 @@
|
||||||
# with a minimum of 8464 bytes. Defaults to undef.
|
# with a minimum of 8464 bytes. Defaults to undef.
|
||||||
#
|
#
|
||||||
# [*openidc_cache_dir*]
|
# [*openidc_cache_dir*]
|
||||||
# (Optional) # Directory that holds cache files; must be writable
|
# (Optional) Directory that holds cache files; must be writable
|
||||||
# for the Apache process/user. Defaults to undef.
|
# for the Apache process/user. Defaults to undef.
|
||||||
#
|
#
|
||||||
# [*openidc_cache_clean_interval*]
|
# [*openidc_cache_clean_interval*]
|
||||||
# (Optional) # Cache file clean interval in seconds (only triggered
|
# (Optional) Cache file clean interval in seconds (only triggered
|
||||||
# on writes). Defaults to undef.
|
# on writes). Defaults to undef.
|
||||||
#
|
#
|
||||||
|
# [*openidc_enable_oauth*]
|
||||||
|
# (Optional) Set to true to enable oauthsupport.
|
||||||
|
#
|
||||||
|
# [*openidc_introspection_endpoint*]
|
||||||
|
# (Required if oauth is enabled) Oauth introspection endpoint url.
|
||||||
|
#
|
||||||
# [*memcached_servers*]
|
# [*memcached_servers*]
|
||||||
# (Optional) A list of memcache servers. Defaults to undef.
|
# (Optional) A list of memcache servers. Defaults to undef.
|
||||||
#
|
#
|
||||||
|
@ -108,23 +114,25 @@ class keystone::federation::openidc (
|
||||||
$openidc_provider_metadata_url,
|
$openidc_provider_metadata_url,
|
||||||
$openidc_client_id,
|
$openidc_client_id,
|
||||||
$openidc_client_secret,
|
$openidc_client_secret,
|
||||||
$openidc_crypto_passphrase = 'openstack',
|
$openidc_crypto_passphrase = 'openstack',
|
||||||
$openidc_response_type = 'id_token',
|
$openidc_response_type = 'id_token',
|
||||||
$openidc_cache_type = undef,
|
$openidc_cache_type = undef,
|
||||||
$openidc_cache_shm_max = undef,
|
$openidc_cache_shm_max = undef,
|
||||||
$openidc_cache_shm_entry_size = undef,
|
$openidc_cache_shm_entry_size = undef,
|
||||||
$openidc_cache_dir = undef,
|
$openidc_cache_dir = undef,
|
||||||
$openidc_cache_clean_interval = undef,
|
$openidc_cache_clean_interval = undef,
|
||||||
$memcached_servers = undef,
|
$openidc_enable_oauth = false,
|
||||||
$redis_server = undef,
|
$openidc_introspection_endpoint = undef,
|
||||||
$redis_password = undef,
|
$memcached_servers = undef,
|
||||||
$remote_id_attribute = undef,
|
$redis_server = undef,
|
||||||
$template_order = 331,
|
$redis_password = undef,
|
||||||
$package_ensure = present,
|
$remote_id_attribute = undef,
|
||||||
$keystone_url = undef,
|
$template_order = 331,
|
||||||
|
$package_ensure = present,
|
||||||
|
$keystone_url = undef,
|
||||||
# DEPRECATED
|
# DEPRECATED
|
||||||
$admin_port = undef,
|
$admin_port = undef,
|
||||||
$main_port = undef,
|
$main_port = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::apache
|
include ::apache
|
||||||
|
@ -144,6 +152,10 @@ class keystone::federation::openidc (
|
||||||
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
|
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if $openidc_enable_oauth and !$openidc_introspection_endpoint {
|
||||||
|
fail('You must set openidc_introspection_endpoint when enabling oauth support')
|
||||||
|
}
|
||||||
|
|
||||||
$memcached_servers_real = join(any2array($memcached_servers), ' ')
|
$memcached_servers_real = join(any2array($memcached_servers), ' ')
|
||||||
|
|
||||||
# Note: if puppet-apache modify these values, this needs to be updated
|
# Note: if puppet-apache modify these values, this needs to be updated
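Review bot: The new guard `if $openidc_enable_oauth and !$openidc_introspection_endpoint` only checks that the endpoint is set, not what it is; in the same change the template emits `OIDCOAuthClientSecret` next to `OIDCOAuthIntrospectionEndpoint`, so presumably mod_auth_openidc authenticates to that endpoint with the client secret, and a plain-http value (the spec uses `'http://example.com'`) would send the secret in clear. Consider adding, after the existing fail block, `if $openidc_enable_oauth and $openidc_introspection_endpoint !~ /^https:\/\// { warning('openidc_introspection_endpoint should be an https URL') }`, or typing the parameter once the module adopts typed parameters. In the header hunk, `# (Optional) Set to true to enable oauthsupport.` wants a space (`oauth support`), and the `openidc_introspection_endpoint` entry could end with `Defaults to undef.` like its neighbours. The class body continues outside this hunk.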
|
||||||
|
|
|
@ -48,6 +48,11 @@ describe 'keystone::federation::openidc' do
|
||||||
params.merge!(:template_port => 999)
|
params.merge!(:template_port => 999)
|
||||||
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
|
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
|
||||||
end
|
end
|
||||||
|
|
||||||
|
before do
|
||||||
|
params.merge!(:openidc_enable_oauth => true)
|
||||||
|
it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
on_supported_os({
|
on_supported_os({
|
||||||
|
@ -87,7 +92,23 @@ describe 'keystone::federation::openidc' do
|
||||||
expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
|
expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
|
||||||
expect(content).to match('OIDCClientID "openid_client_id"')
|
expect(content).to match('OIDCClientID "openid_client_id"')
|
||||||
expect(content).to match('OIDCClientSecret "openid_client_secret"')
|
expect(content).to match('OIDCClientSecret "openid_client_secret"')
|
||||||
expect(content).to match('OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with oauth enabled' do
|
||||||
|
before do
|
||||||
|
params.merge!({
|
||||||
|
:openidc_enable_oauth => true,
|
||||||
|
:openidc_introspection_endpoint => 'http://example.com',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should contain oauth config' do
|
||||||
|
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
|
||||||
|
expect(content).to match('OIDCOAuthClientID "openid_client_id"')
|
||||||
|
expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"')
|
||||||
|
expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"')
|
||||||
|
expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
|
||||||
end
|
end
|
||||||
end
|
end
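Review bot: The default-parameters example drops `expect(content).to match('OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')` but adds no negative assertion, so nothing pins the security-relevant effect of this change — that the `AuthType oauth20` `<Location>` block and the introspection directives are no longer emitted unless `openidc_enable_oauth` is set. Add `expect(content).not_to match('AuthType oauth20')` and `expect(content).not_to match('OIDCOAuthIntrospectionEndpoint')` to that example so a regression that re-enables them by default is caught. In the hunk at `@ -48,6 +48,11`, the `it_raises` call is rendered inside the `before do … end` block with no enclosing `context` visible; that is most likely a rendering artefact of this page, but please confirm the example is registered at `describe` level in the file. The enclosing `describe` starts outside the hunk.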
|
||||||
|
|
||||||
|
|
|
@ -32,13 +32,6 @@
|
||||||
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
|
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
|
||||||
<%- end -%>
|
<%- end -%>
|
||||||
|
|
||||||
# The following directives are required to support openidc from the command
|
|
||||||
# line
|
|
||||||
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
|
|
||||||
AuthType oauth20
|
|
||||||
Require valid-user
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# The following directives are necessary to support websso from Horizon
|
# The following directives are necessary to support websso from Horizon
|
||||||
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
|
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
|
||||||
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
|
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
|
||||||
|
@ -53,3 +46,14 @@
|
||||||
AuthType "openid-connect"
|
AuthType "openid-connect"
|
||||||
Require valid-user
|
Require valid-user
|
||||||
</LocationMatch>
|
</LocationMatch>
|
||||||
|
|
||||||
|
<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
|
||||||
|
OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
|
||||||
|
OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
|
||||||
|
OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>"
|
||||||
|
|
||||||
|
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
|
||||||
|
AuthType oauth20
|
||||||
|
Require valid-user
|
||||||
|
</Location>
|
||||||
|
<%- end -%>
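Review bot: The new lookup `scope['::keystone::federation::openidc::openidc_enable_oauth']` uses a leading `::` while the three directives it guards use `scope['keystone::federation::openidc::…']` without one; both resolve in Puppet, but the block should use one form — `<%- if scope['keystone::federation::openidc::openidc_enable_oauth'] -%>` matches the neighbouring lines. The introspection endpoint is interpolated verbatim into a double-quoted Apache directive and the manifest only checks that it is set, so a value containing `"` yields a broken config; a short comment above the block, such as `<%# openidc_introspection_endpoint is trusted operator input; not quoted or validated here %>`, would make that assumption explicit. Pre-existing and visible only as context above the first hunk: `OIDCRedisCachecPassword` looks like a typo for the mod_auth_openidc `OIDCRedisCachePassword` directive and deserves a follow-up.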
|
||||||
|
|