# == Class: keystone::federation::mellon
#
# Hooks Keystone up to an Apache + mod_auth_mellon SAML2 Service Provider:
# validates the requested auth methods, writes the [auth]/[mapped] settings
# through keystone_config and adds the Mellon snippet to the keystone_wsgi
# VirtualHost.
#
# == Parameters
#
# [*methods*]
#  A list of methods used for authentication, given either as a comma
#  separated string or as an array.
#  The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2',
#  and 'openid'. 'saml2' must be present and 'external' must not be.
#  (Required) (string or array value).
#  Note: The external value should be dropped to avoid problems.
#
# [*idp_name*]
#  The name associated with the IdP in Keystone.
#  (Required) String value.
#
# [*protocol_name*]
#  The name for your protocol associated with the IdP.
#  (Required) String value.
#
# [*template_order*]
#  This number indicates the order for the concat::fragment that will apply
#  the mellon configuration to the Keystone VirtualHost. The value should be
#  greater than 330 and less than 999, according to:
#  https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/vhost.pp
#  The value 330 corresponds to the order for concat::fragment "${name}-filters"
#  and "${name}-limits".
#  The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
#  (Optional) Defaults to 331.
#
# [*enable_websso*]
#   (optional) Whether or not to enable Web Single Sign-On (SSO)
#   Defaults to false
#
class keystone::federation::mellon (
  $methods,
  $idp_name,
  $protocol_name,
  $template_order        = 331,
  Boolean $enable_websso = false,
) {
  include apache
  include apache::mod::auth_mellon
  include keystone::deps
  include keystone::params

  # $idp_name and $protocol_name are not referenced in this manifest; they
  # are presumably consumed by the mellon.conf.erb template rendered below.

  # The vhost fragment below attaches to the VirtualHost that
  # keystone::wsgi::apache declares, so that class must already be in the
  # catalog.
  unless defined(Class['keystone::wsgi::apache']) {
    fail('The keystone::wsgi::apache class should be included in the catalog')
  }

  # Note: if puppet-apache modify these values, this needs to be updated
  unless $template_order > 330 and $template_order < 999 {
    fail('The template order should be greater than 330 and less than 999.')
  }

  # 'in' is a substring match when $methods is a string and an element match
  # when it is an array, so both accepted forms are checked the same way.
  if 'external' in $methods {
    fail("The external method should be dropped to avoid any interference with some \
Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even as an empty value.")
  }

  unless 'saml2' in $methods {
    fail('Methods should contain saml2 as one of the auth methods.')
  }

  # Normalise the string-or-array input to the comma separated form that
  # keystone.conf expects.
  $auth_methods = join(any2array($methods), ',')
  keystone_config {
    'auth/methods': value => $auth_methods;
  }

  # With WebSSO enabled, mapped/remote_id_attribute is pointed at MELLON_IDP;
  # otherwise the setting is removed from keystone.conf altogether.
  $remote_id_attribute = $enable_websso ? {
    true    => { value  => 'MELLON_IDP' },
    default => { ensure => absent },
  }
  keystone_config { 'mapped/remote_id_attribute':
    * => $remote_id_attribute,
  }

  apache::vhost::fragment { 'configure_mellon_keystone':
    vhost    => 'keystone_wsgi',
    priority => $keystone::wsgi::apache::priority,
    content  => template('keystone/mellon.conf.erb'),
    order    => $template_order,
  }

  # The assembled vhost file carries the Mellon SP settings; keep its
  # contents out of the agent's reported diff output.
  Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> {
    show_diff => false,
  }
}