# == Class: keystone::federation::openidc
#
# == Parameters
#
# [*keystone_url*]
#  (Required) URL to keystone endpoint.
#
# [*methods*]
#  A list of methods used for authentication separated by comma or an array.
#  The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2',
#  and 'openid'
#  (Required) (string or array value).
#  Note: The external value should be dropped to avoid problems.
#
# [*idp_name*]
#  The name associated with the IdP in Keystone.
#  (Required) String value.
#
# [*openidc_provider_metadata_url*]
#  (Optional) The url that points to your OpenID Connect metadata provider.
#  Defaults to undef
#
# [*openidc_metadata_dir*]
#  (Optional) Path of OIDCMetadataDir, the directory that holds provider
#  metadata when multiple OIDC providers are used.
#  Defaults to undef
#
# [*openidc_client_id*]
#  The client ID to use when handshaking with your OpenID Connect provider
#  (Required) String value.
#
# [*openidc_client_secret*]
#  The client secret to use when handshaking with your OpenID Connect provider
#  (Required) String value.
#
# [*openidc_crypto_passphrase*]
#  Secret passphrase to use when encrypting data for OpenID Connect handshake
#  (Optional) String value.
#  Defaults to 'openstack'
#
# [*openidc_response_type*]
#  Response type to be expected from the OpenID Connect provider.
#  (Optional) String value.
#  Defaults to 'id_token'
#
# [*openidc_response_mode*]
#  (Optional) mod_auth_openidc response mode. Can be any response mode
#  supported by mod_auth_openidc (fragment, query, form_post).
#  Defaults to undef
#
# [*openidc_cache_type*]
#  (Optional) mod_auth_openidc cache type.  Can be any cache type
#  supported by mod_auth_openidc (shm, file, memcache, redis).
#  Defaults to undef.
#
# [*openidc_scope*]
#  (Optional) Array of mod_auth_openidc requested scope(s).
#  Defaults to ['openid', 'email', 'profile'].
#
# [*openidc_cache_shm_max*]
#  (Optional) The maximum number of name/value pair entries that can
#  be cached when using the 'shm' cache type. Defaults to undef.
#
# [*openidc_cache_shm_entry_size*]
#  (Optional) The maximum size for a single shm cache entry in bytes
#  with a minimum of 8464 bytes. Defaults to undef.
#
# [*openidc_cache_dir*]
#  (Optional) Directory that holds cache files; must be writable
#  for the Apache process/user. Defaults to undef.
#
# [*openidc_cache_clean_interval*]
#  (Optional) Cache file clean interval in seconds (only triggered
#  on writes). Defaults to undef.
#
# [*openidc_claim_delimiter*]
#  (Optional) The delimiter to use when setting multi-valued claims.
#  Defaults to undef.
#
# [*openidc_enable_oauth*]
#  (Optional) Set to true to enable OAuth support.
#  Defaults to false.
#
# [*openidc_introspection_endpoint*]
#  (Required if oauth is enabled and configured for introspection)
#  OAuth introspection endpoint url.
#  Defaults to undef.
#
# [*openidc_verify_jwks_uri*]
#  (Required if oauth is enabled and configured for JWKS based validation)
#  The JWKS URL on which the Identity Provider
#  publishes the keys used to sign its JWT access tokens.
#  Defaults to undef.
#
# [*openidc_verify_method*]
#  (Optional) The method used to verify OAuth tokens.
#  Must be one of 'introspection' or 'jwks'.
#  Defaults to 'introspection'.
#
# [*openidc_pass_userinfo_as*]
#  Define the way(s) in which the claims resolved from the userinfo endpoint
#  are passed to the application according to OIDCPassClaimsAs.
#  Defaults to undef
#
# [*openidc_pass_claim_as*]
#  Define the way in which the claims and tokens are passed to the application environment:
#  "none": no claims/tokens are passed
#  "environment": claims/tokens are passed as environment variables
#  "headers": claims/tokens are passed in headers (also useful in reverse proxy scenarios)
#  "both": claims/tokens are passed as both headers as well as environment variables (default)
#  Defaults to undef
#
# [*openidc_redirect_uri*]
#  (Optional) An arbitrary URI for OIDCRedirectURI. Defaults to undef, in which
#  case the URI is generated from keystone_url and idp_name.
#
# [*additional_locations*]
#  (Optional) Array of hashes of additional Apache <Location> directives with
#  mod_auth_openidc configuration. Accepted parameters are url, authtype,
#  oidcdiscoverurl (optional), requireoidc, loglevel (optional)
#  Example:
#  additional_locations => [{
#    url             => "/v3/auth/OS-FEDERATION/a-custom-url-needed-somehow",
#    authtype        => "openid-connect",
#    oidcdiscoverurl => "https://my-endpoint.example.com:40000",
#    requireoidc     => "claim iss:https://iam.example.com",
#    loglevel        => "debug"
#  }]
#
# [*memcached_servers*]
#  (Optional) A list of memcache servers. Defaults to undef.
#
# [*redis_server*]
#  (Optional) Specifies the Redis server used for caching as
#  <hostname>[:<port>]. Defaults to undef.
#
# [*redis_password*]
#  (Optional) Password to be used if the Redis server requires
#  authentication. When not specified, no authentication is
#  performed. Defaults to undef.
#
# [*redis_username*]
#  (Optional) Username to be used if the Redis server requires
#  authentication.
#  Defaults to undef
#
# [*redis_database*]
#  (Optional) Logical database to select on the Redis server.
#  Defaults to undef
#
# [*redis_connect_timeout*]
#  (Optional) Timeout (in seconds) for connecting to the Redis servers.
#  Defaults to undef
#
# [*redis_timeout*]
#  (Optional) Timeout waiting for a response of the Redis servers after
#  a request was sent.
#  Defaults to undef
#
# [*remote_id_attribute*]
#  (Optional) Value to be used to obtain the entity ID of the Identity
#  Provider from the environment.
#  Defaults to $facts['os_service_default'].
#
# [*template_order*]
#  This number indicates the order for the concat::fragment that will apply
#  the mod_auth_openidc configuration to the Keystone VirtualHost. The value
#  should be greater than 330 and less than 999, according to:
#  https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/vhost.pp
#  The value 330 corresponds to the order for concat::fragment "${name}-filters"
#  and "${name}-limits".
#  The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
#  (Optional) Defaults to 331.
#
class keystone::federation::openidc (
  $keystone_url,
  $methods,
  $idp_name,
  $openidc_client_id,
  # Secret: rendered into the vhost fragment; see the Concat collector at the
  # bottom of this class, which suppresses the diff for that reason.
  $openidc_client_secret,
  Optional[Stdlib::HTTPUrl] $openidc_provider_metadata_url = undef,
  Optional[Stdlib::Unixpath] $openidc_metadata_dir         = undef,
  # Well-known default value. Deployments should override it, otherwise the
  # passphrase used to encrypt OpenID Connect handshake data is public.
  $openidc_crypto_passphrase                               = 'openstack',
  $openidc_response_type                                   = 'id_token',
  Array[String[1], 1] $openidc_scope                       = ['openid', 'email', 'profile'],
  $openidc_response_mode                                   = undef,
  $openidc_cache_type                                      = undef,
  $openidc_cache_shm_max                                   = undef,
  $openidc_cache_shm_entry_size                            = undef,
  $openidc_cache_dir                                       = undef,
  $openidc_cache_clean_interval                            = undef,
  $openidc_claim_delimiter                                 = undef,
  Boolean $openidc_enable_oauth                            = false,
  # Only one of the next two is required, selected by $openidc_verify_method;
  # the check is done in the body below.
  $openidc_introspection_endpoint                          = undef,
  $openidc_verify_jwks_uri                                 = undef,
  Enum['introspection', 'jwks'] $openidc_verify_method     = 'introspection',
  Optional[Enum['claims', 'json', 'jwt']] $openidc_pass_userinfo_as = undef,
  Optional[Enum['none', 'environment', 'headers', 'both']] $openidc_pass_claim_as = undef,
  $openidc_redirect_uri                                    = undef,
  Optional[Array[Hash]] $additional_locations              = undef,
  $memcached_servers                                       = undef,
  $redis_server                                            = undef,
  # Secret: rendered into the vhost fragment (see the Concat collector below).
  $redis_password                                          = undef,
  $redis_username                                          = undef,
  $redis_database                                          = undef,
  $redis_connect_timeout                                   = undef,
  $redis_timeout                                           = undef,
  $remote_id_attribute                                     = $facts['os_service_default'],
  $template_order                                          = 331,
) {
  include apache
  include apache::mod::auth_openidc

  include keystone::deps
  include keystone::params

  # The vhost fragment declared further down attaches to the 'keystone_wsgi'
  # vhost and reads $keystone::wsgi::apache::priority, so that class must
  # already be part of the catalog.
  if ! defined(Class['keystone::wsgi::apache']) {
    fail('The keystone::wsgi::apache class should be included in the catalog')
  }
  # With a single provider, OIDCProviderMetadataURL should be set, with multiple
  # providers OIDCMetadataDir should be used instead
  if !$openidc_provider_metadata_url and !$openidc_metadata_dir {
    fail('Set one openidc_provider_metadata_url or openidc_metadata_dir')
  }
  if $openidc_provider_metadata_url and $openidc_metadata_dir {
    fail("openidc_provider_metadata_url and openidc_metadata_dir are mutually \
exclusive, set only one of the two.")
  }

  # When OAuth support is on, the endpoint matching the chosen verification
  # method is mandatory; fail at catalog compile time rather than letting an
  # incomplete token-verification setup reach Apache.
  if $openidc_enable_oauth {
    if ($openidc_verify_method == 'introspection') {
      if !$openidc_introspection_endpoint {
        fail("You must set openidc_introspection_endpoint when enabling oauth support \
and introspection.")
      }
    } else { # $openidc_verify_method == 'jwks'
      if !$openidc_verify_jwks_uri {
        fail("You must set openidc_verify_jwks_uri when enabling oauth support \
and local signature verification using a JWKS URL")
      }
    }
  }

  # Normalise a string or array of memcache servers into one space-separated
  # string. $memcached_servers_real is not referenced elsewhere in this class,
  # so it is presumably read from class scope by openidc.conf.erb -- do not
  # rename it without checking the template.
  if $memcached_servers != undef {
    $memcached_servers_real = join(any2array($memcached_servers), ' ')
  } else {
    $memcached_servers_real = undef
  }

  # Note: if puppet-apache modify these values, this needs to be updated
  # (330 is the filters/limits fragment order, 999 the file_footer order).
  if $template_order <= 330 or $template_order >= 999 {
    fail('The template order should be greater than 330 and less than 999.')
  }

  # $methods may be a comma-separated string or an array; the `in` operator
  # handles both (substring match on a string, element match on an array).
  # 'external' is rejected because it conflicts with openid (see the parameter
  # documentation above), and 'openid' itself must be present.
  if ('external' in $methods ) {
    fail('The external method should be dropped to avoid any interference with openid.')
  }

  if !('openid' in $methods ) {
    fail('Methods should contain openid as one of the auth methods.')
  }

  # Persist the enabled auth methods ([auth] section) and the attribute used to
  # obtain the IdP entity ID ([openid] section) in keystone.conf.
  keystone_config {
    'auth/methods':               value => join(any2array($methods),',');
    'openid/remote_id_attribute': value => $remote_id_attribute;
  }

  # Render the mod_auth_openidc configuration into the keystone_wsgi vhost at
  # $template_order, i.e. after the puppet-apache filters/limits fragments and
  # before the file footer.
  apache::vhost::fragment { 'configure_openidc_keystone':
    vhost    => 'keystone_wsgi',
    priority => $keystone::wsgi::apache::priority,
    content  => template('keystone/openidc.conf.erb'),
    order    => $template_order,
  }

  # The rendered vhost file is expected to contain secrets (client secret,
  # crypto passphrase, redis password); suppressing the diff keeps their values
  # out of agent output and reports when the file changes.
  Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> {
    show_diff => false,
  }
}