File: shibboleth.pp

# == Class: keystone::federation::shibboleth
#
# == Parameters
#
# [*methods*]
#  The authentication methods, either as a comma-separated string or as an array.
#  The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2'
#  (Required) (string or array value).
#  Note: The external value should be dropped to avoid problems.
#
# [*suppress_warning*]
#  A boolean value to disable the warning about not installing shibboleth on RedHat.
#  (Optional) Defaults to false.
#
# [*template_order*]
#  This number indicates the order for the concat::fragment that will apply
#  the shibboleth configuration to the Keystone VirtualHost. The value should
#  be greater than 330 and less than 999, according to:
#  https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/vhost.pp
#  The value 330 corresponds to the order for concat::fragment  "${name}-filters"
#  and "${name}-limits".
#  The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
#  (Optional) Defaults to 331.
#
# [*yum_repo_name*]
#  The name of the repo where the shibboleth package can be found on the rhel
#  platform.  See the note below.  For instance, this snippet would enable the
#  full configuration on the RedHat platform:
#
#    yumrepo { 'shibboleth':
#      name     => 'Shibboleth',
#      baseurl  => 'http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/',
#      descr    => 'Shibboleth repo for RedHat',
#      gpgcheck => 1,
#      gpgkey   => 'http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/repodata/repomd.xml.key',
#      enabled  => 1,
#      require  => Anchor['openstack_extras_redhat']
#    }
#
# == Note about Redhat osfamily
#    According to puppet-apache we need to enable a new repo, but in puppet-openstack
#    we do not enable any external third-party repo (see
#    http://wiki.aaf.edu.au/tech-info/sp-install-guide).  We provide some helpers, but
#    as the packaging lacks official support, we cannot guarantee it will work.
#
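class keystone::federation::shibboleth (
  Variant[String[1], Array[String[1]]] $methods,
  Boolean $suppress_warning = false,
  Integer $template_order   = 331,
  String[1] $yum_repo_name  = 'shibboleth',
) {
  include apache
  include keystone::deps

  # The vhost fragment declared below attaches to the 'keystone_wsgi' vhost
  # and reads $keystone::wsgi::apache::priority, so that class must already
  # be in the catalog.
  unless defined(Class['keystone::wsgi::apache']) {
    fail('The keystone::wsgi::apache class should be included in the catalog')
  }

  # Note: if puppet-apache modify these values, this needs to be updated
  # (330 and 999 are the orders of the neighbouring puppet-apache fragments;
  # see the class documentation above).
  if $template_order <= 330 or $template_order >= 999 {
    fail('The template order should be greater than 330 and less than 999.')
  }

  # When $methods is a comma-separated string, `in` is a substring match;
  # when it is an array, it is an element match.  'external' must be absent
  # because keystone's external auth consumes REMOTE_USER, which some
  # Shibboleth SP setups always set (possibly empty); 'saml2' must be present
  # for federation to work at all.
  if ('external' in $methods ) {
    fail("The external method should be dropped to avoid any interference with some \
Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, even as an empty value.")
  }

  if !('saml2' in $methods ) {
    fail('Methods should contain saml2 as one of the auth methods.')
  }

  keystone_config {
    'auth/methods': value => join(any2array($methods),',');
  }

  # The per-family branches only decide whether the Shibboleth SP module can
  # be loaded (and load it).  The vhost fragment is declared once, below, so
  # both families share the same definition.
  case $facts['os']['family'] {
    'Debian': {
      include apache::mod::shib
      include apache::mod::authn_core
      $configure_shibboleth = true
    }
    'RedHat': {
      # There is no officially supported package: only proceed when the
      # operator has declared the repo or the package themselves.
      if defined(Yumrepo[$yum_repo_name]) or defined(Package['shibboleth']) {
        warning('The platform is not officially supported, use at your own risk.  Check manifest documentation for more.')
        apache::mod { 'shib2':
          id   => 'mod_shib',
          path => '/usr/lib64/shibboleth/mod_shib_24.so',
        }
        $configure_shibboleth = true
      } else {
        unless $suppress_warning {
          warning( 'Can not configure Shibboleth in Apache on RedHat OS. Read the Note on this federation/shibboleth.pp' )
        }
        $configure_shibboleth = false
      }
    }
    default: {
      fail('Unsupported platform')
    }
  }

  if $configure_shibboleth {
    apache::vhost::fragment { 'configure_shibboleth_keystone':
      vhost    => 'keystone_wsgi',
      priority => $keystone::wsgi::apache::priority,
      content  => template('keystone/shibboleth.conf.erb'),
      order    => $template_order,
    }

    # show_diff => false keeps the rendered vhost file (which now embeds the
    # fragment rendered from shibboleth.conf.erb) out of agent change reports
    # and logs.
    Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> {
      show_diff => false,
    }
  }
}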