
Source code changes of the file "devstack/lib/federation.sh" between
keystone-15.0.0.tar.gz and keystone-15.0.1.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Stein" series (maintained release).

federation.sh  (keystone-15.0.0):federation.sh  (keystone-15.0.1)
skipping to change at line 26 skipping to change at line 26
PROJECT_NAME=${PROJECT_NAME:-federated_project} PROJECT_NAME=${PROJECT_NAME:-federated_project}
GROUP_NAME=${GROUP_NAME:-federated_users} GROUP_NAME=${GROUP_NAME:-federated_users}
IDP_ID=${IDP_ID:-samltest} IDP_ID=${IDP_ID:-samltest}
IDP_USERNAME=${IDP_USERNAME:-morty} IDP_USERNAME=${IDP_USERNAME:-morty}
IDP_PASSWORD=${IDP_PASSWORD:-panic} IDP_PASSWORD=${IDP_PASSWORD:-panic}
IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://samltest.id/saml/idp} IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://samltest.id/saml/idp}
IDP_ECP_URL=${IDP_ECP_URL:-https://samltest.id/idp/profile/SAML2/SOAP/ECP} IDP_ECP_URL=${IDP_ECP_URL:-https://samltest.id/idp/profile/SAML2/SOAP/ECP}
IDP_METADATA_URL=${IDP_METADATA_URL:-https://samltest.id/saml/idp} IDP_METADATA_URL=${IDP_METADATA_URL:-https://samltest.id/saml/idp}
KEYSTONE_IDP_METADATA_URL=${KEYSTONE_IDP_METADATA_URL:-"http://$HOST_IP/identity
/v3/OS-FEDERATION/saml2/metadata"}
MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-uid} MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-uid}
MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"} MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
PROTOCOL_ID=${PROTOCOL_ID:-mapped} PROTOCOL_ID=${PROTOCOL_ID:-mapped}
# File paths # File paths
FEDERATION_FILES="$KEYSTONE_PLUGIN/files/federation" FEDERATION_FILES="$KEYSTONE_PLUGIN/files/federation"
SHIBBOLETH_XML="/etc/shibboleth/shibboleth2.xml" SHIBBOLETH_XML="/etc/shibboleth/shibboleth2.xml"
ATTRIBUTE_MAP="/etc/shibboleth/attribute-map.xml" ATTRIBUTE_MAP="/etc/shibboleth/attribute-map.xml"
skipping to change at line 60 skipping to change at line 62
# Append to the keystone.conf vhost file a <Location> directive for the Shib boleth module # Append to the keystone.conf vhost file a <Location> directive for the Shib boleth module
# and a <Location> directive for the identity provider # and a <Location> directive for the identity provider
cat $KEYSTONE_PLUGIN/files/federation/shib_apache_handler.txt | sudo tee -a $keystone_apache_conf cat $KEYSTONE_PLUGIN/files/federation/shib_apache_handler.txt | sudo tee -a $keystone_apache_conf
sudo sed -i -e "s|%IDP_ID%|$IDP_ID|g;" $keystone_apache_conf sudo sed -i -e "s|%IDP_ID%|$IDP_ID|g;" $keystone_apache_conf
restart_apache_server restart_apache_server
} }
function configure_shibboleth {
# Copy a templated /etc/shibboleth/shibboleth2.xml file...
sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
# ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% plac
eholders
sudo sed -i -e "
s|%HOST_IP%|$HOST_IP|g;
s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
s|%KEYSTONE_METADATA_URL%|$KEYSTONE_IDP_METADATA_URL|g;
" $SHIBBOLETH_XML
sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
restart_service shibd
}
function install_federation { function install_federation {
if is_ubuntu; then if is_ubuntu; then
install_package libapache2-mod-shib2 install_package libapache2-mod-shib2 xmlsec1
# Create a new keypair for Shibboleth # Create a new keypair for Shibboleth
sudo shib-keygen -f sudo shib-keygen -f
# Enable the Shibboleth module for Apache # Enable the Shibboleth module for Apache
sudo a2enmod shib2 sudo a2enmod shib2
elif is_fedora; then elif is_fedora; then
# NOTE(knikolla): For CentOS/RHEL, installing shibboleth is tricky # NOTE(knikolla): For CentOS/RHEL, installing shibboleth is tricky
# It requires adding a separate repo not officially supported # It requires adding a separate repo not officially supported
# Add Shibboleth repository with curl # Add Shibboleth repository with curl
curl https://download.opensuse.org/repositories/security://shibboleth/Ce ntOS_7/security:shibboleth.repo \ curl https://download.opensuse.org/repositories/security://shibboleth/Ce ntOS_7/security:shibboleth.repo \
| sudo tee /etc/yum.repos.d/shibboleth.repo >/dev/null | sudo tee /etc/yum.repos.d/shibboleth.repo >/dev/null
# Install Shibboleth # Install Shibboleth
install_package shibboleth install_package shibboleth xmlsec1-openssl
# Create a new keypair for Shibboleth # Create a new keypair for Shibboleth
sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth
# Start Shibboleth module # Start Shibboleth module
start_service shibd start_service shibd
elif is_suse; then elif is_suse; then
# Install Shibboleth # Install Shibboleth
install_package shibboleth-sp install_package shibboleth-sp
# Install xmlsec dependency needed only for opensuse
install_package libxmlsec1-openssl1
# Create a new keypair for Shibboleth # Create a new keypair for Shibboleth
sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth
# Start Shibboleth module # Start Shibboleth module
start_service shibd start_service shibd
else else
echo "Skipping installation of shibboleth for non ubuntu nor fedora nor suse host" echo "Skipping installation of shibboleth for non ubuntu nor fedora nor suse host"
fi fi
pip_install pysaml2
# xmlsec1 needed for k2k
install_package xmlsec1
} }
function upload_sp_metadata_to_samltest { function upload_sp_metadata_to_samltest {
local metadata_fname=${HOST_IP//./}_"$RANDOM"_sp local metadata_fname=${HOST_IP//./}_"$RANDOM"_sp
local metadata_url=http://$HOST_IP/Shibboleth.sso/Metadata local metadata_url=http://$HOST_IP/Shibboleth.sso/Metadata
wget $metadata_url -O $FILES/$metadata_fname wget $metadata_url -O $FILES/$metadata_fname
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo "Not found: $metadata_url" echo "Not found: $metadata_url"
return return
fi fi
curl --form userfile=@"$FILES/${metadata_fname}" --form "submit=OK" "https:/ /samltest.id/upload.php" curl --form userfile=@"$FILES/${metadata_fname}" --form "submit=OK" "https:/ /samltest.id/upload.php"
} }
function configure_federation { function configure_federation {
configure_apache # Specify the header that contains information about the identity provider
iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider"
# Copy a templated /etc/shibboleth/shibboleth2.xml file...
sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
# ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% plac
eholders
sudo sed -i -e "
s|%HOST_IP%|$HOST_IP|g;
s|%IDP_REMOTE_ID%|$IDP_REMOTE_ID|g;
s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
" $SHIBBOLETH_XML
sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
restart_service shibd # Configure certificates and keys for Keystone as an IdP
if is_service_enabled tls-proxy; then
iniset $KEYSTONE_CONF saml certfile "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt
"
iniset $KEYSTONE_CONF saml keyfile "$INT_CA_DIR/private/$DEVSTACK_CERT_N
AME.key"
else
openssl genrsa -out /etc/keystone/ca.key 4096
openssl req -new -x509 -days 1826 -key /etc/keystone/ca.key -out /etc/ke
ystone/ca.crt \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
# Enable the mapped auth method in /etc/keystone.conf iniset $KEYSTONE_CONF saml certfile "/etc/keystone/ca.crt"
iniset $KEYSTONE_CONF auth methods "external,password,token,mapped" iniset $KEYSTONE_CONF saml keyfile "/etc/keystone/ca.key"
fi
# Specify the header that contains information about the identity provider iniset $KEYSTONE_CONF saml idp_entity_id "$KEYSTONE_AUTH_URI/v3/OS-FEDERATIO
iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider" N/saml2/idp"
iniset $KEYSTONE_CONF saml idp_sso_endpoint "$KEYSTONE_AUTH_URI/v3/OS-FEDERA
TION/saml2/sso"
iniset $KEYSTONE_CONF saml idp_metadata_path "/etc/keystone/keystone_idp_met
adata.xml"
if [[ "$WSGI_MODE" == "uwsgi" ]]; then if [[ "$WSGI_MODE" == "uwsgi" ]]; then
restart_service "devstack@keystone" restart_service "devstack@keystone"
fi fi
restart_apache_server keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml
configure_shibboleth
configure_apache
# TODO(knikolla): We should not be relying on an external service. This # TODO(knikolla): We should not be relying on an external service. This
# will be removed once we have an idp deployed during devstack install. # will be removed once we have an idp deployed during devstack install.
if [[ "$IDP_ID" == "samltest" ]]; then if [[ "$IDP_ID" == "samltest" ]]; then
upload_sp_metadata_to_samltest upload_sp_metadata_to_samltest
fi fi
} }
function register_federation { function register_federation {
local federated_domain=$(get_or_create_domain $DOMAIN_NAME) local federated_domain=$(get_or_create_domain $DOMAIN_NAME)
local federated_project=$(get_or_create_project $PROJECT_NAME $DOMAIN_NAME) local federated_project=$(get_or_create_project $PROJECT_NAME $DOMAIN_NAME)
local federated_users=$(get_or_create_group $GROUP_NAME $DOMAIN_NAME) local federated_users=$(get_or_create_group $GROUP_NAME $DOMAIN_NAME)
local member_role=$(get_or_create_role Member) local member_role=$(get_or_create_role Member)
openstack role add --group $federated_users --domain $federated_domain $memb er_role openstack role add --group $federated_users --domain $federated_domain $memb er_role
openstack role add --group $federated_users --project $federated_project $me mber_role openstack role add --group $federated_users --project $federated_project $me mber_role
} }
function configure_tests_settings { function configure_tests_settings {
# Enable the mapped auth method in /etc/keystone.conf
iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
# Here we set any settings that might be need by the fed_scenario set of tes ts # Here we set any settings that might be need by the fed_scenario set of tes ts
iniset $TEMPEST_CONFIG identity-feature-enabled federation True iniset $TEMPEST_CONFIG identity-feature-enabled federation True
# If not using samltest as an external IdP, tell tempest not to test that sc
enario
if [[ "$IDP_ID" != "samltest" ]] ; then
iniset $TEMPEST_CONFIG identity-feature-enabled external_idp false
fi
# Identity provider settings # Identity provider settings
iniset $TEMPEST_CONFIG fed_scenario idp_id $IDP_ID iniset $TEMPEST_CONFIG fed_scenario idp_id $IDP_ID
iniset $TEMPEST_CONFIG fed_scenario idp_remote_ids $IDP_REMOTE_ID iniset $TEMPEST_CONFIG fed_scenario idp_remote_ids $IDP_REMOTE_ID
iniset $TEMPEST_CONFIG fed_scenario idp_username $IDP_USERNAME iniset $TEMPEST_CONFIG fed_scenario idp_username $IDP_USERNAME
iniset $TEMPEST_CONFIG fed_scenario idp_password $IDP_PASSWORD iniset $TEMPEST_CONFIG fed_scenario idp_password $IDP_PASSWORD
iniset $TEMPEST_CONFIG fed_scenario idp_ecp_url $IDP_ECP_URL iniset $TEMPEST_CONFIG fed_scenario idp_ecp_url $IDP_ECP_URL
# Mapping rules settings # Mapping rules settings
iniset $TEMPEST_CONFIG fed_scenario mapping_remote_type $MAPPING_REMOTE_TYPE iniset $TEMPEST_CONFIG fed_scenario mapping_remote_type $MAPPING_REMOTE_TYPE
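Review bot: In the new non-tls-proxy branch of configure_federation, the SAML signing key produced by `openssl genrsa -out /etc/keystone/ca.key 4096` is created under the caller's default umask (openssl does not tighten the mode itself, as far as I know), so the private key that signs every Keystone-issued assertion is likely world-readable in /etc/keystone; run it as `(umask 077 && openssl genrsa -out /etc/keystone/ca.key 4096)` or follow it with `chmod 600 /etc/keystone/ca.key`. The file is also named `ca.key`/`ca.crt` and given the throwaway subject `CN=www.example.com` although it is configured as `saml certfile`/`keyfile`, i.e. a signing key rather than a CA, which is worth a comment such as `# Self-signed signing key for the Keystone SAML IdP (devstack only; not a CA)`. In the tls-proxy branch the devstack TLS server key is reused as the SAML signing key; acceptable for a test deployment, but a one-line note saying so would stop someone copying it into production guidance. Separately, the comment in the new configure_shibboleth still says the sed replaces `%IDP_REMOTE_ID%`, while the substitutions below it are `%HOST_IP%`, `%IDP_METADATA_URL%` and `%KEYSTONE_METADATA_URL%`; update it to `# ... and replace the %HOST_IP%, %IDP_METADATA_URL% and %KEYSTONE_METADATA_URL% placeholders`. configure_tests_settings continues past the end of this section.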
 End of changes. 13 change blocks. 
21 lines changed or deleted 62 lines changed or added
