"Fossies" - the Fresh Open Source Software Archive

Member "keystone-18.0.0/devstack/lib/federation.sh" (14 Oct 2020, 8635 Bytes) of package /linux/misc/openstack/keystone-18.0.0.tar.gz:



    1 # Copyright 2016 Massachusetts Open Cloud
    2 #
    3 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    4 # not use this file except in compliance with the License. You may obtain
    5 # a copy of the License at
    6 #
    7 #      http://www.apache.org/licenses/LICENSE-2.0
    8 #
    9 # Unless required by applicable law or agreed to in writing, software
   10 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
   11 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   12 # License for the specific language governing permissions and limitations
   13 # under the License.
   14 
   15 DOMAIN_NAME=${DOMAIN_NAME:-federated_domain}
   16 PROJECT_NAME=${PROJECT_NAME:-federated_project}
   17 GROUP_NAME=${GROUP_NAME:-federated_users}
   18 
   19 IDP_ID=${IDP_ID:-samltest}
   20 IDP_USERNAME=${IDP_USERNAME:-morty}
   21 IDP_PASSWORD=${IDP_PASSWORD:-panic}
   22 IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://samltest.id/saml/idp}
   23 IDP_ECP_URL=${IDP_ECP_URL:-https://samltest.id/idp/profile/SAML2/SOAP/ECP}
   24 IDP_METADATA_URL=${IDP_METADATA_URL:-https://samltest.id/saml/idp}
   25 
   26 KEYSTONE_IDP_METADATA_URL=${KEYSTONE_IDP_METADATA_URL:-"http://$HOST_IP/identity/v3/OS-FEDERATION/saml2/metadata"}
   27 
   28 MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-uid}
   29 MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
   30 
   31 PROTOCOL_ID=${PROTOCOL_ID:-mapped}
   32 
   33 # File paths
   34 FEDERATION_FILES="$KEYSTONE_PLUGIN/files/federation"
   35 SHIBBOLETH_XML="/etc/shibboleth/shibboleth2.xml"
   36 ATTRIBUTE_MAP="/etc/shibboleth/attribute-map.xml"
   37 
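# Wire the Shibboleth SP handler into keystone's Apache vhost.
#
# In uwsgi mode keystone is proxied by Apache, so /Shibboleth.sso has to be
# exempted from the ProxyPass rule or the SP handler is never reached.  In
# mod_wsgi mode the directives from shib_apache_alias.txt are spliced into the
# port-5000 vhost instead.  Either way shib_apache_handler.txt (the <Location>
# blocks for the SP and the IdP) is appended and its %IDP_ID% placeholder
# filled in, then Apache is restarted.
#
# Globals: WSGI_MODE, KEYSTONE_PLUGIN, IDP_ID (read)
# Side effects: edits the keystone Apache site config via sudo, restarts Apache.
function configure_apache {
    local keystone_apache_conf
    local alias_file="$KEYSTONE_PLUGIN/files/federation/shib_apache_alias.txt"
    local handler_file="$KEYSTONE_PLUGIN/files/federation/shib_apache_handler.txt"

    if [[ "$WSGI_MODE" == "uwsgi" ]]; then
        keystone_apache_conf=$(apache_site_config_for keystone-wsgi-public)

        echo "ProxyPass /Shibboleth.sso !" | sudo tee -a "$keystone_apache_conf"
    else
        keystone_apache_conf=$(apache_site_config_for keystone)

        # Add WSGIScriptAlias directive to vhost configuration for port 5000
        sudo sed -i -e "/<VirtualHost \*:5000>/r $alias_file" "$keystone_apache_conf"
    fi

    # Append to the keystone.conf vhost file a <Location> directive for the
    # Shibboleth module and a <Location> directive for the identity provider
    sudo tee -a "$keystone_apache_conf" < "$handler_file"

    # IDP_ID comes from the environment: escape sed's delimiter, `&` and
    # backslash so an unusual value cannot corrupt the vhost config.
    local idp_id_escaped
    idp_id_escaped=$(printf '%s' "$IDP_ID" | sed -e 's/[\\&|]/\\&/g')
    sudo sed -i -e "s|%IDP_ID%|$idp_id_escaped|g;" "$keystone_apache_conf"

    restart_apache_server
}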
   61 
   62 function configure_shibboleth {
   63     # Copy a templated /etc/shibboleth/shibboleth2.xml file...
   64     sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
   65     # ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
   66     sudo sed -i -e "
   67         s|%HOST_IP%|$HOST_IP|g;
   68         s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
   69         s|%KEYSTONE_METADATA_URL%|$KEYSTONE_IDP_METADATA_URL|g;
   70         " $SHIBBOLETH_XML
   71 
   72     sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
   73 
   74     restart_service shibd
   75 }
   76 
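# Install the Shibboleth SP (Apache module + shibd) for the running distro,
# generate its keypair, and install the python/xmlsec bits keystone needs.
#
# Side effects: installs packages; on Fedora/CentOS adds an unofficial yum
#               repository; generates key material under /etc/shibboleth;
#               starts shibd on Fedora/SUSE.
function install_federation {
    if is_ubuntu; then
        install_package libapache2-mod-shib2 xmlsec1

        # Create a new keypair for Shibboleth
        sudo shib-keygen -f

        # Enable the Shibboleth module for Apache
        sudo a2enmod shib
    elif is_fedora; then
        # NOTE(knikolla): For CentOS/RHEL, installing shibboleth is tricky
        # It requires adding a separate repo not officially supported
        #
        # Supply-chain caveat: this trusts an unofficial OBS repository.  The
        # download is checked (--fail) so an HTTP error page can never be
        # written as the repo definition; whether packages are GPG-verified is
        # decided by the downloaded .repo file (NOTE(review): confirm gpgcheck=1).
        local shib_repo_url=${SHIBBOLETH_REPO_URL:-https://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo}
        local shib_repo_def
        shib_repo_def=$(curl -fsSL "$shib_repo_url") || \
            die $LINENO "Failed to fetch the Shibboleth repo definition from $shib_repo_url"
        printf '%s\n' "$shib_repo_def" | sudo tee /etc/yum.repos.d/shibboleth.repo >/dev/null

        # Install Shibboleth
        install_package shibboleth xmlsec1-openssl

        # Create a new keypair for Shibboleth
        sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth

        # Start Shibboleth module
        start_service shibd
    elif is_suse; then
        # Install Shibboleth
        install_package shibboleth-sp
        # Install xmlsec dependency needed only for opensuse
        install_package libxmlsec1-openssl1

        # Create a new keypair for Shibboleth
        sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth

        # Start Shibboleth module
        start_service shibd
    else
        echo "Skipping installation of shibboleth for non ubuntu nor fedora nor suse host"
    fi

    pip_install pysaml2

    # xmlsec1 needed for k2k
    install_package xmlsec1
}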
  122 
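# Publish this host's SP metadata to the public samltest.id test IdP so it
# will talk to our Shibboleth SP.  Best effort: problems are reported, not
# fatal, because the whole samltest.id dependency is temporary (see the TODO
# in configure_federation).
#
# Globals: HOST_IP, FILES (read)
# Side effects: writes the metadata file under $FILES, POSTs it to samltest.id.
# NOTE(review): SP metadata is public by design (entityID, endpoints, the SP's
# public certificates), so the upload discloses no secret, but it does hand the
# devstack host's address to a third party.
function upload_sp_metadata_to_samltest {
    local metadata_fname="${HOST_IP//./}_${RANDOM}_sp"
    local metadata_url="http://$HOST_IP/Shibboleth.sso/Metadata"
    local metadata_path="$FILES/$metadata_fname"

    # Test the exit status directly: a separate `$?` check never runs when the
    # caller has errexit enabled.
    if ! wget "$metadata_url" -O "$metadata_path"; then
        echo "Not found: $metadata_url"
        # wget leaves an empty output file behind on failure
        rm -f "$metadata_path"
        return
    fi

    # --fail surfaces an HTTP error from samltest.id instead of printing its
    # error page and reporting success; keep it non-fatal.
    curl --fail --form userfile=@"$metadata_path" --form "submit=OK" "https://samltest.id/upload.php" \
        || echo "Warning: uploading SP metadata to samltest.id failed" >&2
}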
  135 
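# Configure keystone both as a SAML SP (via Shibboleth/Apache) and as an IdP.
#
# Globals: KEYSTONE_CONF, INT_CA_DIR, DEVSTACK_CERT_NAME, KEYSTONE_AUTH_URI,
#          WSGI_MODE, IDP_ID (read)
# Side effects: edits keystone.conf; may generate a keypair under
#               /etc/keystone; writes keystone_idp_metadata.xml; restarts
#               keystone in uwsgi mode; calls configure_shibboleth and
#               configure_apache; uploads SP metadata when IDP_ID is samltest.
function configure_federation {
    # Specify the header that contains information about the identity provider
    iniset "$KEYSTONE_CONF" mapped remote_id_attribute "Shib-Identity-Provider"

    # Configure certificates and keys for Keystone as an IdP.  Presumably this
    # key signs the SAML assertions keystone issues, so it must stay private.
    if is_service_enabled tls-proxy; then
        iniset "$KEYSTONE_CONF" saml certfile "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
        iniset "$KEYSTONE_CONF" saml keyfile "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
    else
        local saml_key=/etc/keystone/ca.key
        local saml_cert=/etc/keystone/ca.crt

        # Generate the key under a restrictive umask and pin 0600 afterwards so
        # the permissions do not depend on the openssl version's default
        # (newer openssl already creates private keys 0600; older ones honour
        # the caller's umask).  Re-running replaces the pair.  The subject is a
        # placeholder: only the signature, not the name, matters for SAML.
        (umask 077 && openssl genrsa -out "$saml_key" 4096)
        openssl req -new -x509 -days 1826 -key "$saml_key" -out "$saml_cert" \
            -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
        chmod 0600 "$saml_key"

        iniset "$KEYSTONE_CONF" saml certfile "$saml_cert"
        iniset "$KEYSTONE_CONF" saml keyfile "$saml_key"
    fi

    iniset "$KEYSTONE_CONF" saml idp_entity_id "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/idp"
    iniset "$KEYSTONE_CONF" saml idp_sso_endpoint "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/sso"
    iniset "$KEYSTONE_CONF" saml idp_metadata_path "/etc/keystone/keystone_idp_metadata.xml"

    if [[ "$WSGI_MODE" == "uwsgi" ]]; then
        restart_service "devstack@keystone"
    fi

    # Fail loudly rather than leaving a truncated/empty metadata file behind.
    keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml \
        || die $LINENO "keystone-manage saml_idp_metadata failed"

    configure_shibboleth
    configure_apache

    # TODO(knikolla): We should not be relying on an external service. This
    # will be removed once we have an idp deployed during devstack install.
    if [[ "$IDP_ID" == "samltest" ]]; then
        upload_sp_metadata_to_samltest
    fi
}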
  173 
  174 function register_federation {
  175     local federated_domain=$(get_or_create_domain $DOMAIN_NAME)
  176     local federated_project=$(get_or_create_project $PROJECT_NAME $DOMAIN_NAME)
  177     local federated_users=$(get_or_create_group $GROUP_NAME $DOMAIN_NAME)
  178     local member_role=$(get_or_create_role Member)
  179 
  180     openstack role add --group $federated_users --domain $federated_domain $member_role
  181     openstack role add --group $federated_users --project $federated_project $member_role
  182 }
  183 
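# Enable the mapped auth method in keystone and write the federation scenario
# settings into the tempest config.
#
# Globals: KEYSTONE_CONF, TEMPEST_CONFIG, IDP_*, MAPPING_*, GROUP_NAME,
#          DOMAIN_NAME, PROTOCOL_ID (read)
# Side effects: edits keystone.conf and tempest.conf.
function configure_tests_settings {
    # Enable the mapped auth method in /etc/keystone.conf.  Note this list also
    # keeps `external` enabled; only add it where the web server in front of
    # keystone is trusted to set the remote-user header.
    iniset "$KEYSTONE_CONF" auth methods "external,password,token,mapped"

    # Here we set any settings that might be need by the fed_scenario set of tests
    iniset "$TEMPEST_CONFIG" identity-feature-enabled federation True
    # If not using samltest as an external IdP, tell tempest not to test that scenario
    if [[ "$IDP_ID" != "samltest" ]]; then
        iniset "$TEMPEST_CONFIG" identity-feature-enabled external_idp false
    fi

    # Identity provider settings.  IDP_PASSWORD is stored in clear text in the
    # tempest config; only test-account credentials belong here.
    iniset "$TEMPEST_CONFIG" fed_scenario idp_id "$IDP_ID"
    iniset "$TEMPEST_CONFIG" fed_scenario idp_remote_ids "$IDP_REMOTE_ID"
    iniset "$TEMPEST_CONFIG" fed_scenario idp_username "$IDP_USERNAME"
    iniset "$TEMPEST_CONFIG" fed_scenario idp_password "$IDP_PASSWORD"
    iniset "$TEMPEST_CONFIG" fed_scenario idp_ecp_url "$IDP_ECP_URL"

    # Mapping rules settings (quoted: MAPPING_USER_NAME is "{0}" by default)
    iniset "$TEMPEST_CONFIG" fed_scenario mapping_remote_type "$MAPPING_REMOTE_TYPE"
    iniset "$TEMPEST_CONFIG" fed_scenario mapping_user_name "$MAPPING_USER_NAME"
    iniset "$TEMPEST_CONFIG" fed_scenario mapping_group_name "$GROUP_NAME"
    iniset "$TEMPEST_CONFIG" fed_scenario mapping_group_domain_name "$DOMAIN_NAME"
    iniset "$TEMPEST_CONFIG" fed_scenario enable_k2k_groups_mapping True

    # Protocol settings
    iniset "$TEMPEST_CONFIG" fed_scenario protocol_id "$PROTOCOL_ID"
}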
  212 
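# Remove the Shibboleth SP packages installed by install_federation and, on
# Fedora/CentOS, the unofficial repository definition that was added for them.
function uninstall_federation {
    if is_ubuntu; then
        uninstall_package libapache2-mod-shib2
    elif is_fedora; then
        uninstall_package shibboleth

        # Remove Shibboleth repository (-f: tolerate an already-removed file)
        sudo rm -f /etc/yum.repos.d/shibboleth.repo
    elif is_suse; then
        # Fixed typo: the original called a non-existent `unistall_package`,
        # so the SUSE branch never removed anything.
        uninstall_package shibboleth-sp
    else
        echo "Skipping uninstallation of shibboleth for non ubuntu nor fedora nor suse host"
    fi
}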
  226 }