Merge pull request #2188 from guangyee/oidc_websso

support OpenID Connect WebSSO (SOC-9616)

Author: hemna

chef/cookbooks/crowbar-openstack/providers/wsgi.rb

@@ -67,6 +67,15 @@ def whyrun_supported?
         ssl_keyfile: current_resource.ssl_keyfile,
         ssl_cacert: current_resource.ssl_cacert,
         timeout: current_resource.timeout,
+        openidc_enabled: current_resource.openidc_enabled,
+        openidc_provider: current_resource.openidc_provider,
+        openidc_response_type: current_resource.openidc_response_type,
+        openidc_scope: current_resource.openidc_scope,
+        openidc_metadata_url: current_resource.openidc_metadata_url,
+        openidc_client_id: current_resource.openidc_client_id,
+        openidc_client_secret: current_resource.openidc_client_secret,
+        openidc_passphrase: current_resource.openidc_passphrase,
+        openidc_redirect_uri: current_resource.openidc_redirect_uri,
         access_log: current_resource.access_log,
         error_log: current_resource.error_log,
         apache_log_dir: node[:apache][:log_dir],
@@ -116,6 +125,16 @@ def load_current_resource
 
   @current_resource.timeout(@new_resource.timeout)
 
+  @current_resource.openidc_enabled(@new_resource.openidc_enabled)
+  @current_resource.openidc_provider(@new_resource.openidc_provider)
+  @current_resource.openidc_response_type(@new_resource.openidc_response_type)
+  @current_resource.openidc_scope(@new_resource.openidc_scope)
+  @current_resource.openidc_metadata_url(@new_resource.openidc_metadata_url)
+  @current_resource.openidc_client_id(@new_resource.openidc_client_id)
+  @current_resource.openidc_client_secret(@new_resource.openidc_client_secret)
+  @current_resource.openidc_passphrase(@new_resource.openidc_passphrase)
+  @current_resource.openidc_redirect_uri(@new_resource.openidc_redirect_uri)
+
   @current_resource.access_log(_get_access_log)
   @current_resource.error_log(_get_error_log)
 

chef/cookbooks/crowbar-openstack/resources/wsgi.rb

@@ -22,6 +22,16 @@
 
 attribute :timeout, kind_of: Integer, default: nil
 
+attribute :openidc_enabled, kind_of: [TrueClass, FalseClass], default: false
+attribute :openidc_provider, kind_of: String, default: nil
+attribute :openidc_response_type, kind_of: String, default: nil
+attribute :openidc_scope, kind_of: String, default: nil
+attribute :openidc_metadata_url, kind_of: String, default: nil
+attribute :openidc_client_id, kind_of: String, default: nil
+attribute :openidc_client_secret, kind_of: String, default: nil
+attribute :openidc_passphrase, kind_of: String, default: nil
+attribute :openidc_redirect_uri, kind_of: String, default: nil
+
 attribute :access_log, kind_of: String, default: nil
 attribute :error_log, kind_of: String, default: nil
 

chef/cookbooks/crowbar-openstack/templates/default/vhost-wsgi.conf.erb

@@ -26,6 +26,34 @@ Listen <%= @bind_host %>:<%= @bind_port %>
     <% end -%>
 <% end %>
 
+<% if @openidc_enabled %>
+# See
+# https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf
+    OIDCClaimPrefix "OIDC-"
+    OIDCResponseType "<%= @openidc_response_type %>"
+    OIDCScope "<%= @openidc_scope %>"
+    OIDCProviderMetadataURL "<%= @openidc_metadata_url %>"
+    OIDCClientID  "<%= @openidc_client_id %>"
+    OIDCClientSecret "<%= @openidc_client_secret %>"
+    OIDCCryptoPassphrase "<%= @openidc_passphrase %>"
+    OIDCRedirectURI "<%= @openidc_redirect_uri %>"
+
+    <Location /v3/OS-FEDERATION/identity_providers/<%= @openidc_provider %>/protocols/openid/auth>
+        Require valid-user
+        AuthType openid-connect
+    </Location>
+
+    <Location /v3/auth/OS-FEDERATION/websso/openid>
+        Require valid-user
+        AuthType openid-connect
+    </Location>
+
+    <Location /v3/auth/OS-FEDERATION/identity_providers/<%= @openidc_provider %>/protocols/openid/websso>
+        Require valid-user
+        AuthType openid-connect
+    </Location>
+<% end %>
+
     ErrorLogFormat "%{cu}t %M"
     ErrorLog <%= @apache_log_dir %>/<%= @error_log %>
     CustomLog <%= @apache_log_dir %>/<%= @access_log %> combined

chef/cookbooks/horizon/recipes/server.rb

@@ -447,6 +447,7 @@
     multi_domain_support: multi_domain_support,
     policy_file_path: node["horizon"]["policy_file_path"],
     policy_file: node["horizon"]["policy_file"],
+    websso_keystone_url: keystone_settings["websso_keystone_url"]
   )
   action :create
   notifies :reload, "service[horizon]"

chef/cookbooks/horizon/templates/default/local_settings.py.erb

@@ -250,3 +250,18 @@ EXTERNAL_MONITORING = [
 
 SESSION_TIMEOUT = <%= @session_timeout * 60 %>
 SECRET_KEY = "<%= @secret_key %>"
+
+# FIXME(gyee): if we ever going to support multiple protocols or multiple
+# IDPs, we'll need to refactor this accordingly.
+<% if node[:keystone][:federation][:openidc][:enabled] %>
+WEBSSO_ENABLED = True
+
+# NOTE(gyee): this need to be versioned public Keystone URL as this is used
+# to redirect the browsers to Keystone.
+WEBSSO_KEYSTONE_URL = "<%= @websso_keystone_url %>"
+
+WEBSSO_CHOICES = (
+    ("credentials", _("Keystone Credentials")),
+    ("openid", _("OpenID Connect")),
+)
+<% end %>

chef/cookbooks/keystone/libraries/helpers.rb

@@ -32,6 +32,101 @@ def self.unversioned_internal_auth_url(node, admin_host)
     service_URL(node[:keystone][:api][:protocol], admin_host, node[:keystone][:api][:service_port])
   end
 
+  # NOTE(gyee): trusted_dashboard in Keystone can be multiple URLs.
+  # For example, in a typical production deployment, there can be multiple
+  # Horizon endpoints, depending on where Horizon is being accessed. For
+  # example, the endpoint for access inside the firewall could be different
+  # from the one that is outside of the firewall. And in some cases, the
+  # endpoint could be the corporate HTTP proxy.
+  # For now, we are prepopulating one that is only understood by Crowbar for
+  # testing/demo purpopses. In a production environment, it can be amended with
+  # other external endpoints.
+  def self.dashboard_public_url(dashboard_node)
+    ha_enabled = dashboard_node[:horizon][:ha][:enabled]
+    ssl_enabled = dashboard_node[:horizon][:apache][:ssl]
+    want_fqdn = true
+    public_fqdn = CrowbarHelper.get_host_for_public_url(
+      dashboard_node,
+      ssl_enabled,
+      ha_enabled,
+      want_fqdn
+    )
+
+    protocol = "http"
+    protocol = "https" if ssl_enabled
+
+    "#{protocol}://#{public_fqdn}"
+  end
+
+  def self.websso_enabled(node)
+    node[:keystone][:federation][:openidc][:enabled]
+  end
+
+  def self.trusted_dashboard_url(node)
+    # NOTE(gyee): since Horizon is depended on Keystone and will be deployed
+    # after Keystone, the Horizon node may not be available when Keystone
+    # is first deployed. However, chef executes the recipes periodically.
+    # On the next chef run after, after Horizon had deployed, we should be
+    # able to figure out the trusted_dashboard from the node, assuming Horizon
+    # is always deployed on the same node as Keystone. Otherwise, we'll need
+    # to do node search.
+
+    horizon_server = CrowbarUtilsSearch.node_search_with_cache(node, "roles:horizon-server").first
+
+    unless horizon_server.nil?
+      horizon_url =
+        if horizon_server["horizon"].key?("apache")
+          ::File.join(dashboard_public_url(horizon_server), "/auth/websso/")
+        else
+          ""
+        end
+    end
+
+    horizon_url
+  end
+
+  def self.trusted_dashboards(node)
+    # NOTE(gyee): if user does not specify any trusted_dashboards, we'll
+    # automagically generate one based on the current knowned crowbar
+    # configuration.
+    if node[:keystone][:federation][:trusted_dashboards].empty?
+      node[:keystone][:federation][:trusted_dashboards] << trusted_dashboard_url(node)
+    end
+
+    node[:keystone][:federation][:trusted_dashboards]
+  end
+
+  # NOTE(gyee): for some WebSSO protocols (i.e. saml, openidc, etc), the
+  # authentication process involves redirecting the browser to the identity
+  # provider's endpoint for authentication, then the user is redirected back
+  # to Keystone upon successfully authentication with the identity provider.
+  # Therefore, the Keystone redirect URL must be external or public as it needs
+  # to be accessible by the browsers. Also, in some cases, the URL needs to be
+  # fully qualified. For example, Google OpenID Connection requires the URL to
+  # be FQDN instead of IP as it must match the authorized domain. Therefore,
+  # the WEBSSO_KEYSTONE_URL in Horizon should contain the FQDN, depending
+  # on the identity provider. For production deployments, we offers the user
+  # the ability to override it because we don't know the user's network
+  # topology beforehand. For example, the external endpoint could be handled
+  # by an HTTP proxy which may not be known to crowbar.
+  def self.websso_keystone_url(node)
+    ha_enabled = node[:keystone][:ha][:enabled]
+    ssl_enabled = node["keystone"]["api"]["protocol"] == "https"
+    want_fqdn = true
+    public_fqdn = CrowbarHelper.get_host_for_public_url(node, ssl_enabled, ha_enabled, want_fqdn)
+
+    websso_keystone_url =
+      if node[:keystone][:federation][:websso_keystone_url].empty?
+        # Will use the one automagically generated by crowbar if user doesn't
+        # explicitly set one. This should be for testing/demo purposes in most
+        # cases.
+        public_auth_url(node, public_fqdn)
+      else
+        node[:keystone][:federation][:websso_keystone_url]
+      end
+    websso_keystone_url
+  end
+
   def self.keystone_settings(current_node, cookbook_name)
     instance = current_node[cookbook_name][:keystone_instance] || "default"
 
@@ -56,7 +151,6 @@ def self.keystone_settings(current_node, cookbook_name)
       ha_enabled = node[:keystone][:ha][:enabled]
       use_ssl = node["keystone"]["api"]["protocol"] == "https"
       public_host = CrowbarHelper.get_host_for_public_url(node, use_ssl, ha_enabled)
-
       admin_host = CrowbarHelper.get_host_for_admin_url(node, ha_enabled)
 
       has_default_user = node["keystone"]["default"]["create_user"]
@@ -71,6 +165,7 @@ def self.keystone_settings(current_node, cookbook_name)
         "api_version_for_middleware" => "v%.1f" % node[:keystone][:api][:version],
         "admin_auth_url" => admin_auth_url(node, admin_host),
         "public_auth_url" => public_auth_url(node, public_host),
+        "websso_keystone_url" => websso_keystone_url(node),
         "internal_auth_url" => internal_auth_url(node, admin_host),
         "unversioned_internal_auth_url" => unversioned_internal_auth_url(node, admin_host),
         "use_ssl" => use_ssl,
@@ -95,7 +190,9 @@ def self.keystone_settings(current_node, cookbook_name)
         "default_user_domain_id" => has_default_user ? default_domain_id : nil,
         "default_password" => has_default_user ? node["keystone"]["default"]["password"] : nil,
         "service_project" => node["keystone"]["service"]["project"],
-        "service_tenant" => node["keystone"]["service"]["project"]
+        "service_tenant" => node["keystone"]["service"]["project"],
+        "websso_enabled" => websso_enabled(node),
+        "trusted_dashboards" => trusted_dashboards(node)
       }
     end
 

chef/cookbooks/keystone/recipes/server.rb

@@ -31,8 +31,14 @@
 # useful with .openrc
 package "python-openstackclient"
 
+# FIXME(gyee): need a more elegant way to update the default auth methods
+# if these happened to change from one release to another.
+auth_methods = "password,token,oauth1,mapped,application_credential"
+
 ha_enabled = node[:keystone][:ha][:enabled]
 
+keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name)
+
 if ha_enabled
   log "HA support for keystone is enabled"
   admin_address = Chef::Recipe::Barclamp::Inventory.get_network_by_type(node, "admin").address
@@ -48,6 +54,35 @@
   bind_service_port = node[:keystone][:api][:service_port]
 end
 
+# verify the OpenID Connect Federation parameters
+openidc_enabled = node[:keystone][:federation][:openidc][:enabled]
+openidc_provider = node[:keystone][:federation][:openidc][:identity_provider]
+openidc_response_type = node[:keystone][:federation][:openidc][:response_type]
+openidc_scope = node[:keystone][:federation][:openidc][:scope]
+openidc_metadata_url = node[:keystone][:federation][:openidc][:metadata_url]
+openidc_client_id = node[:keystone][:federation][:openidc][:client_id]
+openidc_client_secret = node[:keystone][:federation][:openidc][:client_secret]
+openidc_passphrase = node[:keystone][:federation][:openidc][:passphrase]
+openidc_redirect_uri = node[:keystone][:federation][:openidc][:redirect_uri]
+
+openidc_attributes = {
+  "openidc_response_type" => openidc_response_type,
+  "openidc_scope" => openidc_scope,
+  "openidc_metadata_url" => openidc_metadata_url,
+  "openidc_client_id" => openidc_client_id,
+  "openidc_client_secret" => openidc_client_secret,
+  "openidc_passphrase" => openidc_passphrase,
+  "openidc_provider" => openidc_provider
+}
+
+if openidc_enabled
+  auth_methods = "#{auth_methods},openid"
+  openidc_attributes.each do |openidc_attr_name, openidc_attr_value|
+    raise "#{openidc_attr_name} is required and cannot be an empty value" if
+        openidc_attr_value.empty?
+  end
+end
+
 # Ideally this would be called admin_host, but that's already being
 # misleadingly used to store a value which actually represents the
 # service bind address.
@@ -136,6 +171,17 @@
     ignore_failure true
   end
 
+  # automagically populate the redirect_uri if user does not specify one
+  if openidc_redirect_uri.empty?
+    openidc_redirect_uri = ::File.join(
+      keystone_settings["websso_keystone_url"],
+      "/OS-FEDERATION/identity_providers/#{openidc_provider}/protocols/openid/auth"
+    )
+  end
+
+  package "apache2-mod_auth_openidc" if openidc_enabled
+  apache_module "auth_openidc" if openidc_enabled
+
   crowbar_openstack_wsgi "WSGI entry for keystone-public" do
     bind_host bind_service_host
     bind_port bind_service_port
@@ -153,6 +199,16 @@
     ssl_cacert node[:keystone][:ssl][:ca_certs] unless node[:keystone][:ssl][:insecure]
     # LDAP backend can be slow..
     timeout 600
+    # auth_openidc configuration
+    openidc_enabled openidc_enabled
+    openidc_provider openidc_provider
+    openidc_response_type openidc_response_type
+    openidc_scope openidc_scope
+    openidc_metadata_url openidc_metadata_url
+    openidc_client_id openidc_client_id
+    openidc_client_secret openidc_client_secret
+    openidc_passphrase openidc_passphrase
+    openidc_redirect_uri openidc_redirect_uri
   end
 
   apache_site "keystone-public.conf" do
@@ -176,6 +232,16 @@
     ssl_cacert node[:keystone][:ssl][:ca_certs] unless node[:keystone][:ssl][:insecure]
     # LDAP backend can be slow..
     timeout 600
+    # auth_openidc configuration
+    openidc_enabled openidc_enabled
+    openidc_provider openidc_provider
+    openidc_response_type openidc_response_type
+    openidc_scope openidc_scope
+    openidc_metadata_url openidc_metadata_url
+    openidc_client_id openidc_client_id
+    openidc_client_secret openidc_client_secret
+    openidc_passphrase openidc_passphrase
+    openidc_redirect_uri openidc_redirect_uri
   end
 
   apache_site "keystone-admin.conf" do
@@ -265,7 +331,11 @@
       protocol: node[:keystone][:api][:protocol],
       frontend: node[:keystone][:frontend],
       rabbit_settings: fetch_rabbitmq_settings,
-      profiler_settings: profiler_settings
+      profiler_settings: profiler_settings,
+      websso_enabled: keystone_settings["websso_enabled"],
+      trusted_dashboards: keystone_settings["trusted_dashboards"],
+      auth_methods: auth_methods,
+      openidc_enabled: openidc_enabled
     )
     if node[:keystone][:frontend] == "apache"
       notifies :create, resources(ruby_block: "set origin for apache2 restart"), :immediately
@@ -579,8 +649,6 @@
 
 include_recipe "keystone::update_endpoint"
 
-keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name)
-
 template "/root/.openrc" do
   source "openrc.erb"
   owner "root"

chef/cookbooks/keystone/templates/default/keystone.conf.erb

@@ -114,4 +114,19 @@ enabled = true
 trace_sqlalchemy = <%= @profiler_settings[:trace_sqlalchemy] ? "true" : "false" %>
 hmac_keys = <%= @profiler_settings[:hmac_keys].join(",") %>
 connection_string = <%= @profiler_settings[:connection_string] %>
-<% end -%>
+<% end -%>
+
+<% if @websso_enabled %>
+[federation]
+<% @trusted_dashboards.each do |trusted_dashboard_url| -%>
+trusted_dashboard = <%= trusted_dashboard_url %>
+<% end -%>
+
+<% if @openidc_enabled -%>
+[openid]
+remote_id_attribute = HTTP_OIDC_ISS
+<% end -%>
+<% end -%>
+
+[auth]
+methods = <%= @auth_methods %>