class ManageIQ::ApplianceConsole::OIDCAuthentication

Constants

INTROSPECT_ENDPOINT_ERROR
INTROSPECT_SUFFIX
URL_SUFFIX

Attributes

host[RW]
options[RW]

Public Class Methods

new(options)
# File lib/manageiq/appliance_console/oidc_authentication.rb, line 15
# Keep the caller-supplied options for the later configure/unconfigure run.
#
# @param options [Hash] keys read by this class: :oidc_url, :oidc_client_id,
#   :oidc_client_secret, :oidc_introspection_endpoint, :oidc_insecure,
#   :oidc_enable_sso (the error messages refer to the matching --oidc-* flags)
def initialize(options)
  @options = options
end

Public Instance Methods

configure(host)
# File lib/manageiq/appliance_console/oidc_authentication.rb, line 19
# Enable OpenID-Connect authentication on the appliance for +host+.
#
# Validates the required options, resolves the introspection endpoint
# (fetching it from the provider when it was not supplied), installs the
# Apache OIDC config files, switches the appliance auth settings to OIDC
# and restarts httpd.
#
# @param host [String] appliance host name rendered into the Apache config
# @return [Boolean] true on success; false after reporting the failure,
#   with spawned-command failures additionally passed to log_command_error
def configure(host)
  @host = host

  validate_oidc_options
  derive_introspection_endpoint
  say("Configuring OpenID-Connect Authentication for https://#{host} ...")

  copy_apache_oidc_configfiles
  configure_auth_settings_oidc
  restart_httpd
  true
rescue => e
  # Only command failures get the detailed log entry; every other error is
  # just reported to the user.
  log_command_error(e) if e.is_a?(AwesomeSpawn::CommandResultError)
  say("Failed to Configure OpenID-Connect Authentication - #{e}")
  false
end
unconfigure()
# File lib/manageiq/appliance_console/oidc_authentication.rb, line 38
# Disable OpenID-Connect authentication: remove the Apache OIDC config
# files, switch the appliance auth settings back to database and restart
# httpd.
#
# @return [Boolean] true on success; false after reporting the failure.
#   Calling this when the appliance is not OIDC-configured raises a
#   RuntimeError that is caught by the generic rescue, so it also yields false.
def unconfigure
  raise "Appliance is not currently configured for OpenID-Connect" unless configured?

  say("Unconfiguring OpenID-Connect Authentication ...")
  remove_apache_oidc_configfiles
  configure_auth_settings_database
  restart_httpd
  true
rescue => e
  # Command failures are logged in detail; everything else is only reported.
  log_command_error(e) if e.is_a?(AwesomeSpawn::CommandResultError)
  say("Failed to Unconfigure OpenID-Connect Authentication - #{e}")
  false
end

Private Instance Methods

configure_auth_settings_oidc()

Appliance Settings

# File lib/manageiq/appliance_console/oidc_authentication.rb, line 120
# Point the appliance authentication settings at httpd/OIDC.
#
# SSO is enabled only when --oidc-enable-sso was given; the option value is
# normalised to a strict true/false before it is stored.
def configure_auth_settings_oidc
  say("Setting Appliance Authentication Settings to OpenID-Connect ...")

  sso_enabled = options[:oidc_enable_sso] ? true : false
  settings = {
    :mode          => "httpd",
    :httpd_role    => true,
    :saml_enabled  => false,
    :oidc_enabled  => true,
    :sso_enabled   => sso_enabled,
    :provider_type => "oidc"
  }
  configure_auth_settings(**settings)
end
configured?()
# File lib/manageiq/appliance_console/oidc_authentication.rb, line 83
# Whether the appliance currently has the OIDC external-auth Apache config
# installed (presence of the rendered file under HTTPD_CONFIG_DIRECTORY).
#
# @return [Boolean]
def configured?
  external_auth_conf = HTTPD_CONFIG_DIRECTORY.join("manageiq-external-auth-openidc.conf")
  File.exist?(external_auth_conf)
end
copy_apache_oidc_configfiles()

Apache OpenID-Connect Configuration

# File lib/manageiq/appliance_console/oidc_authentication.rb, line 59
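# Install the Apache OpenID-Connect config files into HTTPD_CONFIG_DIRECTORY.
#
# Copies the static remote-user config and renders the external-auth
# template with the host, provider metadata URL, client credentials and
# introspection endpoint taken from +options+. With --oidc-insecure the
# rendered file additionally gets the two directives that turn off TLS
# certificate validation of the provider (the Apache-side counterpart of
# VERIFY_NONE in fetch_introspection_endpoint).
def copy_apache_oidc_configfiles
  debug_msg("Copying Apache OpenID-Connect Config files ...")
  copy_template(HTTPD_CONFIG_DIRECTORY, "manageiq-remote-user-openidc.conf")
  copy_template(HTTPD_CONFIG_DIRECTORY, "manageiq-external-auth-openidc.conf.erb",
                :miq_appliance               => host,
                :oidc_provider_metadata_url  => options[:oidc_url],
                :oidc_client_id              => options[:oidc_client_id],
                :oidc_client_secret          => options[:oidc_client_secret],
                :oidc_introspection_endpoint => options[:oidc_introspection_endpoint])
  return unless options[:oidc_insecure]

  # Build the path with Pathname#join like configured? and
  # remove_apache_oidc_configfiles do, instead of string-interpolating the
  # directory; the block form closes the file even if a write raises.
  rendered_conf = HTTPD_CONFIG_DIRECTORY.join("manageiq-external-auth-openidc.conf")
  File.open(rendered_conf, "a") do |f|
    f.write("\nOIDCSSLValidateServer      Off\n")
    f.write("OIDCOAuthSSLValidateServer Off\n")
  end
end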
derive_introspection_endpoint()
# File lib/manageiq/appliance_console/oidc_authentication.rb, line 95
# Make sure options[:oidc_introspection_endpoint] is set.
#
# An explicitly supplied endpoint is kept as is; otherwise it is looked up
# from the provider via fetch_introspection_endpoint and stored back into
# +options+.
#
# @raise [RuntimeError] INTROSPECT_ENDPOINT_ERROR when the lookup yields nothing
def derive_introspection_endpoint
  return if options[:oidc_introspection_endpoint].present?

  endpoint = fetch_introspection_endpoint
  options[:oidc_introspection_endpoint] = endpoint
  raise INTROSPECT_ENDPOINT_ERROR if endpoint.blank?
end
fetch_introspection_endpoint()
# File lib/manageiq/appliance_console/oidc_authentication.rb, line 102
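# Look up the provider's introspection endpoint from its metadata document.
#
# Performs a GET on options[:oidc_url], authenticating with the client
# id/secret as HTTP basic auth, and returns the "introspection_endpoint"
# value of the JSON body.
#
# @return [String, nil] the endpoint, or nil (after reporting via +say+) on
#   any failure: connection/TLS errors, a non-2xx status, an unparsable body
#   or a missing key
def fetch_introspection_endpoint
  uri = URI.parse(options[:oidc_url])
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == "https")
  # --oidc-insecure disables certificate validation of the provider here,
  # mirroring the OIDCSSLValidateServer Off directives written by
  # copy_apache_oidc_configfiles.
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if options[:oidc_insecure]

  # NOTE(review): the client secret goes out as basic auth on this request,
  # so with a plain http:// --oidc-url it is sent in cleartext.
  request = Net::HTTP::Get.new(uri.request_uri)
  request.basic_auth(options[:oidc_client_id], options[:oidc_client_secret])
  response = http.request(request)

  # Report an error status as such rather than as a JSON parse error on the
  # error page's body; the rescue below turns it into the usual nil result.
  raise "#{response.code} #{response.message} from #{uri.host}" unless response.is_a?(Net::HTTPSuccess)

  JSON.parse(response.body)["introspection_endpoint"]
rescue => err
  say("Failed to fetch introspection endpoint - #{err}")
  nil
end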
remove_apache_oidc_configfiles()
# File lib/manageiq/appliance_console/oidc_authentication.rb, line 77
# Delete the two Apache OpenID-Connect config files from HTTPD_CONFIG_DIRECTORY
# (the same files copy_apache_oidc_configfiles installs).
def remove_apache_oidc_configfiles
  debug_msg("Removing Apache OpenID-Connect Config files ...")

  remote_user_conf   = HTTPD_CONFIG_DIRECTORY.join("manageiq-remote-user-openidc.conf")
  external_auth_conf = HTTPD_CONFIG_DIRECTORY.join("manageiq-external-auth-openidc.conf")
  remove_file(remote_user_conf)
  remove_file(external_auth_conf)
end
validate_oidc_options()

OpenID-Connect IDP Metadata

# File lib/manageiq/appliance_console/oidc_authentication.rb, line 89
# Require the provider URL, client id and client secret to be present.
#
# The first missing option (in that order) raises, naming the CLI flag that
# supplies it.
#
# @raise [RuntimeError] when one of the three options is blank
def validate_oidc_options
  required = {
    :oidc_url           => "Must specify the OpenID-Connect Provider URL via --oidc-url",
    :oidc_client_id     => "Must specify the OpenID-Connect Client ID via --oidc-client-id",
    :oidc_client_secret => "Must specify the OpenID-Connect Client Secret via --oidc-client-secret"
  }
  missing_key, message = required.find { |key, _| options[key].blank? }
  raise message if missing_key
end