From b129837eaad26a3d332e54b3d23f260d868d49d9 Mon Sep 17 00:00:00 2001 From: Marcus Date: Wed, 28 Feb 2018 00:29:59 +0100 Subject: [PATCH] Allows the configuration of SSO choices for horizon This change allows enabling the WEBSSO login screen on horizon, which allows to choose from one or more configured SSO providers. Example configuration local_settings: auth: sso: enable: true initial_choice: "acme_oidc" idp_mapping: - name: "acme_oidc" label: "Acme Corporation - OpenID Connect" idp: "myidp1" protocol: "oidc" - name: "acme_saml2" label: "Acme Corporation - SAML2" idp: "myidp2" protocol: "saml2" The initial_choice defaults to "credentials" which is the default Keystone Credential authentication. The values for idp: and protocol: will be used to construct the redirect URL for keystone, which will look like: /v3/OS-FEDERATION/identity_providers//protocols//auth Change-Id: I44e11880292176114753274f965bcd0c2cd01302
---
 horizon/templates/etc/_local_settings.tpl | 24 +++++++++++++++++------
 horizon/values.yaml | 13 ++++++++++++
 2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/horizon/templates/etc/_local_settings.tpl b/horizon/templates/etc/_local_settings.tpl
index c146b808b0..7efbe3e548 100644
--- a/horizon/templates/etc/_local_settings.tpl
+++ b/horizon/templates/etc/_local_settings.tpl
@@ -177,21 +177,33 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
+
+{{- if .Values.local_settings.auth.sso.enabled }}
 # Enables keystone web single-sign-on if set to True.
-#WEBSSO_ENABLED = False
+WEBSSO_ENABLED = True
 # Determines which authentication choice to show as default.
-#WEBSSO_INITIAL_CHOICE = "credentials"
+WEBSSO_INITIAL_CHOICE = "{{ .Values.local_settings.auth.sso.initial_choice }}"
 # The list of authentication mechanisms
 # which include keystone federation protocols.
 # Current supported protocol IDs are 'saml2' and 'oidc'
 # which represent SAML 2.0, OpenID Connect respectively.
 # Do not remove the mandatory credentials mechanism.
-#WEBSSO_CHOICES = (
-# ("credentials", _("Keystone Credentials")),
-# ("oidc", _("OpenID Connect")),
-# ("saml2", _("Security Assertion Markup Language")))
+WEBSSO_CHOICES = (
+ ("credentials", _("Keystone Credentials")),
+ {{- range $i, $sso := .Values.local_settings.auth.idp_mapping }}
+ ({{ $sso.name | quote }}, {{ $sso.label | quote }}),
+ {{- end }}
+)
+
+WEBSSO_IDP_MAPPING = {
+ {{- range $i, $sso := .Values.local_settings.auth.idp_mapping }}
+ {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
+ {{- end }}
+}
+
+{{- end }}
 # Disable SSL certificate checks (useful for self-signed certificates):
 #OPENSTACK_SSL_NO_VERIFY = True
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 84f3d6bb62..21f252e63f 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
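Review bot: Both `range` lines read `.Values.local_settings.auth.idp_mapping`, but the values file in this same patch defines `idp_mapping` under `auth.sso`, so the range most likely iterates over nothing and the rendered `WEBSSO_CHOICES` contains only `credentials` while `WEBSSO_IDP_MAPPING` is an empty dict, even though `WEBSSO_ENABLED = True` is still emitted. Change both to `{{- range $sso := .Values.local_settings.auth.sso.idp_mapping }}` (the `$i` index is unused in either loop). Separately, `WEBSSO_INITIAL_CHOICE` interpolates the value inside hand-written double quotes while the neighbouring fields go through `| quote`; a value containing a double quote or backslash yields an unparsable settings file, so `WEBSSO_INITIAL_CHOICE = {{ .Values.local_settings.auth.sso.initial_choice | quote }}` is both safer and consistent. Nothing checks that `initial_choice` names an entry of the choices tuple; a comment above it such as `# Must be "credentials" or one of the idp_mapping names listed below` would at least document the contract for operators.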
@@ -66,6 +66,19 @@ local_settings:
 enable_firewall: "True"
 enable_vpn: "True"
 enable_fip_topology_check: "True"
+ auth:
+ sso:
+ enabled: False
+ initial_choice: "credentials"
+ idp_mapping:
+ - name: "acme_oidc"
+ label: "Acme Corporation - OpenID Connect"
+ idp: "myidp1"
+ protocol: "oidc"
+ - name: "acme_saml2"
+ label: "Acme Corporation - SAML2"
+ idp: "myidp2"
+ protocol: "saml2"
 conf:
 ceilometer_policy:
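Review bot: The shipped default `idp_mapping` is a pair of fictitious providers (`myidp1`/`myidp2`, labelled "Acme Corporation"), so an operator who flips `enabled` without also overriding the list gets a login screen that offers identity providers which do not exist in their Keystone; defaulting to `idp_mapping: []` and keeping the two example entries in `#` comments avoids that. `enabled: False` is a YAML 1.1 capitalised truthy; write `enabled: false`, since this key is consumed by a Helm `if` rather than emitted into Python like the neighbouring `enable_*` keys, which are deliberately the quoted strings `"True"`. The commit description shows the key as `enable: true` while this file defines `enabled`, so one of the two should be aligned before merge.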