1 files changed, 74 insertions, 0 deletions
diff --git a/devstack/lib/federation.sh b/devstack/lib/federation.sh
new file mode 100644
index 000000000..4f33bfe84
--- /dev/null
+++ b/devstack/lib/federation.sh
@@ -0,0 +1,74 @@
+# Copyright 2016 Massachusetts Open Cloud
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+function install_federation {
+    if is_ubuntu; then
+        install_package libapache2-mod-shib2
+
+        # Create a new keypair for Shibboleth
+        sudo shib-keygen -f
+
+        # Enable the Shibboleth module for Apache
+        sudo a2enmod shib2
+    else
+        # Note(knikolla): For CentOS/RHEL, installing shibboleth is tricky
+        # It requires adding a separate repo not officially supported
+        echo "Skipping installation of shibboleth for non ubuntu host"
+    fi
+}
+
+function configure_federation {
+    local keystone_apache_conf=$(apache_site_config_for keystone)
+
+    # Add WSGIScriptAlias directive to vhost configuration for port 5000
+    sudo sed -i -e "
+        /<VirtualHost \*:5000>/r $KEYSTONE_PLUGIN/files/federation/shib_apache_alias.txt
+    " $keystone_apache_conf
+
+    # Append to the keystone.conf vhost file a <Location> directive for the Shibboleth module
+    # and a <Location> directive for the identity provider
+    cat $KEYSTONE_PLUGIN/files/federation/shib_apache_handler.txt | sudo tee -a $keystone_apache_conf
+    sudo sed -i -e "s|%IDP_ID%|$IDP_ID|g;" $keystone_apache_conf
+
+    # Copy a templated /etc/shibboleth/shibboleth2.xml file...
+    sudo cp $KEYSTONE_PLUGIN/files/federation/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
+    # ... and replace the %HOST_IP% placeholder with the host ip
+    sudo sed -i -e "s|%HOST_IP%|$HOST_IP|g;" /etc/shibboleth/shibboleth2.xml
+
+    restart_service shibd
+
+    # Enable the mapped auth method in /etc/keystone.conf
+    iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
+    # Specify the header that contains information about the identity provider
+    iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider"
+}
+
+function register_federation {
+    local federated_domain=$(get_or_create_domain federated_domain)
+    local federated_project=$(get_or_create_project federated_project federated_domain)
+    local federated_users=$(get_or_create_group federated_users federated_domain)
+    local member_role=$(get_or_create_role Member)
+
+    openstack role add --group $federated_users --domain $federated_domain $member_role
+    openstack role add --group $federated_users --project $federated_project $member_role
+}
+
+function uninstall_federation {
+    if is_ubuntu; then
+        uninstall_package libapache2-mod-shib2
+        sudo rm -rf /etc/shibboleth
+    else
+        echo "Skipping uninstallation of shibboleth for non ubuntu host"
+    fi
+}