{%- from "keystone/map.jinja" import server with context %}
{# Per-site Apache pillar for the site this vhost file is rendered for; `site_name`
   must be supplied by the calling state. NOTE(review): `site` is not referenced
   anywhere in this template as far as visible here -- presumably used by the
   included apache/files/_*.conf snippets; verify before removing. #}
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
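{% macro setup_oidc() -%}
# ---------------------------------------------------------------------------
# OpenID Connect federation (mod_auth_openidc), rendered from
# server.federation.oidc. Every directive guarded by "is defined" is optional
# and is only emitted when the matching pillar key is set.
# ---------------------------------------------------------------------------
# Static issuer value exported to the WSGI environment. The pillar key name
# suggests keystone's remote_id_attribute is configured as HTTP_OIDC_ISS --
# confirm against keystone.conf.
SetEnv HTTP_OIDC_ISS {{ server.federation.oidc.remote_id_attribute_value }}
{% if server.federation.oidc.oidc_claim_prefix is defined %}
OIDCClaimPrefix "{{ server.federation.oidc.oidc_claim_prefix }}"
{%- endif %}
OIDCClientID "{{ server.federation.oidc.oidc_client_id }}"
{% if server.federation.oidc.oidc_client_secret is defined %}
# Secret material is rendered in clear text into this file: keep it readable by
# root and the Apache user only, and keep it out of logs and backups.
OIDCClientSecret "{{ server.federation.oidc.oidc_client_secret }}"
{%- endif %}
# Mandatory in this template (no "is defined" guard). Per mod_auth_openidc this
# passphrase protects the module's state/session cookies; treat it as a secret.
OIDCCryptoPassphrase "{{ server.federation.oidc.oidc_crypto_passphrase }}"
OIDCRedirectURI "{{ server.federation.oidc.oidc_redirect_uri }}"
{% if server.federation.oidc.oidc_provider_metadata_url is defined %}
# Discovery document; alternative to the explicit OIDCProvider* endpoints below.
OIDCProviderMetadataURL "{{ server.federation.oidc.oidc_provider_metadata_url }}"
{%- endif %}
{% if server.federation.oidc.oidc_response_type is defined %}
OIDCResponseType "{{ server.federation.oidc.oidc_response_type }}"
{%- endif %}
{% if server.federation.oidc.oidc_scope is defined %}
OIDCScope "{{ server.federation.oidc.oidc_scope }}"
{%- endif %}
{% if server.federation.oidc.oidc_ssl_validate_server is defined %}
# "Off" disables TLS certificate validation towards the provider: lab use only.
OIDCSSLValidateServer "{{ server.federation.oidc.oidc_ssl_validate_server }}"
{%- endif %}
{% if server.federation.oidc.oidc_oauth_ssl_validate_server is defined %}
# "Off" disables TLS certificate validation towards the introspection endpoint:
# lab use only.
OIDCOAuthSSLValidateServer "{{ server.federation.oidc.oidc_oauth_ssl_validate_server }}"
{%- endif %}
# Bearer-token validation for the "AuthType oauth20" location below: either
# remote introspection (OIDCOAuthIntrospection*) or local JWT verification
# (OIDCOAuthVerifyJwksUri / SharedKeys / CertFiles).
{% if server.federation.oidc.oidc_oauth_introspection_endpoint is defined %}
OIDCOAuthIntrospectionEndpoint "{{ server.federation.oidc.oidc_oauth_introspection_endpoint }}"
{%- endif %}
{% if server.federation.oidc.oidc_oauth_introspection_token_param_name is defined %}
OIDCOAuthIntrospectionTokenParamName "{{ server.federation.oidc.oidc_oauth_introspection_token_param_name }}"
{%- endif %}
{% if server.federation.oidc.oidc_oauth_remote_user_claim is defined %}
# Claim that becomes REMOTE_USER for bearer-token requests.
OIDCOAuthRemoteUserClaim "{{ server.federation.oidc.oidc_oauth_remote_user_claim }}"
{%- endif %}
{% if server.federation.oidc.oidc_oauth_verify_jwks_uri is defined %}
OIDCOAuthVerifyJwksUri "{{ server.federation.oidc.oidc_oauth_verify_jwks_uri }}"
{%- endif %}
{% if server.federation.oidc.oidc_token_iat_slack is defined %}
# Allowed clock skew (seconds) when checking the ID token "iat" claim.
OIDCIDTokenIatSlack "{{ server.federation.oidc.oidc_token_iat_slack }}"
{%- elif server.federation.oidc.odic_token_iat_slack is defined %}
# Legacy pillar key "odic_token_iat_slack" (misspelt) is still honoured for
# backwards compatibility; prefer "oidc_token_iat_slack".
OIDCIDTokenIatSlack "{{ server.federation.oidc.odic_token_iat_slack }}"
{%- endif %}
{% if server.federation.oidc.oidc_provider_issuer is defined %}
OIDCProviderIssuer "{{ server.federation.oidc.oidc_provider_issuer }}"
{%- endif %}
{% if server.federation.oidc.oidc_provider_authorization_endpoint is defined %}
OIDCProviderAuthorizationEndpoint "{{ server.federation.oidc.oidc_provider_authorization_endpoint }}"
{%- endif %}
{% if server.federation.oidc.oidc_provider_token_endpoint is defined %}
OIDCProviderTokenEndpoint "{{ server.federation.oidc.oidc_provider_token_endpoint }}"
{%- endif %}
{% if server.federation.oidc.oidc_provider_token_endpoint_auth is defined %}
OIDCProviderTokenEndpointAuth "{{ server.federation.oidc.oidc_provider_token_endpoint_auth }}"
{%- endif %}
{% if server.federation.oidc.oidc_provider_user_info_endpoint is defined %}
OIDCProviderUserInfoEndpoint "{{ server.federation.oidc.oidc_provider_user_info_endpoint }}"
{%- endif %}
{% if server.federation.oidc.oidc_provider_jwks_uri is defined %}
OIDCProviderJwksUri "{{ server.federation.oidc.oidc_provider_jwks_uri }}"
{%- endif %}
{%- if server.federation.oidc.oidc_oauth_verify_shared_keys is defined %}
{%- set shared_keys_list = [] %}
{%- for shared_key_def in server.federation.oidc.oidc_oauth_verify_shared_keys %}
{%- do shared_keys_list.append("\""+shared_key_def.type+"#"+shared_key_def.kid+"#"+shared_key_def.key+"\"") %}
{%- endfor %}
# Each entry renders as "type#kid#key": symmetric key material lands in this
# file in clear text, so the same file-permission caveat as for secrets applies.
OIDCOAuthVerifySharedKeys {{ shared_keys_list|join(" ") }}
{%- endif %}
{%- if server.federation.oidc.oidc_oauth_verify_cert_files is defined %}
{%- set cert_files_list = [] %}
{%- for cert_file_def in server.federation.oidc.oidc_oauth_verify_cert_files %}
{%- do cert_files_list.append("\""+cert_file_def.kid+"#"+cert_file_def.filename+"\"") %}
{%- endfor %}
# Each entry renders as "kid#filename"; only the path is stored here.
OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
{%- endif %}
# Bearer-token protected federation auth endpoint. "Require valid-user" accepts
# any identity the provider vouches for at the Apache layer; what it may do is
# left to keystone's federation mapping.
<LocationMatch "/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth">
AuthType oauth20
Require valid-user
</LocationMatch>
# Interactive (WebSSO) endpoints: unauthenticated browsers are sent to the
# provider by mod_auth_openidc.
<LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
AuthType openid-connect
Require valid-user
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
AuthType openid-connect
Require valid-user
</LocationMatch>
{% endmacro -%}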
{% macro setup_saml2() -%}
# ---------------------------------------------------------------------------
# SAML2 federation (Shibboleth SP, mod_shib), rendered from
# server.federation.saml2. Both directives below are optional and only emitted
# when the matching pillar key is set.
# ---------------------------------------------------------------------------
{% if server.federation.saml2.shib_url_scheme is defined %}
# Scheme the SP uses when building its own URLs (relevant behind a TLS
# terminating proxy).
ShibURLScheme {{ server.federation.saml2.shib_url_scheme }}
{%- endif %}
{% if server.federation.saml2.shib_compat_valid_user is defined %}
ShibCompatValidUser {{ server.federation.saml2.shib_compat_valid_user }}
{%- endif %}
# Shibboleth SP handler (metadata, session, SAML endpoints).
<Location /Shibboleth.sso>
SetHandler shib
</Location>
# Each federation endpoint requires an established Shibboleth session and
# accepts any authenticated user at the Apache layer ("Require valid-user");
# the raw assertion is not exported into the request environment
# (ShibExportAssertion Off), only the mapped attributes are.
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</LocationMatch>
<LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</LocationMatch>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</LocationMatch>
{% endmacro -%}
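{#- Both listeners bind to the same address: an explicit server.bind.address
    wins, otherwise server.bind.public_address is used. -#}
{%- set bind_address = server.bind.address if server.bind.address is defined else server.bind.public_address -%}
# Keystone listeners: 5000 serves the public WSGI app, 35357 the admin one.
Listen {{ bind_address }}:5000
Listen {{ bind_address }}:35357
<VirtualHost {{ bind_address }}:5000>
{%- include "apache/files/_name.conf" %}
{%- include "apache/files/_core.conf" %}
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
# One single-threaded worker per CPU, running as the unprivileged keystone user.
WSGIDaemonProcess keystone-public processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
# Hand the client's Authorization header through to keystone instead of
# letting Apache consume it.
WSGIPassAuthorization On
# Cap request bodies at 112 KiB (114688 bytes); keystone requests are small
# JSON documents, this bounds memory spent on abusive uploads.
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
{%- include "apache/files/_log.conf" %}
# Lets mod_wsgi execute the keystone-wsgi-* scripts living here. Requests
# should never map to the directory itself because "WSGIScriptAlias /" claims
# the whole URL space above.
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
{% if server.get('federation', {}).saml2 is defined %}
# Explicit mapping for the federation auth URLs (only rendered when SAML2 is
# enabled); the protected LocationMatch blocks come from setup_saml2().
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
{{ setup_saml2() }}
{%- endif %}
{% if server.get('federation', {}).oidc is defined %}
{{ setup_oidc() }}
{%- endif %}
# NOTE(review): the admin WSGI app is also reachable on the *public* listener
# under /identity_admin. Confirm this is intended and that _locations.conf (or
# an upstream proxy) restricts who can reach it.
Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
</VirtualHost>
<VirtualHost {{ bind_address }}:35357>
{%- include "apache/files/_name.conf" %}
{%- include "apache/files/_core.conf" %}
{%- include "apache/files/_ssl.conf" %}
{%- include "apache/files/_locations.conf" %}
# Same worker model as the public vhost, separate process group.
WSGIDaemonProcess keystone-admin processes={{ grains.num_cpus }} threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
# Same 112 KiB body cap as the public vhost.
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
{%- include "apache/files/_log.conf" %}
# See the public vhost: grants mod_wsgi access to the scripts in /usr/bin.
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
{% if server.get('federation', {}).saml2 is defined %}
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
{{ setup_saml2() }}
{%- endif %}
{% if server.get('federation', {}).oidc is defined %}
{{ setup_oidc() }}
{%- endif %}
# Mirror of /identity_admin on the public vhost: the public app is also
# reachable on the admin listener under /identity.
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
</VirtualHost>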