feat: add a param for arbitrary federation OIDCRedirectURI

Allows to override federation OIDCRedirectURI generated from keystone_url and idp_name with an arbitrary URI. Use case example [1] DISCLAIMER necessary - currently I work at INFN, the research institute behind INDIGO IAM [1] https://indigo-dc.gitbook.io/keystone-with-oidc-documentation/admin-iam-conf/admin-multi-conf Closes-Bug: #2055041 Change-Id: I82bdbf832c4716e6a700fae9296f043f676dbafe (cherry picked from commit 68e0919788)
2024-06-19 16:20:32 +02:00 · 2024-06-19 16:20:32 +02:00 · 5512e49da2
commit 5512e49da2
parent 5e802ac29d
4 changed files with 27 additions and 0 deletions
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@ -101,6 +101,10 @@
 #  "both": claims/tokens are passed as both headers as well as environment variables (default)
 #  Defaults to undef
 #
+# [*openidc_redirect_uri*]
+#  (Optional) An arbitrary URI for OIDCRedirectURI. Defaults to undef, in this
+#  case the URI is generated from keystone_url and idp_name.
+#
 # [*memcached_servers*]
 #  (Optional) A list of memcache servers. Defaults to undef.
 #
@ -168,6 +172,7 @@ class keystone::federation::openidc (
  $openidc_verify_method          = 'introspection',
  $openidc_pass_userinfo_as       = undef,
  $openidc_pass_claim_as          = undef,
+  $openidc_redirect_uri           = undef,
  $memcached_servers              = undef,
  $redis_server                   = undef,
  $redis_password                 = undef,
--- a/releasenotes/notes/openidc_redirect_uri-a6f9a2adf87ec5e3.yaml
+++ b/releasenotes/notes/openidc_redirect_uri-a6f9a2adf87ec5e3.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``keystone::federation::openidc::openidc_redirect_uri`` parameter
+    has been added.
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@ -79,6 +79,19 @@ describe 'keystone::federation::openidc' do
        expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
        expect(content).to match('OIDCClientID "openid_client_id"')
        expect(content).to match('OIDCClientSecret "openid_client_secret"')
+        expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth"')
+      end
+    end
+
+    context 'with redirect uri overridden' do
+      before do
+        params.merge!({
+          :openidc_redirect_uri => 'CUSTOM_URI'
+        })
+      end
+      it 'should contain the expected redirect uri' do
+        content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCRedirectURI "CUSTOM_URI"')
      end
    end

--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@ -55,7 +55,11 @@
  OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
 <%- end -%>

+<%- if scope['::keystone::federation::openidc::openidc_redirect_uri'] != nil -%>
+  OIDCRedirectURI "<%= scope['::keystone::federation::openidc::openidc_redirect_uri'] %>"
+<% else %>
  OIDCRedirectURI "<%= @keystone_url -%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth"
+<%- end -%>

 <%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
  <%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%>