From 5512e49da257d2340598dd5b7d762025b81bc87f Mon Sep 17 00:00:00 2001
From: Francesco Di Nucci
Date: Wed, 19 Jun 2024 16:20:32 +0200
Subject: [PATCH] feat: add a param for arbitrary federation OIDCRedirectURI
Allows to override federation OIDCRedirectURI generated from keystone_url and idp_name with an arbitrary URI.
Use case example [1]
DISCLAIMER necessary - currently I work at INFN, the research institute behind INDIGO IAM
[1] https://indigo-dc.gitbook.io/keystone-with-oidc-documentation/admin-iam-conf/admin-multi-conf
Closes-Bug: #2055041
Change-Id: I82bdbf832c4716e6a700fae9296f043f676dbafe
(cherry picked from commit 68e091978887937a46bf9dd389e4b9d85079ac59)
---
 manifests/federation/openidc.pp | 5 +++++
 .../openidc_redirect_uri-a6f9a2adf87ec5e3.yaml | 5 +++++
 spec/classes/keystone_federation_openidc_spec.rb | 13 +++++++++++++
 templates/openidc.conf.erb | 4 ++++
 4 files changed, 27 insertions(+)
 create mode 100644 releasenotes/notes/openidc_redirect_uri-a6f9a2adf87ec5e3.yaml
diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp
index 751b34627..f8971676c 100644
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@@ -101,6 +101,10 @@
 # "both": claims/tokens are passed as both headers as well as environment variables (default)
 # Defaults to undef
 #
+# [*openidc_redirect_uri*] # (Optional) An arbitrary URI for OIDCRedirectURI. Defaults to undef, in this # case the URI is generated from keystone_url and idp_name.
+#
 # [*memcached_servers*]
 # (Optional) A list of memcache servers. Defaults to undef.
 #
@@ -168,6 +172,7 @@ class keystone::federation::openidc (
 $openidc_verify_method = 'introspection',
 $openidc_pass_userinfo_as = undef,
 $openidc_pass_claim_as = undef,
+ $openidc_redirect_uri = undef,
 $memcached_servers = undef,
 $redis_server = undef,
 $redis_password = undef,
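Review bot: The new `$openidc_redirect_uri = undef,` parameter carries no type, and the template branch that consumes it (templates/openidc.conf.erb later in this patch) tests `!= nil`, so a caller passing an empty string is treated as an override and the rendered config gets `OIDCRedirectURI ""` rather than falling back to the generated URI. If this module types its parameters (the neighbouring lines in this hunk do not, so this may be a convention question), `Optional[String[1]] $openidc_redirect_uri = undef,` rejects that at catalog compile time instead of producing a broken Apache directive. The parameter documentation in the first hunk could also state the constraint an operator needs when choosing the value: `#   The value must be the exact redirect URI registered for this client at the identity provider.` The class parameter list continues outside the hunk.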
diff --git a/releasenotes/notes/openidc_redirect_uri-a6f9a2adf87ec5e3.yaml b/releasenotes/notes/openidc_redirect_uri-a6f9a2adf87ec5e3.yaml
new file mode 100644
index 000000000..1c6b2963f
--- /dev/null
+++ b/releasenotes/notes/openidc_redirect_uri-a6f9a2adf87ec5e3.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The new ``keystone::federation::openidc::openidc_redirect_uri`` parameter
+ has been added.
diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb
index 32918d551..5b991f8aa 100644
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@@ -79,6 +79,19 @@ describe 'keystone::federation::openidc' do
 expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
 expect(content).to match('OIDCClientID "openid_client_id"')
 expect(content).to match('OIDCClientSecret "openid_client_secret"')
+ expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth"')
+ end
+ end
+
+ context 'with redirect uri overridden' do
+ before do
+ params.merge!({
+ :openidc_redirect_uri => 'CUSTOM_URI'
+ })
+ end
+ it 'should contain the expected redirect uri' do
+ content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
+ expect(content).to match('OIDCRedirectURI "CUSTOM_URI"')
 end
 end
diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb
index 287e821c2..f51077118 100644
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
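Review bot: The `with redirect uri overridden` context only asserts that the custom value is present; it never asserts that the generated default line is gone, so a template that emitted both `OIDCRedirectURI` directives (the second of which Apache would take, silently ignoring the override) would still pass this spec. Adding `expect(content).not_to match('OIDCRedirectURI "http://localhost:5000')` next to the new expectation pins that exactly one directive is rendered. As a point of style, `match` with a String argument compiles it into a Regexp, so the unescaped `.` characters in the URLs match any character; `include('OIDCRedirectURI "CUSTOM_URI"')` asserts the literal text. The enclosing `describe` block starts and ends outside the hunk.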
@@ -55,7 +55,11 @@ OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
 <%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_redirect_uri'] != nil -%>
+ OIDCRedirectURI "<%= scope['::keystone::federation::openidc::openidc_redirect_uri'] %>"
+<% else %>
 OIDCRedirectURI "<%= @keystone_url -%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth"
+<%- end -%>
 <%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
 <%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%>