feat: add a param for arbitrary federation OIDCRedirectURI

Allows to override federation OIDCRedirectURI generated from
keystone_url and idp_name with an arbitrary URI. Use case example [1]
DISCLAIMER necessary - currently I work at INFN, the research institute
behind INDIGO IAM

[1] https://indigo-dc.gitbook.io/keystone-with-oidc-documentation/admin-iam-conf/admin-multi-conf

Closes-Bug: #2055041
Change-Id: I82bdbf832c4716e6a700fae9296f043f676dbafe
(cherry picked from commit 68e0919788)

manifests/federation/openidc.pp

@@ -101,6 +101,10 @@
 #  "both": claims/tokens are passed as both headers as well as environment variables (default)
 #  Defaults to undef
 #
+# [*openidc_redirect_uri*]
+#  (Optional) An arbitrary URI for OIDCRedirectURI. Defaults to undef, in this
+#  case the URI is generated from keystone_url and idp_name.
+#
 # [*memcached_servers*]
 #  (Optional) A list of memcache servers. Defaults to undef.
 #
@@ -168,6 +172,7 @@ class keystone::federation::openidc (
   $openidc_verify_method          = 'introspection',
   $openidc_pass_userinfo_as       = undef,
   $openidc_pass_claim_as          = undef,
+  $openidc_redirect_uri           = undef,
   $memcached_servers              = undef,
   $redis_server                   = undef,
   $redis_password                 = undef,

releasenotes/notes/openidc_redirect_uri-a6f9a2adf87ec5e3.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``keystone::federation::openidc::openidc_redirect_uri`` parameter
+    has been added.

spec/classes/keystone_federation_openidc_spec.rb

@@ -79,6 +79,19 @@ describe 'keystone::federation::openidc' do
         expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
         expect(content).to match('OIDCClientID "openid_client_id"')
         expect(content).to match('OIDCClientSecret "openid_client_secret"')
+        expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth"')
+      end
+    end
+
+    context 'with redirect uri overridden' do
+      before do
+        params.merge!({
+          :openidc_redirect_uri => 'CUSTOM_URI'
+        })
+      end
+      it 'should contain the expected redirect uri' do
+        content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCRedirectURI "CUSTOM_URI"')
       end
     end
 

templates/openidc.conf.erb

@@ -55,7 +55,11 @@
   OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
 <%- end -%>
 
+<%- if scope['::keystone::federation::openidc::openidc_redirect_uri'] != nil -%>
+  OIDCRedirectURI "<%= scope['::keystone::federation::openidc::openidc_redirect_uri'] %>"
+<% else %>
   OIDCRedirectURI "<%= @keystone_url -%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth"
+<%- end -%>
 
 <%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
   <%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%>