feat: add param for additional OIDC locations

Add keystone::federation::openidc::additional_locations to add extra Location directives in OIDC WSGI config Change-Id: Ibc9becd17558cf66af4d9cf5ac8d7d8123daacc1
2024-07-02 08:08:01 +02:00 · 2024-07-02 08:08:01 +02:00 · 81d2a80f0a
commit 81d2a80f0a
parent e4acfc9f29
4 changed files with 53 additions and 0 deletions
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@ -110,6 +110,19 @@
 #  (Optional) An arbitrary URI for OIDCRedirectURI. Defaults to undef, in this
 #  case the URI is generated from keystone_url and idp_name.
 #
+# [*additional_locations*]
+#  (Optional) Array of hashes of additional Apache <Location> directives with
+#  mod_auth_openidc configuration. Accepted parameters are url, authtype,
+#  oidcdiscoverurl (optional), requireoidc, loglevel (optional)
+#  Example:
+#  additional_locations => [{
+#    url             => "/v3/auth/OS-FEDERATION/a-custom-url-needed-somehow",
+#    authtype        => "openid-connect",
+#    oidcdiscoverurl => "https://my-endpoint.example.com:40000",
+#    requireoidc     => "claim iss:https://iam.example.com",
+#    loglevel        => "debug"
+#  }]
+#
 # [*memcached_servers*]
 #  (Optional) A list of memcache servers. Defaults to undef.
 #
@ -179,6 +192,7 @@ class keystone::federation::openidc (
  $openidc_pass_userinfo_as                                = undef,
  $openidc_pass_claim_as                                   = undef,
  $openidc_redirect_uri                                    = undef,
+  Optional[Array[Hash]] $additional_locations              = undef,
  $memcached_servers                                       = undef,
  $redis_server                                            = undef,
  $redis_password                                          = undef,
--- a/releasenotes/notes/additional-locations-oidc-a4a2dc4d656e3f58.yaml
+++ b/releasenotes/notes/additional-locations-oidc-a4a2dc4d656e3f58.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add ``keystone::federation::openidc::additional_locations`` to specify
+    additional Apache Location directives with mod_auth_openidc parameters.
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@ -166,6 +166,24 @@ describe 'keystone::federation::openidc' do

    end

+    context 'with additional location' do
+      before do
+        params.merge!({
+          :additional_locations => [{
+            url:             "/v3/auth/a-custom-url",
+            authtype:        "openid-connect",
+            oidcdiscoverurl: "https://my-endpoint.example.com:40000",
+            requireoidc:     "claim iss:https://iam.example.com",
+            loglevel:        "debug"
+          }]
+        })
+      end
+      it 'should contain the expected additional location' do
+        content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
+        expect(content).to match('/v3/auth/a-custom-url')
+      end
+    end
+
    context 'with memcache options' do
      before do
        params.merge!({
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@ -96,3 +96,19 @@
      AuthType "openid-connect"
      Require valid-user
  </Location>
+
+<%- if @additional_locations -%>
+  # Additional Location directives from keystone::federation::openidc:locations
+<% @additional_locations.each do |loc| %>
+  <Location "<%= loc['url'] %>">
+    AuthType "<%= loc['authtype'] %>"
+  <%- if loc['oidcdiscoverurl'] -%>
+    OIDCDiscoverURL <%= loc['oidcdiscoverurl'] %>
+  <%- end -%>
+    Require <%= loc['requireoidc'] %>
+  <%- if loc['loglevel'] -%>
+    LogLevel <%= loc['loglevel'] %>
+  <%- end -%>
+  </Location>
+<%- end -%>
+<%- end -%>