openstack/puppet-keystone
Code Issues Proposed changes

feat: add param for additional OIDC locations

Browse Source 
Add keystone::federation::openidc::additional_locations to add extra
Location directives in OIDC WSGI config

Change-Id: Ibc9becd17558cf66af4d9cf5ac8d7d8123daacc1
This commit is contained in:
Francesco Di Nucci
2024-07-02 08:08:01 +02:00
committed by Francesco Di Nucci
parent e4acfc9f29
commit 81d2a80f0a
4 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
manifests/federation/openidc.pp
View File

@@ -110,6 +110,19 @@
# (Optional) An arbitrary URI for OIDCRedirectURI. Defaults to undef, in this # (Optional) An arbitrary URI for OIDCRedirectURI. Defaults to undef, in this
# case the URI is generated from keystone_url and idp_name. # case the URI is generated from keystone_url and idp_name.
# #
# [*additional_locations*]
# (Optional) Array of hashes of additional Apache <Location> directives with
# mod_auth_openidc configuration. Accepted parameters are url, authtype,
# oidcdiscoverurl (optional), requireoidc, loglevel (optional)
# Example:
# additional_locations => [{
# url => "/v3/auth/OS-FEDERATION/a-custom-url-needed-somehow",
# authtype => "openid-connect",
# oidcdiscoverurl => "https://my-endpoint.example.com:40000",
# requireoidc => "claim iss:https://iam.example.com",
# loglevel => "debug"
# }]
#
# [*memcached_servers*] # [*memcached_servers*]
# (Optional) A list of memcache servers. Defaults to undef. # (Optional) A list of memcache servers. Defaults to undef.
# #
@@ -179,6 +192,7 @@ class keystone::federation::openidc (
$openidc_pass_userinfo_as = undef, $openidc_pass_userinfo_as = undef,
$openidc_pass_claim_as = undef, $openidc_pass_claim_as = undef,
$openidc_redirect_uri = undef, $openidc_redirect_uri = undef,
Optional[Array[Hash]] $additional_locations = undef,
$memcached_servers = undef, $memcached_servers = undef,
$redis_server = undef, $redis_server = undef,
$redis_password = undef, $redis_password = undef,

5
releasenotes/notes/additional-locations-oidc-a4a2dc4d656e3f58.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
features:
- |
Add ``keystone::federation::openidc::additional_locations`` to specify
additional Apache Location directives with mod_auth_openidc parameters.

18
spec/classes/keystone_federation_openidc_spec.rb
View File

@@ -166,6 +166,24 @@ describe 'keystone::federation::openidc' do
end end
context 'with additional location' do
before do
params.merge!({
:additional_locations => [{
url: "/v3/auth/a-custom-url",
authtype: "openid-connect",
oidcdiscoverurl: "https://my-endpoint.example.com:40000",
requireoidc: "claim iss:https://iam.example.com",
loglevel: "debug"
}]
})
end
it 'should contain the expected additional location' do
content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
expect(content).to match('/v3/auth/a-custom-url')
end
end
context 'with memcache options' do context 'with memcache options' do
before do before do
params.merge!({ params.merge!({

16
templates/openidc.conf.erb
View File

@@ -96,3 +96,19 @@
AuthType "openid-connect" AuthType "openid-connect"
Require valid-user Require valid-user
</Location> </Location>
<%- if @additional_locations -%>
# Additional Location directives from keystone::federation::openidc:locations
<% @additional_locations.each do |loc| %>
<Location "<%= loc['url'] %>">
AuthType "<%= loc['authtype'] %>"
<%- if loc['oidcdiscoverurl'] -%>
OIDCDiscoverURL <%= loc['oidcdiscoverurl'] %>
<%- end -%>
Require <%= loc['requireoidc'] %>
<%- if loc['loglevel'] -%>
LogLevel <%= loc['loglevel'] %>
<%- end -%>
</Location>
<%- end -%>
<%- end -%>