Unhardcoded auth urls for oidc
Change-Id: I4dd0f42e9df9674b21a423f892f42a22ee32133e
Related-Prod: PROD-30447
diff --git a/README.rst b/README.rst
index 957c72a..0ec9620 100644
--- a/README.rst
+++ b/README.rst
@@ -1008,6 +1008,21 @@
.. code-block::
+Setup auth urls for oidc:
+---------------
+.. code-block:: yaml
+
+ keystone:
+ server:
+ federation:
+ oidc:
+ idp_protocols_auth_url: '/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth_url'
+ idp_protocols_websso_url: '/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso_url'
+ websso_url: '/v3/OS-FEDERATION/websso/oidc_url'
+
+
+.. code-block::
+
Upgrades
========
diff --git a/keystone/files/ocata/wsgi-keystone.conf b/keystone/files/ocata/wsgi-keystone.conf
index 3c18ef8..bd40f4a 100644
--- a/keystone/files/ocata/wsgi-keystone.conf
+++ b/keystone/files/ocata/wsgi-keystone.conf
@@ -74,15 +74,27 @@
OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
{%- endif %}
+ {%- if server.federation.oidc.idp_protocols_auth_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_auth_url }}">
+ {%- else %}
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ {%- endif %}
AuthType oauth20
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.idp_protocols_websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
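Review bot: The new `{%- if server.federation.oidc.idp_protocols_auth_url is defined %}` branch only checks that the key exists, so an empty or null pillar value still renders `<LocationMatch "">`, and because these LocationMatch blocks are what require a valid user on the federation endpoints, a value that does not match the path Keystone actually serves silently leaves that endpoint without the auth requirement instead of failing. Testing the value rather than its presence, e.g. `{%- if server.federation.oidc.idp_protocols_auth_url is defined and server.federation.oidc.idp_protocols_auth_url %}`, keeps the hardcoded default when the pillar is empty; the same applies to the websso_url and idp_protocols_websso_url branches here and to the identical hunks in the pike, queens and rocky templates. The pillar value is also interpolated unescaped into a double-quoted Apache regex, so a `"` in it breaks the directive; a Jinja comment above the block, `{# pillar value is used verbatim as the LocationMatch regex and must match the path keystone serves #}`, would make that contract visible to operators. Note too that the README example in this change uses `.../protocols/oidc/auth_url` and `/v3/OS-FEDERATION/websso/oidc_url`, which differ from the template defaults `.../protocols/oidc/auth` and `/v3/auth/OS-FEDERATION/websso/oidc`, so copying the example verbatim would put the real endpoints outside the match. The enclosing `{% if %}` block around these directives starts outside the hunk.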
diff --git a/keystone/files/pike/wsgi-keystone.conf b/keystone/files/pike/wsgi-keystone.conf
index eca9ddf..2d320af 100644
--- a/keystone/files/pike/wsgi-keystone.conf
+++ b/keystone/files/pike/wsgi-keystone.conf
@@ -74,15 +74,27 @@
OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
{%- endif %}
+ {%- if server.federation.oidc.idp_protocols_auth_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_auth_url }}">
+ {%- else %}
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ {%- endif %}
AuthType oauth20
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.idp_protocols_websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
diff --git a/keystone/files/queens/wsgi-keystone.conf b/keystone/files/queens/wsgi-keystone.conf
index eca9ddf..2d320af 100644
--- a/keystone/files/queens/wsgi-keystone.conf
+++ b/keystone/files/queens/wsgi-keystone.conf
@@ -74,15 +74,27 @@
OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
{%- endif %}
+ {%- if server.federation.oidc.idp_protocols_auth_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_auth_url }}">
+ {%- else %}
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ {%- endif %}
AuthType oauth20
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.idp_protocols_websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
diff --git a/keystone/files/rocky/wsgi-keystone.conf b/keystone/files/rocky/wsgi-keystone.conf
index eca9ddf..2d320af 100644
--- a/keystone/files/rocky/wsgi-keystone.conf
+++ b/keystone/files/rocky/wsgi-keystone.conf
@@ -74,15 +74,27 @@
OIDCOAuthVerifyCertFiles {{ cert_files_list|join(" ") }}
{%- endif %}
+ {%- if server.federation.oidc.idp_protocols_auth_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_auth_url }}">
+ {%- else %}
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
+ {%- endif %}
AuthType oauth20
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/websso/oidc">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
+ {%- if server.federation.oidc.idp_protocols_websso_url is defined %}
+ <LocationMatch "{{ server.federation.oidc.idp_protocols_websso_url }}">
+ {%- else %}
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso">
+ {%- endif %}
AuthType openid-connect
Require valid-user
</LocationMatch>
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 67a8d1e..d566827 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -74,6 +74,11 @@
description: "Test domain"
identity:
list_limit: 20
+ federation:
+ oidc:
+ idp_protocols_auth_url: '/idp/auth/url'
+ idp_protocols_websso_url: '/idp/websso/url'
+ websso_url: '/websso/url'
extra_config:
federation:
cache_group_membership_in_db: true
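Review bot: The added fixture sets all three oidc URL keys, so this pillar only renders the new `is defined` branches and never the hardcoded defaults, unless another test pillar leaves them unset. It is also not visible from the flattened hunk whether `federation:` sits directly under `server:` as a sibling of `identity:`, which is where the templates read `server.federation.oidc.*`; worth confirming the nesting, since a mis-nested key would render the defaults and make this fixture a no-op.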