Add OIDCOutgoingProxy to Apache configuration

When the juju model-config key juju-https-proxy is set, its value will
be used to pass it to mod_auth_openidc in the configuration stanza
OIDCOutgoingProxy.

When trying to fetch the metadata url content the configured proxy
settings will be used as well, as returned by
charmhelpers.core.hookenv.env_proxy_settings().

Closes-Bug: #2102156
Change-Id: I38c2733921fd56275cdd1396c6fb09d9fef72b4c

README.md

@@ -98,6 +98,12 @@ the keystone-openidc git repo:
   tox -e func-target -- noble-caracal --keep-model
 -->
 
+## Proxies
+
+The keystone-openidc charm uses the `juju-https-proxy` model configuration when
+set and its value is passed to
+[OIDCOutgoingProxy in Apache mod_auth_openidc module](https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.12.3/auth_openidc.conf#L839-L842).
+
 # Bugs
 
 Please report bugs on [Launchpad][keystone-openidc-filebug].

src/charm.py

@@ -32,6 +32,7 @@ from ops_openstack.adapters import (
     ConfigurationAdapter,
 )
 from charmhelpers.contrib.openstack import templating as os_templating
+from charmhelpers.core import hookenv as ch_hookenv
 from charmhelpers.core import host as ch_host
 from charmhelpers.core import templating
 
@@ -132,6 +133,11 @@ class KeystoneOpenIDCOptions(ConfigurationAdapter):
             logger.warning('The oidc-crypto-passphrase has not been set')
             return None
 
+    @property
+    def oidc_outgoing_proxy(self) -> Optional[str]:
+        proxies = ch_hookenv.env_proxy_settings()
+        return proxies.get('https_proxy', None)
+
     @property
     def provider_metadata(self):
         """Metadata content offered by the Identity Provider.
@@ -143,8 +149,11 @@ class KeystoneOpenIDCOptions(ConfigurationAdapter):
             logging.info('GETing content from %s',
                          self.oidc_provider_metadata_url)
             try:
+                proxies = ch_hookenv.env_proxy_settings()
+                logger.debug('Using proxies: %s', str(proxies))
                 r = requests.get(self.oidc_provider_metadata_url,
-                                 verify=SYSTEM_CA_CERT)
+                                 verify=SYSTEM_CA_CERT,
+                                 proxies=proxies)
                 return r.json()
             except Exception:
                 logger.exception(('Failed to GET json content from provider '

templates/apache-openidc-location.conf

@@ -60,6 +60,9 @@ OIDCOAuthClientSecret {{ options.oidc_client_secret }}
 {%- endif %}
 {%- endif %}
 {%- endif %}
+{% if options.oidc_outgoing_proxy -%}
+OIDCOutgoingProxy {{ options.oidc_outgoing_proxy }}
+{% endif -%}
 
 <LocationMatch /v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth>
   AuthType {{ options.auth_type }}

unit_tests/test_charm.py

@@ -84,9 +84,13 @@ class TestCharm(BaseTestCharm):
             rid, self.harness.charm.unit.app.name,
             {'oidc-crypto-passphrase': str(self.crypto_passphrase)})
 
+    @mock.patch('os.environ.get')
     @mock.patch('os.fchown')
     @mock.patch('os.chown')
-    def test_render_config_leader(self, chown, fchown):
+    def test_render_config_leader(self, chown, fchown, environ_get):
+        proxy_url = 'http://1.2.3.4:3128/'
+        fake_env = {'JUJU_CHARM_HTTPS_PROXY': proxy_url}
+        environ_get.side_effect = fake_env.get
         opts = {
             'oidc-provider-metadata-url': WELL_KNOWN_URL,
             'oidc-provider-issuer': 'foo',
@@ -119,6 +123,10 @@ class TestCharm(BaseTestCharm):
                     f'OIDCCryptoPassphrase {str(self.crypto_passphrase)}',
                     content
                 )
+                self.assertIn(
+                    f'OIDCOutgoingProxy {proxy_url}',
+                    content
+                )
 
     def test_find_missing_keys_no_metadata_url(self):
         opts = {