feat(server-charm): add configuration options to set OIDC

[rene-oromtz]

Description

This PR adds the required configuration options so it can enable OIDC. The ground work was already made so this only adds the configuration at the charm level.

It also adds ProxyFix conditionally based on if the application is running behind a proxy, this is different than the HTTP_PROXY and NO_PROXY as those are used for outbound and this is required for inbound requests. Without ProxyFix, the OIDC provider is unable to redirect back to the application.

Finally, this also "sneaks" a hotfix needed with PyMongo > 4.9 e.g. db["fs."] otherwise the application is unable to start:

2026-05-21T19:41:48.356Z [testflinger]   File "/srv/testflinger/.venv/lib/python3.10/site-packages/pymongo/synchronous/collection.py", line 278, in __getattr__
2026-05-21T19:41:48.356Z [testflinger]     raise AttributeError(
2026-05-21T19:41:48.356Z [testflinger] AttributeError: Collection has no attribute '_Collection__database'. To access the fs._Collection__database collection, use database['fs._Collection__database'].
2026-05-21T19:41:48.356Z [testflinger] Collection has no attribute '_Collection__database'. To access the fs._Collection__database collection, use database['fs._Collection__database'].

Note

Integration tests are failing because of this MongoDB issue, the tests uses the image that is available on main until this fix is landed, expect failures as the application will never start (it crashes with the above traceback)

Resolved issues

Resolves CERTTF-714

Documentation

Web service API changes

Tests

Added unit tests for charm configuration and also tested on staging:

[codecov]

Codecov Report

❌ Patch coverage is 93.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.78%. Comparing base (f537c4e) to head (8e5f2ba).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1111      +/-   ##
==========================================
+ Coverage   77.74%   77.78%   +0.04%     
==========================================
  Files         118      118              
  Lines       12332    12358      +26     
  Branches     1014     1019       +5     
==========================================
+ Hits         9587     9613      +26     
  Misses       2523     2523              
  Partials      222      222              

Flag	Coverage Δ		*Carryforward flag
agent	75.78% <ø> (ø)		Carriedforward from 8b40916
cli	91.85% <ø> (ø)		Carriedforward from 8b40916
device	63.76% <ø> (ø)		Carriedforward from 8b40916
server	88.28% <93.33%> (+0.14%)	⬆️

*This pull request uses carry forward flags. Click here to find out more.

Components	Coverage Δ
Agent	75.78% <ø> (ø)
CLI	91.85% <ø> (ø)
Common	∅ <ø> (∅)
Device Connectors	63.76% <ø> (ø)
Server	88.28% <93.33%> (+0.14%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds charm-level configuration to enable/disable OIDC and to correctly handle inbound redirects when the server is deployed behind a reverse proxy. Also includes a MongoDB/GridFS access hotfix for newer PyMongo versions and expands unit coverage for the new charm/app behavior.

Changes:

• Add charm config/options and env wiring for OIDC (web_secret_key, oidc_*) and a behind_proxy toggle.
• Conditionally enable Werkzeug ProxyFix in the Flask app when BEHIND_PROXY=true.
• Update GridFS collection access to bracket notation to avoid PyMongo attribute-access issues.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
server/tests/test_app.py	Adds tests asserting ProxyFix enable/disable behavior.
server/src/testflinger/database.py	Uses bracket notation for fs.files/fs.chunks to fix PyMongo compatibility.
server/src/testflinger/application.py	Conditionally wraps the WSGI app in ProxyFix based on BEHIND_PROXY.
server/charm/tests/unit/test_config.py	Adds unit tests for OIDC config validation.
server/charm/tests/unit/test_charm.py	Adds unit tests for charm behavior with valid/invalid OIDC config.
server/charm/src/config.py	Introduces new config fields and validation for OIDC and proxy settings.
server/charm/src/charm.py	Exposes new config values to the workload via environment variables.
server/charm/charmcraft.yaml	Declares new charm config options for OIDC and proxy deployment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.