diff --git a/Puppetfile b/Puppetfile --- a/Puppetfile +++ b/Puppetfile @@ -113,7 +113,7 @@ mod 'keycloak', :git => 'https://forge.softwareheritage.org/source/puppet-treydock-keycloak', - :ref => 'v6.16.0' + :ref => 'v6.19.0' mod 'letsencrypt', :git => 'https://forge.softwareheritage.org/source/puppet-puppet-letsencrypt', diff --git a/data/common/common.yaml b/data/common/common.yaml --- a/data/common/common.yaml +++ b/data/common/common.yaml @@ -2899,7 +2899,7 @@ sentry::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" sentry::vhost::hsts_header: "%{hiera('apache::hsts_header')}" -keycloak::version: 8.0.1 +keycloak::version: 10.0.2 keycloak::swh_theme::repo_url: https://forge.softwareheritage.org/source/swh-keycloak-theme.git keycloak::swh_theme::tag: v0.3.0 @@ -2947,6 +2947,10 @@ - microprofile-jwt - offline_access +keycloak::resources::clients::swh_web:::roles: + - swh.web.api.throtlling_exempted + - swh.web.api.graph + keycloak::resources::protocol_mappers::audience: resource_name: audience type: oidc-audience-mapper @@ -2958,6 +2962,15 @@ claim_name: groups full_path: true +keycloak::resources::flows::direct_grant_no_otp: + name: direct_grant_no_otp + description: Direct grant flow without conditional OTP + executions: + direct-grant-validate-username: + requirement: REQUIRED + direct-grant-validate-password: + requirement: REQUIRED + keycloak::resources::realms: master: settings: @@ -2965,6 +2978,11 @@ SoftwareHeritage: settings: display_name: Software Heritage + registration_allowed: true + reset_password_allowed: true + verify_email: true + flows: + - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}" clients: swh-web: settings: 
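Review bot: The first entry of the new `swh_web:::roles` list, `swh.web.api.throtlling_exempted`, spells "throttling" with a transposed letter, and client roles are matched by exact string, so if swh-web looks the role up under the correctly spelled name the exemption will silently never apply. Please check the string against the name swh-web actually tests (that check is not in this diff) and correct whichever side is wrong, or add `# role names must match the strings swh-web checks exactly` above the list. The key `keycloak::resources::clients::swh_web:::roles` also carries a stray third colon; it resolves because both `alias()` references use the same spelling, but `swh_web::roles` would match the `::` separators used by the surrounding keys.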
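Review bot: The `executions` entry of the new `direct_grant_no_otp` flow is a YAML mapping, yet the order of its two authenticators is significant (username validation must run before password validation), and the manifest in this same diff appears to derive each execution's `index` from iteration order, so the ordering rests on hiera preserving mapping order rather than on anything stated. A list of executions, each item carrying its own name, would make the index explicit and survive a re-sort of the keys. It is also worth saying in `description` what the alias hides, e.g. `description: Direct grant flow without conditional OTP (password-only; an enrolled OTP is not enforced on this path)`.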
@@ -2974,12 +2992,19 @@ - https://base.softwareheritage.org/* - https://archive.internal.softwareheritage.org/* - https://webapp0.softwareheritage.org/* + roles: "%{alias('keycloak::resources::clients::swh_web:::roles')}" + direct_grant_flow: direct_grant_no_otp-SoftwareHeritage protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" SoftwareHeritageStaging: settings: display_name: Software Heritage (Staging) + registration_allowed: true + reset_password_allowed: true + verify_email: true + flows: + - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}" clients: swh-web: settings: @@ -2987,6 +3012,8 @@ # Should match letsencrypt::certificates.archive_staging.domains - https://webapp.staging.swh.network/* - https://webapp.internal.staging.swh.network/* + roles: "%{alias('keycloak::resources::clients::swh_web:::roles')}" + direct_grant_flow: direct_grant_no_otp-SoftwareHeritageStaging protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" diff --git a/site-modules/profile/manifests/keycloak/resources.pp b/site-modules/profile/manifests/keycloak/resources.pp --- a/site-modules/profile/manifests/keycloak/resources.pp +++ b/site-modules/profile/manifests/keycloak/resources.pp 
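Review bot: `registration_allowed: true` on the production `SoftwareHeritage` realm turns on anonymous self-registration, and nothing in this hunk pairs it with brute-force detection or a registration captcha, so protection against account-creation and password-guessing abuse depends on realm settings that are not visible here. `reset_password_allowed` and `verify_email` likewise only do anything once the realm has an SMTP server configured, which this diff does not show. Please confirm both are in place for this realm and leave a comment next to these keys, e.g. `# self-registration is open: relies on realm brute-force detection and SMTP being configured elsewhere`.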
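Review bot: A password alone is now enough to obtain a token for `swh-web` through the direct grant (ROPC) endpoint, because the `direct_grant_flow: direct_grant_no_otp-SoftwareHeritage` line binds the client to a flow that validates only username and password, so users who enrolled OTP get no second factor on this path and a stolen password suffices to use the API. If that is the intended trade-off for API clients that cannot answer an OTP challenge, record it with a comment such as `# password-only direct grant: OTP is not enforced on ROPC for this client`, and confirm the browser flow stays as it is so interactive logins keep OTP (as far as this diff shows it is unchanged). The alias is composed as `<flow name>-<realm>` by the manifest, so this hand-written string must be kept in step with the flow's `name` key and the realm key; the same applies to the staging entry further down.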
@@ -38,6 +38,34 @@ * => $_full_realm_settings, } + $flows = pick($realm_data['flows'], []) + + $flows.each |$flow_data| { + $flow_alias = "${flow_data['name']}-${realm_name}" + $flow_id = fqdn_uuid("${flow_data['name']}-${realm_name}") + keycloak_flow {"${flow_data['name']} on ${realm_name}" : + ensure => present, + alias => $flow_alias, + id => $flow_id, + description => $flow_data['description'], + } + + $flow_executions = pick($flow_data['executions'], {}) + + $idx = 0 + $flow_executions.each |$flow_execution_name, $flow_execution_data| { + $flow_execution_id = fqdn_uuid("${flow_execution_name}-${realm_name}") + keycloak_flow_execution {"${flow_execution_name} under ${flow_alias} on ${realm_name}" : + ensure => present, + alias => "${flow_execution_name}-${realm_name}", + id => $flow_execution_id, + index => $idx, + * => $flow_execution_data, + } + $idx = $idx + 1 + } + } + $clients = pick($realm_data['clients'], {}) $realm_client_common_settings = deep_merge($client_common_settings, pick($realm_data['client_settings'], {}))