diff --git a/REFERENCE.md b/REFERENCE.md
index f05eb78..0a91635 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1,3757 +1,3762 @@ # Reference ## Table of Contents ### Classes #### Public Classes * [`keycloak`](#keycloak): Manage Keycloak * [`keycloak::config`](#keycloakconfig): Private class. * [`keycloak::datasource::h2`](#keycloakdatasourceh2): Private class. * [`keycloak::install`](#keycloakinstall): Private class. * [`keycloak::service`](#keycloakservice): Private class. * [`keycloak::sssd`](#keycloaksssd): Private class. #### Private Classes * `keycloak::datasource::mysql`: Manage MySQL datasource * `keycloak::datasource::oracle`: Manage Oracle datasource * `keycloak::datasource::postgresql`: Manage postgresql datasource * `keycloak::resources`: Define Keycloak resources ### Defined types * [`keycloak::client_scope::oidc`](#keycloakclient_scopeoidc): Manage Keycloak OpenID Connect client scope using built-in mappers * [`keycloak::client_scope::saml`](#keycloakclient_scopesaml): Manage Keycloak SAML client scope using built-in mappers * [`keycloak::freeipa_ldap_mappers`](#keycloakfreeipa_ldap_mappers): setup FreeIPA LDAP mappers for Keycloak * [`keycloak::freeipa_user_provider`](#keycloakfreeipa_user_provider): setup IPA as an LDAP user provider for Keycloak * [`keycloak::spi_deployment`](#keycloakspi_deployment): Manage Keycloak SPI deployment * [`keycloak::truststore::host`](#keycloaktruststorehost): Add host to Keycloak truststore ### Resource types * [`keycloak_api`](#keycloak_api): Type that configures API connection parameters for other keycloak types that use the Keycloak API. * [`keycloak_client`](#keycloak_client): Manage Keycloak clients * [`keycloak_client_protocol_mapper`](#keycloak_client_protocol_mapper): Manage Keycloak protocol mappers * [`keycloak_client_scope`](#keycloak_client_scope): Manage Keycloak client scopes * [`keycloak_conn_validator`](#keycloak_conn_validator): Verify that a connection can be successfully established between a node and the keycloak server. 
Its primary use is as a precondition to pre * [`keycloak_flow`](#keycloak_flow): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of `flow_alias` if `top_level=fals * [`keycloak_flow_execution`](#keycloak_flow_execution): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of value defined for `flow_alias` * [`keycloak_identity_provider`](#keycloak_identity_provider): Manage Keycloak identity providers * [`keycloak_ldap_mapper`](#keycloak_ldap_mapper): Manage Keycloak LDAP attribute mappers * [`keycloak_ldap_user_provider`](#keycloak_ldap_user_provider): Manage Keycloak LDAP user providers * [`keycloak_protocol_mapper`](#keycloak_protocol_mapper): Manage Keycloak client scope protocol mappers * [`keycloak_realm`](#keycloak_realm): Manage Keycloak realms * [`keycloak_required_action`](#keycloak_required_action): Manage Keycloak required actions * [`keycloak_resource_validator`](#keycloak_resource_validator): Verify that a specific Keycloak resource is available * [`keycloak_sssd_user_provider`](#keycloak_sssd_user_provider): Manage Keycloak SSSD user providers ## Classes ### `keycloak` Manage Keycloak #### Examples ##### ```puppet include ::keycloak ``` #### Parameters The following parameters are available in the `keycloak` class: * [`manage_install`](#manage_install) * [`version`](#version) * [`package_url`](#package_url) * [`install_dir`](#install_dir) * [`service_name`](#service_name) * [`service_ensure`](#service_ensure) * [`service_enable`](#service_enable) * [`service_hasstatus`](#service_hasstatus) * [`service_hasrestart`](#service_hasrestart) * [`service_bind_address`](#service_bind_address) * [`management_bind_address`](#management_bind_address) * [`java_opts`](#java_opts) * [`java_opts_append`](#java_opts_append) * [`service_extra_opts`](#service_extra_opts) * [`manage_user`](#manage_user) * [`user`](#user) * [`user_shell`](#user_shell) * 
[`group`](#group) * [`user_uid`](#user_uid) * [`group_gid`](#group_gid) * [`system_user`](#system_user) * [`admin_user`](#admin_user) * [`admin_user_password`](#admin_user_password) * [`wildfly_user`](#wildfly_user) * [`wildfly_user_password`](#wildfly_user_password) * [`manage_datasource`](#manage_datasource) * [`datasource_driver`](#datasource_driver) * [`datasource_host`](#datasource_host) * [`datasource_port`](#datasource_port) * [`datasource_url`](#datasource_url) * [`datasource_dbname`](#datasource_dbname) * [`datasource_username`](#datasource_username) * [`datasource_password`](#datasource_password) * [`datasource_package`](#datasource_package) * [`datasource_jar_source`](#datasource_jar_source) * [`datasource_jar_filename`](#datasource_jar_filename) * [`datasource_module_source`](#datasource_module_source) * [`datasource_xa_class`](#datasource_xa_class) * [`mysql_database_charset`](#mysql_database_charset) * [`proxy_https`](#proxy_https) * [`truststore`](#truststore) * [`truststore_hosts`](#truststore_hosts) * [`truststore_password`](#truststore_password) * [`truststore_hostname_verification_policy`](#truststore_hostname_verification_policy) * [`http_port`](#http_port) * [`theme_static_max_age`](#theme_static_max_age) * [`theme_cache_themes`](#theme_cache_themes) * [`theme_cache_templates`](#theme_cache_templates) * [`realms`](#realms) * [`realms_merge`](#realms_merge) * [`oidc_client_scopes`](#oidc_client_scopes) * [`oidc_client_scopes_merge`](#oidc_client_scopes_merge) * [`saml_client_scopes`](#saml_client_scopes) * [`saml_client_scopes_merge`](#saml_client_scopes_merge) * [`identity_providers`](#identity_providers) * [`identity_providers_merge`](#identity_providers_merge) * [`client_protocol_mappers`](#client_protocol_mappers) * [`client_scopes`](#client_scopes) * [`client_scopes_merge`](#client_scopes_merge) * [`protocol_mappers`](#protocol_mappers) * [`protocol_mappers_merge`](#protocol_mappers_merge) * [`clients`](#clients) * 
[`clients_merge`](#clients_merge) * [`flows`](#flows) * [`flows_merge`](#flows_merge) * [`flow_executions`](#flow_executions) * [`flow_executions_merge`](#flow_executions_merge) * [`required_actions`](#required_actions) * [`required_actions_merge`](#required_actions_merge) * [`ldap_mappers`](#ldap_mappers) * [`ldap_mappers_merge`](#ldap_mappers_merge) * [`ldap_user_providers`](#ldap_user_providers) * [`ldap_user_providers_merge`](#ldap_user_providers_merge) * [`with_sssd_support`](#with_sssd_support) * [`libunix_dbus_java_source`](#libunix_dbus_java_source) * [`install_libunix_dbus_java_build_dependencies`](#install_libunix_dbus_java_build_dependencies) * [`libunix_dbus_java_build_dependencies`](#libunix_dbus_java_build_dependencies) * [`libunix_dbus_java_libdir`](#libunix_dbus_java_libdir) * [`jna_package_name`](#jna_package_name) * [`manage_sssd_config`](#manage_sssd_config) * [`sssd_ifp_user_attributes`](#sssd_ifp_user_attributes) * [`restart_sssd`](#restart_sssd) * [`service_environment_file`](#service_environment_file) * [`operating_mode`](#operating_mode) * [`enable_jdbc_ping`](#enable_jdbc_ping) * [`jboss_bind_public_address`](#jboss_bind_public_address) * [`jboss_bind_private_address`](#jboss_bind_private_address) * [`role`](#role) * [`user_cache`](#user_cache) * [`tech_preview_features`](#tech_preview_features) * [`auto_deploy_exploded`](#auto_deploy_exploded) * [`auto_deploy_zipped`](#auto_deploy_zipped) * [`spi_deployments`](#spi_deployments) * [`custom_config_content`](#custom_config_content) * [`custom_config_source`](#custom_config_source) * [`master_address`](#master_address) * [`server_name`](#server_name) * [`syslog`](#syslog) * [`syslog_app_name`](#syslog_app_name) * [`syslog_facility`](#syslog_facility) * [`syslog_hostname`](#syslog_hostname) * [`syslog_level`](#syslog_level) * [`syslog_port`](#syslog_port) * [`syslog_server_address`](#syslog_server_address) * [`syslog_format`](#syslog_format) ##### `manage_install` Data type: `Boolean` Install 
Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true. Default value: ``true`` ##### `version` Data type: `String` Version of Keycloak to install and manage. Default value: `'12.0.4'` ##### `package_url` Data type: `Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]` URL of the Keycloak download. Default is based on version. Default value: ``undef`` ##### `install_dir` Data type: `Optional[Stdlib::Absolutepath]` The directory of where to install Keycloak. Default is `/opt/keycloak-${version}`. Default value: ``undef`` ##### `service_name` Data type: `String` Keycloak service name. Default is `keycloak`. Default value: `'keycloak'` ##### `service_ensure` Data type: `String` Keycloak service ensure property. Default is `running`. Default value: `'running'` ##### `service_enable` Data type: `Boolean` Keycloak service enable property. Default is `true`. Default value: ``true`` ##### `service_hasstatus` Data type: `Boolean` Keycloak service hasstatus parameter. Default is `true`. Default value: ``true`` ##### `service_hasrestart` Data type: `Boolean` Keycloak service hasrestart parameter. Default is `true`. Default value: ``true`` ##### `service_bind_address` Data type: `Stdlib::IP::Address` Bind address for Keycloak service. Default is '0.0.0.0'. Default value: `'0.0.0.0'` ##### `management_bind_address` Data type: `Stdlib::IP::Address` Bind address for Keycloak management. Default is '0.0.0.0'. Default value: `'0.0.0.0'` ##### `java_opts` Data type: `Optional[Variant[String, Array]]` Sets additional options to Java virtual machine environment variable. Default value: ``undef`` ##### `java_opts_append` Data type: `Boolean` Determine if $JAVA_OPTS should be appended to when setting `java_opts` parameter Default value: ``true`` ##### `service_extra_opts` Data type: `Optional[String]` Additional options added to the end of the service command-line. 
Default value: ``undef`` ##### `manage_user` Data type: `Boolean` Defines if the module should manage the Linux user for Keycloak installation Default value: ``true`` ##### `user` Data type: `String` Keycloak user name. Default is `keycloak`. Default value: `'keycloak'` ##### `user_shell` Data type: `Stdlib::Absolutepath` Keycloak user shell. Default value: `'/sbin/nologin'` ##### `group` Data type: `String` Keycloak user group name. Default is `keycloak`. Default value: `'keycloak'` ##### `user_uid` Data type: `Optional[Integer]` Keycloak user UID. Default is `undef`. Default value: ``undef`` ##### `group_gid` Data type: `Optional[Integer]` Keycloak user group GID. Default is `undef`. Default value: ``undef`` ##### `system_user` Data type: `Boolean` If keycloak user should be a system user with lower uid and gid. Default is `true` Default value: ``true`` ##### `admin_user` Data type: `String` Keycloak administrative username. Default is `admin`. Default value: `'admin'` ##### `admin_user_password` Data type: `String` Keycloak administrative user password. Default is `changeme`. Default value: `'changeme'` ##### `wildfly_user` Data type: `Optional[String]` Wildfly user. Required for domain mode. Default value: ``undef`` ##### `wildfly_user_password` Data type: `Optional[String]` Wildfly user password. Required for domain mode. Default value: ``undef`` ##### `manage_datasource` Data type: `Boolean` Boolean that determines if configured datasource will be managed. Default is `true`. Default value: ``true`` ##### `datasource_driver` Data type: `Enum['h2', 'mysql', 'oracle', 'postgresql']` Datasource driver to use for Keycloak. Valid values are `h2`, `mysql`, 'oracle' and 'postgresql' Default is `h2`. Default value: `'h2'` ##### `datasource_host` Data type: `Optional[String]` Datasource host. Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' Default is `localhost` for MySQL. 
Default value: ``undef`` ##### `datasource_port` Data type: `Optional[Integer]` Datasource port. Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' Default is `3306` for MySQL. Default value: ``undef`` ##### `datasource_url` Data type: `Optional[String]` Datasource url. Default datasource URLs are defined in init class. Default value: ``undef`` ##### `datasource_dbname` Data type: `String` Datasource database name. Default is `keycloak`. Default value: `'keycloak'` ##### `datasource_username` Data type: `String` Datasource user name. Default is `sa`. Default value: `'sa'` ##### `datasource_password` Data type: `String` Datasource user password. Default is `sa`. Default value: `'sa'` ##### `datasource_package` Data type: `Optional[String]` Package to add specified datasource support Default value: ``undef`` ##### `datasource_jar_source` Data type: `Optional[String]` Source for datasource JDBC driver - could be puppet link or local file on the node. Default is dependent on value for `datasource_driver`. This parameter is required if `datasource_driver` is `oracle`. Default value: ``undef`` ##### `datasource_jar_filename` Data type: `Optional[String]` Specify the filename of the destination datasource jar in the module dir of keycloak. This parameter is only working at the moment if `datasource_driver` is `oracle`. Default value: ``undef`` ##### `datasource_module_source` Data type: `Optional[String]` Source for datasource module.xml. Default depends on `datasource_driver`. Default value: ``undef`` ##### `datasource_xa_class` Data type: `Optional[String]` MySQL Connector/J JDBC driver xa-datasource class name Default value: ``undef`` ##### `mysql_database_charset` Data type: `String` MySQL database charset Default value: `'utf8'` ##### `proxy_https` Data type: `Boolean` Boolean that sets if HTTPS proxy should be enabled. Set to `true` if proxying traffic through Apache. Default is `false`. 
Default value: ``false`` ##### `truststore` Data type: `Boolean` Boolean that sets if truststore should be used. Default is `false`. Default value: ``false`` ##### `truststore_hosts` Data type: `Hash` Hash that is used to define `keycloak::turststore::host` resources. Default is `{}`. Default value: `{}` ##### `truststore_password` Data type: `String` Truststore password. Default is `keycloak`. Default value: `'keycloak'` ##### `truststore_hostname_verification_policy` Data type: `Enum['WILDCARD', 'STRICT', 'ANY']` Valid values are `WILDCARD`, `STRICT`, and `ANY`. Default is `WILDCARD`. Default value: `'WILDCARD'` ##### `http_port` Data type: `Integer` HTTP port used by Keycloak. Default is `8080`. Default value: `8080` ##### `theme_static_max_age` Data type: `Integer` Max cache age in seconds of static content. Default is `2592000`. Default value: `2592000` ##### `theme_cache_themes` Data type: `Boolean` Boolean that sets if themes should be cached. Default is `true`. Default value: ``true`` ##### `theme_cache_templates` Data type: `Boolean` Boolean that sets if templates should be cached. Default is `true`. Default value: ``true`` ##### `realms` Data type: `Hash` Hash that is used to define keycloak_realm resources. Default is `{}`. Default value: `{}` ##### `realms_merge` Data type: `Boolean` Boolean that sets if `realms` should be merged from Hiera. Default value: ``false`` ##### `oidc_client_scopes` Data type: `Hash` Hash that is used to define keycloak::client_scope::oidc resources. Default is `{}`. Default value: `{}` ##### `oidc_client_scopes_merge` Data type: `Boolean` Boolean that sets if `oidc_client_scopes` should be merged from Hiera. Default value: ``false`` ##### `saml_client_scopes` Data type: `Hash` Hash that is used to define keycloak::client_scope::saml resources. Default is `{}`. Default value: `{}` ##### `saml_client_scopes_merge` Data type: `Boolean` Boolean that sets if `saml_client_scopes` should be merged from Hiera. 
Default value: ``false`` ##### `identity_providers` Data type: `Hash` Hash that is used to define keycloak_identity_provider resources. Default value: `{}` ##### `identity_providers_merge` Data type: `Boolean` Boolean that sets if `identity_providers` should be merged from Hiera. Default value: ``false`` ##### `client_protocol_mappers` Data type: `Hash` Hash that is used to define keycloak_client_protocol_mapper resources. Default value: `{}` ##### `client_scopes` Data type: `Hash` Hash that is used to define keycloak_client_scope resources. Default value: `{}` ##### `client_scopes_merge` Data type: `Boolean` Boolean that sets if `client_scopes` should be merged from Hiera. Default value: ``false`` ##### `protocol_mappers` Data type: `Hash` Hash that is used to define keycloak_protocol_mapper resources. Default value: `{}` ##### `protocol_mappers_merge` Data type: `Boolean` Boolean that sets if `protocol_mappers` should be merged from Hiera. Default value: ``false`` ##### `clients` Data type: `Hash` Hash that is used to define keycloak_client resources. Default value: `{}` ##### `clients_merge` Data type: `Boolean` Boolean that sets if `clients` should be merged from Hiera. Default value: ``false`` ##### `flows` Data type: `Hash` Hash taht is used to define keycloak_flow resources. Default value: `{}` ##### `flows_merge` Data type: `Boolean` Boolean that sets if `flows` should be merged from Hiera. Default value: ``false`` ##### `flow_executions` Data type: `Hash` Hash taht is used to define keycloak_flow resources. Default value: `{}` ##### `flow_executions_merge` Data type: `Boolean` Boolean that sets if `flows` should be merged from Hiera. Default value: ``false`` ##### `required_actions` Data type: `Hash` Hash that is used to define keycloak_required_action resources. Default value: `{}` ##### `required_actions_merge` Data type: `Boolean` Boolean that sets if `required_actions` should be merged from Hiera. 
Default value: ``false`` ##### `ldap_mappers` Data type: `Hash` Hash that is used to define keycloak_ldap_mapper resources. Default value: `{}` ##### `ldap_mappers_merge` Data type: `Boolean` Boolean that sets if `ldap_mappers` should be merged from Hiera. Default value: ``false`` ##### `ldap_user_providers` Data type: `Hash` Hash that is used to define keycloak_ldap_user_provider resources. Default value: `{}` ##### `ldap_user_providers_merge` Data type: `Boolean` Boolean that sets if `ldap_user_providers` should be merged from Hiera. Default value: ``false`` ##### `with_sssd_support` Data type: `Boolean` Boolean that determines if SSSD user provider support should be available Default value: ``false`` ##### `libunix_dbus_java_source` Data type: `Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]` Source URL of libunix-dbus-java Default value: `'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'` ##### `install_libunix_dbus_java_build_dependencies` Data type: `Boolean` Boolean that determines of libunix-dbus-java build dependencies are managed by this module Default value: ``true`` ##### `libunix_dbus_java_build_dependencies` Data type: `Array` Packages needed to build libunix-dbus-java Default value: `[]` ##### `libunix_dbus_java_libdir` Data type: `Stdlib::Absolutepath` Path to directory to install libunix-dbus-java libraries Default value: `'/usr/lib64'` ##### `jna_package_name` Data type: `String` Package name for jna Default value: `'jna'` ##### `manage_sssd_config` Data type: `Boolean` Boolean that determines if SSSD ifp config for Keycloak is managed Default value: ``true`` ##### `sssd_ifp_user_attributes` Data type: `Array` user_attributes to define for SSSD ifp service Default value: `[]` ##### `restart_sssd` Data type: `Boolean` Boolean that determines if SSSD should be restarted Default value: ``true`` ##### `service_environment_file` Data type: `Optional[Stdlib::Absolutepath]` Path to the file with environment variables for 
the systemd service Default value: ``undef`` ##### `operating_mode` Data type: `Enum['standalone', 'clustered', 'domain']` Keycloak operating mode deployment Default value: `'standalone'` ##### `enable_jdbc_ping` Data type: `Boolean` Use JDBC_PING to discover the nodes and manage the replication of data More info: http://jgroups.org/manual/#_jdbc_ping Only applies when `operating_mode` is either `clustered` or `domain` JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other This module does not manage firewall changes Default value: ``false`` ##### `jboss_bind_public_address` Data type: `Stdlib::IP::Address` JBoss bind public IP address Default value: `$facts['networking']['ip']` ##### `jboss_bind_private_address` Data type: `Stdlib::IP::Address` JBoss bind private IP address Default value: `$facts['networking']['ip']` ##### `role` Data type: `Optional[Enum['master', 'slave']]` Role when operating mode is domain. Default value: ``undef`` ##### `user_cache` Data type: `Boolean` Boolean that determines if userCache is enabled Default value: ``true`` ##### `tech_preview_features` Data type: `Array` List of technology Preview features to enable Default value: `[]` ##### `auto_deploy_exploded` Data type: `Boolean` Set if exploded deployements will be auto deployed Default value: ``false`` ##### `auto_deploy_zipped` Data type: `Boolean` Set if zipped deployments will be auto deployed Default value: ``true`` ##### `spi_deployments` Data type: `Hash` Hash used to define keycloak::spi_deployment resources Default value: `{}` ##### `custom_config_content` Data type: `Optional[String]` Custom configuration content to be added to config.cli Default value: ``undef`` ##### `custom_config_source` Data type: `Optional[Variant[String, Array]]` Custom configuration source file to be added to config.cli Default value: ``undef`` ##### `master_address` Data type: `Optional[Stdlib::Host]` IP address of the master in domain mode Default value: ``undef`` ##### 
`server_name` Data type: `String` Server name in domain mode. Defaults to hostname. Default value: `$facts['hostname']` ##### `syslog` Data type: `Boolean` Enable syslog. Default false. Default value: ``false`` ##### `syslog_app_name` Data type: `String` Syslog app name. Default 'keycloak'. Default value: `'keycloak'` ##### `syslog_facility` Data type: `String` Syslog facility. Default 'user-level'. See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html Default value: `'user-level'` ##### `syslog_hostname` Data type: `Stdlib::Host` Syslog hostname of the server. Default $facts['fqdn']. Default value: `$facts['fqdn']` ##### `syslog_level` Data type: `String` Syslog level. Default 'INFO'. See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html Default value: `'INFO'` ##### `syslog_port` Data type: `Stdlib::Port` The port the syslog server is listening on. Default '514'. Default value: `514` ##### `syslog_server_address` Data type: `Stdlib::Host` The address of the syslog server. Default 'localhost'. Default value: `'localhost'` ##### `syslog_format` Data type: `Enum['RFC3164', 'RFC5424']` Syslog format. Either 'RFC3164' or 'RFC5424' Default 'RFC3164'. Default value: `'RFC3164'` ### `keycloak::config` Private class. ### `keycloak::datasource::h2` Private class. ### `keycloak::install` Private class. ### `keycloak::service` Private class. ### `keycloak::sssd` Private class. ## Defined types ### `keycloak::client_scope::oidc` Manage Keycloak OpenID Connect client scope using built-in mappers #### Examples ##### ```puppet keycloak::client_scope::oidc { 'oidc-clients': realm => 'test', } ``` #### Parameters The following parameters are available in the `keycloak::client_scope::oidc` defined type: * [`realm`](#realm) * [`resource_name`](#resource_name) ##### `realm` Data type: `String` Realm of the client scope. 
##### `resource_name` Data type: `String` Name of the client scope resource Default value: `$name` ### `keycloak::client_scope::saml` Manage Keycloak SAML client scope using built-in mappers #### Examples ##### ```puppet keycloak::client_scope::saml { 'saml-clients': realm => 'test', } ``` #### Parameters The following parameters are available in the `keycloak::client_scope::saml` defined type: * [`realm`](#realm) * [`resource_name`](#resource_name) ##### `realm` Data type: `String` Realm of the client scope. ##### `resource_name` Data type: `String` Name of the client scope resource Default value: `$name` ### `keycloak::freeipa_ldap_mappers` setup FreeIPA LDAP mappers for Keycloak #### Examples ##### ```puppet keycloak::freeipa_ldap_mappers { 'ipa.example.org': realm => 'EXAMPLE.ORG', groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org', roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org' } ``` #### Parameters The following parameters are available in the `keycloak::freeipa_ldap_mappers` defined type: * [`realm`](#realm) * [`groups_dn`](#groups_dn) * [`roles_dn`](#roles_dn) * [`parent_id`](#parent_id) ##### `realm` Data type: `String` Keycloak realm ##### `groups_dn` Data type: `String` Groups DN ##### `roles_dn` Data type: `String` Roles DN ##### `parent_id` Data type: `Optional[String]` Identifier (parentId) for the LDAP provider to add this mapper to. Will be passed to the $ldap parameter in keycloak_ldap_mapper. 
Default value: ``undef`` ### `keycloak::freeipa_user_provider` setup IPA as an LDAP user provider for Keycloak #### Examples ##### Add FreeIPA as a user provider ```puppet keycloak::freeipa_user_provider { 'ipa.example.org': ensure => 'present', realm => 'EXAMPLE.ORG', bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org', bind_credential => 'secret', users_dn => 'cn=users,cn=accounts,dc=example,dc=org', priority => 10, } ``` #### Parameters The following parameters are available in the `keycloak::freeipa_user_provider` defined type: * [`ensure`](#ensure) * [`ipa_host`](#ipa_host) * [`realm`](#realm) * [`bind_dn`](#bind_dn) * [`bind_credential`](#bind_credential) * [`users_dn`](#users_dn) * [`priority`](#priority) * [`ldaps`](#ldaps) * [`full_sync_period`](#full_sync_period) * [`changed_sync_period`](#changed_sync_period) ##### `ensure` Data type: `Enum['present', 'absent']` LDAP user provider status Default value: `'present'` ##### `ipa_host` Data type: `Stdlib::Host` Hostname of the FreeIPA server (e.g. 
ipa.example.org) Default value: `$title` ##### `realm` Data type: `String` Keycloak realm ##### `bind_dn` Data type: `String` LDAP bind dn ##### `bind_credential` Data type: `String` LDAP bind password ##### `users_dn` Data type: `String` The DN for user search ##### `priority` Data type: `Integer` Priority for this user provider Default value: `10` ##### `ldaps` Data type: `Boolean` Use LDAPS protocol instead of LDAP Default value: ``false`` ##### `full_sync_period` Data type: `Optional[Integer]` Synchronize all users this often (fullSyncPeriod) Default value: ``undef`` ##### `changed_sync_period` Data type: `Optional[Integer]` Synchronize changed users this often (changedSyncPeriod) Default value: ``undef`` ### `keycloak::spi_deployment` } #### Examples ##### Add Duo SPI ```puppet keycloak::spi_deployment { 'duo-spi': ensure => 'present', deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar', source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar', } ``` ##### Add Duo SPI and check API for existance of resources before going onto dependenct resources ```puppet keycloak::spi_deployment { 'duo-spi': deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar', source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar', test_url => 'authentication/authenticator-providers', test_key => 'id', test_value => 'duo-mfa-authenticator', test_realm => 'test', before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'], ``` #### Parameters The following parameters are available in the `keycloak::spi_deployment` defined type: * [`ensure`](#ensure) * [`deployed_name`](#deployed_name) * [`source`](#source) * [`test_url`](#test_url) * [`test_key`](#test_key) * [`test_value`](#test_value) * [`test_realm`](#test_realm) * [`test_before`](#test_before) ##### `ensure` Data type: `Enum['present', 'absent']` State of the deployment Default value: `'present'` ##### `deployed_name` Data type: `String[1]` 
Name of the file to be deployed. Defaults to `$name`. Default value: `$name` ##### `source` Data type: `Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]` Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://' ##### `test_url` Data type: `Optional[String]` URL to test for existance of resources created by this SPI Default value: ``undef`` ##### `test_key` Data type: `Optional[String]` Key of resource when testing for resource created by this SPI Default value: ``undef`` ##### `test_value` Data type: `Optional[String]` Value of the `test_key` when testing for resources created by this SPI Default value: ``undef`` ##### `test_realm` Data type: `Optional[String]` Realm to query when looking for resources created by this SPI Default value: ``undef`` ##### `test_before` Data type: `Optional[Array]` Setup autorequires for validator dependent resources Default value: ``undef`` ### `keycloak::truststore::host` Add host to Keycloak truststore #### Examples ##### ```puppet keycloak::truststore::host { 'ldap1.example.com': certificate => '/etc/openldap/certs/0a00000.0', } ``` #### Parameters The following parameters are available in the `keycloak::truststore::host` defined type: * [`certificate`](#certificate) * [`ensure`](#ensure) ##### `certificate` Data type: `String` Path to host certificate ##### `ensure` Data type: `Enum['latest', 'present', 'absent']` Host ensure value passed to `java_ks` resource. Default value: `'latest'` ## Resource types ### `keycloak_api` Type that configures API connection parameters for other keycloak types that use the Keycloak API. #### Examples ##### Define API access ```puppet keycloak_api { 'keycloak' install_dir => '/opt/keycloak', server => 'http://localhost:8080/auth', realm => 'master', user => 'admin', password => 'changeme', } ``` #### Parameters The following parameters are available in the `keycloak_api` type. 
* [`install_dir`](#install_dir) * [`name`](#name) * [`password`](#password) * [`realm`](#realm) * [`server`](#server) * [`use_wrapper`](#use_wrapper) * [`user`](#user) ##### `install_dir` Install location of Keycloak Default value: `/opt/keycloak` ##### `name` namevar Keycloak API config ##### `password` Password for authentication Default value: `changeme` ##### `realm` Realm for authentication Default value: `master` ##### `server` Auth URL for Keycloak server Default value: `http://localhost:8080/auth` ##### `use_wrapper` Valid values: ``true``, ``false`` Boolean that determines if kcadm_wrapper.sh should be used Default value: ``false`` ##### `user` User for authentication Default value: `admin` ### `keycloak_client` Manage Keycloak clients #### Examples ##### Add a OpenID Connect client ```puppet keycloak_client { 'www.example.com': ensure => 'present', realm => 'test', redirect_uris => [ "https://www.example.com/oidc", "https://www.example.com", ], default_client_scopes => ['profile','email'], secret => 'supersecret', } ``` #### Properties The following properties are available in the `keycloak_client` type. 
##### `access_token_lifespan` access.token.lifespan ##### `authorization_services_enabled` Valid values: ``true``, ``false`` authorizationServicesEnabled Default value: `false` ##### `base_url` baseUrl ##### `bearer_only` Valid values: ``true``, ``false`` bearerOnly Default value: `false` ##### `browser_flow` authenticationFlowBindingOverrides.browser (Use flow alias, not ID) Default value: `absent` ##### `client_authenticator_type` clientAuthenticatorType Default value: `client-secret` ##### `default_client_scopes` defaultClientScopes Default value: `[]` ##### `direct_access_grants_enabled` Valid values: ``true``, ``false`` enabled Default value: `true` ##### `direct_grant_flow` authenticationFlowBindingOverrides.direct_grant (Use flow alias, not ID) Default value: `absent` ##### `enabled` Valid values: ``true``, ``false`` enabled Default value: `true` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `full_scope_allowed` Valid values: ``true``, ``false`` fullScopeAllowed Default value: `true` ##### `implicit_flow_enabled` Valid values: ``true``, ``false`` implicitFlowEnabled Default value: `false` ##### `login_theme` login_theme Default value: `absent` ##### `optional_client_scopes` optionalClientScopes Default value: `[]` ##### `protocol` Valid values: `openid-connect`, `saml` protocol Default value: `openid-connect` ##### `public_client` Valid values: ``true``, ``false`` enabled Default value: `false` ##### `redirect_uris` redirectUris Default value: `[]` ##### `roles` roles Default value: `[]` ##### `root_url` rootUrl ##### `secret` secret ##### `service_accounts_enabled` Valid values: ``true``, ``false`` serviceAccountsEnabled Default value: `false` ##### `standard_flow_enabled` Valid values: ``true``, ``false`` standardFlowEnabled Default value: `true` ##### `web_origins` webOrigins Default value: `[]` #### Parameters The following parameters are available in the 
`keycloak_client` type. * [`client_id`](#client_id) * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) ##### `client_id` clientId. Defaults to `name`. ##### `id` Id. Defaults to `client_id` ##### `name` namevar The client name ##### `provider` The specific backend to use for this `keycloak_client` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` realm ### `keycloak_client_protocol_mapper` Manage Keycloak protocol mappers #### Examples ##### Add email protocol mapper to test.example.com client in realm test ```puppet keycloak_client_protocol_mapper { "email for test.example.com on test": claim_name => 'email', user_attribute => 'email', } ``` #### Properties The following properties are available in the `keycloak_client_protocol_mapper` type. ##### `access_token_claim` Valid values: ``true``, ``false`` access.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `attribute_name` attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `attribute_nameformat` attribute.nameformat ##### `claim_name` claim.name ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `friendly_name` friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `full_path` Valid values: ``true``, ``false`` full.path. Default to `false` for `type` `oidc-group-membership-mapper`. ##### `id_token_claim` Valid values: ``true``, ``false`` id.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `included_client_audience` included.client.audience Required for `type` of `oidc-audience-mapper` ##### `json_type_label` json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`. 
##### `protocol` Valid values: `openid-connect`, `saml` protocol Default value: `openid-connect` ##### `script` Script, only valid for `type` of `saml-javascript-mapper`' Array values will be joined with newlines. Strings will be kept unchanged. ##### `single` Valid values: ``true``, ``false`` single. Default to `false` for `type` `saml-role-list-mapper`. ##### `user_attribute` user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper` ##### `userinfo_token_claim` Valid values: ``true``, ``false`` userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`. #### Parameters The following parameters are available in the `keycloak_client_protocol_mapper` type. * [`client`](#client) * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) * [`resource_name`](#resource_name) * [`type`](#type) ##### `client` client ##### `id` Id. ##### `name` namevar The protocol mapper name ##### `provider` The specific backend to use for this `keycloak_client_protocol_mapper` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` realm ##### `resource_name` The protocol mapper name. Defaults to `name`. ##### `type` Valid values: `oidc-usermodel-client-role-mapper`, `oidc-usermodel-property-mapper`, `oidc-full-name-mapper`, `oidc-group-membership-mapper`, `oidc-audience-mapper`, `saml-user-property-mapper`, `saml-role-list-mapper` protocolMapper. Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and `saml-user-property-mapper` for `protocol` `saml`. 
### `keycloak_client_scope` Manage Keycloak client scopes #### Examples ##### Define a OpenID Connect client scope in the test realm ```puppet keycloak_client_scope { 'email on test': protocol => 'openid-connect', } ``` #### Properties The following properties are available in the `keycloak_client_scope` type. ##### `consent_screen_text` consent.screen.text ##### `display_on_consent_screen` Valid values: ``true``, ``false`` display.on.consent.screen Default value: `true` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `protocol` Valid values: `openid-connect`, `saml` protocol Default value: `openid-connect` #### Parameters The following parameters are available in the `keycloak_client_scope` type. * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) * [`resource_name`](#resource_name) ##### `id` Id. Defaults to `resource_name`. ##### `name` namevar The client scope name ##### `provider` The specific backend to use for this `keycloak_client_scope` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` realm ##### `resource_name` The client scope name. Defaults to `name`. ### `keycloak_conn_validator` Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring. #### Properties The following properties are available in the `keycloak_conn_validator` type. ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` #### Parameters The following parameters are available in the `keycloak_conn_validator` type. 
* [`keycloak_port`](#keycloak_port) * [`keycloak_server`](#keycloak_server) * [`name`](#name) * [`provider`](#provider) * [`test_url`](#test_url) * [`timeout`](#timeout) * [`use_ssl`](#use_ssl) ##### `keycloak_port` The port that the keycloak server should be listening on. Default value: `8080` ##### `keycloak_server` The DNS name or IP address of the server where keycloak should be running. Default value: `localhost` ##### `name` namevar An arbitrary name used as the identity of the resource. ##### `provider` The specific backend to use for this `keycloak_conn_validator` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `test_url` URL to use for testing if the Keycloak database is up Default value: `/auth/admin/serverinfo` ##### `timeout` The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds. Default value: `30` ##### `use_ssl` Whether the connection will be attemped using https Default value: ``false`` ### `keycloak_flow` Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of `flow_alias` if `top_level=false` * `keycloak_flow` of `flow_alias` if other `index` is lower and if `top_level=false` * `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower and if `top_level=false` #### Examples ##### Add custom flow ```puppet keycloak_flow { 'browser-with-duo': ensure => 'present', realm => 'test', } ``` ##### Add a flow execution to existing browser-with-duo flow ```puppet keycloak_flow { 'form-browser-with-duo under browser-with-duo on test': ensure => 'present', index => 2, requirement => 'ALTERNATIVE', top_level => false, } ``` #### Properties The following properties are available in the `keycloak_flow` type. 
##### `description` description ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `index` execution index, only applied to top_level=false, required for top_level=false ##### `requirement` Valid values: `DISABLED`, `ALTERNATIVE`, `REQUIRED`, `CONDITIONAL`, `disabled`, `alternative`, `required`, `conditional` requirement, only applied to top_level=false and defaults to DISABLED #### Parameters The following parameters are available in the `keycloak_flow` type. * [`alias`](#alias) * [`flow_alias`](#flow_alias) * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`provider_id`](#provider_id) * [`realm`](#realm) * [`top_level`](#top_level) * [`type`](#type) ##### `alias` Alias. Default to `name`. ##### `flow_alias` flowAlias, required for top_level=false ##### `id` Id. Default to `$alias-$realm` when top_level is true. Only applies to top_level=true ##### `name` namevar The flow name ##### `provider` The specific backend to use for this `keycloak_flow` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. 
##### `provider_id` Valid values: `basic-flow`, `form-flow` providerId Default value: `basic-flow` ##### `realm` realm ##### `top_level` Valid values: ``true``, ``false`` topLevel Default value: ``true`` ##### `type` sub-flow execution provider, default to `registration-page-form` for top_level=false and does not apply to top_level=true ### `keycloak_flow_execution` Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of value defined for `flow_alias` * `keycloak_flow` if they share same `flow_alias` value and the other resource `index` is lower * `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower #### Examples ##### Add an execution to a flow ```puppet keycloak_flow_execution { 'auth-cookie under browser-with-duo on test': ensure => 'present', configurable => false, display_name => 'Cookie', index => 0, requirement => 'ALTERNATIVE', } ``` ##### Add an execution to a execution flow that is one level deeper than top level ```puppet keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test': ensure => 'present', configurable => false, display_name => 'Username Password Form', index => 0, requirement => 'REQUIRED', } ``` ##### Add an execution with a configuration ```puppet keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test': ensure => 'present', configurable => true, display_name => 'Duo MFA', alias => 'Duo', config => { "duomfa.akey" => "foo-akey", "duomfa.apihost" => "api-foo.duosecurity.com", "duomfa.skey" => "secret", "duomfa.ikey" => "foo-ikey", "duomfa.groups" => "duo" }, requirement => 'REQUIRED', index => 1, } ``` #### Properties The following properties are available in the `keycloak_flow_execution` type. ##### `config` execution config ##### `configurable` Valid values: ``true``, ``false`` configurable ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. 
Default value: `present` ##### `index` execution index ##### `requirement` Valid values: `DISABLED`, `ALTERNATIVE`, `REQUIRED`, `CONDITIONAL`, `disabled`, `alternative`, `required`, `conditional` requirement Default value: `DISABLED` #### Parameters The following parameters are available in the `keycloak_flow_execution` type. * [`alias`](#alias) * [`config_id`](#config_id) * [`display_name`](#display_name) * [`flow_alias`](#flow_alias) * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`provider_id`](#provider_id) * [`realm`](#realm) ##### `alias` alias ##### `config_id` read-only config ID ##### `display_name` displayName ##### `flow_alias` flowAlias ##### `id` read-only Id ##### `name` namevar The flow execution name ##### `provider` The specific backend to use for this `keycloak_flow_execution` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `provider_id` provider ##### `realm` realm ### `keycloak_identity_provider` Manage Keycloak identity providers #### Examples ##### Add CILogon identity provider to test realm ```puppet keycloak_identity_provider { 'cilogon on test': ensure => 'present', display_name => 'CILogon', provider_id => 'oidc', first_broker_login_flow_alias => 'browser', client_id => 'cilogon:/client_id/foobar', client_secret => 'supersecret', user_info_url => 'https://cilogon.org/oauth2/userinfo', token_url => 'https://cilogon.org/oauth2/token', authorization_url => 'https://cilogon.org/authorize', } ``` #### Properties The following properties are available in the `keycloak_identity_provider` type. 
##### `add_read_token_role_on_create` Valid values: ``true``, ``false`` addReadTokenRoleOnCreate Default value: `false` ##### `allowed_clock_skew` allowedClockSkew ##### `authenticate_by_default` Valid values: ``true``, ``false`` authenticateByDefault Default value: `false` ##### `authorization_url` authorizationUrl ##### `backchannel_supported` Valid values: ``true``, ``false`` backchannelSupported Default value: `false` ##### `client_auth_method` Valid values: `client_secret_post`, `client_secret_basic`, `client_secret_jwt`, `private_key_jwt` clientAuthMethod Default value: `client_secret_post` ##### `client_id` clientId ##### `client_secret` clientSecret ##### `default_scope` default_scope ##### `disable_user_info` Valid values: ``true``, ``false`` disableUserInfo Default value: `false` ##### `display_name` displayName ##### `enabled` Valid values: ``true``, ``false`` enabled Default value: `true` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. 
Default value: `present` ##### `first_broker_login_flow_alias` firstBrokerLoginFlowAlias Default value: `first broker login` ##### `forward_parameters` forwardParameters ##### `gui_order` guiOrder ##### `hide_on_login_page` Valid values: ``true``, ``false`` hideOnLoginPage Default value: `false` ##### `issuer` issuer ##### `jwks_url` jwksUrl ##### `link_only` Valid values: ``true``, ``false`` linkOnly Default value: `false` ##### `login_hint` Valid values: ``true``, ``false`` loginHint Default value: `false` ##### `logout_url` logoutUrl ##### `post_broker_login_flow_alias` postBrokerLoginFlowAlias ##### `prompt` Valid values: `none`, `consent`, `login`, `select_account` prompt ##### `store_token` Valid values: ``true``, ``false`` storeToken Default value: `false` ##### `sync_mode` Valid values: `IMPORT`, `LEGACY`, `FORCE` syncMode Default value: `IMPORT` ##### `token_url` tokenUrl ##### `trust_email` Valid values: ``true``, ``false`` trustEmail Default value: `false` ##### `ui_locales` Valid values: ``true``, ``false`` uiLocales Default value: `false` ##### `update_profile_first_login_mode` Valid values: `on`, `off` updateProfileFirstLoginMode Default value: `on` ##### `use_jwks_url` Valid values: ``true``, ``false`` useJwksUrl Default value: `true` ##### `user_info_url` userInfoUrl ##### `validate_signature` Valid values: ``true``, ``false`` validateSignature Default value: `false` #### Parameters The following parameters are available in the `keycloak_identity_provider` type. * [`alias`](#alias) * [`internal_id`](#internal_id) * [`name`](#name) * [`provider`](#provider) * [`provider_id`](#provider_id) * [`realm`](#realm) ##### `alias` The identity provider name. Defaults to `name`. ##### `internal_id` internalId. Defaults to "`alias`-`realm`" ##### `name` namevar The identity provider name ##### `provider` The specific backend to use for this `keycloak_identity_provider` resource. 
You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `provider_id` Valid values: `oidc`, `keycloak-oidc` providerId Default value: `oidc` ##### `realm` realm ### `keycloak_ldap_mapper` Manage Keycloak LDAP attribute mappers #### Examples ##### Add full name attribute mapping ```puppet keycloak_ldap_mapper { 'full name for LDAP-test on test: ensure => 'present', type => 'full-name-ldap-mapper', ldap_attribute => 'gecos', } ``` #### Properties The following properties are available in the `keycloak_ldap_mapper` type. ##### `always_read_value_from_ldap` Valid values: ``true``, ``false`` always.read.value.from.ldap. Defaults to `true` if `type` is `user-attribute-ldap-mapper`. ##### `client_id` client.id, only for `type` of `role-ldap-mapper` ##### `drop_non_existing_groups_during_sync` Valid values: ``true``, ``false`` drop.non.existing.groups.during.sync, only for `type` of `group-ldap-mapper` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `group_name_ldap_attribute` group.name.ldap.attribute, only for `type` of `group-ldap-mapper` ##### `group_object_classes` group.object.classes, only for `type` of `group-ldap-mapper` ##### `groups_dn` groups.dn, only for `type` of `group-ldap-mapper` ##### `groups_ldap_filter` groups.ldap.filter, only for `type` of `group-ldap-mapper` ##### `ignore_missing_groups` Valid values: ``true``, ``false`` ignore.missing.groups, only for `type` of `group-ldap-mapper` ##### `is_mandatory_in_ldap` is.mandatory.in.ldap. Defaults to `false` unless `type` is `full-name-ldap-mapper`. 
##### `ldap_attribute` ldap.attribute ##### `mapped_group_attributes` mapped.group.attributes, only for `type` of `group-ldap-mapper` ##### `memberof_ldap_attribute` memberof.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `membership_attribute_type` Valid values: `DN`, `UID` membership.attribute.type, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `membership_ldap_attribute` membership.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `membership_user_ldap_attribute` membership.user.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `mode` Valid values: `READ_ONLY`, `LDAP_ONLY` mode, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `preserve_group_inheritance` Valid values: ``true``, ``false`` preserve.group.inheritance, only for `type` of `group-ldap-mapper` ##### `read_only` Valid values: ``true``, ``false`` read.only ##### `role_name_ldap_attribute` role.name.ldap.attribute, only for `type` of `role-ldap-mapper` ##### `role_object_classes` role.object.classes, only for `type` of `role-ldap-mapper` ##### `roles_dn` roles.dn, only for `type` of `role-ldap-mapper` ##### `roles_ldap_filter` roles.ldap.filter, only for `type` of `role-ldap-mapper` ##### `use_realm_roles_mapping` Valid values: ``true``, ``false`` use.realm.roles.mapping, only for `type` of `role-ldap-mapper` ##### `user_model_attribute` user.model.attribute ##### `user_roles_retrieve_strategy` Valid values: `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`, `LOAD_ROLES_BY_MEMBER_ATTRIBUTE`, `GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE`, `LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY` user.roles.retrieve.strategy, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `write_only` Valid values: ``true``, ``false`` write.only. Defaults to `false` if `type` is `full-name-ldap-mapper`. 
#### Parameters The following parameters are available in the `keycloak_ldap_mapper` type. * [`id`](#id) * [`ldap`](#ldap) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) * [`resource_name`](#resource_name) * [`type`](#type) ##### `id` Id. ##### `ldap` parentId ##### `name` namevar The LDAP mapper name ##### `provider` The specific backend to use for this `keycloak_ldap_mapper` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` realm ##### `resource_name` The LDAP mapper name. Defaults to `name` ##### `type` Valid values: `user-attribute-ldap-mapper`, `full-name-ldap-mapper`, `group-ldap-mapper`, `role-ldap-mapper` providerId Default value: `user-attribute-ldap-mapper` ### `keycloak_ldap_user_provider` Manage Keycloak LDAP user providers #### Examples ##### Add LDAP user provider to test realm ```puppet keycloak_ldap_user_provider { 'LDAP on test': ensure => 'present', users_dn => 'ou=People,dc=example,dc=com', connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636', import_enabled => false, use_truststore_spi => 'never', } ``` #### Properties The following properties are available in the `keycloak_ldap_user_provider` type. ##### `auth_type` Valid values: `none`, `simple` authType Default value: `none` ##### `batch_size_for_sync` batchSizeForSync Default value: `1000` ##### `bind_credential` bindCredential ##### `bind_dn` bindDn ##### `changed_sync_period` changedSyncPeriod Default value: `-1` ##### `connection_url` connectionUrl ##### `custom_user_search_filter` Valid values: `%r{.*}`, `absent` customUserSearchFilter Default value: `absent` ##### `edit_mode` Valid values: `READ_ONLY`, `WRITABLE`, `UNSYNCED` editMode Default value: `READ_ONLY` ##### `enabled` Valid values: ``true``, ``false`` enabled Default value: `true` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. 
Default value: `present` ##### `full_sync_period` fullSyncPeriod Default value: `-1` ##### `import_enabled` Valid values: ``true``, ``false`` importEnabled Default value: `true` ##### `priority` priority Default value: `0` ##### `rdn_ldap_attribute` rdnLdapAttribute Default value: `uid` ##### `search_scope` Valid values: `one`, `one_level`, `subtree`, `1`, `2`, `1`, `2` searchScope ##### `trust_email` Valid values: ``true``, ``false`` trustEmail Default value: `false` ##### `use_kerberos_for_password_authentication` Valid values: ``true``, ``false`` useKerberosForPasswordAuthentication ##### `use_truststore_spi` Valid values: `always`, `ldapsOnly`, `never` useTruststoreSpi Default value: `ldapsOnly` ##### `user_object_classes` userObjectClasses Default value: `['inetOrgPerson', 'organizationalPerson']` ##### `username_ldap_attribute` usernameLdapAttribute Default value: `uid` ##### `users_dn` usersDn ##### `uuid_ldap_attribute` uuidLdapAttribute Default value: `entryUUID` ##### `vendor` Valid values: `ad`, `rhds`, `tivoli`, `eDirectory`, `other` vendor Default value: `other` #### Parameters The following parameters are available in the `keycloak_ldap_user_provider` type. * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) * [`resource_name`](#resource_name) ##### `id` Id. Defaults to "`resource_name`-`realm`" ##### `name` namevar The LDAP user provider name ##### `provider` The specific backend to use for this `keycloak_ldap_user_provider` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` parentId ##### `resource_name` The LDAP user provider name. Defaults to `name`. 
### `keycloak_protocol_mapper` Manage Keycloak client scope protocol mappers #### Examples ##### Add email protocol mapper to oidc-client client scope in realm test ```puppet keycloak_protocol_mapper { "email for oidc-clients on test": claim_name => 'email', user_attribute => 'email', } ``` #### Properties The following properties are available in the `keycloak_protocol_mapper` type. ##### `access_token_claim` Valid values: ``true``, ``false`` access.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `attribute_name` attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `attribute_nameformat` attribute.nameformat ##### `claim_name` claim.name ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `friendly_name` friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `full_path` Valid values: ``true``, ``false`` full.path. Default to `false` for `type` `oidc-group-membership-mapper`. ##### `id_token_claim` Valid values: ``true``, ``false`` id.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `included_client_audience` included.client.audience Required for `type` of `oidc-audience-mapper` ##### `json_type_label` json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`. ##### `protocol` Valid values: `openid-connect`, `saml` protocol Default value: `openid-connect` ##### `script` Script, only valid for `type` of `saml-javascript-mapper`' Array values will be joined with newlines. Strings will be kept unchanged. ##### `single` Valid values: ``true``, ``false`` single. Default to `false` for `type` `saml-role-list-mapper` or `saml-javascript-mapper`. ##### `user_attribute` user.attribute. 
Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper` ##### `userinfo_token_claim` Valid values: ``true``, ``false`` userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`. #### Parameters The following parameters are available in the `keycloak_protocol_mapper` type. * [`client_scope`](#client_scope) * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) * [`resource_name`](#resource_name) * [`type`](#type) ##### `client_scope` client scope ##### `id` Id. ##### `name` namevar The protocol mapper name ##### `provider` The specific backend to use for this `keycloak_protocol_mapper` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` realm ##### `resource_name` The protocol mapper name. Defaults to `name`. ##### `type` Valid values: `oidc-usermodel-property-mapper`, `oidc-usermodel-attribute-mapper`, `oidc-full-name-mapper`, `oidc-group-membership-mapper`, `oidc-audience-mapper`, `saml-group-membership-mapper`, `saml-user-property-mapper`, `saml-user-attribute-mapper`, `saml-role-list-mapper` protocolMapper. Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and `saml-user-property-mapper` for `protocol` `saml`. ### `keycloak_realm` Manage Keycloak realms #### Examples ##### Add a realm with a custom theme ```puppet keycloak_realm { 'test': ensure => 'present', remember_me => true, login_with_email_allowed => false, login_theme => 'my_theme', } ``` #### Properties The following properties are available in the `keycloak_realm` type. 
##### `access_code_lifespan` accessCodeLifespan ##### `access_code_lifespan_login` accessCodeLifespanLogin ##### `access_code_lifespan_user_action` accessCodeLifespanUserAction ##### `access_token_lifespan` accessTokenLifespan ##### `access_token_lifespan_for_implicit_flow` accessTokenLifespanForImplicitFlow ##### `account_theme` accountTheme Default value: `keycloak` ##### `action_token_generated_by_admin_lifespan` actionTokenGeneratedByAdminLifespan ##### `action_token_generated_by_user_lifespan` actionTokenGeneratedByUserLifespan ##### `admin_events_details_enabled` Valid values: ``true``, ``false`` adminEventsDetailsEnabled Default value: `false` ##### `admin_events_enabled` Valid values: ``true``, ``false`` adminEventsEnabled Default value: `false` ##### `admin_theme` adminTheme Default value: `keycloak` ##### `browser_flow` browserFlow Default value: `browser` ##### `brute_force_protected` Valid values: ``true``, ``false`` bruteForceProtected ##### `client_authentication_flow` clientAuthenticationFlow Default value: `clients` ##### `content_security_policy` contentSecurityPolicy Default value: `frame-src 'self'; frame-ancestors 'self'; object-src 'none';` ##### `default_client_scopes` Default Client Scopes ##### `direct_grant_flow` directGrantFlow Default value: `direct grant` ##### `display_name` displayName ##### `display_name_html` displayNameHtml ##### `docker_authentication_flow` dockerAuthenticationFlow Default value: `docker auth` ##### `email_theme` emailTheme Default value: `keycloak` ##### `enabled` Valid values: ``true``, ``false`` enabled Default value: `true` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. 
Default value: `present` ##### `events_enabled` Valid values: ``true``, ``false`` eventsEnabled Default value: `false` ##### `events_expiration` eventsExpiration ##### `events_listeners` eventsListeners Default value: `['jboss-logging']` ##### `internationalization_enabled` Valid values: ``true``, ``false`` internationalizationEnabled Default value: `false` ##### `login_theme` loginTheme Default value: `keycloak` ##### `login_with_email_allowed` Valid values: ``true``, ``false`` loginWithEmailAllowed Default value: `true` ##### `offline_session_idle_timeout` offlineSessionIdleTimeout ##### `offline_session_max_lifespan` offlineSessionMaxLifespan ##### `offline_session_max_lifespan_enabled` Valid values: ``true``, ``false`` offlineSessionMaxLifespanEnabled Default value: `false` ##### `optional_client_scopes` Optional Client Scopes ##### `registration_allowed` Valid values: ``true``, ``false`` registrationAllowed Default value: `false` ##### `registration_flow` registrationFlow Default value: `registration` ##### `remember_me` Valid values: ``true``, ``false`` rememberMe Default value: `false` ##### `reset_credentials_flow` resetCredentialsFlow Default value: `reset credentials` ##### `reset_password_allowed` Valid values: ``true``, ``false`` resetPasswordAllowed Default value: `false` ##### `roles` roles Default value: `['offline_access', 'uma_authorization']` ##### `smtp_server_auth` Valid values: ``true``, ``false`` smtpServer auth ##### `smtp_server_envelope_from` smtpServer envelope_from ##### `smtp_server_from` smtpServer from ##### `smtp_server_from_display_name` smtpServer fromDisplayName ##### `smtp_server_host` smtpServer host ##### `smtp_server_password` smtpServer password ##### `smtp_server_port` smtpServer port ##### `smtp_server_reply_to` smtpServer replyto ##### `smtp_server_reply_to_display_name` smtpServer replyToDisplayName ##### `smtp_server_ssl` Valid values: ``true``, ``false`` smtpServer ssl ##### `smtp_server_starttls` Valid values: ``true``, 
``false`` smtpServer starttls ##### `smtp_server_user` smtpServer user ##### `sso_session_idle_timeout` ssoSessionIdleTimeout ##### `sso_session_idle_timeout_remember_me` ssoSessionIdleTimeoutRememberMe ##### `sso_session_max_lifespan` ssoSessionMaxLifespan ##### `sso_session_max_lifespan_remember_me` ssoSessionMaxLifespanRememberMe ##### `supported_locales` Supported Locales ##### `verify_email` Valid values: ``true``, ``false`` verifyEmail Default value: `false` #### Parameters The following parameters are available in the `keycloak_realm` type. * [`id`](#id) * [`manage_roles`](#manage_roles) * [`name`](#name) * [`provider`](#provider)
+* [`user_managed_access_allowed`](#user_managed_access_allowed) ##### `id` Id. Default to `name`. ##### `manage_roles` Valid values: ``true``, ``false`` Manage realm roles Default value: ``true`` ##### `name` namevar The realm name ##### `provider` The specific backend to use for this `keycloak_realm` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
+##### `user_managed_access`
+
+Specifies if a user is able to manage their resources and permissions using the Account Management Console. Defaults to false.
+ ### `keycloak_required_action` Manage Keycloak required actions #### Examples ##### Enable Webauthn Register and make it default ```puppet keycloak_required_action { 'webauthn-register on master': ensure => present, provider_id => 'webauthn-register', display_name => 'Webauthn Register', default => true, enabled => true, priority => 1, config => { 'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values 'smth else' => '1', }, alias => 'webauthn', } @example Minimal example to enable email verification without making it default keycloak_required_action { 'VERIFY_EMAIL on master': ensure => present, provider_id => 'webauthn-register', } ``` #### Properties The following properties are available in the `keycloak_required_action` type. ##### `alias` Alias. Default to `provider_id`. ##### `config` Required action config ##### `default` Valid values: ``true``, ``false`` If the required action is a default one. Default to false Default value: `false` ##### `display_name` Displayed name. Default to `provider_id` ##### `enabled` Valid values: ``true``, ``false`` If the required action is enabled. Default to true. Default value: `true` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `priority` Required action priority #### Parameters The following parameters are available in the `keycloak_required_action` type. * [`name`](#name) * [`provider`](#provider) * [`provider_id`](#provider_id) * [`realm`](#realm) ##### `name` namevar The required action name ##### `provider` The specific backend to use for this `keycloak_required_action` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. 
##### `provider_id` providerId of the required action ##### `realm` realm ### `keycloak_resource_validator` Verify that a specific Keycloak resource is available #### Properties The following properties are available in the `keycloak_resource_validator` type. ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` #### Parameters The following parameters are available in the `keycloak_resource_validator` type. * [`dependent_resources`](#dependent_resources) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) * [`test_key`](#test_key) * [`test_url`](#test_url) * [`test_value`](#test_value) * [`timeout`](#timeout) ##### `dependent_resources` Resources that should autorequire this validator, eg: Keycloak_flow_execution[foobar] ##### `name` namevar An arbitrary name used as the identity of the resource. ##### `provider` The specific backend to use for this `keycloak_resource_validator` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` Realm to query ##### `test_key` Key to lookup ##### `test_url` URL to use for testing if the Keycloak database is up ##### `test_value` Value to lookup ##### `timeout` The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds. Default value: `30` ### `keycloak_sssd_user_provider` Manage Keycloak SSSD user providers #### Examples ##### Add SSSD user provider to test realm ```puppet keycloak_sssd_user_provider { 'SSSD on test': ensure => 'present', } ``` #### Properties The following properties are available in the `keycloak_sssd_user_provider` type. 
##### `cache_policy` Valid values: `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, `NO_CACHE` cachePolicy Default value: `DEFAULT` ##### `enabled` Valid values: ``true``, ``false`` enabled Default value: `true` ##### `ensure` Valid values: `present`, `absent` The basic property that the resource should be in. Default value: `present` ##### `eviction_day` evictionDay ##### `eviction_hour` evictionHour ##### `eviction_minute` evictionMinute ##### `max_lifespan` maxLifespan ##### `priority` priority Default value: `0` #### Parameters The following parameters are available in the `keycloak_sssd_user_provider` type. * [`id`](#id) * [`name`](#name) * [`provider`](#provider) * [`realm`](#realm) * [`resource_name`](#resource_name) ##### `id` Id. Defaults to "`resource_name`-`realm`" ##### `name` namevar The SSSD user provider name ##### `provider` The specific backend to use for this `keycloak_sssd_user_provider` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. ##### `realm` parentId ##### `resource_name` The SSSD user provider name. Defaults to `name`.
diff --git a/lib/puppet/type/keycloak_realm.rb b/lib/puppet/type/keycloak_realm.rb
index e0b54fa..ea0bf94 100644
--- a/lib/puppet/type/keycloak_realm.rb
+++ b/lib/puppet/type/keycloak_realm.rb
@@ -1,328 +1,334 @@ require_relative '../../puppet_x/keycloak/type' require_relative '../../puppet_x/keycloak/array_property' require_relative '../../puppet_x/keycloak/integer_property' Puppet::Type.newtype(:keycloak_realm) do desc <<-DESC Manage Keycloak realms @example Add a realm with a custom theme keycloak_realm { 'test': ensure => 'present', remember_me => true, login_with_email_allowed => false, login_theme => 'my_theme', } DESC extend PuppetX::Keycloak::Type add_autorequires(false) ensurable newparam(:name, namevar: true) do desc 'The realm name' end newparam(:id) do desc 'Id. Default to `name`.' defaultto do @resource[:name] end end newproperty(:display_name) do desc 'displayName' end newproperty(:display_name_html) do desc 'displayNameHtml' end + newproperty(:user_managed_access_allowed, boolean: true) do + desc 'userManagedAccessAllowed' + newvalues(:true, :false) + defaultto :false + end + newproperty(:login_theme) do desc 'loginTheme' defaultto 'keycloak' end newproperty(:account_theme) do desc 'accountTheme' defaultto 'keycloak' end newproperty(:admin_theme) do desc 'adminTheme' defaultto 'keycloak' end newproperty(:email_theme) do desc 'emailTheme' defaultto 'keycloak' end newproperty(:internationalization_enabled, boolean: true) do desc 'internationalizationEnabled' newvalues(:true, :false) defaultto :false end newproperty(:sso_session_idle_timeout_remember_me, parent: PuppetX::Keycloak::IntegerProperty) do desc 'ssoSessionIdleTimeoutRememberMe' end newproperty(:sso_session_max_lifespan_remember_me, parent: PuppetX::Keycloak::IntegerProperty) do desc 'ssoSessionMaxLifespanRememberMe' end newproperty(:sso_session_idle_timeout, parent: PuppetX::Keycloak::IntegerProperty) do desc 'ssoSessionIdleTimeout' end newproperty(:sso_session_max_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do desc 'ssoSessionMaxLifespan' end newproperty(:access_code_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do desc 'accessCodeLifespan' end 
newproperty(:access_code_lifespan_login, parent: PuppetX::Keycloak::IntegerProperty) do desc 'accessCodeLifespanLogin' end newproperty(:access_code_lifespan_user_action, parent: PuppetX::Keycloak::IntegerProperty) do desc 'accessCodeLifespanUserAction' end newproperty(:access_token_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do desc 'accessTokenLifespan' end newproperty(:access_token_lifespan_for_implicit_flow, parent: PuppetX::Keycloak::IntegerProperty) do desc 'accessTokenLifespanForImplicitFlow' end newproperty(:action_token_generated_by_admin_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do desc 'actionTokenGeneratedByAdminLifespan' end newproperty(:action_token_generated_by_user_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do desc 'actionTokenGeneratedByUserLifespan' end newproperty(:offline_session_idle_timeout, parent: PuppetX::Keycloak::IntegerProperty) do desc 'offlineSessionIdleTimeout' end newproperty(:offline_session_max_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do desc 'offlineSessionMaxLifespan' end newproperty(:enabled, boolean: true) do desc 'enabled' newvalues(:true, :false) defaultto :true end newproperty(:remember_me, boolean: true) do desc 'rememberMe' newvalues(:true, :false) defaultto :false end newproperty(:registration_allowed, boolean: true) do desc 'registrationAllowed' newvalues(:true, :false) defaultto :false end newproperty(:login_with_email_allowed, boolean: true) do desc 'loginWithEmailAllowed' newvalues(:true, :false) defaultto :true end newproperty(:offline_session_max_lifespan_enabled, boolean: true) do desc 'offlineSessionMaxLifespanEnabled' newvalues(:true, :false) defaultto :false end newproperty(:reset_password_allowed, boolean: true) do desc 'resetPasswordAllowed' newvalues(:true, :false) defaultto :false end newproperty(:verify_email, boolean: true) do desc 'verifyEmail' newvalues(:true, :false) defaultto :false end newproperty(:browser_flow) do desc 'browserFlow' defaultto('browser') 
munge { |v| v.to_s } end newproperty(:registration_flow) do desc 'registrationFlow' defaultto('registration') munge { |v| v.to_s } end newproperty(:direct_grant_flow) do desc 'directGrantFlow' defaultto('direct grant') munge { |v| v.to_s } end newproperty(:reset_credentials_flow) do desc 'resetCredentialsFlow' defaultto('reset credentials') munge { |v| v.to_s } end newproperty(:client_authentication_flow) do desc 'clientAuthenticationFlow' defaultto('clients') munge { |v| v.to_s } end newproperty(:docker_authentication_flow) do desc 'dockerAuthenticationFlow' defaultto('docker auth') munge { |v| v.to_s } end newproperty(:default_client_scopes, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do desc 'Default Client Scopes' end newproperty(:optional_client_scopes, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do desc 'Optional Client Scopes' end newproperty(:supported_locales, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do desc 'Supported Locales' end newproperty(:content_security_policy) do desc 'contentSecurityPolicy' defaultto("frame-src 'self'; frame-ancestors 'self'; object-src 'none';") munge { |v| v.to_s } end newproperty(:events_enabled, boolean: true) do desc 'eventsEnabled' newvalues(:true, :false) defaultto :false end newproperty(:events_expiration) do desc 'eventsExpiration' end newproperty(:events_listeners, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do desc 'eventsListeners' defaultto ['jboss-logging'] end newproperty(:admin_events_enabled, boolean: true) do desc 'adminEventsEnabled' newvalues(:true, :false) defaultto :false end newproperty(:admin_events_details_enabled, boolean: true) do desc 'adminEventsDetailsEnabled' newvalues(:true, :false) defaultto :false end newproperty(:smtp_server_user) do desc 'smtpServer user' end newproperty(:smtp_server_password) do desc 'smtpServer password' def insync?(is) if is =~ %r{^[\*]+$} Puppet.warning("Property 'smtp_server_password' is set 
and Puppet has no way to check current value") true else false end end def should_to_s(_newvalue) '[new smtp_server_password redacted]' end end newproperty(:smtp_server_host) do desc 'smtpServer host' end newproperty(:smtp_server_port, parent: PuppetX::Keycloak::IntegerProperty) do desc 'smtpServer port' end newproperty(:smtp_server_auth, boolean: true) do desc 'smtpServer auth' newvalues(:true, :false) end newproperty(:smtp_server_starttls, boolean: true) do desc 'smtpServer starttls' newvalues(:true, :false) end newproperty(:smtp_server_ssl, boolean: true) do desc 'smtpServer ssl' newvalues(:true, :false) end newproperty(:smtp_server_from) do desc 'smtpServer from' end newproperty(:smtp_server_envelope_from) do desc 'smtpServer envelope_from' end newproperty(:smtp_server_from_display_name) do desc 'smtpServer fromDisplayName' end newproperty(:smtp_server_reply_to) do desc 'smtpServer replyto' end newproperty(:smtp_server_reply_to_display_name) do desc 'smtpServer replyToDisplayName' end newproperty(:brute_force_protected, boolean: true) do desc 'bruteForceProtected' newvalues(:true, :false) end newparam(:manage_roles, boolean: true) do desc 'Manage realm roles' newvalues(:true, :false) defaultto(:true) end newproperty(:roles, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do desc 'roles' defaultto ['offline_access', 'uma_authorization'] def insync?(is) if resource[:manage_roles].to_s == 'false' return true end super(is) end end end diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb index 3a94fb7..5332f2d 100644 --- a/spec/acceptance/2_realm_spec.rb +++ b/spec/acceptance/2_realm_spec.rb 
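Review bot: The new `user_managed_access_allowed` property carries `defaultto :false`, so every existing `keycloak_realm` resource that never sets it will start enforcing `userManagedAccessAllowed=false` on its next run, and a realm where an operator enabled User-Managed Access outside Puppet is reverted without any manifest change; that is a sound secure default, but it should be stated rather than left implicit. The `desc` only repeats the API key, and since this flag switches on the UMA authorization features for end users it deserves a sentence, e.g. `desc 'userManagedAccessAllowed: enable User-Managed Access (UMA) so users can manage permissions on their own resources through the account console; defaults to false and is enforced on existing realms'`. Nothing in this diff touches the realm provider; the acceptance change in 2_realm_spec.rb asserting `userManagedAccessAllowed` suggests the provider maps property names generically, but that is worth confirming before merge.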
@@ -1,283 +1,285 @@ require 'spec_helper_acceptance' describe 'keycloak_realm:', if: RSpec.configuration.keycloak_full do context 'creates realm' do it 'runs successfully' do pp = <<-EOS include mysql::server class { 'keycloak': datasource_driver => 'mysql', } keycloak_realm { 'test': ensure => 'present', smtp_server_host => 'smtp.example.org', smtp_server_port => 587, smtp_server_starttls => false, smtp_server_auth => false, smtp_server_user => 'john', smtp_server_password => 'secret', smtp_server_envelope_from => 'keycloak@id.example.org', smtp_server_from => 'keycloak@id.example.org', smtp_server_from_display_name => 'Keycloak', smtp_server_reply_to => 'webmaster@example.org', smtp_server_reply_to_display_name => 'Webmaster', brute_force_protected => false, roles => ['offline_access', 'uma_authorization', 'new_role'], access_code_lifespan => 60, access_code_lifespan_login => 1800, access_code_lifespan_user_action => 300, access_token_lifespan => 60, access_token_lifespan_for_implicit_flow => 900, action_token_generated_by_admin_lifespan => 43200, action_token_generated_by_user_lifespan => 300, sso_session_idle_timeout_remember_me => 0, sso_session_max_lifespan_remember_me => 0, sso_session_idle_timeout => 1800, sso_session_max_lifespan => 36000, offline_session_idle_timeout => 2592000, offline_session_max_lifespan => 5184000, offline_session_max_lifespan_enabled => true, } EOS apply_manifest(pp, catch_failures: true) apply_manifest(pp, catch_changes: true) end it 'has created a realm' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do data = JSON.parse(stdout) expect(data['id']).to eq('test') expect(data['bruteForceProtected']).to eq(false) expect(data['registrationAllowed']).to eq(false) expect(data['resetPasswordAllowed']).to eq(false) expect(data['verifyEmail']).to eq(false) end end it 'has left default-client-scopes' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-default-client-scopes' do data = JSON.parse(stdout) 
names = data.map { |d| d['name'] }.sort expect(names).to include('email') expect(names).to include('profile') expect(names).to include('role_list') end end it 'has left optional-client-scopes' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-optional-client-scopes' do data = JSON.parse(stdout) names = data.map { |d| d['name'] }.sort expect(names).to include('address') expect(names).to include('offline_access') expect(names).to include('phone') end end it 'has default events config' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get events/config -r test' do data = JSON.parse(stdout) expect(data['eventsEnabled']).to eq(false) expect(data['eventsExpiration']).to be_nil expect(data['eventsListeners']).to eq(['jboss-logging']) expect(data['adminEventsEnabled']).to eq(false) expect(data['adminEventsDetailsEnabled']).to eq(false) end end it 'has correct smtp settings' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do data = JSON.parse(stdout) expect(data['smtpServer']['host']).to eq('smtp.example.org') expect(data['smtpServer']['port']).to eq('587') expect(data['smtpServer']['starttls']).to eq('false') expect(data['smtpServer']['auth']).to eq('false') expect(data['smtpServer']['user']).to eq('john') expect(data['smtpServer']['envelopeFrom']).to eq('keycloak@id.example.org') expect(data['smtpServer']['from']).to eq('keycloak@id.example.org') expect(data['smtpServer']['fromDisplayName']).to eq('Keycloak') expect(data['smtpServer']['replyTo']).to eq('webmaster@example.org') expect(data['smtpServer']['replyToDisplayName']).to eq('Webmaster') end end it 'has correct token settings' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do data = JSON.parse(stdout) expect(data['accessCodeLifespan']).to eq(60) expect(data['accessCodeLifespanLogin']).to eq(1800) expect(data['accessCodeLifespanUserAction']).to eq(300) expect(data['accessTokenLifespan']).to eq(60) expect(data['accessTokenLifespanForImplicitFlow']).to eq(900) 
expect(data['actionTokenGeneratedByAdminLifespan']).to eq(43_200) expect(data['actionTokenGeneratedByUserLifespan']).to eq(300) expect(data['ssoSessionIdleTimeoutRememberMe']).to eq(0) expect(data['ssoSessionMaxLifespanRememberMe']).to eq(0) expect(data['ssoSessionIdleTimeout']).to eq(1800) expect(data['ssoSessionMaxLifespan']).to eq(36_000) expect(data['offlineSessionIdleTimeout']).to eq(2_592_000) expect(data['offlineSessionMaxLifespan']).to eq(5_184_000) expect(data['offlineSessionMaxLifespanEnabled']).to eq(true) end end it 'has correct roles settings' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get roles -r test' do data = JSON.parse(stdout) expected_roles = ['new_role', 'offline_access', 'uma_authorization'] realm_roles = [] data.each do |d| unless d['composite'] realm_roles.push(d['name']) end end expect(expected_roles - realm_roles).to eq([]) end end end context 'updates realm' do it 'runs successfully' do pp = <<-EOS include mysql::server class { 'keycloak': datasource_driver => 'mysql', } keycloak_realm { 'test': ensure => 'present', remember_me => true, registration_allowed => true, reset_password_allowed => true, verify_email => true, + user_managed_access_allowed => true, access_code_lifespan => 3600, access_token_lifespan => 3600, access_code_lifespan_login => 3600, access_code_lifespan_user_action => 600, sso_session_idle_timeout => 3600, sso_session_max_lifespan => 72000, access_token_lifespan_for_implicit_flow => 3600, action_token_generated_by_admin_lifespan => 21600, action_token_generated_by_user_lifespan => 600, offline_session_idle_timeout => 1296000, offline_session_max_lifespan => 2592000, offline_session_max_lifespan_enabled => false, default_client_scopes => ['profile'], content_security_policy => "frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';", events_enabled => true, events_expiration => 2678400, admin_events_enabled => true, admin_events_details_enabled => true, 
smtp_server_host => 'smtp.example.org', smtp_server_port => 587, smtp_server_starttls => false, smtp_server_auth => true, smtp_server_user => 'jane', smtp_server_password => 'secret', smtp_server_envelope_from => 'keycloak@id.example.org', smtp_server_from => 'keycloak@id.example.org', smtp_server_from_display_name => 'Keycloak', smtp_server_reply_to => 'webmaster@example.org', smtp_server_reply_to_display_name => 'Hostmaster', brute_force_protected => true, roles => ['uma_authorization', 'new_role', 'other_new_role'], } EOS apply_manifest(pp, catch_failures: true) apply_manifest(pp, catch_changes: true) end it 'has updated the realm' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do data = JSON.parse(stdout) expect(data['rememberMe']).to eq(true) expect(data['registrationAllowed']).to eq(true) expect(data['resetPasswordAllowed']).to eq(true) expect(data['verifyEmail']).to eq(true) + expect(data['userManagedAccessAllowed']).to eq(true) expect(data['accessCodeLifespan']).to eq(3600) expect(data['accessCodeLifespanLogin']).to eq(3600) expect(data['accessCodeLifespanUserAction']).to eq(600) expect(data['accessTokenLifespan']).to eq(3600) expect(data['accessTokenLifespanForImplicitFlow']).to eq(3600) expect(data['actionTokenGeneratedByAdminLifespan']).to eq(21_600) expect(data['actionTokenGeneratedByUserLifespan']).to eq(600) expect(data['ssoSessionIdleTimeout']).to eq(3600) expect(data['ssoSessionMaxLifespan']).to eq(72_000) expect(data['offlineSessionIdleTimeout']).to eq(1_296_000) expect(data['offlineSessionMaxLifespan']).to eq(2_592_000) expect(data['offlineSessionMaxLifespanEnabled']).to eq(false) expect(data['browserSecurityHeaders']['contentSecurityPolicy']).to eq("frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';") expect(data['smtpServer']['host']).to eq('smtp.example.org') expect(data['smtpServer']['port']).to eq('587') expect(data['smtpServer']['starttls']).to eq('false') 
expect(data['smtpServer']['auth']).to eq('true') expect(data['smtpServer']['user']).to eq('jane') expect(data['smtpServer']['envelopeFrom']).to eq('keycloak@id.example.org') expect(data['smtpServer']['from']).to eq('keycloak@id.example.org') expect(data['smtpServer']['fromDisplayName']).to eq('Keycloak') expect(data['smtpServer']['replyTo']).to eq('webmaster@example.org') expect(data['smtpServer']['replyToDisplayName']).to eq('Hostmaster') expect(data['bruteForceProtected']).to eq(true) end end it 'has updated the realm default-client-scopes' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-default-client-scopes' do data = JSON.parse(stdout) names = data.map { |d| d['name'] } expect(names).to eq(['profile']) end end it 'has updated events config' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get events/config -r test' do data = JSON.parse(stdout) expect(data['eventsEnabled']).to eq(true) expect(data['eventsExpiration']).to eq(2_678_400) expect(data['eventsListeners']).to eq(['jboss-logging']) expect(data['adminEventsEnabled']).to eq(true) expect(data['adminEventsDetailsEnabled']).to eq(true) end end it 'has updated roles settings' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get roles -r test' do data = JSON.parse(stdout) expected_roles = ['new_role', 'other_new_role', 'uma_authorization'] realm_roles = [] data.each do |d| unless d['composite'] realm_roles.push(d['name']) end end expect(expected_roles - realm_roles).to eq([]) end end end context 'creates realm with invalid browser flow' do it 'runs successfully' do pp = <<-EOS include mysql::server class { 'keycloak': datasource_driver => 'mysql', } keycloak_realm { 'test2': ensure => 'present', browser_flow => 'Copy of browser', } EOS apply_manifest(pp, catch_failures: true) apply_manifest(pp, expect_changes: true) end it 'has created a realm' do on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test2' do data = JSON.parse(stdout) expect(data['browserFlow']).to eq('browser') 
end end end end diff --git a/spec/unit/puppet/type/keycloak_realm_spec.rb b/spec/unit/puppet/type/keycloak_realm_spec.rb index b985a05..29736ec 100644 --- a/spec/unit/puppet/type/keycloak_realm_spec.rb +++ b/spec/unit/puppet/type/keycloak_realm_spec.rb 
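Review bot: Only the `true` path of the new flag is exercised end to end; the `creates realm` context's `has created a realm` block never asserts the default, so the type's `defaultto :false` is proven only in the unit spec and never against a real realm. Add `expect(data['userManagedAccessAllowed']).to eq(false)` next to the existing `registrationAllowed`/`resetPasswordAllowed` checks there. That also catches the case where the provider drops the property on create and the second `apply_manifest` in the update context then reports a change that is really a create-time omission. The `has created a realm` block is earlier in this same hunk.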
@@ -1,208 +1,210 @@ require 'spec_helper' describe Puppet::Type.type(:keycloak_realm) do let(:default_config) do { name: 'test', } end let(:config) do default_config end let(:resource) do described_class.new(config) end it 'adds to catalog without raising an error' do catalog = Puppet::Resource::Catalog.new expect { catalog.add_resource resource }.not_to raise_error end it 'has a name' do expect(resource[:name]).to eq('test') end it 'has id default to name' do expect(resource[:id]).to eq('test') end defaults = { login_theme: 'keycloak', account_theme: 'keycloak', admin_theme: 'keycloak', email_theme: 'keycloak', + user_managed_access_allowed: :false, access_code_lifespan_user_action: nil, access_token_lifespan_for_implicit_flow: nil, enabled: :true, remember_me: :false, login_with_email_allowed: :true, browser_flow: 'browser', registration_flow: 'registration', direct_grant_flow: 'direct grant', reset_credentials_flow: 'reset credentials', client_authentication_flow: 'clients', docker_authentication_flow: 'docker auth', content_security_policy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", events_enabled: :false, events_listeners: ['jboss-logging'], admin_events_enabled: :false, admin_events_details_enabled: :false, offline_session_max_lifespan_enabled: :false, } describe 'basic properties' do # Test basic properties [ :display_name, :display_name_html, :login_theme, :account_theme, :admin_theme, :email_theme, :events_expiration, :browser_flow, :registration_flow, :direct_grant_flow, :reset_credentials_flow, :client_authentication_flow, :docker_authentication_flow, :content_security_policy, :smtp_server_user, :smtp_server_password, :smtp_server_host, :smtp_server_envelope_from, :smtp_server_from, :smtp_server_from_display_name, :smtp_server_reply_to, :smtp_server_reply_to_display_name, ].each do |p| it "should accept a #{p}" do config[p] = 'foo' expect(resource[p]).to eq('foo') end next unless defaults[p] it "should have default for #{p}" do 
expect(resource[p]).to eq(defaults[p]) end end end describe 'integer properties' do # Test integer properties [ :sso_session_idle_timeout_remember_me, :sso_session_max_lifespan_remember_me, :sso_session_idle_timeout, :sso_session_max_lifespan, :access_code_lifespan, :access_code_lifespan_login, :access_code_lifespan_user_action, :access_token_lifespan, :access_token_lifespan_for_implicit_flow, :action_token_generated_by_admin_lifespan, :action_token_generated_by_user_lifespan, :offline_session_idle_timeout, :offline_session_max_lifespan, :smtp_server_port, ].each do |p| it "should accept a #{p}" do config[p] = 100 expect(resource[p]).to eq(100) end next unless defaults[p] it "should have default for #{p}" do expect(resource[p]).to eq(defaults[p]) end end end describe 'boolean properties' do # Test boolean properties [ + :user_managed_access_allowed, :remember_me, :registration_allowed, :reset_password_allowed, :verify_email, :login_with_email_allowed, :internationalization_enabled, :manage_roles, :events_enabled, :admin_events_enabled, :admin_events_details_enabled, :smtp_server_auth, :smtp_server_starttls, :smtp_server_ssl, :brute_force_protected, :offline_session_max_lifespan_enabled, ].each do |p| it "should accept true for #{p}" do config[p] = true expect(resource[p]).to eq(:true) end it "should accept true for #{p} string" do config[p] = 'true' expect(resource[p]).to eq(:true) end it "should accept false for #{p}" do config[p] = false expect(resource[p]).to eq(:false) end it "should accept false for #{p} string" do config[p] = 'false' expect(resource[p]).to eq(:false) end it "should not accept strings for #{p}" do config[p] = 'foo' expect { resource }.to raise_error(%r{foo}) end next unless defaults[p] it "should have default for #{p}" do expect(resource[p]).to eq(defaults[p]) end end end describe 'array properties' do # Array properties [ :default_client_scopes, :optional_client_scopes, :events_listeners, :supported_locales, :roles, ].each do |p| it "should 
accept array for #{p}" do config[p] = ['foo', 'bar'] expect(resource[p]).to eq(['foo', 'bar']) end next unless defaults[p] it "should have default for #{p}" do expect(resource[p]).to eq(defaults[p]) end end end it 'autorequires keycloak_conn_validator' do keycloak_conn_validator = Puppet::Type.type(:keycloak_conn_validator).new(name: 'keycloak') catalog = Puppet::Resource::Catalog.new catalog.add_resource resource catalog.add_resource keycloak_conn_validator rel = resource.autorequire[0] expect(rel.source.ref).to eq(keycloak_conn_validator.ref) expect(rel.target.ref).to eq(resource.ref) end it 'autorequires kcadm-wrapper.sh' do file = Puppet::Type.type(:file).new(name: 'kcadm-wrapper.sh', path: '/opt/keycloak/bin/kcadm-wrapper.sh') catalog = Puppet::Resource::Catalog.new catalog.add_resource resource catalog.add_resource file rel = resource.autorequire[0] expect(rel.source.ref).to eq(file.ref) expect(rel.target.ref).to eq(resource.ref) end end