diff --git a/REFERENCE.md b/REFERENCE.md
index f05eb78..0a91635 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1,3757 +1,3762 @@
# Reference
## Table of Contents
### Classes
#### Public Classes
* [`keycloak`](#keycloak): Manage Keycloak
* [`keycloak::config`](#keycloakconfig): Private class.
* [`keycloak::datasource::h2`](#keycloakdatasourceh2): Private class.
* [`keycloak::install`](#keycloakinstall): Private class.
* [`keycloak::service`](#keycloakservice): Private class.
* [`keycloak::sssd`](#keycloaksssd): Private class.
#### Private Classes
* `keycloak::datasource::mysql`: Manage MySQL datasource
* `keycloak::datasource::oracle`: Manage Oracle datasource
* `keycloak::datasource::postgresql`: Manage postgresql datasource
* `keycloak::resources`: Define Keycloak resources
### Defined types
* [`keycloak::client_scope::oidc`](#keycloakclient_scopeoidc): Manage Keycloak OpenID Connect client scope using built-in mappers
* [`keycloak::client_scope::saml`](#keycloakclient_scopesaml): Manage Keycloak SAML client scope using built-in mappers
* [`keycloak::freeipa_ldap_mappers`](#keycloakfreeipa_ldap_mappers): setup FreeIPA LDAP mappers for Keycloak
* [`keycloak::freeipa_user_provider`](#keycloakfreeipa_user_provider): setup IPA as an LDAP user provider for Keycloak
* [`keycloak::spi_deployment`](#keycloakspi_deployment): Manage Keycloak SPI deployment
* [`keycloak::truststore::host`](#keycloaktruststorehost): Add host to Keycloak truststore
### Resource types
* [`keycloak_api`](#keycloak_api): Type that configures API connection parameters for other keycloak types that use the Keycloak API.
* [`keycloak_client`](#keycloak_client): Manage Keycloak clients
* [`keycloak_client_protocol_mapper`](#keycloak_client_protocol_mapper): Manage Keycloak protocol mappers
* [`keycloak_client_scope`](#keycloak_client_scope): Manage Keycloak client scopes
* [`keycloak_conn_validator`](#keycloak_conn_validator): Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to pre
* [`keycloak_flow`](#keycloak_flow): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of `flow_alias` if `top_level=fals
* [`keycloak_flow_execution`](#keycloak_flow_execution): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of value defined for `flow_alias`
* [`keycloak_identity_provider`](#keycloak_identity_provider): Manage Keycloak identity providers
* [`keycloak_ldap_mapper`](#keycloak_ldap_mapper): Manage Keycloak LDAP attribute mappers
* [`keycloak_ldap_user_provider`](#keycloak_ldap_user_provider): Manage Keycloak LDAP user providers
* [`keycloak_protocol_mapper`](#keycloak_protocol_mapper): Manage Keycloak client scope protocol mappers
* [`keycloak_realm`](#keycloak_realm): Manage Keycloak realms
* [`keycloak_required_action`](#keycloak_required_action): Manage Keycloak required actions
* [`keycloak_resource_validator`](#keycloak_resource_validator): Verify that a specific Keycloak resource is available
* [`keycloak_sssd_user_provider`](#keycloak_sssd_user_provider): Manage Keycloak SSSD user providers
## Classes
### `keycloak`
Manage Keycloak
#### Examples
#####
```puppet
include ::keycloak
```
#### Parameters
The following parameters are available in the `keycloak` class:
* [`manage_install`](#manage_install)
* [`version`](#version)
* [`package_url`](#package_url)
* [`install_dir`](#install_dir)
* [`service_name`](#service_name)
* [`service_ensure`](#service_ensure)
* [`service_enable`](#service_enable)
* [`service_hasstatus`](#service_hasstatus)
* [`service_hasrestart`](#service_hasrestart)
* [`service_bind_address`](#service_bind_address)
* [`management_bind_address`](#management_bind_address)
* [`java_opts`](#java_opts)
* [`java_opts_append`](#java_opts_append)
* [`service_extra_opts`](#service_extra_opts)
* [`manage_user`](#manage_user)
* [`user`](#user)
* [`user_shell`](#user_shell)
* [`group`](#group)
* [`user_uid`](#user_uid)
* [`group_gid`](#group_gid)
* [`system_user`](#system_user)
* [`admin_user`](#admin_user)
* [`admin_user_password`](#admin_user_password)
* [`wildfly_user`](#wildfly_user)
* [`wildfly_user_password`](#wildfly_user_password)
* [`manage_datasource`](#manage_datasource)
* [`datasource_driver`](#datasource_driver)
* [`datasource_host`](#datasource_host)
* [`datasource_port`](#datasource_port)
* [`datasource_url`](#datasource_url)
* [`datasource_dbname`](#datasource_dbname)
* [`datasource_username`](#datasource_username)
* [`datasource_password`](#datasource_password)
* [`datasource_package`](#datasource_package)
* [`datasource_jar_source`](#datasource_jar_source)
* [`datasource_jar_filename`](#datasource_jar_filename)
* [`datasource_module_source`](#datasource_module_source)
* [`datasource_xa_class`](#datasource_xa_class)
* [`mysql_database_charset`](#mysql_database_charset)
* [`proxy_https`](#proxy_https)
* [`truststore`](#truststore)
* [`truststore_hosts`](#truststore_hosts)
* [`truststore_password`](#truststore_password)
* [`truststore_hostname_verification_policy`](#truststore_hostname_verification_policy)
* [`http_port`](#http_port)
* [`theme_static_max_age`](#theme_static_max_age)
* [`theme_cache_themes`](#theme_cache_themes)
* [`theme_cache_templates`](#theme_cache_templates)
* [`realms`](#realms)
* [`realms_merge`](#realms_merge)
* [`oidc_client_scopes`](#oidc_client_scopes)
* [`oidc_client_scopes_merge`](#oidc_client_scopes_merge)
* [`saml_client_scopes`](#saml_client_scopes)
* [`saml_client_scopes_merge`](#saml_client_scopes_merge)
* [`identity_providers`](#identity_providers)
* [`identity_providers_merge`](#identity_providers_merge)
* [`client_protocol_mappers`](#client_protocol_mappers)
* [`client_scopes`](#client_scopes)
* [`client_scopes_merge`](#client_scopes_merge)
* [`protocol_mappers`](#protocol_mappers)
* [`protocol_mappers_merge`](#protocol_mappers_merge)
* [`clients`](#clients)
* [`clients_merge`](#clients_merge)
* [`flows`](#flows)
* [`flows_merge`](#flows_merge)
* [`flow_executions`](#flow_executions)
* [`flow_executions_merge`](#flow_executions_merge)
* [`required_actions`](#required_actions)
* [`required_actions_merge`](#required_actions_merge)
* [`ldap_mappers`](#ldap_mappers)
* [`ldap_mappers_merge`](#ldap_mappers_merge)
* [`ldap_user_providers`](#ldap_user_providers)
* [`ldap_user_providers_merge`](#ldap_user_providers_merge)
* [`with_sssd_support`](#with_sssd_support)
* [`libunix_dbus_java_source`](#libunix_dbus_java_source)
* [`install_libunix_dbus_java_build_dependencies`](#install_libunix_dbus_java_build_dependencies)
* [`libunix_dbus_java_build_dependencies`](#libunix_dbus_java_build_dependencies)
* [`libunix_dbus_java_libdir`](#libunix_dbus_java_libdir)
* [`jna_package_name`](#jna_package_name)
* [`manage_sssd_config`](#manage_sssd_config)
* [`sssd_ifp_user_attributes`](#sssd_ifp_user_attributes)
* [`restart_sssd`](#restart_sssd)
* [`service_environment_file`](#service_environment_file)
* [`operating_mode`](#operating_mode)
* [`enable_jdbc_ping`](#enable_jdbc_ping)
* [`jboss_bind_public_address`](#jboss_bind_public_address)
* [`jboss_bind_private_address`](#jboss_bind_private_address)
* [`role`](#role)
* [`user_cache`](#user_cache)
* [`tech_preview_features`](#tech_preview_features)
* [`auto_deploy_exploded`](#auto_deploy_exploded)
* [`auto_deploy_zipped`](#auto_deploy_zipped)
* [`spi_deployments`](#spi_deployments)
* [`custom_config_content`](#custom_config_content)
* [`custom_config_source`](#custom_config_source)
* [`master_address`](#master_address)
* [`server_name`](#server_name)
* [`syslog`](#syslog)
* [`syslog_app_name`](#syslog_app_name)
* [`syslog_facility`](#syslog_facility)
* [`syslog_hostname`](#syslog_hostname)
* [`syslog_level`](#syslog_level)
* [`syslog_port`](#syslog_port)
* [`syslog_server_address`](#syslog_server_address)
* [`syslog_format`](#syslog_format)
##### `manage_install`
Data type: `Boolean`
Install Keycloak from upstream Keycloak tarball.
Set to false to manage installation of Keycloak outside
this module and set $install_dir to match.
Defaults to true.
Default value: ``true``
##### `version`
Data type: `String`
Version of Keycloak to install and manage.
Default value: `'12.0.4'`
##### `package_url`
Data type: `Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]`
URL of the Keycloak download.
Default is based on version.
Default value: ``undef``
##### `install_dir`
Data type: `Optional[Stdlib::Absolutepath]`
The directory of where to install Keycloak.
Default is `/opt/keycloak-${version}`.
Default value: ``undef``
##### `service_name`
Data type: `String`
Keycloak service name.
Default is `keycloak`.
Default value: `'keycloak'`
##### `service_ensure`
Data type: `String`
Keycloak service ensure property.
Default is `running`.
Default value: `'running'`
##### `service_enable`
Data type: `Boolean`
Keycloak service enable property.
Default is `true`.
Default value: ``true``
##### `service_hasstatus`
Data type: `Boolean`
Keycloak service hasstatus parameter.
Default is `true`.
Default value: ``true``
##### `service_hasrestart`
Data type: `Boolean`
Keycloak service hasrestart parameter.
Default is `true`.
Default value: ``true``
##### `service_bind_address`
Data type: `Stdlib::IP::Address`
Bind address for Keycloak service.
Default is '0.0.0.0'.
Default value: `'0.0.0.0'`
##### `management_bind_address`
Data type: `Stdlib::IP::Address`
Bind address for Keycloak management.
Default is '0.0.0.0'.
Default value: `'0.0.0.0'`
##### `java_opts`
Data type: `Optional[Variant[String, Array]]`
Sets additional options to Java virtual machine environment variable.
Default value: ``undef``
##### `java_opts_append`
Data type: `Boolean`
Determine if $JAVA_OPTS should be appended to when setting `java_opts` parameter
Default value: ``true``
##### `service_extra_opts`
Data type: `Optional[String]`
Additional options added to the end of the service command-line.
Default value: ``undef``
##### `manage_user`
Data type: `Boolean`
Defines if the module should manage the Linux user for Keycloak installation
Default value: ``true``
##### `user`
Data type: `String`
Keycloak user name.
Default is `keycloak`.
Default value: `'keycloak'`
##### `user_shell`
Data type: `Stdlib::Absolutepath`
Keycloak user shell.
Default value: `'/sbin/nologin'`
##### `group`
Data type: `String`
Keycloak user group name.
Default is `keycloak`.
Default value: `'keycloak'`
##### `user_uid`
Data type: `Optional[Integer]`
Keycloak user UID.
Default is `undef`.
Default value: ``undef``
##### `group_gid`
Data type: `Optional[Integer]`
Keycloak user group GID.
Default is `undef`.
Default value: ``undef``
##### `system_user`
Data type: `Boolean`
If keycloak user should be a system user with lower uid and gid.
Default is `true`
Default value: ``true``
##### `admin_user`
Data type: `String`
Keycloak administrative username.
Default is `admin`.
Default value: `'admin'`
##### `admin_user_password`
Data type: `String`
Keycloak administrative user password.
Default is `changeme`.
Default value: `'changeme'`
##### `wildfly_user`
Data type: `Optional[String]`
Wildfly user. Required for domain mode.
Default value: ``undef``
##### `wildfly_user_password`
Data type: `Optional[String]`
Wildfly user password. Required for domain mode.
Default value: ``undef``
##### `manage_datasource`
Data type: `Boolean`
Boolean that determines if configured datasource will be managed.
Default is `true`.
Default value: ``true``
##### `datasource_driver`
Data type: `Enum['h2', 'mysql', 'oracle', 'postgresql']`
Datasource driver to use for Keycloak.
Valid values are `h2`, `mysql`, 'oracle' and 'postgresql'
Default is `h2`.
Default value: `'h2'`
##### `datasource_host`
Data type: `Optional[String]`
Datasource host.
Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql'
Default is `localhost` for MySQL.
Default value: ``undef``
##### `datasource_port`
Data type: `Optional[Integer]`
Datasource port.
Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql'
Default is `3306` for MySQL.
Default value: ``undef``
##### `datasource_url`
Data type: `Optional[String]`
Datasource url.
Default datasource URLs are defined in init class.
Default value: ``undef``
##### `datasource_dbname`
Data type: `String`
Datasource database name.
Default is `keycloak`.
Default value: `'keycloak'`
##### `datasource_username`
Data type: `String`
Datasource user name.
Default is `sa`.
Default value: `'sa'`
##### `datasource_password`
Data type: `String`
Datasource user password.
Default is `sa`.
Default value: `'sa'`
##### `datasource_package`
Data type: `Optional[String]`
Package to add specified datasource support
Default value: ``undef``
##### `datasource_jar_source`
Data type: `Optional[String]`
Source for datasource JDBC driver - could be puppet link or local file on the node.
Default is dependent on value for `datasource_driver`.
This parameter is required if `datasource_driver` is `oracle`.
Default value: ``undef``
##### `datasource_jar_filename`
Data type: `Optional[String]`
Specify the filename of the destination datasource jar in the module dir of keycloak.
This parameter is only working at the moment if `datasource_driver` is `oracle`.
Default value: ``undef``
##### `datasource_module_source`
Data type: `Optional[String]`
Source for datasource module.xml. Default depends on `datasource_driver`.
Default value: ``undef``
##### `datasource_xa_class`
Data type: `Optional[String]`
MySQL Connector/J JDBC driver xa-datasource class name
Default value: ``undef``
##### `mysql_database_charset`
Data type: `String`
MySQL database charset
Default value: `'utf8'`
##### `proxy_https`
Data type: `Boolean`
Boolean that sets if HTTPS proxy should be enabled.
Set to `true` if proxying traffic through Apache.
Default is `false`.
Default value: ``false``
##### `truststore`
Data type: `Boolean`
Boolean that sets if truststore should be used.
Default is `false`.
Default value: ``false``
##### `truststore_hosts`
Data type: `Hash`
Hash that is used to define `keycloak::turststore::host` resources.
Default is `{}`.
Default value: `{}`
##### `truststore_password`
Data type: `String`
Truststore password.
Default is `keycloak`.
Default value: `'keycloak'`
##### `truststore_hostname_verification_policy`
Data type: `Enum['WILDCARD', 'STRICT', 'ANY']`
Valid values are `WILDCARD`, `STRICT`, and `ANY`.
Default is `WILDCARD`.
Default value: `'WILDCARD'`
##### `http_port`
Data type: `Integer`
HTTP port used by Keycloak.
Default is `8080`.
Default value: `8080`
##### `theme_static_max_age`
Data type: `Integer`
Max cache age in seconds of static content.
Default is `2592000`.
Default value: `2592000`
##### `theme_cache_themes`
Data type: `Boolean`
Boolean that sets if themes should be cached.
Default is `true`.
Default value: ``true``
##### `theme_cache_templates`
Data type: `Boolean`
Boolean that sets if templates should be cached.
Default is `true`.
Default value: ``true``
##### `realms`
Data type: `Hash`
Hash that is used to define keycloak_realm resources.
Default is `{}`.
Default value: `{}`
##### `realms_merge`
Data type: `Boolean`
Boolean that sets if `realms` should be merged from Hiera.
Default value: ``false``
##### `oidc_client_scopes`
Data type: `Hash`
Hash that is used to define keycloak::client_scope::oidc resources.
Default is `{}`.
Default value: `{}`
##### `oidc_client_scopes_merge`
Data type: `Boolean`
Boolean that sets if `oidc_client_scopes` should be merged from Hiera.
Default value: ``false``
##### `saml_client_scopes`
Data type: `Hash`
Hash that is used to define keycloak::client_scope::saml resources.
Default is `{}`.
Default value: `{}`
##### `saml_client_scopes_merge`
Data type: `Boolean`
Boolean that sets if `saml_client_scopes` should be merged from Hiera.
Default value: ``false``
##### `identity_providers`
Data type: `Hash`
Hash that is used to define keycloak_identity_provider resources.
Default value: `{}`
##### `identity_providers_merge`
Data type: `Boolean`
Boolean that sets if `identity_providers` should be merged from Hiera.
Default value: ``false``
##### `client_protocol_mappers`
Data type: `Hash`
Hash that is used to define keycloak_client_protocol_mapper resources.
Default value: `{}`
##### `client_scopes`
Data type: `Hash`
Hash that is used to define keycloak_client_scope resources.
Default value: `{}`
##### `client_scopes_merge`
Data type: `Boolean`
Boolean that sets if `client_scopes` should be merged from Hiera.
Default value: ``false``
##### `protocol_mappers`
Data type: `Hash`
Hash that is used to define keycloak_protocol_mapper resources.
Default value: `{}`
##### `protocol_mappers_merge`
Data type: `Boolean`
Boolean that sets if `protocol_mappers` should be merged from Hiera.
Default value: ``false``
##### `clients`
Data type: `Hash`
Hash that is used to define keycloak_client resources.
Default value: `{}`
##### `clients_merge`
Data type: `Boolean`
Boolean that sets if `clients` should be merged from Hiera.
Default value: ``false``
##### `flows`
Data type: `Hash`
Hash taht is used to define keycloak_flow resources.
Default value: `{}`
##### `flows_merge`
Data type: `Boolean`
Boolean that sets if `flows` should be merged from Hiera.
Default value: ``false``
##### `flow_executions`
Data type: `Hash`
Hash taht is used to define keycloak_flow resources.
Default value: `{}`
##### `flow_executions_merge`
Data type: `Boolean`
Boolean that sets if `flows` should be merged from Hiera.
Default value: ``false``
##### `required_actions`
Data type: `Hash`
Hash that is used to define keycloak_required_action resources.
Default value: `{}`
##### `required_actions_merge`
Data type: `Boolean`
Boolean that sets if `required_actions` should be merged from Hiera.
Default value: ``false``
##### `ldap_mappers`
Data type: `Hash`
Hash that is used to define keycloak_ldap_mapper resources.
Default value: `{}`
##### `ldap_mappers_merge`
Data type: `Boolean`
Boolean that sets if `ldap_mappers` should be merged from Hiera.
Default value: ``false``
##### `ldap_user_providers`
Data type: `Hash`
Hash that is used to define keycloak_ldap_user_provider resources.
Default value: `{}`
##### `ldap_user_providers_merge`
Data type: `Boolean`
Boolean that sets if `ldap_user_providers` should be merged from Hiera.
Default value: ``false``
##### `with_sssd_support`
Data type: `Boolean`
Boolean that determines if SSSD user provider support should be available
Default value: ``false``
##### `libunix_dbus_java_source`
Data type: `Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]`
Source URL of libunix-dbus-java
Default value: `'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'`
##### `install_libunix_dbus_java_build_dependencies`
Data type: `Boolean`
Boolean that determines of libunix-dbus-java build dependencies are managed by this module
Default value: ``true``
##### `libunix_dbus_java_build_dependencies`
Data type: `Array`
Packages needed to build libunix-dbus-java
Default value: `[]`
##### `libunix_dbus_java_libdir`
Data type: `Stdlib::Absolutepath`
Path to directory to install libunix-dbus-java libraries
Default value: `'/usr/lib64'`
##### `jna_package_name`
Data type: `String`
Package name for jna
Default value: `'jna'`
##### `manage_sssd_config`
Data type: `Boolean`
Boolean that determines if SSSD ifp config for Keycloak is managed
Default value: ``true``
##### `sssd_ifp_user_attributes`
Data type: `Array`
user_attributes to define for SSSD ifp service
Default value: `[]`
##### `restart_sssd`
Data type: `Boolean`
Boolean that determines if SSSD should be restarted
Default value: ``true``
##### `service_environment_file`
Data type: `Optional[Stdlib::Absolutepath]`
Path to the file with environment variables for the systemd service
Default value: ``undef``
##### `operating_mode`
Data type: `Enum['standalone', 'clustered', 'domain']`
Keycloak operating mode deployment
Default value: `'standalone'`
##### `enable_jdbc_ping`
Data type: `Boolean`
Use JDBC_PING to discover the nodes and manage the replication of data
More info: http://jgroups.org/manual/#_jdbc_ping
Only applies when `operating_mode` is either `clustered` or `domain`
JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other
This module does not manage firewall changes
Default value: ``false``
##### `jboss_bind_public_address`
Data type: `Stdlib::IP::Address`
JBoss bind public IP address
Default value: `$facts['networking']['ip']`
##### `jboss_bind_private_address`
Data type: `Stdlib::IP::Address`
JBoss bind private IP address
Default value: `$facts['networking']['ip']`
##### `role`
Data type: `Optional[Enum['master', 'slave']]`
Role when operating mode is domain.
Default value: ``undef``
##### `user_cache`
Data type: `Boolean`
Boolean that determines if userCache is enabled
Default value: ``true``
##### `tech_preview_features`
Data type: `Array`
List of technology Preview features to enable
Default value: `[]`
##### `auto_deploy_exploded`
Data type: `Boolean`
Set if exploded deployements will be auto deployed
Default value: ``false``
##### `auto_deploy_zipped`
Data type: `Boolean`
Set if zipped deployments will be auto deployed
Default value: ``true``
##### `spi_deployments`
Data type: `Hash`
Hash used to define keycloak::spi_deployment resources
Default value: `{}`
##### `custom_config_content`
Data type: `Optional[String]`
Custom configuration content to be added to config.cli
Default value: ``undef``
##### `custom_config_source`
Data type: `Optional[Variant[String, Array]]`
Custom configuration source file to be added to config.cli
Default value: ``undef``
##### `master_address`
Data type: `Optional[Stdlib::Host]`
IP address of the master in domain mode
Default value: ``undef``
##### `server_name`
Data type: `String`
Server name in domain mode. Defaults to hostname.
Default value: `$facts['hostname']`
##### `syslog`
Data type: `Boolean`
Enable syslog. Default false.
Default value: ``false``
##### `syslog_app_name`
Data type: `String`
Syslog app name. Default 'keycloak'.
Default value: `'keycloak'`
##### `syslog_facility`
Data type: `String`
Syslog facility. Default 'user-level'. See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html
Default value: `'user-level'`
##### `syslog_hostname`
Data type: `Stdlib::Host`
Syslog hostname of the server. Default $facts['fqdn'].
Default value: `$facts['fqdn']`
##### `syslog_level`
Data type: `String`
Syslog level. Default 'INFO'. See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html
Default value: `'INFO'`
##### `syslog_port`
Data type: `Stdlib::Port`
The port the syslog server is listening on. Default '514'.
Default value: `514`
##### `syslog_server_address`
Data type: `Stdlib::Host`
The address of the syslog server. Default 'localhost'.
Default value: `'localhost'`
##### `syslog_format`
Data type: `Enum['RFC3164', 'RFC5424']`
Syslog format. Either 'RFC3164' or 'RFC5424' Default 'RFC3164'.
Default value: `'RFC3164'`
### `keycloak::config`
Private class.
### `keycloak::datasource::h2`
Private class.
### `keycloak::install`
Private class.
### `keycloak::service`
Private class.
### `keycloak::sssd`
Private class.
## Defined types
### `keycloak::client_scope::oidc`
Manage Keycloak OpenID Connect client scope using built-in mappers
#### Examples
#####
```puppet
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}
```
#### Parameters
The following parameters are available in the `keycloak::client_scope::oidc` defined type:
* [`realm`](#realm)
* [`resource_name`](#resource_name)
##### `realm`
Data type: `String`
Realm of the client scope.
##### `resource_name`
Data type: `String`
Name of the client scope resource
Default value: `$name`
### `keycloak::client_scope::saml`
Manage Keycloak SAML client scope using built-in mappers
#### Examples
#####
```puppet
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}
```
#### Parameters
The following parameters are available in the `keycloak::client_scope::saml` defined type:
* [`realm`](#realm)
* [`resource_name`](#resource_name)
##### `realm`
Data type: `String`
Realm of the client scope.
##### `resource_name`
Data type: `String`
Name of the client scope resource
Default value: `$name`
### `keycloak::freeipa_ldap_mappers`
setup FreeIPA LDAP mappers for Keycloak
#### Examples
#####
```puppet
keycloak::freeipa_ldap_mappers { 'ipa.example.org':
realm => 'EXAMPLE.ORG',
groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org',
roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org'
}
```
#### Parameters
The following parameters are available in the `keycloak::freeipa_ldap_mappers` defined type:
* [`realm`](#realm)
* [`groups_dn`](#groups_dn)
* [`roles_dn`](#roles_dn)
* [`parent_id`](#parent_id)
##### `realm`
Data type: `String`
Keycloak realm
##### `groups_dn`
Data type: `String`
Groups DN
##### `roles_dn`
Data type: `String`
Roles DN
##### `parent_id`
Data type: `Optional[String]`
Identifier (parentId) for the LDAP provider to add this mapper to.
Will be passed to the $ldap parameter in keycloak_ldap_mapper.
Default value: ``undef``
### `keycloak::freeipa_user_provider`
setup IPA as an LDAP user provider for Keycloak
#### Examples
##### Add FreeIPA as a user provider
```puppet
keycloak::freeipa_user_provider { 'ipa.example.org':
ensure => 'present',
realm => 'EXAMPLE.ORG',
bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
bind_credential => 'secret',
users_dn => 'cn=users,cn=accounts,dc=example,dc=org',
priority => 10,
}
```
#### Parameters
The following parameters are available in the `keycloak::freeipa_user_provider` defined type:
* [`ensure`](#ensure)
* [`ipa_host`](#ipa_host)
* [`realm`](#realm)
* [`bind_dn`](#bind_dn)
* [`bind_credential`](#bind_credential)
* [`users_dn`](#users_dn)
* [`priority`](#priority)
* [`ldaps`](#ldaps)
* [`full_sync_period`](#full_sync_period)
* [`changed_sync_period`](#changed_sync_period)
##### `ensure`
Data type: `Enum['present', 'absent']`
LDAP user provider status
Default value: `'present'`
##### `ipa_host`
Data type: `Stdlib::Host`
Hostname of the FreeIPA server (e.g. ipa.example.org)
Default value: `$title`
##### `realm`
Data type: `String`
Keycloak realm
##### `bind_dn`
Data type: `String`
LDAP bind dn
##### `bind_credential`
Data type: `String`
LDAP bind password
##### `users_dn`
Data type: `String`
The DN for user search
##### `priority`
Data type: `Integer`
Priority for this user provider
Default value: `10`
##### `ldaps`
Data type: `Boolean`
Use LDAPS protocol instead of LDAP
Default value: ``false``
##### `full_sync_period`
Data type: `Optional[Integer]`
Synchronize all users this often (fullSyncPeriod)
Default value: ``undef``
##### `changed_sync_period`
Data type: `Optional[Integer]`
Synchronize changed users this often (changedSyncPeriod)
Default value: ``undef``
### `keycloak::spi_deployment`
}
#### Examples
##### Add Duo SPI
```puppet
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}
```
##### Add Duo SPI and check API for existance of resources before going onto dependenct resources
```puppet
keycloak::spi_deployment { 'duo-spi':
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-mfa-authenticator',
test_realm => 'test',
before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],
```
#### Parameters
The following parameters are available in the `keycloak::spi_deployment` defined type:
* [`ensure`](#ensure)
* [`deployed_name`](#deployed_name)
* [`source`](#source)
* [`test_url`](#test_url)
* [`test_key`](#test_key)
* [`test_value`](#test_value)
* [`test_realm`](#test_realm)
* [`test_before`](#test_before)
##### `ensure`
Data type: `Enum['present', 'absent']`
State of the deployment
Default value: `'present'`
##### `deployed_name`
Data type: `String[1]`
Name of the file to be deployed. Defaults to `$name`.
Default value: `$name`
##### `source`
Data type: `Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]`
Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'
##### `test_url`
Data type: `Optional[String]`
URL to test for existance of resources created by this SPI
Default value: ``undef``
##### `test_key`
Data type: `Optional[String]`
Key of resource when testing for resource created by this SPI
Default value: ``undef``
##### `test_value`
Data type: `Optional[String]`
Value of the `test_key` when testing for resources created by this SPI
Default value: ``undef``
##### `test_realm`
Data type: `Optional[String]`
Realm to query when looking for resources created by this SPI
Default value: ``undef``
##### `test_before`
Data type: `Optional[Array]`
Setup autorequires for validator dependent resources
Default value: ``undef``
### `keycloak::truststore::host`
Add host to Keycloak truststore
#### Examples
#####
```puppet
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
```
#### Parameters
The following parameters are available in the `keycloak::truststore::host` defined type:
* [`certificate`](#certificate)
* [`ensure`](#ensure)
##### `certificate`
Data type: `String`
Path to host certificate
##### `ensure`
Data type: `Enum['latest', 'present', 'absent']`
Host ensure value passed to `java_ks` resource.
Default value: `'latest'`
## Resource types
### `keycloak_api`
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
#### Examples
##### Define API access
```puppet
keycloak_api { 'keycloak'
install_dir => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
```
#### Parameters
The following parameters are available in the `keycloak_api` type.
* [`install_dir`](#install_dir)
* [`name`](#name)
* [`password`](#password)
* [`realm`](#realm)
* [`server`](#server)
* [`use_wrapper`](#use_wrapper)
* [`user`](#user)
##### `install_dir`
Install location of Keycloak
Default value: `/opt/keycloak`
##### `name`
namevar
Keycloak API config
##### `password`
Password for authentication
Default value: `changeme`
##### `realm`
Realm for authentication
Default value: `master`
##### `server`
Auth URL for Keycloak server
Default value: `http://localhost:8080/auth`
##### `use_wrapper`
Valid values: ``true``, ``false``
Boolean that determines if kcadm_wrapper.sh should be used
Default value: ``false``
##### `user`
User for authentication
Default value: `admin`
### `keycloak_client`
Manage Keycloak clients
#### Examples
##### Add a OpenID Connect client
```puppet
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
default_client_scopes => ['profile','email'],
secret => 'supersecret',
}
```
#### Properties
The following properties are available in the `keycloak_client` type.
##### `access_token_lifespan`
access.token.lifespan
##### `authorization_services_enabled`
Valid values: ``true``, ``false``
authorizationServicesEnabled
Default value: `false`
##### `base_url`
baseUrl
##### `bearer_only`
Valid values: ``true``, ``false``
bearerOnly
Default value: `false`
##### `browser_flow`
authenticationFlowBindingOverrides.browser (Use flow alias, not ID)
Default value: `absent`
##### `client_authenticator_type`
clientAuthenticatorType
Default value: `client-secret`
##### `default_client_scopes`
defaultClientScopes
Default value: `[]`
##### `direct_access_grants_enabled`
Valid values: ``true``, ``false``
enabled
Default value: `true`
##### `direct_grant_flow`
authenticationFlowBindingOverrides.direct_grant (Use flow alias, not ID)
Default value: `absent`
##### `enabled`
Valid values: ``true``, ``false``
enabled
Default value: `true`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `full_scope_allowed`
Valid values: ``true``, ``false``
fullScopeAllowed
Default value: `true`
##### `implicit_flow_enabled`
Valid values: ``true``, ``false``
implicitFlowEnabled
Default value: `false`
##### `login_theme`
login_theme
Default value: `absent`
##### `optional_client_scopes`
optionalClientScopes
Default value: `[]`
##### `protocol`
Valid values: `openid-connect`, `saml`
protocol
Default value: `openid-connect`
##### `public_client`
Valid values: ``true``, ``false``
enabled
Default value: `false`
##### `redirect_uris`
redirectUris
Default value: `[]`
##### `roles`
roles
Default value: `[]`
##### `root_url`
rootUrl
##### `secret`
secret
##### `service_accounts_enabled`
Valid values: ``true``, ``false``
serviceAccountsEnabled
Default value: `false`
##### `standard_flow_enabled`
Valid values: ``true``, ``false``
standardFlowEnabled
Default value: `true`
##### `web_origins`
webOrigins
Default value: `[]`
#### Parameters
The following parameters are available in the `keycloak_client` type.
* [`client_id`](#client_id)
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
##### `client_id`
clientId. Defaults to `name`.
##### `id`
Id. Defaults to `client_id`
##### `name`
namevar
The client name
##### `provider`
The specific backend to use for this `keycloak_client` resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
##### `realm`
realm
### `keycloak_client_protocol_mapper`
Manage Keycloak protocol mappers
#### Examples
##### Add email protocol mapper to test.example.com client in realm test
```puppet
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
```
#### Properties
The following properties are available in the `keycloak_client_protocol_mapper` type.
##### `access_token_claim`
Valid values: ``true``, ``false``
access.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `attribute_name`
attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `attribute_nameformat`
attribute.nameformat
##### `claim_name`
claim.name
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `friendly_name`
friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `full_path`
Valid values: ``true``, ``false``
full.path. Default to `false` for `type` `oidc-group-membership-mapper`.
##### `id_token_claim`
Valid values: ``true``, ``false``
id.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `included_client_audience`
included.client.audience Required for `type` of `oidc-audience-mapper`
##### `json_type_label`
json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`.
##### `protocol`
Valid values: `openid-connect`, `saml`
protocol
Default value: `openid-connect`
##### `script`
Script, only valid for `type` of `saml-javascript-mapper`'
Array values will be joined with newlines. Strings will be kept unchanged.
##### `single`
Valid values: ``true``, ``false``
single. Default to `false` for `type` `saml-role-list-mapper`.
##### `user_attribute`
user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper`
##### `userinfo_token_claim`
Valid values: ``true``, ``false``
userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`.
#### Parameters
The following parameters are available in the `keycloak_client_protocol_mapper` type.
* [`client`](#client)
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
* [`resource_name`](#resource_name)
* [`type`](#type)
##### `client`
client
##### `id`
Id.
##### `name`
namevar
The protocol mapper name
##### `provider`
The specific backend to use for this `keycloak_client_protocol_mapper` resource. You will seldom need to specify this
--- Puppet will usually discover the appropriate provider for your platform.
##### `realm`
realm
##### `resource_name`
The protocol mapper name. Defaults to `name`.
##### `type`
Valid values: `oidc-usermodel-client-role-mapper`, `oidc-usermodel-property-mapper`, `oidc-full-name-mapper`, `oidc-group-membership-mapper`, `oidc-audience-mapper`, `saml-user-property-mapper`, `saml-role-list-mapper`
protocolMapper.
Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and
`saml-user-property-mapper` for `protocol` `saml`.
### `keycloak_client_scope`
Manage Keycloak client scopes
#### Examples
##### Define a OpenID Connect client scope in the test realm
```puppet
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
```
#### Properties
The following properties are available in the `keycloak_client_scope` type.
##### `consent_screen_text`
consent.screen.text
##### `display_on_consent_screen`
Valid values: ``true``, ``false``
display.on.consent.screen
Default value: `true`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `protocol`
Valid values: `openid-connect`, `saml`
protocol
Default value: `openid-connect`
#### Parameters
The following parameters are available in the `keycloak_client_scope` type.
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
* [`resource_name`](#resource_name)
##### `id`
Id. Defaults to `resource_name`.
##### `name`
namevar
The client scope name
##### `provider`
The specific backend to use for this `keycloak_client_scope` resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
##### `realm`
realm
##### `resource_name`
The client scope name. Defaults to `name`.
### `keycloak_conn_validator`
Verify that a connection can be successfully established between a node
and the keycloak server. Its primary use is as a precondition to
prevent configuration changes from being applied if the keycloak
server cannot be reached, but it could potentially be used for other
purposes such as monitoring.
#### Properties
The following properties are available in the `keycloak_conn_validator` type.
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
#### Parameters
The following parameters are available in the `keycloak_conn_validator` type.
* [`keycloak_port`](#keycloak_port)
* [`keycloak_server`](#keycloak_server)
* [`name`](#name)
* [`provider`](#provider)
* [`test_url`](#test_url)
* [`timeout`](#timeout)
* [`use_ssl`](#use_ssl)
##### `keycloak_port`
The port that the keycloak server should be listening on.
Default value: `8080`
##### `keycloak_server`
The DNS name or IP address of the server where keycloak should be running.
Default value: `localhost`
##### `name`
namevar
An arbitrary name used as the identity of the resource.
##### `provider`
The specific backend to use for this `keycloak_conn_validator` resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
##### `test_url`
URL to use for testing if the Keycloak database is up
Default value: `/auth/admin/serverinfo`
##### `timeout`
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running;
defaults to 15 seconds.
Default value: `30`
##### `use_ssl`
Whether the connection will be attemped using https
Default value: ``false``
### `keycloak_flow`
Manage a Keycloak flow
**Autorequires**
* `keycloak_realm` defined for `realm` parameter
* `keycloak_flow` of `flow_alias` if `top_level=false`
* `keycloak_flow` of `flow_alias` if other `index` is lower and if `top_level=false`
* `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower and if `top_level=false`
#### Examples
##### Add custom flow
```puppet
keycloak_flow { 'browser-with-duo':
ensure => 'present',
realm => 'test',
}
```
##### Add a flow execution to existing browser-with-duo flow
```puppet
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
index => 2,
requirement => 'ALTERNATIVE',
top_level => false,
}
```
#### Properties
The following properties are available in the `keycloak_flow` type.
##### `description`
description
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `index`
execution index, only applied to top_level=false, required for top_level=false
##### `requirement`
Valid values: `DISABLED`, `ALTERNATIVE`, `REQUIRED`, `CONDITIONAL`, `disabled`, `alternative`, `required`, `conditional`
requirement, only applied to top_level=false and defaults to DISABLED
#### Parameters
The following parameters are available in the `keycloak_flow` type.
* [`alias`](#alias)
* [`flow_alias`](#flow_alias)
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`provider_id`](#provider_id)
* [`realm`](#realm)
* [`top_level`](#top_level)
* [`type`](#type)
##### `alias`
Alias. Default to `name`.
##### `flow_alias`
flowAlias, required for top_level=false
##### `id`
Id. Default to `$alias-$realm` when top_level is true. Only applies to top_level=true
##### `name`
namevar
The flow name
##### `provider`
The specific backend to use for this `keycloak_flow` resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
##### `provider_id`
Valid values: `basic-flow`, `form-flow`
providerId
Default value: `basic-flow`
##### `realm`
realm
##### `top_level`
Valid values: ``true``, ``false``
topLevel
Default value: ``true``
##### `type`
sub-flow execution provider, default to `registration-page-form` for top_level=false and does not apply to
top_level=true
### `keycloak_flow_execution`
Manage a Keycloak flow
**Autorequires**
* `keycloak_realm` defined for `realm` parameter
* `keycloak_flow` of value defined for `flow_alias`
* `keycloak_flow` if they share same `flow_alias` value and the other resource `index` is lower
* `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower
#### Examples
##### Add an execution to a flow
```puppet
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
index => 0,
requirement => 'ALTERNATIVE',
}
```
##### Add an execution to a execution flow that is one level deeper than top level
```puppet
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
index => 0,
requirement => 'REQUIRED',
}
```
##### Add an execution with a configuration
```puppet
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo MFA',
alias => 'Duo',
config => {
"duomfa.akey" => "foo-akey",
"duomfa.apihost" => "api-foo.duosecurity.com",
"duomfa.skey" => "secret",
"duomfa.ikey" => "foo-ikey",
"duomfa.groups" => "duo"
},
requirement => 'REQUIRED',
index => 1,
}
```
#### Properties
The following properties are available in the `keycloak_flow_execution` type.
##### `config`
execution config
##### `configurable`
Valid values: ``true``, ``false``
configurable
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `index`
execution index
##### `requirement`
Valid values: `DISABLED`, `ALTERNATIVE`, `REQUIRED`, `CONDITIONAL`, `disabled`, `alternative`, `required`, `conditional`
requirement
Default value: `DISABLED`
#### Parameters
The following parameters are available in the `keycloak_flow_execution` type.
* [`alias`](#alias)
* [`config_id`](#config_id)
* [`display_name`](#display_name)
* [`flow_alias`](#flow_alias)
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`provider_id`](#provider_id)
* [`realm`](#realm)
##### `alias`
alias
##### `config_id`
read-only config ID
##### `display_name`
displayName
##### `flow_alias`
flowAlias
##### `id`
read-only Id
##### `name`
namevar
The flow execution name
##### `provider`
The specific backend to use for this `keycloak_flow_execution` resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
##### `provider_id`
provider
##### `realm`
realm
### `keycloak_identity_provider`
Manage Keycloak identity providers
#### Examples
##### Add CILogon identity provider to test realm
```puppet
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}
```
#### Properties
The following properties are available in the `keycloak_identity_provider` type.
##### `add_read_token_role_on_create`
Valid values: ``true``, ``false``
addReadTokenRoleOnCreate
Default value: `false`
##### `allowed_clock_skew`
allowedClockSkew
##### `authenticate_by_default`
Valid values: ``true``, ``false``
authenticateByDefault
Default value: `false`
##### `authorization_url`
authorizationUrl
##### `backchannel_supported`
Valid values: ``true``, ``false``
backchannelSupported
Default value: `false`
##### `client_auth_method`
Valid values: `client_secret_post`, `client_secret_basic`, `client_secret_jwt`, `private_key_jwt`
clientAuthMethod
Default value: `client_secret_post`
##### `client_id`
clientId
##### `client_secret`
clientSecret
##### `default_scope`
default_scope
##### `disable_user_info`
Valid values: ``true``, ``false``
disableUserInfo
Default value: `false`
##### `display_name`
displayName
##### `enabled`
Valid values: ``true``, ``false``
enabled
Default value: `true`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `first_broker_login_flow_alias`
firstBrokerLoginFlowAlias
Default value: `first broker login`
##### `forward_parameters`
forwardParameters
##### `gui_order`
guiOrder
##### `hide_on_login_page`
Valid values: ``true``, ``false``
hideOnLoginPage
Default value: `false`
##### `issuer`
issuer
##### `jwks_url`
jwksUrl
##### `link_only`
Valid values: ``true``, ``false``
linkOnly
Default value: `false`
##### `login_hint`
Valid values: ``true``, ``false``
loginHint
Default value: `false`
##### `logout_url`
logoutUrl
##### `post_broker_login_flow_alias`
postBrokerLoginFlowAlias
##### `prompt`
Valid values: `none`, `consent`, `login`, `select_account`
prompt
##### `store_token`
Valid values: ``true``, ``false``
storeToken
Default value: `false`
##### `sync_mode`
Valid values: `IMPORT`, `LEGACY`, `FORCE`
syncMode
Default value: `IMPORT`
##### `token_url`
tokenUrl
##### `trust_email`
Valid values: ``true``, ``false``
trustEmail
Default value: `false`
##### `ui_locales`
Valid values: ``true``, ``false``
uiLocales
Default value: `false`
##### `update_profile_first_login_mode`
Valid values: `on`, `off`
updateProfileFirstLoginMode
Default value: `on`
##### `use_jwks_url`
Valid values: ``true``, ``false``
useJwksUrl
Default value: `true`
##### `user_info_url`
userInfoUrl
##### `validate_signature`
Valid values: ``true``, ``false``
validateSignature
Default value: `false`
#### Parameters
The following parameters are available in the `keycloak_identity_provider` type.
* [`alias`](#alias)
* [`internal_id`](#internal_id)
* [`name`](#name)
* [`provider`](#provider)
* [`provider_id`](#provider_id)
* [`realm`](#realm)
##### `alias`
The identity provider name. Defaults to `name`.
##### `internal_id`
internalId. Defaults to "`alias`-`realm`"
##### `name`
namevar
The identity provider name
##### `provider`
The specific backend to use for this `keycloak_identity_provider` resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
##### `provider_id`
Valid values: `oidc`, `keycloak-oidc`
providerId
Default value: `oidc`
##### `realm`
realm
### `keycloak_ldap_mapper`
Manage Keycloak LDAP attribute mappers
#### Examples
##### Add full name attribute mapping
```puppet
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
```
#### Properties
The following properties are available in the `keycloak_ldap_mapper` type.
##### `always_read_value_from_ldap`
Valid values: ``true``, ``false``
always.read.value.from.ldap. Defaults to `true` if `type` is `user-attribute-ldap-mapper`.
##### `client_id`
client.id, only for `type` of `role-ldap-mapper`
##### `drop_non_existing_groups_during_sync`
Valid values: ``true``, ``false``
drop.non.existing.groups.during.sync, only for `type` of `group-ldap-mapper`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `group_name_ldap_attribute`
group.name.ldap.attribute, only for `type` of `group-ldap-mapper`
##### `group_object_classes`
group.object.classes, only for `type` of `group-ldap-mapper`
##### `groups_dn`
groups.dn, only for `type` of `group-ldap-mapper`
##### `groups_ldap_filter`
groups.ldap.filter, only for `type` of `group-ldap-mapper`
##### `ignore_missing_groups`
Valid values: ``true``, ``false``
ignore.missing.groups, only for `type` of `group-ldap-mapper`
##### `is_mandatory_in_ldap`
is.mandatory.in.ldap. Defaults to `false` unless `type` is `full-name-ldap-mapper`.
##### `ldap_attribute`
ldap.attribute
##### `mapped_group_attributes`
mapped.group.attributes, only for `type` of `group-ldap-mapper`
##### `memberof_ldap_attribute`
memberof.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `membership_attribute_type`
Valid values: `DN`, `UID`
membership.attribute.type, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `membership_ldap_attribute`
membership.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `membership_user_ldap_attribute`
membership.user.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `mode`
Valid values: `READ_ONLY`, `LDAP_ONLY`
mode, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `preserve_group_inheritance`
Valid values: ``true``, ``false``
preserve.group.inheritance, only for `type` of `group-ldap-mapper`
##### `read_only`
Valid values: ``true``, ``false``
read.only
##### `role_name_ldap_attribute`
role.name.ldap.attribute, only for `type` of `role-ldap-mapper`
##### `role_object_classes`
role.object.classes, only for `type` of `role-ldap-mapper`
##### `roles_dn`
roles.dn, only for `type` of `role-ldap-mapper`
##### `roles_ldap_filter`
roles.ldap.filter, only for `type` of `role-ldap-mapper`
##### `use_realm_roles_mapping`
Valid values: ``true``, ``false``
use.realm.roles.mapping, only for `type` of `role-ldap-mapper`
##### `user_model_attribute`
user.model.attribute
##### `user_roles_retrieve_strategy`
Valid values: `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`, `LOAD_ROLES_BY_MEMBER_ATTRIBUTE`, `GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE`, `LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY`
user.roles.retrieve.strategy, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `write_only`
Valid values: ``true``, ``false``
write.only. Defaults to `false` if `type` is `full-name-ldap-mapper`.
#### Parameters
The following parameters are available in the `keycloak_ldap_mapper` type.
* [`id`](#id)
* [`ldap`](#ldap)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
* [`resource_name`](#resource_name)
* [`type`](#type)
##### `id`
Id.
##### `ldap`
parentId
##### `name`
namevar
The LDAP mapper name
##### `provider`
The specific backend to use for this `keycloak_ldap_mapper` resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
##### `realm`
realm
##### `resource_name`
The LDAP mapper name. Defaults to `name`
##### `type`
Valid values: `user-attribute-ldap-mapper`, `full-name-ldap-mapper`, `group-ldap-mapper`, `role-ldap-mapper`
providerId
Default value: `user-attribute-ldap-mapper`
### `keycloak_ldap_user_provider`
Manage Keycloak LDAP user providers
#### Examples
##### Add LDAP user provider to test realm
```puppet
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
```
#### Properties
The following properties are available in the `keycloak_ldap_user_provider` type.
##### `auth_type`
Valid values: `none`, `simple`
authType
Default value: `none`
##### `batch_size_for_sync`
batchSizeForSync
Default value: `1000`
##### `bind_credential`
bindCredential
##### `bind_dn`
bindDn
##### `changed_sync_period`
changedSyncPeriod
Default value: `-1`
##### `connection_url`
connectionUrl
##### `custom_user_search_filter`
Valid values: `%r{.*}`, `absent`
customUserSearchFilter
Default value: `absent`
##### `edit_mode`
Valid values: `READ_ONLY`, `WRITABLE`, `UNSYNCED`
editMode
Default value: `READ_ONLY`
##### `enabled`
Valid values: ``true``, ``false``
enabled
Default value: `true`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `full_sync_period`
fullSyncPeriod
Default value: `-1`
##### `import_enabled`
Valid values: ``true``, ``false``
importEnabled
Default value: `true`
##### `priority`
priority
Default value: `0`
##### `rdn_ldap_attribute`
rdnLdapAttribute
Default value: `uid`
##### `search_scope`
Valid values: `one`, `one_level`, `subtree`, `1`, `2`, `1`, `2`
searchScope
##### `trust_email`
Valid values: ``true``, ``false``
trustEmail
Default value: `false`
##### `use_kerberos_for_password_authentication`
Valid values: ``true``, ``false``
useKerberosForPasswordAuthentication
##### `use_truststore_spi`
Valid values: `always`, `ldapsOnly`, `never`
useTruststoreSpi
Default value: `ldapsOnly`
##### `user_object_classes`
userObjectClasses
Default value: `['inetOrgPerson', 'organizationalPerson']`
##### `username_ldap_attribute`
usernameLdapAttribute
Default value: `uid`
##### `users_dn`
usersDn
##### `uuid_ldap_attribute`
uuidLdapAttribute
Default value: `entryUUID`
##### `vendor`
Valid values: `ad`, `rhds`, `tivoli`, `eDirectory`, `other`
vendor
Default value: `other`
#### Parameters
The following parameters are available in the `keycloak_ldap_user_provider` type.
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
* [`resource_name`](#resource_name)
##### `id`
Id. Defaults to "`resource_name`-`realm`"
##### `name`
namevar
The LDAP user provider name
##### `provider`
The specific backend to use for this `keycloak_ldap_user_provider` resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
##### `realm`
parentId
##### `resource_name`
The LDAP user provider name. Defaults to `name`.
### `keycloak_protocol_mapper`
Manage Keycloak client scope protocol mappers
#### Examples
##### Add email protocol mapper to oidc-client client scope in realm test
```puppet
keycloak_protocol_mapper { "email for oidc-clients on test":
claim_name => 'email',
user_attribute => 'email',
}
```
#### Properties
The following properties are available in the `keycloak_protocol_mapper` type.
##### `access_token_claim`
Valid values: ``true``, ``false``
access.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `attribute_name`
attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `attribute_nameformat`
attribute.nameformat
##### `claim_name`
claim.name
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `friendly_name`
friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `full_path`
Valid values: ``true``, ``false``
full.path. Default to `false` for `type` `oidc-group-membership-mapper`.
##### `id_token_claim`
Valid values: ``true``, ``false``
id.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `included_client_audience`
included.client.audience Required for `type` of `oidc-audience-mapper`
##### `json_type_label`
json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`.
##### `protocol`
Valid values: `openid-connect`, `saml`
protocol
Default value: `openid-connect`
##### `script`
Script, only valid for `type` of `saml-javascript-mapper`'
Array values will be joined with newlines. Strings will be kept unchanged.
##### `single`
Valid values: ``true``, ``false``
single. Default to `false` for `type` `saml-role-list-mapper` or `saml-javascript-mapper`.
##### `user_attribute`
user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper`
##### `userinfo_token_claim`
Valid values: ``true``, ``false``
userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`.
#### Parameters
The following parameters are available in the `keycloak_protocol_mapper` type.
* [`client_scope`](#client_scope)
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
* [`resource_name`](#resource_name)
* [`type`](#type)
##### `client_scope`
client scope
##### `id`
Id.
##### `name`
namevar
The protocol mapper name
##### `provider`
The specific backend to use for this `keycloak_protocol_mapper` resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
##### `realm`
realm
##### `resource_name`
The protocol mapper name. Defaults to `name`.
##### `type`
Valid values: `oidc-usermodel-property-mapper`, `oidc-usermodel-attribute-mapper`, `oidc-full-name-mapper`, `oidc-group-membership-mapper`, `oidc-audience-mapper`, `saml-group-membership-mapper`, `saml-user-property-mapper`, `saml-user-attribute-mapper`, `saml-role-list-mapper`
protocolMapper.
Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and
`saml-user-property-mapper` for `protocol` `saml`.
### `keycloak_realm`
Manage Keycloak realms
#### Examples
##### Add a realm with a custom theme
```puppet
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
```
#### Properties
The following properties are available in the `keycloak_realm` type.
##### `access_code_lifespan`
accessCodeLifespan
##### `access_code_lifespan_login`
accessCodeLifespanLogin
##### `access_code_lifespan_user_action`
accessCodeLifespanUserAction
##### `access_token_lifespan`
accessTokenLifespan
##### `access_token_lifespan_for_implicit_flow`
accessTokenLifespanForImplicitFlow
##### `account_theme`
accountTheme
Default value: `keycloak`
##### `action_token_generated_by_admin_lifespan`
actionTokenGeneratedByAdminLifespan
##### `action_token_generated_by_user_lifespan`
actionTokenGeneratedByUserLifespan
##### `admin_events_details_enabled`
Valid values: ``true``, ``false``
adminEventsDetailsEnabled
Default value: `false`
##### `admin_events_enabled`
Valid values: ``true``, ``false``
adminEventsEnabled
Default value: `false`
##### `admin_theme`
adminTheme
Default value: `keycloak`
##### `browser_flow`
browserFlow
Default value: `browser`
##### `brute_force_protected`
Valid values: ``true``, ``false``
bruteForceProtected
##### `client_authentication_flow`
clientAuthenticationFlow
Default value: `clients`
##### `content_security_policy`
contentSecurityPolicy
Default value: `frame-src 'self'; frame-ancestors 'self'; object-src 'none';`
##### `default_client_scopes`
Default Client Scopes
##### `direct_grant_flow`
directGrantFlow
Default value: `direct grant`
##### `display_name`
displayName
##### `display_name_html`
displayNameHtml
##### `docker_authentication_flow`
dockerAuthenticationFlow
Default value: `docker auth`
##### `email_theme`
emailTheme
Default value: `keycloak`
##### `enabled`
Valid values: ``true``, ``false``
enabled
Default value: `true`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `events_enabled`
Valid values: ``true``, ``false``
eventsEnabled
Default value: `false`
##### `events_expiration`
eventsExpiration
##### `events_listeners`
eventsListeners
Default value: `['jboss-logging']`
##### `internationalization_enabled`
Valid values: ``true``, ``false``
internationalizationEnabled
Default value: `false`
##### `login_theme`
loginTheme
Default value: `keycloak`
##### `login_with_email_allowed`
Valid values: ``true``, ``false``
loginWithEmailAllowed
Default value: `true`
##### `offline_session_idle_timeout`
offlineSessionIdleTimeout
##### `offline_session_max_lifespan`
offlineSessionMaxLifespan
##### `offline_session_max_lifespan_enabled`
Valid values: ``true``, ``false``
offlineSessionMaxLifespanEnabled
Default value: `false`
##### `optional_client_scopes`
Optional Client Scopes
##### `registration_allowed`
Valid values: ``true``, ``false``
registrationAllowed
Default value: `false`
##### `registration_flow`
registrationFlow
Default value: `registration`
##### `remember_me`
Valid values: ``true``, ``false``
rememberMe
Default value: `false`
##### `reset_credentials_flow`
resetCredentialsFlow
Default value: `reset credentials`
##### `reset_password_allowed`
Valid values: ``true``, ``false``
resetPasswordAllowed
Default value: `false`
##### `roles`
roles
Default value: `['offline_access', 'uma_authorization']`
##### `smtp_server_auth`
Valid values: ``true``, ``false``
smtpServer auth
##### `smtp_server_envelope_from`
smtpServer envelope_from
##### `smtp_server_from`
smtpServer from
##### `smtp_server_from_display_name`
smtpServer fromDisplayName
##### `smtp_server_host`
smtpServer host
##### `smtp_server_password`
smtpServer password
##### `smtp_server_port`
smtpServer port
##### `smtp_server_reply_to`
smtpServer replyto
##### `smtp_server_reply_to_display_name`
smtpServer replyToDisplayName
##### `smtp_server_ssl`
Valid values: ``true``, ``false``
smtpServer ssl
##### `smtp_server_starttls`
Valid values: ``true``, ``false``
smtpServer starttls
##### `smtp_server_user`
smtpServer user
##### `sso_session_idle_timeout`
ssoSessionIdleTimeout
##### `sso_session_idle_timeout_remember_me`
ssoSessionIdleTimeoutRememberMe
##### `sso_session_max_lifespan`
ssoSessionMaxLifespan
##### `sso_session_max_lifespan_remember_me`
ssoSessionMaxLifespanRememberMe
##### `supported_locales`
Supported Locales
##### `verify_email`
Valid values: ``true``, ``false``
verifyEmail
Default value: `false`
#### Parameters
The following parameters are available in the `keycloak_realm` type.
* [`id`](#id)
* [`manage_roles`](#manage_roles)
* [`name`](#name)
* [`provider`](#provider)
+* [`user_managed_access_allowed`](#user_managed_access_allowed)
##### `id`
Id. Default to `name`.
##### `manage_roles`
Valid values: ``true``, ``false``
Manage realm roles
Default value: ``true``
##### `name`
namevar
The realm name
##### `provider`
The specific backend to use for this `keycloak_realm` resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
+##### `user_managed_access`
+
+Specifies if a user is able to manage their resources and permissions using the Account Management Console. Defaults to false.
+
### `keycloak_required_action`
Manage Keycloak required actions
#### Examples
##### Enable Webauthn Register and make it default
```puppet
keycloak_required_action { 'webauthn-register on master':
ensure => present,
provider_id => 'webauthn-register',
display_name => 'Webauthn Register',
default => true,
enabled => true,
priority => 1,
config => {
'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
'smth else' => '1',
},
alias => 'webauthn',
}
@example Minimal example to enable email verification without making it default
keycloak_required_action { 'VERIFY_EMAIL on master':
ensure => present,
provider_id => 'webauthn-register',
}
```
#### Properties
The following properties are available in the `keycloak_required_action` type.
##### `alias`
Alias. Default to `provider_id`.
##### `config`
Required action config
##### `default`
Valid values: ``true``, ``false``
If the required action is a default one. Default to false
Default value: `false`
##### `display_name`
Displayed name. Default to `provider_id`
##### `enabled`
Valid values: ``true``, ``false``
If the required action is enabled. Default to true.
Default value: `true`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `priority`
Required action priority
#### Parameters
The following parameters are available in the `keycloak_required_action` type.
* [`name`](#name)
* [`provider`](#provider)
* [`provider_id`](#provider_id)
* [`realm`](#realm)
##### `name`
namevar
The required action name
##### `provider`
The specific backend to use for this `keycloak_required_action` resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
##### `provider_id`
providerId of the required action
##### `realm`
realm
### `keycloak_resource_validator`
Verify that a specific Keycloak resource is available
#### Properties
The following properties are available in the `keycloak_resource_validator` type.
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
#### Parameters
The following parameters are available in the `keycloak_resource_validator` type.
* [`dependent_resources`](#dependent_resources)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
* [`test_key`](#test_key)
* [`test_url`](#test_url)
* [`test_value`](#test_value)
* [`timeout`](#timeout)
##### `dependent_resources`
Resources that should autorequire this validator, eg: Keycloak_flow_execution[foobar]
##### `name`
namevar
An arbitrary name used as the identity of the resource.
##### `provider`
The specific backend to use for this `keycloak_resource_validator` resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
##### `realm`
Realm to query
##### `test_key`
Key to lookup
##### `test_url`
URL to use for testing if the Keycloak database is up
##### `test_value`
Value to lookup
##### `timeout`
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running;
defaults to 15 seconds.
Default value: `30`
### `keycloak_sssd_user_provider`
Manage Keycloak SSSD user providers
#### Examples
##### Add SSSD user provider to test realm
```puppet
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
```
#### Properties
The following properties are available in the `keycloak_sssd_user_provider` type.
##### `cache_policy`
Valid values: `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, `NO_CACHE`
cachePolicy
Default value: `DEFAULT`
##### `enabled`
Valid values: ``true``, ``false``
enabled
Default value: `true`
##### `ensure`
Valid values: `present`, `absent`
The basic property that the resource should be in.
Default value: `present`
##### `eviction_day`
evictionDay
##### `eviction_hour`
evictionHour
##### `eviction_minute`
evictionMinute
##### `max_lifespan`
maxLifespan
##### `priority`
priority
Default value: `0`
#### Parameters
The following parameters are available in the `keycloak_sssd_user_provider` type.
* [`id`](#id)
* [`name`](#name)
* [`provider`](#provider)
* [`realm`](#realm)
* [`resource_name`](#resource_name)
##### `id`
Id. Defaults to "`resource_name`-`realm`"
##### `name`
namevar
The SSSD user provider name
##### `provider`
The specific backend to use for this `keycloak_sssd_user_provider` resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
##### `realm`
parentId
##### `resource_name`
The SSSD user provider name. Defaults to `name`.
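Review bot: the new REFERENCE.md entry is internally inconsistent and sits in the wrong section. The list item added under Parameters links to `#user_managed_access_allowed`, but the heading added after `provider` reads `##### `user_managed_access``, so the anchor does not resolve, and neither name matches the property declared in lib/puppet/type/keycloak_realm.rb in this same diff, which is `user_managed_access_allowed` and is a `newproperty`, not a parameter. It belongs in the Properties section, alphabetically between `supported_locales` and `verify_email`, in the same generated shape as its neighbours (`Valid values: ``true``, ``false```, the description, `Default value: `false``). The rest of this file mirrors the type's `desc` strings verbatim (compare `displayName`, `smtpServer host`), which indicates it is generated; rather than hand-editing it, put the descriptive sentence in the type's `desc` and regenerate so the two cannot drift again.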
diff --git a/lib/puppet/type/keycloak_realm.rb b/lib/puppet/type/keycloak_realm.rb
index e0b54fa..ea0bf94 100644
--- a/lib/puppet/type/keycloak_realm.rb
+++ b/lib/puppet/type/keycloak_realm.rb
@@ -1,328 +1,334 @@
require_relative '../../puppet_x/keycloak/type'
require_relative '../../puppet_x/keycloak/array_property'
require_relative '../../puppet_x/keycloak/integer_property'
Puppet::Type.newtype(:keycloak_realm) do
desc <<-DESC
Manage Keycloak realms
@example Add a realm with a custom theme
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
DESC
extend PuppetX::Keycloak::Type
add_autorequires(false)
ensurable
newparam(:name, namevar: true) do
desc 'The realm name'
end
newparam(:id) do
desc 'Id. Default to `name`.'
defaultto do
@resource[:name]
end
end
newproperty(:display_name) do
desc 'displayName'
end
newproperty(:display_name_html) do
desc 'displayNameHtml'
end
+ newproperty(:user_managed_access_allowed, boolean: true) do
+ desc 'userManagedAccessAllowed'
+ newvalues(:true, :false)
+ defaultto :false
+ end
+
newproperty(:login_theme) do
desc 'loginTheme'
defaultto 'keycloak'
end
newproperty(:account_theme) do
desc 'accountTheme'
defaultto 'keycloak'
end
newproperty(:admin_theme) do
desc 'adminTheme'
defaultto 'keycloak'
end
newproperty(:email_theme) do
desc 'emailTheme'
defaultto 'keycloak'
end
newproperty(:internationalization_enabled, boolean: true) do
desc 'internationalizationEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:sso_session_idle_timeout_remember_me, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'ssoSessionIdleTimeoutRememberMe'
end
newproperty(:sso_session_max_lifespan_remember_me, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'ssoSessionMaxLifespanRememberMe'
end
newproperty(:sso_session_idle_timeout, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'ssoSessionIdleTimeout'
end
newproperty(:sso_session_max_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'ssoSessionMaxLifespan'
end
newproperty(:access_code_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessCodeLifespan'
end
newproperty(:access_code_lifespan_login, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessCodeLifespanLogin'
end
newproperty(:access_code_lifespan_user_action, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessCodeLifespanUserAction'
end
newproperty(:access_token_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessTokenLifespan'
end
newproperty(:access_token_lifespan_for_implicit_flow, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessTokenLifespanForImplicitFlow'
end
newproperty(:action_token_generated_by_admin_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'actionTokenGeneratedByAdminLifespan'
end
newproperty(:action_token_generated_by_user_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'actionTokenGeneratedByUserLifespan'
end
newproperty(:offline_session_idle_timeout, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'offlineSessionIdleTimeout'
end
newproperty(:offline_session_max_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'offlineSessionMaxLifespan'
end
newproperty(:enabled, boolean: true) do
desc 'enabled'
newvalues(:true, :false)
defaultto :true
end
newproperty(:remember_me, boolean: true) do
desc 'rememberMe'
newvalues(:true, :false)
defaultto :false
end
newproperty(:registration_allowed, boolean: true) do
desc 'registrationAllowed'
newvalues(:true, :false)
defaultto :false
end
newproperty(:login_with_email_allowed, boolean: true) do
desc 'loginWithEmailAllowed'
newvalues(:true, :false)
defaultto :true
end
newproperty(:offline_session_max_lifespan_enabled, boolean: true) do
desc 'offlineSessionMaxLifespanEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:reset_password_allowed, boolean: true) do
desc 'resetPasswordAllowed'
newvalues(:true, :false)
defaultto :false
end
newproperty(:verify_email, boolean: true) do
desc 'verifyEmail'
newvalues(:true, :false)
defaultto :false
end
newproperty(:browser_flow) do
desc 'browserFlow'
defaultto('browser')
munge { |v| v.to_s }
end
newproperty(:registration_flow) do
desc 'registrationFlow'
defaultto('registration')
munge { |v| v.to_s }
end
newproperty(:direct_grant_flow) do
desc 'directGrantFlow'
defaultto('direct grant')
munge { |v| v.to_s }
end
newproperty(:reset_credentials_flow) do
desc 'resetCredentialsFlow'
defaultto('reset credentials')
munge { |v| v.to_s }
end
newproperty(:client_authentication_flow) do
desc 'clientAuthenticationFlow'
defaultto('clients')
munge { |v| v.to_s }
end
newproperty(:docker_authentication_flow) do
desc 'dockerAuthenticationFlow'
defaultto('docker auth')
munge { |v| v.to_s }
end
newproperty(:default_client_scopes, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'Default Client Scopes'
end
newproperty(:optional_client_scopes, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'Optional Client Scopes'
end
newproperty(:supported_locales, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'Supported Locales'
end
newproperty(:content_security_policy) do
desc 'contentSecurityPolicy'
defaultto("frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
munge { |v| v.to_s }
end
newproperty(:events_enabled, boolean: true) do
desc 'eventsEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:events_expiration) do
desc 'eventsExpiration'
end
newproperty(:events_listeners, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'eventsListeners'
defaultto ['jboss-logging']
end
newproperty(:admin_events_enabled, boolean: true) do
desc 'adminEventsEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:admin_events_details_enabled, boolean: true) do
desc 'adminEventsDetailsEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:smtp_server_user) do
desc 'smtpServer user'
end
newproperty(:smtp_server_password) do
desc 'smtpServer password'
def insync?(is)
if is =~ %r{^[\*]+$}
Puppet.warning("Property 'smtp_server_password' is set and Puppet has no way to check current value")
true
else
false
end
end
def should_to_s(_newvalue)
'[new smtp_server_password redacted]'
end
end
newproperty(:smtp_server_host) do
desc 'smtpServer host'
end
newproperty(:smtp_server_port, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'smtpServer port'
end
newproperty(:smtp_server_auth, boolean: true) do
desc 'smtpServer auth'
newvalues(:true, :false)
end
newproperty(:smtp_server_starttls, boolean: true) do
desc 'smtpServer starttls'
newvalues(:true, :false)
end
newproperty(:smtp_server_ssl, boolean: true) do
desc 'smtpServer ssl'
newvalues(:true, :false)
end
newproperty(:smtp_server_from) do
desc 'smtpServer from'
end
newproperty(:smtp_server_envelope_from) do
desc 'smtpServer envelope_from'
end
newproperty(:smtp_server_from_display_name) do
desc 'smtpServer fromDisplayName'
end
newproperty(:smtp_server_reply_to) do
desc 'smtpServer replyto'
end
newproperty(:smtp_server_reply_to_display_name) do
desc 'smtpServer replyToDisplayName'
end
newproperty(:brute_force_protected, boolean: true) do
desc 'bruteForceProtected'
newvalues(:true, :false)
end
newparam(:manage_roles, boolean: true) do
desc 'Manage realm roles'
newvalues(:true, :false)
defaultto(:true)
end
newproperty(:roles, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'roles'
defaultto ['offline_access', 'uma_authorization']
def insync?(is)
if resource[:manage_roles].to_s == 'false'
return true
end
super(is)
end
end
end
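Review bot: `desc 'userManagedAccessAllowed'` on the new property only names the API attribute, while the hand-written sentence in REFERENCE.md ("Specifies if a user is able to manage their resources and permissions using the Account Management Console. Defaults to false.") is the text an operator actually needs; move that sentence into this `desc` so the generated reference and the type agree. Separately, no provider file is part of this diff, yet the acceptance spec below expects `kcadm get realms/test` to report `userManagedAccessAllowed: true` after the update run. If the kcadm provider derives the realm attribute name generically from the property name this works as-is; if it keeps an explicit property-to-attribute mapping, that mapping needs an entry, otherwise the property will never read back as in sync and the `catch_changes: true` run will fail.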
diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb
index 3a94fb7..5332f2d 100644
--- a/spec/acceptance/2_realm_spec.rb
+++ b/spec/acceptance/2_realm_spec.rb
@@ -1,283 +1,285 @@
require 'spec_helper_acceptance'
describe 'keycloak_realm:', if: RSpec.configuration.keycloak_full do
context 'creates realm' do
it 'runs successfully' do
pp = <<-EOS
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
}
keycloak_realm { 'test':
ensure => 'present',
smtp_server_host => 'smtp.example.org',
smtp_server_port => 587,
smtp_server_starttls => false,
smtp_server_auth => false,
smtp_server_user => 'john',
smtp_server_password => 'secret',
smtp_server_envelope_from => 'keycloak@id.example.org',
smtp_server_from => 'keycloak@id.example.org',
smtp_server_from_display_name => 'Keycloak',
smtp_server_reply_to => 'webmaster@example.org',
smtp_server_reply_to_display_name => 'Webmaster',
brute_force_protected => false,
roles => ['offline_access', 'uma_authorization', 'new_role'],
access_code_lifespan => 60,
access_code_lifespan_login => 1800,
access_code_lifespan_user_action => 300,
access_token_lifespan => 60,
access_token_lifespan_for_implicit_flow => 900,
action_token_generated_by_admin_lifespan => 43200,
action_token_generated_by_user_lifespan => 300,
sso_session_idle_timeout_remember_me => 0,
sso_session_max_lifespan_remember_me => 0,
sso_session_idle_timeout => 1800,
sso_session_max_lifespan => 36000,
offline_session_idle_timeout => 2592000,
offline_session_max_lifespan => 5184000,
offline_session_max_lifespan_enabled => true,
}
EOS
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end
it 'has created a realm' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
data = JSON.parse(stdout)
expect(data['id']).to eq('test')
expect(data['bruteForceProtected']).to eq(false)
expect(data['registrationAllowed']).to eq(false)
expect(data['resetPasswordAllowed']).to eq(false)
expect(data['verifyEmail']).to eq(false)
end
end
it 'has left default-client-scopes' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-default-client-scopes' do
data = JSON.parse(stdout)
names = data.map { |d| d['name'] }.sort
expect(names).to include('email')
expect(names).to include('profile')
expect(names).to include('role_list')
end
end
it 'has left optional-client-scopes' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-optional-client-scopes' do
data = JSON.parse(stdout)
names = data.map { |d| d['name'] }.sort
expect(names).to include('address')
expect(names).to include('offline_access')
expect(names).to include('phone')
end
end
it 'has default events config' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get events/config -r test' do
data = JSON.parse(stdout)
expect(data['eventsEnabled']).to eq(false)
expect(data['eventsExpiration']).to be_nil
expect(data['eventsListeners']).to eq(['jboss-logging'])
expect(data['adminEventsEnabled']).to eq(false)
expect(data['adminEventsDetailsEnabled']).to eq(false)
end
end
it 'has correct smtp settings' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
data = JSON.parse(stdout)
expect(data['smtpServer']['host']).to eq('smtp.example.org')
expect(data['smtpServer']['port']).to eq('587')
expect(data['smtpServer']['starttls']).to eq('false')
expect(data['smtpServer']['auth']).to eq('false')
expect(data['smtpServer']['user']).to eq('john')
expect(data['smtpServer']['envelopeFrom']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['from']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['fromDisplayName']).to eq('Keycloak')
expect(data['smtpServer']['replyTo']).to eq('webmaster@example.org')
expect(data['smtpServer']['replyToDisplayName']).to eq('Webmaster')
end
end
it 'has correct token settings' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
data = JSON.parse(stdout)
expect(data['accessCodeLifespan']).to eq(60)
expect(data['accessCodeLifespanLogin']).to eq(1800)
expect(data['accessCodeLifespanUserAction']).to eq(300)
expect(data['accessTokenLifespan']).to eq(60)
expect(data['accessTokenLifespanForImplicitFlow']).to eq(900)
expect(data['actionTokenGeneratedByAdminLifespan']).to eq(43_200)
expect(data['actionTokenGeneratedByUserLifespan']).to eq(300)
expect(data['ssoSessionIdleTimeoutRememberMe']).to eq(0)
expect(data['ssoSessionMaxLifespanRememberMe']).to eq(0)
expect(data['ssoSessionIdleTimeout']).to eq(1800)
expect(data['ssoSessionMaxLifespan']).to eq(36_000)
expect(data['offlineSessionIdleTimeout']).to eq(2_592_000)
expect(data['offlineSessionMaxLifespan']).to eq(5_184_000)
expect(data['offlineSessionMaxLifespanEnabled']).to eq(true)
end
end
it 'has correct roles settings' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get roles -r test' do
data = JSON.parse(stdout)
expected_roles = ['new_role', 'offline_access', 'uma_authorization']
realm_roles = []
data.each do |d|
unless d['composite']
realm_roles.push(d['name'])
end
end
expect(expected_roles - realm_roles).to eq([])
end
end
end
context 'updates realm' do
it 'runs successfully' do
pp = <<-EOS
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
}
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
registration_allowed => true,
reset_password_allowed => true,
verify_email => true,
+ user_managed_access_allowed => true,
access_code_lifespan => 3600,
access_token_lifespan => 3600,
access_code_lifespan_login => 3600,
access_code_lifespan_user_action => 600,
sso_session_idle_timeout => 3600,
sso_session_max_lifespan => 72000,
access_token_lifespan_for_implicit_flow => 3600,
action_token_generated_by_admin_lifespan => 21600,
action_token_generated_by_user_lifespan => 600,
offline_session_idle_timeout => 1296000,
offline_session_max_lifespan => 2592000,
offline_session_max_lifespan_enabled => false,
default_client_scopes => ['profile'],
content_security_policy => "frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
events_enabled => true,
events_expiration => 2678400,
admin_events_enabled => true,
admin_events_details_enabled => true,
smtp_server_host => 'smtp.example.org',
smtp_server_port => 587,
smtp_server_starttls => false,
smtp_server_auth => true,
smtp_server_user => 'jane',
smtp_server_password => 'secret',
smtp_server_envelope_from => 'keycloak@id.example.org',
smtp_server_from => 'keycloak@id.example.org',
smtp_server_from_display_name => 'Keycloak',
smtp_server_reply_to => 'webmaster@example.org',
smtp_server_reply_to_display_name => 'Hostmaster',
brute_force_protected => true,
roles => ['uma_authorization', 'new_role', 'other_new_role'],
}
EOS
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end
it 'has updated the realm' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
data = JSON.parse(stdout)
expect(data['rememberMe']).to eq(true)
expect(data['registrationAllowed']).to eq(true)
expect(data['resetPasswordAllowed']).to eq(true)
expect(data['verifyEmail']).to eq(true)
+ expect(data['userManagedAccessAllowed']).to eq(true)
expect(data['accessCodeLifespan']).to eq(3600)
expect(data['accessCodeLifespanLogin']).to eq(3600)
expect(data['accessCodeLifespanUserAction']).to eq(600)
expect(data['accessTokenLifespan']).to eq(3600)
expect(data['accessTokenLifespanForImplicitFlow']).to eq(3600)
expect(data['actionTokenGeneratedByAdminLifespan']).to eq(21_600)
expect(data['actionTokenGeneratedByUserLifespan']).to eq(600)
expect(data['ssoSessionIdleTimeout']).to eq(3600)
expect(data['ssoSessionMaxLifespan']).to eq(72_000)
expect(data['offlineSessionIdleTimeout']).to eq(1_296_000)
expect(data['offlineSessionMaxLifespan']).to eq(2_592_000)
expect(data['offlineSessionMaxLifespanEnabled']).to eq(false)
expect(data['browserSecurityHeaders']['contentSecurityPolicy']).to eq("frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
expect(data['smtpServer']['host']).to eq('smtp.example.org')
expect(data['smtpServer']['port']).to eq('587')
expect(data['smtpServer']['starttls']).to eq('false')
expect(data['smtpServer']['auth']).to eq('true')
expect(data['smtpServer']['user']).to eq('jane')
expect(data['smtpServer']['envelopeFrom']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['from']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['fromDisplayName']).to eq('Keycloak')
expect(data['smtpServer']['replyTo']).to eq('webmaster@example.org')
expect(data['smtpServer']['replyToDisplayName']).to eq('Hostmaster')
expect(data['bruteForceProtected']).to eq(true)
end
end
it 'has updated the realm default-client-scopes' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-default-client-scopes' do
data = JSON.parse(stdout)
names = data.map { |d| d['name'] }
expect(names).to eq(['profile'])
end
end
it 'has updated events config' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get events/config -r test' do
data = JSON.parse(stdout)
expect(data['eventsEnabled']).to eq(true)
expect(data['eventsExpiration']).to eq(2_678_400)
expect(data['eventsListeners']).to eq(['jboss-logging'])
expect(data['adminEventsEnabled']).to eq(true)
expect(data['adminEventsDetailsEnabled']).to eq(true)
end
end
it 'has updated roles settings' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get roles -r test' do
data = JSON.parse(stdout)
expected_roles = ['new_role', 'other_new_role', 'uma_authorization']
realm_roles = []
data.each do |d|
unless d['composite']
realm_roles.push(d['name'])
end
end
expect(expected_roles - realm_roles).to eq([])
end
end
end
context 'creates realm with invalid browser flow' do
it 'runs successfully' do
pp = <<-EOS
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
}
keycloak_realm { 'test2':
ensure => 'present',
browser_flow => 'Copy of browser',
}
EOS
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, expect_changes: true)
end
it 'has created a realm' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test2' do
data = JSON.parse(stdout)
expect(data['browserFlow']).to eq('browser')
end
end
end
end
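Review bot: the 'creates realm' context never checks the new attribute's default, only the 'updates realm' context checks it after it has been set to true. Add `expect(data['userManagedAccessAllowed']).to eq(false)` next to `expect(data['verifyEmail']).to eq(false)` in 'has created a realm', so the type's `defaultto :false` is exercised end to end. The default is worth pinning: enabling user-managed access lets end users grant permissions on their own resources from the account console, so a regression that silently turns it on for every realm managed by this module should fail the suite rather than go unnoticed.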
diff --git a/spec/unit/puppet/type/keycloak_realm_spec.rb b/spec/unit/puppet/type/keycloak_realm_spec.rb
index b985a05..29736ec 100644
--- a/spec/unit/puppet/type/keycloak_realm_spec.rb
+++ b/spec/unit/puppet/type/keycloak_realm_spec.rb
@@ -1,208 +1,210 @@
require 'spec_helper'
describe Puppet::Type.type(:keycloak_realm) do
let(:default_config) do
{
name: 'test',
}
end
let(:config) do
default_config
end
let(:resource) do
described_class.new(config)
end
it 'adds to catalog without raising an error' do
catalog = Puppet::Resource::Catalog.new
expect {
catalog.add_resource resource
}.not_to raise_error
end
it 'has a name' do
expect(resource[:name]).to eq('test')
end
it 'has id default to name' do
expect(resource[:id]).to eq('test')
end
defaults = {
login_theme: 'keycloak',
account_theme: 'keycloak',
admin_theme: 'keycloak',
email_theme: 'keycloak',
+ user_managed_access_allowed: :false,
access_code_lifespan_user_action: nil,
access_token_lifespan_for_implicit_flow: nil,
enabled: :true,
remember_me: :false,
login_with_email_allowed: :true,
browser_flow: 'browser',
registration_flow: 'registration',
direct_grant_flow: 'direct grant',
reset_credentials_flow: 'reset credentials',
client_authentication_flow: 'clients',
docker_authentication_flow: 'docker auth',
content_security_policy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
events_enabled: :false,
events_listeners: ['jboss-logging'],
admin_events_enabled: :false,
admin_events_details_enabled: :false,
offline_session_max_lifespan_enabled: :false,
}
describe 'basic properties' do
# Test basic properties
[
:display_name,
:display_name_html,
:login_theme,
:account_theme,
:admin_theme,
:email_theme,
:events_expiration,
:browser_flow,
:registration_flow,
:direct_grant_flow,
:reset_credentials_flow,
:client_authentication_flow,
:docker_authentication_flow,
:content_security_policy,
:smtp_server_user,
:smtp_server_password,
:smtp_server_host,
:smtp_server_envelope_from,
:smtp_server_from,
:smtp_server_from_display_name,
:smtp_server_reply_to,
:smtp_server_reply_to_display_name,
].each do |p|
it "should accept a #{p}" do
config[p] = 'foo'
expect(resource[p]).to eq('foo')
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
describe 'integer properties' do
# Test integer properties
[
:sso_session_idle_timeout_remember_me,
:sso_session_max_lifespan_remember_me,
:sso_session_idle_timeout,
:sso_session_max_lifespan,
:access_code_lifespan,
:access_code_lifespan_login,
:access_code_lifespan_user_action,
:access_token_lifespan,
:access_token_lifespan_for_implicit_flow,
:action_token_generated_by_admin_lifespan,
:action_token_generated_by_user_lifespan,
:offline_session_idle_timeout,
:offline_session_max_lifespan,
:smtp_server_port,
].each do |p|
it "should accept a #{p}" do
config[p] = 100
expect(resource[p]).to eq(100)
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
describe 'boolean properties' do
# Test boolean properties
[
+ :user_managed_access_allowed,
:remember_me,
:registration_allowed,
:reset_password_allowed,
:verify_email,
:login_with_email_allowed,
:internationalization_enabled,
:manage_roles,
:events_enabled,
:admin_events_enabled,
:admin_events_details_enabled,
:smtp_server_auth,
:smtp_server_starttls,
:smtp_server_ssl,
:brute_force_protected,
:offline_session_max_lifespan_enabled,
].each do |p|
it "should accept true for #{p}" do
config[p] = true
expect(resource[p]).to eq(:true)
end
it "should accept true for #{p} string" do
config[p] = 'true'
expect(resource[p]).to eq(:true)
end
it "should accept false for #{p}" do
config[p] = false
expect(resource[p]).to eq(:false)
end
it "should accept false for #{p} string" do
config[p] = 'false'
expect(resource[p]).to eq(:false)
end
it "should not accept strings for #{p}" do
config[p] = 'foo'
expect {
resource
}.to raise_error(%r{foo})
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
describe 'array properties' do
# Array properties
[
:default_client_scopes,
:optional_client_scopes,
:events_listeners,
:supported_locales,
:roles,
].each do |p|
it "should accept array for #{p}" do
config[p] = ['foo', 'bar']
expect(resource[p]).to eq(['foo', 'bar'])
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
it 'autorequires keycloak_conn_validator' do
keycloak_conn_validator = Puppet::Type.type(:keycloak_conn_validator).new(name: 'keycloak')
catalog = Puppet::Resource::Catalog.new
catalog.add_resource resource
catalog.add_resource keycloak_conn_validator
rel = resource.autorequire[0]
expect(rel.source.ref).to eq(keycloak_conn_validator.ref)
expect(rel.target.ref).to eq(resource.ref)
end
it 'autorequires kcadm-wrapper.sh' do
file = Puppet::Type.type(:file).new(name: 'kcadm-wrapper.sh', path: '/opt/keycloak/bin/kcadm-wrapper.sh')
catalog = Puppet::Resource::Catalog.new
catalog.add_resource resource
catalog.add_resource file
rel = resource.autorequire[0]
expect(rel.source.ref).to eq(file.ref)
expect(rel.target.ref).to eq(resource.ref)
end
end
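Review bot: minor style point on placement. `:user_managed_access_allowed` is prepended to the boolean list ahead of `:remember_me`, whereas the type file declares it alongside the other realm flags; grouping it with `:registration_allowed` and `:reset_password_allowed` keeps the spec and the type readable side by side. The `defaults` entry is fine as added: `next unless defaults[p]` skips nil-defaulted properties only, and the symbol `:false` is truthy in Ruby, so the "should have default for user_managed_access_allowed" example does run.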