diff --git a/REFERENCE.md b/REFERENCE.md index 6deb593..98901bc 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -1,2988 +1,2997 @@ # Reference ## Table of Contents **Classes** _Public Classes_ * [`keycloak`](#keycloak): Manage Keycloak * [`keycloak::config`](#keycloakconfig): Private class. * [`keycloak::datasource::h2`](#keycloakdatasourceh2): Private class. * [`keycloak::install`](#keycloakinstall): Private class. * [`keycloak::service`](#keycloakservice): Private class. * [`keycloak::sssd`](#keycloaksssd): Private class. _Private Classes_ * `keycloak::datasource::mysql`: Manage MySQL datasource * `keycloak::datasource::oracle`: Manage Oracle datasource * `keycloak::datasource::postgresql`: Manage postgresql datasource * `keycloak::resources`: Define Keycloak resources **Defined types** * [`keycloak::client_scope::oidc`](#keycloakclient_scopeoidc): Manage Keycloak OpenID Connect client scope using built-in mappers * [`keycloak::client_scope::saml`](#keycloakclient_scopesaml): Manage Keycloak SAML client scope using built-in mappers * [`keycloak::spi_deployment`](#keycloakspi_deployment): Manage Keycloak SPI deployment * [`keycloak::truststore::host`](#keycloaktruststorehost): Add host to Keycloak truststore **Resource types** * [`keycloak_api`](#keycloak_api): Type that configures API connection parameters for other keycloak types that use the Keycloak API. * [`keycloak_client`](#keycloak_client): Manage Keycloak clients * [`keycloak_client_protocol_mapper`](#keycloak_client_protocol_mapper): Manage Keycloak protocol mappers * [`keycloak_client_scope`](#keycloak_client_scope): Manage Keycloak client scopes * [`keycloak_conn_validator`](#keycloak_conn_validator): Verify that a connection can be successfully established between a node and the keycloak server. 
Its primary use is as a precondition to pre * [`keycloak_flow`](#keycloak_flow): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of `flow_alias` if `top_level=fals * [`keycloak_flow_execution`](#keycloak_flow_execution): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of value defined for `flow_alias` * [`keycloak_identity_provider`](#keycloak_identity_provider): Manage Keycloak identity providers * [`keycloak_ldap_mapper`](#keycloak_ldap_mapper): Manage Keycloak LDAP attribute mappers * [`keycloak_ldap_user_provider`](#keycloak_ldap_user_provider): Manage Keycloak LDAP user providers * [`keycloak_protocol_mapper`](#keycloak_protocol_mapper): Manage Keycloak client scope protocol mappers * [`keycloak_realm`](#keycloak_realm): Manage Keycloak realms * [`keycloak_required_action`](#keycloak_required_action): Manage Keycloak required actions * [`keycloak_resource_validator`](#keycloak_resource_validator): Verify that a specific Keycloak resource is available * [`keycloak_sssd_user_provider`](#keycloak_sssd_user_provider): Manage Keycloak SSSD user providers ## Classes ### keycloak Manage Keycloak #### Examples ##### ```puppet include ::keycloak ``` #### Parameters The following parameters are available in the `keycloak` class. ##### `manage_install` Data type: `Boolean` Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true. Default value: `true` ##### `version` Data type: `String` Version of Keycloak to install and manage. Default value: '8.0.1' ##### `package_url` Data type: `Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]` URL of the Keycloak download. Default is based on version. Default value: `undef` ##### `install_dir` Data type: `Optional[Stdlib::Absolutepath]` The directory of where to install Keycloak. 
Default is `/opt/keycloak-${version}`. Default value: `undef` ##### `service_name` Data type: `String` Keycloak service name. Default is `keycloak`. Default value: 'keycloak' ##### `service_ensure` Data type: `String` Keycloak service ensure property. Default is `running`. Default value: 'running' ##### `service_enable` Data type: `Boolean` Keycloak service enable property. Default is `true`. Default value: `true` ##### `service_hasstatus` Data type: `Boolean` Keycloak service hasstatus parameter. Default is `true`. Default value: `true` ##### `service_hasrestart` Data type: `Boolean` Keycloak service hasrestart parameter. Default is `true`. Default value: `true` ##### `service_bind_address` Data type: `Stdlib::IP::Address` Bind address for Keycloak service. Default is '0.0.0.0'. Default value: '0.0.0.0' ##### `java_opts` Data type: `Optional[Variant[String, Array]]` Sets additional options to Java virtual machine environment variable. Default value: `undef` ##### `java_opts_append` Data type: `Boolean` Determine if $JAVA_OPTS should be appended to when setting `java_opts` parameter Default value: `true` ##### `service_extra_opts` Data type: `Optional[String]` Additional options added to the end of the service command-line. Default value: `undef` ##### `manage_user` Data type: `Boolean` Defines if the module should manage the Linux user for Keycloak installation Default value: `true` ##### `user` Data type: `String` Keycloak user name. Default is `keycloak`. Default value: 'keycloak' ##### `user_shell` Data type: `Stdlib::Absolutepath` Keycloak user shell. Default value: '/sbin/nologin' ##### `group` Data type: `String` Keycloak user group name. Default is `keycloak`. Default value: 'keycloak' ##### `user_uid` Data type: `Optional[Integer]` Keycloak user UID. Default is `undef`. Default value: `undef` ##### `group_gid` Data type: `Optional[Integer]` Keycloak user group GID. Default is `undef`. 
Default value: `undef` +##### `system_user` + +Data type: `Boolean` + +If keycloak user should be a system user with lower uid and gid. +Default is `true`. + +Default value: `true` + ##### `admin_user` Data type: `String` Keycloak administrative username. Default is `admin`. Default value: 'admin' ##### `admin_user_password` Data type: `String` Keycloak administrative user password. Default is `changeme`. Default value: 'changeme' ##### `manage_datasource` Data type: `Boolean` Boolean that determines if configured datasource will be managed. Default is `true`. Default value: `true` ##### `datasource_driver` Data type: `Enum['h2', 'mysql', 'oracle', 'postgresql']` Datasource driver to use for Keycloak. Valid values are `h2`, `mysql`, 'oracle' and 'postgresql' Default is `h2`. Default value: 'h2' ##### `datasource_host` Data type: `Optional[String]` Datasource host. Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' Default is `localhost` for MySQL. Default value: `undef` ##### `datasource_port` Data type: `Optional[Integer]` Datasource port. Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' Default is `3306` for MySQL. Default value: `undef` ##### `datasource_url` Data type: `Optional[String]` Datasource url. Default datasource URLs are defined in init class. Default value: `undef` ##### `datasource_dbname` Data type: `String` Datasource database name. Default is `keycloak`. Default value: 'keycloak' ##### `datasource_username` Data type: `String` Datasource user name. Default is `sa`. Default value: 'sa' ##### `datasource_password` Data type: `String` Datasource user password. Default is `sa`. Default value: 'sa' ##### `datasource_package` Data type: `Optional[String]` Package to add specified datasource support Default value: `undef` ##### `datasource_jar_source` Data type: `Optional[String]` Source for datasource JDBC driver - could be puppet link or local file on the node. 
Default is dependent on value for `datasource_driver`. This parameter is required if `datasource_driver` is `oracle`. Default value: `undef` ##### `datasource_module_source` Data type: `Optional[String]` Source for datasource module.xml. Default depends on `datasource_driver`. Default value: `undef` ##### `datasource_xa_class` Data type: `Optional[String]` MySQL Connector/J JDBC driver xa-datasource class name Default value: `undef` ##### `proxy_https` Data type: `Boolean` Boolean that sets if HTTPS proxy should be enabled. Set to `true` if proxying traffic through Apache. Default is `false`. Default value: `false` ##### `truststore` Data type: `Boolean` Boolean that sets if truststore should be used. Default is `false`. Default value: `false` ##### `truststore_hosts` Data type: `Hash` Hash that is used to define `keycloak::turststore::host` resources. Default is `{}`. Default value: {} ##### `truststore_password` Data type: `String` Truststore password. Default is `keycloak`. Default value: 'keycloak' ##### `truststore_hostname_verification_policy` Data type: `Enum['WILDCARD', 'STRICT', 'ANY']` Valid values are `WILDCARD`, `STRICT`, and `ANY`. Default is `WILDCARD`. Default value: 'WILDCARD' ##### `http_port` Data type: `Integer` HTTP port used by Keycloak. Default is `8080`. Default value: 8080 ##### `theme_static_max_age` Data type: `Integer` Max cache age in seconds of static content. Default is `2592000`. Default value: 2592000 ##### `theme_cache_themes` Data type: `Boolean` Boolean that sets if themes should be cached. Default is `true`. Default value: `true` ##### `theme_cache_templates` Data type: `Boolean` Boolean that sets if templates should be cached. Default is `true`. Default value: `true` ##### `realms` Data type: `Hash` Hash that is used to define keycloak_realm resources. Default is `{}`. Default value: {} ##### `realms_merge` Data type: `Boolean` Boolean that sets if `realms` should be merged from Hiera. 
Default value: `false` ##### `oidc_client_scopes` Data type: `Hash` Hash that is used to define keycloak::client_scope::oidc resources. Default is `{}`. Default value: {} ##### `oidc_client_scopes_merge` Data type: `Boolean` Boolean that sets if `oidc_client_scopes` should be merged from Hiera. Default value: `false` ##### `saml_client_scopes` Data type: `Hash` Hash that is used to define keycloak::client_scope::saml resources. Default is `{}`. Default value: {} ##### `saml_client_scopes_merge` Data type: `Boolean` Boolean that sets if `saml_client_scopes` should be merged from Hiera. Default value: `false` ##### `identity_providers` Data type: `Hash` Hash that is used to define keycloak_identity_provider resources. Default value: {} ##### `identity_providers_merge` Data type: `Boolean` Boolean that sets if `identity_providers` should be merged from Hiera. Default value: `false` ##### `client_scopes` Data type: `Hash` Hash that is used to define keycloak_client_scope resources. Default value: {} ##### `client_scopes_merge` Data type: `Boolean` Boolean that sets if `client_scopes` should be merged from Hiera. Default value: `false` ##### `protocol_mappers` Data type: `Hash` Hash that is used to define keycloak_protocol_mapper resources. Default value: {} ##### `protocol_mappers_merge` Data type: `Boolean` Boolean that sets if `protocol_mappers` should be merged from Hiera. Default value: `false` ##### `clients` Data type: `Hash` Hash that is used to define keycloak_client resources. Default value: {} ##### `clients_merge` Data type: `Boolean` Boolean that sets if `clients` should be merged from Hiera. Default value: `false` ##### `flows` Data type: `Hash` Hash taht is used to define keycloak_flow resources. Default value: {} ##### `flows_merge` Data type: `Boolean` Boolean that sets if `flows` should be merged from Hiera. Default value: `false` ##### `flow_executions` Data type: `Hash` Hash taht is used to define keycloak_flow resources. 
Default value: {} ##### `flow_executions_merge` Data type: `Boolean` Boolean that sets if `flows` should be merged from Hiera. Default value: `false` ##### `required_actions` Data type: `Hash` Hash that is used to define keycloak_required_action resources. Default value: {} ##### `required_actions_merge` Data type: `Boolean` Boolean that sets if `required_actions` should be merged from Hiera. Default value: `false` ##### `ldap_mappers` Data type: `Hash` Hash that is used to define keycloak_ldap_mapper resources. Default value: {} ##### `ldap_mappers_merge` Data type: `Boolean` Boolean that sets if `ldap_mappers` should be merged from Hiera. Default value: `false` ##### `ldap_user_providers` Data type: `Hash` Hash that is used to define keycloak_ldap_user_provider resources. Default value: {} ##### `ldap_user_providers_merge` Data type: `Boolean` Boolean that sets if `ldap_user_providers` should be merged from Hiera. Default value: `false` ##### `with_sssd_support` Data type: `Boolean` Boolean that determines if SSSD user provider support should be available Default value: `false` ##### `libunix_dbus_java_source` Data type: `Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]` Source URL of libunix-dbus-java Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz' ##### `install_libunix_dbus_java_build_dependencies` Data type: `Boolean` Boolean that determines of libunix-dbus-java build dependencies are managed by this module Default value: `true` ##### `libunix_dbus_java_build_dependencies` Data type: `Array` Packages needed to build libunix-dbus-java Default value: [] ##### `libunix_dbus_java_libdir` Data type: `Stdlib::Absolutepath` Path to directory to install libunix-dbus-java libraries Default value: '/usr/lib64' ##### `jna_package_name` Data type: `String` Package name for jna Default value: 'jna' ##### `manage_sssd_config` Data type: `Boolean` Boolean that determines if SSSD ifp config for Keycloak is managed Default 
value: `true` ##### `sssd_ifp_user_attributes` Data type: `Array` user_attributes to define for SSSD ifp service Default value: [] ##### `restart_sssd` Data type: `Boolean` Boolean that determines if SSSD should be restarted Default value: `true` ##### `service_environment_file` Data type: `Optional[Stdlib::Absolutepath]` Path to the file with environment variables for the systemd service Default value: `undef` ##### `operating_mode` Data type: `Enum['standalone', 'clustered']` Keycloak operating mode deployment Default value: 'standalone' ##### `enable_jdbc_ping` Data type: `Boolean` Use JDBC_PING to discover the nodes and manage the replication of data More info: http://jgroups.org/manual/#_jdbc_ping Only applies when `operating_mode` is `clustered` JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other This module does not manage firewall changes Default value: `false` ##### `jboss_bind_public_address` Data type: `Stdlib::IP::Address` JBoss bind public IP address Default value: $facts['networking']['ip'] ##### `jboss_bind_private_address` Data type: `Stdlib::IP::Address` JBoss bind private IP address Default value: $facts['networking']['ip'] ##### `user_cache` Data type: `Boolean` Boolean that determines if userCache is enabled Default value: `true` ##### `tech_preview_features` Data type: `Array` List of technology Preview features to enable Default value: [] ##### `auto_deploy_exploded` Data type: `Boolean` Set if exploded deployements will be auto deployed Default value: `false` ##### `auto_deploy_zipped` Data type: `Boolean` Set if zipped deployments will be auto deployed Default value: `true` ##### `spi_deployments` Data type: `Hash` Hash used to define keycloak::spi_deployment resources Default value: {} ##### `custom_config_content` Data type: `Optional[String]` Custom configuration content to be added to config.cli Default value: `undef` ##### `custom_config_source` Data type: `Optional[Variant[String, Array]]` Custom 
configuration source file to be added to config.cli Default value: `undef` ### keycloak::config Private class. ### keycloak::datasource::h2 Private class. ### keycloak::install Private class. ### keycloak::service Private class. ### keycloak::sssd Private class. ## Defined types ### keycloak::client_scope::oidc Manage Keycloak OpenID Connect client scope using built-in mappers #### Examples ##### ```puppet keycloak::client_scope::oidc { 'oidc-clients': realm => 'test', } ``` #### Parameters The following parameters are available in the `keycloak::client_scope::oidc` defined type. ##### `realm` Data type: `String` Realm of the client scope. ##### `resource_name` Data type: `String` Name of the client scope resource Default value: $name ### keycloak::client_scope::saml Manage Keycloak SAML client scope using built-in mappers #### Examples ##### ```puppet keycloak::client_scope::saml { 'saml-clients': realm => 'test', } ``` #### Parameters The following parameters are available in the `keycloak::client_scope::saml` defined type. ##### `realm` Data type: `String` Realm of the client scope. 
##### `resource_name` Data type: `String` Name of the client scope resource Default value: $name ### keycloak::spi_deployment } #### Examples ##### Add Duo SPI ```puppet keycloak::spi_deployment { 'duo-spi': ensure => 'present', deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar', source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar', } ``` ##### Add Duo SPI and check API for existance of resources before going onto dependenct resources ```puppet keycloak::spi_deployment { 'duo-spi': deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar', source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar', test_url => 'authentication/authenticator-providers', test_key => 'id', test_value => 'duo-mfa-authenticator', test_realm => 'test', before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'], ``` #### Parameters The following parameters are available in the `keycloak::spi_deployment` defined type. ##### `ensure` Data type: `Enum['present', 'absent']` State of the deployment Default value: 'present' ##### `deployed_name` Data type: `String[1]` Name of the file to be deployed. Defaults to `$name`. 
Default value: $name ##### `source` Data type: `Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]` Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://' ##### `test_url` Data type: `Optional[String]` URL to test for existance of resources created by this SPI Default value: `undef` ##### `test_key` Data type: `Optional[String]` Key of resource when testing for resource created by this SPI Default value: `undef` ##### `test_value` Data type: `Optional[String]` Value of the `test_key` when testing for resources created by this SPI Default value: `undef` ##### `test_realm` Data type: `Optional[String]` Realm to query when looking for resources created by this SPI Default value: `undef` ### keycloak::truststore::host Add host to Keycloak truststore #### Examples ##### ```puppet keycloak::truststore::host { 'ldap1.example.com': certificate => '/etc/openldap/certs/0a00000.0', } ``` #### Parameters The following parameters are available in the `keycloak::truststore::host` defined type. ##### `certificate` Data type: `String` Path to host certificate ##### `ensure` Data type: `Enum['latest', 'present', 'absent']` Host ensure value passed to `java_ks` resource. Default value: 'latest' ## Resource types ### keycloak_api Type that configures API connection parameters for other keycloak types that use the Keycloak API. #### Examples ##### Define API access ```puppet keycloak_api { 'keycloak' install_dir => '/opt/keycloak', server => 'http://localhost:8080/auth', realm => 'master', user => 'admin', password => 'changeme', } ``` #### Parameters The following parameters are available in the `keycloak_api` type. 
##### `name` namevar Keycloak API config ##### `install_dir` Install location of Keycloak Default value: /opt/keycloak ##### `server` Auth URL for Keycloak server Default value: http://localhost:8080/auth ##### `realm` Realm for authentication Default value: master ##### `user` User for authentication Default value: admin ##### `password` Password for authentication Default value: changeme ##### `use_wrapper` Valid values: `true`, `false` Boolean that determines if kcadm_wrapper.sh should be used Default value: `false` ### keycloak_client Manage Keycloak clients #### Examples ##### Add a OpenID Connect client ```puppet keycloak_client { 'www.example.com': ensure => 'present', realm => 'test', redirect_uris => [ "https://www.example.com/oidc", "https://www.example.com", ], default_client_scopes => ['profile','email'], secret => 'supersecret', } ``` #### Properties The following properties are available in the `keycloak_client` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. 
Default value: present ##### `protocol` Valid values: openid-connect, saml protocol Default value: openid-connect ##### `client_authenticator_type` clientAuthenticatorType Default value: client-secret ##### `default_client_scopes` defaultClientScopes Default value: [] ##### `optional_client_scopes` optionalClientScopes Default value: [] ##### `full_scope_allowed` Valid values: `true`, `false` fullScopeAllowed Default value: true ##### `enabled` Valid values: `true`, `false` enabled Default value: true ##### `standard_flow_enabled` Valid values: `true`, `false` standardFlowEnabled Default value: true ##### `implicit_flow_enabled` Valid values: `true`, `false` implicitFlowEnabled Default value: false ##### `direct_access_grants_enabled` Valid values: `true`, `false` enabled Default value: true ##### `service_accounts_enabled` Valid values: `true`, `false` serviceAccountsEnabled Default value: false ##### `authorization_services_enabled` Valid values: `true`, `false` authorizationServicesEnabled Default value: false ##### `public_client` Valid values: `true`, `false` enabled Default value: false ##### `root_url` rootUrl ##### `redirect_uris` redirectUris Default value: [] ##### `base_url` baseUrl ##### `web_origins` webOrigins Default value: [] ##### `login_theme` login_theme Default value: absent ##### `access_token_lifespan` access.token.lifespan #### Parameters The following parameters are available in the `keycloak_client` type. ##### `name` namevar The client name ##### `client_id` clientId. Defaults to `name`. ##### `id` Id. 
Defaults to `client_id` ##### `realm` realm ##### `secret` secret ### keycloak_client_protocol_mapper Manage Keycloak protocol mappers #### Examples ##### Add email protocol mapper to test.example.com client in realm test ```puppet keycloak_client_protocol_mapper { "email for test.example.com on test": claim_name => 'email', user_attribute => 'email', } ``` #### Properties The following properties are available in the `keycloak_client_protocol_mapper` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `protocol` Valid values: openid-connect, saml protocol Default value: openid-connect ##### `user_attribute` user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper` ##### `json_type_label` json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`. ##### `full_path` Valid values: `true`, `false` full.path. Default to `false` for `type` `oidc-group-membership-mapper`. ##### `friendly_name` friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `attribute_name` attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `claim_name` claim.name ##### `id_token_claim` Valid values: `true`, `false` id.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `access_token_claim` Valid values: `true`, `false` access.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `userinfo_token_claim` Valid values: `true`, `false` userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`. ##### `attribute_nameformat` attribute.nameformat ##### `single` Valid values: `true`, `false` single. Default to `false` for `type` `saml-role-list-mapper`. 
##### `script` Script, only valid for `type` of `saml-javascript-mapper`' Array values will be joined with newlines. Strings will be kept unchanged. ##### `included_client_audience` included.client.audience Required for `type` of `oidc-audience-mapper` #### Parameters The following parameters are available in the `keycloak_client_protocol_mapper` type. ##### `name` namevar The protocol mapper name ##### `id` Id. ##### `resource_name` The protocol mapper name. Defaults to `name`. ##### `client` client ##### `realm` realm ##### `type` Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper protocolMapper. Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and `saml-user-property-mapper` for `protocol` `saml`. ### keycloak_client_scope Manage Keycloak client scopes #### Examples ##### Define a OpenID Connect client scope in the test realm ```puppet keycloak_client_scope { 'email on test': protocol => 'openid-connect', } ``` #### Properties The following properties are available in the `keycloak_client_scope` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `protocol` Valid values: openid-connect, saml protocol Default value: openid-connect ##### `consent_screen_text` consent.screen.text ##### `display_on_consent_screen` Valid values: `true`, `false` display.on.consent.screen Default value: true #### Parameters The following parameters are available in the `keycloak_client_scope` type. ##### `name` namevar The client scope name ##### `resource_name` The client scope name. Defaults to `name`. ##### `id` Id. Defaults to `resource_name`. ##### `realm` realm ### keycloak_conn_validator Verify that a connection can be successfully established between a node and the keycloak server. 
Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring. #### Properties The following properties are available in the `keycloak_conn_validator` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present #### Parameters The following parameters are available in the `keycloak_conn_validator` type. ##### `name` namevar An arbitrary name used as the identity of the resource. ##### `keycloak_server` The DNS name or IP address of the server where keycloak should be running. Default value: localhost ##### `keycloak_port` The port that the keycloak server should be listening on. Default value: 8080 ##### `use_ssl` Whether the connection will be attemped using https Default value: `false` ##### `test_url` URL to use for testing if the Keycloak database is up Default value: /auth/admin/serverinfo ##### `timeout` The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds. Default value: 30 ### keycloak_flow Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of `flow_alias` if `top_level=false` * `keycloak_flow` of `flow_alias` if other `index` is lower and if `top_level=false` * `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower and if `top_level=false` #### Examples ##### Add custom flow ```puppet keycloak_flow { 'browser-with-duo': ensure => 'present', realm => 'test', } ``` ##### Add a flow execution to existing browser-with-duo flow ```puppet keycloak_flow { 'form-browser-with-duo under browser-with-duo on test': ensure => 'present', index => 2, requirement => 'ALTERNATIVE', top_level => false, } ``` #### Properties The following properties are available in the `keycloak_flow` type. 
##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `index` execution index, only applied to top_level=false, required for top_level=false ##### `description` description ##### `requirement` Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional requirement, only applied to top_level=false and defaults to DISABLED #### Parameters The following parameters are available in the `keycloak_flow` type. ##### `name` namevar The flow name ##### `id` Id. Default to `$alias-$realm` when top_level is true. Only applies to top_level=true ##### `alias` Alias. Default to `name`. ##### `flow_alias` flowAlias, required for top_level=false ##### `realm` realm ##### `provider_id` Valid values: basic-flow, form-flow providerId Default value: basic-flow ##### `type` sub-flow execution provider, default to `registration-page-form` for top_level=false and does not apply to top_level=true ##### `top_level` Valid values: `true`, `false` topLevel Default value: `true` ### keycloak_flow_execution Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of value defined for `flow_alias` * `keycloak_flow` if they share same `flow_alias` value and the other resource `index` is lower * `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower #### Examples ##### Add an execution to a flow ```puppet keycloak_flow_execution { 'auth-cookie under browser-with-duo on test': ensure => 'present', configurable => false, display_name => 'Cookie', index => 0, requirement => 'ALTERNATIVE', } ``` ##### Add an execution to a execution flow that is one level deeper than top level ```puppet keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test': ensure => 'present', configurable => false, display_name => 'Username Password Form', index => 0, requirement => 'REQUIRED', } ``` ##### 
Add an execution with a configuration ```puppet keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test': ensure => 'present', configurable => true, display_name => 'Duo MFA', alias => 'Duo', config => { "duomfa.akey" => "foo-akey", "duomfa.apihost" => "api-foo.duosecurity.com", "duomfa.skey" => "secret", "duomfa.ikey" => "foo-ikey", "duomfa.groups" => "duo" }, requirement => 'REQUIRED', index => 1, } ``` #### Properties The following properties are available in the `keycloak_flow_execution` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `index` execution index ##### `configurable` Valid values: `true`, `false` configurable ##### `requirement` Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional requirement Default value: DISABLED ##### `config` execution config #### Parameters The following parameters are available in the `keycloak_flow_execution` type. ##### `name` namevar The flow execution name ##### `id` read-only Id ##### `provider_id` provider ##### `flow_alias` flowAlias ##### `realm` realm ##### `display_name` displayName ##### `alias` alias ##### `config_id` read-only config ID ### keycloak_identity_provider Manage Keycloak identity providers #### Examples ##### Add CILogon identity provider to test realm ```puppet keycloak_identity_provider { 'cilogon on test': ensure => 'present', display_name => 'CILogon', provider_id => 'oidc', first_broker_login_flow_alias => 'browser', client_id => 'cilogon:/client_id/foobar', client_secret => 'supersecret', user_info_url => 'https://cilogon.org/oauth2/userinfo', token_url => 'https://cilogon.org/oauth2/token', authorization_url => 'https://cilogon.org/authorize', } ``` #### Properties The following properties are available in the `keycloak_identity_provider` type. 
##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `display_name` displayName ##### `enabled` Valid values: `true`, `false` enabled Default value: true ##### `update_profile_first_login_mode` Valid values: on, off updateProfileFirstLoginMode Default value: on ##### `trust_email` Valid values: `true`, `false` trustEmail Default value: false ##### `store_token` Valid values: `true`, `false` storeToken Default value: false ##### `add_read_token_role_on_create` Valid values: `true`, `false` addReadTokenRoleOnCreate Default value: false ##### `authenticate_by_default` Valid values: `true`, `false` authenticateByDefault Default value: false ##### `link_only` Valid values: `true`, `false` linkOnly Default value: false ##### `first_broker_login_flow_alias` firstBrokerLoginFlowAlias Default value: first broker login ##### `post_broker_login_flow_alias` postBrokerLoginFlowAlias ##### `hide_on_login_page` Valid values: `true`, `false` hideOnLoginPage Default value: false ##### `user_info_url` userInfoUrl ##### `validate_signature` Valid values: `true`, `false` validateSignature Default value: false ##### `client_id` clientId ##### `client_secret` clientSecret ##### `client_auth_method` Valid values: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt clientAuthMethod Default value: client_secret_post ##### `token_url` tokenUrl ##### `ui_locales` Valid values: `true`, `false` uiLocales Default value: false ##### `backchannel_supported` Valid values: `true`, `false` backchannelSupported Default value: false ##### `use_jwks_url` Valid values: `true`, `false` useJwksUrl Default value: true ##### `login_hint` Valid values: `true`, `false` loginHint Default value: false ##### `authorization_url` authorizationUrl ##### `disable_user_info` Valid values: `true`, `false` disableUserInfo Default value: false ##### `logout_url` logoutUrl ##### `issuer` issuer ##### `default_scope` 
default_scope ##### `prompt` Valid values: none, consent, login, select_account prompt ##### `allowed_clock_skew` allowedClockSkew ##### `forward_parameters` forwardParameters #### Parameters The following parameters are available in the `keycloak_identity_provider` type. ##### `name` namevar The identity provider name ##### `alias` The identity provider name. Defaults to `name`. ##### `internal_id` internalId. Defaults to "`alias`-`realm`" ##### `realm` realm ##### `provider_id` Valid values: oidc providerId Default value: oidc ### keycloak_ldap_mapper Manage Keycloak LDAP attribute mappers #### Examples ##### Add full name attribute mapping ```puppet keycloak_ldap_mapper { 'full name for LDAP-test on test: ensure => 'present', type => 'full-name-ldap-mapper', ldap_attribute => 'gecos', } ``` #### Properties The following properties are available in the `keycloak_ldap_mapper` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `ldap_attribute` ldap.attribute ##### `user_model_attribute` user.model.attribute ##### `is_mandatory_in_ldap` is.mandatory.in.ldap. Defaults to `false` unless `type` is `full-name-ldap-mapper`. ##### `always_read_value_from_ldap` Valid values: `true`, `false` always.read.value.from.ldap. Defaults to `true` if `type` is `user-attribute-ldap-mapper`. ##### `read_only` Valid values: `true`, `false` read.only ##### `write_only` Valid values: `true`, `false` write.only. Defaults to `false` if `type` is `full-name-ldap-mapper`. 
##### `mode` Valid values: READ_ONLY, LDAP_ONLY mode, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `membership_attribute_type` Valid values: DN, UID membership.attribute.type, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `user_roles_retrieve_strategy` Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY, LOAD_ROLES_BY_MEMBER_ATTRIBUTE, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY user.roles.retrieve.strategy, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `group_name_ldap_attribute` group.name.ldap.attribute, only for `type` of `group-ldap-mapper` ##### `ignore_missing_groups` Valid values: `true`, `false` ignore.missing.groups, only for `type` of `group-ldap-mapper` ##### `membership_user_ldap_attribute` membership.user.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `membership_ldap_attribute` membership.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `preserve_group_inheritance` Valid values: `true`, `false` preserve.group.inheritance, only for `type` of `group-ldap-mapper` ##### `groups_dn` groups.dn, only for `type` of `group-ldap-mapper` ##### `mapped_group_attributes` mapped.group.attributes, only for `type` of `group-ldap-mapper` ##### `groups_ldap_filter` groups.ldap.filter, only for `type` of `group-ldap-mapper` ##### `memberof_ldap_attribute` memberof.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper` ##### `group_object_classes` group.object.classes, only for `type` of `group-ldap-mapper` ##### `drop_non_existing_groups_during_sync` Valid values: `true`, `false` drop.non.existing.groups.during.sync, only for `type` of `group-ldap-mapper` ##### `roles_dn` roles.dn, only for `type` of `role-ldap-mapper` ##### `role_name_ldap_attribute` role.name.ldap.attribute, only for `type` 
of `role-ldap-mapper` ##### `role_object_classes` role.object.classes, only for `type` of `role-ldap-mapper` ##### `roles_ldap_filter` roles.ldap.filter, only for `type` of `role-ldap-mapper` ##### `use_realm_roles_mapping` Valid values: `true`, `false` use.realm.roles.mapping, only for `type` of `role-ldap-mapper` ##### `client_id` client.id, only for `type` of `role-ldap-mapper` #### Parameters The following parameters are available in the `keycloak_ldap_mapper` type. ##### `name` namevar The LDAP mapper name ##### `id` Id. ##### `resource_name` The LDAP mapper name. Defaults to `name` ##### `type` Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper, group-ldap-mapper, role-ldap-mapper providerId Default value: user-attribute-ldap-mapper ##### `realm` realm ##### `ldap` parentId ### keycloak_ldap_user_provider Manage Keycloak LDAP user providers #### Examples ##### Add LDAP user provider to test realm ```puppet keycloak_ldap_user_provider { 'LDAP on test': ensure => 'present', users_dn => 'ou=People,dc=example,dc=com', connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636', import_enabled => false, use_truststore_spi => 'never', } ``` #### Properties The following properties are available in the `keycloak_ldap_user_provider` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. 
Default value: present ##### `enabled` Valid values: `true`, `false` enabled Default value: true ##### `auth_type` Valid values: none, simple authType Default value: none ##### `edit_mode` Valid values: READ_ONLY, WRITABLE, UNSYNCED editMode Default value: READ_ONLY ##### `vendor` Valid values: ad, rhds, tivoli, eDirectory, other vendor Default value: other ##### `use_truststore_spi` Valid values: always, ldapsOnly, never useTruststoreSpi Default value: ldapsOnly ##### `users_dn` usersDn ##### `connection_url` connectionUrl ##### `priority` priority Default value: 0 ##### `batch_size_for_sync` batchSizeForSync Default value: 1000 ##### `username_ldap_attribute` usernameLdapAttribute Default value: uid ##### `rdn_ldap_attribute` rdnLdapAttribute Default value: uid ##### `uuid_ldap_attribute` uuidLdapAttribute Default value: entryUUID ##### `bind_dn` bindDn ##### `bind_credential` bindCredential ##### `import_enabled` Valid values: `true`, `false` importEnabled Default value: true ##### `use_kerberos_for_password_authentication` Valid values: `true`, `false` useKerberosForPasswordAuthentication ##### `user_object_classes` userObjectClasses Default value: ['inetOrgPerson', 'organizationalPerson'] ##### `search_scope` Valid values: one, one_level, subtree, 1, 2, 1, 2 searchScope ##### `custom_user_search_filter` Valid values: %r{.*}, absent customUserSearchFilter Default value: absent #### Parameters The following parameters are available in the `keycloak_ldap_user_provider` type. ##### `name` namevar The LDAP user provider name ##### `resource_name` The LDAP user provider name. Defaults to `name`. ##### `id` Id. 
Defaults to "`resource_name`-`realm`" ##### `realm` parentId ### keycloak_protocol_mapper Manage Keycloak client scope protocol mappers #### Examples ##### Add email protocol mapper to oidc-client client scope in realm test ```puppet keycloak_protocol_mapper { "email for oidc-clients on test": claim_name => 'email', user_attribute => 'email', } ``` #### Properties The following properties are available in the `keycloak_protocol_mapper` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `protocol` Valid values: openid-connect, saml protocol Default value: openid-connect ##### `user_attribute` user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper` ##### `json_type_label` json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`. ##### `full_path` Valid values: `true`, `false` full.path. Default to `false` for `type` `oidc-group-membership-mapper`. ##### `friendly_name` friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `attribute_name` attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`. ##### `claim_name` claim.name ##### `id_token_claim` Valid values: `true`, `false` id.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `access_token_claim` Valid values: `true`, `false` access.token.claim. Default to `true` for `protocol` `openid-connect`. ##### `userinfo_token_claim` Valid values: `true`, `false` userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`. ##### `attribute_nameformat` attribute.nameformat ##### `single` Valid values: `true`, `false` single. Default to `false` for `type` `saml-role-list-mapper` or `saml-javascript-mapper`. 
##### `script` Script, only valid for `type` of `saml-javascript-mapper`' Array values will be joined with newlines. Strings will be kept unchanged. ##### `included_client_audience` included.client.audience Required for `type` of `oidc-audience-mapper` #### Parameters The following parameters are available in the `keycloak_protocol_mapper` type. ##### `name` namevar The protocol mapper name ##### `id` Id. ##### `resource_name` The protocol mapper name. Defaults to `name`. ##### `client_scope` client scope ##### `realm` realm ##### `type` Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper protocolMapper. Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and `saml-user-property-mapper` for `protocol` `saml`. ### keycloak_realm Manage Keycloak realms #### Examples ##### Add a realm with a custom theme ```puppet keycloak_realm { 'test': ensure => 'present', remember_me => true, login_with_email_allowed => false, login_theme => 'my_theme', } ``` #### Properties The following properties are available in the `keycloak_realm` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. 
Default value: present ##### `display_name` displayName ##### `display_name_html` displayNameHtml ##### `login_theme` loginTheme Default value: keycloak ##### `account_theme` accountTheme Default value: keycloak ##### `admin_theme` adminTheme Default value: keycloak ##### `email_theme` emailTheme Default value: keycloak ##### `internationalization_enabled` Valid values: `true`, `false` internationalizationEnabled Default value: false ##### `sso_session_idle_timeout` ssoSessionIdleTimeout ##### `sso_session_max_lifespan` ssoSessionMaxLifespan ##### `access_code_lifespan` accessCodeLifespan ##### `access_code_lifespan_user_action` accessCodeLifespanUserAction ##### `access_token_lifespan` accessTokenLifespan ##### `access_token_lifespan_for_implicit_flow` accessTokenLifespanForImplicitFlow ##### `enabled` Valid values: `true`, `false` enabled Default value: true ##### `remember_me` Valid values: `true`, `false` rememberMe Default value: false ##### `login_with_email_allowed` Valid values: `true`, `false` loginWithEmailAllowed Default value: true ##### `browser_flow` browserFlow Default value: browser ##### `registration_flow` registrationFlow Default value: registration ##### `direct_grant_flow` directGrantFlow Default value: direct grant ##### `reset_credentials_flow` resetCredentialsFlow Default value: reset credentials ##### `client_authentication_flow` clientAuthenticationFlow Default value: clients ##### `docker_authentication_flow` dockerAuthenticationFlow Default value: docker auth ##### `default_client_scopes` Default Client Scopes ##### `optional_client_scopes` Optional Client Scopes ##### `supported_locales` Supported Locales ##### `content_security_policy` contentSecurityPolicy Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; ##### `events_enabled` Valid values: `true`, `false` eventsEnabled Default value: false ##### `events_expiration` eventsExpiration ##### `events_listeners` eventsListeners Default value: ['jboss-logging'] 
##### `admin_events_enabled` Valid values: `true`, `false` adminEventsEnabled Default value: false ##### `admin_events_details_enabled` Valid values: `true`, `false` adminEventsDetailsEnabled Default value: false ##### `smtp_server_user` smtpServer user ##### `smtp_server_password` smtpServer password ##### `smtp_server_host` smtpServer host ##### `smtp_server_port` smtpServer port ##### `smtp_server_auth` Valid values: `true`, `false` smtpServer auth ##### `smtp_server_starttls` Valid values: `true`, `false` smtpServer starttls ##### `smtp_server_ssl` Valid values: `true`, `false` smtpServer ssl ##### `smtp_server_from` smtpServer from ##### `smtp_server_envelope_from` smtpServer envelope_from ##### `smtp_server_from_display_name` smtpServer fromDisplayName ##### `smtp_server_reply_to` smtpServer replyto ##### `smtp_server_reply_to_display_name` smtpServer replyToDisplayName #### Parameters The following parameters are available in the `keycloak_realm` type. ##### `name` namevar The realm name ##### `id` Id. Default to `name`. ### keycloak_required_action Manage Keycloak required actions #### Examples ##### Enable Webauthn Register and make it default ```puppet keycloak_required_action { 'webauthn-register on master': ensure => present, provider_id => 'webauthn-register', display_name => 'Webauthn Register', default => true, enabled => true, priority => 1, config => { 'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values 'smth else' => '1', }, alias => 'webauthn', } @example Minimal example to enable email verification without making it default keycloak_required_action { 'VERIFY_EMAIL on master': ensure => present, provider_id => 'webauthn-register', } ``` #### Properties The following properties are available in the `keycloak_required_action` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present ##### `display_name` Displayed name. 
Default to `provider_id` ##### `enabled` Valid values: `true`, `false` If the required action is enabled. Default to true. Default value: true ##### `alias` Alias. Default to `provider_id`. ##### `default` Valid values: `true`, `false` If the required action is a default one. Default to false Default value: false ##### `priority` Required action priority ##### `config` Required action config #### Parameters The following parameters are available in the `keycloak_required_action` type. ##### `name` namevar The required action name ##### `realm` realm ##### `provider_id` providerId of the required action ### keycloak_resource_validator Verify that a specific Keycloak resource is available #### Properties The following properties are available in the `keycloak_resource_validator` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. Default value: present #### Parameters The following parameters are available in the `keycloak_resource_validator` type. ##### `name` namevar An arbitrary name used as the identity of the resource. ##### `test_url` URL to use for testing if the Keycloak database is up ##### `test_key` Key to lookup ##### `test_value` Value to lookup ##### `realm` Realm to query ##### `timeout` The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds. Default value: 30 ### keycloak_sssd_user_provider Manage Keycloak SSSD user providers #### Examples ##### Add SSSD user provider to test realm ```puppet keycloak_sssd_user_provider { 'SSSD on test': ensure => 'present', } ``` #### Properties The following properties are available in the `keycloak_sssd_user_provider` type. ##### `ensure` Valid values: present, absent The basic property that the resource should be in. 
Default value: present ##### `enabled` Valid values: `true`, `false` enabled Default value: true ##### `priority` priority Default value: 0 ##### `cache_policy` Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE cachePolicy Default value: DEFAULT ##### `eviction_day` evictionDay ##### `eviction_hour` evictionHour ##### `eviction_minute` evictionMinute ##### `max_lifespan` maxLifespan #### Parameters The following parameters are available in the `keycloak_sssd_user_provider` type. ##### `name` namevar The SSSD user provider name ##### `resource_name` The SSSD user provider name. Defaults to `name`. ##### `id` Id. Defaults to "`resource_name`-`realm`" ##### `realm` parentId diff --git a/manifests/init.pp b/manifests/init.pp index b26f349..a41c3a5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
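Review bot: In the REFERENCE.md hunk, the `keycloak_required_action` example block is broken as rendered: a second `@example Minimal example to enable email verification without making it default` tag has leaked inside the fenced code, and that second resource is titled `'VERIFY_EMAIL on master'` yet sets `provider_id => 'webauthn-register'`, contradicting its own description. Move it into its own `@example` tag in the type's documentation and use the matching provider (presumably `provider_id => 'VERIFY_EMAIL'`) so the reference regenerates cleanly. Three smaller documentation defects sit in the same context and will keep being regenerated until fixed at the source: the `keycloak_ldap_mapper` example title `'full name for LDAP-test on test:` is missing its closing quote and will not parse if copied; `keycloak_resource_validator` says `timeout` "defaults to 15 seconds" directly above "Default value: 30"; and `search_scope` lists `1, 2, 1, 2` twice in its valid values.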
@@ -1,410 +1,414 @@ # @summary Manage Keycloak # # @example # include ::keycloak # # @param manage_install # Install Keycloak from upstream Keycloak tarball. # Set to false to manage installation of Keycloak outside # this module and set $install_dir to match. # Defaults to true. # @param version # Version of Keycloak to install and manage. # @param package_url # URL of the Keycloak download. # Default is based on version. # @param install_dir # The directory of where to install Keycloak. # Default is `/opt/keycloak-${version}`. # @param service_name # Keycloak service name. # Default is `keycloak`. # @param service_ensure # Keycloak service ensure property. # Default is `running`. # @param service_enable # Keycloak service enable property. # Default is `true`. # @param service_hasstatus # Keycloak service hasstatus parameter. # Default is `true`. # @param service_hasrestart # Keycloak service hasrestart parameter. # Default is `true`. # @param service_bind_address # Bind address for Keycloak service. # Default is '0.0.0.0'. # @param java_opts # Sets additional options to Java virtual machine environment variable. # @param java_opts_append # Determine if $JAVA_OPTS should be appended to when setting `java_opts` parameter # @param service_extra_opts # Additional options added to the end of the service command-line. # @param manage_user # Defines if the module should manage the Linux user for Keycloak installation # @param user # Keycloak user name. # Default is `keycloak`. # @param user_shell # Keycloak user shell. # @param group # Keycloak user group name. # Default is `keycloak`. # @param user_uid # Keycloak user UID. # Default is `undef`. # @param group_gid # Keycloak user group GID. # Default is `undef`. +# @param system_user +# If keycloak user should be a system user with lower uid and gid. +# Default is `true` # @param admin_user # Keycloak administrative username. # Default is `admin`. # @param admin_user_password # Keycloak administrative user password. 
# Default is `changeme`. # @param manage_datasource # Boolean that determines if configured datasource will be managed. # Default is `true`. # @param datasource_driver # Datasource driver to use for Keycloak. # Valid values are `h2`, `mysql`, 'oracle' and 'postgresql' # Default is `h2`. # @param datasource_host # Datasource host. # Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' # Default is `localhost` for MySQL. # @param datasource_port # Datasource port. # Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' # Default is `3306` for MySQL. # @param datasource_url # Datasource url. # Default datasource URLs are defined in init class. # @param datasource_dbname # Datasource database name. # Default is `keycloak`. # @param datasource_username # Datasource user name. # Default is `sa`. # @param datasource_password # Datasource user password. # Default is `sa`. # @param datasource_package # Package to add specified datasource support # @param datasource_jar_source # Source for datasource JDBC driver - could be puppet link or local file on the node. # Default is dependent on value for `datasource_driver`. # This parameter is required if `datasource_driver` is `oracle`. # @param datasource_module_source # Source for datasource module.xml. Default depends on `datasource_driver`. # @param datasource_xa_class # MySQL Connector/J JDBC driver xa-datasource class name # @param proxy_https # Boolean that sets if HTTPS proxy should be enabled. # Set to `true` if proxying traffic through Apache. # Default is `false`. # @param truststore # Boolean that sets if truststore should be used. # Default is `false`. # @param truststore_hosts # Hash that is used to define `keycloak::turststore::host` resources. # Default is `{}`. # @param truststore_password # Truststore password. # Default is `keycloak`. # @param truststore_hostname_verification_policy # Valid values are `WILDCARD`, `STRICT`, and `ANY`. # Default is `WILDCARD`. 
# @param http_port # HTTP port used by Keycloak. # Default is `8080`. # @param theme_static_max_age # Max cache age in seconds of static content. # Default is `2592000`. # @param theme_cache_themes # Boolean that sets if themes should be cached. # Default is `true`. # @param theme_cache_templates # Boolean that sets if templates should be cached. # Default is `true`. # @param realms # Hash that is used to define keycloak_realm resources. # Default is `{}`. # @param realms_merge # Boolean that sets if `realms` should be merged from Hiera. # @param oidc_client_scopes # Hash that is used to define keycloak::client_scope::oidc resources. # Default is `{}`. # @param oidc_client_scopes_merge # Boolean that sets if `oidc_client_scopes` should be merged from Hiera. # @param saml_client_scopes # Hash that is used to define keycloak::client_scope::saml resources. # Default is `{}`. # @param saml_client_scopes_merge # Boolean that sets if `saml_client_scopes` should be merged from Hiera. # @param identity_providers # Hash that is used to define keycloak_identity_provider resources. # @param identity_providers_merge # Boolean that sets if `identity_providers` should be merged from Hiera. # @param client_scopes # Hash that is used to define keycloak_client_scope resources. # @param client_scopes_merge # Boolean that sets if `client_scopes` should be merged from Hiera. # @param protocol_mappers # Hash that is used to define keycloak_protocol_mapper resources. # @param protocol_mappers_merge # Boolean that sets if `protocol_mappers` should be merged from Hiera. # @param clients # Hash that is used to define keycloak_client resources. # @param clients_merge # Boolean that sets if `clients` should be merged from Hiera. # @param flows # Hash taht is used to define keycloak_flow resources. # @param flows_merge # Boolean that sets if `flows` should be merged from Hiera. # @param flow_executions # Hash taht is used to define keycloak_flow resources. 
# @param flow_executions_merge # Boolean that sets if `flows` should be merged from Hiera. # @param required_actions # Hash that is used to define keycloak_required_action resources. # @param required_actions_merge # Boolean that sets if `required_actions` should be merged from Hiera. # @param ldap_mappers # Hash that is used to define keycloak_ldap_mapper resources. # @param ldap_mappers_merge # Boolean that sets if `ldap_mappers` should be merged from Hiera. # @param ldap_user_providers # Hash that is used to define keycloak_ldap_user_provider resources. # @param ldap_user_providers_merge # Boolean that sets if `ldap_user_providers` should be merged from Hiera. # @param with_sssd_support # Boolean that determines if SSSD user provider support should be available # @param libunix_dbus_java_source # Source URL of libunix-dbus-java # @param install_libunix_dbus_java_build_dependencies # Boolean that determines of libunix-dbus-java build dependencies are managed by this module # @param libunix_dbus_java_build_dependencies # Packages needed to build libunix-dbus-java # @param libunix_dbus_java_libdir # Path to directory to install libunix-dbus-java libraries # @param jna_package_name # Package name for jna # @param manage_sssd_config # Boolean that determines if SSSD ifp config for Keycloak is managed # @param sssd_ifp_user_attributes # user_attributes to define for SSSD ifp service # @param restart_sssd # Boolean that determines if SSSD should be restarted # @param service_environment_file # Path to the file with environment variables for the systemd service # @param operating_mode # Keycloak operating mode deployment # @param enable_jdbc_ping # Use JDBC_PING to discover the nodes and manage the replication of data # More info: http://jgroups.org/manual/#_jdbc_ping # Only applies when `operating_mode` is `clustered` # JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other # This module does not manage firewall changes # @param 
jboss_bind_public_address # JBoss bind public IP address # @param jboss_bind_private_address # JBoss bind private IP address # @param user_cache # Boolean that determines if userCache is enabled # @param tech_preview_features # List of technology Preview features to enable # @param auto_deploy_exploded # Set if exploded deployements will be auto deployed # @param auto_deploy_zipped # Set if zipped deployments will be auto deployed # @param spi_deployments # Hash used to define keycloak::spi_deployment resources # @param custom_config_content # Custom configuration content to be added to config.cli # @param custom_config_source # Custom configuration source file to be added to config.cli # class keycloak ( Boolean $manage_install = true, String $version = '8.0.1', Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $package_url = undef, Optional[Stdlib::Absolutepath] $install_dir = undef, String $service_name = 'keycloak', String $service_ensure = 'running', Boolean $service_enable = true, Boolean $service_hasstatus = true, Boolean $service_hasrestart = true, Stdlib::IP::Address $service_bind_address = '0.0.0.0', Optional[Variant[String, Array]] $java_opts = undef, Boolean $java_opts_append = true, Optional[String] $service_extra_opts = undef, Boolean $manage_user = true, String $user = 'keycloak', Stdlib::Absolutepath $user_shell = '/sbin/nologin', String $group = 'keycloak', + Boolean $system_user = true, Optional[Integer] $user_uid = undef, Optional[Integer] $group_gid = undef, String $admin_user = 'admin', String $admin_user_password = 'changeme', Boolean $manage_datasource = true, Enum['h2', 'mysql', 'oracle', 'postgresql'] $datasource_driver = 'h2', Optional[String] $datasource_host = undef, Optional[Integer] $datasource_port = undef, Optional[String] $datasource_url = undef, Optional[String] $datasource_xa_class = undef, String $datasource_dbname = 'keycloak', String $datasource_username = 'sa', String $datasource_password = 'sa', Optional[String] 
$datasource_package = undef, Optional[String] $datasource_jar_source = undef, Optional[String] $datasource_module_source = undef, Boolean $proxy_https = false, Boolean $truststore = false, Hash $truststore_hosts = {}, String $truststore_password = 'keycloak', Enum['WILDCARD', 'STRICT', 'ANY'] $truststore_hostname_verification_policy = 'WILDCARD', Integer $http_port = 8080, Integer $theme_static_max_age = 2592000, Boolean $theme_cache_themes = true, Boolean $theme_cache_templates = true, Hash $realms = {}, Boolean $realms_merge = false, Hash $oidc_client_scopes = {}, Boolean $oidc_client_scopes_merge = false, Hash $saml_client_scopes = {}, Boolean $saml_client_scopes_merge = false, Hash $client_scopes = {}, Boolean $client_scopes_merge = false, Hash $protocol_mappers = {}, Boolean $protocol_mappers_merge = false, Hash $identity_providers = {}, Boolean $identity_providers_merge = false, Hash $clients = {}, Boolean $clients_merge = false, Hash $flows = {}, Boolean $flows_merge = false, Hash $flow_executions = {}, Hash $required_actions = {}, Boolean $required_actions_merge = false, Hash $ldap_mappers = {}, Boolean $ldap_mappers_merge = false, Hash $ldap_user_providers = {}, Boolean $ldap_user_providers_merge = false, Boolean $flow_executions_merge = false, Boolean $with_sssd_support = false, Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl] $libunix_dbus_java_source = 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz', Boolean $install_libunix_dbus_java_build_dependencies = true, Array $libunix_dbus_java_build_dependencies = [], Stdlib::Absolutepath $libunix_dbus_java_libdir = '/usr/lib64', String $jna_package_name = 'jna', Boolean $manage_sssd_config = true, Array $sssd_ifp_user_attributes = [], Boolean $restart_sssd = true, Optional[Stdlib::Absolutepath] $service_environment_file = undef, Enum['standalone', 'clustered'] $operating_mode = 'standalone', Boolean $enable_jdbc_ping = false, Stdlib::IP::Address $jboss_bind_public_address = 
$facts['networking']['ip'], Stdlib::IP::Address $jboss_bind_private_address = $facts['networking']['ip'], Boolean $user_cache = true, Array $tech_preview_features = [], Boolean $auto_deploy_exploded = false, Boolean $auto_deploy_zipped = true, Hash $spi_deployments = {}, Optional[String] $custom_config_content = undef, Optional[Variant[String, Array]] $custom_config_source = undef, ) { if ! ($facts['os']['family'] in ['RedHat','Debian']) { fail("Unsupported osfamily: ${facts['os']['family']}, module ${module_name} only support osfamilies Debian and Redhat") } $download_url = pick($package_url, "https://downloads.jboss.org/keycloak/${version}/keycloak-${version}.tar.gz") case $datasource_driver { 'h2': { $datasource_connection_url = pick($datasource_url, "jdbc:h2:\${jboss.server.data.dir}/${datasource_dbname};AUTO_SERVER=TRUE") } 'mysql': { $db_host = pick($datasource_host, 'localhost') $db_port = pick($datasource_port, 3306) $datasource_connection_url = pick($datasource_url, "jdbc:mysql://${db_host}:${db_port}/${datasource_dbname}") } 'oracle': { $db_host = pick($datasource_host, 'localhost') $db_port = pick($datasource_port, 1521) $datasource_connection_url = pick($datasource_url, "jdbc:oracle:thin:@${db_host}:${db_port}:${datasource_dbname}") } 'postgresql': { $db_host = pick($datasource_host, 'localhost') $db_port = pick($datasource_port, 5432) $datasource_connection_url = pick($datasource_url, "jdbc:postgresql://${db_host}:${db_port}/${datasource_dbname}") } default: {} } if ($datasource_driver == 'oracle') and ($datasource_jar_source == undef) { fail('Using Oracle RDBMS requires definition datasource_jar_source for Oracle JDBC driver. 
Refer to module documentation') } case $facts['os']['family'] { 'RedHat': { if versioncmp($facts['os']['release']['major'], '8') >= 0 { $mysql_datasource_class = pick($datasource_xa_class, 'org.mariadb.jdbc.MariaDbDataSource') $mysql_jar_source = '/usr/lib/java/mariadb-java-client.jar' $postgresql_jar_source = '/usr/share/java/postgresql-jdbc/postgresql.jar' } else { $mysql_datasource_class = pick($datasource_xa_class, 'com.mysql.jdbc.jdbc2.optional.MysqlXADataSource') $mysql_jar_source = '/usr/share/java/mysql-connector-java.jar' $postgresql_jar_source = '/usr/share/java/postgresql-jdbc.jar' } } 'Debian': { if $facts['os']['name'] == 'Debian' and versioncmp($facts['os']['release']['major'], '10') >= 0 { $mysql_datasource_class = pick($datasource_xa_class, 'org.mariadb.jdbc.MariaDbDataSource') $mysql_jar_source = '/usr/share/java/mariadb-java-client.jar' } else { $mysql_datasource_class = pick($datasource_xa_class, 'com.mysql.jdbc.jdbc2.optional.MysqlXADataSource') $mysql_jar_source = '/usr/share/java/mysql-connector-java.jar' } $postgresql_jar_source = '/usr/share/java/postgresql.jar' } default: { # do nothing } } $install_base = pick($install_dir, "/opt/keycloak-${keycloak::version}") include ::java contain 'keycloak::install' contain "keycloak::datasource::${datasource_driver}" contain 'keycloak::config' contain 'keycloak::service' Class['::java'] -> Class['keycloak::install'] -> Class["keycloak::datasource::${datasource_driver}"] -> Class['keycloak::config'] -> Class['keycloak::service'] Class["keycloak::datasource::${datasource_driver}"]~>Class['keycloak::service'] if $with_sssd_support { contain 'keycloak::sssd' Class['keycloak::sssd'] ~> Class['keycloak::service'] } keycloak_conn_validator { 'keycloak': keycloak_server => 'localhost', keycloak_port => $http_port, use_ssl => false, timeout => 60, test_url => '/auth/realms/master/.well-known/openid-configuration', require => Class['keycloak::service'], } include keycloak::resources } 
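Review bot: In manifests/init.pp the new documentation and parameter for `system_user` are inserted at different positions: the `@param system_user` comment goes after `group_gid`, while `Boolean $system_user = true,` goes between `$group` and `$user_uid`; pick one position for both, and end the new comment with a period (`Default is `true`.`) like the surrounding entries. The comment should also say that `system` is only used when Puppet creates the user and group, so changing the default to `true` does not renumber an already existing `keycloak` account; that is the safe behaviour, but it needs to be stated since the parameter reads as if it applied unconditionally. While touching this block, the neighbouring pre-existing comments read `Hash taht is used` twice, the `flow_executions` entry says it defines `keycloak_flow` resources, and `flow_executions_merge` says it merges `flows`; those should read `keycloak_flow_execution` and `flow_executions`.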
diff --git a/manifests/install.pp b/manifests/install.pp index bcfd9e0..8a94df0 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -1,51 +1,53 @@ # Private class. class keycloak::install { assert_private() if $keycloak::manage_user { user { 'keycloak': ensure => 'present', name => $keycloak::user, forcelocal => true, shell => $keycloak::user_shell, gid => $keycloak::group, uid => $keycloak::user_uid, home => '/var/lib/keycloak', managehome => true, + system => $keycloak::system_user, } group { 'keycloak': ensure => 'present', name => $keycloak::group, forcelocal => true, gid => $keycloak::group_gid, + system => $keycloak::system_user, } } if $::keycloak::manage_install { file { $::keycloak::install_base: ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, mode => '0755', } -> archive { "keycloak-${keycloak::version}.tar.gz": ensure => 'present', extract => true, path => "/tmp/keycloak-${keycloak::version}.tar.gz", extract_path => $::keycloak::install_base, extract_command => 'tar xfz %s --strip-components=1', source => $keycloak::download_url, creates => "${::keycloak::install_base}/bin", cleanup => true, user => $keycloak::user, group => $keycloak::group, } } else { # Set permissions properly when using a package exec { 'ensure-keycloak-dir-owner': command => "chown -R ${::keycloak::user}:${::keycloak::group} ${::keycloak::install_base}", unless => "test `stat -c %U ${::keycloak::install_base}` = ${::keycloak::user}", path => ['/bin','/usr/bin'], } } } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 55bb8d2..a449555 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
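Review bot: In manifests/install.pp, `system => $keycloak::system_user` is set alongside `uid => $keycloak::user_uid` and `gid => $keycloak::group_gid`; when an explicit uid or gid is given it takes precedence over the system flag, so the parameter documentation should say `user_uid`/`group_gid` override `system_user` rather than implying a guaranteed low id. Unrelated to the added lines but visible in the same class: the `else` branch runs `chown -R` over `$install_base` as root guarded by an `unless` that inspects only the owner of the top-level directory, so a package-installed tree whose top directory already belongs to keycloak never has its subtree corrected; consider a `find`-based check or dropping the recursive chown in favour of explicit `file` resources.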
@@ -1,198 +1,199 @@ require 'spec_helper' describe 'keycloak' do on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do facts.merge(concat_basedir: '/dne') end let(:version) { '8.0.1' } case facts[:osfamily] when %r{RedHat} shell = '/sbin/nologin' when %r{Debian} shell = '/usr/sbin/nologin' end it { is_expected.to compile.with_all_deps } it { is_expected.to create_class('keycloak') } it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::config]') } it { is_expected.to contain_class('keycloak::config').that_comes_before('Class[keycloak::service]') } it { is_expected.to contain_class('keycloak::service') } context 'keycloak::install' do it do is_expected.to contain_user('keycloak').only_with(ensure: 'present', name: 'keycloak', forcelocal: 'true', shell: shell, gid: 'keycloak', home: '/var/lib/keycloak', - managehome: 'true') + managehome: 'true', + system: 'true') end end context 'keycloak::datasource::mysql' do let(:pre_condition) { 'include ::mysql::server' } let(:params) { { datasource_driver: 'mysql' } } it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::datasource::mysql]') } it { is_expected.to contain_class('keycloak::datasource::mysql').that_comes_before('Class[keycloak::config]') } it do is_expected.to contain_mysql__db('keycloak').with(user: 'sa', password: 'sa', host: 'localhost', grant: 'ALL') end context 'manage_datasource => false' do let(:params) { { datasource_driver: 'mysql', manage_datasource: false } } it { is_expected.not_to contain_mysql__db('keycloak') } end end context 'keycloak::datasource::postgresql' do let(:params) { { datasource_driver: 'postgresql' } } it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::datasource::postgresql]') } it { is_expected.to contain_class('keycloak::datasource::postgresql').that_comes_before('Class[keycloak::config]') } it do is_expected.to 
contain_postgresql__server__db('keycloak').with(user: 'sa', password: %r{.*}) end context 'manage_datasource => false' do let(:params) { { datasource_driver: 'postgresql', manage_datasource: false } } it { is_expected.not_to contain_postgresql__server__db('keycloak') } end end context 'keycloak::config' do it do is_expected.to contain_file('kcadm-wrapper.sh').only_with( ensure: 'file', path: "/opt/keycloak-#{version}/bin/kcadm-wrapper.sh", owner: 'keycloak', group: 'keycloak', mode: '0750', content: %r{.*}, show_diff: 'false', ) end it do is_expected.to contain_exec('create-keycloak-admin') .with(command: "/opt/keycloak-#{version}/bin/add-user-keycloak.sh --user admin --password changeme --realm master && touch /opt/keycloak-#{version}/.create-keycloak-admin-h2", creates: "/opt/keycloak-#{version}/.create-keycloak-admin-h2", notify: 'Class[Keycloak::Service]') end it do is_expected.to contain_file("/opt/keycloak-#{version}/standalone/configuration").only_with( ensure: 'directory', owner: 'keycloak', group: 'keycloak', mode: '0750', ) end it do is_expected.to contain_file("/opt/keycloak-#{version}/standalone/configuration/profile.properties").only_with( ensure: 'file', owner: 'keycloak', group: 'keycloak', mode: '0644', content: %r{.*}, notify: 'Class[Keycloak::Service]', ) end it do verify_exact_file_contents(catalogue, "/opt/keycloak-#{version}/standalone/configuration/profile.properties", []) end it do is_expected.to contain_concat("/opt/keycloak-#{version}/config.cli").with( ensure: 'present', owner: 'keycloak', group: 'keycloak', mode: '0600', notify: 'Exec[jboss-cli.sh --file=config.cli]', show_diff: 'false', ) end it do is_expected.to contain_concat__fragment('config.cli-keycloak').with( target: "/opt/keycloak-#{version}/config.cli", content: %r{.*}, order: '00', ) end it do is_expected.to contain_file_line('standalone.conf-JAVA_OPTS').with( ensure: 'absent', path: "/opt/keycloak-#{version}/bin/standalone.conf", line: 'JAVA_OPTS="$JAVA_OPTS "', match: 
'^JAVA_OPTS=', notify: 'Class[Keycloak::Service]', ) end context 'when tech_preview_features defined' do let(:params) { { tech_preview_features: ['account_api'] } } it do verify_exact_file_contents(catalogue, "/opt/keycloak-#{version}/standalone/configuration/profile.properties", ['feature.account_api=enabled']) end end context 'when java_opts defined' do let(:params) { { java_opts: '-Xmx512m -Xms64m' } } it do is_expected.to contain_file_line('standalone.conf-JAVA_OPTS').with( ensure: 'present', path: "/opt/keycloak-#{version}/bin/standalone.conf", line: 'JAVA_OPTS="$JAVA_OPTS -Xmx512m -Xms64m"', match: '^JAVA_OPTS=', notify: 'Class[Keycloak::Service]', ) end context 'when java_opts_append is false' do let(:params) { { java_opts: '-Xmx512m -Xms64m', java_opts_append: false } } it do is_expected.to contain_file_line('standalone.conf-JAVA_OPTS').with( ensure: 'present', path: "/opt/keycloak-#{version}/bin/standalone.conf", line: 'JAVA_OPTS="-Xmx512m -Xms64m"', match: '^JAVA_OPTS=', notify: 'Class[Keycloak::Service]', ) end end end end context 'keycloak::service' do it do is_expected.to contain_service('keycloak').only_with(ensure: 'running', enable: 'true', name: 'keycloak', hasstatus: 'true', hasrestart: 'true') end end end # end context end # end on_supported_os loop end # end describe
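Review bot: in the manifests/install.pp hunk, `system => $keycloak::system_user` on `user { 'keycloak': }` and `group { 'keycloak': }` is only honoured when the account is first created; Puppet's `system` is a creation-time parameter rather than a managed property, so nodes that already have a `keycloak` user with a regular UID will not be converted and no change will be reported. That is worth a sentence in the parameter documentation. Note also that the resources still pass `uid => $keycloak::user_uid` and `gid => $keycloak::group_gid`, so when those are set explicitly they take precedence over the low-range allocation the system flag would otherwise request. The hunk references `$keycloak::system_user` without showing its declaration; make sure the `keycloak` class declares it as a `Boolean` with a default (the spec hunk expects `system: 'true'`, so `true`) and that REFERENCE.md gets the matching entry.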
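Review bot: in the spec/classes/init_spec.rb hunk, the new `system: 'true'` assertion covers only the user resource; the install.pp hunk sets `system => $keycloak::system_user` on the group as well, and nothing here checks it, nor is the `system_user => false` path exercised. Suggest adding `it { is_expected.to contain_group('keycloak').with(system: 'true') }` beside the user check, plus a `context 'system_user => false'` with `let(:params) { { system_user: false } }` asserting both resources carry `system: 'false'`, mirroring the `manage_datasource => false` contexts this file already uses.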