site-modules/profile/manifests/keycloak/resources.pp
- This file was added.
class profile::keycloak::resources {
$realms = lookup({
name => 'keycloak::resources::realms',
value_type => Hash,
merge => {
strategy => 'deep',
knockout_prefix => '--',
},
default_value => {},
})
$realm_common_settings = lookup({
name => 'keycloak::resources::realms::common_settings',
value_type => Hash,
merge => {
strategy => 'deep',
knockout_prefix => '--',
},
default_value => {},
})
$client_common_settings = lookup({
name => 'keycloak::resources::clients::common_settings',
value_type => Hash,
merge => {
strategy => 'deep',
knockout_prefix => '--',
},
default_value => {},
})
$realms.each |$realm_name, $realm_data| {
$_local_realm_settings = pick($realm_data['settings'], {})
$_full_realm_settings = deep_merge($realm_common_settings, $_local_realm_settings)
keycloak_realm {$realm_name:
ensure => present,
* => $_full_realm_settings,
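Review bot: `value_type => Hash` on the three lookups only constrains the outer hash, so a realm or client entry that is not itself a hash is rejected only later, when `$realm_data['settings']` or `$client_data['settings']` is indexed; `value_type => Hash[String, Hash]` would fail at lookup time with a clearer message. The merge options are also repeated verbatim three times; a single `$_merge = { strategy => 'deep', knockout_prefix => '--' }` reused in each call keeps them from drifting.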
anlambert: I did not know that `present` was also a keyword in puppet, we should use it instead of a string for consistency in that file.
}
$clients = pick($realm_data['clients'], {})
$realm_client_common_settings = deep_merge($client_common_settings,
pick($realm_data['client_settings'], {}))
$clients.each |$client_name, $client_data| {
$_local_client_settings = pick($client_data['settings'], {})
$_full_client_settings = deep_merge($realm_client_common_settings, $_local_client_settings)
$client_id = fqdn_uuid("${realm_name}.${client_name}")
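Review bot: the `knockout_prefix => '--'` configured on the lookups is applied by Hiera only while it merges the layers of one key; the `deep_merge` calls above (`$realm_common_settings` with the realm's `settings`, `$client_common_settings` with `client_settings`, then with the client's own `settings`) are plain stdlib merges, so a `--key` entry in realm or client data will not remove `key` inherited from the common settings and is instead passed on through the splat as an attribute literally named `--key`. Either document that knockouts only work within a single lookup key, or filter `--`-prefixed keys out before the splat.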
anlambert: Let's compute a client id value here using `fqdn_uuid` from the puppet standard library:
```lang=puppet
$client_id = fqdn_uuid("${realm_name}.${client_name}")
```
Keycloak also uses UUIDs for object ids, so let's do the same.
keycloak_client {"${client_name} on ${realm_name}":
anlambert: Let's explicitly set client id here:
```lang=puppet
id => $client_id,
```
ensure => present,
id => $client_id,
anlambert: These lines are redundant and can be removed.
* => $_full_client_settings,
}
$protocol_mappers = pick($client_data['protocol_mappers'], [])
$protocol_mappers.each | Hash $protocol_mapper_data | {
$_pm_data = Hash($protocol_mapper_data.map |$key, $value| {
[$key, $value ? {'__client_id__' => $client_name, default => $value}]
})
$protocol_mapper_name = $protocol_mapper_data['name']
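Review bot: the `__client_id__` substitution building `$_pm_data` only inspects top-level values of each mapper hash (`$value ? {'__client_id__' => $client_name, default => $value}`), so a placeholder inside a nested hash passes through unchanged; either state in the Hiera documentation that the placeholder is top-level only, or make the map recursive. `$protocol_mapper_name` is also read from `$protocol_mapper_data['name']` unchecked: a mapper entry without `name` yields an undef title fragment and an `fqdn_uuid` seed ending in `.`, so an `assert_type(String, $protocol_mapper_data['name'])` or an explicit `fail()` on the missing key would give a readable error.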
anlambert: This line should be turned into:
```lang=puppet
keycloak_client_protocol_mapper {"${protocol_mapper_name} for ${$client_id} on ${realm_name}":
```
Indeed, Keycloak uses the client id as argument of the `/{realm}/clients/{id}/protocol-mappers/models` endpoint of its admin API (see documentation).
olasd: So I guess the `__client_id__` magic stuff isn't really useful anymore either?
anlambert: Yes it is still needed as decoding of JWT tokens will fail otherwise. The client id in Keycloak is quite confusing as if you look at a client representation, there is:

Maybe the `client_id` variable could be renamed to `client_internal_id` or `client_kc_id` to disambiguate?
olasd: Ah! I understand. So in the end it doesn't need to match the name of the client as set in keycloak. So I guess I can remove the magic name matching and just set it to `swh-web`. (The `client_id` field is a parameter of `keycloak_client_protocol_mapper` so we can't really change its name.)
anlambert: I think you can keep the magic name matching and rename `keycloak::resources::protocol_mappers::webapp` to `keycloak::resources::protocol_mappers::audience`. This way you get a generic audience mapper that can be used for other clients than swh-web.
anlambert: Even better, split `keycloak::resources::protocol_mappers::webapp` into `keycloak::resources::protocol_mappers::audience` and `keycloak::resources::protocol_mappers::groups`.
$protocol_mapper_id = fqdn_uuid("${realm_name}.${client_name}.${protocol_mapper_name}")
keycloak_client_protocol_mapper {"${protocol_mapper_data['name']} for ${client_id} on ${realm_name}":
ensure => present,
id => $protocol_mapper_id,
* => $_pm_data,
}
}
}
}
}
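Review bot: the title of `keycloak_client_protocol_mapper` re-reads `${protocol_mapper_data['name']}` although `$protocol_mapper_name` already holds that value and is what `$protocol_mapper_id` is derived from; using the variable in the title keeps the two in step. Also, because `* => $_pm_data` (and `* => $_full_client_settings` on the client resource) is combined with explicit `ensure` and `id` attributes, a Hiera entry that carries an `ensure` or `id` key fails with a duplicate-attribute error; stripping those keys (`$_pm_data - ['ensure', 'id']`) or documenting that they are reserved avoids the surprise.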