Page MenuHomeSoftware Heritage
Files F9696749

No OneTemporary
Actions

View Options

diff --git a/REFERENCE.md b/REFERENCE.md
index b03786b..7de9fd5 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1,3039 +1,3047 @@
# Reference
<!-- DO NOT EDIT: This document was generated by Puppet Strings -->
## Table of Contents
**Classes**
_Public Classes_
* [`keycloak`](#keycloak): Manage Keycloak
* [`keycloak::config`](#keycloakconfig): Private class.
* [`keycloak::datasource::h2`](#keycloakdatasourceh2): Private class.
* [`keycloak::install`](#keycloakinstall): Private class.
* [`keycloak::service`](#keycloakservice): Private class.
* [`keycloak::sssd`](#keycloaksssd): Private class.
_Private Classes_
* `keycloak::datasource::mysql`: Manage MySQL datasource
* `keycloak::datasource::oracle`: Manage Oracle datasource
* `keycloak::datasource::postgresql`: Manage postgresql datasource
* `keycloak::resources`: Define Keycloak resources
**Defined types**
* [`keycloak::client_scope::oidc`](#keycloakclient_scopeoidc): Manage Keycloak OpenID Connect client scope using built-in mappers
* [`keycloak::client_scope::saml`](#keycloakclient_scopesaml): Manage Keycloak SAML client scope using built-in mappers
* [`keycloak::spi_deployment`](#keycloakspi_deployment): Manage Keycloak SPI deployment
* [`keycloak::truststore::host`](#keycloaktruststorehost): Add host to Keycloak truststore
**Resource types**
* [`keycloak_api`](#keycloak_api): Type that configures API connection parameters for other keycloak types that use the Keycloak API.
* [`keycloak_client`](#keycloak_client): Manage Keycloak clients
* [`keycloak_client_protocol_mapper`](#keycloak_client_protocol_mapper): Manage Keycloak protocol mappers
* [`keycloak_client_scope`](#keycloak_client_scope): Manage Keycloak client scopes
* [`keycloak_conn_validator`](#keycloak_conn_validator): Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to pre
* [`keycloak_flow`](#keycloak_flow): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of `flow_alias` if `top_level=fals
* [`keycloak_flow_execution`](#keycloak_flow_execution): Manage a Keycloak flow **Autorequires** * `keycloak_realm` defined for `realm` parameter * `keycloak_flow` of value defined for `flow_alias`
* [`keycloak_identity_provider`](#keycloak_identity_provider): Manage Keycloak identity providers
* [`keycloak_ldap_mapper`](#keycloak_ldap_mapper): Manage Keycloak LDAP attribute mappers
* [`keycloak_ldap_user_provider`](#keycloak_ldap_user_provider): Manage Keycloak LDAP user providers
* [`keycloak_protocol_mapper`](#keycloak_protocol_mapper): Manage Keycloak client scope protocol mappers
* [`keycloak_realm`](#keycloak_realm): Manage Keycloak realms
* [`keycloak_required_action`](#keycloak_required_action): Manage Keycloak required actions
* [`keycloak_resource_validator`](#keycloak_resource_validator): Verify that a specific Keycloak resource is available
* [`keycloak_sssd_user_provider`](#keycloak_sssd_user_provider): Manage Keycloak SSSD user providers
## Classes
### keycloak
Manage Keycloak
#### Examples
#####
```puppet
include ::keycloak
```
#### Parameters
The following parameters are available in the `keycloak` class.
##### `manage_install`
Data type: `Boolean`
Install Keycloak from upstream Keycloak tarball.
Set to false to manage installation of Keycloak outside
this module and set $install_dir to match.
Defaults to true.
Default value: `true`
##### `version`
Data type: `String`
Version of Keycloak to install and manage.
Default value: '8.0.1'
##### `package_url`
Data type: `Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]`
URL of the Keycloak download.
Default is based on version.
Default value: `undef`
##### `install_dir`
Data type: `Optional[Stdlib::Absolutepath]`
The directory of where to install Keycloak.
Default is `/opt/keycloak-${version}`.
Default value: `undef`
##### `service_name`
Data type: `String`
Keycloak service name.
Default is `keycloak`.
Default value: 'keycloak'
##### `service_ensure`
Data type: `String`
Keycloak service ensure property.
Default is `running`.
Default value: 'running'
##### `service_enable`
Data type: `Boolean`
Keycloak service enable property.
Default is `true`.
Default value: `true`
##### `service_hasstatus`
Data type: `Boolean`
Keycloak service hasstatus parameter.
Default is `true`.
Default value: `true`
##### `service_hasrestart`
Data type: `Boolean`
Keycloak service hasrestart parameter.
Default is `true`.
Default value: `true`
##### `service_bind_address`
Data type: `Stdlib::IP::Address`
Bind address for Keycloak service.
Default is '0.0.0.0'.
Default value: '0.0.0.0'
##### `java_opts`
Data type: `Optional[Variant[String, Array]]`
Sets additional options to Java virtual machine environment variable.
Default value: `undef`
##### `java_opts_append`
Data type: `Boolean`
Determine if $JAVA_OPTS should be appended to when setting `java_opts` parameter
Default value: `true`
##### `service_extra_opts`
Data type: `Optional[String]`
Additional options added to the end of the service command-line.
Default value: `undef`
##### `manage_user`
Data type: `Boolean`
Defines if the module should manage the Linux user for Keycloak installation
Default value: `true`
##### `user`
Data type: `String`
Keycloak user name.
Default is `keycloak`.
Default value: 'keycloak'
##### `user_shell`
Data type: `Stdlib::Absolutepath`
Keycloak user shell.
Default value: '/sbin/nologin'
##### `group`
Data type: `String`
Keycloak user group name.
Default is `keycloak`.
Default value: 'keycloak'
##### `user_uid`
Data type: `Optional[Integer]`
Keycloak user UID.
Default is `undef`.
Default value: `undef`
##### `group_gid`
Data type: `Optional[Integer]`
Keycloak user group GID.
Default is `undef`.
Default value: `undef`
##### `system_user`
Data type: `Boolean`
If keycloak user should be a system user with lower uid and gid.
Default is `true`
Default value: `true`
##### `admin_user`
Data type: `String`
Keycloak administrative username.
Default is `admin`.
Default value: 'admin'
##### `admin_user_password`
Data type: `String`
Keycloak administrative user password.
Default is `changeme`.
Default value: 'changeme'
##### `manage_datasource`
Data type: `Boolean`
Boolean that determines if configured datasource will be managed.
Default is `true`.
Default value: `true`
##### `datasource_driver`
Data type: `Enum['h2', 'mysql', 'oracle', 'postgresql']`
Datasource driver to use for Keycloak.
Valid values are `h2`, `mysql`, 'oracle' and 'postgresql'
Default is `h2`.
Default value: 'h2'
##### `datasource_host`
Data type: `Optional[String]`
Datasource host.
Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql'
Default is `localhost` for MySQL.
Default value: `undef`
##### `datasource_port`
Data type: `Optional[Integer]`
Datasource port.
Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql'
Default is `3306` for MySQL.
Default value: `undef`
##### `datasource_url`
Data type: `Optional[String]`
Datasource url.
Default datasource URLs are defined in init class.
Default value: `undef`
##### `datasource_dbname`
Data type: `String`
Datasource database name.
Default is `keycloak`.
Default value: 'keycloak'
##### `datasource_username`
Data type: `String`
Datasource user name.
Default is `sa`.
Default value: 'sa'
##### `datasource_password`
Data type: `String`
Datasource user password.
Default is `sa`.
Default value: 'sa'
##### `datasource_package`
Data type: `Optional[String]`
Package to add specified datasource support
Default value: `undef`
##### `datasource_jar_source`
Data type: `Optional[String]`
Source for datasource JDBC driver - could be puppet link or local file on the node.
Default is dependent on value for `datasource_driver`.
This parameter is required if `datasource_driver` is `oracle`.
Default value: `undef`
##### `datasource_module_source`
Data type: `Optional[String]`
Source for datasource module.xml. Default depends on `datasource_driver`.
Default value: `undef`
##### `datasource_xa_class`
Data type: `Optional[String]`
MySQL Connector/J JDBC driver xa-datasource class name
Default value: `undef`
##### `proxy_https`
Data type: `Boolean`
Boolean that sets if HTTPS proxy should be enabled.
Set to `true` if proxying traffic through Apache.
Default is `false`.
Default value: `false`
##### `truststore`
Data type: `Boolean`
Boolean that sets if truststore should be used.
Default is `false`.
Default value: `false`
##### `truststore_hosts`
Data type: `Hash`
Hash that is used to define `keycloak::turststore::host` resources.
Default is `{}`.
Default value: {}
##### `truststore_password`
Data type: `String`
Truststore password.
Default is `keycloak`.
Default value: 'keycloak'
##### `truststore_hostname_verification_policy`
Data type: `Enum['WILDCARD', 'STRICT', 'ANY']`
Valid values are `WILDCARD`, `STRICT`, and `ANY`.
Default is `WILDCARD`.
Default value: 'WILDCARD'
##### `http_port`
Data type: `Integer`
HTTP port used by Keycloak.
Default is `8080`.
Default value: 8080
##### `theme_static_max_age`
Data type: `Integer`
Max cache age in seconds of static content.
Default is `2592000`.
Default value: 2592000
##### `theme_cache_themes`
Data type: `Boolean`
Boolean that sets if themes should be cached.
Default is `true`.
Default value: `true`
##### `theme_cache_templates`
Data type: `Boolean`
Boolean that sets if templates should be cached.
Default is `true`.
Default value: `true`
##### `realms`
Data type: `Hash`
Hash that is used to define keycloak_realm resources.
Default is `{}`.
Default value: {}
##### `realms_merge`
Data type: `Boolean`
Boolean that sets if `realms` should be merged from Hiera.
Default value: `false`
##### `oidc_client_scopes`
Data type: `Hash`
Hash that is used to define keycloak::client_scope::oidc resources.
Default is `{}`.
Default value: {}
##### `oidc_client_scopes_merge`
Data type: `Boolean`
Boolean that sets if `oidc_client_scopes` should be merged from Hiera.
Default value: `false`
##### `saml_client_scopes`
Data type: `Hash`
Hash that is used to define keycloak::client_scope::saml resources.
Default is `{}`.
Default value: {}
##### `saml_client_scopes_merge`
Data type: `Boolean`
Boolean that sets if `saml_client_scopes` should be merged from Hiera.
Default value: `false`
##### `identity_providers`
Data type: `Hash`
Hash that is used to define keycloak_identity_provider resources.
Default value: {}
##### `identity_providers_merge`
Data type: `Boolean`
Boolean that sets if `identity_providers` should be merged from Hiera.
Default value: `false`
##### `client_scopes`
Data type: `Hash`
Hash that is used to define keycloak_client_scope resources.
Default value: {}
##### `client_scopes_merge`
Data type: `Boolean`
Boolean that sets if `client_scopes` should be merged from Hiera.
Default value: `false`
##### `protocol_mappers`
Data type: `Hash`
Hash that is used to define keycloak_protocol_mapper resources.
Default value: {}
##### `protocol_mappers_merge`
Data type: `Boolean`
Boolean that sets if `protocol_mappers` should be merged from Hiera.
Default value: `false`
##### `clients`
Data type: `Hash`
Hash that is used to define keycloak_client resources.
Default value: {}
##### `clients_merge`
Data type: `Boolean`
Boolean that sets if `clients` should be merged from Hiera.
Default value: `false`
##### `flows`
Data type: `Hash`
Hash taht is used to define keycloak_flow resources.
Default value: {}
##### `flows_merge`
Data type: `Boolean`
Boolean that sets if `flows` should be merged from Hiera.
Default value: `false`
##### `flow_executions`
Data type: `Hash`
Hash taht is used to define keycloak_flow resources.
Default value: {}
##### `flow_executions_merge`
Data type: `Boolean`
Boolean that sets if `flows` should be merged from Hiera.
Default value: `false`
##### `required_actions`
Data type: `Hash`
Hash that is used to define keycloak_required_action resources.
Default value: {}
##### `required_actions_merge`
Data type: `Boolean`
Boolean that sets if `required_actions` should be merged from Hiera.
Default value: `false`
##### `ldap_mappers`
Data type: `Hash`
Hash that is used to define keycloak_ldap_mapper resources.
Default value: {}
##### `ldap_mappers_merge`
Data type: `Boolean`
Boolean that sets if `ldap_mappers` should be merged from Hiera.
Default value: `false`
##### `ldap_user_providers`
Data type: `Hash`
Hash that is used to define keycloak_ldap_user_provider resources.
Default value: {}
##### `ldap_user_providers_merge`
Data type: `Boolean`
Boolean that sets if `ldap_user_providers` should be merged from Hiera.
Default value: `false`
##### `with_sssd_support`
Data type: `Boolean`
Boolean that determines if SSSD user provider support should be available
Default value: `false`
##### `libunix_dbus_java_source`
Data type: `Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]`
Source URL of libunix-dbus-java
Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'
##### `install_libunix_dbus_java_build_dependencies`
Data type: `Boolean`
Boolean that determines of libunix-dbus-java build dependencies are managed by this module
Default value: `true`
##### `libunix_dbus_java_build_dependencies`
Data type: `Array`
Packages needed to build libunix-dbus-java
Default value: []
##### `libunix_dbus_java_libdir`
Data type: `Stdlib::Absolutepath`
Path to directory to install libunix-dbus-java libraries
Default value: '/usr/lib64'
##### `jna_package_name`
Data type: `String`
Package name for jna
Default value: 'jna'
##### `manage_sssd_config`
Data type: `Boolean`
Boolean that determines if SSSD ifp config for Keycloak is managed
Default value: `true`
##### `sssd_ifp_user_attributes`
Data type: `Array`
user_attributes to define for SSSD ifp service
Default value: []
##### `restart_sssd`
Data type: `Boolean`
Boolean that determines if SSSD should be restarted
Default value: `true`
##### `service_environment_file`
Data type: `Optional[Stdlib::Absolutepath]`
Path to the file with environment variables for the systemd service
Default value: `undef`
##### `operating_mode`
Data type: `Enum['standalone', 'clustered']`
Keycloak operating mode deployment
Default value: 'standalone'
##### `enable_jdbc_ping`
Data type: `Boolean`
Use JDBC_PING to discover the nodes and manage the replication of data
More info: http://jgroups.org/manual/#_jdbc_ping
Only applies when `operating_mode` is `clustered`
JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other
This module does not manage firewall changes
Default value: `false`
##### `jboss_bind_public_address`
Data type: `Stdlib::IP::Address`
JBoss bind public IP address
Default value: $facts['networking']['ip']
##### `jboss_bind_private_address`
Data type: `Stdlib::IP::Address`
JBoss bind private IP address
Default value: $facts['networking']['ip']
##### `user_cache`
Data type: `Boolean`
Boolean that determines if userCache is enabled
Default value: `true`
##### `tech_preview_features`
Data type: `Array`
List of technology Preview features to enable
Default value: []
##### `auto_deploy_exploded`
Data type: `Boolean`
Set if exploded deployements will be auto deployed
Default value: `false`
##### `auto_deploy_zipped`
Data type: `Boolean`
Set if zipped deployments will be auto deployed
Default value: `true`
##### `spi_deployments`
Data type: `Hash`
Hash used to define keycloak::spi_deployment resources
Default value: {}
##### `custom_config_content`
Data type: `Optional[String]`
Custom configuration content to be added to config.cli
Default value: `undef`
##### `custom_config_source`
Data type: `Optional[Variant[String, Array]]`
Custom configuration source file to be added to config.cli
Default value: `undef`
### keycloak::config
Private class.
### keycloak::datasource::h2
Private class.
### keycloak::install
Private class.
### keycloak::service
Private class.
### keycloak::sssd
Private class.
## Defined types
### keycloak::client_scope::oidc
Manage Keycloak OpenID Connect client scope using built-in mappers
#### Examples
#####
```puppet
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}
```
#### Parameters
The following parameters are available in the `keycloak::client_scope::oidc` defined type.
##### `realm`
Data type: `String`
Realm of the client scope.
##### `resource_name`
Data type: `String`
Name of the client scope resource
Default value: $name
### keycloak::client_scope::saml
Manage Keycloak SAML client scope using built-in mappers
#### Examples
#####
```puppet
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}
```
#### Parameters
The following parameters are available in the `keycloak::client_scope::saml` defined type.
##### `realm`
Data type: `String`
Realm of the client scope.
##### `resource_name`
Data type: `String`
Name of the client scope resource
Default value: $name
### keycloak::spi_deployment
}
#### Examples
##### Add Duo SPI
```puppet
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}
```
##### Add Duo SPI and check API for existance of resources before going onto dependenct resources
```puppet
keycloak::spi_deployment { 'duo-spi':
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-mfa-authenticator',
test_realm => 'test',
before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],
```
#### Parameters
The following parameters are available in the `keycloak::spi_deployment` defined type.
##### `ensure`
Data type: `Enum['present', 'absent']`
State of the deployment
Default value: 'present'
##### `deployed_name`
Data type: `String[1]`
Name of the file to be deployed. Defaults to `$name`.
Default value: $name
##### `source`
Data type: `Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]`
Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'
##### `test_url`
Data type: `Optional[String]`
URL to test for existance of resources created by this SPI
Default value: `undef`
##### `test_key`
Data type: `Optional[String]`
Key of resource when testing for resource created by this SPI
Default value: `undef`
##### `test_value`
Data type: `Optional[String]`
Value of the `test_key` when testing for resources created by this SPI
Default value: `undef`
##### `test_realm`
Data type: `Optional[String]`
Realm to query when looking for resources created by this SPI
Default value: `undef`
### keycloak::truststore::host
Add host to Keycloak truststore
#### Examples
#####
```puppet
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
```
#### Parameters
The following parameters are available in the `keycloak::truststore::host` defined type.
##### `certificate`
Data type: `String`
Path to host certificate
##### `ensure`
Data type: `Enum['latest', 'present', 'absent']`
Host ensure value passed to `java_ks` resource.
Default value: 'latest'
## Resource types
### keycloak_api
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
#### Examples
##### Define API access
```puppet
keycloak_api { 'keycloak'
install_dir => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
```
#### Parameters
The following parameters are available in the `keycloak_api` type.
##### `name`
namevar
Keycloak API config
##### `install_dir`
Install location of Keycloak
Default value: /opt/keycloak
##### `server`
Auth URL for Keycloak server
Default value: http://localhost:8080/auth
##### `realm`
Realm for authentication
Default value: master
##### `user`
User for authentication
Default value: admin
##### `password`
Password for authentication
Default value: changeme
##### `use_wrapper`
Valid values: `true`, `false`
Boolean that determines if kcadm_wrapper.sh should be used
Default value: `false`
### keycloak_client
Manage Keycloak clients
#### Examples
##### Add a OpenID Connect client
```puppet
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
default_client_scopes => ['profile','email'],
secret => 'supersecret',
}
```
#### Properties
The following properties are available in the `keycloak_client` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `protocol`
Valid values: openid-connect, saml
protocol
Default value: openid-connect
##### `client_authenticator_type`
clientAuthenticatorType
Default value: client-secret
##### `default_client_scopes`
defaultClientScopes
Default value: []
##### `optional_client_scopes`
optionalClientScopes
Default value: []
##### `full_scope_allowed`
Valid values: `true`, `false`
fullScopeAllowed
Default value: true
##### `enabled`
Valid values: `true`, `false`
enabled
Default value: true
##### `standard_flow_enabled`
Valid values: `true`, `false`
standardFlowEnabled
Default value: true
##### `implicit_flow_enabled`
Valid values: `true`, `false`
implicitFlowEnabled
Default value: false
##### `direct_access_grants_enabled`
Valid values: `true`, `false`
enabled
Default value: true
##### `service_accounts_enabled`
Valid values: `true`, `false`
serviceAccountsEnabled
Default value: false
##### `authorization_services_enabled`
Valid values: `true`, `false`
authorizationServicesEnabled
Default value: false
##### `public_client`
Valid values: `true`, `false`
enabled
Default value: false
##### `root_url`
rootUrl
##### `redirect_uris`
redirectUris
Default value: []
##### `base_url`
baseUrl
##### `web_origins`
webOrigins
Default value: []
##### `login_theme`
login_theme
Default value: absent
##### `access_token_lifespan`
access.token.lifespan
#### Parameters
The following parameters are available in the `keycloak_client` type.
##### `name`
namevar
The client name
##### `client_id`
clientId. Defaults to `name`.
##### `id`
Id. Defaults to `client_id`
##### `realm`
realm
##### `secret`
secret
### keycloak_client_protocol_mapper
Manage Keycloak protocol mappers
#### Examples
##### Add email protocol mapper to test.example.com client in realm test
```puppet
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
```
#### Properties
The following properties are available in the `keycloak_client_protocol_mapper` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `protocol`
Valid values: openid-connect, saml
protocol
Default value: openid-connect
##### `user_attribute`
user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper`
##### `json_type_label`
json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`.
##### `full_path`
Valid values: `true`, `false`
full.path. Default to `false` for `type` `oidc-group-membership-mapper`.
##### `friendly_name`
friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `attribute_name`
attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `claim_name`
claim.name
##### `id_token_claim`
Valid values: `true`, `false`
id.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `access_token_claim`
Valid values: `true`, `false`
access.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `userinfo_token_claim`
Valid values: `true`, `false`
userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`.
##### `attribute_nameformat`
attribute.nameformat
##### `single`
Valid values: `true`, `false`
single. Default to `false` for `type` `saml-role-list-mapper`.
##### `script`
Script, only valid for `type` of `saml-javascript-mapper`'
Array values will be joined with newlines. Strings will be kept unchanged.
##### `included_client_audience`
included.client.audience Required for `type` of `oidc-audience-mapper`
#### Parameters
The following parameters are available in the `keycloak_client_protocol_mapper` type.
##### `name`
namevar
The protocol mapper name
##### `id`
Id.
##### `resource_name`
The protocol mapper name. Defaults to `name`.
##### `client`
client
##### `realm`
realm
##### `type`
Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper.
Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and
`saml-user-property-mapper` for `protocol` `saml`.
### keycloak_client_scope
Manage Keycloak client scopes
#### Examples
##### Define a OpenID Connect client scope in the test realm
```puppet
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
```
#### Properties
The following properties are available in the `keycloak_client_scope` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `protocol`
Valid values: openid-connect, saml
protocol
Default value: openid-connect
##### `consent_screen_text`
consent.screen.text
##### `display_on_consent_screen`
Valid values: `true`, `false`
display.on.consent.screen
Default value: true
#### Parameters
The following parameters are available in the `keycloak_client_scope` type.
##### `name`
namevar
The client scope name
##### `resource_name`
The client scope name. Defaults to `name`.
##### `id`
Id. Defaults to `resource_name`.
##### `realm`
realm
### keycloak_conn_validator
Verify that a connection can be successfully established between a node
and the keycloak server. Its primary use is as a precondition to
prevent configuration changes from being applied if the keycloak
server cannot be reached, but it could potentially be used for other
purposes such as monitoring.
#### Properties
The following properties are available in the `keycloak_conn_validator` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
#### Parameters
The following parameters are available in the `keycloak_conn_validator` type.
##### `name`
namevar
An arbitrary name used as the identity of the resource.
##### `keycloak_server`
The DNS name or IP address of the server where keycloak should be running.
Default value: localhost
##### `keycloak_port`
The port that the keycloak server should be listening on.
Default value: 8080
##### `use_ssl`
Whether the connection will be attemped using https
Default value: `false`
##### `test_url`
URL to use for testing if the Keycloak database is up
Default value: /auth/admin/serverinfo
##### `timeout`
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
### keycloak_flow
Manage a Keycloak flow
**Autorequires**
* `keycloak_realm` defined for `realm` parameter
* `keycloak_flow` of `flow_alias` if `top_level=false`
* `keycloak_flow` of `flow_alias` if other `index` is lower and if `top_level=false`
* `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower and if `top_level=false`
#### Examples
##### Add custom flow
```puppet
keycloak_flow { 'browser-with-duo':
ensure => 'present',
realm => 'test',
}
```
##### Add a flow execution to existing browser-with-duo flow
```puppet
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
index => 2,
requirement => 'ALTERNATIVE',
top_level => false,
}
```
#### Properties
The following properties are available in the `keycloak_flow` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `index`
execution index, only applied to top_level=false, required for top_level=false
##### `description`
description
##### `requirement`
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement, only applied to top_level=false and defaults to DISABLED
#### Parameters
The following parameters are available in the `keycloak_flow` type.
##### `name`
namevar
The flow name
##### `id`
Id. Default to `$alias-$realm` when top_level is true. Only applies to top_level=true
##### `alias`
Alias. Default to `name`.
##### `flow_alias`
flowAlias, required for top_level=false
##### `realm`
realm
##### `provider_id`
Valid values: basic-flow, form-flow
providerId
Default value: basic-flow
##### `type`
sub-flow execution provider, default to `registration-page-form` for top_level=false and does not apply to top_level=true
##### `top_level`
Valid values: `true`, `false`
topLevel
Default value: `true`
### keycloak_flow_execution
Manage a Keycloak flow
**Autorequires**
* `keycloak_realm` defined for `realm` parameter
* `keycloak_flow` of value defined for `flow_alias`
* `keycloak_flow` if they share same `flow_alias` value and the other resource `index` is lower
* `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower
#### Examples
##### Add an execution to a flow
```puppet
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
index => 0,
requirement => 'ALTERNATIVE',
}
```
##### Add an execution to a execution flow that is one level deeper than top level
```puppet
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
index => 0,
requirement => 'REQUIRED',
}
```
##### Add an execution with a configuration
```puppet
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo MFA',
alias => 'Duo',
config => {
"duomfa.akey" => "foo-akey",
"duomfa.apihost" => "api-foo.duosecurity.com",
"duomfa.skey" => "secret",
"duomfa.ikey" => "foo-ikey",
"duomfa.groups" => "duo"
},
requirement => 'REQUIRED',
index => 1,
}
```
#### Properties
The following properties are available in the `keycloak_flow_execution` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `index`
execution index
##### `configurable`
Valid values: `true`, `false`
configurable
##### `requirement`
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement
Default value: DISABLED
##### `config`
execution config
#### Parameters
The following parameters are available in the `keycloak_flow_execution` type.
##### `name`
namevar
The flow execution name
##### `id`
read-only Id
##### `provider_id`
provider
##### `flow_alias`
flowAlias
##### `realm`
realm
##### `display_name`
displayName
##### `alias`
alias
##### `config_id`
read-only config ID
### keycloak_identity_provider
Manage Keycloak identity providers
#### Examples
##### Add CILogon identity provider to test realm
```puppet
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}
```
#### Properties
The following properties are available in the `keycloak_identity_provider` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `display_name`
displayName
##### `enabled`
Valid values: `true`, `false`
enabled
Default value: true
##### `update_profile_first_login_mode`
Valid values: on, off
updateProfileFirstLoginMode
Default value: on
##### `trust_email`
Valid values: `true`, `false`
trustEmail
Default value: false
##### `store_token`
Valid values: `true`, `false`
storeToken
Default value: false
##### `add_read_token_role_on_create`
Valid values: `true`, `false`
addReadTokenRoleOnCreate
Default value: false
##### `authenticate_by_default`
Valid values: `true`, `false`
authenticateByDefault
Default value: false
##### `link_only`
Valid values: `true`, `false`
linkOnly
Default value: false
##### `gui_order`
guiOrder
##### `first_broker_login_flow_alias`
firstBrokerLoginFlowAlias
Default value: first broker login
##### `post_broker_login_flow_alias`
postBrokerLoginFlowAlias
##### `sync_mode`
Valid values: IMPORT, LEGACY, FORCE
syncMode
Default value: IMPORT
##### `hide_on_login_page`
Valid values: `true`, `false`
hideOnLoginPage
Default value: false
##### `user_info_url`
userInfoUrl
##### `validate_signature`
Valid values: `true`, `false`
validateSignature
Default value: false
##### `client_id`
clientId
##### `client_secret`
clientSecret
##### `client_auth_method`
Valid values: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt
clientAuthMethod
Default value: client_secret_post
##### `token_url`
tokenUrl
##### `ui_locales`
Valid values: `true`, `false`
uiLocales
Default value: false
##### `backchannel_supported`
Valid values: `true`, `false`
backchannelSupported
Default value: false
##### `use_jwks_url`
Valid values: `true`, `false`
useJwksUrl
Default value: true
##### `jwks_url`
jwksUrl
##### `login_hint`
Valid values: `true`, `false`
loginHint
Default value: false
##### `authorization_url`
authorizationUrl
##### `disable_user_info`
Valid values: `true`, `false`
disableUserInfo
Default value: false
##### `logout_url`
logoutUrl
##### `issuer`
issuer
##### `default_scope`
default_scope
##### `prompt`
Valid values: none, consent, login, select_account
prompt
##### `allowed_clock_skew`
allowedClockSkew
##### `forward_parameters`
forwardParameters
#### Parameters
The following parameters are available in the `keycloak_identity_provider` type.
##### `name`
namevar
The identity provider name
##### `alias`
The identity provider name. Defaults to `name`.
##### `internal_id`
internalId. Defaults to "`alias`-`realm`"
##### `realm`
realm
##### `provider_id`
Valid values: oidc, keycloak-oidc
providerId
Default value: oidc
### keycloak_ldap_mapper
Manage Keycloak LDAP attribute mappers
#### Examples
##### Add full name attribute mapping
```puppet
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
```
#### Properties
The following properties are available in the `keycloak_ldap_mapper` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `ldap_attribute`
ldap.attribute
##### `user_model_attribute`
user.model.attribute
##### `is_mandatory_in_ldap`
is.mandatory.in.ldap. Defaults to `false` unless `type` is `full-name-ldap-mapper`.
##### `always_read_value_from_ldap`
Valid values: `true`, `false`
always.read.value.from.ldap. Defaults to `true` if `type` is `user-attribute-ldap-mapper`.
##### `read_only`
Valid values: `true`, `false`
read.only
##### `write_only`
Valid values: `true`, `false`
write.only. Defaults to `false` if `type` is `full-name-ldap-mapper`.
##### `mode`
Valid values: READ_ONLY, LDAP_ONLY
mode, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `membership_attribute_type`
Valid values: DN, UID
membership.attribute.type, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `user_roles_retrieve_strategy`
Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY, LOAD_ROLES_BY_MEMBER_ATTRIBUTE, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY
user.roles.retrieve.strategy, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `group_name_ldap_attribute`
group.name.ldap.attribute, only for `type` of `group-ldap-mapper`
##### `ignore_missing_groups`
Valid values: `true`, `false`
ignore.missing.groups, only for `type` of `group-ldap-mapper`
##### `membership_user_ldap_attribute`
membership.user.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `membership_ldap_attribute`
membership.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `preserve_group_inheritance`
Valid values: `true`, `false`
preserve.group.inheritance, only for `type` of `group-ldap-mapper`
##### `groups_dn`
groups.dn, only for `type` of `group-ldap-mapper`
##### `mapped_group_attributes`
mapped.group.attributes, only for `type` of `group-ldap-mapper`
##### `groups_ldap_filter`
groups.ldap.filter, only for `type` of `group-ldap-mapper`
##### `memberof_ldap_attribute`
memberof.ldap.attribute, only for `type` of `group-ldap-mapper` and `role-ldap-mapper`
##### `group_object_classes`
group.object.classes, only for `type` of `group-ldap-mapper`
##### `drop_non_existing_groups_during_sync`
Valid values: `true`, `false`
drop.non.existing.groups.during.sync, only for `type` of `group-ldap-mapper`
##### `roles_dn`
roles.dn, only for `type` of `role-ldap-mapper`
##### `role_name_ldap_attribute`
role.name.ldap.attribute, only for `type` of `role-ldap-mapper`
##### `role_object_classes`
role.object.classes, only for `type` of `role-ldap-mapper`
##### `roles_ldap_filter`
roles.ldap.filter, only for `type` of `role-ldap-mapper`
##### `use_realm_roles_mapping`
Valid values: `true`, `false`
use.realm.roles.mapping, only for `type` of `role-ldap-mapper`
##### `client_id`
client.id, only for `type` of `role-ldap-mapper`
#### Parameters
The following parameters are available in the `keycloak_ldap_mapper` type.
##### `name`
namevar
The LDAP mapper name
##### `id`
Id.
##### `resource_name`
The LDAP mapper name. Defaults to `name`
##### `type`
Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper, group-ldap-mapper, role-ldap-mapper
providerId
Default value: user-attribute-ldap-mapper
##### `realm`
realm
##### `ldap`
parentId
### keycloak_ldap_user_provider
Manage Keycloak LDAP user providers
#### Examples
##### Add LDAP user provider to test realm
```puppet
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
```
#### Properties
The following properties are available in the `keycloak_ldap_user_provider` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `enabled`
Valid values: `true`, `false`
enabled
Default value: true
##### `auth_type`
Valid values: none, simple
authType
Default value: none
##### `edit_mode`
Valid values: READ_ONLY, WRITABLE, UNSYNCED
editMode
Default value: READ_ONLY
##### `vendor`
Valid values: ad, rhds, tivoli, eDirectory, other
vendor
Default value: other
##### `use_truststore_spi`
Valid values: always, ldapsOnly, never
useTruststoreSpi
Default value: ldapsOnly
##### `users_dn`
usersDn
##### `connection_url`
connectionUrl
##### `priority`
priority
Default value: 0
##### `batch_size_for_sync`
batchSizeForSync
Default value: 1000
##### `username_ldap_attribute`
usernameLdapAttribute
Default value: uid
##### `rdn_ldap_attribute`
rdnLdapAttribute
Default value: uid
##### `uuid_ldap_attribute`
uuidLdapAttribute
Default value: entryUUID
##### `bind_dn`
bindDn
##### `bind_credential`
bindCredential
##### `import_enabled`
Valid values: `true`, `false`
importEnabled
Default value: true
##### `use_kerberos_for_password_authentication`
Valid values: `true`, `false`
useKerberosForPasswordAuthentication
##### `user_object_classes`
userObjectClasses
Default value: ['inetOrgPerson', 'organizationalPerson']
##### `search_scope`
Valid values: one, one_level, subtree, 1, 2, 1, 2
searchScope
##### `custom_user_search_filter`
Valid values: %r{.*}, absent
customUserSearchFilter
Default value: absent
##### `trust_email`
Valid values: `true`, `false`
trustEmail
Default value: false
##### `full_sync_period`
fullSyncPeriod
Default value: -1
##### `changed_sync_period`
changedSyncPeriod
Default value: -1
#### Parameters
The following parameters are available in the `keycloak_ldap_user_provider` type.
##### `name`
namevar
The LDAP user provider name
##### `resource_name`
The LDAP user provider name. Defaults to `name`.
##### `id`
Id. Defaults to "`resource_name`-`realm`"
##### `realm`
parentId
### keycloak_protocol_mapper
Manage Keycloak client scope protocol mappers
#### Examples
##### Add email protocol mapper to oidc-client client scope in realm test
```puppet
keycloak_protocol_mapper { "email for oidc-clients on test":
claim_name => 'email',
user_attribute => 'email',
}
```
#### Properties
The following properties are available in the `keycloak_protocol_mapper` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `protocol`
Valid values: openid-connect, saml
protocol
Default value: openid-connect
##### `user_attribute`
user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper`
##### `json_type_label`
json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`.
##### `full_path`
Valid values: `true`, `false`
full.path. Default to `false` for `type` `oidc-group-membership-mapper`.
##### `friendly_name`
friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `attribute_name`
attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`.
##### `claim_name`
claim.name
##### `id_token_claim`
Valid values: `true`, `false`
id.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `access_token_claim`
Valid values: `true`, `false`
access.token.claim. Default to `true` for `protocol` `openid-connect`.
##### `userinfo_token_claim`
Valid values: `true`, `false`
userinfo.token.claim. Default to `true` for `protocol` `openid-connect` except `type` of `oidc-audience-mapper`.
##### `attribute_nameformat`
attribute.nameformat
##### `single`
Valid values: `true`, `false`
single. Default to `false` for `type` `saml-role-list-mapper` or `saml-javascript-mapper`.
##### `script`
Script, only valid for `type` of `saml-javascript-mapper`'
Array values will be joined with newlines. Strings will be kept unchanged.
##### `included_client_audience`
included.client.audience Required for `type` of `oidc-audience-mapper`
#### Parameters
The following parameters are available in the `keycloak_protocol_mapper` type.
##### `name`
namevar
The protocol mapper name
##### `id`
Id.
##### `resource_name`
The protocol mapper name. Defaults to `name`.
##### `client_scope`
client scope
##### `realm`
realm
##### `type`
Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper.
Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and
`saml-user-property-mapper` for `protocol` `saml`.
### keycloak_realm
Manage Keycloak realms
#### Examples
##### Add a realm with a custom theme
```puppet
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
```
#### Properties
The following properties are available in the `keycloak_realm` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `display_name`
displayName
##### `display_name_html`
displayNameHtml
##### `login_theme`
loginTheme
Default value: keycloak
##### `account_theme`
accountTheme
Default value: keycloak
##### `admin_theme`
adminTheme
Default value: keycloak
##### `email_theme`
emailTheme
Default value: keycloak
##### `internationalization_enabled`
Valid values: `true`, `false`
internationalizationEnabled
Default value: false
##### `sso_session_idle_timeout`
ssoSessionIdleTimeout
##### `sso_session_max_lifespan`
ssoSessionMaxLifespan
##### `access_code_lifespan`
accessCodeLifespan
##### `access_code_lifespan_user_action`
accessCodeLifespanUserAction
##### `access_token_lifespan`
accessTokenLifespan
##### `access_token_lifespan_for_implicit_flow`
accessTokenLifespanForImplicitFlow
##### `enabled`
Valid values: `true`, `false`
enabled
Default value: true
##### `remember_me`
Valid values: `true`, `false`
rememberMe
Default value: false
+##### `registration_allowed`
+
+Valid values: `true`, `false`
+
+registrationAllowed
+
+Default value: false
+
##### `login_with_email_allowed`
Valid values: `true`, `false`
loginWithEmailAllowed
Default value: true
##### `browser_flow`
browserFlow
Default value: browser
##### `registration_flow`
registrationFlow
Default value: registration
##### `direct_grant_flow`
directGrantFlow
Default value: direct grant
##### `reset_credentials_flow`
resetCredentialsFlow
Default value: reset credentials
##### `client_authentication_flow`
clientAuthenticationFlow
Default value: clients
##### `docker_authentication_flow`
dockerAuthenticationFlow
Default value: docker auth
##### `default_client_scopes`
Default Client Scopes
##### `optional_client_scopes`
Optional Client Scopes
##### `supported_locales`
Supported Locales
##### `content_security_policy`
contentSecurityPolicy
Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
##### `events_enabled`
Valid values: `true`, `false`
eventsEnabled
Default value: false
##### `events_expiration`
eventsExpiration
##### `events_listeners`
eventsListeners
Default value: ['jboss-logging']
##### `admin_events_enabled`
Valid values: `true`, `false`
adminEventsEnabled
Default value: false
##### `admin_events_details_enabled`
Valid values: `true`, `false`
adminEventsDetailsEnabled
Default value: false
##### `smtp_server_user`
smtpServer user
##### `smtp_server_password`
smtpServer password
##### `smtp_server_host`
smtpServer host
##### `smtp_server_port`
smtpServer port
##### `smtp_server_auth`
Valid values: `true`, `false`
smtpServer auth
##### `smtp_server_starttls`
Valid values: `true`, `false`
smtpServer starttls
##### `smtp_server_ssl`
Valid values: `true`, `false`
smtpServer ssl
##### `smtp_server_from`
smtpServer from
##### `smtp_server_envelope_from`
smtpServer envelope_from
##### `smtp_server_from_display_name`
smtpServer fromDisplayName
##### `smtp_server_reply_to`
smtpServer replyto
##### `smtp_server_reply_to_display_name`
smtpServer replyToDisplayName
##### `brute_force_protected`
Valid values: `true`, `false`
bruteForceProtected
#### Parameters
The following parameters are available in the `keycloak_realm` type.
##### `name`
namevar
The realm name
##### `id`
Id. Default to `name`.
### keycloak_required_action
Manage Keycloak required actions
#### Examples
##### Enable Webauthn Register and make it default
```puppet
keycloak_required_action { 'webauthn-register on master':
ensure => present,
provider_id => 'webauthn-register',
display_name => 'Webauthn Register',
default => true,
enabled => true,
priority => 1,
config => {
'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
'smth else' => '1',
},
alias => 'webauthn',
}
@example Minimal example to enable email verification without making it default
keycloak_required_action { 'VERIFY_EMAIL on master':
ensure => present,
provider_id => 'webauthn-register',
}
```
#### Properties
The following properties are available in the `keycloak_required_action` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `display_name`
Displayed name. Default to `provider_id`
##### `enabled`
Valid values: `true`, `false`
If the required action is enabled. Default to true.
Default value: true
##### `alias`
Alias. Default to `provider_id`.
##### `default`
Valid values: `true`, `false`
If the required action is a default one. Default to false
Default value: false
##### `priority`
Required action priority
##### `config`
Required action config
#### Parameters
The following parameters are available in the `keycloak_required_action` type.
##### `name`
namevar
The required action name
##### `realm`
realm
##### `provider_id`
providerId of the required action
### keycloak_resource_validator
Verify that a specific Keycloak resource is available
#### Properties
The following properties are available in the `keycloak_resource_validator` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
#### Parameters
The following parameters are available in the `keycloak_resource_validator` type.
##### `name`
namevar
An arbitrary name used as the identity of the resource.
##### `test_url`
URL to use for testing if the Keycloak database is up
##### `test_key`
Key to lookup
##### `test_value`
Value to lookup
##### `realm`
Realm to query
##### `timeout`
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
### keycloak_sssd_user_provider
Manage Keycloak SSSD user providers
#### Examples
##### Add SSSD user provider to test realm
```puppet
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
```
#### Properties
The following properties are available in the `keycloak_sssd_user_provider` type.
##### `ensure`
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
##### `enabled`
Valid values: `true`, `false`
enabled
Default value: true
##### `priority`
priority
Default value: 0
##### `cache_policy`
Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE
cachePolicy
Default value: DEFAULT
##### `eviction_day`
evictionDay
##### `eviction_hour`
evictionHour
##### `eviction_minute`
evictionMinute
##### `max_lifespan`
maxLifespan
#### Parameters
The following parameters are available in the `keycloak_sssd_user_provider` type.
##### `name`
namevar
The SSSD user provider name
##### `resource_name`
The SSSD user provider name. Defaults to `name`.
##### `id`
Id. Defaults to "`resource_name`-`realm`"
##### `realm`
parentId
diff --git a/lib/puppet/type/keycloak_realm.rb b/lib/puppet/type/keycloak_realm.rb
index 99e2793..3393ec8 100644
--- a/lib/puppet/type/keycloak_realm.rb
+++ b/lib/puppet/type/keycloak_realm.rb
@@ -1,258 +1,264 @@
require_relative '../../puppet_x/keycloak/type'
require_relative '../../puppet_x/keycloak/array_property'
require_relative '../../puppet_x/keycloak/integer_property'
Puppet::Type.newtype(:keycloak_realm) do
desc <<-DESC
Manage Keycloak realms
@example Add a realm with a custom theme
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
DESC
extend PuppetX::Keycloak::Type
add_autorequires(false)
ensurable
newparam(:name, namevar: true) do
desc 'The realm name'
end
newparam(:id) do
desc 'Id. Default to `name`.'
defaultto do
@resource[:name]
end
end
newproperty(:display_name) do
desc 'displayName'
end
newproperty(:display_name_html) do
desc 'displayNameHtml'
end
newproperty(:login_theme) do
desc 'loginTheme'
defaultto 'keycloak'
end
newproperty(:account_theme) do
desc 'accountTheme'
defaultto 'keycloak'
end
newproperty(:admin_theme) do
desc 'adminTheme'
defaultto 'keycloak'
end
newproperty(:email_theme) do
desc 'emailTheme'
defaultto 'keycloak'
end
newproperty(:internationalization_enabled, boolean: true) do
desc 'internationalizationEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:sso_session_idle_timeout, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'ssoSessionIdleTimeout'
end
newproperty(:sso_session_max_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'ssoSessionMaxLifespan'
end
newproperty(:access_code_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessCodeLifespan'
end
newproperty(:access_code_lifespan_user_action, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessCodeLifespanUserAction'
end
newproperty(:access_token_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessTokenLifespan'
end
newproperty(:access_token_lifespan_for_implicit_flow, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'accessTokenLifespanForImplicitFlow'
end
newproperty(:enabled, boolean: true) do
desc 'enabled'
newvalues(:true, :false)
defaultto :true
end
newproperty(:remember_me, boolean: true) do
desc 'rememberMe'
newvalues(:true, :false)
defaultto :false
end
+ newproperty(:registration_allowed, boolean: true) do
+ desc 'registrationAllowed'
+ newvalues(:true, :false)
+ defaultto :false
+ end
+
newproperty(:login_with_email_allowed, boolean: true) do
desc 'loginWithEmailAllowed'
newvalues(:true, :false)
defaultto :true
end
newproperty(:browser_flow) do
desc 'browserFlow'
defaultto('browser')
munge { |v| v.to_s }
end
newproperty(:registration_flow) do
desc 'registrationFlow'
defaultto('registration')
munge { |v| v.to_s }
end
newproperty(:direct_grant_flow) do
desc 'directGrantFlow'
defaultto('direct grant')
munge { |v| v.to_s }
end
newproperty(:reset_credentials_flow) do
desc 'resetCredentialsFlow'
defaultto('reset credentials')
munge { |v| v.to_s }
end
newproperty(:client_authentication_flow) do
desc 'clientAuthenticationFlow'
defaultto('clients')
munge { |v| v.to_s }
end
newproperty(:docker_authentication_flow) do
desc 'dockerAuthenticationFlow'
defaultto('docker auth')
munge { |v| v.to_s }
end
newproperty(:default_client_scopes, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'Default Client Scopes'
end
newproperty(:optional_client_scopes, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'Optional Client Scopes'
end
newproperty(:supported_locales, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'Supported Locales'
end
newproperty(:content_security_policy) do
desc 'contentSecurityPolicy'
defaultto("frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
munge { |v| v.to_s }
end
newproperty(:events_enabled, boolean: true) do
desc 'eventsEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:events_expiration) do
desc 'eventsExpiration'
end
newproperty(:events_listeners, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
desc 'eventsListeners'
defaultto ['jboss-logging']
end
newproperty(:admin_events_enabled, boolean: true) do
desc 'adminEventsEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:admin_events_details_enabled, boolean: true) do
desc 'adminEventsDetailsEnabled'
newvalues(:true, :false)
defaultto :false
end
newproperty(:smtp_server_user) do
desc 'smtpServer user'
end
newproperty(:smtp_server_password) do
desc 'smtpServer password'
def insync?(is)
if is =~ %r{^[\*]+$}
Puppet.warning("Property 'smtp_server_password' is set and Puppet has no way to check current value")
true
else
false
end
end
def should_to_s(_newvalue)
'[new smtp_server_password redacted]'
end
end
newproperty(:smtp_server_host) do
desc 'smtpServer host'
end
newproperty(:smtp_server_port, parent: PuppetX::Keycloak::IntegerProperty) do
desc 'smtpServer port'
end
newproperty(:smtp_server_auth, boolean: true) do
desc 'smtpServer auth'
newvalues(:true, :false)
end
newproperty(:smtp_server_starttls, boolean: true) do
desc 'smtpServer starttls'
newvalues(:true, :false)
end
newproperty(:smtp_server_ssl, boolean: true) do
desc 'smtpServer ssl'
newvalues(:true, :false)
end
newproperty(:smtp_server_from) do
desc 'smtpServer from'
end
newproperty(:smtp_server_envelope_from) do
desc 'smtpServer envelope_from'
end
newproperty(:smtp_server_from_display_name) do
desc 'smtpServer fromDisplayName'
end
newproperty(:smtp_server_reply_to) do
desc 'smtpServer replyto'
end
newproperty(:smtp_server_reply_to_display_name) do
desc 'smtpServer replyToDisplayName'
end
newproperty(:brute_force_protected, boolean: true) do
desc 'bruteForceProtected'
newvalues(:true, :false)
end
end
diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb
index 18d9616..23456ae 100644
--- a/spec/acceptance/2_realm_spec.rb
+++ b/spec/acceptance/2_realm_spec.rb
@@ -1,194 +1,197 @@
require 'spec_helper_acceptance'
describe 'keycloak_realm:', if: RSpec.configuration.keycloak_full do
context 'creates realm' do
it 'runs successfully' do
pp = <<-EOS
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
}
keycloak_realm { 'test':
ensure => 'present',
smtp_server_host => 'smtp.example.org',
smtp_server_port => 587,
smtp_server_starttls => false,
smtp_server_auth => false,
smtp_server_user => 'john',
smtp_server_password => 'secret',
smtp_server_envelope_from => 'keycloak@id.example.org',
smtp_server_from => 'keycloak@id.example.org',
smtp_server_from_display_name => 'Keycloak',
smtp_server_reply_to => 'webmaster@example.org',
smtp_server_reply_to_display_name => 'Webmaster',
brute_force_protected => false,
}
EOS
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end
it 'has created a realm' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
data = JSON.parse(stdout)
expect(data['id']).to eq('test')
expect(data['bruteForceProtected']).to eq(false)
+ expect(data['registrationAllowed']).to eq(false)
end
end
it 'has left default-client-scopes' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-default-client-scopes' do
data = JSON.parse(stdout)
names = data.map { |d| d['name'] }.sort
expect(names).to include('email')
expect(names).to include('profile')
expect(names).to include('role_list')
end
end
it 'has left optional-client-scopes' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-optional-client-scopes' do
data = JSON.parse(stdout)
names = data.map { |d| d['name'] }.sort
expect(names).to include('address')
expect(names).to include('offline_access')
expect(names).to include('phone')
end
end
it 'has default events config' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get events/config -r test' do
data = JSON.parse(stdout)
expect(data['eventsEnabled']).to eq(false)
expect(data['eventsExpiration']).to be_nil
expect(data['eventsListeners']).to eq(['jboss-logging'])
expect(data['adminEventsEnabled']).to eq(false)
expect(data['adminEventsDetailsEnabled']).to eq(false)
end
end
it 'has correct smtp settings' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
data = JSON.parse(stdout)
expect(data['smtpServer']['host']).to eq('smtp.example.org')
expect(data['smtpServer']['port']).to eq('587')
expect(data['smtpServer']['starttls']).to eq('false')
expect(data['smtpServer']['auth']).to eq('false')
expect(data['smtpServer']['user']).to eq('john')
expect(data['smtpServer']['envelopeFrom']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['from']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['fromDisplayName']).to eq('Keycloak')
expect(data['smtpServer']['replyTo']).to eq('webmaster@example.org')
expect(data['smtpServer']['replyToDisplayName']).to eq('Webmaster')
end
end
end
context 'updates realm' do
it 'runs successfully' do
pp = <<-EOS
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
}
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
+ registration_allowed => true,
access_code_lifespan => 3600,
access_token_lifespan => 3600,
sso_session_idle_timeout => 3600,
sso_session_max_lifespan => 72000,
default_client_scopes => ['profile'],
content_security_policy => "frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
events_enabled => true,
events_expiration => 2678400,
admin_events_enabled => true,
admin_events_details_enabled => true,
smtp_server_host => 'smtp.example.org',
smtp_server_port => 587,
smtp_server_starttls => false,
smtp_server_auth => true,
smtp_server_user => 'jane',
smtp_server_password => 'secret',
smtp_server_envelope_from => 'keycloak@id.example.org',
smtp_server_from => 'keycloak@id.example.org',
smtp_server_from_display_name => 'Keycloak',
smtp_server_reply_to => 'webmaster@example.org',
smtp_server_reply_to_display_name => 'Hostmaster',
brute_force_protected => true,
}
EOS
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end
it 'has updated the realm' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
data = JSON.parse(stdout)
expect(data['rememberMe']).to eq(true)
+ expect(data['registrationAllowed']).to eq(true)
expect(data['accessCodeLifespan']).to eq(3600)
expect(data['accessTokenLifespan']).to eq(3600)
expect(data['ssoSessionIdleTimeout']).to eq(3600)
expect(data['ssoSessionMaxLifespan']).to eq(72_000)
expect(data['browserSecurityHeaders']['contentSecurityPolicy']).to eq("frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
expect(data['smtpServer']['host']).to eq('smtp.example.org')
expect(data['smtpServer']['port']).to eq('587')
expect(data['smtpServer']['starttls']).to eq('false')
expect(data['smtpServer']['auth']).to eq('true')
expect(data['smtpServer']['user']).to eq('jane')
expect(data['smtpServer']['envelopeFrom']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['from']).to eq('keycloak@id.example.org')
expect(data['smtpServer']['fromDisplayName']).to eq('Keycloak')
expect(data['smtpServer']['replyTo']).to eq('webmaster@example.org')
expect(data['smtpServer']['replyToDisplayName']).to eq('Hostmaster')
expect(data['bruteForceProtected']).to eq(true)
end
end
it 'has updated the realm default-client-scopes' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test/default-default-client-scopes' do
data = JSON.parse(stdout)
names = data.map { |d| d['name'] }
expect(names).to eq(['profile'])
end
end
it 'has updated events config' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get events/config -r test' do
data = JSON.parse(stdout)
expect(data['eventsEnabled']).to eq(true)
expect(data['eventsExpiration']).to eq(2_678_400)
expect(data['eventsListeners']).to eq(['jboss-logging'])
expect(data['adminEventsEnabled']).to eq(true)
expect(data['adminEventsDetailsEnabled']).to eq(true)
end
end
end
context 'creates realm with invalid browser flow' do
it 'runs successfully' do
pp = <<-EOS
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
}
keycloak_realm { 'test2':
ensure => 'present',
browser_flow => 'Copy of browser',
}
EOS
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, expect_changes: true)
end
it 'has created a realm' do
on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test2' do
data = JSON.parse(stdout)
expect(data['browserFlow']).to eq('browser')
end
end
end
end
diff --git a/spec/unit/puppet/type/keycloak_realm_spec.rb b/spec/unit/puppet/type/keycloak_realm_spec.rb
index b5030e0..1495724 100644
--- a/spec/unit/puppet/type/keycloak_realm_spec.rb
+++ b/spec/unit/puppet/type/keycloak_realm_spec.rb
@@ -1,194 +1,195 @@
require 'spec_helper'
describe Puppet::Type.type(:keycloak_realm) do
let(:default_config) do
{
name: 'test',
}
end
let(:config) do
default_config
end
let(:resource) do
described_class.new(config)
end
it 'adds to catalog without raising an error' do
catalog = Puppet::Resource::Catalog.new
expect {
catalog.add_resource resource
}.not_to raise_error
end
it 'has a name' do
expect(resource[:name]).to eq('test')
end
it 'has id default to name' do
expect(resource[:id]).to eq('test')
end
defaults = {
login_theme: 'keycloak',
account_theme: 'keycloak',
admin_theme: 'keycloak',
email_theme: 'keycloak',
access_code_lifespan_user_action: nil,
access_token_lifespan_for_implicit_flow: nil,
enabled: :true,
remember_me: :false,
login_with_email_allowed: :true,
browser_flow: 'browser',
registration_flow: 'registration',
direct_grant_flow: 'direct grant',
reset_credentials_flow: 'reset credentials',
client_authentication_flow: 'clients',
docker_authentication_flow: 'docker auth',
content_security_policy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
events_enabled: :false,
events_listeners: ['jboss-logging'],
admin_events_enabled: :false,
admin_events_details_enabled: :false,
}
describe 'basic properties' do
# Test basic properties
[
:display_name,
:display_name_html,
:login_theme,
:account_theme,
:admin_theme,
:email_theme,
:events_expiration,
:browser_flow,
:registration_flow,
:direct_grant_flow,
:reset_credentials_flow,
:client_authentication_flow,
:docker_authentication_flow,
:content_security_policy,
:smtp_server_user,
:smtp_server_password,
:smtp_server_host,
:smtp_server_envelope_from,
:smtp_server_from,
:smtp_server_from_display_name,
:smtp_server_reply_to,
:smtp_server_reply_to_display_name,
].each do |p|
it "should accept a #{p}" do
config[p] = 'foo'
expect(resource[p]).to eq('foo')
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
describe 'integer properties' do
# Test integer properties
[
:sso_session_idle_timeout,
:sso_session_max_lifespan,
:access_code_lifespan,
:access_code_lifespan_user_action,
:access_token_lifespan,
:access_token_lifespan_for_implicit_flow,
:smtp_server_port,
].each do |p|
it "should accept a #{p}" do
config[p] = 100
expect(resource[p]).to eq(100)
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
describe 'boolean properties' do
# Test boolean properties
[
:remember_me,
+ :registration_allowed,
:login_with_email_allowed,
:internationalization_enabled,
:events_enabled,
:admin_events_enabled,
:admin_events_details_enabled,
:smtp_server_auth,
:smtp_server_starttls,
:smtp_server_ssl,
:brute_force_protected,
].each do |p|
it "should accept true for #{p}" do
config[p] = true
expect(resource[p]).to eq(:true)
end
it "should accept true for #{p} string" do
config[p] = 'true'
expect(resource[p]).to eq(:true)
end
it "should accept false for #{p}" do
config[p] = false
expect(resource[p]).to eq(:false)
end
it "should accept false for #{p} string" do
config[p] = 'false'
expect(resource[p]).to eq(:false)
end
it "should not accept strings for #{p}" do
config[p] = 'foo'
expect {
resource
}.to raise_error(%r{foo})
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
describe 'array properties' do
# Array properties
[
:default_client_scopes,
:optional_client_scopes,
:events_listeners,
:supported_locales,
].each do |p|
it "should accept array for #{p}" do
config[p] = ['foo', 'bar']
expect(resource[p]).to eq(['foo', 'bar'])
end
next unless defaults[p]
it "should have default for #{p}" do
expect(resource[p]).to eq(defaults[p])
end
end
end
it 'autorequires keycloak_conn_validator' do
keycloak_conn_validator = Puppet::Type.type(:keycloak_conn_validator).new(name: 'keycloak')
catalog = Puppet::Resource::Catalog.new
catalog.add_resource resource
catalog.add_resource keycloak_conn_validator
rel = resource.autorequire[0]
expect(rel.source.ref).to eq(keycloak_conn_validator.ref)
expect(rel.target.ref).to eq(resource.ref)
end
it 'autorequires kcadm-wrapper.sh' do
file = Puppet::Type.type(:file).new(name: 'kcadm-wrapper.sh', path: '/opt/keycloak/bin/kcadm-wrapper.sh')
catalog = Puppet::Resource::Catalog.new
catalog.add_resource resource
catalog.add_resource file
rel = resource.autorequire[0]
expect(rel.source.ref).to eq(file.ref)
expect(rel.target.ref).to eq(resource.ref)
end
end

File Metadata

Mime Type
text/x-diff
Expires
Mon, Aug 18, 9:17 PM (1 d, 7 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3309347

Event Timeline

About · Developer information · Legal