Default to Keycloak 19 (#262)

Drop support for saml-javascript-mapper protocol mappers Add support for SPI script mappers Modify keycloak_required_action to behave with how Keycloak 19 seems to expect
treydock · Nov 1, 2022 · 306b29b · 306b29b
1 parent 716af1c
commit 306b29b
Show file tree

Hide file tree

Showing 23 changed files with 131 additions and 185 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -67,17 +67,17 @@ jobs:
           - "puppet6"
           - "puppet7"
         keycloak_version:
-          - "18.0.0"
+          - "19.0.3"
         keycloak_full:
           - "no"
         include:
           - set: "el7"
             puppet: "puppet6"
-            keycloak_version: "18.0.0"
+            keycloak_version: "19.0.3"
             keycloak_full: "yes"
           - set: "el7"
             puppet: "puppet7"
-            keycloak_version: "18.0.0"
+            keycloak_version: "19.0.3"
             keycloak_full: "yes"
     env:
       BUNDLE_WITHOUT: development:release

diff --git a/.sync.yml b/.sync.yml
@@ -26,16 +26,16 @@ Rakefile:
       - puppet6
       - puppet7
     keycloak_version:
-      - '18.0.0'
+      - '19.0.3'
     keycloak_full: ['no']
   acceptance_includes:
     - set: el7
       puppet: puppet6
-      keycloak_version: 18.0.0
+      keycloak_version: 19.0.3
       keycloak_full: 'yes'
     - set: el7
       puppet: puppet7
-      keycloak_version: 18.0.0
+      keycloak_version: 19.0.3
       keycloak_full: 'yes'
 .gitignore:
   paths:

diff --git a/README.md b/README.md
@@ -172,6 +172,7 @@ This module may work on earlier versions but this is the only version tested.
 | 8.x - 12.x       | 6.x                             |
 | 12.x - 16.x      | 7.x                             |
 | 18.x             | 8.x                             |
+| 19.x             | 9.x                             |
 
 ## Usage
 

diff --git a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb
@@ -49,12 +49,9 @@ def self.instances
           if protocol_mapper[:type] == 'oidc-group-membership-mapper'
             protocol_mapper[:full_path] = d['config']['full.path']
           end
-          if ['saml-user-property-mapper', 'saml-javascript-mapper'].include?(protocol_mapper[:type])
+          if ['saml-user-property-mapper'].include?(protocol_mapper[:type]) || protocol_mapper[:type] =~ /script-.+/
             protocol_mapper[:friendly_name] = d['config']['friendly.name']
           end
-          if protocol_mapper[:type] == 'saml-javascript-mapper'
-            protocol_mapper[:script] = d['config']['Script']
-          end
           if protocol_mapper[:protocol] == 'openid-connect'
             protocol_mapper[:id_token_claim] = d['config']['id.token.claim']
             protocol_mapper[:access_token_claim] = d['config']['access.token.claim']
@@ -69,7 +66,7 @@ def self.instances
             protocol_mapper[:attribute_name] = d['config']['attribute.name']
             protocol_mapper[:attribute_nameformat] = get_attribute_nameformat_reverse(d['config']['attribute.nameformat'])
           end
-          if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(protocol_mapper[:type])
+          if ['saml-role-list-mapper'].include?(protocol_mapper[:type]) || protocol_mapper[:type] =~ /script-.+/
             protocol_mapper[:single] = d['config']['single'].to_s.to_sym
           end
           protocol_mappers << new(protocol_mapper)
@@ -112,12 +109,9 @@ def create
     if resource[:type] == 'oidc-group-membership-mapper'
       data[:config][:'full.path'] = resource[:full_path] if resource[:full_path]
     end
-    if ['saml-user-property-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+    if ['saml-user-property-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
       data[:config][:'friendly.name'] = resource[:friendly_name] if resource[:friendly_name]
     end
-    if resource[:type] == 'saml-javascript-mapper'
-      data[:config][:Script] = resource[:script]
-    end
     if resource[:protocol] == 'openid-connect'
       data[:config][:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
       data[:config][:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
@@ -132,7 +126,7 @@ def create
       data[:config][:'attribute.name'] = resource[:attribute_name] if resource[:attribute_name]
       data[:config][:'attribute.nameformat'] = self.class.get_attribute_nameformat(resource[:attribute_nameformat]) if resource[:attribute_nameformat]
     end
-    if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+    if ['saml-role-list-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
       data[:config][:single] = resource[:single].to_s if resource[:single]
     end
 
@@ -196,12 +190,9 @@ def flush
       if resource[:type] == 'oidc-group-membership-mapper'
         config[:'full.path'] = resource[:full_path] if resource[:full_path]
       end
-      if ['saml-user-property-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+      if ['saml-user-property-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
         config[:'friendly.name'] = resource[:friendly_name] if resource[:friendly_name]
       end
-      if resource[:type] == 'saml-javascript-mapper'
-        config[:Script] = resource[:script]
-      end
       if resource[:protocol] == 'openid-connect'
         config[:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
         config[:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
@@ -216,7 +207,7 @@ def flush
         config[:'attribute.name'] = resource[:attribute_name] if resource[:attribute_name]
         config[:'attribute.nameformat'] = self.class.get_attribute_nameformat(resource[:attribute_nameformat]) if resource[:attribute_nameformat]
       end
-      if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+      if ['saml-role-list-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
         config[:single] = resource[:single].to_s if resource[:single]
       end
       data[:config] = config unless config.empty?

diff --git a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb
@@ -49,12 +49,9 @@ def self.instances
           if ['oidc-group-membership-mapper', 'saml-group-membership-mapper'].include?(protocol_mapper[:type])
             protocol_mapper[:full_path] = d['config']['full.path']
           end
-          if ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper', 'saml-javascript-mapper'].include?(protocol_mapper[:type])
+          if ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper'].include?(protocol_mapper[:type]) || protocol_mapper[:type] =~ /script-.+/
             protocol_mapper[:friendly_name] = d['config']['friendly.name']
           end
-          if protocol_mapper[:type] == 'saml-javascript-mapper'
-            protocol_mapper[:script] = d['config']['Script']
-          end
           if protocol_mapper[:protocol] == 'openid-connect'
             protocol_mapper[:id_token_claim] = d['config']['id.token.claim']
             protocol_mapper[:access_token_claim] = d['config']['access.token.claim']
@@ -69,7 +66,7 @@ def self.instances
             protocol_mapper[:attribute_name] = d['config']['attribute.name']
             protocol_mapper[:attribute_nameformat] = get_attribute_nameformat_reverse(d['config']['attribute.nameformat'])
           end
-          if ['saml-group-membership-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(protocol_mapper[:type])
+          if ['saml-group-membership-mapper', 'saml-role-list-mapper'].include?(protocol_mapper[:type]) || protocol_mapper[:type] =~ /script-.+/
             protocol_mapper[:single] = d['config']['single'].to_s.to_sym
           end
           protocol_mappers << new(protocol_mapper)
@@ -112,12 +109,9 @@ def create
     if ['oidc-group-membership-mapper', 'saml-group-membership-mapper'].include?(resource[:type])
       data[:config][:'full.path'] = resource[:full_path] if resource[:full_path]
     end
-    if ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+    if ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
       data[:config][:'friendly.name'] = resource[:friendly_name] if resource[:friendly_name]
     end
-    if resource[:type] == 'saml-javascript-mapper'
-      data[:config][:Script] = resource[:script]
-    end
     if resource[:protocol] == 'openid-connect'
       data[:config][:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
       data[:config][:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
@@ -132,7 +126,7 @@ def create
       data[:config][:'attribute.name'] = resource[:attribute_name] if resource[:attribute_name]
       data[:config][:'attribute.nameformat'] = self.class.get_attribute_nameformat(resource[:attribute_nameformat]) if resource[:attribute_nameformat]
     end
-    if ['saml-group-membership-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+    if ['saml-group-membership-mapper', 'saml-role-list-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
       data[:config][:single] = resource[:single].to_s if resource[:single]
     end
 
@@ -196,12 +190,9 @@ def flush
       if ['oidc-group-membership-mapper', 'saml-group-membership-mapper'].include?(resource[:type])
         config[:'full.path'] = resource[:full_path] if resource[:full_path]
       end
-      if ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+      if ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
         config[:'friendly.name'] = resource[:friendly_name] if resource[:friendly_name]
       end
-      if resource[:type] == 'saml-javascript-mapper'
-        config[:Script] = resource[:script]
-      end
       if resource[:protocol] == 'openid-connect'
         config[:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
         config[:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
@@ -216,7 +207,7 @@ def flush
         config[:'attribute.name'] = resource[:attribute_name] if resource[:attribute_name]
         config[:'attribute.nameformat'] = self.class.get_attribute_nameformat(resource[:attribute_nameformat]) if resource[:attribute_nameformat]
       end
-      if ['saml-group-membership-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type])
+      if ['saml-group-membership-mapper', 'saml-role-list-mapper'].include?(resource[:type]) || (resource[:protocol] == 'saml' && resource[:type] =~ /script-.+/)
         config[:single] = resource[:single].to_s if resource[:single]
       end
       data[:config] = config unless config.empty?

diff --git a/lib/puppet/type/keycloak_client_protocol_mapper.rb b/lib/puppet/type/keycloak_client_protocol_mapper.rb
@@ -62,7 +62,7 @@
       'oidc-audience-mapper',
       'saml-user-property-mapper',
       'saml-role-list-mapper',
-      'saml-javascript-mapper',
+      /script-.+/
     )
     defaultto do
       if @resource[:protocol] == 'openid-connect'
@@ -188,22 +188,14 @@
     desc 'single. Default to `false` for `type` `saml-role-list-mapper`.'
     newvalues(:true, :false)
     defaultto do
-      if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(@resource['type'])
+      if ['saml-role-list-mapper'].include?(@resource['type'])
         :false
       else
         nil
       end
     end
   end
 
-  newproperty(:script) do
-    desc <<-EOS
-    Script, only valid for `type` of `saml-javascript-mapper`'
-
-    Array values will be joined with newlines. Strings will be kept unchanged.
-    EOS
-  end
-
   newproperty(:included_client_audience) do
     desc 'included.client.audience Required for `type` of `oidc-audience-mapper`'
   end
@@ -247,13 +239,13 @@ def self.title_patterns
       'oidc-group-membership-mapper',
       'oidc-audience-mapper',
     ]
-    if self[:protocol] == 'openid-connect' && !oidc_types.include?(self[:type])
+    if self[:protocol] == 'openid-connect' && !oidc_types.include?(self[:type]) && self[:type] !~ /script-.+/
       raise Puppet::Error, "type #{self[:type]} is not valid for protocol openid-connect"
     end
-    if self[:protocol] == 'saml' && !['saml-user-property-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(self[:type])
+    if self[:protocol] == 'saml' && !['saml-user-property-mapper', 'saml-role-list-mapper'].include?(self[:type]) && self[:type] !~ /script-.+/
       raise Puppet::Error, "type #{self[:type]} is not valid for protocol saml"
     end
-    if self[:friendly_name] && !['saml-user-property-mapper', 'saml-javascript-mapper'].include?(self[:type])
+    if self[:friendly_name] && self[:type] !~ /(saml-user-property-mapper|script.+)/
       raise Puppet::Error, "friendly_name is not valid for type #{self[:type]}"
     end
     if self[:attribute_name] && self[:protocol] != 'saml'
@@ -262,12 +254,9 @@ def self.title_patterns
     if self[:attribute_nameformat] && self[:protocol] != 'saml'
       raise Puppet::Error, "attribute_nameformat is not valid for protocol #{self[:protocol]}"
     end
-    if self[:single] && !['saml-role-list-mapper', 'saml-javascript-mapper'].include?(self[:type])
+    if self[:single] && self[:type] !~ /(saml-role-list-mapper|script-.+)/
       raise Puppet::Error, "single is not valid for type #{self[:type]}"
     end
-    if self[:type] == 'saml-javascript-mapper' && self[:script].nil?
-      raise Puppet::Error, 'script is required for saml-javascript-mapper'
-    end
     if self[:type] == 'oidc-audience-mapper' && self[:included_client_audience].nil?
       raise Puppet::Error, 'included_client_audience is required for oidc-audience-mapper'
     end

diff --git a/lib/puppet/type/keycloak_protocol_mapper.rb b/lib/puppet/type/keycloak_protocol_mapper.rb
@@ -64,7 +64,7 @@
       'saml-user-property-mapper',
       'saml-user-attribute-mapper',
       'saml-role-list-mapper',
-      'saml-javascript-mapper',
+      /script-.+/
     )
     defaultto do
       if @resource[:protocol] == 'openid-connect'
@@ -187,25 +187,17 @@
   end
 
   newproperty(:single, boolean: true) do
-    desc 'single. Default to `false` for `type` `saml-role-list-mapper` or `saml-javascript-mapper`.'
+    desc 'single. Default to `false` for `type` `saml-role-list-mapper`.'
     newvalues(:true, :false)
     defaultto do
-      if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(@resource['type'])
+      if ['saml-role-list-mapper'].include?(@resource['type'])
         :false
       else
         nil
       end
     end
   end
 
-  newproperty(:script) do
-    desc <<-EOS
-    Script, only valid for `type` of `saml-javascript-mapper`'
-
-    Array values will be joined with newlines. Strings will be kept unchanged.
-    EOS
-  end
-
   newproperty(:included_client_audience) do
     desc 'included.client.audience Required for `type` of `oidc-audience-mapper`'
   end
@@ -249,14 +241,14 @@ def self.title_patterns
       'oidc-audience-mapper',
       'oidc-usermodel-attribute-mapper',
     ]
-    if self[:protocol] == 'openid-connect' && !openid_connect_types.include?(self[:type])
+    if self[:protocol] == 'openid-connect' && !openid_connect_types.include?(self[:type]) && self[:type] !~ /script-.+/
       raise Puppet::Error, "type #{self[:type]} is not valid for protocol openid-connect"
     end
-    saml_mapper = ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper']
-    if self[:protocol] == 'saml' && !saml_mapper.include?(self[:type])
+    saml_mapper = ['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper', 'saml-role-list-mapper']
+    if self[:protocol] == 'saml' && !saml_mapper.include?(self[:type]) && self[:type] !~ /script-.+/
       raise Puppet::Error, "type #{self[:type]} is not valid for protocol saml"
     end
-    if self[:friendly_name] && !['saml-group-membership-mapper', 'saml-user-property-mapper', 'saml-user-attribute-mapper', 'saml-javascript-mapper'].include?(self[:type])
+    if self[:friendly_name] && self[:type] !~ /(saml-group-membership-mapper|saml-user-property-mapper|saml-user-attribute-mapper|script-.+)/
       raise Puppet::Error, "friendly_name is not valid for type #{self[:type]}"
     end
     if self[:attribute_name] && self[:protocol] != 'saml'
@@ -265,12 +257,9 @@ def self.title_patterns
     if self[:attribute_nameformat] && self[:protocol] != 'saml'
       raise Puppet::Error, "attribute_nameformat is not valid for protocol #{self[:protocol]}"
     end
-    if self[:single] && !['saml-group-membership-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(self[:type])
+    if self[:single] && self[:type] !~ /(saml-group-membership-mapper|saml-role-list-mapper|script-.+)/
       raise Puppet::Error, "single is not valid for type #{self[:type]}"
     end
-    if self[:type] == 'saml-javascript-mapper' && self[:script].nil?
-      raise Puppet::Error, 'script is required for saml-javascript-mapper'
-    end
     if self[:type] == 'oidc-audience-mapper' && self[:included_client_audience].nil?
       raise Puppet::Error, 'included_client_audience is required for oidc-audience-mapper'
     end