Add extra configurations to keycloak realm (#203)

* Add extra configurations to keycloak realm

Add support of :
- `accessCodeLifespanLogin`
- `actionTokenGeneratedByAdminLifespan`
- `actionTokenGeneratedByUserLifespan`
- `offlineSessionIdleTimeout`
- `offlineSessionMaxLifespan`
- `offlineSessionMaxLifespanEnabled`

* Add realm token settings to realm spec

* Fix default symbol on keycloak_realm_spec.rb

REFERENCE.md

@@ -3143,6 +3143,12 @@ The following properties are available in the `keycloak_realm` type.
 
 accessCodeLifespan
 
+##### `access_code_lifespan_login`
+
+Unit : minutes
+
+accessCodeLifespanLogin
+
 ##### `access_code_lifespan_user_action`
 
 accessCodeLifespanUserAction
@@ -3183,6 +3189,18 @@ adminTheme
 
 Default value: `keycloak`
 
+##### `action_token_generated_by_admin_lifespan`
+
+Unit : minutes
+
+actionTokenGeneratedByAdminLifespan
+
+##### `action_token_generated_by_user_lifespan`
+
+Unit : minutes
+
+actionTokenGeneratedByUserLifespan
+
 ##### `browser_flow`
 
 browserFlow
@@ -3293,6 +3311,26 @@ loginWithEmailAllowed
 
 Default value: `true`
 
+##### `offline_session_idle_timeout`
+
+Unit : seconds
+
+offlineSessionIdleTimeout
+
+##### `offline_session_max_lifespan`
+
+Unit : seconds
+
+offlineSessionMaxLifespan
+
+##### `offline_session_max_lifespan_enabled`
+
+Valid values: ``true``, ``false``
+
+offlineSessionMaxLifespanEnabled
+
+Default value: `false`
+
 ##### `optional_client_scopes`
 
 Optional Client Scopes

lib/puppet/type/keycloak_realm.rb

@@ -84,6 +84,10 @@
     desc 'accessCodeLifespan'
   end
 
+  newproperty(:access_code_lifespan_login, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'accessCodeLifespanLogin'
+  end
+
   newproperty(:access_code_lifespan_user_action, parent: PuppetX::Keycloak::IntegerProperty) do
     desc 'accessCodeLifespanUserAction'
   end
@@ -96,6 +100,22 @@
     desc 'accessTokenLifespanForImplicitFlow'
   end
 
+  newproperty(:action_token_generated_by_admin_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'actionTokenGeneratedByAdminLifespan'
+  end
+
+  newproperty(:action_token_generated_by_user_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'actionTokenGeneratedByUserLifespan'
+  end
+
+  newproperty(:offline_session_idle_timeout, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'offlineSessionIdleTimeout'
+  end
+
+  newproperty(:offline_session_max_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'offlineSessionMaxLifespan'
+  end
+
   newproperty(:enabled, boolean: true) do
     desc 'enabled'
     newvalues(:true, :false)
@@ -120,6 +140,12 @@
     defaultto :true
   end
 
+  newproperty(:offline_session_max_lifespan_enabled, boolean: true) do
+    desc 'offlineSessionMaxLifespanEnabled'
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
   newproperty(:reset_password_allowed, boolean: true) do
     desc 'resetPasswordAllowed'
     newvalues(:true, :false)

spec/acceptance/2_realm_spec.rb

@@ -9,20 +9,34 @@ class { 'keycloak':
         datasource_driver => 'mysql',
       }
       keycloak_realm { 'test':
-        ensure                            => 'present',
-        smtp_server_host                  => 'smtp.example.org',
-        smtp_server_port                  => 587,
-        smtp_server_starttls              => false,
-        smtp_server_auth                  => false,
-        smtp_server_user                  => 'john',
-        smtp_server_password              => 'secret',
-        smtp_server_envelope_from         => '[email protected]',
-        smtp_server_from                  => '[email protected]',
-        smtp_server_from_display_name     => 'Keycloak',
-        smtp_server_reply_to              => '[email protected]',
-        smtp_server_reply_to_display_name => 'Webmaster',
-        brute_force_protected             => false,
-        roles                             => ['offline_access', 'uma_authorization', 'new_role'],
+        ensure                                   => 'present',
+        smtp_server_host                         => 'smtp.example.org',
+        smtp_server_port                         => 587,
+        smtp_server_starttls                     => false,
+        smtp_server_auth                         => false,
+        smtp_server_user                         => 'john',
+        smtp_server_password                     => 'secret',
+        smtp_server_envelope_from                => '[email protected]',
+        smtp_server_from                         => '[email protected]',
+        smtp_server_from_display_name            => 'Keycloak',
+        smtp_server_reply_to                     => '[email protected]',
+        smtp_server_reply_to_display_name        => 'Webmaster',
+        brute_force_protected                    => false,
+        roles                                    => ['offline_access', 'uma_authorization', 'new_role'],
+        access_code_lifespan                     => 60,
+        access_code_lifespan_login               => 1800,
+        access_code_lifespan_user_action         => 300,
+        access_token_lifespan                    => 60,
+        access_token_lifespan_for_implicit_flow  => 900,
+        action_token_generated_by_admin_lifespan => 43200,
+        action_token_generated_by_user_lifespan  => 300,
+        sso_session_idle_timeout_remember_me     => 0,
+        sso_session_max_lifespan_remember_me     => 0,
+        sso_session_idle_timeout                 => 1800,
+        sso_session_max_lifespan                 => 36000,
+        offline_session_idle_timeout             => 2592000,
+        offline_session_max_lifespan             => 5184000,
+        offline_session_max_lifespan_enabled     => true,
       }
       EOS
 
@@ -88,6 +102,26 @@ class { 'keycloak':
       end
     end
 
+    it 'has correct token settings' do
+      on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
+        data = JSON.parse(stdout)
+        expect(data['accessCodeLifespan']).to eq(60)
+        expect(data['accessCodeLifespanLogin']).to eq(1800)
+        expect(data['accessCodeLifespanUserAction']).to eq(300)
+        expect(data['accessTokenLifespan']).to eq(60)
+        expect(data['accessTokenLifespanForImplicitFlow']).to eq(900)
+        expect(data['actionTokenGeneratedByAdminLifespan']).to eq(43_200)
+        expect(data['actionTokenGeneratedByUserLifespan']).to eq(300)
+        expect(data['ssoSessionIdleTimeoutRememberMe']).to eq(0)
+        expect(data['ssoSessionMaxLifespanRememberMe']).to eq(0)
+        expect(data['ssoSessionIdleTimeout']).to eq(1800)
+        expect(data['ssoSessionMaxLifespan']).to eq(36_000)
+        expect(data['offlineSessionIdleTimeout']).to eq(2_592_000)
+        expect(data['offlineSessionMaxLifespan']).to eq(5_184_000)
+        expect(data['offlineSessionMaxLifespanEnabled']).to eq(true)
+      end
+    end
+
     it 'has correct roles settings' do
       on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get roles -r test' do
         data = JSON.parse(stdout)
@@ -118,8 +152,16 @@ class { 'keycloak':
         verify_email => true,
         access_code_lifespan => 3600,
         access_token_lifespan => 3600,
+        access_code_lifespan_login => 3600,
+        access_code_lifespan_user_action => 600,
         sso_session_idle_timeout => 3600,
         sso_session_max_lifespan => 72000,
+        access_token_lifespan_for_implicit_flow  => 3600,
+        action_token_generated_by_admin_lifespan => 21600,
+        action_token_generated_by_user_lifespan  => 600,
+        offline_session_idle_timeout             => 1296000,
+        offline_session_max_lifespan             => 2592000,
+        offline_session_max_lifespan_enabled     => false,
         default_client_scopes => ['profile'],
         content_security_policy => "frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
         events_enabled => true,
@@ -154,9 +196,17 @@ class { 'keycloak':
         expect(data['resetPasswordAllowed']).to eq(true)
         expect(data['verifyEmail']).to eq(true)
         expect(data['accessCodeLifespan']).to eq(3600)
+        expect(data['accessCodeLifespanLogin']).to eq(3600)
+        expect(data['accessCodeLifespanUserAction']).to eq(600)
         expect(data['accessTokenLifespan']).to eq(3600)
+        expect(data['accessTokenLifespanForImplicitFlow']).to eq(3600)
+        expect(data['actionTokenGeneratedByAdminLifespan']).to eq(21_600)
+        expect(data['actionTokenGeneratedByUserLifespan']).to eq(600)
         expect(data['ssoSessionIdleTimeout']).to eq(3600)
         expect(data['ssoSessionMaxLifespan']).to eq(72_000)
+        expect(data['offlineSessionIdleTimeout']).to eq(1_296_000)
+        expect(data['offlineSessionMaxLifespan']).to eq(2_592_000)
+        expect(data['offlineSessionMaxLifespanEnabled']).to eq(false)
         expect(data['browserSecurityHeaders']['contentSecurityPolicy']).to eq("frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
         expect(data['smtpServer']['host']).to eq('smtp.example.org')
         expect(data['smtpServer']['port']).to eq('587')

spec/unit/puppet/type/keycloak_realm_spec.rb

@@ -49,6 +49,7 @@
     events_listeners: ['jboss-logging'],
     admin_events_enabled: :false,
     admin_events_details_enabled: :false,
+    offline_session_max_lifespan_enabled: :false,
   }
 
   describe 'basic properties' do
@@ -96,9 +97,14 @@
       :sso_session_idle_timeout,
       :sso_session_max_lifespan,
       :access_code_lifespan,
+      :access_code_lifespan_login,
       :access_code_lifespan_user_action,
       :access_token_lifespan,
       :access_token_lifespan_for_implicit_flow,
+      :action_token_generated_by_admin_lifespan,
+      :action_token_generated_by_user_lifespan,
+      :offline_session_idle_timeout,
+      :offline_session_max_lifespan,
       :smtp_server_port,
     ].each do |p|
       it "should accept a #{p}" do
@@ -129,6 +135,7 @@
       :smtp_server_starttls,
       :smtp_server_ssl,
       :brute_force_protected,
+      :offline_session_max_lifespan_enabled,
     ].each do |p|
       it "should accept true for #{p}" do
         config[p] = true