From 89d9073025128df75bf53a39d4b2efa9e71583f6 Mon Sep 17 00:00:00 2001 From: Quentin Date: Fri, 13 Aug 2021 19:30:23 +0200 Subject: [PATCH] Add extra configurations to keycloak realm (#203) * Add extra configurations to keycloak realm Add support of : - `accessCodeLifespanLogin` - `actionTokenGeneratedByAdminLifespan` - `actionTokenGeneratedByUserLifespan` - `offlineSessionIdleTimeout` - `offlineSessionMaxLifespan` - `offlineSessionMaxLifespanEnabled` * Add realm token settings to realm spec * Fix default symbol on keycloak_realm_spec.rb --- REFERENCE.md | 38 ++++++++++ lib/puppet/type/keycloak_realm.rb | 26 +++++++ spec/acceptance/2_realm_spec.rb | 78 ++++++++++++++++---- spec/unit/puppet/type/keycloak_realm_spec.rb | 7 ++ 4 files changed, 135 insertions(+), 14 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 5c9f5fc0..1e198bca 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -3143,6 +3143,12 @@ The following properties are available in the `keycloak_realm` type. accessCodeLifespan +##### `access_code_lifespan_login` + +Unit : minutes + +accessCodeLifespanLogin + ##### `access_code_lifespan_user_action` accessCodeLifespanUserAction @@ -3183,6 +3189,18 @@ adminTheme Default value: `keycloak` +##### `action_token_generated_by_admin_lifespan` + +Unit : minutes + +actionTokenGeneratedByAdminLifespan + +##### `action_token_generated_by_user_lifespan` + +Unit : minutes + +actionTokenGeneratedByUserLifespan + ##### `browser_flow` browserFlow @@ -3293,6 +3311,26 @@ loginWithEmailAllowed Default value: `true` +##### `offline_session_idle_timeout` + +Unit : seconds + +offlineSessionIdleTimeout + +##### `offline_session_max_lifespan` + +Unit : seconds + +offlineSessionMaxLifespan + +##### `offline_session_max_lifespan_enabled` + +Valid values: ``true``, ``false`` + +offlineSessionMaxLifespanEnabled + +Default value: `false` + ##### `optional_client_scopes` Optional Client Scopes 
diff --git a/lib/puppet/type/keycloak_realm.rb b/lib/puppet/type/keycloak_realm.rb
index a800e54a..e0b54fab 100644
--- a/lib/puppet/type/keycloak_realm.rb
+++ b/lib/puppet/type/keycloak_realm.rb
@@ -84,6 +84,10 @@
 desc 'accessCodeLifespan'
 end
+ newproperty(:access_code_lifespan_login, parent: PuppetX::Keycloak::IntegerProperty) do
+ desc 'accessCodeLifespanLogin'
+ end
+
 newproperty(:access_code_lifespan_user_action, parent: PuppetX::Keycloak::IntegerProperty) do
 desc 'accessCodeLifespanUserAction'
 end
@@ -96,6 +100,22 @@
 desc 'accessTokenLifespanForImplicitFlow'
 end
+ newproperty(:action_token_generated_by_admin_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
+ desc 'actionTokenGeneratedByAdminLifespan'
+ end
+
+ newproperty(:action_token_generated_by_user_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
+ desc 'actionTokenGeneratedByUserLifespan'
+ end
+
+ newproperty(:offline_session_idle_timeout, parent: PuppetX::Keycloak::IntegerProperty) do
+ desc 'offlineSessionIdleTimeout'
+ end
+
+ newproperty(:offline_session_max_lifespan, parent: PuppetX::Keycloak::IntegerProperty) do
+ desc 'offlineSessionMaxLifespan'
+ end
+
 newproperty(:enabled, boolean: true) do
 desc 'enabled'
 newvalues(:true, :false)
@@ -120,6 +140,12 @@
 defaultto :true
 end
+ newproperty(:offline_session_max_lifespan_enabled, boolean: true) do
+ desc 'offlineSessionMaxLifespanEnabled'
+ newvalues(:true, :false)
+ defaultto :false
+ end
+
 newproperty(:reset_password_allowed, boolean: true) do
 desc 'resetPasswordAllowed'
 newvalues(:true, :false)
diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb
index abf6864c..3a94fb75 100644
--- a/spec/acceptance/2_realm_spec.rb
+++ b/spec/acceptance/2_realm_spec.rb
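Review bot: The new `desc` strings in all three hunks of keycloak_realm.rb (`desc 'accessCodeLifespanLogin'`, the four lifespans in the second hunk and the boolean in the third) carry no unit, while the REFERENCE.md hunk in this same commit hand-adds "Unit : minutes" / "Unit : seconds" above those entries; if REFERENCE.md is regenerated from the type's `desc` with puppet-strings, as the rest of its layout suggests, those unit lines will disappear on the next regeneration. Put the unit into the type itself, e.g. `desc 'accessCodeLifespanLogin (seconds)'`, and let the reference be derived from it. The "minutes" label also looks doubtful: the acceptance spec sets access_code_lifespan_login to 1800 and action_token_generated_by_admin_lifespan to 43200 and reads the same integers back from the kcadm realm JSON, which match Keycloak's stock 30-minute and 12-hour values expressed in seconds — the unit cannot be confirmed from this diff, so verify it against the realm representation before documenting. A lifespan documented in the wrong unit leads operators to configure token and session lifetimes 60× longer or shorter than intended, which is a direct access-control consequence. The provider that sends these properties to kcadm is not part of this diff; presumably it maps every property to its camelCase key generically, which the `desc` values mirror.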
@@ -9,20 +9,34 @@ class { 'keycloak':
 datasource_driver => 'mysql',
 }
 keycloak_realm { 'test':
- ensure => 'present',
- smtp_server_host => 'smtp.example.org',
- smtp_server_port => 587,
- smtp_server_starttls => false,
- smtp_server_auth => false,
- smtp_server_user => 'john',
- smtp_server_password => 'secret',
- smtp_server_envelope_from => 'keycloak@id.example.org',
- smtp_server_from => 'keycloak@id.example.org',
- smtp_server_from_display_name => 'Keycloak',
- smtp_server_reply_to => 'webmaster@example.org',
- smtp_server_reply_to_display_name => 'Webmaster',
- brute_force_protected => false,
- roles => ['offline_access', 'uma_authorization', 'new_role'],
+ ensure => 'present',
+ smtp_server_host => 'smtp.example.org',
+ smtp_server_port => 587,
+ smtp_server_starttls => false,
+ smtp_server_auth => false,
+ smtp_server_user => 'john',
+ smtp_server_password => 'secret',
+ smtp_server_envelope_from => 'keycloak@id.example.org',
+ smtp_server_from => 'keycloak@id.example.org',
+ smtp_server_from_display_name => 'Keycloak',
+ smtp_server_reply_to => 'webmaster@example.org',
+ smtp_server_reply_to_display_name => 'Webmaster',
+ brute_force_protected => false,
+ roles => ['offline_access', 'uma_authorization', 'new_role'],
+ access_code_lifespan => 60,
+ access_code_lifespan_login => 1800,
+ access_code_lifespan_user_action => 300,
+ access_token_lifespan => 60,
+ access_token_lifespan_for_implicit_flow => 900,
+ action_token_generated_by_admin_lifespan => 43200,
+ action_token_generated_by_user_lifespan => 300,
+ sso_session_idle_timeout_remember_me => 0,
+ sso_session_max_lifespan_remember_me => 0,
+ sso_session_idle_timeout => 1800,
+ sso_session_max_lifespan => 36000,
+ offline_session_idle_timeout => 2592000,
+ offline_session_max_lifespan => 5184000,
+ offline_session_max_lifespan_enabled => true,
 }
 EOS
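Review bot: The fourteen `-`/`+` pairs at the top of this hunk, from `ensure => 'present',` through `roles => [...]`, differ only in `=>` alignment; the substantive change is the fourteen attributes added after them. Rewriting the untouched lines inflates the diff and hides which values are new, so if the realignment is a lint requirement it belongs in a whitespace-only commit ahead of this one. The `keycloak_realm { 'test':` resource begins inside the hunk, but the enclosing heredoc and `it` block start outside it.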
@@ -88,6 +102,26 @@ class { 'keycloak':
 end
 end
+ it 'has correct token settings' do
+ on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
+ data = JSON.parse(stdout)
+ expect(data['accessCodeLifespan']).to eq(60)
+ expect(data['accessCodeLifespanLogin']).to eq(1800)
+ expect(data['accessCodeLifespanUserAction']).to eq(300)
+ expect(data['accessTokenLifespan']).to eq(60)
+ expect(data['accessTokenLifespanForImplicitFlow']).to eq(900)
+ expect(data['actionTokenGeneratedByAdminLifespan']).to eq(43_200)
+ expect(data['actionTokenGeneratedByUserLifespan']).to eq(300)
+ expect(data['ssoSessionIdleTimeoutRememberMe']).to eq(0)
+ expect(data['ssoSessionMaxLifespanRememberMe']).to eq(0)
+ expect(data['ssoSessionIdleTimeout']).to eq(1800)
+ expect(data['ssoSessionMaxLifespan']).to eq(36_000)
+ expect(data['offlineSessionIdleTimeout']).to eq(2_592_000)
+ expect(data['offlineSessionMaxLifespan']).to eq(5_184_000)
+ expect(data['offlineSessionMaxLifespanEnabled']).to eq(true)
+ end
+ end
+
 it 'has correct roles settings' do
 on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get roles -r test' do
 data = JSON.parse(stdout)
@@ -118,8 +152,16 @@ class { 'keycloak':
 verify_email => true,
 access_code_lifespan => 3600,
 access_token_lifespan => 3600,
+ access_code_lifespan_login => 3600,
+ access_code_lifespan_user_action => 600,
 sso_session_idle_timeout => 3600,
 sso_session_max_lifespan => 72000,
+ access_token_lifespan_for_implicit_flow => 3600,
+ action_token_generated_by_admin_lifespan => 21600,
+ action_token_generated_by_user_lifespan => 600,
+ offline_session_idle_timeout => 1296000,
+ offline_session_max_lifespan => 2592000,
+ offline_session_max_lifespan_enabled => false,
 default_client_scopes => ['profile'],
 content_security_policy => "frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
 events_enabled => true,
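Review bot: The fourteen `expect(data[...]).to eq(...)` lines in `has correct token settings` stop at the first mismatch, so when several lifespans drift at once the failure reports one key per run; a single `expect(data).to include('accessCodeLifespan' => 60, 'accessCodeLifespanLogin' => 1800, ...)` over the same pairs reports every mismatched key in one failure and keeps the expected values in one place next to the manifest they mirror. The same applies to the nine assertions added to the update check in the `@@ -154,9 +196,17 @@` hunk of this file. The `it` block is wholly inside the hunk; the enclosing `describe` starts outside it.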
@@ -154,9 +196,17 @@ class { 'keycloak':
 expect(data['resetPasswordAllowed']).to eq(true)
 expect(data['verifyEmail']).to eq(true)
 expect(data['accessCodeLifespan']).to eq(3600)
+ expect(data['accessCodeLifespanLogin']).to eq(3600)
+ expect(data['accessCodeLifespanUserAction']).to eq(600)
 expect(data['accessTokenLifespan']).to eq(3600)
+ expect(data['accessTokenLifespanForImplicitFlow']).to eq(3600)
+ expect(data['actionTokenGeneratedByAdminLifespan']).to eq(21_600)
+ expect(data['actionTokenGeneratedByUserLifespan']).to eq(600)
 expect(data['ssoSessionIdleTimeout']).to eq(3600)
 expect(data['ssoSessionMaxLifespan']).to eq(72_000)
+ expect(data['offlineSessionIdleTimeout']).to eq(1_296_000)
+ expect(data['offlineSessionMaxLifespan']).to eq(2_592_000)
+ expect(data['offlineSessionMaxLifespanEnabled']).to eq(false)
 expect(data['browserSecurityHeaders']['contentSecurityPolicy']).to eq("frame-src https://*.duosecurity.com/ 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
 expect(data['smtpServer']['host']).to eq('smtp.example.org')
 expect(data['smtpServer']['port']).to eq('587')
diff --git a/spec/unit/puppet/type/keycloak_realm_spec.rb b/spec/unit/puppet/type/keycloak_realm_spec.rb
index 3b41de70..b985a054 100644
--- a/spec/unit/puppet/type/keycloak_realm_spec.rb
+++ b/spec/unit/puppet/type/keycloak_realm_spec.rb
@@ -49,6 +49,7 @@
 events_listeners: ['jboss-logging'],
 admin_events_enabled: :false,
 admin_events_details_enabled: :false,
+ offline_session_max_lifespan_enabled: :false,
 }
 describe 'basic properties' do
@@ -96,9 +97,14 @@
 :sso_session_idle_timeout,
 :sso_session_max_lifespan,
 :access_code_lifespan,
+ :access_code_lifespan_login,
 :access_code_lifespan_user_action,
 :access_token_lifespan,
 :access_token_lifespan_for_implicit_flow,
+ :action_token_generated_by_admin_lifespan,
+ :action_token_generated_by_user_lifespan,
+ :offline_session_idle_timeout,
+ :offline_session_max_lifespan,
 :smtp_server_port,
 ].each do |p|
 it "should accept a #{p}" do
@@ -129,6 +135,7 @@
 :smtp_server_starttls,
 :smtp_server_ssl,
 :brute_force_protected,
+ :offline_session_max_lifespan_enabled,
 ].each do |p|
 it "should accept true for #{p}" do
 config[p] = true