From f1e36062116b6aa83268aa1cf6484d3ca02d894e Mon Sep 17 00:00:00 2001
From: treydock
Date: Mon, 18 Nov 2024 13:54:10 -0500
Subject: [PATCH] Update keycloak_flow_execution to handle script authenticators (#329)
---
 .../provider/keycloak_flow_execution/kcadm.rb | 3 ++
 spec/acceptance/6_protocol_mapper_spec.rb | 2 +-
 spec/acceptance/9_flow_spec.rb | 40 ++++++++++++++++++-
 .../kcadm/get-executions.out | 12 ++++++
 spec/spec_helper_acceptance_setup.rb | 2 +
 .../keycloak_flow_execution/kcadm_spec.rb | 14 ++++++-
 6 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/lib/puppet/provider/keycloak_flow_execution/kcadm.rb b/lib/puppet/provider/keycloak_flow_execution/kcadm.rb
index ba35f368..f1d0290d 100644
--- a/lib/puppet/provider/keycloak_flow_execution/kcadm.rb
+++ b/lib/puppet/provider/keycloak_flow_execution/kcadm.rb
@@ -55,6 +55,9 @@ def self.instances
 execution[:flow_alias] = parent_level[1][-1] if parent_level.size > 1
 end
 execution[:provider_id] = e['providerId']
+ if e['authenticationConfig'] =~ %r{^script-.+}
+ execution[:provider_id] = e['authenticationConfig']
+ end
 execution[:alias] = e['alias']
 execution[:name] = "#{execution[:provider_id]} under #{execution[:flow_alias]} on #{realm}"
 if e['authenticationFlow']
diff --git a/spec/acceptance/6_protocol_mapper_spec.rb b/spec/acceptance/6_protocol_mapper_spec.rb
index cafcb447..f4204fd4 100644
--- a/spec/acceptance/6_protocol_mapper_spec.rb
+++ b/spec/acceptance/6_protocol_mapper_spec.rb
@@ -170,7 +170,7 @@ class { 'keycloak': }
 keycloak::spi_deployment { 'osc-keycloak-scripts':
 deployed_name => 'osc-keycloak-scripts-jar-with-dependencies.jar',
- source => 'https://github.com/OSC/osc-keycloak-scripts/releases/download/1.0.0/osc-keycloak-scripts-jar-with-dependencies.jar',
+ source => 'https://github.com/OSC/osc-keycloak-scripts/releases/download/1.1.0/osc-keycloak-scripts-1.1.0-jar-with-dependencies.jar',
 }
 keycloak_realm { 'test': ensure => 'present' }
 keycloak_client_scope { 'saml on test':
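Review bot: In lib/puppet/provider/keycloak_flow_execution/kcadm.rb (`@@ -55,6 +55,9 @@`) the new check uses `^`, which in Ruby matches at the start of any line rather than the start of the string, so a value that merely contains a line beginning with `script-` would also replace `provider_id`; anchor it with `\A`, e.g. `if e['authenticationConfig'] =~ %r{\Ascript-.+}`. Because `provider_id` is interpolated into the resource name built two lines below, the match that decides it should be as strict as the data allows. The override also carries no comment: the fixture added in this commit shows the script execution with an opaque `providerId` (it looks like an encoded form of the script name), and a line such as `# script authenticators report an encoded providerId; the script name is in authenticationConfig` would explain why the field is swapped. `self.instances` begins and ends outside the hunk.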
diff --git a/spec/acceptance/9_flow_spec.rb b/spec/acceptance/9_flow_spec.rb
index 192653b1..a23d4d21 100644
--- a/spec/acceptance/9_flow_spec.rb
+++ b/spec/acceptance/9_flow_spec.rb
@@ -19,6 +19,18 @@ class { 'keycloak': }
 'Keycloak_flow_execution[duo-universal under form-browser-with-duo on test]',
 ],
 }
+ keycloak::spi_deployment { 'osc-keycloak-scripts':
+ deployed_name => 'osc-keycloak-scripts-jar-with-dependencies.jar',
+ source => "https://github.com/OSC/osc-keycloak-scripts/releases/download/1.1.0/osc-keycloak-scripts-1.1.0-jar-with-dependencies.jar",
+ test_url => 'authentication/authenticator-providers',
+ test_key => 'id',
+ test_value => 'script-user-enabled-authenticator.js',
+ test_realm => 'test',
+ test_before => [
+ 'Keycloak_flow[form-browser-with-duo]',
+ 'Keycloak_flow_execution[script-user-enabled-authenticator.js under form-browser-with-duo on test]',
+ ],
+ }
 keycloak_realm { 'test': ensure => 'present' }
 keycloak_flow { 'browser-with-duo on test':
 ensure => 'present',
@@ -52,6 +64,11 @@ class { 'keycloak': }
 priority => 10,
 requirement => 'REQUIRED',
 }
+ keycloak_flow_execution { 'script-user-enabled-authenticator.js under form-browser-with-duo on test':
+ ensure => 'present',
+ requirement => 'REQUIRED',
+ priority => 15,
+ }
 keycloak_flow_execution { 'duo-universal under form-browser-with-duo on test':
 ensure => 'present',
 configurable => true,
@@ -93,8 +110,10 @@ class { 'keycloak': }
 expect(form['description']).to eq('Form Browser with DUO')
 auth_form = data.find { |d| d['providerId'] == 'auth-username-password-form' }
 expect(auth_form['index']).to eq(0)
+ script = data.find { |d| d['authenticationConfig'] == 'script-user-enabled-authenticator.js' }
+ expect(script['index']).to eq(1)
 duo = data.find { |d| d['providerId'] == 'duo-universal' }
- expect(duo['index']).to eq(1)
+ expect(duo['index']).to eq(2)
 end
 end
 end
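Review bot: The `keycloak::spi_deployment` block added at `@@ -19,6 +19,18 @@` in spec/acceptance/9_flow_spec.rb downloads a JAR by URL and deploys it into Keycloak as authenticator code with nothing pinning its content, so the acceptance run trusts whatever the release URL serves at that moment; the same block is repeated at `@@ -115,6 +134,18 @@`. If the defined type accepts a checksum (its parameters are not visible in this diff), set it here; otherwise record the gap with a comment such as `# TODO: verify the jar's sha256 before deploying`. The `source` string is also double-quoted with no interpolation, while 6_protocol_mapper_spec.rb single-quotes the same URL. The manifest heredoc starts and ends outside the hunk.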
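Review bot: At `@@ -93,8 +110,10 @@`, `script['index']` is dereferenced straight after `data.find`, so when the script execution is missing the example dies with a NoMethodError on nil instead of a readable expectation failure; the same applies at `@@ -187,6 +223,8 @@`. Adding `expect(script).not_to be_nil` before the index assertion makes the failure say what is actually wrong. The enclosing example starts outside the hunk.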
@@ -115,6 +134,18 @@ class { 'keycloak': }
 'Keycloak_flow_execution[duo-universal under form-browser-with-duo on test]',
 ],
 }
+ keycloak::spi_deployment { 'osc-keycloak-scripts':
+ deployed_name => 'osc-keycloak-scripts-jar-with-dependencies.jar',
+ source => "https://github.com/OSC/osc-keycloak-scripts/releases/download/1.1.0/osc-keycloak-scripts-1.1.0-jar-with-dependencies.jar",
+ test_url => 'authentication/authenticator-providers',
+ test_key => 'id',
+ test_value => 'script-user-enabled-authenticator.js',
+ test_realm => 'test',
+ test_before => [
+ 'Keycloak_flow[form-browser-with-duo]',
+ 'Keycloak_flow_execution[script-user-enabled-authenticator.js under form-browser-with-duo on test]',
+ ],
+ }
 keycloak_realm { 'test': ensure => 'present' }
 keycloak_flow { 'browser-with-duo on test':
 ensure => 'present',
@@ -161,6 +192,11 @@ class { 'keycloak': }
 priority => 25,
 requirement => 'REQUIRED',
 }
+ keycloak_flow_execution { 'script-user-enabled-authenticator.js under form-browser-with-duo on test':
+ ensure => 'present',
+ requirement => 'REQUIRED',
+ priority => 35,
+ }
 PUPPET_PP
 apply_manifest(pp, catch_failures: true)
@@ -187,6 +223,8 @@ class { 'keycloak': }
 expect(auth_form['index']).to eq(1)
 duo = data.find { |d| d['providerId'] == 'duo-universal' }
 expect(duo['index']).to eq(0)
+ script = data.find { |d| d['authenticationConfig'] == 'script-user-enabled-authenticator.js' }
+ expect(script['index']).to eq(2)
 end
 end
 end
diff --git a/spec/fixtures/unit/puppet/provider/keycloak_flow_execution/kcadm/get-executions.out b/spec/fixtures/unit/puppet/provider/keycloak_flow_execution/kcadm/get-executions.out
index 0fdebb8a..dc3fb7e3 100644
--- a/spec/fixtures/unit/puppet/provider/keycloak_flow_execution/kcadm/get-executions.out
+++ b/spec/fixtures/unit/puppet/provider/keycloak_flow_execution/kcadm/get-executions.out
@@ -46,4 +46,16 @@
 "authenticationConfig" : "be93a426-077f-4235-9686-677ff0706bf8",
 "level" : 1,
 "index" : 1
+}, {
+ "id" : "fe1692cb-5a30-4312-ac1a-25dce4cad7ef",
+ "requirement" : "DISABLED",
+ "displayName" : "User Enabled Authenticator",
+ "alias" : "User Enabled Authenticator",
+ "requirementChoices" : [ "REQUIRED", "ALTERNATIVE", "DISABLED" ],
+ "configurable" : true,
+ "providerId" : "ONRXE2LQOQWXK43FOIWWK3TBMJWGKZBNMF2XI2DFNZ2GSY3BORXXELTKOM",
+ "authenticationConfig" : "script-user-enabled-authenticator.js",
+ "level" : 0,
+ "index" : 3,
+ "priority" : 31
 } ]
diff --git a/spec/spec_helper_acceptance_setup.rb b/spec/spec_helper_acceptance_setup.rb
index af4310d2..4fb52a69 100644
--- a/spec/spec_helper_acceptance_setup.rb
+++ b/spec/spec_helper_acceptance_setup.rb
@@ -35,6 +35,8 @@
 keycloak::hostname: localhost
 keycloak::db: mariadb
 keycloak::proxy: edge
+keycloak::features:
+ - scripts
 # Force only listen on IPv4 for testing
 keycloak::java_opts: '-Djava.net.preferIPv4Stack=true'
 postgresql::server::service_status: 'service postgresql status 2>/dev/null 1>/dev/null'
diff --git a/spec/unit/puppet/provider/keycloak_flow_execution/kcadm_spec.rb b/spec/unit/puppet/provider/keycloak_flow_execution/kcadm_spec.rb
index 9690937a..37e8b636 100644
--- a/spec/unit/puppet/provider/keycloak_flow_execution/kcadm_spec.rb
+++ b/spec/unit/puppet/provider/keycloak_flow_execution/kcadm_spec.rb
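Review bot: The `keycloak::features: - scripts` entry added at `@@ -35,6 +35,8 @@` in spec/spec_helper_acceptance_setup.rb has no comment, unlike the `java_opts` setting below it, and it applies to every acceptance suite rather than only the flow tests. Since the feature name suggests it enables script-based providers on the server, a line such as `# scripts feature is required for the script-user-enabled-authenticator.js provider used in 9_flow_spec` would stop the setting from being copied into real hiera data without a reason attached. The hiera heredoc starts and ends outside the hunk.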
@@ -20,7 +20,8 @@
 allow(described_class).to receive(:kcadm).with('get', 'authentication/flows', 'test').and_return(my_fixture_read('get-test.out'))
 allow(described_class).to receive(:kcadm).with('get', 'authentication/flows/browser-with-duo/executions', 'test').and_return(my_fixture_read('get-executions.out'))
 allow(described_class).to receive(:kcadm).with('get', 'authentication/config/be93a426-077f-4235-9686-677ff0706bf8', 'test').and_return('{}')
- expect(described_class.instances.length).to eq(4)
+ allow(described_class).to receive(:kcadm).with('get', 'authentication/config/script-user-enabled-authenticator.js', 'test').and_return('{}')
+ expect(described_class.instances.length).to eq(5)
 end
 it 'returns the resource for a flow' do
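Review bot: The stub added at `@@ -20,7 +20,8 @@` in kcadm_spec.rb suggests that `instances` now issues `get authentication/config/script-user-enabled-authenticator.js`, i.e. it passes the script name where a config id is expected. Whether a real server answers that request is not visible here; if kcadm errors on it, `instances` would presumably fail or log noise for every realm that has a script execution. Consider skipping the config lookup when `authenticationConfig` matches the script pattern, then dropping this stub so the spec proves no such call is made. The same stub is added twice more in the `@@ -28,9 +29,20 @@` hunk.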
@@ -28,9 +29,20 @@
 allow(described_class).to receive(:kcadm).with('get', 'authentication/flows', 'test').and_return(my_fixture_read('get-test.out'))
 allow(described_class).to receive(:kcadm).with('get', 'authentication/flows/browser-with-duo/executions', 'test').and_return(my_fixture_read('get-executions.out'))
 allow(described_class).to receive(:kcadm).with('get', 'authentication/config/be93a426-077f-4235-9686-677ff0706bf8', 'test').and_return('{}')
+ allow(described_class).to receive(:kcadm).with('get', 'authentication/config/script-user-enabled-authenticator.js', 'test').and_return('{}')
 property_hash = described_class.instances[0].instance_variable_get('@property_hash')
 expect(property_hash[:name]).to eq('auth-cookie under browser-with-duo on test')
 end
+
+ it 'returns script execution' do
+ allow(described_class).to receive(:realms).and_return(['test'])
+ allow(described_class).to receive(:kcadm).with('get', 'authentication/flows', 'test').and_return(my_fixture_read('get-test.out'))
+ allow(described_class).to receive(:kcadm).with('get', 'authentication/flows/browser-with-duo/executions', 'test').and_return(my_fixture_read('get-executions.out'))
+ allow(described_class).to receive(:kcadm).with('get', 'authentication/config/be93a426-077f-4235-9686-677ff0706bf8', 'test').and_return('{}')
+ allow(described_class).to receive(:kcadm).with('get', 'authentication/config/script-user-enabled-authenticator.js', 'test').and_return('{}')
+ property_hash = described_class.instances.last.instance_variable_get('@property_hash')
+ expect(property_hash[:provider_id]).to eq('script-user-enabled-authenticator.js')
+ end
 end
 # describe 'self.prefetch' do
 # let(:instances) do
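Review bot: The new `returns script execution` example selects the resource with `instances.last`, which ties it to the order of entries in get-executions.out; selecting by alias, e.g. `.find { |i| i.instance_variable_get('@property_hash')[:alias] == 'User Enabled Authenticator' }`, would survive later fixture additions. It also repeats the same stubs as the examples above it, which a shared `before(:each)` block could hold once. A companion assertion that the execution whose `authenticationConfig` is the UUID keeps its original `providerId` would pin the non-script path of the new branch as well. The enclosing `describe` block starts outside the hunk.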