BREAKING: Support Keycloak 25 (#316)

* BREAKING: Support Keycloak 25 See README for details on breaking changes * Use OpenJDK 21 except for Debian
treydock · Jul 12, 2024 · 1e252e5 · 1e252e5
1 parent 3b639d2
commit 1e252e5
Show file tree

Hide file tree

Showing 26 changed files with 183 additions and 319 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -16,11 +16,11 @@ jobs:
  fail-fast: false
  matrix:
  include:
- - ruby: 2.7.7
+ - ruby: 2.7.8
  puppet: 7
  fixtures: .fixtures.yml
  allow_failure: false
- - ruby: 3.2.2
+ - ruby: 3.2.3
  puppet: 8
  fixtures: .fixtures.yml
  allow_failure: false
@@ -65,17 +65,17 @@ jobs:
  - "puppet7"
  - "puppet8"
  keycloak_version:
- - "24.0.5"
+ - "25.0.1"
  keycloak_full:
  - "no"
  include:
  - set: "el8"
  puppet: "puppet7"
- keycloak_version: "24.0.5"
+ keycloak_version: "25.0.1"
  keycloak_full: "yes"
  - set: "el8"
  puppet: "puppet8"
- keycloak_version: "24.0.5"
+ keycloak_version: "25.0.1"
  keycloak_full: "yes"
  env:
  BUNDLE_WITHOUT: development:release

diff --git a/.sync.yml b/.sync.yml
@@ -25,16 +25,16 @@ Rakefile:
  - puppet7
  - puppet8
  keycloak_version:
- - '24.0.5'
+ - '25.0.1'
  keycloak_full: ['no']
  acceptance_includes:
  - set: el8
  puppet: puppet7
- keycloak_version: '24.0.5'
+ keycloak_version: '25.0.1'
  keycloak_full: 'yes'
  - set: el8
  puppet: puppet8
- keycloak_version: '24.0.5'
+ keycloak_version: '25.0.1'
  keycloak_full: 'yes'
 .gitignore:
  paths:

diff --git a/README.md b/README.md
@@ -6,6 +6,7 @@
 #### Table of Contents
 
 1. [Overview](#overview)
+ * [Upgrade to 12.x](#upgrade-to-12x)
  * [Upgrade to 8.x](#upgrade-to-8x)
  * [Changes to LDAP user provider IDs](#changes-to-ldap-user-provider-ids)
  * [Supported Versions of Keycloak](#supported-versions-of-keycloak)
@@ -35,6 +36,25 @@
 
 The keycloak module allows easy installation and management of Keycloak.
 
+### Upgrade to 12.x
+
+Version 12.x of this module had some major breaking changes to support Keycloak 25.x.
+
+The default Java version is now OpenJDK 21 except for Debian. The next major release will drop Debian support unless OpenJDK 21 is added to Debian repos.
+
+The `keycloak_flow` and `keycloak_flow_execution` types had their `index` property replaced by `priority`. If you had executions with `index` 0,1,2 you'd need to set `priority` to something like 10,20,30.
+
+The configuration options switched to using Hostname v2 options.
+
+* `hostname` now accepts a URL
+* `hostname-url` is removed
+* `hostname-path` is removed
+* `hostname-port` is removed
+* `hostname-admin` now requires a URL
+* `hostname-admin-url` is removed
+* `hostname-strict-backchannel` is renamed to `hostname-backchannel-dynamic`
+* `hostname-strict-https` is removed
+
 ### Upgrade to 8.x
 
 This module underwent major changes in the 8.0.0 release to support Keycloak that uses Quarkus.
@@ -176,7 +196,7 @@ This module may work on earlier versions but this is the only version tested.
 | 19.x - 21.x | 9.x |
 | 21.x | 10.x |
 | 22.x - 24.x | 11.x |
-| 24.x | 12.x |
+| 25.x | 12.x |
 | -----------------|---------------------------------|
 
 ## Usage
@@ -523,27 +543,27 @@ keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
  ensure => 'present',
  configurable => false,
  display_name => 'Cookie',
- index  => 0,
+ priority => 10,
  requirement => 'ALTERNATIVE',
 }
 keycloak_flow_execution { 'identity-provider-redirector under browser-with-duo on test':
  ensure => 'present',
  configurable => true,
  display_name => 'Identity Provider Redirector',
- index  => 1,
+ priority => 15,
  requirement => 'ALTERNATIVE',
 }
 keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
  ensure => 'present',
- index  => 2,
+ priority => 20,
  requirement => 'ALTERNATIVE',
  top_level => false,
 }
 keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
  ensure => 'present',
  configurable => false,
  display_name => 'Username Password Form',
- index  => 0,
+ priority => 10,
  requirement => 'REQUIRED',
 }
 keycloak_flow_execution { 'duo-universal under form-browser-with-duo on test':
@@ -558,7 +578,7 @@ keycloak_flow_execution { 'duo-universal under form-browser-with-duo on test':
  "duoGroups" => "duo"
  },
  requirement => 'REQUIRED',
- index  => 1,
+ priority => 15,
 }
 ```
 

diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml
@@ -1,8 +1,8 @@
 ---
-keycloak::java_package: openjdk-17-jdk
-keycloak::java_home: /usr/lib/jvm/java-1.17.0-openjdk-amd64/
-keycloak::java_alternative_path: /usr/lib/jvm/java-1.17.0-openjdk-amd64/bin/java
-keycloak::java_alternative: java-1.17.0-openjdk-amd64
+keycloak::java_package: openjdk-21-jdk
+keycloak::java_home: /usr/lib/jvm/java-1.21.0-openjdk-amd64/
+keycloak::java_alternative_path: /usr/lib/jvm/java-1.21.0-openjdk-amd64/bin/java
+keycloak::java_alternative: java-1.21.0-openjdk-amd64
 keycloak::user_shell: '/usr/sbin/nologin'
 keycloak::libunix_dbus_java_build_dependencies:
  - 'zlib1g-dev'

diff --git a/data/os/Debian/11.yaml b/data/os/Debian/11.yaml
@@ -1,3 +1,7 @@
 ---
 keycloak::java_package_dependencies:
  - ca-certificates-java
+keycloak::java_package: openjdk-17-jdk
+keycloak::java_home: /usr/lib/jvm/java-1.17.0-openjdk-amd64/
+keycloak::java_alternative_path: /usr/lib/jvm/java-1.17.0-openjdk-amd64/bin/java
+keycloak::java_alternative: java-1.17.0-openjdk-amd64
diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml
@@ -1,8 +1,8 @@
 ---
-keycloak::java_package: java-17-openjdk-devel
-keycloak::java_home: /usr/lib/jvm/java-17-openjdk/
-keycloak::java_alternative_path: /usr/lib/jvm/java-17-openjdk/bin/java
-keycloak::java_alternative: /usr/lib/jvm/java-17-openjdk/bin/java
+keycloak::java_package: java-21-openjdk-devel
+keycloak::java_home: /usr/lib/jvm/java-21-openjdk/
+keycloak::java_alternative_path: /usr/lib/jvm/java-21-openjdk/bin/java
+keycloak::java_alternative: /usr/lib/jvm/java-21-openjdk/bin/java
 keycloak::user_shell: '/sbin/nologin'
 keycloak::libunix_dbus_java_build_dependencies:
  - 'which'

diff --git a/lib/puppet/provider/keycloak_flow/kcadm.rb b/lib/puppet/provider/keycloak_flow/kcadm.rb
@@ -62,7 +62,7 @@ def self.instances
  flow[:flow_alias] = d['alias']
  flow[:realm] = realm
  flow[:description] = e['description']
- flow[:index] = e['index']
+ flow[:priority] = e['priority']
  flow[:display_name] = e['displayName']
  flow[:alias] = e['displayName']
  if e['level'] != 0
@@ -105,6 +105,7 @@ def create
  data[:provider] = resource[:type]
  data[:description] = resource[:description]
  data[:type] = resource[:provider_id]
+ data[:priority] = resource[:priority]
  url = "authentication/flows/#{resource[:flow_alias]}/executions/flow"
  end
  t = Tempfile.new('keycloak_flow')
@@ -134,7 +135,8 @@ def create
  unless execution_id.nil?
  update_data = {
  id: execution_id,
- requirement: resource[:requirement]
+ requirement: resource[:requirement],
+ priority: resource[:priority]
  }
  t = Tempfile.new('keycloak_flow_execution')
  t.write(JSON.pretty_generate(update_data))
@@ -181,19 +183,6 @@ def initialize(value = {})
  end
  end
 
- def current_priority
- data = {}
- begin
- output = kcadm('get', "authentication/executions/#{id}", resource[:realm])
- data = JSON.parse(output)
- rescue Puppet::ExecutionFailure => e
- Puppet.debug("kcadm get execution failed\nError message: #{e.message}")
- rescue JSON::ParserError
- Puppet.debug('Unable to parse output from kcadm get execution')
- end
- data['priority'] || resource[:index]
- end
-
  def flush
  unless @property_flush.empty?
  data = {}
@@ -204,10 +193,11 @@ def flush
  data[:providerId] = resource[:provider_id]
  data[:topLevel] = true
  url = "authentication/flows/#{id}"
- elsif @property_flush[:requirement]
+ elsif @property_flush[:requirement] || @property_flush[:priority]
  data[:id] = id
  data[:description] = resource[:description]
  data[:requirement] = resource[:requirement]
+ data[:priority] = resource[:priority]
  url = "authentication/flows/#{resource[:flow_alias]}/executions"
  end
  unless data.empty?
@@ -221,22 +211,6 @@ def flush
  raise Puppet::Error, "kcadm update flow failed\nError message: #{e.message}"
  end
  end
- if resource[:top_level] == :false && @property_flush[:index]
- index_difference = current_priority - @property_flush[:index]
- if index_difference.zero?
- Puppet.notice("Index difference for Keycloak_flow[#{resource[:name]}] is unchanged, skipping.")
- elsif index_difference.negative?
- incrementer = 1
- action = 'lower-priority'
- else
- incrementer = -1
- action = 'raise-priority'
- end
- while index_difference != 0
- kcadm('create', "authentication/executions/#{id}/#{action}", resource[:realm])
- index_difference += incrementer
- end
- end
  end
  # Collect the resources again once they've been changed (that way `puppet
  # resource` will show the correct values after changes have been made).

diff --git a/lib/puppet/provider/keycloak_flow_execution/kcadm.rb b/lib/puppet/provider/keycloak_flow_execution/kcadm.rb
@@ -48,7 +48,7 @@ def self.instances
  execution[:configurable] = e['configurable'].to_s.to_sym if e.key?('configurable')
  execution[:flow_alias] = f['alias']
  execution[:realm] = realm
- execution[:index] = e['index']
+ execution[:priority] = e['priority']
  execution[:display_name] = e['displayName'] if e.key?('displayName')
  if e['level'] != 0
  parent_level = levels.find { |k, _v| k == (e['level'] - 1) }
@@ -104,6 +104,7 @@ def create
  data[:displayName] = resource[:display_name] if resource[:display_name]
  data[:configurable] = convert_property_value(resource[:configurable]) if resource[:configurable]
  data[:alias] = resource[:alias] if resource[:alias]
+ data[:priority] = resource[:priority]
  t = Tempfile.new('keycloak_flow_execution')
  t.write(JSON.pretty_generate(data))
  t.close
@@ -117,7 +118,8 @@ def create
  if resource[:requirement] != 'DISABLED'
  update_data = {
  id: new_id.strip,
- requirement: resource[:requirement]
+ requirement: resource[:requirement],
+ priority: resource[:priority]
  }
  tu = Tempfile.new('keycloak_flow_execution_update')
  tu.write(JSON.pretty_generate(update_data))
@@ -173,25 +175,13 @@ def initialize(value = {})
  end
  end
 
- def current_priority
- data = {}
- begin
- output = kcadm('get', "authentication/executions/#{id}", resource[:realm])
- data = JSON.parse(output)
- rescue Puppet::ExecutionFailure => e
- Puppet.debug("kcadm get execution failed\nError message: #{e.message}")
- rescue JSON::ParserError
- Puppet.debug('Unable to parse output from kcadm get execution')
- end
- data['priority'] || resource[:index]
- end
-
  def flush
  unless @property_flush.empty?
- if @property_flush[:requirement]
+ if @property_flush[:requirement] || @property_flush[:priority]
  data = {}
  data[:id] = id
- data[:requirement] = resource[:requirement] if @property_flush[:requirement]
+ data[:requirement] = resource[:requirement]
+ data[:priority] = resource[:priority]
  t = Tempfile.new('keycloak_flow_execution')
  t.write(JSON.pretty_generate(data))
  t.close
@@ -225,22 +215,6 @@ def flush
  raise Puppet::Error, "kcadm update flow execution config failed\nError message: #{e.message}"
  end
  end
- if @property_flush[:index]
- index_difference = current_priority - @property_flush[:index]
- if index_difference.zero?
- Puppet.notice("Index difference for Keycloak_flow_execution[#{resource[:name]}] is unchanged, skipping.")
- elsif index_difference.negative?
- incrementer = 1
- action = 'lower-priority'
- else
- incrementer = -1
- action = 'raise-priority'
- end
- while index_difference != 0
- kcadm('create', "authentication/executions/#{id}/#{action}", resource[:realm])
- index_difference += incrementer
- end
- end
  end
  # Collect the resources again once they've been changed (that way `puppet
  # resource` will show the correct values after changes have been made).

diff --git a/lib/puppet/type/keycloak_client.rb b/lib/puppet/type/keycloak_client.rb
@@ -215,7 +215,6 @@ def insync?(is)
 
  newproperty(:web_origins, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
  desc 'webOrigins'
- defaultto []
  end
 
  newproperty(:login_theme) do