Implement webauthn extra origins & Raise KeyCloak version to 24.0.5 i…

…n acceptance tests (#313)

* Raise KeyCloak version for acceptance testing to 24.0.5 as minimal version

* Implement webauthn & webauthn passwordless extra origins property

* Add tests for webauthn & webauthn passwordless extra origins property

* Fix keycloak version to module version table in README.md

.github/workflows/ci.yaml

@@ -65,26 +65,17 @@ jobs:
  - "puppet7"
  - "puppet8"
  keycloak_version:
- - "22.0.0"
- - "24.0.3"
+ - "24.0.5"
  keycloak_full:
  - "no"
  include:
  - set: "el8"
  puppet: "puppet7"
- keycloak_version: "22.0.0"
+ keycloak_version: "24.0.5"
  keycloak_full: "yes"
  - set: "el8"
  puppet: "puppet8"
- keycloak_version: "22.0.0"
- keycloak_full: "yes"
- - set: "el8"
- puppet: "puppet7"
- keycloak_version: "24.0.3"
- keycloak_full: "yes"
- - set: "el8"
- puppet: "puppet8"
- keycloak_version: "24.0.3"
+ keycloak_version: "24.0.5"
  keycloak_full: "yes"
  env:
  BUNDLE_WITHOUT: development:release

.sync.yml

@@ -25,25 +25,16 @@ Rakefile:
  - puppet7
  - puppet8
  keycloak_version:
- - '22.0.0'
- - '24.0.3'
+ - '24.0.5'
  keycloak_full: ['no']
  acceptance_includes:
  - set: el8
  puppet: puppet7
- keycloak_version: '22.0.0'
+ keycloak_version: '24.0.5'
  keycloak_full: 'yes'
  - set: el8
  puppet: puppet8
- keycloak_version: '22.0.0'
- keycloak_full: 'yes'
- - set: el8
- puppet: puppet7
- keycloak_version: '24.0.3'
- keycloak_full: 'yes'
- - set: el8
- puppet: puppet8
- keycloak_version: '24.0.3'
+ keycloak_version: '24.0.5'
  keycloak_full: 'yes'
 .gitignore:
  paths:

README.md

@@ -162,11 +162,11 @@ For `keycloak_ldap_mapper` ensure the `parent_id` property is set to point to ol
 
 ### Supported Versions of Keycloak
 
-Currently this module supports Keycloak version 12.x.
+Currently this module supports Keycloak version 24.x.
 This module may work on earlier versions but this is the only version tested.
 
 | Keycloak Version | Keycloak Puppet module versions |
-| ---------------- | ------------------------------- |
+|------------------|---------------------------------|
 | 3.x | 2.x |
 | 4.x - 6.x | 3.x |
 | 6.x - 8.x | 4.x - 5.x |
@@ -176,6 +176,8 @@ This module may work on earlier versions but this is the only version tested.
 | 19.x - 21.x | 9.x |
 | 21.x | 10.x |
 | 22.x - 24.x | 11.x |
+| 24.x | 12.x |
+| -----------------|---------------------------------|
 
 ## Usage
 
@@ -191,18 +193,18 @@ Install a specific version of Keycloak.
 
 ```puppet
 class { 'keycloak':
- version => '22.0.0',
+ version => '24.0.0',
  db => 'mariadb',
 }
 ```
 
 Upgrading Keycloak version works by changing `version` parameter as long as the `db` parameter is not the default of `dev-file`. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to `/opt/keycloak`, applying all changes to new version and then restarting the `keycloak` service.
 
-If the previous `version` was `22.0.0` using the following will upgrade to `23.0.0`:
+If the previous `version` was `22.0.0` using the following will upgrade to `24.0.0`:
 
 ```puppet
 class { 'keycloak':
- version => '23.0.0',
+ version => '24.0.0',
  db => 'mariadb',
 }
 ```

lib/puppet/type/keycloak_realm.rb

@@ -492,6 +492,11 @@ def insync?(is)
  defaultto []
  end
 
+ newproperty(:web_authn_policy_extra_origins, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
+ desc 'webAuthnPolicyExtraOrigins'
+ defaultto []
+ end
+
  newproperty(:web_authn_policy_passwordless_rp_entity_name) do
  desc 'webAuthnPolicyPasswordlessRpEntityName'
  defaultto 'keycloak'
@@ -547,6 +552,11 @@ def insync?(is)
  defaultto []
  end
 
+ newproperty(:web_authn_policy_passwordless_extra_origins, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
+ desc 'webAuthnPolicyPasswordlessExtraOrigins'
+ defaultto []
+ end
+
  newproperty(:custom_properties) do
  desc 'custom properties to pass as realm configurations'
  defaultto {}

manifests/init.pp

@@ -222,7 +222,7 @@
 # Only necessary to set if the URL path to Keycloak is modified
 class keycloak (
  Boolean $manage_install = true,
- String $version = '22.0.0',
+ String $version = '24.0.5',
  Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl, Stdlib::Absolutepath]] $package_url= undef,
  Optional[Stdlib::Absolutepath] $install_dir = undef,
  Array[String[1]] $java_package_dependencies = [],

spec/acceptance/2_realm_spec.rb

@@ -240,6 +240,7 @@ class { 'keycloak': }
  web_authn_policy_create_timeout => 600,
  web_authn_policy_avoid_same_authenticator_register => true,
  web_authn_policy_acceptable_aaguids => ['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'],
+ web_authn_policy_extra_origins => ['https://example.com'],
  web_authn_policy_passwordless_rp_entity_name => 'Keycloak',
  web_authn_policy_passwordless_signature_algorithms => ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'],
  web_authn_policy_passwordless_rp_id => 'https://example.com',
@@ -250,6 +251,7 @@ class { 'keycloak': }
  web_authn_policy_passwordless_create_timeout => 600,
  web_authn_policy_passwordless_avoid_same_authenticator_register => true,
  web_authn_policy_passwordless_acceptable_aaguids => ['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'],
+ web_authn_policy_passwordless_extra_origins => ['https://example.com'],
  }
  PUPPET_PP
 
@@ -337,6 +339,7 @@ class { 'keycloak': }
  expect(data['webAuthnPolicyCreateTimeout']).to eq(600)
  expect(data['webAuthnPolicyAvoidSameAuthenticatorRegister']).to eq(true)
  expect(data['webAuthnPolicyAcceptableAaguids']).to eq(['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'])
+ expect(data['webAuthnPolicyExtraOrigins']).to eq(['https://example.com'])
  expect(data['webAuthnPolicyPasswordlessRpEntityName']).to eq('Keycloak')
  expect(data['webAuthnPolicyPasswordlessSignatureAlgorithms']).to eq(['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'])
  expect(data['webAuthnPolicyPasswordlessRpId']).to eq('https://example.com')
@@ -347,6 +350,7 @@ class { 'keycloak': }
  expect(data['webAuthnPolicyPasswordlessCreateTimeout']).to eq(600)
  expect(data['webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister']).to eq(true)
  expect(data['webAuthnPolicyPasswordlessAcceptableAaguids']).to eq(['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'])
+ expect(data['webAuthnPolicyPasswordlessExtraOrigins']).to eq(['https://example.com'])
  end
  end
 

spec/classes/init_spec.rb

@@ -8,7 +8,7 @@
  let(:facts) do
  facts.merge(concat_basedir: '/dne')
  end
- let(:version) { '22.0.0' }
+ let(:version) { '24.0.5' }
 
  case facts[:osfamily]
  when %r{RedHat}

spec/defines/partial_import_spec.rb

@@ -8,7 +8,7 @@
  let(:facts) do
  facts.merge(concat_basedir: '/dne')
  end
- let(:version) { '22.0.0' }
+ let(:version) { '24.0.5' }
  let(:title) { 'test' }
  let(:params) do
  {

spec/defines/spi_deployment_spec.rb

@@ -8,7 +8,7 @@
  let(:facts) do
  facts.merge(concat_basedir: '/dne')
  end
- let(:version) { '22.0.0' }
+ let(:version) { '24.0.5' }
  let(:title) { 'duo-spi' }
  let(:params) { { deployed_name: 'keycloak-duo-spi-jar-with-dependencies.jar', source: 'https://example.com/files/keycloak-duo-spi-jar-with-dependencies.jar' } }
 

spec/spec_helper_acceptance_setup.rb

@@ -3,7 +3,7 @@
 RSpec.configure do |c|
  c.add_setting :keycloak_version
  keycloak_version = if ENV['BEAKER_keycloak_version'].nil? || ENV['BEAKER_keycloak_version'].empty?
- '22.0.0'
+ '24.0.5'
  else
  ENV['BEAKER_keycloak_version']
  end

spec/unit/puppet/type/keycloak_realm_spec.rb

@@ -82,6 +82,7 @@
  web_authn_policy_create_timeout: 0,
  web_authn_policy_avoid_same_authenticator_register: :false,
  web_authn_policy_acceptable_aaguids: [],
+ web_authn_policy_extra_origins: [],
  web_authn_policy_passwordless_rp_entity_name: 'keycloak',
  web_authn_policy_passwordless_signature_algorithms: ['ES256'],
  web_authn_policy_passwordless_rp_id: '',
@@ -91,7 +92,8 @@
  web_authn_policy_passwordless_user_verification_requirement: 'not specified',
  web_authn_policy_passwordless_create_timeout: 0,
  web_authn_policy_passwordless_avoid_same_authenticator_register: :false,
- web_authn_policy_passwordless_acceptable_aaguids: []
+ web_authn_policy_passwordless_acceptable_aaguids: [],
+ web_authn_policy_passwordless_extra_origins: []
  }
 
  describe 'otp_policy_digits' do
@@ -349,8 +351,10 @@
  :roles,
  :web_authn_policy_signature_algorithms,
  :web_authn_policy_acceptable_aaguids,
+ :web_authn_policy_extra_origins,
  :web_authn_policy_passwordless_signature_algorithms,
- :web_authn_policy_passwordless_acceptable_aaguids
+ :web_authn_policy_passwordless_acceptable_aaguids,
+ :web_authn_policy_passwordless_extra_origins
  ].each do |p|
  it "accepts array for #{p}" do
  config[p] = ['foo', 'bar']