Implement password policy property

treydock · Jun 19, 2024 · 69ec356 · 69ec356
1 parent 8f51082
commit 69ec356
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/lib/puppet/type/keycloak_realm.rb b/lib/puppet/type/keycloak_realm.rb
@@ -420,6 +420,10 @@ def should_to_s(_newvalue)
  defaultto :false
  end
 
+ newproperty(:password_policy) do
+ desc 'passwordPolicy'
+ end
+
  newproperty(:roles, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
  desc 'roles'
  defaultto ['offline_access', 'uma_authorization']

diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb
@@ -229,6 +229,7 @@ class { 'keycloak': }
  otp_policy_digits => 8,
  otp_policy_period => 30,
  otp_policy_code_reusable => true,
+ password_policy => 'length(12) and notUsername(undefined) and notEmail(undefined) and forceExpiredPasswordChange(365) and hashIterations(27500) and passwordHistory(3) and regexPattern(^(?!\d+$)(?!.*test).*$) and specialChars(1) and upperCase(1) and lowerCase(1) and digits(1) and hashAlgorithm(pbkdf2-sha256) and maxLength(64)',
  web_authn_policy_rp_entity_name => 'Keycloak',
  web_authn_policy_signature_algorithms => ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'],
  web_authn_policy_rp_id => 'https://example.com',
@@ -258,6 +259,10 @@ class { 'keycloak': }
 
  it 'has updated the realm' do
  on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get realms/test' do
+ passwordPolicyValue = %w[length(12) and notUsername(undefined) and notEmail(undefined) and forceExpiredPasswordChange(365) and hashIterations(27_500] +
+ %w[ and passwordHistory(3) and regexPattern(^(?!\d+$)(?!.*test).*$) and specialChars(1) and upperCase(1)] +
+ %w[ and lowerCase(1) and digits(1) and hashAlgorithm(pbkdf2-sha256) and maxLength(64)]
+
  data = JSON.parse(stdout)
  expect(data['rememberMe']).to eq(true)
  expect(data['registrationAllowed']).to eq(true)
@@ -311,6 +316,7 @@ class { 'keycloak': }
  expect(data['otpPolicyDigits']).to eq(8)
  expect(data['otpPolicyPeriod']).to eq(30)
  expect(data['otpPolicyCodeReusable']).to eq(true)
+ expect(data['passwordPolicy']).to eq(passwordPolicyValue)
  expect(data['webAuthnPolicyRpEntityName']).to eq('Keycloak')
  expect(data['webAuthnPolicySignatureAlgorithms']).to eq(['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'])
  expect(data['webAuthnPolicyRpId']).to eq('https://example.com')

diff --git a/spec/unit/puppet/type/keycloak_realm_spec.rb b/spec/unit/puppet/type/keycloak_realm_spec.rb
@@ -219,6 +219,7 @@
  :smtp_server_reply_to,
  :smtp_server_reply_to_display_name,
  :default_locale,
+ :password_policy,
  :web_authn_policy_rp_entity_name,
  :web_authn_policy_rp_id,
  :web_authn_policy_passwordless_rp_entity_name,