flow & required action resources issue with multiple realms #320

Open
TuningYourCode opened this issue Sep 23, 2024 · 6 comments · May be fixed by #321

Comments

@TuningYourCode
Contributor

Hi,

We are currently trying to set up another realm besides our existing realm in our Keycloak instance and are facing some issues.

We require users to register a webauthn device (YubiKey) and deploy a custom flow. I will focus on the former, as it's the easier case, but both seem to have similar issues:

Example 1:

  keycloak_required_action { "webauthn-register on master":
    ensure       => present,
    display_name => 'Webauthn Register',
    provider_id  => 'webauthn-register',
    realm        => 'master',
  }

  keycloak_required_action { "webauthn-register on test":
    ensure       => present,
    display_name => 'Webauthn Register',
    provider_id  => 'webauthn-register',
    realm        => 'test',
  }

Result:

Error: Cannot alias Keycloak_required_action[webauthn-register on test] to "webauthn-register" at (file: /etc/puppetlabs/code/modules/xxx/manifests/resources/keycloak/realm.pp, line: 74); resource ["Keycloak_required_action", "webauthn-register"] already declared (file: /etc/puppetlabs/code/modules/xxx/manifests/resources/keycloak/realm.pp, line: 74) on node login1.docker.local

Example 2 (this version worked for flows):

  keycloak_required_action { "webauthn-register on master":
    ensure       => present,
    display_name => 'Webauthn Register',
    provider_id  => 'webauthn-register',
    alias        => 'webauthn-register-master',
    realm        => 'master',
  }

  keycloak_required_action { "webauthn-register on test":
    ensure       => present,
    display_name => 'Webauthn Register',
    provider_id  => 'webauthn-register',
    alias        => 'webauthn-register-test',
    realm        => 'test',
  }

Result:

run-puppet-node1-1  | Error: kcadm registration of required action failed
run-puppet-node1-1  | Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create authentication/register-required-action -o -r master -f /tmp/keycloak_required_action_register20240923-109455-16e53p0' returned 1:
run-puppet-node1-1  | Error: /Stage[main]/XXX::Profiles::Service::Keycloak/XXX::Resources::Keycloak::Realm[master]/Keycloak_required_action[webauthn-register on master]/ensure: change from 'absent' to 'present' failed: kcadm registration of required action failed
run-puppet-node1-1  | Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create authentication/register-required-action -o -r master -f /tmp/keycloak_required_action_register20240923-109455-16e53p0' returned 1:
run-puppet-node1-1  | Warning: Parameter 'bind_credential' is set and Puppet has no way to check current value
run-puppet-node1-1  | Error: kcadm registration of required action failed
run-puppet-node1-1  | Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create authentication/register-required-action -o -r rlv -f /tmp/keycloak_required_action_register20240923-109455-1lbkbmp' returned 1:
run-puppet-node1-1  | Error: /Stage[main]/XXX::Profiles::Service::Keycloak/XXX::Resources::Keycloak::Realm[test]/Keycloak_required_action[webauthn-register on test]/ensure: change from 'absent' to 'present' failed: kcadm registration of required action failed
run-puppet-node1-1  | Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create authentication/register-required-action -o -r rlv -f /tmp/keycloak_required_action_register20240923-109455-1lbkbmp' returned 1:

Now the question is just whether it is a bug or whether I am just holding it wrong. If somebody is already managing Keycloak instances with multiple realms with the same flows / configuration (required actions etc.), I would be grateful if you could share how I am supposed to do it.

@treydock
Owner

I think the first failure is a limitation of namevar handling in Puppet. I haven't yet deployed Puppet resources to multiple realms so there might be some improvements needed to better handle how naming works across realms.

For the second set of errors, is there anything in the Keycloak logs to show what failed? The error returned from the attempt to run the commands seems limited. Also, you could make the name be like webauthn-register-test on test, which is kind of redundant but part of the naming limitations.

@TuningYourCode
Contributor Author

For the second set of errors there is no output in the Keycloak logs as far as I can see (for the flows I had errors because the database columns are limited and the insert failed with "long" aliases).

I'm still checking if I can somehow debug it, but I guess it's related to the alias field, which might be read-only / write-once for required actions; I haven't verified it yet.

Good to know that it might be a bug/issue; I hope I find more time tomorrow to deep dive into the issue :)

@treydock
Owner

I'm not very familiar with the required actions as I don't use them, they were a community contribution. It would not surprise me if the alias is read-only as I believe that's the case for Flows so likely the same for required actions. If the alias can't be modified, then I think some changes to how naming is handled would be required.

@TuningYourCode
Contributor Author

Just documenting my findings so far:

Seems like alias is a reserved word in resources:

So I'll check if I can disable that or change the code without a (major) breaking change.

@TuningYourCode
Contributor Author

TuningYourCode commented Sep 26, 2024

The pull request for keycloak_required_action is finished. It has to be noted that keycloak_flow and some other resources might suffer from the same issue, namely that alias is a metaparameter on Puppet resources.

It would be nice if you could let me know whether the solution is ok or whether we should directly rename the attribute. Both implementations will be a breaking change, to different degrees.

I can also offer a (dirty) workaround for the current module version in case you want to manage more than one realm:

  [
    'webauthn-register',
    'CONFIGURE_TOTP'
  ].each |String $type| {
    exec { "delete-default-required-action-${type} on ${realm}":
      command     => "/opt/keycloak/bin/kcadm-wrapper.sh delete authentication/required-actions/${type} -r ${realm}",
      path        => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
      onlyif      => "/opt/keycloak/bin/kcadm-wrapper.sh get authentication/required-actions/${type} -r ${realm}",
      before      => [
        Keycloak_required_action["${type}-${realm} on ${realm}"],
      ],
      require     => [
        File['kcadm-wrapper.sh'],
        Keycloak_conn_validator['keycloak'],
        Keycloak_realm[$realm],
      ]
    }

    keycloak_required_action { "${type}-${realm} on ${realm}":
      ensure       => $ensure,
      provider_id  => $type,
    }
  }
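To make the two failure modes discussed in this thread concrete, here is an added example in Ruby (the language Puppet types are written in). It is not code from the thread or from puppet-module-keycloak: it is a toy model of Puppet's catalog name table, in which every title and every `alias` metaparameter value must map to exactly one resource. The title pattern `<alias> on <realm>`, the hypothetical renamed attribute `action_alias` and the error wording are assumptions made for illustration. The model reproduces the "Cannot alias ... already declared" failure from Example 1, and shows that both remedies mentioned above (realm-qualified titles, or renaming the attribute so it no longer shadows the metaparameter) keep the catalog consistent.

```ruby
# Added example, not code from the thread or from puppet-module-keycloak: a toy model of
# how Puppet derives catalog names for a resource titled "<alias> on <realm>" and why a
# type attribute called `alias` collides with Puppet's `alias` metaparameter.
# The title pattern and attribute names are assumptions made for illustration.

TITLE_PATTERN = /\A(\S+) on (\S+)\z/

# Split a composite title into its namevars (assumed to mirror the module's title_patterns).
def parse_title(title)
  m = TITLE_PATTERN.match(title)
  raise ArgumentError, "title #{title.inspect} must be '<alias> on <realm>'" unless m
  { alias: m[1], realm: m[2] }
end

# Minimal stand-in for Puppet's catalog name table: every title and every alias
# must map to exactly one resource, otherwise compilation fails.
class ToyCatalog
  def initialize
    @names = {}
  end

  # Register the resource under its title, then under its alias (if any).
  def add(type, title, metaparams = {})
    key = "#{type}[#{title}]"
    raise "duplicate declaration of #{key}" if @names.key?(key)
    @names[key] = title
    if (extra = metaparams[:alias])
      akey = "#{type}[#{extra}]"
      if @names.key?(akey) && @names[akey] != title
        raise "Cannot alias #{key} to #{extra.inspect}; resource #{akey} already declared"
      end
      @names[akey] = title
    end
    key
  end

  def size
    @names.size
  end
end

# Current behaviour: the value parsed into the `alias` attribute is also seen by
# Puppet as the `alias` metaparameter, so it becomes a second catalog name.
def declare_with_alias_attribute(catalog, title)
  parsed = parse_title(title)
  catalog.add('Keycloak_required_action', title, alias: parsed[:alias])
end

# Renamed attribute (hypothetical name `action_alias`): the parsed value stays a
# plain property and never reaches the catalog name table.
def declare_with_renamed_attribute(catalog, title)
  parsed = parse_title(title)
  catalog.add('Keycloak_required_action', title, action_alias: parsed[:alias])
end

# Declare the same required action in two realms with identical aliases.
# Returns nil when the second declaration is accepted, otherwise the error text.
def collision_message(declare)
  catalog = ToyCatalog.new
  declare.call(catalog, 'webauthn-register on master')
  declare.call(catalog, 'webauthn-register on test')
  nil
rescue RuntimeError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts collision_message(method(:declare_with_alias_attribute))
  puts collision_message(method(:declare_with_renamed_attribute)).inspect
  # Realm-qualified titles (the workaround suggested in this thread) also avoid the
  # collision even while `alias` is still the attribute name.
  c = ToyCatalog.new
  declare_with_alias_attribute(c, 'webauthn-register-master on master')
  declare_with_alias_attribute(c, 'webauthn-register-test on test')
  puts c.size
end
```

The model only captures the compile-time half of the problem (catalog naming); the runtime failures from Example 2, where kcadm rejects the registration, are not reproduced here because the thread has not yet established what Keycloak objects to.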

@TuningYourCode
Contributor Author

Sadly the workaround seems to break the admin ui: keycloak/keycloak#33309
