BREAKING: Support Keycloak 25

See README for details on breaking changes

.github/workflows/ci.yaml

@@ -16,11 +16,11 @@ jobs:
  fail-fast: false
  matrix:
  include:
- - ruby: 2.7.7
+ - ruby: 2.7.8
  puppet: 7
  fixtures: .fixtures.yml
  allow_failure: false
- - ruby: 3.2.2
+ - ruby: 3.2.3
  puppet: 8
  fixtures: .fixtures.yml
  allow_failure: false
@@ -65,17 +65,17 @@ jobs:
  - "puppet7"
  - "puppet8"
  keycloak_version:
- - "24.0.5"
+ - "25.0.1"
  keycloak_full:
  - "no"
  include:
  - set: "el8"
  puppet: "puppet7"
- keycloak_version: "24.0.5"
+ keycloak_version: "25.0.1"
  keycloak_full: "yes"
  - set: "el8"
  puppet: "puppet8"
- keycloak_version: "24.0.5"
+ keycloak_version: "25.0.1"
  keycloak_full: "yes"
  env:
  BUNDLE_WITHOUT: development:release

.sync.yml

@@ -25,16 +25,16 @@ Rakefile:
  - puppet7
  - puppet8
  keycloak_version:
- - '24.0.5'
+ - '25.0.1'
  keycloak_full: ['no']
  acceptance_includes:
  - set: el8
  puppet: puppet7
- keycloak_version: '24.0.5'
+ keycloak_version: '25.0.1'
  keycloak_full: 'yes'
  - set: el8
  puppet: puppet8
- keycloak_version: '24.0.5'
+ keycloak_version: '25.0.1'
  keycloak_full: 'yes'
 .gitignore:
  paths:

README.md

@@ -6,6 +6,7 @@
 #### Table of Contents
 
 1. [Overview](#overview)
+ * [Upgrade to 12.x](#upgrade-to-12x)
  * [Upgrade to 8.x](#upgrade-to-8x)
  * [Changes to LDAP user provider IDs](#changes-to-ldap-user-provider-ids)
  * [Supported Versions of Keycloak](#supported-versions-of-keycloak)
@@ -35,6 +36,23 @@
 
 The keycloak module allows easy installation and management of Keycloak.
 
+### Upgrade to 12.x
+
+Version 12.x of this module had some major breaking changes to support Keycloak 25.x.
+
+The `keycloak_flow` and `keycloak_flow_execution` types had their `index` property replaced by `priority`. If you had executions with `index` 0,1,2 you'd need to set `priority` to something like 10,20,30.
+
+The configuration options switched to using Hostname v2 options.
+
+* `hostname` now accepts a URL
+* `hostname-url` is removed
+* `hostname-path` is removed
+* `hostname-port` is removed
+* `hostname-admin` now requires a URL
+* `hostname-admin-url` is removed
+* `hostname-strict-backchannel` is renamed to `hostname-backchannel-dynamic`
+* `hostname-strict-https` is removed
+
 ### Upgrade to 8.x
 
 This module underwent major changes in the 8.0.0 release to support Keycloak that uses Quarkus.
@@ -523,27 +541,27 @@ keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
  ensure => 'present',
  configurable => false,
  display_name => 'Cookie',
- index  => 0,
+ priority => 10,
  requirement => 'ALTERNATIVE',
 }
 keycloak_flow_execution { 'identity-provider-redirector under browser-with-duo on test':
  ensure => 'present',
  configurable => true,
  display_name => 'Identity Provider Redirector',
- index  => 1,
+ priority => 15,
  requirement => 'ALTERNATIVE',
 }
 keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
  ensure => 'present',
- index  => 2,
+ priority => 20,
  requirement => 'ALTERNATIVE',
  top_level => false,
 }
 keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
  ensure => 'present',
  configurable => false,
  display_name => 'Username Password Form',
- index  => 0,
+ priority => 10,
  requirement => 'REQUIRED',
 }
 keycloak_flow_execution { 'duo-universal under form-browser-with-duo on test':
@@ -558,7 +576,7 @@ keycloak_flow_execution { 'duo-universal under form-browser-with-duo on test':
  "duoGroups" => "duo"
  },
  requirement => 'REQUIRED',
- index  => 1,
+ priority => 15,
 }
 ```
 

lib/puppet/provider/keycloak_flow/kcadm.rb

@@ -63,6 +63,7 @@ def self.instances
  flow[:realm] = realm
  flow[:description] = e['description']
  flow[:index] = e['index']
+ flow[:priority] = e['priority']
  flow[:display_name] = e['displayName']
  flow[:alias] = e['displayName']
  if e['level'] != 0
@@ -105,6 +106,7 @@ def create
  data[:provider] = resource[:type]
  data[:description] = resource[:description]
  data[:type] = resource[:provider_id]
+ data[:priority] = resource[:priority]
  url = "authentication/flows/#{resource[:flow_alias]}/executions/flow"
  end
  t = Tempfile.new('keycloak_flow')
@@ -134,7 +136,8 @@ def create
  unless execution_id.nil?
  update_data = {
  id: execution_id,
- requirement: resource[:requirement]
+ requirement: resource[:requirement],
+ priority: resource[:priority]
  }
  t = Tempfile.new('keycloak_flow_execution')
  t.write(JSON.pretty_generate(update_data))
@@ -181,19 +184,6 @@ def initialize(value = {})
  end
  end
 
- def current_priority
- data = {}
- begin
- output = kcadm('get', "authentication/executions/#{id}", resource[:realm])
- data = JSON.parse(output)
- rescue Puppet::ExecutionFailure => e
- Puppet.debug("kcadm get execution failed\nError message: #{e.message}")
- rescue JSON::ParserError
- Puppet.debug('Unable to parse output from kcadm get execution')
- end
- data['priority'] || resource[:index]
- end
-
  def flush
  unless @property_flush.empty?
  data = {}
@@ -204,10 +194,11 @@ def flush
  data[:providerId] = resource[:provider_id]
  data[:topLevel] = true
  url = "authentication/flows/#{id}"
- elsif @property_flush[:requirement]
+ elsif @property_flush[:requirement] || @property_flush[:priority]
  data[:id] = id
  data[:description] = resource[:description]
  data[:requirement] = resource[:requirement]
+ data[:priority] = resource[:priority]
  url = "authentication/flows/#{resource[:flow_alias]}/executions"
  end
  unless data.empty?
@@ -221,22 +212,6 @@ def flush
  raise Puppet::Error, "kcadm update flow failed\nError message: #{e.message}"
  end
  end
- if resource[:top_level] == :false && @property_flush[:index]
- index_difference = current_priority - @property_flush[:index]
- if index_difference.zero?
- Puppet.notice("Index difference for Keycloak_flow[#{resource[:name]}] is unchanged, skipping.")
- elsif index_difference.negative?
- incrementer = 1
- action = 'lower-priority'
- else
- incrementer = -1
- action = 'raise-priority'
- end
- while index_difference != 0
- kcadm('create', "authentication/executions/#{id}/#{action}", resource[:realm])
- index_difference += incrementer
- end
- end
  end
  # Collect the resources again once they've been changed (that way `puppet
  # resource` will show the correct values after changes have been made).

lib/puppet/provider/keycloak_flow_execution/kcadm.rb

@@ -49,6 +49,7 @@ def self.instances
  execution[:flow_alias] = f['alias']
  execution[:realm] = realm
  execution[:index] = e['index']
+ execution[:priority] = e['priority']
  execution[:display_name] = e['displayName'] if e.key?('displayName')
  if e['level'] != 0
  parent_level = levels.find { |k, _v| k == (e['level'] - 1) }
@@ -104,6 +105,7 @@ def create
  data[:displayName] = resource[:display_name] if resource[:display_name]
  data[:configurable] = convert_property_value(resource[:configurable]) if resource[:configurable]
  data[:alias] = resource[:alias] if resource[:alias]
+ data[:priority] = resource[:priority]
  t = Tempfile.new('keycloak_flow_execution')
  t.write(JSON.pretty_generate(data))
  t.close
@@ -117,7 +119,8 @@ def create
  if resource[:requirement] != 'DISABLED'
  update_data = {
  id: new_id.strip,
- requirement: resource[:requirement]
+ requirement: resource[:requirement],
+ priority: resource[:priority]
  }
  tu = Tempfile.new('keycloak_flow_execution_update')
  tu.write(JSON.pretty_generate(update_data))
@@ -173,25 +176,13 @@ def initialize(value = {})
  end
  end
 
- def current_priority
- data = {}
- begin
- output = kcadm('get', "authentication/executions/#{id}", resource[:realm])
- data = JSON.parse(output)
- rescue Puppet::ExecutionFailure => e
- Puppet.debug("kcadm get execution failed\nError message: #{e.message}")
- rescue JSON::ParserError
- Puppet.debug('Unable to parse output from kcadm get execution')
- end
- data['priority'] || resource[:index]
- end
-
  def flush
  unless @property_flush.empty?
- if @property_flush[:requirement]
+ if @property_flush[:requirement] || @property_flush[:priority]
  data = {}
  data[:id] = id
- data[:requirement] = resource[:requirement] if @property_flush[:requirement]
+ data[:requirement] = resource[:requirement]
+ data[:priority] = resource[:priority]
  t = Tempfile.new('keycloak_flow_execution')
  t.write(JSON.pretty_generate(data))
  t.close
@@ -225,22 +216,6 @@ def flush
  raise Puppet::Error, "kcadm update flow execution config failed\nError message: #{e.message}"
  end
  end
- if @property_flush[:index]
- index_difference = current_priority - @property_flush[:index]
- if index_difference.zero?
- Puppet.notice("Index difference for Keycloak_flow_execution[#{resource[:name]}] is unchanged, skipping.")
- elsif index_difference.negative?
- incrementer = 1
- action = 'lower-priority'
- else
- incrementer = -1
- action = 'raise-priority'
- end
- while index_difference != 0
- kcadm('create', "authentication/executions/#{id}/#{action}", resource[:realm])
- index_difference += incrementer
- end
- end
  end
  # Collect the resources again once they've been changed (that way `puppet
  # resource` will show the correct values after changes have been made).

lib/puppet/type/keycloak_client.rb

@@ -215,7 +215,6 @@ def insync?(is)
 
  newproperty(:web_origins, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
  desc 'webOrigins'
- defaultto []
  end
 
  newproperty(:login_theme) do

lib/puppet/type/keycloak_flow.rb

@@ -16,16 +16,16 @@
 @example Add a flow execution to existing browser-with-duo flow
  keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
  ensure => 'present',
- index  => 2,
+ priority => 20,
  requirement => 'ALTERNATIVE',
  top_level => false,
  }
 
 **Autorequires**
 * `keycloak_realm` defined for `realm` parameter
 * `keycloak_flow` of `flow_alias` if `top_level=false`
-* `keycloak_flow` of `flow_alias` if other `index` is lower and if `top_level=false`
-* `keycloak_flow_execution` if `flow_alias` is the same and other `index` is lower and if `top_level=false`
+* `keycloak_flow` of `flow_alias` if other `priority` is lower and if `top_level=false`
+* `keycloak_flow_execution` if `flow_alias` is the same and other `priority` is lower and if `top_level=false`
  DESC
 
  extend PuppetX::Keycloak::Type
@@ -88,8 +88,8 @@
  defaultto(:true)
  end
 
- newproperty(:index, parent: PuppetX::Keycloak::IntegerProperty) do
- desc 'execution index, only applied to top_level=false, required for top_level=false'
+ newproperty(:priority, parent: PuppetX::Keycloak::IntegerProperty) do
+ desc 'execution priority, only applied to top_level=false, required for top_level=false'
  end
 
  newproperty(:description) do
@@ -148,7 +148,7 @@ def self.title_patterns
  if self[:flow_alias] == resource[:alias]
  requires << resource.name
  end
- if !resource[:index].nil? && !self[:index].nil? && self[:index] > resource[:index] && self[:flow_alias] == resource[:flow_alias]
+ if !resource[:priority].nil? && !self[:priority].nil? && self[:priority] > resource[:priority] && self[:flow_alias] == resource[:flow_alias]
  requires << resource.name
  end
  end
@@ -162,7 +162,7 @@ def self.title_patterns
  next if self[:realm] != resource[:realm]
  next if self[:top_level] == :true
 
- if self[:flow_alias] == resource[:flow_alias] && !self[:index].nil? && !resource[:index].nil? && self[:index] > resource[:index]
+ if self[:flow_alias] == resource[:flow_alias] && !self[:priority].nil? && !resource[:priority].nil? && self[:priority] > resource[:priority]
  requires << resource.name
  end
  end
@@ -187,8 +187,8 @@ def self.title_patterns
  end
 
  if self[:ensure] == :present
- if self[:top_level] == :false && self[:index].nil?
- raise "Keycloak_flow[#{self[:name]}] index is required when top_level is false"
+ if self[:top_level] == :false && self[:priority].nil?
+ raise "Keycloak_flow[#{self[:name]}] priority is required when top_level is false"
  end
  if self[:top_level] == :false && self[:flow_alias].nil?
  raise "Keycloak_flow[#{self[:name]}] flow_alias is required when top_level is false"