From 7471950f5024f11b30fca7c27d6286d7081006d2 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Tue, 26 Nov 2024 12:24:19 -0500
Subject: [PATCH] Add introspection_token_claim to protocol mapper types

---
 .../keycloak_client_protocol_mapper/kcadm.rb | 3 ++
 .../keycloak_protocol_mapper/kcadm.rb | 3 ++
 .../type/keycloak_client_protocol_mapper.rb | 12 ++++++++
 lib/puppet/type/keycloak_protocol_mapper.rb | 12 ++++++++
 .../keycloak_client_protocol_mapper_spec.rb | 30 +++++++++++++++++++
 .../type/keycloak_protocol_mapper_spec.rb | 30 +++++++++++++++++++
 6 files changed, 90 insertions(+)

diff --git a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb
index b3e28d7e..d114ae8f 100644
--- a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb
+++ b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb
@@ -61,6 +61,7 @@ def self.instances
 if protocol_mapper[:protocol] == 'openid-connect'
 protocol_mapper[:id_token_claim] = d['config']['id.token.claim']
 protocol_mapper[:access_token_claim] = d['config']['access.token.claim']
+ protocol_mapper[:introspection_token_claim] = d['config']['introspection.token.claim']
 end
 unless ['oidc-audience-mapper'].include?(protocol_mapper[:type])
 protocol_mapper[:userinfo_token_claim] = d['config']['userinfo.token.claim']
@@ -127,6 +128,7 @@ def create
 if resource[:protocol] == 'openid-connect'
 data[:config][:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
 data[:config][:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+ data[:config][:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
 end
 if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
 data[:config][:'userinfo.token.claim'] = resource[:userinfo_token_claim]
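Review bot: The added `self.instances` line reads `d['config']['introspection.token.claim']`, which is nil for any mapper whose stored config predates this option, while the type defaults the property to `:true` for `openid-connect`; presumably Puppet then reports every such mapper as out of sync and rewrites it on the first run after upgrading the module, which is harmless but noisy and surprising in a large realm. If Keycloak treats an absent key as "include in introspection" (worth confirming against the server version in use), mapping the missing key to that default on read would avoid the spurious change, e.g. `protocol_mapper[:introspection_token_claim] = d['config'].fetch('introspection.token.claim', 'true')`; otherwise the one-time convergence should at least be mentioned in the changelog. Both `self.instances` and `create` continue outside the hunk.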
@@ -216,6 +218,7 @@ def flush
 if resource[:protocol] == 'openid-connect'
 config[:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
 config[:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+ config[:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
 end
 if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
 config[:'userinfo.token.claim'] = resource[:userinfo_token_claim]
diff --git a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb
index ee033c9a..0bc83557 100644
--- a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb
+++ b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb
@@ -59,6 +59,7 @@ def self.instances
 if protocol_mapper[:protocol] == 'openid-connect'
 protocol_mapper[:id_token_claim] = d['config']['id.token.claim']
 protocol_mapper[:access_token_claim] = d['config']['access.token.claim']
+ protocol_mapper[:introspection_token_claim] = d['config']['introspection.token.claim']
 end
 unless ['oidc-audience-mapper'].include?(protocol_mapper[:type])
 protocol_mapper[:userinfo_token_claim] = d['config']['userinfo.token.claim']
@@ -123,6 +124,7 @@ def create
 if resource[:protocol] == 'openid-connect'
 data[:config][:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
 data[:config][:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+ data[:config][:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
 end
 if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
 data[:config][:'userinfo.token.claim'] = resource[:userinfo_token_claim]
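Review bot: The property-to-config-key mapping for the OIDC token flags is now spelled out by hand in six places in this patch (`instances`, `create` and `flush` in each of the two kcadm providers), so the `'introspection.token.claim'` string is copied six times and the next flag will need the same six edits. A single frozen table such as `OIDC_TOKEN_CLAIMS = { id_token_claim: 'id.token.claim', access_token_claim: 'access.token.claim', introspection_token_claim: 'introspection.token.claim' }.freeze`, iterated with `each` where this hunk writes `config[...]`, would keep the three methods in lockstep and make a typo in one key string impossible. `flush` starts before this hunk.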
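Review bot: The added `self.instances` line in the realm-level provider has the same read-back gap as the client-level one: a mapper stored without an `introspection.token.claim` key yields nil here, and against the type's `:true` default that presumably shows up as a change on the first run. Consider `d['config'].fetch('introspection.token.claim', 'true')` if an absent key means "included" on the Keycloak versions this module targets (to be confirmed), or note the one-off convergence in the release notes. `self.instances` continues outside the hunk.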
@@ -210,6 +212,7 @@ def flush
 if resource[:protocol] == 'openid-connect'
 config[:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
 config[:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+ config[:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
 end
 if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
 config[:'userinfo.token.claim'] = resource[:userinfo_token_claim]
diff --git a/lib/puppet/type/keycloak_client_protocol_mapper.rb b/lib/puppet/type/keycloak_client_protocol_mapper.rb
index 20d3b748..24833987 100644
--- a/lib/puppet/type/keycloak_client_protocol_mapper.rb
+++ b/lib/puppet/type/keycloak_client_protocol_mapper.rb
@@ -175,6 +175,18 @@
 end
 end
 
+ newproperty(:introspection_token_claim, boolean: true) do
+ desc 'introspection.token.claim. Default to `true` for `protocol` `openid-connect`.'
+ newvalues(:true, :false)
+ defaultto do
+ if @resource['protocol'] == 'openid-connect'
+ :true
+ else
+ nil
+ end
+ end
+ end
+
 newproperty(:attribute_nameformat) do
 desc 'attribute.nameformat'
 validate do |v|
diff --git a/lib/puppet/type/keycloak_protocol_mapper.rb b/lib/puppet/type/keycloak_protocol_mapper.rb
index b06dfd71..57f12685 100644
--- a/lib/puppet/type/keycloak_protocol_mapper.rb
+++ b/lib/puppet/type/keycloak_protocol_mapper.rb
@@ -177,6 +177,18 @@
 end
 end
 
+ newproperty(:introspection_token_claim, boolean: true) do
+ desc 'introspection.token.claim. Default to `true` for `protocol` `openid-connect`.'
+ newvalues(:true, :false)
+ defaultto do
+ if @resource['protocol'] == 'openid-connect'
+ :true
+ else
+ nil
+ end
+ end
+ end
+
 newproperty(:attribute_nameformat) do
 desc 'attribute.nameformat'
 validate do |v|
diff --git a/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb
index fa0285dc..3b07da8d 100644
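Review bot: The `desc` on the new `introspection_token_claim` property in keycloak_client_protocol_mapper only restates the config key; a practitioner needs to know what the flag actually gates. As the Keycloak option name indicates, it controls whether this mapper's claim appears in token-introspection responses, so setting it to `false` hides the claim from resource servers that authorize via the introspection endpoint even when the access token itself still carries it, and the `:true` default means every managed `openid-connect` mapper will now explicitly opt in. I would extend the desc with a sentence along the lines of 'Whether the claim is added to token introspection responses; false hides it from resource servers that rely on introspection rather than decoding the token.' and a caveat that the key is ignored by Keycloak releases that predate the option (which release that is is not visible here; confirm before naming one).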
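Review bot: The `desc` on the new `introspection_token_claim` property in keycloak_protocol_mapper should say what the flag does rather than just naming the config key, because a wrong value here has an authorization effect: from the option name, `false` removes this mapper's claim from token-introspection responses while leaving it in the access token, so resource servers that authorize via introspection stop seeing it. Suggested addition to the desc: 'Whether the claim is added to token introspection responses.' plus a note that Keycloak releases without this mapper option ignore the key (the exact release is not visible in this patch).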
--- a/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb
+++ b/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb
@@ -251,6 +251,36 @@
 }.to raise_error(%r{foo})
 end
 
+ it 'defaults for introspection_token_claim' do
+ expect(resource[:introspection_token_claim]).to eq(:true)
+ end
+
+ it 'does not default introspection_token_claim for saml' do
+ config[:protocol] = 'saml'
+ expect(resource[:introspection_token_claim]).to be_nil
+ end
+
+ it 'accepts true for introspection_token_claim' do
+ config[:introspection_token_claim] = true
+ expect(resource[:introspection_token_claim]).to eq(:true)
+ config[:introspection_token_claim] = 'true'
+ expect(resource[:introspection_token_claim]).to eq(:true)
+ end
+
+ it 'accepts false for introspection_token_claim' do
+ config[:introspection_token_claim] = false
+ expect(resource[:introspection_token_claim]).to eq(:false)
+ config[:introspection_token_claim] = 'false'
+ expect(resource[:introspection_token_claim]).to eq(:false)
+ end
+
+ it 'does not accept strings for introspection_token_claim' do
+ config[:introspection_token_claim] = 'foo'
+ expect {
+ resource
+ }.to raise_error(%r{foo})
+ end
+
 defaults = {}
 
 describe 'basic properties' do
diff --git a/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb
index c8517aaf..8cf5ff27 100644
--- a/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb
+++ b/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb
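Review bot: These specs pin the type's default and value munging, but nothing in the patch exercises the provider lines that actually carry the setting to Keycloak, and the `'introspection.token.claim'` key string is hand-copied there six times. If the module keeps provider specs under spec/unit/puppet/provider (not visible here), an example asserting that `create` and `flush` put `introspection.token.claim` into the kcadm config hash, and that `instances` reads it back into `:introspection_token_claim`, would catch a silently mistyped key, which would otherwise leave the flag unmanaged without any error. The enclosing `describe` block starts and ends outside this hunk.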
@@ -251,6 +251,36 @@
 }.to raise_error(%r{foo})
 end
 
+ it 'defaults for introspection_token_claim' do
+ expect(resource[:introspection_token_claim]).to eq(:true)
+ end
+
+ it 'does not default introspection_token_claim for saml' do
+ config[:protocol] = 'saml'
+ expect(resource[:introspection_token_claim]).to be_nil
+ end
+
+ it 'accepts true for introspection_token_claim' do
+ config[:introspection_token_claim] = true
+ expect(resource[:introspection_token_claim]).to eq(:true)
+ config[:introspection_token_claim] = 'true'
+ expect(resource[:introspection_token_claim]).to eq(:true)
+ end
+
+ it 'accepts false for introspection_token_claim' do
+ config[:introspection_token_claim] = false
+ expect(resource[:introspection_token_claim]).to eq(:false)
+ config[:introspection_token_claim] = 'false'
+ expect(resource[:introspection_token_claim]).to eq(:false)
+ end
+
+ it 'does not accept strings for introspection_token_claim' do
+ config[:introspection_token_claim] = 'foo'
+ expect {
+ resource
+ }.to raise_error(%r{foo})
+ end
+
 defaults = {}
 
 describe 'basic properties' do