Add keycloak_role_mapping type and provider

mattock · mattock · commit cbf40d7e4564 · 2022-01-13T18:58:46.000+02:00
This new type allows attaching client and realm roles into users and groups.
Using the normal JSON payload approach ended up being overly complex as well as
much less performant than this simplistic approach.

Signed-off-by: Samuli Seppänen &lt;samuli.seppanen@puppeteers.net&gt;
diff --git a/README.md b/README.md
@@ -11,6 +11,7 @@
     * [Keycloak](#keycloak)
     * [Deploy SPI](#deploy-spi)
     * [keycloak_realm](#keycloak_realm)
+    * [keycloak_role_mapping](#keycloak_role_mapping)
     * [keycloak_ldap_user_provider](#keycloak_ldap_user_provider)
     * [keycloak_ldap_mapper](#keycloak_ldap_mapper)
     * [keycloak_sssd_user_provider](#keycloak_sssd_user_provider)
@@ -282,6 +283,23 @@ keycloak_realm { 'test':
 
 **NOTE:** If the flow properties such as `browser_flow` are changed from their defaults then this value will not be set when a realm is first created. The value will also not be updated if the flow does not exist. For new realms you will have to run Puppet twice in order to create the flows then update the realm setting.
 
+### keycloak\_role\_mapping
+
+Manage realm role mappings for users and groups. Example:
+
+    keycloak_role_mapping { 'roles for john on master':
+      realm       => 'master',
+      name        => 'john',
+      realm_roles => ['role1', 'role2'],
+    }
+    
+    keycloak_role_mapping { 'roles for mygroup on master':
+      realm        => 'master',
+      name         => 'mygroup',
+      group        => true,
+      realm_roles  => ['role1'],
+    }
+
 ### keycloak\_ldap\_user_provider
 
 Define a LDAP user provider so that authentication can be performed against LDAP.  The example below uses two LDAP servers, disables importing of users and assumes the SSL certificates are trusted and do not require being in the truststore.
diff --git a/lib/puppet/provider/keycloak_role_mapping/kcadm.rb b/lib/puppet/provider/keycloak_role_mapping/kcadm.rb
@@ -0,0 +1,43 @@
+require File.expand_path(File.join(File.dirname(__FILE__), '..', 'keycloak_api'))
+
+Puppet::Type.type(:keycloak_role_mapping).provide(:kcadm, parent: Puppet::Provider::KeycloakAPI) do
+  desc ''
+
+  def opt
+    (resource[:group] == :true) ? 'gname' : 'uusername'
+  end
+
+  def realm_roles
+    @active_realm_roles = []
+
+    output = kcadm('get-roles', nil, resource[:realm], nil, nil, false, opt => resource[:name])
+    begin
+      data = JSON.parse(output)
+    rescue JSON::ParserError
+      Puppet.debug('Unable to parse output from kcadm get-roles')
+    end
+
+    data.each do |d|
+      @active_realm_roles << d['name']
+    end
+    @active_realm_roles
+  end
+
+  def realm_roles=(_value)
+    removed_roles = @active_realm_roles.reject { |role| resource[:realm_roles].include?(role) }
+    remove_roles(removed_roles)
+
+    new_roles = resource[:realm_roles].reject { |role| @active_realm_roles.include?(role) }
+    add_roles(new_roles)
+  end
+
+  def remove_roles(roles)
+    return if roles.empty?
+    kcadm('remove-roles', '', resource[:realm], nil, nil, false, opt => resource[:name], rolename: roles)
+  end
+
+  def add_roles(roles)
+    return if roles.empty?
+    kcadm('add-roles', '', resource[:realm], nil, nil, false, opt => resource[:name], rolename: roles)
+  end
+end
diff --git a/lib/puppet/type/keycloak_role_mapping.rb b/lib/puppet/type/keycloak_role_mapping.rb
@@ -0,0 +1,36 @@
+require_relative '../../puppet_x/keycloak/type'
+require_relative '../../puppet_x/keycloak/array_property'
+
+Puppet::Type.newtype(:keycloak_role_mapping) do
+  desc <<-DESC
+Attach realm roles to users and groups
+@example Ensure that a user has the defined realm roles
+  keycloak_role_mapping { 'john-offline_access':
+    realm       => 'test',
+    name        => 'john',
+    realm_roles => ['offline_access'],
+  }
+  DESC
+
+  extend PuppetX::Keycloak::Type
+  add_autorequires
+
+  newparam(:name, namevar: true) do
+    desc '--uusername/--gname'
+  end
+
+  newparam(:group, boolean: true) do
+    desc 'is this a group instead of a user'
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
+  newparam(:realm) do
+    desc 'realm'
+  end
+
+  newproperty(:realm_roles, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
+    desc 'realm roles'
+    defaultto []
+  end
+end
