Implement all Keycloak settings

Today the instructions for users are to set various settings in the UI after enabling Keycloak, but that's not great. Especially since some values are known or even must be set to a certain value. This creates settings files so the user is unable to change the values in the UI. The result is also a shorter instructions in the manual.
theforeman · Jan 15, 2025 · e8a15a4 · e8a15a4
1 parent 0428d42
commit e8a15a4
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 15 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -279,6 +279,36 @@
           order   => '03',
         }
       }
+      'keycloak': {
+        $foreman_socket_override = undef
+
+        unless $foreman::ssl {
+          fail('Keycloak requires HTTPS')
+        }
+
+        foreman::settings_fragment { 'authorize_login_delegation.yaml':
+          content => template('foreman/settings-external-auth.yaml.erb'),
+          order   => '02',
+        }
+
+        # TODO: parameter
+        $keycloak_url = 'https://keycloak.example.com'
+        $oidc_issuer = "${keycloak_url}/auth/realms/${foreman::keycloak_realm}"
+        $keycloak_settings = {
+          ':login_delegation_logout_url' => "${foreman::foreman_url}/users/extlogout",
+          # TODO: parameters or obtain from ${oidc_issuer}/.well-known/openid-configuration
+          ':oidc_algorithm'              => 'RS256',
+          ':oidc_audience'               => ["${foreman::servername}-foreman-openidc"],
+          ':oidc_issuer'                 => $oidc_issuer,
+          ':oidc_jwks_url'               => "${oidc_issuer}/protocol/openid-connect/certs",
+        }
+
+        foreman::settings_fragment { 'authorize_login_delegation-keycloak.yaml':
+          # TODO: does this include the document marker?
+          content => stdlib::to_yaml($keycloak_settings),
+          order   => '04',
+        }
+      }
       default: {
         $foreman_socket_override = undef
       }

diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
@@ -243,21 +243,42 @@
     'keycloak': {
       include apache::mod::auth_openidc
 
-      # This file is generated by keycloak-httpd-client-install and that manages
-      # the content. The command would be:
-      #
-      # keycloak-httpd-client-install --app-name ${keycloak_app_name} --keycloak-server-url $KEYCLOAK_URL --keycloak-admin-username $KEYCLOAK_USER --keycloak-realm ${keycloak_realm} --keycloak-admin-realm master --keycloak-auth-role root-admin --client-type openidc --client-hostname ${servername} --protected-locations /users/extlogin
-      #
-      # If $suburi is used, --location-root should also be passed in
-      #
-      # By defining it here we avoid purging it and also tighten the
-      # permissions so the world can't read its secrets.
-      # This is functionally equivalent to apache::custom_config without content/source
-      file { "${apache::confd_dir}/${keycloak_app_name}_oidc_keycloak_${keycloak_realm}.conf":
-        ensure => file,
-        owner  => 'root',
-        group  => 'root',
-        mode   => '0640',
+      # TODO: parameter
+      $use_keycloak_httpd_client_install = true
+      if $use_keycloak_httpd_client_install {
+        # This file is generated by keycloak-httpd-client-install and that manages
+        # the content. The command would be:
+        #
+        # keycloak-httpd-client-install --app-name ${keycloak_app_name} --keycloak-server-url $KEYCLOAK_URL --keycloak-admin-username $KEYCLOAK_USER --keycloak-realm ${keycloak_realm} --keycloak-admin-realm master --keycloak-auth-role root-admin --client-type openidc --client-hostname ${servername} --protected-locations /users/extlogin
+        #
+        # If $suburi is used, --location-root should also be passed in
+        #
+        # By defining it here we avoid purging it and also tighten the
+        # permissions so the world can't read its secrets.
+        # This is functionally equivalent to apache::custom_config without content/source
+        file { "${apache::confd_dir}/${keycloak_app_name}_oidc_keycloak_${keycloak_realm}.conf":
+          ensure => file,
+          owner  => 'root',
+          group  => 'root',
+          mode   => '0640',
+        }
+      } else {
+        # TODO: parameters
+        $oidc_parameters = {
+          'OIDCClientID'            => '{{ clientid }}',
+          'OIDCProviderMetadataURL' => "{{ keycloak_server_url }}/realms/${keycloak_realm}/.well-known/openid-configuration",
+          'OIDCCryptoPassphrase'    => '{{ crypto_passphrase }}',
+          'OIDCClientSecret'        => '{{ oidc_client_secret }}',
+          'OIDCRedirectURI'         => "${foreman_url}/users/extlogin/redirect_uri",
+          'OIDCRemoteUserClaim'     => '{{ oidc_remote_user_claim }}',
+        }
+        # TODO: pass to Apache
+        $locations = {
+          '/users/extlogin' => [
+            'AuthType openid-connect',
+            'Require valid-user',
+          ],
+        }
       }
     }
     default: {}