diff --git a/manifests/config.pp b/manifests/config.pp
index fb787602..40619ed4 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -279,6 +279,36 @@
 order => '03',
 }
 }
+ 'keycloak': {
+ $foreman_socket_override = undef
+
+ unless $foreman::ssl {
+ fail('Keycloak requires HTTPS')
+ }
+
+ foreman::settings_fragment { 'authorize_login_delegation.yaml':
+ content => template('foreman/settings-external-auth.yaml.erb'),
+ order => '02',
+ }
+
+ # TODO: parameter
+ $keycloak_url = 'https://keycloak.example.com'
+ $oidc_issuer = "${keycloak_url}/auth/realms/${foreman::keycloak_realm}"
+ $keycloak_settings = {
+ ':login_delegation_logout_url' => "${foreman::foreman_url}/users/extlogout",
+ # TODO: parameters or obtain from ${oidc_issuer}/.well-known/openid-configuration
+ ':oidc_algorithm' => 'RS256',
+ ':oidc_audience' => ["${foreman::servername}-foreman-openidc"],
+ ':oidc_issuer' => $oidc_issuer,
+ ':oidc_jwks_url' => "${oidc_issuer}/protocol/openid-connect/certs",
+ }
+
+ foreman::settings_fragment { 'authorize_login_delegation-keycloak.yaml':
+ # TODO: does this include the document marker?
+ content => stdlib::to_yaml($keycloak_settings),
+ order => '04',
+ }
+ }
 default: {
 $foreman_socket_override = undef
 }
diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
index 790ba152..5e445df1 100644
--- a/manifests/config/apache.pp
+++ b/manifests/config/apache.pp
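Review bot: Both TODOs on the `authorize_login_delegation-keycloak.yaml` fragment resolve to "yes, and it breaks the settings file": `stdlib::to_yaml` delegates to Ruby's `YAML.dump`, which emits a leading `---` document marker (a second document start in the middle of the concatenated settings.yaml, which a single `YAML.load` silently ignores), and, as far as I can tell from Psych's scalar quoting rules, string keys beginning with a colon are dumped double-quoted, so `':oidc_issuer'` loads back as the string `":oidc_issuer"` rather than the `:oidc_issuer` symbol key Foreman reads. Rendering this fragment through an ERB template like the `order => '02'` fragment (keys written as `:oidc_issuer: <%= ... %>`) avoids both problems; if `to_yaml` is kept, at minimum `content => regsubst(stdlib::to_yaml($keycloak_settings), '\A---\n', '')` is needed and the key problem still remains. Separately, `$keycloak_url = 'https://keycloak.example.com'` is a placeholder from which both `:oidc_issuer` and `:oidc_jwks_url` are derived, so no real token can validate until it becomes a parameter, and when the algorithm TODO is addressed keep `:oidc_algorithm` a pinned parameter (RS256) rather than something read from the remote discovery document at catalog time.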
@@ -243,21 +243,42 @@
 'keycloak': {
 include apache::mod::auth_openidc
 
- # This file is generated by keycloak-httpd-client-install and that manages
- # the content. The command would be:
- #
- # keycloak-httpd-client-install --app-name ${keycloak_app_name} --keycloak-server-url $KEYCLOAK_URL --keycloak-admin-username $KEYCLOAK_USER --keycloak-realm ${keycloak_realm} --keycloak-admin-realm master --keycloak-auth-role root-admin --client-type openidc --client-hostname ${servername} --protected-locations /users/extlogin
- #
- # If $suburi is used, --location-root should also be passed in
- #
- # By defining it here we avoid purging it and also tighten the
- # permissions so the world can't read its secrets.
- # This is functionally equivalent to apache::custom_config without content/source
- file { "${apache::confd_dir}/${keycloak_app_name}_oidc_keycloak_${keycloak_realm}.conf":
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0640',
+ # TODO: parameter
+ $use_keycloak_httpd_client_install = true
+ if $use_keycloak_httpd_client_install {
+ # This file is generated by keycloak-httpd-client-install and that manages
+ # the content. The command would be:
+ #
+ # keycloak-httpd-client-install --app-name ${keycloak_app_name} --keycloak-server-url $KEYCLOAK_URL --keycloak-admin-username $KEYCLOAK_USER --keycloak-realm ${keycloak_realm} --keycloak-admin-realm master --keycloak-auth-role root-admin --client-type openidc --client-hostname ${servername} --protected-locations /users/extlogin
+ #
+ # If $suburi is used, --location-root should also be passed in
+ #
+ # By defining it here we avoid purging it and also tighten the
+ # permissions so the world can't read its secrets.
+ # This is functionally equivalent to apache::custom_config without content/source
+ file { "${apache::confd_dir}/${keycloak_app_name}_oidc_keycloak_${keycloak_realm}.conf":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+ } else {
+ # TODO: parameters
+ $oidc_parameters = {
+ 'OIDCClientID' => '{{ clientid }}',
+ 'OIDCProviderMetadataURL' => "{{ keycloak_server_url }}/realms/${keycloak_realm}/.well-known/openid-configuration",
+ 'OIDCCryptoPassphrase' => '{{ crypto_passphrase }}',
+ 'OIDCClientSecret' => '{{ oidc_client_secret }}',
+ 'OIDCRedirectURI' => "${foreman_url}/users/extlogin/redirect_uri",
+ 'OIDCRemoteUserClaim' => '{{ oidc_remote_user_claim }}',
+ }
+ # TODO: pass to Apache
+ $locations = {
+ '/users/extlogin' => [
+ 'AuthType openid-connect',
+ 'Require valid-user',
+ ],
+ }
 }
 }
 default: {}
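Review bot: The `OIDCProviderMetadataURL` in the new else branch, `{{ keycloak_server_url }}/realms/${keycloak_realm}/.well-known/openid-configuration`, has no `/auth` path segment, while config.pp in this same commit builds `:oidc_issuer` as `${keycloak_url}/auth/realms/${foreman::keycloak_realm}`; whether `/auth` is present depends on the Keycloak version (it was dropped by default in Keycloak 17), and if the two disagree the `iss` claim in tokens mod_auth_openidc accepts will not match the issuer Foreman pins, so every login is rejected. Pick one base-URL convention and derive both URLs from the same parameter. The `{{ oidc_client_secret }}` and `{{ crypto_passphrase }}` placeholders are secrets: when they become parameters they should be `Sensitive[String]`, and whatever the "pass to Apache" TODO eventually writes must keep the `mode => '0640'` that the `keycloak-httpd-client-install` branch preserves, otherwise the client secret lands world-readable in `conf.d`. Note that `$use_keycloak_httpd_client_install = true` leaves the else branch unreachable until it is parameterized.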