Add introspection_token_claim to protocol mapper types

treydock · Nov 26, 2024 · 7471950 · 7471950
1 parent 149c85b
commit 7471950
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 0 deletions.
diff --git a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb
@@ -61,6 +61,7 @@ def self.instances
           if protocol_mapper[:protocol] == 'openid-connect'
             protocol_mapper[:id_token_claim] = d['config']['id.token.claim']
             protocol_mapper[:access_token_claim] = d['config']['access.token.claim']
+            protocol_mapper[:introspection_token_claim] = d['config']['introspection.token.claim']
           end
           unless ['oidc-audience-mapper'].include?(protocol_mapper[:type])
             protocol_mapper[:userinfo_token_claim] = d['config']['userinfo.token.claim']
@@ -127,6 +128,7 @@ def create
     if resource[:protocol] == 'openid-connect'
       data[:config][:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
       data[:config][:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+      data[:config][:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
     end
     if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
       data[:config][:'userinfo.token.claim'] = resource[:userinfo_token_claim]
@@ -216,6 +218,7 @@ def flush
       if resource[:protocol] == 'openid-connect'
         config[:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
         config[:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+        config[:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
       end
       if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
         config[:'userinfo.token.claim'] = resource[:userinfo_token_claim]

diff --git a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb
@@ -59,6 +59,7 @@ def self.instances
           if protocol_mapper[:protocol] == 'openid-connect'
             protocol_mapper[:id_token_claim] = d['config']['id.token.claim']
             protocol_mapper[:access_token_claim] = d['config']['access.token.claim']
+            protocol_mapper[:introspection_token_claim] = d['config']['introspection.token.claim']
           end
           unless ['oidc-audience-mapper'].include?(protocol_mapper[:type])
             protocol_mapper[:userinfo_token_claim] = d['config']['userinfo.token.claim']
@@ -123,6 +124,7 @@ def create
     if resource[:protocol] == 'openid-connect'
       data[:config][:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
       data[:config][:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+      data[:config][:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
     end
     if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
       data[:config][:'userinfo.token.claim'] = resource[:userinfo_token_claim]
@@ -210,6 +212,7 @@ def flush
       if resource[:protocol] == 'openid-connect'
         config[:'id.token.claim'] = resource[:id_token_claim] if resource[:id_token_claim]
         config[:'access.token.claim'] = resource[:access_token_claim] if resource[:access_token_claim]
+        config[:'introspection.token.claim'] = resource[:introspection_token_claim] if resource[:introspection_token_claim]
       end
       if !['oidc-audience-mapper'].include?(resource[:type]) && resource[:userinfo_token_claim]
         config[:'userinfo.token.claim'] = resource[:userinfo_token_claim]

diff --git a/lib/puppet/type/keycloak_client_protocol_mapper.rb b/lib/puppet/type/keycloak_client_protocol_mapper.rb
@@ -175,6 +175,18 @@
     end
   end
 
+  newproperty(:introspection_token_claim, boolean: true) do
+    desc 'introspection.token.claim. Default to `true` for `protocol` `openid-connect`.'
+    newvalues(:true, :false)
+    defaultto do
+      if @resource['protocol'] == 'openid-connect'
+        :true
+      else
+        nil
+      end
+    end
+  end
+
   newproperty(:attribute_nameformat) do
     desc 'attribute.nameformat'
     validate do |v|

diff --git a/lib/puppet/type/keycloak_protocol_mapper.rb b/lib/puppet/type/keycloak_protocol_mapper.rb
@@ -177,6 +177,18 @@
     end
   end
 
+  newproperty(:introspection_token_claim, boolean: true) do
+    desc 'introspection.token.claim. Default to `true` for `protocol` `openid-connect`.'
+    newvalues(:true, :false)
+    defaultto do
+      if @resource['protocol'] == 'openid-connect'
+        :true
+      else
+        nil
+      end
+    end
+  end
+
   newproperty(:attribute_nameformat) do
     desc 'attribute.nameformat'
     validate do |v|

diff --git a/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb
@@ -251,6 +251,36 @@
     }.to raise_error(%r{foo})
   end
 
+  it 'defaults for introspection_token_claim' do
+    expect(resource[:introspection_token_claim]).to eq(:true)
+  end
+
+  it 'does not default introspection_token_claim for saml' do
+    config[:protocol] = 'saml'
+    expect(resource[:introspection_token_claim]).to be_nil
+  end
+
+  it 'accepts true for introspection_token_claim' do
+    config[:introspection_token_claim] = true
+    expect(resource[:introspection_token_claim]).to eq(:true)
+    config[:introspection_token_claim] = 'true'
+    expect(resource[:introspection_token_claim]).to eq(:true)
+  end
+
+  it 'accepts false for introspection_token_claim' do
+    config[:introspection_token_claim] = false
+    expect(resource[:introspection_token_claim]).to eq(:false)
+    config[:introspection_token_claim] = 'false'
+    expect(resource[:introspection_token_claim]).to eq(:false)
+  end
+
+  it 'does not accept strings for introspection_token_claim' do
+    config[:introspection_token_claim] = 'foo'
+    expect {
+      resource
+    }.to raise_error(%r{foo})
+  end
+
   defaults = {}
 
   describe 'basic properties' do

diff --git a/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb
@@ -251,6 +251,36 @@
     }.to raise_error(%r{foo})
   end
 
+  it 'defaults for introspection_token_claim' do
+    expect(resource[:introspection_token_claim]).to eq(:true)
+  end
+
+  it 'does not default introspection_token_claim for saml' do
+    config[:protocol] = 'saml'
+    expect(resource[:introspection_token_claim]).to be_nil
+  end
+
+  it 'accepts true for introspection_token_claim' do
+    config[:introspection_token_claim] = true
+    expect(resource[:introspection_token_claim]).to eq(:true)
+    config[:introspection_token_claim] = 'true'
+    expect(resource[:introspection_token_claim]).to eq(:true)
+  end
+
+  it 'accepts false for introspection_token_claim' do
+    config[:introspection_token_claim] = false
+    expect(resource[:introspection_token_claim]).to eq(:false)
+    config[:introspection_token_claim] = 'false'
+    expect(resource[:introspection_token_claim]).to eq(:false)
+  end
+
+  it 'does not accept strings for introspection_token_claim' do
+    config[:introspection_token_claim] = 'foo'
+    expect {
+      resource
+    }.to raise_error(%r{foo})
+  end
+
   defaults = {}
 
   describe 'basic properties' do