Implement realm otp, webauthn, webauthn passwordless and bruteforce p…

…roperties (#312) * Implement bruteforce properties * Add tests for bruteforce properties * Implement webauthn policy properties * Add tests for webauthn policy properties * Add unit tests for bruteforce and webauthn properties * Implement webauthn passwordless policy properties * Add tests for webauthn passwordless policy properties * Implement otp policy properties * Add tests for otp policy properties
treydock · Jun 19, 2024 · a627fa4 · a627fa4
1 parent 739f8ae
commit a627fa4
Show file tree

Hide file tree

Showing 3 changed files with 410 additions and 6 deletions.
diff --git a/lib/puppet/type/keycloak_realm.rb b/lib/puppet/type/keycloak_realm.rb
@@ -338,12 +338,88 @@ def should_to_s(_newvalue)
     newvalues(:true, :false)
   end
 
+  newproperty(:permanent_lockout, boolean: true) do
+    desc 'permanentLockout'
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
+  newproperty(:max_failure_wait_seconds, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'maxFailureWaitSeconds'
+    defaultto 900
+  end
+
+  newproperty(:minimum_quick_login_wait_seconds, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'minimumQuickLoginWaitSeconds'
+    defaultto 60
+  end
+
+  newproperty(:wait_increment_seconds, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'waitIncrementSeconds'
+    defaultto 60
+  end
+
+  newproperty(:quick_login_check_milli_seconds, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'quickLoginCheckMilliSeconds'
+    defaultto 1_000
+  end
+
+  newproperty(:max_delta_time_seconds, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'maxDeltaTimeSeconds'
+    defaultto 43_200
+  end
+
+  newproperty(:failure_factor, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'failureFactor'
+    defaultto 30
+  end
+
   newparam(:manage_roles, boolean: true) do
     desc 'Manage realm roles'
     newvalues(:true, :false)
     defaultto(:true)
   end
 
+  newproperty(:otp_policy_type) do
+    desc 'otpPolicyType'
+    newvalues('totp', 'hotp')
+    defaultto 'totp'
+  end
+
+  newproperty(:otp_policy_algorithm) do
+    desc 'otpPolicyAlgorithm'
+    newvalues('HmacSHA1', 'HmacSHA256', 'HmacSHA512')
+    defaultto 'HmacSHA1'
+  end
+
+  newproperty(:otp_policy_initial_counter, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'otpPolicyInitialCounter'
+    defaultto 0
+  end
+
+  newproperty(:otp_policy_digits) do
+    desc 'otpPolicyDigits'
+    newvalues(6, 8)
+    defaultto 6
+    munge { |v| v.to_i }
+  end
+
+  newproperty(:otp_policy_look_ahead_window, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'otpPolicyLookAheadWindow'
+    defaultto 1
+  end
+
+  newproperty(:otp_policy_period, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'otpPolicyPeriod'
+    defaultto 30
+  end
+
+  newproperty(:otp_policy_code_reusable, boolean: true) do
+    desc 'otpPolicyCodeReusable'
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
   newproperty(:roles, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
     desc 'roles'
     defaultto ['offline_access', 'uma_authorization']
@@ -357,6 +433,116 @@ def insync?(is)
     end
   end
 
+  newproperty(:web_authn_policy_rp_entity_name) do
+    desc 'webAuthnPolicyRpEntityName'
+    defaultto 'keycloak'
+  end
+
+  newproperty(:web_authn_policy_signature_algorithms, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
+    desc 'webAuthnPolicySignatureAlgorithms'
+    defaultto ['ES256']
+  end
+
+  newproperty(:web_authn_policy_rp_id) do
+    desc 'webAuthnPolicyRpId'
+    defaultto ''
+  end
+
+  newproperty(:web_authn_policy_attestation_conveyance_preference) do
+    desc 'webAuthnPolicyAttestationConveyancePreference'
+    newvalues('none', 'direct', 'indirect', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_authenticator_attachment) do
+    desc 'webAuthnPolicyAuthenticatorAttachment'
+    newvalues('platform', 'cross-platform', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_require_resident_key) do
+    desc 'webAuthnPolicyRequireResidentKey'
+    newvalues('No', 'Yes', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_user_verification_requirement) do
+    desc 'webAuthnPolicyUserVerificationRequirement'
+    newvalues('required', 'preferred', 'discouraged', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_create_timeout, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'webAuthnPolicyCreateTimeout'
+    defaultto 0
+  end
+
+  newproperty(:web_authn_policy_avoid_same_authenticator_register, boolean: true) do
+    desc 'webAuthnPolicyAvoidSameAuthenticatorRegister'
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
+  newproperty(:web_authn_policy_acceptable_aaguids, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
+    desc 'webAuthnPolicyAcceptableAaguids'
+    defaultto []
+  end
+
+  newproperty(:web_authn_policy_passwordless_rp_entity_name) do
+    desc 'webAuthnPolicyPasswordlessRpEntityName'
+    defaultto 'keycloak'
+  end
+
+  newproperty(:web_authn_policy_passwordless_signature_algorithms, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
+    desc 'webAuthnPolicyPasswordlessSignatureAlgorithms'
+    defaultto ['ES256']
+  end
+
+  newproperty(:web_authn_policy_passwordless_rp_id) do
+    desc 'webAuthnPolicyPasswordlessRpId'
+    defaultto ''
+  end
+
+  newproperty(:web_authn_policy_passwordless_attestation_conveyance_preference) do
+    desc 'webAuthnPolicyPasswordlessAttestationConveyancePreference'
+    newvalues('none', 'direct', 'indirect', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_passwordless_authenticator_attachment) do
+    desc 'webAuthnPolicyPasswordlessAuthenticatorAttachment'
+    newvalues('platform', 'cross-platform', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_passwordless_require_resident_key) do
+    desc 'webAuthnPolicyPasswordlessRequireResidentKey'
+    newvalues('No', 'Yes', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_passwordless_user_verification_requirement) do
+    desc 'webAuthnPolicyPasswordlessUserVerificationRequirement'
+    newvalues('required', 'preferred', 'discouraged', 'not specified')
+    defaultto 'not specified'
+  end
+
+  newproperty(:web_authn_policy_passwordless_create_timeout, parent: PuppetX::Keycloak::IntegerProperty) do
+    desc 'webAuthnPolicyPasswordlessCreateTimeout'
+    defaultto 0
+  end
+
+  newproperty(:web_authn_policy_passwordless_avoid_same_authenticator_register, boolean: true) do
+    desc 'webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister'
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
+  newproperty(:web_authn_policy_passwordless_acceptable_aaguids, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
+    desc 'webAuthnPolicyPasswordlessAcceptableAaguids'
+    defaultto []
+  end
+
   newproperty(:custom_properties) do
     desc 'custom properties to pass as realm configurations'
     defaultto {}

diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb
@@ -214,9 +214,41 @@ class { 'keycloak': }
         default_locale                    => 'en',
         supported_locales                 => ['en','de'],
         custom_properties                 => {
-          'failureFactor'      => 60,
           'revokeRefreshToken' => true,
         },
+        failure_factor                    => 60,
+        permanent_lockout                 => true,
+        max_failure_wait_seconds          => 999,
+        minimum_quick_login_wait_seconds  => 40,
+        wait_increment_seconds            => 10,
+        quick_login_check_milli_seconds   => 10,
+        max_delta_time_seconds            => 3600,
+        otp_policy_type                   => 'totp',
+        otp_policy_algorithm              => 'HmacSHA512',
+        otp_policy_initial_counter        => 1,
+        otp_policy_digits                 => 8,
+        otp_policy_period                 => 30,
+        otp_policy_code_reusable          => true,
+        web_authn_policy_rp_entity_name                    => 'Keycloak',
+        web_authn_policy_signature_algorithms              => ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'],
+        web_authn_policy_rp_id                             => 'https://example.com',
+        web_authn_policy_attestation_conveyance_preference => 'direct',
+        web_authn_policy_authenticator_attachment          => 'cross-platform',
+        web_authn_policy_require_resident_key              => 'No',
+        web_authn_policy_user_verification_requirement     => 'required',
+        web_authn_policy_create_timeout                    => 600,
+        web_authn_policy_avoid_same_authenticator_register => true,
+        web_authn_policy_acceptable_aaguids                => ['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'],
+        web_authn_policy_passwordless_rp_entity_name                    => 'Keycloak',
+        web_authn_policy_passwordless_signature_algorithms              => ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'],
+        web_authn_policy_passwordless_rp_id                             => 'https://example.com',
+        web_authn_policy_passwordless_attestation_conveyance_preference => 'direct',
+        web_authn_policy_passwordless_authenticator_attachment          => 'cross-platform',
+        web_authn_policy_passwordless_require_resident_key              => 'No',
+        web_authn_policy_passwordless_user_verification_requirement     => 'required',
+        web_authn_policy_passwordless_create_timeout                    => 600,
+        web_authn_policy_passwordless_avoid_same_authenticator_register => true,
+        web_authn_policy_passwordless_acceptable_aaguids                => ['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'],
       }
       PUPPET_PP
 
@@ -263,10 +295,42 @@ class { 'keycloak': }
         expect(data['adminTheme']).to eq('keycloak.v2')
         expect(data['emailTheme']).to eq('keycloak.v2')
         expect(data['failureFactor']).to eq(60)
+        expect(data['permanentLockout']).to eq(true)
+        expect(data['maxFailureWaitSeconds']).to eq(999)
+        expect(data['minimumQuickLoginWaitSeconds']).to eq(40)
+        expect(data['waitIncrementSeconds']).to eq(10)
+        expect(data['quickLoginCheckMilliSeconds']).to eq(10)
+        expect(data['maxDeltaTimeSeconds']).to eq(3600)
         expect(data['revokeRefreshToken']).to eq(true)
         expect(data['internationalizationEnabled']).to eq(true)
         expect(data['defaultLocale']).to eq('en')
         expect(data['supportedLocales']).to eq(['de', 'en'])
+        expect(data['otpPolicyType']).to eq('totp')
+        expect(data['otpPolicyAlgorithm']).to eq('HmacSHA512')
+        expect(data['otpPolicyInitialCounter']).to eq(1)
+        expect(data['otpPolicyDigits']).to eq(8)
+        expect(data['otpPolicyPeriod']).to eq(30)
+        expect(data['otpPolicyCodeReusable']).to eq(true)
+        expect(data['webAuthnPolicyRpEntityName']).to eq('Keycloak')
+        expect(data['webAuthnPolicySignatureAlgorithms']).to eq(['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'])
+        expect(data['webAuthnPolicyRpId']).to eq('https://example.com')
+        expect(data['webAuthnPolicyAttestationConveyancePreference']).to eq('direct')
+        expect(data['webAuthnPolicyAuthenticatorAttachment']).to eq('cross-platform')
+        expect(data['webAuthnPolicyRequireResidentKey']).to eq('No')
+        expect(data['webAuthnPolicyUserVerificationRequirement']).to eq('required')
+        expect(data['webAuthnPolicyCreateTimeout']).to eq(600)
+        expect(data['webAuthnPolicyAvoidSameAuthenticatorRegister']).to eq(true)
+        expect(data['webAuthnPolicyAcceptableAaguids']).to eq(['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'])
+        expect(data['webAuthnPolicyPasswordlessRpEntityName']).to eq('Keycloak')
+        expect(data['webAuthnPolicyPasswordlessSignatureAlgorithms']).to eq(['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'])
+        expect(data['webAuthnPolicyPasswordlessRpId']).to eq('https://example.com')
+        expect(data['webAuthnPolicyPasswordlessAttestationConveyancePreference']).to eq('direct')
+        expect(data['webAuthnPolicyPasswordlessAuthenticatorAttachment']).to eq('cross-platform')
+        expect(data['webAuthnPolicyPasswordlessRequireResidentKey']).to eq('No')
+        expect(data['webAuthnPolicyPasswordlessUserVerificationRequirement']).to eq('required')
+        expect(data['webAuthnPolicyPasswordlessCreateTimeout']).to eq(600)
+        expect(data['webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister']).to eq(true)
+        expect(data['webAuthnPolicyPasswordlessAcceptableAaguids']).to eq(['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'])
       end
     end