From ac65098c0251040fb80574b71812e548b7d85169 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Mon, 18 Nov 2024 09:18:43 -0500
Subject: [PATCH] Remove kcmadm login session when Keycloak service restarts unless using persistent sessions
---
 files/kcadm-wrapper.sh | 2 +-
 manifests/config.pp | 2 +-
 manifests/init.pp | 1 +
 templates/keycloak.service.erb | 4 ++++
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/files/kcadm-wrapper.sh b/files/kcadm-wrapper.sh
index 055502a5..d8d8acbf 100644
--- a/files/kcadm-wrapper.sh
+++ b/files/kcadm-wrapper.sh
@@ -3,7 +3,7 @@
 # shellcheck source=/dev/null
 . /opt/keycloak/conf/kcadm-wrapper.conf
-EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" || echo "0")
+EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" 2>/dev/null || echo "0")
 NOW=$(/usr/bin/date +%s%3N)
 if [ ! -f "$CONFIG" ] || [ "$EXPIRES" -lt "$NOW" ]; then
diff --git a/manifests/config.pp b/manifests/config.pp
index 32e697f5..de09dc95 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -11,7 +11,7 @@
 $wrapper_conf = {
 'KCADM' => "${keycloak::install_base}/bin/kcadm.sh",
- 'CONFIG' => "${keycloak::conf_dir}/kcadm.config",
+ 'CONFIG' => $keycloak::login_config,
 'SERVER' => $keycloak::wrapper_server,
 'REALM' => 'master',
 'ADMIN_USER' => $keycloak::admin_user,
diff --git a/manifests/init.pp b/manifests/init.pp
index beb3481e..429ceb39 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -331,6 +331,7 @@
 $providers_dir = "${install_base}/providers"
 $wrapper_path = "${keycloak::install_base}/bin/kcadm-wrapper.sh"
 $wrapper_conf = "${conf_dir}/kcadm-wrapper.conf"
+ $login_config = "${conf_dir}/kcadm.config"
 $default_config = {
 'hostname' => $hostname,
diff --git a/templates/keycloak.service.erb b/templates/keycloak.service.erb
index 88d8a0c5..393a76ac 100644
--- a/templates/keycloak.service.erb
+++ b/templates/keycloak.service.erb
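Review bot: In files/kcadm-wrapper.sh, `EXPIRES` can still end up empty on the new line, because `sed -n` exits 0 when `$CONFIG` is readable but has no `refreshExpiresAt` match, so the `|| echo "0"` fallback never fires. `[ "$EXPIRES" -lt "$NOW" ]` then fails with a non-integer operand and counts as false, so the branch guarded by the `if` is skipped for a truncated or malformed config; the body of that `if` is outside the hunk. Adding `EXPIRES=${EXPIRES:-0}` right after the assignment would make that case take the same path as an expired session. The added `2>/dev/null` also hides read errors such as permission denied on `$CONFIG`, which is worth keeping in mind when debugging the cached login.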
@@ -21,6 +21,10 @@ Environment='JAVA_HOME=<%= scope['keycloak::java_home'] %>'
 User=<%= scope['keycloak::user'] %>
 Group=<%= scope['keycloak::group'] %>
 ExecStart=<%= scope['keycloak::service_start_cmd'] %>
+# TODO: remove once upgraded from Keycloak 25 to 26
+<% unless (scope['keycloak::features'] || []).include?('persistent-user-sessions') -%>
+ExecStartPost=-/usr/bin/rm -f <%= scope['keycloak::login_config'] %>
+<% end -%>
 TimeoutStartSec=600
 TimeoutStopSec=600
 SuccessExitStatus=0 143
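Review bot: The new `ExecStartPost=` line interpolates `keycloak::login_config` unquoted into an `rm -f` command, so a `conf_dir` containing whitespace would be split by systemd into several arguments and the delete would hit paths other than the login config. Quoting the path and ending option parsing, `ExecStartPost=-/usr/bin/rm -f -- "<%= scope['keycloak::login_config'] %>"`, keeps the removal confined to that one file. The command runs under the `User=`/`Group=` set just above, and the leading `-` means a failed removal does not fail the unit, so if that account cannot write to the config directory (ownership is not visible here) the cached admin session would stay on disk; worth confirming. The `# TODO` line sits outside the ERB tags and is therefore written into every rendered unit file; an ERB comment, `<%# TODO: remove once upgraded from Keycloak 25 to 26 -%>`, would keep it in the template only.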