Update keycloak_flow_execution to handle script authenticators

Author: treydock

lib/puppet/provider/keycloak_flow_execution/kcadm.rb

@@ -55,6 +55,9 @@ def self.instances
             execution[:flow_alias] = parent_level[1][-1] if parent_level.size > 1
           end
           execution[:provider_id] = e['providerId']
+          if e['authenticationConfig'] =~ %r{^script-.+}
+            execution[:provider_id] = e['authenticationConfig']
+          end
           execution[:alias] = e['alias']
           execution[:name] = "#{execution[:provider_id]} under #{execution[:flow_alias]} on #{realm}"
           if e['authenticationFlow']

spec/acceptance/9_flow_spec.rb

@@ -19,6 +19,18 @@ class { 'keycloak': }
           'Keycloak_flow_execution[duo-universal under form-browser-with-duo on test]',
         ],
       }
+      keycloak::spi_deployment { 'osc-keycloak-scripts':
+        deployed_name => 'osc-keycloak-scripts-jar-with-dependencies.jar',
+        source        => "https://github.com/OSC/osc-keycloak-scripts/releases/download/1.1.0/osc-keycloak-scripts-jar-with-dependencies.jar",
+        test_url      => 'authentication/authenticator-providers',
+        test_key      => 'id',
+        test_value    => 'script-user-enabled-authenticator.js',
+        test_realm    => 'test',
+        test_before   => [
+          'Keycloak_flow[form-browser-with-duo]',
+          'Keycloak_flow_execution[script-user-enabled-authenticator.js under form-browser-with-duo on test]',
+        ],
+      }
       keycloak_realm { 'test': ensure => 'present' }
       keycloak_flow { 'browser-with-duo on test':
         ensure      => 'present',
@@ -52,6 +64,11 @@ class { 'keycloak': }
         priority     => 10,
         requirement  => 'REQUIRED',
       }
+      keycloak_flow_execution { 'script-user-enabled-authenticator.js under form-browser-with-duo on test':
+        ensure      => 'present',
+        requirement => 'REQUIRED',
+        priority    => 15,
+      }
       keycloak_flow_execution { 'duo-universal under form-browser-with-duo on test':
         ensure       => 'present',
         configurable => true,
@@ -93,8 +110,10 @@ class { 'keycloak': }
         expect(form['description']).to eq('Form Browser with DUO')
         auth_form = data.find { |d| d['providerId'] == 'auth-username-password-form' }
         expect(auth_form['index']).to eq(0)
+        script = data.find { |d| d['authenticationConfig'] == 'script-user-enabled-authenticator.js' }
+        expect(script['index']).to eq(1)
         duo = data.find { |d| d['providerId'] == 'duo-universal' }
-        expect(duo['index']).to eq(1)
+        expect(duo['index']).to eq(2)
       end
     end
   end
@@ -115,6 +134,18 @@ class { 'keycloak': }
           'Keycloak_flow_execution[duo-universal under form-browser-with-duo on test]',
         ],
       }
+      keycloak::spi_deployment { 'osc-keycloak-scripts':
+        deployed_name => 'osc-keycloak-scripts-jar-with-dependencies.jar',
+        source        => "https://github.com/OSC/osc-keycloak-scripts/releases/download/1.1.0/osc-keycloak-scripts-jar-with-dependencies.jar",
+        test_url      => 'authentication/authenticator-providers',
+        test_key      => 'id',
+        test_value    => 'script-user-enabled-authenticator.js',
+        test_realm    => 'test',
+        test_before   => [
+          'Keycloak_flow[form-browser-with-duo]',
+          'Keycloak_flow_execution[script-user-enabled-authenticator.js under form-browser-with-duo on test]',
+        ],
+      }
       keycloak_realm { 'test': ensure => 'present' }
       keycloak_flow { 'browser-with-duo on test':
         ensure => 'present',
@@ -161,6 +192,11 @@ class { 'keycloak': }
         priority     => 25,
         requirement  => 'REQUIRED',
       }
+      keycloak_flow_execution { 'script-user-enabled-authenticator.js under form-browser-with-duo on test':
+        ensure      => 'present',
+        requirement => 'REQUIRED',
+        priority    => 35,
+      }
       PUPPET_PP
 
       apply_manifest(pp, catch_failures: true)
@@ -187,6 +223,8 @@ class { 'keycloak': }
         expect(auth_form['index']).to eq(1)
         duo = data.find { |d| d['providerId'] == 'duo-universal' }
         expect(duo['index']).to eq(0)
+        script = data.find { |d| d['authenticationConfig'] == 'script-user-enabled-authenticator.js' }
+        expect(script['index']).to eq(2)
       end
     end
   end

spec/fixtures/unit/puppet/provider/keycloak_flow_execution/kcadm/get-executions.out

@@ -46,4 +46,16 @@
   "authenticationConfig" : "be93a426-077f-4235-9686-677ff0706bf8",
   "level" : 1,
   "index" : 1
+}, {
+  "id" : "fe1692cb-5a30-4312-ac1a-25dce4cad7ef",
+  "requirement" : "DISABLED",
+  "displayName" : "User Enabled Authenticator",
+  "alias" : "User Enabled Authenticator",
+  "requirementChoices" : [ "REQUIRED", "ALTERNATIVE", "DISABLED" ],
+  "configurable" : true,
+  "providerId" : "ONRXE2LQOQWXK43FOIWWK3TBMJWGKZBNMF2XI2DFNZ2GSY3BORXXELTKOM",
+  "authenticationConfig" : "script-user-enabled-authenticator.js",
+  "level" : 0,
+  "index" : 3,
+  "priority" : 31
 } ]

spec/spec_helper_acceptance_setup.rb

@@ -35,6 +35,8 @@
 keycloak::hostname: localhost
 keycloak::db: mariadb
 keycloak::proxy: edge
+keycloak::features:
+  - scripts
 # Force only listen on IPv4 for testing
 keycloak::java_opts: '-Djava.net.preferIPv4Stack=true'
 postgresql::server::service_status: 'service postgresql status 2>/dev/null 1>/dev/null'

spec/unit/puppet/provider/keycloak_flow_execution/kcadm_spec.rb

@@ -20,17 +20,29 @@
       allow(described_class).to receive(:kcadm).with('get', 'authentication/flows', 'test').and_return(my_fixture_read('get-test.out'))
       allow(described_class).to receive(:kcadm).with('get', 'authentication/flows/browser-with-duo/executions', 'test').and_return(my_fixture_read('get-executions.out'))
       allow(described_class).to receive(:kcadm).with('get', 'authentication/config/be93a426-077f-4235-9686-677ff0706bf8', 'test').and_return('{}')
-      expect(described_class.instances.length).to eq(4)
+      allow(described_class).to receive(:kcadm).with('get', 'authentication/config/script-user-enabled-authenticator.js', 'test').and_return('{}')
+      expect(described_class.instances.length).to eq(5)
     end
 
     it 'returns the resource for a flow' do
       allow(described_class).to receive(:realms).and_return(['test'])
       allow(described_class).to receive(:kcadm).with('get', 'authentication/flows', 'test').and_return(my_fixture_read('get-test.out'))
       allow(described_class).to receive(:kcadm).with('get', 'authentication/flows/browser-with-duo/executions', 'test').and_return(my_fixture_read('get-executions.out'))
       allow(described_class).to receive(:kcadm).with('get', 'authentication/config/be93a426-077f-4235-9686-677ff0706bf8', 'test').and_return('{}')
+      allow(described_class).to receive(:kcadm).with('get', 'authentication/config/script-user-enabled-authenticator.js', 'test').and_return('{}')
       property_hash = described_class.instances[0].instance_variable_get('@property_hash')
       expect(property_hash[:name]).to eq('auth-cookie under browser-with-duo on test')
     end
+
+    it 'returns script execution' do
+      allow(described_class).to receive(:realms).and_return(['test'])
+      allow(described_class).to receive(:kcadm).with('get', 'authentication/flows', 'test').and_return(my_fixture_read('get-test.out'))
+      allow(described_class).to receive(:kcadm).with('get', 'authentication/flows/browser-with-duo/executions', 'test').and_return(my_fixture_read('get-executions.out'))
+      allow(described_class).to receive(:kcadm).with('get', 'authentication/config/be93a426-077f-4235-9686-677ff0706bf8', 'test').and_return('{}')
+      allow(described_class).to receive(:kcadm).with('get', 'authentication/config/script-user-enabled-authenticator.js', 'test').and_return('{}')
+      property_hash = described_class.instances.last.instance_variable_get('@property_hash')
+      expect(property_hash[:provider_id]).to eq('script-user-enabled-authenticator.js')
+    end
   end
   #   describe 'self.prefetch' do
   #     let(:instances) do