From 9f4623b05a776ec555e3a1581798a530fddf4cbd Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Tue, 14 May 2024 08:36:55 +0200
Subject: [PATCH 1/2] #224: keycloak_quarkus: Add support for policy files
---
 molecule/quarkus/converge.yml | 6 ++++++
 roles/keycloak_quarkus/README.md | 16 ++++++++++++++++
 roles/keycloak_quarkus/defaults/main.yml | 2 ++
 roles/keycloak_quarkus/tasks/install.yml | 22 ++++++++++++++++++++++
 roles/keycloak_quarkus/tasks/prereqs.yml | 10 ++++++++++
 5 files changed, 56 insertions(+)
diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index 9e74aa62..29822507 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -31,6 +31,12 @@
 value: 10
 - id: spid-saml
 url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+ keycloak_quarkus_policies:
+ - name: "xato-net-10-million-passwords.txt"
+ url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
+ - name: "xato-net-10-million-passwords-10.txt"
+ url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
+ type: password-blacklists
 roles:
 - role: keycloak_quarkus
 - role: keycloak_realm
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index f7f1be3e..47d5a215 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -176,6 +176,22 @@ bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-cl
 ```
+#### Configuring policies
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_policies`| List of policy definitions; see below | `[]` |
+
+Provider definition:
+
+```yaml
+keycloak_quarkus_policies:
+ - name: xato-net-10-million-passwords.txt # required, resulting file name
+ url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
+ type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
+```
+
+
 Role Variables
 --------------
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index 242482dd..8a4f9f11 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -150,3 +150,5 @@ keycloak_quarkus_ks_vault_type: PKCS12
 keycloak_quarkus_ks_vault_pass:
 keycloak_quarkus_providers: []
+keycloak_quarkus_policies: []
+keycloak_quarkus_supported_policy_types: ['password-blacklists']
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
index 480ccbcf..ab7c3961 100644
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
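Review bot: `keycloak_quarkus_supported_policy_types`, the last line added to defaults/main.yml, is the allow-list that the new prereqs assert checks `type` against and that the new install task turns into directories under `{{ keycloak.home }}/data/`, yet placing it in `defaults/` makes it an ordinary user-overridable variable, so any value a playbook puts there is both accepted and created and the validation guards nothing it cannot be told to accept. Keeping it in `vars/main.yml` (role vars outrank inventory and play vars) leaves the list under the role's control; the argument_specs hunk in the second patch, which publishes the same variable as a role argument, would then drop that entry too. If it must stay a default, a comment such as `# internal: sub-directories of data/ the role creates; not meant to be overridden` would at least state the intent.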
@@ -226,3 +226,25 @@
 loop: "{{ keycloak_quarkus_providers }}"
 when: item.url is defined and item.url | length > 0
 notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
+
+- name: Ensure required folder structure for policies exits
+ ansible.builtin.file:
+ path: "{{ keycloak.home }}/data/{{ item | lower }}"
+ state: directory
+ owner: "{{ keycloak.service_user }}"
+ group: "{{ keycloak.service_group }}"
+ mode: '0750'
+ become: true
+ loop: "{{ keycloak_quarkus_supported_policy_types }}"
+
+- name: "Install custom policies"
+ ansible.builtin.get_url:
+ url: "{{ item.url }}"
+ dest: "{{ keycloak.home }}/data/{{ item.type|default(keycloak_quarkus_supported_policy_types | first) | lower }}/{{ item.name }}"
+ owner: "{{ keycloak.service_user }}"
+ group: "{{ keycloak.service_group }}"
+ mode: '0640'
+ become: true
+ loop: "{{ keycloak_quarkus_policies }}"
+ when: item.url is defined and item.url | length > 0
+ notify: "restart keycloak"
diff --git a/roles/keycloak_quarkus/tasks/prereqs.yml b/roles/keycloak_quarkus/tasks/prereqs.yml
index e0a76d56..1e422a78 100644
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@@ -65,3 +65,13 @@
 quiet: true
 fail_msg: "Providers definition is incorrect; `id` and one of `spi` or `url` are mandatory. `key` and `value` are mandatory for each property"
 loop: "{{ keycloak_quarkus_providers }}"
+
+- name: "Validate policies"
+ ansible.builtin.assert:
+ that:
+ - item.name is defined and item.name | length > 0
+ - item.url is defined and item.url | length > 0
+ - item.type is not defined or item.type | lower in keycloak_quarkus_supported_policy_types
+ quiet: true
+ fail_msg: "Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}."
+ loop: "{{ keycloak_quarkus_policies }}"
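Review bot: The `Install custom policies` task downloads each file from `item.url` with no integrity check, so the password blacklist Keycloak will enforce is whatever the remote host serves at install time, and the molecule example in this series points at a mutable `raw/master` URL. Letting a policy definition carry an optional digest and passing it through as `checksum: "{{ item.checksum | default(omit) }}"` (value in `get_url`'s `sha256:<hex>` form) gives operators a way to pin the content, and a checksum is also what makes `get_url` re-fetch a file that is already present but no longer matches, which the default `force: false` otherwise never does. `item.name` is interpolated into `dest` unchanged, so it should be confirmed to be a bare file name where the definition is validated rather than here. The first added task's name reads `exits` where `exists` is meant.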
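Review bot: The `Validate policies` assert only requires `name` to be non-empty, while install.yml in the same patch joins it onto `{{ keycloak.home }}/data/<type>/`, so a name containing a path separator or `..` would place the file outside the policy directory; adding `- item.name | basename == item.name and item.name not in ['.', '..']` to `that` closes this at the point where definitions are checked. The `fail_msg` wording `name` and one of `url` are mandatory looks carried over from the providers message above it and should read `name` and `url` are mandatory; the README hunk's example heading `Provider definition:` has the same origin and means `Policy definition:`.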
From 6682853a2d105aa701ac9f30a33b47ebf1e0f028 Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Tue, 14 May 2024 08:58:57 +0200
Subject: [PATCH 2/2] #224: Add missing argument specs
---
 roles/keycloak_quarkus/meta/argument_specs.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 56a99ce4..c5f5138e 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -394,6 +394,14 @@ argument_specs:
 description: "List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'default': bool, 'properties': list of key/value }"
 default: []
 type: "list"
+ keycloak_quarkus_supported_policy_types:
+ description: "List of str of supported policy types"
+ default: ['password-blacklists']
+ type: "list"
+ keycloak_quarkus_policies:
+ description: "List of policy definition dicts: { 'name': str, 'url': str, 'type': str }"
+ default: []
+ type: "list"
 keycloak_quarkus_jdbc_download_url:
 description: "Override the default Maven Central download URL for the JDBC driver"
 type: "str"
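Review bot: The added `keycloak_quarkus_policies` description lists `'type': str` on a par with `name` and `url`, but the prereqs assert in the first patch requires only the latter two and install.yml falls back to the first supported policy type when `type` is absent; since this spec is what `ansible-doc` and role argument validation present to consumers, it should say so, e.g. `description: "List of policy definition dicts: { 'name': str, 'url': str, 'type': str (optional, defaults to the first entry of keycloak_quarkus_supported_policy_types) }"`. The `keycloak_quarkus_supported_policy_types` description, `List of str of supported policy types`, would likewise be more useful if it stated that each entry is created as a directory under the Keycloak data directory and accepted as a policy `type`.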