diff --git a/manifests/init.pp b/manifests/init.pp
index a3dde8393..ee44b3ec9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -211,6 +211,28 @@
 #
 # $keycloak_realm:: The realm as passed to keycloak-httpd-client-install
 #
+# === OIDC parameters:
+#
+# $authorize_login_delegation:: Authorize login delegation with REMOTE_USER HTTP header (true/false)
+#
+# $authorize_login_delegation_auth_source_user_autocreate:: Name of the external auth source where unknown externally authentication
+# users (see authorize_login_delegation) should be created. Empty means no autocreation.
+#
+# $login_delegation_logout_url:: Redirect your users to this url on logout (authorize_login_delegation should also be enabled)
+#
+# $oidc_jwks_url:: OpenID Connect JSON Web Key Set(JWKS) URL.
+# Typically https://keycloak.example.com/auth/realms//protocol/openid-connect/certs when using
+# Keycloak as an OpenID provider
+#
+# $oidc_audience:: Name of the OpenID Connect Audience that is being used for Authentication. In case of Keycloak this is the Client ID.
+# ['oidc_app_name']
+#
+# $oidc_issuer:: The iss (issuer) claim identifies the principal that issued the JWT, which exists at a
+# `/.well-known/openid-configuration` in case of most of the OpenID providers.
+#
+# $oidc_algorithm:: The algorithm used to encode the JWT in the OpenID provider.
+#
+#
 class foreman (
 Stdlib::HTTPUrl $foreman_url = $foreman::params::foreman_url,
 Boolean $unattended = true,
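Review bot: The description of `$authorize_login_delegation_auth_source_user_autocreate` says "Empty means no autocreation", but the parameter is declared `String[1]` in the next hunk, so an empty value is rejected at catalog compile time; either relax the type to `Optional[String[1]]` and document `undef` as the no-autocreate value, or drop that sentence. The `$oidc_jwks_url` example reads `realms//protocol/openid-connect/certs` and appears to have lost a realm placeholder; `realms/<realm>/protocol/openid-connect/certs` would match the URL used in the spec hunk. `$oidc_audience` is documented as a single name although it is typed `Array[String[1]]`, and the trailing `['oidc_app_name']` line reads like a leftover example; suggest `# $oidc_audience:: List of accepted OpenID Connect audiences (aud claim values); for Keycloak this is the Client ID, e.g. ['oidc_app_name']`. For `$oidc_algorithm`, "encode" should read "sign", since the value names the JWT signature algorithm that is checked against the JWKS keys rather than an encoding.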
@@ -307,6 +329,13 @@
 Boolean $register_in_foreman = true,
 Optional[Stdlib::Absolutepath] $provisioning_ct_location = undef,
 Optional[Stdlib::Absolutepath] $provisioning_fcct_location = undef,
+ Boolean $authorize_login_delegation = false,
+ String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External',
+ Optional[String[1]] $login_delegation_logout_url = undef,
+ Optional[String[1]] $oidc_jwks_url = undef,
+ Array[String[1]] $oidc_audience = [],
+ Optional[String[1]] $oidc_issuer = undef,
+ String[1] $oidc_algorithm = 'RS256',
 ) inherits foreman::params {
 assert_type(Array[Stdlib::IP::Address], $trusted_proxies)
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index 35e4a2d65..cd6708246 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
@@ -250,6 +250,13 @@
 keycloak_realm: 'myrealm',
 provisioning_ct_location: '/usr/bin/myct',
 provisioning_fcct_location: '/usr/bin/myfcct',
+ authorize_login_delegation: true,
+ authorize_login_delegation_auth_source_user_autocreate: 'External',
+ login_delegation_logout_url: 'https://foreman.top.com/users/extlogout',
+ oidc_jwks_url: 'https://keycloak.top.com/realms/myrealm/protocol/openid-connect/certs',
+ oidc_audience: ['cloack-app'],
+ oidc_issuer: 'https://keycloak.top.com/realms/myrealm',
+ oidc_algorithm: 'RS256',
 }
 end
diff --git a/templates/settings.yaml.erb b/templates/settings.yaml.erb
index 50bcf8da0..df21eba9b 100644
--- a/templates/settings.yaml.erb
+++ b/templates/settings.yaml.erb
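Review bot: `$oidc_jwks_url` and `$oidc_issuer` are typed `Optional[String[1]]` although both hold URLs; `Optional[Stdlib::HTTPSUrl] $oidc_jwks_url = undef,` (the signing keys are fetched from it, so its integrity rests on TLS) and `Optional[Stdlib::HTTPUrl] $oidc_issuer = undef,` would catch malformed values at compile time, consistent with `Stdlib::HTTPUrl $foreman_url` earlier in the same parameter list. `$oidc_algorithm` is an unconstrained `String[1]`; an `Enum` or `Pattern` limited to the signature algorithms the application actually supports would reject unsupported or weak values in the manifest instead of at first login. Nothing in the hunk fails the catalog when `$authorize_login_delegation` is true but `$oidc_jwks_url` or `$oidc_issuer` is left undef; the class body continues past the hunk, and a guard there such as `if $authorize_login_delegation and $oidc_jwks_url == undef { fail('oidc_jwks_url is required when authorize_login_delegation is enabled') }` would surface an incomplete configuration at apply time.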
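Review bot: The new parameters are passed to the class, but this hunk adds no expectation that they actually reach the rendered settings.yaml; unless an existing assertion below already matches the template output, a check on the settings file resource such as `.with_content(%r{^:oidc_issuer: https://keycloak\.top\.com/realms/myrealm$})` would cover the template hunk in this commit. The sample audience `'cloack-app'` looks like a typo for `'cloak-app'`; harmless in a fixture, but worth fixing while here. The enclosing `let(:params)` block starts outside the hunk.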
@@ -10,6 +10,17 @@
 :oauth_consumer_key: <%= scope.lookupvar("foreman::oauth_consumer_key") %>
 :oauth_consumer_secret: <%= scope.lookupvar("foreman::oauth_consumer_secret") %>
+<% if scope.lookupvar('foreman::authorize_login_delegation') -%>
+# The following values are used for oidc authentication
+:authorize_login_delegation: <%= scope.lookupvar("foreman::authorize_login_delegation") %>
+:authorize_login_delegation_auth_source_user_autocreate: <%= scope.lookupvar("foreman::authorize_login_delegation_auth_source_user_autocreate") %>
+:login_delegation_logout_url: <%= scope.lookupvar("foreman::login_delegation_logout_url") %>
+:oidc_jwks_url: <%= scope.lookupvar("foreman::oidc_jwks_url") %>
+:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience") %>
+:oidc_issuer: <%= scope.lookupvar("foreman::oidc_issuer") %>
+:oidc_algorithm: <%= scope.lookupvar("foreman::oidc_algorithm") %>
+
+<% end -%>
 # Websockets
 :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %>
 :websockets_ssl_key: <%= @websockets_ssl_key %>
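Review bot: Every key in the new block is written whenever `authorize_login_delegation` is true, so an undef `oidc_jwks_url`, `oidc_issuer` or `login_delegation_logout_url` renders as an empty value (YAML nil) instead of being omitted, and an incomplete OIDC setup only shows up when a user tries to log in; wrapping each optional key in its own `<% if scope.lookupvar("foreman::oidc_jwks_url") -%>` guard, or failing in the manifest when the required ones are unset, would turn that into a catalog error. `:oidc_audience:` interpolates a Ruby Array through `to_s`, which happens to yield YAML flow syntax (`["cloack-app"]`) with Ruby string escaping; since audience and issuer are compared against token claims, rendering it as a YAML block sequence with one `- <%= aud %>` line per element in an `each` loop is the more predictable form. The comment `# The following values are used for oidc authentication` is slightly misleading, because `authorize_login_delegation` and the autocreate auth source govern REMOTE_USER header trust in general; `# Login delegation (REMOTE_USER) and OIDC settings` describes the block more accurately.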