mirror of https://github.com/ansible-collections/community.general.git synced 2026-03-21 20:59:10 +00:00

11583 update documentation and comments

Thomas Bargetz 2026-03-16 21:25:22 +01:00
parent 9d55c9fbee
commit 95da8393cb

@ -16,8 +16,8 @@ description:
- Rather than modifying an existing flow in place, the module re-creates the flow using the B(Safe Swap) mechanism described below. - Rather than modifying an existing flow in place, the module re-creates the flow using the B(Safe Swap) mechanism described below.
- B(Safe Swap mechanism) - When an authentication flow needs to be updated, the module never modifies the existing flow in place. - B(Safe Swap mechanism) - When an authentication flow needs to be updated, the module never modifies the existing flow in place.
Instead it follows a multi-step swap procedure to ensure the flow is never left in an intermediate or unsafe state during the update. Instead it follows a multi-step swap procedure to ensure the flow is never left in an intermediate or unsafe state during the update.
This is especially important when the flow is actively bound to a realm binding or a client override, This is especially important when the flow is actively bound to a realm binding, a client override, or as an identity-provider
because a partially-updated flow could inadvertently allow unauthorised access. login-flow or post-flow, because a partially-updated flow could inadvertently allow unauthorised access.
- The B(Safe Swap mechanism) is as follows. 1. A new flow is created under a temporary name (the original alias plus a configurable suffix, - The B(Safe Swap mechanism) is as follows. 1. A new flow is created under a temporary name (the original alias plus a configurable suffix,
for example C(myflow_tmp_for_swap)). for example C(myflow_tmp_for_swap)).
2. All executions and their configurations are added to the new temporary flow. 3. If the existing flow is currently bound to a realm or a client, 2. All executions and their configurations are added to the new temporary flow. 3. If the existing flow is currently bound to a realm or a client,
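Review bot: step 3 of the Safe Swap description, as far as the visible context shows, still reads "bound to a realm or a client", which no longer matches the updated sentence above it that also covers identity-provider login-flows and post-flows; extend step 3 to name the identity-provider case too. The new wording "bound to a realm binding, a client override, or as an identity-provider login-flow or post-flow" is also not parallel ("bound to ... or as"); "or used as an identity-provider login-flow or post-flow" would read cleanly.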
@ -639,8 +639,8 @@ def existing_auth_to_diff_repr(kc: KeycloakAPI, realm: str, existing_auth: dict)
def is_auth_flow_in_use(kc: KeycloakAPI, realm: str, existing_auth: dict) -> bool: def is_auth_flow_in_use(kc: KeycloakAPI, realm: str, existing_auth: dict) -> bool:
"""Determine whether the given flow is currently bound to a realm binding or a client """Determine whether the given flow is currently bound to a realm binding, a client
authentication flow override. authentication flow override or as an identity-provider login-flow or post-flow.
:param kc: a KeycloakAPI instance. :param kc: a KeycloakAPI instance.
:param realm: the realm to inspect. :param realm: the realm to inspect.
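Review bot: the new docstring summary for is_auth_flow_in_use has the same non-parallel construction ("bound to a realm binding, a client authentication flow override or as an identity-provider login-flow or post-flow"); rephrase it as "or used as an identity-provider login-flow or post-flow". The terms "login-flow" and "post-flow" are not defined in the visible lines, so it would help to state which identity-provider settings they refer to, since this function decides whether a flow counts as in use.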
@ -690,8 +690,8 @@ def rebind_auth_flow_bindings(
to_id: str, to_id: str,
to_alias: str, to_alias: str,
) -> None: ) -> None:
"""Re-point all realm bindings and client overrides that reference the source flow to the """Re-point all realm bindings, client flow overrides and identity-provider login-flows or post-flows
target flow. that reference the source flow to the target flow.
This is the critical step in the Safe Swap procedure that transfers live bindings from the This is the critical step in the Safe Swap procedure that transfers live bindings from the
old flow to the newly-created temporary flow without any gap in coverage. old flow to the newly-created temporary flow without any gap in coverage.
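Review bot: in the rebind_auth_flow_bindings docstring, "identity-provider login-flows or post-flows" mixes "and" with "or" in a list of things that are all re-pointed; "and identity-provider login-flows and post-flows" says what the sentence means. The wording "client flow overrides" here also differs from "client authentication flow override" in the is_auth_flow_in_use docstring; pick one term and use it in both places.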