ansible/community.general

Fork 0

mirror of https://github.com/ansible-collections/community.general.git synced 2026-03-22 05:09:12 +00:00

Commit graph

Author	SHA1	Message	Date
Ivan Kokalovic	80d21f2a0d	keycloak_realm_key: add full support for all Keycloak key providers (#11468 ) * feat(keycloak_realm_key): add support for auto-generated key providers Add support for Keycloak's auto-generated key providers where Keycloak manages the key material automatically: - rsa-generated: Auto-generates RSA signing keys - hmac-generated: Auto-generates HMAC signing keys - aes-generated: Auto-generates AES encryption keys - ecdsa-generated: Auto-generates ECDSA signing keys New algorithms: - HMAC: HS256, HS384, HS512 - ECDSA: ES256, ES384, ES512 - AES: AES (no algorithm parameter needed) New config options: - secret_size: For HMAC/AES providers (key size in bytes) - key_size: For RSA-generated provider (key size in bits) - elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521) Changes: - Make private_key/certificate optional (only required for rsa/rsa-enc) - Add provider-algorithm validation with clear error messages - Fix KeyError when managing default realm keys (issue #11459) - Maintain backward compatibility: RS256 default works for rsa/rsa-generated Fixes: #11459 * fix: address sanity test failures - Add 'default: RS256' to algorithm documentation to match spec - Add no_log=True to secret_size parameter per sanity check * feat(keycloak_realm_key): extend support for all Keycloak key providers Add support for remaining auto-generated key providers: - rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256) - ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW) - eddsa-generated (EdDSA signing with Ed25519, Ed448 curves) Changes: - Add provider-specific elliptic curve config key mapping (ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey) - Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm - Add elliptic curve validation per provider type - Update documentation with all supported algorithms and examples - Add comprehensive integration tests for all new providers This completes full coverage of all Keycloak key provider types. * style: apply ruff formatting * feat(keycloak_realm_key): add java-keystore provider and update_password Add support for java-keystore provider to import keys from Java Keystore (JKS or PKCS12) files on the Keycloak server filesystem. Add update_password parameter to control password handling for java-keystore provider: - always (default): Always send passwords to Keycloak - on_create: Only send passwords when creating, preserve existing passwords when updating (enables idempotent playbooks) The on_create mode sends the masked value ("*********") that Keycloak recognizes as "preserve existing password", matching the behavior when re-importing an exported realm. Replace password_checksum with update_password - the checksum approach was complex and error-prone. The update_password parameter is simpler and follows the pattern used by ansible.builtin.user module. Also adds key_info return value containing kid, certificate fingerprint, status, and expiration for java-keystore keys. address PR review feedback - Remove no_log=True from secret_size (just an int, not sensitive) - Add version_added: 12.4.0 to new parameters and return values - Remove "Added in community.general 12.4.0" from description text - Consolidate changelog entries into 4 focused entries - Remove bugfix from changelog (now in separate PR #11470) * address review feedback from russoz and felixfontein - remove docstrings from module-local helpers - remove line-by-line comments and unnecessary null guard - use specific exceptions instead of bare except Exception - use module.params["key"] instead of .get("key") - consolidate changelog into single entry - avoid "complete set" claim, reference Keycloak 26 instead * address round 2 review feedback - Extract remove_sensitive_config_keys() helper (DRY refactor) - Simplify RS256 validation to single code path - Add TypeError to inner except in compute_certificate_fingerprint() - Remove redundant comments (L812, L1031) - Switch .get() to direct dict access for module.params	2026-02-18 07:48:37 +01:00
Felix Fontein	eff25c8a6e	Fix/improve tests (#9859 ) * Fix tests. * Improve callback tests.	2025-03-09 16:48:36 +01:00
Samuli Seppänen	9a7a7a9658	Add keycloak_realm_key module (#7127 ) * Add keycloak_realm_key module * keycloak_realm_key: make "ansible-test sanity" happy Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net> * keycloak_realm_key: support check_mode * keycloak_realm_key: add integration tests * keycloak_realm_key: remove FIXME comment * keycloak_realm_key: fix EOL in integration test variables * keycloak_realm_key: remove unused import * keycloak_realm_key: remove integration test realm at the end of test suite * keycloak_realm_key: add version_added metadata * keycloak_realm_key: add documentation for end_state * keycloak_realm_key: support the "certificate" parameter As with "private_key" changing the certificate after creation is not possible because we can't compare the current value to the desired value. * keycloak_realm_key: document default for certificate parameter Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net> * keycloak_realm_key: implement diff mode * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> * keycloak_realm_key: remove note about literal linefeeds * keycloak_realm_key: remove defaults from priority and certificate * keycloak_realm_key: mark diff and check modes as partially supported * keycloak_realm_key: implement "force" parameter This ensures that the desired state is always enforced on keys that should be, and are, present. * keycloak_realm_key: fix yaml parsing error in documentation * keycloak_realm_key: document why check_mode support is partial * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> * keycloak_realm_key: documentation and metadata fixes * keycloak_realm_key: small documentation fix * keycloak_realm_key: change version_added to 7.5.0 * Update plugins/modules/keycloak_realm_key.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net> Co-authored-by: Felix Fontein <felix@fontein.de>	2023-09-19 18:08:10 +02:00

Author

SHA1

Message

Date

Ivan Kokalovic

80d21f2a0d

keycloak_realm_key: add full support for all Keycloak key providers (#11468 )

* feat(keycloak_realm_key): add support for auto-generated key providers

Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:

- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys

New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)

New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)

Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated

Fixes: #11459

* fix: address sanity test failures

- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check

* feat(keycloak_realm_key): extend support for all Keycloak key providers

Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)

Changes:
- Add provider-specific elliptic curve config key mapping
  (ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers

This completes full coverage of all Keycloak key provider types.

* style: apply ruff formatting

* feat(keycloak_realm_key): add java-keystore provider and update_password

Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.

Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
  passwords when updating (enables idempotent playbooks)

The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.

Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.

Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.

* address PR review feedback

- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)

* address review feedback from russoz and felixfontein

- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead

* address round 2 review feedback

- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params

2026-02-18 07:48:37 +01:00

Felix Fontein

eff25c8a6e

Fix/improve tests (#9859 )

* Fix tests.

* Improve callback tests.

2025-03-09 16:48:36 +01:00

Samuli Seppänen

9a7a7a9658

Add keycloak_realm_key module (#7127 )

* Add keycloak_realm_key module

* keycloak_realm_key: make "ansible-test sanity" happy

Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>

* keycloak_realm_key: support check_mode

* keycloak_realm_key: add integration tests

* keycloak_realm_key: remove FIXME comment

* keycloak_realm_key: fix EOL in integration test variables

* keycloak_realm_key: remove unused import

* keycloak_realm_key: remove integration test realm at the end of test suite

* keycloak_realm_key: add version_added metadata

* keycloak_realm_key: add documentation for end_state

* keycloak_realm_key: support the "certificate" parameter

As with "private_key" changing the certificate after creation is not possible
because we can't compare the current value to the desired value.

* keycloak_realm_key: document default for certificate parameter

Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>

* keycloak_realm_key: implement diff mode

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* keycloak_realm_key: remove note about literal linefeeds

* keycloak_realm_key: remove defaults from priority and certificate

* keycloak_realm_key: mark diff and check modes as partially supported

* keycloak_realm_key: implement "force" parameter

This ensures that the desired state is always enforced on keys that should be,
and are, present.

* keycloak_realm_key: fix yaml parsing error in documentation

* keycloak_realm_key: document why check_mode support is partial

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* keycloak_realm_key: documentation and metadata fixes

* keycloak_realm_key: small documentation fix

* keycloak_realm_key: change version_added to 7.5.0

* Update plugins/modules/keycloak_realm_key.py

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>
Co-authored-by: Felix Fontein <felix@fontein.de>

2023-09-19 18:08:10 +02:00

3 commits