mirror of
https://github.com/ansible-collections/community.general.git
synced 2026-03-22 05:09:12 +00:00
80d21f2a0d
* feat(keycloak_realm_key): add support for auto-generated key providers Add support for Keycloak's auto-generated key providers where Keycloak manages the key material automatically: - rsa-generated: Auto-generates RSA signing keys - hmac-generated: Auto-generates HMAC signing keys - aes-generated: Auto-generates AES encryption keys - ecdsa-generated: Auto-generates ECDSA signing keys New algorithms: - HMAC: HS256, HS384, HS512 - ECDSA: ES256, ES384, ES512 - AES: AES (no algorithm parameter needed) New config options: - secret_size: For HMAC/AES providers (key size in bytes) - key_size: For RSA-generated provider (key size in bits) - elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521) Changes: - Make private_key/certificate optional (only required for rsa/rsa-enc) - Add provider-algorithm validation with clear error messages - Fix KeyError when managing default realm keys (issue #11459) - Maintain backward compatibility: RS256 default works for rsa/rsa-generated Fixes: #11459 * fix: address sanity test failures - Add 'default: RS256' to algorithm documentation to match spec - Add no_log=True to secret_size parameter per sanity check * feat(keycloak_realm_key): extend support for all Keycloak key providers Add support for remaining auto-generated key providers: - rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256) - ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW) - eddsa-generated (EdDSA signing with Ed25519, Ed448 curves) Changes: - Add provider-specific elliptic curve config key mapping (ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey) - Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm - Add elliptic curve validation per provider type - Update documentation with all supported algorithms and examples - Add comprehensive integration tests for all new providers This completes full coverage of all Keycloak key provider types. * style: apply ruff formatting * feat(keycloak_realm_key): add java-keystore provider and update_password Add support for java-keystore provider to import keys from Java Keystore (JKS or PKCS12) files on the Keycloak server filesystem. Add update_password parameter to control password handling for java-keystore provider: - always (default): Always send passwords to Keycloak - on_create: Only send passwords when creating, preserve existing passwords when updating (enables idempotent playbooks) The on_create mode sends the masked value ("**********") that Keycloak recognizes as "preserve existing password", matching the behavior when re-importing an exported realm. Replace password_checksum with update_password - the checksum approach was complex and error-prone. The update_password parameter is simpler and follows the pattern used by ansible.builtin.user module. Also adds key_info return value containing kid, certificate fingerprint, status, and expiration for java-keystore keys. * address PR review feedback - Remove no_log=True from secret_size (just an int, not sensitive) - Add version_added: 12.4.0 to new parameters and return values - Remove "Added in community.general 12.4.0" from description text - Consolidate changelog entries into 4 focused entries - Remove bugfix from changelog (now in separate PR #11470) * address review feedback from russoz and felixfontein - remove docstrings from module-local helpers - remove line-by-line comments and unnecessary null guard - use specific exceptions instead of bare except Exception - use module.params["key"] instead of .get("key") - consolidate changelog into single entry - avoid "complete set" claim, reference Keycloak 26 instead * address round 2 review feedback - Extract remove_sensitive_config_keys() helper (DRY refactor) - Simplify RS256 validation to single code path - Add TypeError to inner except in compute_certificate_fingerprint() - Remove redundant comments (L812, L1031) - Switch .get() to direct dict access for module.params |
||
|---|---|---|
| .. | ||
| tasks | ||
| vars | ||
| aliases | ||
| readme.adoc | ||
// Copyright (c) Ansible Project // GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) // SPDX-License-Identifier: GPL-3.0-or-later To be able to run these integration tests a keycloak server must be reachable under a specific url with a specific admin user and password. The exact values expected for these parameters can be found in 'vars/main.yml' file. A simple way to do this is to use the official keycloak docker images like this: ---- docker run --name mykeycloak -p 8080:8080 -e KC_HTTP_RELATIVE_PATH=<url-path> -e KEYCLOAK_ADMIN=<admin_user> -e KEYCLOAK_ADMIN_PASSWORD=<admin_password> quay.io/keycloak/keycloak:20.0.2 start-dev ---- Example with concrete values inserted: ---- docker run --name mykeycloak -p 8080:8080 -e KC_HTTP_RELATIVE_PATH=/auth -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:20.0.2 start-dev ---- This test suite can run against a fresh unconfigured server instance (no preconfiguration required) and cleans up after itself (undoes all its config changes) as long as it runs through completely. While its active it changes the server configuration in the following ways: * creating, modifying and deleting some keycloak groups