[PR #8973/464812a2 backport][stable-9] keycloak_client add option to support client-x509 authentication (#9005)

keycloak_client add option to support client-x509 authentication (#8973) * keycloak_client: add client-x509 option to client_authenticator_type Signed-off-by: boolman <boolman@gmail.com> * keycloak_client: add attributes for client-x509 Signed-off-by: boolman <boolman@gmail.com> * keycloak_client update description Signed-off-by: boolman <boolman@gmail.com> * keycloak_client add fragment Signed-off-by: boolman <boolman@gmail.com> * remove trailing whitespace Signed-off-by: boolman <boolman@gmail.com> * keycloak_client add example with x509 authentication Signed-off-by: boolman <boolman@gmail.com> * Update plugins/modules/keycloak_client.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update changelogs/fragments/8973-keycloak_client-add-x509-auth.yml Co-authored-by: Felix Fontein <felix@fontein.de> * keycloak_client added type on new suboptions Signed-off-by: boolman <boolman@gmail.com> --------- Signed-off-by: boolman <boolman@gmail.com> Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit 464812a2c2) Co-authored-by: Boolman <boolman@gmail.com>
2024-10-07 23:10:46 +02:00 · 2024-10-07 23:10:46 +02:00 · 9fe31235d8
parent fc7609628e
commit 9fe31235d8
2 changed files with 37 additions and 7 deletions
--- a/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml
+++ b/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml
@ -0,0 +1,2 @@
+minor_changes:
+  - keycloak_client - add ``client-x509`` choice to ``client_authenticator_type`` (https://github.com/ansible-collections/community.general/pull/8973).
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@ -108,13 +108,14 @@ options:

    client_authenticator_type:
        description:
-            - How do clients authenticate with the auth server? Either V(client-secret) or
-              V(client-jwt) can be chosen. When using V(client-secret), the module parameter
-              O(secret) can set it, while for V(client-jwt), you can use the keys C(use.jwks.url),
+            - How do clients authenticate with the auth server? Either V(client-secret),
+              V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter
+              O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url),
              C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter
-              to configure its behavior.
+              to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison)
+              and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept.
            - This is 'clientAuthenticatorType' in the Keycloak REST API.
-        choices: ['client-secret', 'client-jwt']
+        choices: ['client-secret', 'client-jwt', 'client-x509']
        aliases:
            - clientAuthenticatorType
        type: str
@ -533,7 +534,6 @@ options:
                description:
                    - SAML Redirect Binding URL for the client's assertion consumer service (login responses).

-
            saml_force_name_id_format:
                description:
                    - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead.
@ -581,6 +581,18 @@ options:
                    - For OpenID-Connect clients, client certificate for validating JWT issued by
                      client and signed by its key, base64-encoded.

+            x509.subjectdn:
+                description:
+                    - For OpenID-Connect clients, subject which will be used to authenticate the client.
+                type: str
+                version_added: 9.5.0
+
+            x509.allow.regex.pattern.comparison:
+                description:
+                    - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression.
+                type: bool
+                version_added: 9.5.0
+
 extends_documentation_fragment:
    - community.general.keycloak
    - community.general.attributes
@ -624,6 +636,22 @@ EXAMPLES = '''
  delegate_to: localhost


+- name: Create or update a Keycloak client (minimal example), with x509 authentication
+  community.general.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: master
+    state: present
+    client_id: test
+    client_authenticator_type: client-x509
+    attributes:
+      x509.subjectdn: "CN=client"
+      x509.allow.regex.pattern.comparison: false
+
+
 - name: Create or update a Keycloak client (with all the bells and whistles)
  community.general.keycloak_client:
    auth_client_id: admin-cli
@ -913,7 +941,7 @@ def main():
        base_url=dict(type='str', aliases=['baseUrl']),
        surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']),
        enabled=dict(type='bool'),
-        client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
+        client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt', 'client-x509'], aliases=['clientAuthenticatorType']),
        secret=dict(type='str', no_log=True),
        registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
        default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),