From 367033157974ad7b81864d6bf6fcf49e70263621 Mon Sep 17 00:00:00 2001
From: Wout Resseler
Date: Thu, 9 Jan 2025 14:52:51 +0100
Subject: [PATCH 1/3] Add oidc config parameters
---
 manifests/init.pp | 29 +++++++++++++++++++++++++++++
 spec/classes/foreman_spec.rb | 7 +++++++
 templates/settings.yaml.erb | 11 +++++++++++
 3 files changed, 47 insertions(+)
diff --git a/manifests/init.pp b/manifests/init.pp
index a3dde8393..b20543ed8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -211,6 +211,28 @@
 #
 # $keycloak_realm:: The realm as passed to keycloak-httpd-client-install
 #
+# === OIDC parameters:
+#
+# $authorize_login_delegation:: Authorize login delegation with REMOTE_USER HTTP header (true/false)
+#
+# $authorize_login_delegation_auth_source_user_autocreate:: Name of the external auth source where unknown externally authentication
+# users (see authorize_login_delegation) should be created. Empty means no autocreation.
+#
+# $login_delegation_logout_url:: Redirect your users to this url on logout (authorize_login_delegation should also be enabled)
+#
+# $oidc_jwks_url:: OpenID Connect JSON Web Key Set(JWKS) URL.
+# Typically https://keycloak.example.com/auth/realms//protocol/openid-connect/certs when using
+# Keycloak as an OpenID provider
+#
+# $oidc_audience:: Name of the OpenID Connect Audience that is being used for Authentication. In case of Keycloak this is the Client ID.
+# ['oidc_app_name']
+#
+# $oidc_issuer:: The iss (issuer) claim identifies the principal that issued the JWT, which exists at a
+# `/.well-known/openid-configuration` in case of most of the OpenID providers.
+#
+# $oidc_algorithm:: The algorithm used to encode the JWT in the OpenID provider.
+#
+#
 class foreman (
 Stdlib::HTTPUrl $foreman_url = $foreman::params::foreman_url,
 Boolean $unattended = true,
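Review bot: The new header comment for `$authorize_login_delegation_auth_source_user_autocreate` says "Empty means no autocreation", but the parameter added in the next hunk is typed `String[1]` with default `'External'`, so an empty value is rejected at catalog compile time instead of disabling autocreation; either drop that sentence or type the parameter `Optional[String[1]]` with `= undef` if opting out is intended. `$oidc_audience` is documented as a single "Name" while the parameter is an array; `# $oidc_audience:: List of OpenID Connect audiences accepted for authentication (the Keycloak Client ID), e.g. ['oidc_app_name']` matches the type. The `$oidc_jwks_url` example `https://keycloak.example.com/auth/realms//protocol/openid-connect/certs` has an empty realm segment, presumably a lost placeholder; `realms/<realm>/protocol` would read correctly. Since `$authorize_login_delegation` makes Foreman accept the identity carried in `REMOTE_USER`, the comment should also state that the header must be set by the web server's authentication module and never be accepted from the client. The header comment block begins before this hunk.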
@@ -307,6 +329,13 @@
 Boolean $register_in_foreman = true,
 Optional[Stdlib::Absolutepath] $provisioning_ct_location = undef,
 Optional[Stdlib::Absolutepath] $provisioning_fcct_location = undef,
+ Boolean $authorize_login_delegation = $keycloak,
+ String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External',
+ Optional[String[1]] $login_delegation_logout_url,
+ Optional[String[1]] $oidc_jwks_url,
+ Optional[Array[String[1]]] $oidc_audience = [],
+ Optional[String[1]] $oidc_issuer,
+ String[1] $oidc_algorithm = 'RS256',
 ) inherits foreman::params {
 assert_type(Array[Stdlib::IP::Address], $trusted_proxies)
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index 35e4a2d65..cd6708246 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
@@ -250,6 +250,13 @@
 keycloak_realm: 'myrealm',
 provisioning_ct_location: '/usr/bin/myct',
 provisioning_fcct_location: '/usr/bin/myfcct',
+ authorize_login_delegation: true,
+ authorize_login_delegation_auth_source_user_autocreate: 'External',
+ login_delegation_logout_url: 'https://foreman.top.com/users/extlogout',
+ oidc_jwks_url: 'https://keycloak.top.com/realms/myrealm/protocol/openid-connect/certs',
+ oidc_audience: ['cloack-app'],
+ oidc_issuer: 'https://keycloak.top.com/realms/myrealm',
+ oidc_algorithm: 'RS256',
 }
 end
diff --git a/templates/settings.yaml.erb b/templates/settings.yaml.erb
index 50bcf8da0..df21eba9b 100644
--- a/templates/settings.yaml.erb
+++ b/templates/settings.yaml.erb
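Review bot: `String[1] $oidc_algorithm = 'RS256'` accepts any string, so a typo or an algorithm Foreman does not support is only discovered when a token is verified at login time; an `Enum[...]` restricted to the signature algorithms Foreman's JWT verification actually accepts (RS256 is the only one the page documents, so the list has to come from Foreman) would make the catalog compile fail instead. Pinning the expected algorithm to a fixed set is also the right direction for the token verification, since it leaves no room for a caller-chosen algorithm. The same parameter is re-emitted unchanged in the second patch's hunk, where the Enum would equally apply. The class parameter list begins before this hunk.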
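Review bot: The seven new keys are added to the all-parameters `let(:params)` hash, but nothing in this hunk asserts that the rendered settings.yaml contains them, so a mismatch between a parameter name and the `foreman::` lookup in the template would pass unnoticed; add an expectation on the fragment rendered from settings.yaml.erb such as `.with_content(%r{^:oidc_jwks_url: https://keycloak.top.com/realms/myrealm/protocol/openid-connect/certs$})`, and a default-parameters example asserting no `:oidc_` key appears when `authorize_login_delegation` is false. If the example group already verifies the fragment's exact contents further down, only the new lines need adding to that expected list. The example group and the `let(:params)` block start before and end after this hunk.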
@@ -10,6 +10,17 @@
 :oauth_consumer_key: <%= scope.lookupvar("foreman::oauth_consumer_key") %>
 :oauth_consumer_secret: <%= scope.lookupvar("foreman::oauth_consumer_secret") %>
+<% if scope.lookupvar('foreman::authorize_login_delegation') -%>
+# The following values are used for oidc authentication
+:authorize_login_delegation: <%= scope.lookupvar("foreman::authorize_login_delegation") %>
+:authorize_login_delegation_auth_source_user_autocreate: <%= scope.lookupvar("foreman::authorize_login_delegation_auth_source_user_autocreate") %>
+:login_delegation_logout_url: <%= scope.lookupvar("foreman::login_delegation_logout_url") %>
+:oidc_jwks_url: <%= scope.lookupvar("foreman::oidc_jwks_url") %>
+:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience") %>
+:oidc_issuer: <%= scope.lookupvar("foreman::oidc_issuer") %>
+:oidc_algorithm: <%= scope.lookupvar("foreman::oidc_algorithm") %>
+
+<% end -%>
 # Websockets
 :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %>
 :websockets_ssl_key: <%= @websockets_ssl_key %>
From e4c1320bbf2751342dae6fa095531641db97cda8 Mon Sep 17 00:00:00 2001
From: Wout Resseler
Date: Thu, 9 Jan 2025 15:33:54 +0100
Subject: [PATCH 2/3] Fix optional params to be undef
---
 manifests/init.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index b20543ed8..9c59921b1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
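Review bot: All seven keys, including `:oidc_jwks_url`, `:oidc_issuer` and `:oidc_audience`, are emitted only inside `<% if scope.lookupvar('foreman::authorize_login_delegation') -%>`, so a user who sets the `oidc_*` parameters but leaves `authorize_login_delegation` at its default gets them silently dropped from settings.yaml; either emit the `oidc_*` keys unconditionally or have the manifest `fail()` when they are set without delegation enabled. `:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience") %>` relies on Ruby's `Array#to_s` happening to produce a YAML flow sequence such as `["cloack-app"]`; an explicit `- item` loop over the array (or `.to_json`, if the json library is loaded in the agent's Ruby as it normally is) states that intent and keeps working for values that need quoting. The comment `# The following values are used for oidc authentication` is narrower than the header's description of `authorize_login_delegation` as generic REMOTE_USER delegation; `# Login delegation via REMOTE_USER (e.g. Keycloak/OIDC), see foreman::authorize_login_delegation` would be more accurate.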
@@ -331,10 +331,10 @@
 Optional[Stdlib::Absolutepath] $provisioning_fcct_location = undef,
 Boolean $authorize_login_delegation = $keycloak,
 String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External',
- Optional[String[1]] $login_delegation_logout_url,
- Optional[String[1]] $oidc_jwks_url,
- Optional[Array[String[1]]] $oidc_audience = [],
- Optional[String[1]] $oidc_issuer,
+ Optional[String[1]] $login_delegation_logout_url = undef,
+ Optional[String[1]] $oidc_jwks_url = undef,
+ Array[String[1]] $oidc_audience = [],
+ Optional[String[1]] $oidc_issuer = undef,
 String[1] $oidc_algorithm = 'RS256',
 ) inherits foreman::params {
 assert_type(Array[Stdlib::IP::Address], $trusted_proxies)
From 974293d17fac8c9e422a5f2f333b79d093b35dee Mon Sep 17 00:00:00 2001
From: Wout Resseler
Date: Thu, 9 Jan 2025 15:46:40 +0100
Subject: [PATCH 3/3] Do not follow keycloak config by default
---
 manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 9c59921b1..ee44b3ec9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -329,7 +329,7 @@
 Boolean $register_in_foreman = true,
 Optional[Stdlib::Absolutepath] $provisioning_ct_location = undef,
 Optional[Stdlib::Absolutepath] $provisioning_fcct_location = undef,
- Boolean $authorize_login_delegation = $keycloak,
+ Boolean $authorize_login_delegation = false,
 String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External',
 Optional[String[1]] $login_delegation_logout_url = undef,
 Optional[String[1]] $oidc_jwks_url = undef,
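Review bot: `$login_delegation_logout_url` and `$oidc_jwks_url` are typed `Optional[String[1]]` although both hold URLs, while this class already uses `Stdlib::HTTPUrl` for `$foreman_url` (visible in the first patch's context); `Optional[Stdlib::HTTPUrl] $login_delegation_logout_url = undef,` and `Optional[Stdlib::HTTPUrl] $oidc_jwks_url = undef,` would reject a non-http(s) value at catalog compile time rather than when Foreman tries to fetch the key set or redirect the user. `$oidc_issuer` is documented as the value of the `iss` claim rather than a fetch target, so keeping it `String[1]` is defensible. The class parameter list begins before this hunk.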
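Review bot: With the default changed from `$keycloak` to `false`, enabling `$keycloak` no longer turns on login delegation, but the header comment for `$authorize_login_delegation` added in the first patch states neither the default nor this decoupling, so operators following a Keycloak setup (which the original `$keycloak` default suggests relies on REMOTE_USER delegation) may miss that they now have to set it explicitly; extend the comment to `# $authorize_login_delegation:: Authorize login delegation with REMOTE_USER HTTP header (true/false). Defaults to false and is not enabled by $keycloak.` The class parameter list begins before this hunk.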