From f2a3c23b8ac408a5070efa0a8fe53fdd17d041fe Mon Sep 17 00:00:00 2001 From: Robert Wolf Date: Tue, 4 Feb 2025 14:30:01 +0100 Subject: [PATCH 1/3] add aggregate_attrs property --- REFERENCE.md | 12 ++++++++++++ .../keycloak_client_protocol_mapper/kcadm.rb | 7 +++++++ .../provider/keycloak_protocol_mapper/kcadm.rb | 7 +++++++ lib/puppet/type/keycloak_client_protocol_mapper.rb | 5 +++++ lib/puppet/type/keycloak_protocol_mapper.rb | 5 +++++ 5 files changed, 36 insertions(+) diff --git a/REFERENCE.md b/REFERENCE.md index 87b6f9f6..dcc51316 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1867,6 +1867,12 @@ included.client.audience Required for `type` of `oidc-audience-mapper` json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`. +##### `aggregate_attrs` + +Valid values: `true`, `false` + +aggregate.attrs + ##### `protocol` Valid values: `openid-connect`, `saml` @@ -3102,6 +3108,12 @@ included.client.audience Required for `type` of `oidc-audience-mapper` json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper` and `oidc-group-membership-mapper`. +##### `aggregate_attrs` + +Valid values: `true`, `false` + +aggregate.attrs + ##### `protocol` Valid values: `openid-connect`, `saml` diff --git a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb index 24bc57bd..7279545c 100644 --- a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb +++ b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb @@ -72,6 +72,7 @@ def self.instances if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(protocol_mapper[:type]) protocol_mapper[:single] = d['config']['single'].to_s.to_sym end + protocol_mapper[:aggregate_attrs] = d['config']['aggregate.attrs'].to_s.to_sym if d['config']['aggregate.attrs'] protocol_mappers << new(protocol_mapper) end end 
@@ -135,6 +136,9 @@ def create if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type]) data[:config][:single] = resource[:single].to_s if resource[:single] end + if resource[:aggregate_attrs] + data[:config][:aggregate.attrs] = resource[:aggregate_attrs].to_s + end t = Tempfile.new('keycloak_protocol_mapper') t.write(JSON.pretty_generate(data)) @@ -219,6 +223,9 @@ def flush if ['saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type]) config[:single] = resource[:single].to_s if resource[:single] end + if resource[:aggregate_attrs] + config[:aggregate.attrs] = resource[:aggregate_attrs].to_s + end data[:config] = config unless config.empty? t = Tempfile.new('keycloak_protocol_mapper') diff --git a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb index d26bab62..ab0891ee 100644 --- a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb +++ b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb @@ -72,6 +72,7 @@ def self.instances if ['saml-group-membership-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(protocol_mapper[:type]) protocol_mapper[:single] = d['config']['single'].to_s.to_sym end + protocol_mapper[:aggregate_attrs] = d['config']['aggregate.attrs'].to_s.to_sym if d['config']['aggregate.attrs'] protocol_mappers << new(protocol_mapper) end end @@ -135,6 +136,9 @@ def create if ['saml-group-membership-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type]) data[:config][:single] = resource[:single].to_s if resource[:single] end + if resource[:aggregate_attrs] + data[:config][:aggregate.attrs] = resource[:aggregate_attrs].to_s + end t = Tempfile.new('keycloak_protocol_mapper') t.write(JSON.pretty_generate(data)) 
@@ -219,6 +223,9 @@ def flush if ['saml-group-membership-mapper', 'saml-role-list-mapper', 'saml-javascript-mapper'].include?(resource[:type]) config[:single] = resource[:single].to_s if resource[:single] end + if resource[:aggregate_attrs] + config[:aggregate.attrs] = resource[:aggregate_attrs].to_s + end data[:config] = config unless config.empty? t = Tempfile.new('keycloak_protocol_mapper') diff --git a/lib/puppet/type/keycloak_client_protocol_mapper.rb b/lib/puppet/type/keycloak_client_protocol_mapper.rb index 33d2b695..ff55e650 100644 --- a/lib/puppet/type/keycloak_client_protocol_mapper.rb +++ b/lib/puppet/type/keycloak_client_protocol_mapper.rb @@ -196,6 +196,11 @@ end end + newproperty(:aggregate_attrs, boolean: true) do + desc 'aggregate.attrs' + newvalues(:true, :false) + end + newproperty(:script) do desc <<-EOS Script, only valid for `type` of `saml-javascript-mapper`' diff --git a/lib/puppet/type/keycloak_protocol_mapper.rb b/lib/puppet/type/keycloak_protocol_mapper.rb index ce782d41..b4fe6574 100644 --- a/lib/puppet/type/keycloak_protocol_mapper.rb +++ b/lib/puppet/type/keycloak_protocol_mapper.rb @@ -198,6 +198,11 @@ end end + newproperty(:aggregate_attrs, boolean: true) do + desc 'aggregate.attrs' + newvalues(:true, :false) + end + newproperty(:script) do desc <<-EOS Script, only valid for `type` of `saml-javascript-mapper`' From 89b61a4fc18866c1b3787d9ced86b7d0cc7adbbd Mon Sep 17 00:00:00 2001 From: Robert Wolf Date: Tue, 4 Feb 2025 14:47:24 +0100 Subject: [PATCH 2/3] spec files --- .../7_client_protocol_mapper_spec.rb | 17 +++++++++++++++ .../keycloak_client_protocol_mapper_spec.rb | 21 +++++++++++++++++++ .../type/keycloak_protocol_mapper_spec.rb | 21 +++++++++++++++++++ 3 files changed, 59 insertions(+) diff --git a/spec/acceptance/7_client_protocol_mapper_spec.rb b/spec/acceptance/7_client_protocol_mapper_spec.rb index 9e34578f..668fa1c4 100644 --- a/spec/acceptance/7_client_protocol_mapper_spec.rb 
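Review bot: `desc 'aggregate.attrs'` in the new `newproperty(:aggregate_attrs, boolean: true)` block only repeats the Keycloak config key, so the generated REFERENCE.md entry tells an operator nothing about what enabling the property does. As far as I know, this flag makes a user attribute mapper merge attribute values inherited from the user's groups into the emitted claim or SAML attribute, which changes what relying parties receive and may base authorization decisions on. A description along the lines of `desc 'aggregate.attrs. When true, attribute values inherited from group membership are merged into the mapped attribute.'` would say that, once the wording is confirmed against the Keycloak documentation for the supported versions. Unlike `single`, the providers in this patch send the key for every mapper `type`, so the description should also name the types that honour it. The same block is added to `lib/puppet/type/keycloak_protocol_mapper.rb`.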
+++ b/spec/acceptance/7_client_protocol_mapper_spec.rb @@ -35,6 +35,12 @@ class { 'keycloak': } multivalued => true, usermodel_client_role_mapping_client_id => 'test.foo.bar', } + keycloak_client_protocol_mapper { 'role mapper AA for test.foo.bar on test': + type => 'oidc-usermodel-client-role-mapper', + claim_name => 'permissions', + aggregate_attrs => true, + usermodel_client_role_mapping_client_id => 'test.foo.bar', + } PUPPET_PP apply_manifest(pp, catch_failures: true) @@ -94,6 +100,17 @@ class { 'keycloak': } expect(mapper['config']['usermodel.clientRoleMapping.clientId']).to eq('test.foo.bar') end end + + it 'has created protocol mapper AA type=oidc-usermodel-client-role-mapper' do + on hosts, '/opt/keycloak/bin/kcadm-wrapper.sh get clients/test.foo.bar/protocol-mappers/models -r test' do + data = JSON.parse(stdout) + mapper = data.select { |d| d['name'] == 'role mapper AA' }[0] + expect(mapper['protocolMapper']).to eq('oidc-usermodel-client-role-mapper') + expect(mapper['config']['claim.name']).to eq('permissions') + expect(mapper['config']['aggregate.attrs']).to eq('true') + expect(mapper['config']['usermodel.clientRoleMapping.clientId']).to eq('test.foo.bar') + end + end end context 'when updates protocol_mapper' do diff --git a/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb index fa0285dc..ce3f62dc 100644 --- a/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb +++ b/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb 
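Review bot: The new acceptance example sets `aggregate_attrs => true` on an `oidc-usermodel-client-role-mapper` and then only reads the key back through `kcadm-wrapper.sh get`, so it shows that Keycloak stored the string, not that the property has any effect. As far as I know, `aggregate.attrs` is read by the user attribute mappers rather than the client role mapper, so a mapper of that kind would make the example representative. Separately, `data.select { |d| d['name'] == 'role mapper AA' }[0]` yields nil when the mapper is missing, and the next line then fails with a NoMethodError instead of a readable expectation failure. `mapper = data.find { |d| d['name'] == 'role mapper AA' }` followed by `expect(mapper).not_to be_nil` would report that case clearly.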
@@ -370,6 +370,27 @@ }.to raise_error(%r{foo}) end + it 'accepts value for aggregate_attrs' do + config[:aggregate.attrs] = false + expect(resource[:aggregate_attrs]).to eq(:false) + end + + it 'accepts value for aggregate_attrs string' do + config[:aggregate.attrs] = 'false' + expect(resource[:aggregate_attrs]).to eq(:false) + end + + it 'has default for aggregate_attrs' do + expect(resource[:aggregate_attrs]).to be_nil + end + + it 'does not accept invalid value for aggregate_attrs' do + config[:aggregate.attrs] = 'foo' + expect { + resource + }.to raise_error(%r{foo}) + end + it 'accepts script' do config[:protocol] = 'saml' config[:type] = 'script-foo.js' diff --git a/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb index c8517aaf..b24872d5 100644 --- a/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb +++ b/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb @@ -362,6 +362,27 @@ }.to raise_error(%r{foo}) end + it 'accepts value for aggregate_attrs' do + config[:aggregate.attrs] = false + expect(resource[:aggregate_attrs]).to eq(:false) + end + + it 'accepts value for aggregate_attrs string' do + config[:aggregate.attrs] = 'false' + expect(resource[:aggregate_attrs]).to eq(:false) + end + + it 'has default for aggregate_attrs' do + expect(resource[:aggregate_attrs]).to be_nil + end + + it 'does not accept invalid value for aggregate_attrs' do + config[:aggregate.attrs] = 'foo' + expect { + resource + }.to raise_error(%r{foo}) + end + it 'accepts script' do config[:protocol] = 'saml' config[:type] = 'script-foo.js' From e20fd42479c52d8a67f39d2d46c5d97e1ce16a6b Mon Sep 17 00:00:00 2001 
From: Robert Wolf Date: Tue, 4 Feb 2025 15:03:15 +0100 Subject: [PATCH 3/3] fix key --- .../provider/keycloak_client_protocol_mapper/kcadm.rb | 4 ++-- lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb | 4 ++-- .../puppet/type/keycloak_client_protocol_mapper_spec.rb | 6 +++--- spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb index 6fb09587..4c376809 100644 --- a/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb +++ b/lib/puppet/provider/keycloak_client_protocol_mapper/kcadm.rb @@ -146,7 +146,7 @@ def create data[:config][:multivalued] = resource[:multivalued].to_s end if resource[:aggregate_attrs] - data[:config][:aggregate.attrs] = resource[:aggregate_attrs].to_s + data[:config][:'aggregate.attrs'] = resource[:aggregate_attrs].to_s end t = Tempfile.new('keycloak_protocol_mapper') @@ -238,7 +238,7 @@ def flush config[:multivalued] = resource[:multivalued].to_s end if resource[:aggregate_attrs] - config[:aggregate.attrs] = resource[:aggregate_attrs].to_s + config[:'aggregate.attrs'] = resource[:aggregate_attrs].to_s end data[:config] = config unless config.empty? diff --git a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb index b7a29c90..467ded73 100644 --- a/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb +++ b/lib/puppet/provider/keycloak_protocol_mapper/kcadm.rb @@ -142,7 +142,7 @@ def create data[:config][:multivalued] = resource[:multivalued].to_s end if resource[:aggregate_attrs] - data[:config][:aggregate.attrs] = resource[:aggregate_attrs].to_s + data[:config][:'aggregate.attrs'] = resource[:aggregate_attrs].to_s end t = Tempfile.new('keycloak_protocol_mapper') 
@@ -232,7 +232,7 @@ def flush config[:multivalued] = resource[:multivalued].to_s end if resource[:aggregate_attrs] - config[:aggregate.attrs] = resource[:aggregate_attrs].to_s + config[:'aggregate.attrs'] = resource[:aggregate_attrs].to_s end data[:config] = config unless config.empty? diff --git a/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb index ce3f62dc..2fa1e87c 100644 --- a/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb +++ b/spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb @@ -371,12 +371,12 @@ end it 'accepts value for aggregate_attrs' do - config[:aggregate.attrs] = false + config[:'aggregate.attrs'] = false expect(resource[:aggregate_attrs]).to eq(:false) end it 'accepts value for aggregate_attrs string' do - config[:aggregate.attrs] = 'false' + config[:'aggregate.attrs'] = 'false' expect(resource[:aggregate_attrs]).to eq(:false) end @@ -385,7 +385,7 @@ end it 'does not accept invalid value for aggregate_attrs' do - config[:aggregate.attrs] = 'foo' + config[:'aggregate.attrs'] = 'foo' expect { resource }.to raise_error(%r{foo}) diff --git a/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb b/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb index b24872d5..76a44959 100644 --- a/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb +++ b/spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb @@ -363,12 +363,12 @@ end it 'accepts value for aggregate_attrs' do - config[:aggregate.attrs] = false + config[:'aggregate.attrs'] = false expect(resource[:aggregate_attrs]).to eq(:false) end it 'accepts value for aggregate_attrs string' do - config[:aggregate.attrs] = 'false' + config[:'aggregate.attrs'] = 'false' expect(resource[:aggregate_attrs]).to eq(:false) end 
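Review bot: The corrected examples in `spec/unit/puppet/type/keycloak_client_protocol_mapper_spec.rb` still set `config[:'aggregate.attrs']`, but the property declared in the type is `aggregate_attrs`, and the neighbouring examples key `config` by parameter name (`config[:protocol]`, `config[:type]`). If `config` is the hash handed to the type constructor, which those neighbours suggest but the hunk does not show, the quoted key is not a parameter of the type. The `accepts value` examples would then fail before reaching `resource[:aggregate_attrs]`, and the invalid-value example would no longer test `newvalues`. The dotted key belongs only in the provider's JSON payload; here the lines should read `config[:aggregate_attrs] = false`, `config[:aggregate_attrs] = 'false'` and `config[:aggregate_attrs] = 'foo'`. The same applies to the `@@ -385,7 +385,7 @@` hunk of this file and to both hunks of `spec/unit/puppet/type/keycloak_protocol_mapper_spec.rb`.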
@@ -377,7 +377,7 @@ end it 'does not accept invalid value for aggregate_attrs' do - config[:aggregate.attrs] = 'foo' + config[:'aggregate.attrs'] = 'foo' expect { resource }.to raise_error(%r{foo})