From 90f7482290c4143d168f4d209e16518b5968c27f Mon Sep 17 00:00:00 2001
From: Peter Jackson
Date: Fri, 20 Sep 2024 12:38:04 +0100
Subject: [PATCH 1/5] Update config parameters to match latest OIDC release and fix typos. #2567 #2566
---
 REFERENCE.md | 250 +++++++++++++++++++++++------------------
 types/oidcsettings.pp | 251 ++++++++++++++++++++++++------------------
 2 files changed, 286 insertions(+), 215 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index b637f3722..5b43bcb8e 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -11306,113 +11306,149 @@ Alias of ```puppet Struct[{ - Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl, Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]], - Optional['CryptoPassphrase'] => String, - Optional['MetadataDir'] => String, - Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl, - Optional['ProviderIssuer'] => String, - Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl, - Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderTokenEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none'], - Optional['ProviderTokenEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['ProviderUserInfoEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, - Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderBackChannelLogoutSupported'] => Enum['On', 'Off'], - Optional['ProviderRegistrationEndpointJson'] => String, - Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], - Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['SSLValidateServer'] => Enum['On', 'Off'], - Optional['UserInfoRefreshInterval'] => Integer, - Optional['JWKSRefreshInterval'] => Integer, - Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'], - Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST'], - Optional['PublicKeyFiles'] => String, - Optional['ResponseType'] => Enum['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], - Optional['ResponseMode'] => Enum['fragment', 'query', 'form_post'], - Optional['ClientID'] => String, - Optional['ClientSecret'] => String, - Optional['ClientTokenEndpointCert'] => 
String, - Optional['ClientTokenEndpointKey'] => String, - Optional['ClientName'] => String, - Optional['ClientContact'] => String, - Optional['PKCDMethod'] => Enum['plain', 'S256', 'referred_tb'], - Optional['TokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], - Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, - Optional['IDTokenSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], - Optional['IDTokenEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], - Optional['IDTokenEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], - Optional['UserInfoSignedResposeAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], - Optional['UserInfoEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], - Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], - Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, - Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, - Optional['OAuthClientID'] => String, - Optional['OAuthClientSecret'] => String, - Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'bearer_access_token', 'none'], - Optional['OAuthIntrospectionClientAuthBearerToken'] => String, - Optional['OAuthIntrospectionEndpointCert'] => String, - Optional['OAuthIntrospectionEndpointKey'] => String, - Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], - Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['OAuthIntrospectionTokenParamName'] => String, - Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s(absolute|relative)\s(mandatory|optional)$/], - Optional['OAuthSSLValidateServer'] 
=> Enum['On', 'Off'], - Optional['OAuthVerifySharedKeys'] => String, - Optional['OAuthVerifyCertFiles'] => String, - Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, - Optional['OAuthRemoteUserClaim'] => String, - Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], - Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], - Optional['Cookie'] => String, - Optional['SessionCookieChunkSize'] => Integer, - Optional['CookieHTTPOnly'] => Enum['On', 'Off'], - Optional['CookieSameSite'] => Enum['On', 'Off'], - Optional['PassCookies'] => String, - Optional['StripCookies'] => String, - Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+\s(false|true)$/], - Optional['SessionInactivityTimeout'] => Integer, - Optional['SessionMaxDuration'] => Integer, - Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent)?)$/], - Optional['SessionCacheFallbackToCookie'] => Enum['On', 'Off'], - Optional['CacheType'] => Enum['shm', 'memcache', 'file', 'redis'], - Optional['CacheEncrypt'] => Enum['On', 'Off'], - Optional['CacheShmMax'] => Integer, - Optional['CacheShmEntrySizeMax'] => Integer, - Optional['CacheFileCleanInterval'] => Integer, - Optional['MemCacheServers'] => String, - Optional['RedisCacheServer'] => String, - Optional['RedisCachePassword'] => String, - Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], - Optional['HTMLErrorTemplate'] => String, - Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], - Optional['PathScope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], - Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['IDTokenIatSlack'] => Integer, - Optional['ClaimPrefix'] => String, - Optional['ClaimDelimiter'] => Pattern[/^.$/], - Optional['RemoteUserClaim'] => String, - Optional['PassIDTokenAs'] => 
Pattern[/^((claims|payload|serialized)\s?)+$/], - Optional['PassUserInfoAs'] => Pattern[/^((claims|json|jwt)\s?)+$/], - Optional['PassClaimsAs'] => Enum['none', 'headers', 'environment', 'both'], - Optional['AuthNHeader'] => String, - Optional['HTTPTimeoutLong'] => Integer, - Optional['HTTPTimeoutShort'] => Integer, - Optional['StateTimeout'] => Integer, - Optional['ScrubRequestHeaders'] => Enum['On', 'Off'], - Optional['OutgoingProxy'] => String, - Optional['UnAuthAction'] => Enum['auth', 'pass', '401', '410'], - Optional['UnAuthzAction'] => Enum['401', '403', 'auth'], - Optional['PreservePost'] => Enum['On', 'Off'], - Optional['PassRefreshToken'] => Enum['On', 'Off'], - Optional['RequestObject'] => String, - Optional['ProviderMetadataRefreshInterval'] => Integer, - Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|userinfo|refresh_token|session)\s?)+$/], - Optional['BlackListedClaims'] => String, - Optional['WhiteListedClaims'] => String, - Optional['RefreshAccessTokenBeforeExpiry'] => Pattern[/^[0-9]+(\slogout_on_error)?$/], + Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl, Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]], + Optional['CryptoPassphrase'] => String, + Optional['MetadataDir'] => String, + Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl, + Optional['ProviderIssuer'] => String, + Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none'], + Optional['ProviderTokenEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['ProviderUserInfoEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, + Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, + 
Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderBackChannelLogoutSupported'] => Enum['On', 'Off'], + Optional['ProviderRegistrationEndpointJson'] => String, + Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], + Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['SSLValidateServer'] => Enum['On', 'Off'], + Optional['UserInfoRefreshInterval'] => Pattern[/^[0-9]+(\s?(logout_on_error|authenticate_on_error|502_on_error))?$/], + Optional['JWKSRefreshInterval'] => Integer, + Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'], + Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST', 'PAR'], + Optional['PublicKeyFiles'] => String, + Optional['PrivateKeyFiles'] => String, + Optional['ResponseType'] => Enum['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], + Optional['ResponseMode'] => Enum['fragment', 'query', 'form_post'], + Optional['ClientID'] => String, + Optional['ClientSecret'] => String, + Optional['ClientTokenEndpointCert'] => String, + Optional['ClientTokenEndpointKey'] => String, + Optional['ClientTokenEndpointKeyPassword'] => String, + Optional['ClientName'] => String, + Optional['ClientContact'] => String, + Optional['PKCEMethod'] => Enum['plain', 'S256', 'referred_tb', 'none'], + Optional['TokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], + Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, + Optional['IDTokenSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], + Optional['IDTokenEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], + Optional['IDTokenEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], + Optional['UserInfoSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 
'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], + Optional['UserInfoEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], + Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], + Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, + Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, + Optional['OAuthClientID'] => String, + Optional['OAuthClientSecret'] => String, + Optional['OAuthIntrospectionEndpoint'] => String, + Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'bearer_access_token', 'none'], + Optional['OAuthIntrospectionClientAuthBearerToken'] => String, + Optional['OAuthIntrospectionEndpointCert'] => String, + Optional['OAuthIntrospectionEndpointKey'] => String, + Optional['OAuthIntrospectionEndpointKeyPassword'] => String, + Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], + Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['OAuthIntrospectionTokenParamName'] => String, + Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s?((absolute|relative)+(\s(mandatory|optional))?)?$/], + Optional['OAuthTokenIntrospectionInterval'] => Integer, + Optional['OAuthSSLValidateServer'] => Enum['On', 'Off'], + Optional['OAuthVerifySharedKeys'] => String, + Optional['OAuthVerifyCertFiles'] => String, + Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, + Optional['OAuthRemoteUserClaim'] => String, + Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], + Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], + Optional['Cookie'] => String, + Optional['CookieDomain'] => String, + Optional['CookiePath'] => String, + Optional['SessionCookieChunkSize'] => Integer, + Optional['CookieHTTPOnly'] => 
Enum['On', 'Off'], + Optional['CookieSameSite'] => Enum['On', 'Off'], + Optional['PassCookies'] => String, + Optional['StripCookies'] => String, + Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s?(false|true))?$/], + Optional['SessionInactivityTimeout'] => Integer, + Optional['SessionMaxDuration'] => Integer, + Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent|:store_id_token|:persistent:store_id_token)?)$/], + Optional['SessionCacheFallbackToCookie'] => Enum['On', 'Off'], + Optional['CacheType'] => Enum['shm', 'memcache', 'file', 'redis'], + Optional['CacheDir'] => String, + Optional['CacheEncrypt'] => Enum['On', 'Off'], + Optional['CacheShmMax'] => Integer, + Optional['CacheShmEntrySizeMax'] => Integer, + Optional['CacheFileCleanInterval'] => Integer, + Optional['MemCacheServers'] => String, + Optional['MemCacheConnectionsHMax'] => Integer, + Optional['MemCacheConnectionsMin'] => Integer, + Optional['MemCacheConnectionsSMax'] => Integer, + Optional['MemCacheConnectionsTTL'] => Integer, + Optional['RedisCacheServer'] => String, + Optional['RedisCachePassword'] => String, + Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+\s?[0-9]*$/], + Optional['RedisCacheDatabase'] => Integer, + Optional['RedisCacheTimeout'] => Integer, + Optional['RedisCacheUsername'] => String, + Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['HTMLErrorTemplate'] => String, + Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['PathScope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], + Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['IDTokenIatSlack'] => Integer, + Optional['ClaimPrefix'] => String, + Optional['ClaimDelimiter'] => Pattern[/^.$/], + Optional['RemoteUserClaim'] => String, + Optional['PassIDTokenAs'] => Pattern[/^((claims|payload|serialized)\s?)+$/], + 
Optional['PassUserInfoAs'] => Pattern[/^((claims|json(:([A-Za-z0-9\-\._])+)?|(signed_)?jwt(:([A-Za-z0-9\-\._])+)?)\s?)+$/], + Optional['PassClaimsAs'] => Enum['none', 'headers', 'environment', 'both'], + Optional['AuthNHeader'] => String, + Optional['HTTPTimeoutLong'] => Integer, + Optional['HTTPTimeoutShort'] => Integer, + Optional['StateTimeout'] => Integer, + Optional['ScrubRequestHeaders'] => Enum['On', 'Off'], + Optional['OutgoingProxy'] => String, + Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)\s.*/], + Optional['UnAutzAction'] => Pattern[/^(none|headers|environment|both)(\s+(latin1|base64url|none)+)?$/], + Optional['PreservePost'] => Enum['On', 'Off'], + Optional['PreservePostTemplates'] => String, + Optional['PassRefreshToken'] => Enum['On', 'Off'], + Optional['RequestObject'] => String, + Optional['ProviderMetadataRefreshInterval'] => Integer, + Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session)\s?)+$/], + Optional['BlackListedClaims'] => String, + Optional['WhiteListedClaims'] => String, + Optional['RefreshAccessTokenBeforeExpiry'] => Pattern[/^[0-9]+(\s(logout_on_error|authenticate_on_error|502_on_error))?$/], + Optional['XForwardedHeaders'] => String, + Optional['CABundlePath'] => String, + Optional['DefaultLoggedOutURL'] => String, + Optional['DPoPMode'] => String, + Optional['FilterClaimsExpr'] => String, + Optional['LogoutRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['LogoutXFrameOptions'] => String, + Optional['MetricsData'] => String, + Optional['MetricsPublish'] => String, + Optional['PassAccessToken'] => Enum['On', 'Off'], + Optional['ProviderPushedAuthorizationRequestEndpoint'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['ProviderSignedJwksUri'] => String, + Optional['ProviderVerifyCertFiles'] => String, + Optional['RedirectURLsAllowed'] => 
String, + Optional['StateCookiePrefix'] => String, + Optional['StateInputHeaders'] => Enum['user-agent', 'x-forwarded-for', 'both', 'none'], + Optional['TraceParent'] => Enum['off', 'generate', 'propagate'], + Optional['UserInfoClaimsExpr'] => String, + Optional['ValidateIssuer'] => Enum['On', 'Off'], }] ``` diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp index d3246ccdc..8a1493528 100644 --- a/types/oidcsettings.pp +++ b/types/oidcsettings.pp 
@@ -1,113 +1,148 @@ # https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf type Apache::OIDCSettings = Struct[ { - Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl, Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]], - Optional['CryptoPassphrase'] => String, - Optional['MetadataDir'] => String, - Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl, - Optional['ProviderIssuer'] => String, - Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl, - Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderTokenEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none'], - Optional['ProviderTokenEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['ProviderUserInfoEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, - Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderBackChannelLogoutSupported'] => Enum['On', 'Off'], - Optional['ProviderRegistrationEndpointJson'] => String, - Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], - Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['SSLValidateServer'] => Enum['On', 'Off'], - Optional['UserInfoRefreshInterval'] => Integer, - Optional['JWKSRefreshInterval'] => Integer, - Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'], - Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST'], - Optional['PublicKeyFiles'] => String, - Optional['ResponseType'] => Enum['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], - Optional['ResponseMode'] => Enum['fragment', 'query', 'form_post'], - Optional['ClientID'] => String, - 
Optional['ClientSecret'] => String, - Optional['ClientTokenEndpointCert'] => String, - Optional['ClientTokenEndpointKey'] => String, - Optional['ClientName'] => String, - Optional['ClientContact'] => String, - Optional['PKCDMethod'] => Enum['plain', 'S256', 'referred_tb'], - Optional['TokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], - Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, - Optional['IDTokenSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], - Optional['IDTokenEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], - Optional['IDTokenEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], - Optional['UserInfoSignedResposeAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], - Optional['UserInfoEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], - Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], - Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, - Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, - Optional['OAuthClientID'] => String, - Optional['OAuthClientSecret'] => String, - Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'bearer_access_token', 'none'], - Optional['OAuthIntrospectionClientAuthBearerToken'] => String, - Optional['OAuthIntrospectionEndpointCert'] => String, - Optional['OAuthIntrospectionEndpointKey'] => String, - Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], - Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['OAuthIntrospectionTokenParamName'] => String, - Optional['OAuthTokenExpiryClaim'] => 
Pattern[/^[A-Za-z0-9\-\._]+\s(absolute|relative)\s(mandatory|optional)$/], - Optional['OAuthSSLValidateServer'] => Enum['On', 'Off'], - Optional['OAuthVerifySharedKeys'] => String, - Optional['OAuthVerifyCertFiles'] => String, - Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, - Optional['OAuthRemoteUserClaim'] => String, - Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], - Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], - Optional['Cookie'] => String, - Optional['SessionCookieChunkSize'] => Integer, - Optional['CookieHTTPOnly'] => Enum['On', 'Off'], - Optional['CookieSameSite'] => Enum['On', 'Off'], - Optional['PassCookies'] => String, - Optional['StripCookies'] => String, - Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+\s(false|true)$/], - Optional['SessionInactivityTimeout'] => Integer, - Optional['SessionMaxDuration'] => Integer, - Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent)?)$/], - Optional['SessionCacheFallbackToCookie'] => Enum['On', 'Off'], - Optional['CacheType'] => Enum['shm', 'memcache', 'file', 'redis'], - Optional['CacheEncrypt'] => Enum['On', 'Off'], - Optional['CacheShmMax'] => Integer, - Optional['CacheShmEntrySizeMax'] => Integer, - Optional['CacheFileCleanInterval'] => Integer, - Optional['MemCacheServers'] => String, - Optional['RedisCacheServer'] => String, - Optional['RedisCachePassword'] => String, - Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], - Optional['HTMLErrorTemplate'] => String, - Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], - Optional['PathScope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], - Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['IDTokenIatSlack'] => Integer, - Optional['ClaimPrefix'] => String, - 
Optional['ClaimDelimiter'] => Pattern[/^.$/], - Optional['RemoteUserClaim'] => String, - Optional['PassIDTokenAs'] => Pattern[/^((claims|payload|serialized)\s?)+$/], - Optional['PassUserInfoAs'] => Pattern[/^((claims|json|jwt)\s?)+$/], - Optional['PassClaimsAs'] => Enum['none', 'headers', 'environment', 'both'], - Optional['AuthNHeader'] => String, - Optional['HTTPTimeoutLong'] => Integer, - Optional['HTTPTimeoutShort'] => Integer, - Optional['StateTimeout'] => Integer, - Optional['ScrubRequestHeaders'] => Enum['On', 'Off'], - Optional['OutgoingProxy'] => String, - Optional['UnAuthAction'] => Enum['auth', 'pass', '401', '410'], - Optional['UnAuthzAction'] => Enum['401', '403', 'auth'], - Optional['PreservePost'] => Enum['On', 'Off'], - Optional['PassRefreshToken'] => Enum['On', 'Off'], - Optional['RequestObject'] => String, - Optional['ProviderMetadataRefreshInterval'] => Integer, - Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|userinfo|refresh_token|session)\s?)+$/], - Optional['BlackListedClaims'] => String, - Optional['WhiteListedClaims'] => String, - Optional['RefreshAccessTokenBeforeExpiry'] => Pattern[/^[0-9]+(\slogout_on_error)?$/], - Optional['XForwardedHeaders'] => String, + Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl, Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]], + Optional['CryptoPassphrase'] => String, + Optional['MetadataDir'] => String, + Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl, + Optional['ProviderIssuer'] => String, + Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none'], + Optional['ProviderTokenEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + 
Optional['ProviderUserInfoEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, + Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderBackChannelLogoutSupported'] => Enum['On', 'Off'], + Optional['ProviderRegistrationEndpointJson'] => String, + Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], + Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['SSLValidateServer'] => Enum['On', 'Off'], + Optional['UserInfoRefreshInterval'] => Pattern[/^[0-9]+(\s?(logout_on_error|authenticate_on_error|502_on_error))?$/], + Optional['JWKSRefreshInterval'] => Integer, + Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'], + Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST', 'PAR'], + Optional['PublicKeyFiles'] => String, + Optional['PrivateKeyFiles'] => String, + Optional['ResponseType'] => Enum['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], + Optional['ResponseMode'] => Enum['fragment', 'query', 'form_post'], + Optional['ClientID'] => String, + Optional['ClientSecret'] => String, + Optional['ClientTokenEndpointCert'] => String, + Optional['ClientTokenEndpointKey'] => String, + Optional['ClientTokenEndpointKeyPassword'] => String, + Optional['ClientName'] => String, + Optional['ClientContact'] => String, + Optional['PKCEMethod'] => Enum['plain', 'S256', 'referred_tb', 'none'], + Optional['TokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], + Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, + Optional['IDTokenSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], + Optional['IDTokenEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], + 
Optional['IDTokenEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], + Optional['UserInfoSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], + Optional['UserInfoEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], + Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], + Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, + Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, + Optional['OAuthClientID'] => String, + Optional['OAuthClientSecret'] => String, + Optional['OAuthIntrospectionEndpoint'] => String, + Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'bearer_access_token', 'none'], + Optional['OAuthIntrospectionClientAuthBearerToken'] => String, + Optional['OAuthIntrospectionEndpointCert'] => String, + Optional['OAuthIntrospectionEndpointKey'] => String, + Optional['OAuthIntrospectionEndpointKeyPassword'] => String, + Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], + Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['OAuthIntrospectionTokenParamName'] => String, + Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s?((absolute|relative)+(\s(mandatory|optional))?)?$/], + Optional['OAuthTokenIntrospectionInterval'] => Integer, + Optional['OAuthSSLValidateServer'] => Enum['On', 'Off'], + Optional['OAuthVerifySharedKeys'] => String, + Optional['OAuthVerifyCertFiles'] => String, + Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, + Optional['OAuthRemoteUserClaim'] => String, + Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], + Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled', 'optional', 
'required', 'enforced'], + Optional['Cookie'] => String, + Optional['CookieDomain'] => String, + Optional['CookiePath'] => String, + Optional['SessionCookieChunkSize'] => Integer, + Optional['CookieHTTPOnly'] => Enum['On', 'Off'], + Optional['CookieSameSite'] => Enum['On', 'Off'], + Optional['PassCookies'] => String, + Optional['StripCookies'] => String, + Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s?(false|true))?$/], + Optional['SessionInactivityTimeout'] => Integer, + Optional['SessionMaxDuration'] => Integer, + Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent|:store_id_token|:persistent:store_id_token)?)$/], + Optional['SessionCacheFallbackToCookie'] => Enum['On', 'Off'], + Optional['CacheType'] => Enum['shm', 'memcache', 'file', 'redis'], + Optional['CacheDir'] => String, + Optional['CacheEncrypt'] => Enum['On', 'Off'], + Optional['CacheShmMax'] => Integer, + Optional['CacheShmEntrySizeMax'] => Integer, + Optional['CacheFileCleanInterval'] => Integer, + Optional['MemCacheServers'] => String, + Optional['MemCacheConnectionsHMax'] => Integer, + Optional['MemCacheConnectionsMin'] => Integer, + Optional['MemCacheConnectionsSMax'] => Integer, + Optional['MemCacheConnectionsTTL'] => Integer, + Optional['RedisCacheServer'] => String, + Optional['RedisCachePassword'] => String, + Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+\s?[0-9]*$/], + Optional['RedisCacheDatabase'] => Integer, + Optional['RedisCacheTimeout'] => Integer, + Optional['RedisCacheUsername'] => String, + Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['HTMLErrorTemplate'] => String, + Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['PathScope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], + Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['IDTokenIatSlack'] => Integer, + 
Optional['ClaimPrefix'] => String, + Optional['ClaimDelimiter'] => Pattern[/^.$/], + Optional['RemoteUserClaim'] => String, + Optional['PassIDTokenAs'] => Pattern[/^((claims|payload|serialized)\s?)+$/], + Optional['PassUserInfoAs'] => Pattern[/^((claims|json(:([A-Za-z0-9\-\._])+)?|(signed_)?jwt(:([A-Za-z0-9\-\._])+)?)\s?)+$/], + Optional['PassClaimsAs'] => Enum['none', 'headers', 'environment', 'both'], + Optional['AuthNHeader'] => String, + Optional['HTTPTimeoutLong'] => Integer, + Optional['HTTPTimeoutShort'] => Integer, + Optional['StateTimeout'] => Integer, + Optional['ScrubRequestHeaders'] => Enum['On', 'Off'], + Optional['OutgoingProxy'] => String, + Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)\s.*/], + Optional['UnAutzAction'] => Pattern[/^(none|headers|environment|both)(\s+(latin1|base64url|none)+)?$/], + Optional['PreservePost'] => Enum['On', 'Off'], + Optional['PreservePostTemplates'] => String, + Optional['PassRefreshToken'] => Enum['On', 'Off'], + Optional['RequestObject'] => String, + Optional['ProviderMetadataRefreshInterval'] => Integer, + Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session)\s?)+$/], + Optional['BlackListedClaims'] => String, + Optional['WhiteListedClaims'] => String, + Optional['RefreshAccessTokenBeforeExpiry'] => Pattern[/^[0-9]+(\s(logout_on_error|authenticate_on_error|502_on_error))?$/], + Optional['XForwardedHeaders'] => String, + Optional['CABundlePath'] => String, + Optional['DefaultLoggedOutURL'] => String, + Optional['DPoPMode'] => String, + Optional['FilterClaimsExpr'] => String, + Optional['LogoutRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['LogoutXFrameOptions'] => String, + Optional['MetricsData'] => String, + Optional['MetricsPublish'] => String, + Optional['PassAccessToken'] => Enum['On', 'Off'], + 
Optional['ProviderPushedAuthorizationRequestEndpoint'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl],
+ Optional['ProviderSignedJwksUri'] => String,
+ Optional['ProviderVerifyCertFiles'] => String,
+ Optional['RedirectURLsAllowed'] => String,
+ Optional['StateCookiePrefix'] => String,
+ Optional['StateInputHeaders'] => Enum['user-agent', 'x-forwarded-for', 'both', 'none'],
+ Optional['TraceParent'] => Enum['off', 'generate', 'propagate'],
+ Optional['UserInfoClaimsExpr'] => String,
+ Optional['ValidateIssuer'] => Enum['On', 'Off'],
 } ]
From 99ed356ba692f52aed16561d618f9a8bca31e66d Mon Sep 17 00:00:00 2001
From: uoe-pjackson <56168566+uoe-pjackson@users.noreply.github.com>
Date: Mon, 23 Sep 2024 14:39:28 +0100
Subject: [PATCH 2/5] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Romain Tartière
---
 types/oidcsettings.pp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp
index 8a1493528..0401336cf 100644
--- a/types/oidcsettings.pp
+++ b/types/oidcsettings.pp
@@ -20,7 +20,7 @@
 Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/],
 Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/],
 Optional['SSLValidateServer'] => Enum['On', 'Off'],
- Optional['UserInfoRefreshInterval'] => Pattern[/^[0-9]+(\s?(logout_on_error|authenticate_on_error|502_on_error))?$/],
+ Optional['UserInfoRefreshInterval'] => Pattern[/^[0-9]+(\s+(logout_on_error|authenticate_on_error|502_on_error))?$/],
 Optional['JWKSRefreshInterval'] => Integer,
 Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'],
 Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST', 'PAR'],
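Review bot: `UserInfoRefreshInterval` changes from `Integer` to a `Pattern[...]`, and a Puppet `Pattern` only matches Strings, so any manifest that currently passes the interval as a number (constructed example: `UserInfoRefreshInterval => 3600`) will fail type validation after this hunk; keep the old form accepted with `Optional['UserInfoRefreshInterval'] => Variant[Integer, Pattern[/^[0-9]+(\s?(logout_on_error|authenticate_on_error|502_on_error))?$/]],` (the same applies to the `\s+` variant of that line in the second patch's `@@ -20` hunk). Renaming `PKCDMethod`, `UserInfoSignedResposeAlg` and `UnAuthzAction` removes the old keys from the Struct, which is itself a breaking change for existing callers and deserves a changelog note or a transitional period where both spellings are accepted; worse, the new spelling `UnAutzAction` is a fresh typo — the previous key `UnAuthzAction` matches the mod_auth_openidc directive `OIDCUnAuthzAction` and should be kept, here and in the `@@ -114` hunk of the second patch, which carries the misspelling forward. The added `OAuthIntrospectionEndpoint` is typed `String` while its sibling `AuthIntrospectionEndpoint` (apparently the misspelled original) is `Stdlib::HTTPSUrl`; the new key should carry the URL type (`Optional['OAuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl,`) and the misspelled one be retired rather than left alongside it.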
@@ -58,7 +58,7 @@ Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], Optional['OAuthIntrospectionTokenParamName'] => String, Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s?((absolute|relative)+(\s(mandatory|optional))?)?$/], - Optional['OAuthTokenIntrospectionInterval'] => Integer, + Optional['OAuthTokenIntrospectionInterval'] => Integer[-1], Optional['OAuthSSLValidateServer'] => Enum['On', 'Off'], Optional['OAuthVerifySharedKeys'] => String, Optional['OAuthVerifyCertFiles'] => String, @@ -74,7 +74,7 @@ Optional['CookieSameSite'] => Enum['On', 'Off'], Optional['PassCookies'] => String, Optional['StripCookies'] => String, - Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s?(false|true))?$/], + Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s(false|true))?$/], Optional['SessionInactivityTimeout'] => Integer, Optional['SessionMaxDuration'] => Integer, Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent|:store_id_token|:persistent:store_id_token)?)$/], @@ -92,7 +92,7 @@ Optional['MemCacheConnectionsTTL'] => Integer, Optional['RedisCacheServer'] => String, Optional['RedisCachePassword'] => String, - Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+\s?[0-9]*$/], + Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+(\s[0-9]+)?$/], Optional['RedisCacheDatabase'] => Integer, Optional['RedisCacheTimeout'] => Integer, Optional['RedisCacheUsername'] => String, 
@@ -114,8 +114,8 @@ Optional['StateTimeout'] => Integer, Optional['ScrubRequestHeaders'] => Enum['On', 'Off'], Optional['OutgoingProxy'] => String, - Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)\s.*/], - Optional['UnAutzAction'] => Pattern[/^(none|headers|environment|both)(\s+(latin1|base64url|none)+)?$/], + Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)(\s.*)?$/], + Optional['UnAutzAction'] => Pattern[/^(401|403|302|auth)(\s.*)?$/], Optional['PreservePost'] => Enum['On', 'Off'], Optional['PreservePostTemplates'] => String, Optional['PassRefreshToken'] => Enum['On', 'Off'], @@ -130,12 +130,12 @@ Optional['DefaultLoggedOutURL'] => String, Optional['DPoPMode'] => String, Optional['FilterClaimsExpr'] => String, - Optional['LogoutRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['LogoutRequestParams'] => Pattern[/^[^=]+=[^&]+(&[^=]+=[^&]+)*$/], Optional['LogoutXFrameOptions'] => String, Optional['MetricsData'] => String, Optional['MetricsPublish'] => String, Optional['PassAccessToken'] => Enum['On', 'Off'], - Optional['ProviderPushedAuthorizationRequestEndpoint'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['ProviderPushedAuthorizationRequestEndpoint'] => Stdlib::HttpUrl, Optional['ProviderSignedJwksUri'] => String, Optional['ProviderVerifyCertFiles'] => String, Optional['RedirectURLsAllowed'] => String, From bea6661ba08220d38d352d49f493b20d2b736006 Mon Sep 17 00:00:00 2001 From: Peter Jackson Date: Mon, 23 Sep 2024 16:53:34 +0100 Subject: [PATCH 3/5] Update data types based on feedback from PR #2569 --- REFERENCE.md | 182 +++++++++++++++++++++--------------------- types/oidcsettings.pp | 166 +++++++++++++++++++------------------- 2 files changed, 174 insertions(+), 174 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 5b43bcb8e..5fc4e7096 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
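Review bot: The new `UnAuthAction` and `UnAutzAction` patterns are anchored with `^`/`$`, which in the Ruby regexes that Puppet's `Pattern` type compiles to are line anchors rather than string anchors, so a value such as `"auth\nOIDCSomeOtherDirective x"` still validates (`\s` even consumes the newline) and goes on verbatim to whatever renders the `OIDC*` directives into the Apache configuration. Anchoring with `\A`/`\z` closes that: `Optional['UnAuthAction'] => Pattern[/\A(auth|pass|401|407|410)(\s.*)?\z/],` and `Optional['UnAutzAction'] => Pattern[/\A(401|403|302|auth)(\s.*)?\z/],`. The trailing `(\s.*)?` is presumably the optional Apache expression argument, so its looseness is acceptable once the value is confined to a single line. Every other `Pattern` in this struct has the same `^`/`$` anchoring, but those lines are context here, not part of this change.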
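Review bot: `ProviderPushedAuthorizationRequestEndpoint` is now `Stdlib::HttpUrl`, which accepts plain `http://` as well as `https://`, while every other provider endpoint in this struct (`ProviderTokenEndpoint`, `ProviderJwksUri`, `ProviderRevocationEndpoint`, ...) is `Stdlib::HTTPSUrl`; the PAR endpoint receives the client authentication and the complete authorization request, so it warrants the same restriction: `Optional['ProviderPushedAuthorizationRequestEndpoint'] => Stdlib::HTTPSUrl,`. If `Stdlib::HttpUrl` was chosen only because it already covers `https://` and makes the old Variant redundant, the stricter type achieves that too. Separately, the loosened `LogoutRequestParams` pattern `/^[^=]+=[^&]+(&[^=]+=[^&]+)*$/` now admits whitespace, quotes and, since `[^&]` matches a newline in Ruby, line breaks, unlike the sibling `AuthRequestParams`/`PathAuthRequestParams` patterns that restrict keys and values to URL-safe characters; if the intent is to allow characters those patterns reject, at least exclude whitespace and quotes, e.g. `[^=&\s"']+` for each key and value.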
@@ -11307,10 +11307,10 @@ Alias of
 ```puppet
 Struct[{
 Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl, Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]],
- Optional['CryptoPassphrase'] => String,
- Optional['MetadataDir'] => String,
+ Optional['CryptoPassphrase'] => String[1],
+ Optional['MetadataDir'] => String[1],
 Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl,
- Optional['ProviderIssuer'] => String,
+ Optional['ProviderIssuer'] => String[1],
 Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl,
 Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl,
 Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl,
@@ -11320,26 +11320,26 @@ Struct[{ Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderBackChannelLogoutSupported'] => Enum['On', 'Off'], - Optional['ProviderRegistrationEndpointJson'] => String, + Optional['ProviderBackChannelLogoutSupported'] => Apache::OnOff, + Optional['ProviderRegistrationEndpointJson'] => String[1], Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['SSLValidateServer'] => Enum['On', 'Off'], - Optional['UserInfoRefreshInterval'] => Pattern[/^[0-9]+(\s?(logout_on_error|authenticate_on_error|502_on_error))?$/], - Optional['JWKSRefreshInterval'] => Integer, + Optional['SSLValidateServer'] => Apache::OnOff , + Optional['UserInfoRefreshInterval'] => Pattern[/^[0-9]+(\s+(logout_on_error|authenticate_on_error|502_on_error))?$/], + Optional['JWKSRefreshInterval'] => Integer[-1], Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'], Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST', 'PAR'], - Optional['PublicKeyFiles'] => String, - Optional['PrivateKeyFiles'] => String, + Optional['PublicKeyFiles'] => String[1], + Optional['PrivateKeyFiles'] => String[1], Optional['ResponseType'] => Enum['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], Optional['ResponseMode'] => Enum['fragment', 'query', 'form_post'], - Optional['ClientID'] => String, - Optional['ClientSecret'] => String, - Optional['ClientTokenEndpointCert'] => String, - Optional['ClientTokenEndpointKey'] => String, - Optional['ClientTokenEndpointKeyPassword'] => String, - Optional['ClientName'] => String, - Optional['ClientContact'] => String, + Optional['ClientID'] => String[1], + Optional['ClientSecret'] => String[1], + 
Optional['ClientTokenEndpointCert'] => String[1], + Optional['ClientTokenEndpointKey'] => String[1], + Optional['ClientTokenEndpointKeyPassword'] => String[1], + Optional['ClientName'] => String[1], + Optional['ClientContact'] => String[1], Optional['PKCEMethod'] => Enum['plain', 'S256', 'referred_tb', 'none'], Optional['TokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, 
@@ -11351,104 +11351,104 @@ Struct[{ Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, - Optional['OAuthClientID'] => String, - Optional['OAuthClientSecret'] => String, - Optional['OAuthIntrospectionEndpoint'] => String, + Optional['OAuthClientID'] => String[1], + Optional['OAuthClientSecret'] => String[1], + Optional['OAuthIntrospectionEndpoint'] => String[1], Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'bearer_access_token', 'none'], - Optional['OAuthIntrospectionClientAuthBearerToken'] => String, - Optional['OAuthIntrospectionEndpointCert'] => String, - Optional['OAuthIntrospectionEndpointKey'] => String, - Optional['OAuthIntrospectionEndpointKeyPassword'] => String, + Optional['OAuthIntrospectionClientAuthBearerToken'] => String[1], + Optional['OAuthIntrospectionEndpointCert'] => String[1], + Optional['OAuthIntrospectionEndpointKey'] => String[1], + Optional['OAuthIntrospectionEndpointKeyPassword'] => String[1], Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['OAuthIntrospectionTokenParamName'] => String, + Optional['OAuthIntrospectionTokenParamName'] => String[1], Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s?((absolute|relative)+(\s(mandatory|optional))?)?$/], - Optional['OAuthTokenIntrospectionInterval'] => Integer, - Optional['OAuthSSLValidateServer'] => Enum['On', 'Off'], - Optional['OAuthVerifySharedKeys'] => String, - Optional['OAuthVerifyCertFiles'] => String, + Optional['OAuthTokenIntrospectionInterval'] => Integer[-1], + Optional['OAuthSSLValidateServer'] => Apache::OnOff, + Optional['OAuthVerifySharedKeys'] => 
String[1], + Optional['OAuthVerifyCertFiles'] => String[1], Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, - Optional['OAuthRemoteUserClaim'] => String, + Optional['OAuthRemoteUserClaim'] => String[1], Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], - Optional['Cookie'] => String, - Optional['CookieDomain'] => String, - Optional['CookiePath'] => String, - Optional['SessionCookieChunkSize'] => Integer, - Optional['CookieHTTPOnly'] => Enum['On', 'Off'], - Optional['CookieSameSite'] => Enum['On', 'Off'], - Optional['PassCookies'] => String, - Optional['StripCookies'] => String, - Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s?(false|true))?$/], - Optional['SessionInactivityTimeout'] => Integer, - Optional['SessionMaxDuration'] => Integer, + Optional['Cookie'] => String[1], + Optional['CookieDomain'] => String[1], + Optional['CookiePath'] => String[1], + Optional['SessionCookieChunkSize'] => Intege[-1], + Optional['CookieHTTPOnly'] => Apache::OnOff, + Optional['CookieSameSite'] => Apache::OnOff, + Optional['PassCookies'] => String[1], + Optional['StripCookies'] => String[1], + Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s(false|true))?$/], + Optional['SessionInactivityTimeout'] => Integer[-1], + Optional['SessionMaxDuration'] => Integer[-1], Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent|:store_id_token|:persistent:store_id_token)?)$/], - Optional['SessionCacheFallbackToCookie'] => Enum['On', 'Off'], + Optional['SessionCacheFallbackToCookie'] => Apache::OnOff, Optional['CacheType'] => Enum['shm', 'memcache', 'file', 'redis'], - Optional['CacheDir'] => String, - Optional['CacheEncrypt'] => Enum['On', 'Off'], - Optional['CacheShmMax'] => Integer, - Optional['CacheShmEntrySizeMax'] => Integer, - Optional['CacheFileCleanInterval'] => Integer, - 
Optional['MemCacheServers'] => String, - Optional['MemCacheConnectionsHMax'] => Integer, - Optional['MemCacheConnectionsMin'] => Integer, - Optional['MemCacheConnectionsSMax'] => Integer, - Optional['MemCacheConnectionsTTL'] => Integer, - Optional['RedisCacheServer'] => String, + Optional['CacheDir'] => String[1], + Optional['CacheEncrypt'] => Apache::OnOff, + Optional['CacheShmMax'] => Integer[-1], + Optional['CacheShmEntrySizeMax'] => Integer[-1], + Optional['CacheFileCleanInterval'] => Integer[-1], + Optional['MemCacheServers'] => String[1], + Optional['MemCacheConnectionsHMax'] => Integer[-1], + Optional['MemCacheConnectionsMin'] => Integer[-1], + Optional['MemCacheConnectionsSMax'] => Integer[-1], + Optional['MemCacheConnectionsTTL'] => Integer[-1], + Optional['RedisCacheServer'] => String[1], Optional['RedisCachePassword'] => String, - Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+\s?[0-9]*$/], - Optional['RedisCacheDatabase'] => Integer, - Optional['RedisCacheTimeout'] => Integer, - Optional['RedisCacheUsername'] => String, + Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+(\s[0-9]+)?$/], + Optional['RedisCacheDatabase'] => Integer[-1], + Optional['RedisCacheTimeout'] => Integer[-1], + Optional['RedisCacheUsername'] => String[1], Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], - Optional['HTMLErrorTemplate'] => String, + Optional['HTMLErrorTemplate'] => String[1], Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], Optional['PathScope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['IDTokenIatSlack'] => Integer, + Optional['IDTokenIatSlack'] => Integer[-1], Optional['ClaimPrefix'] => String, Optional['ClaimDelimiter'] => Pattern[/^.$/], - Optional['RemoteUserClaim'] => String, + Optional['RemoteUserClaim'] => String[1], Optional['PassIDTokenAs'] => 
Pattern[/^((claims|payload|serialized)\s?)+$/], Optional['PassUserInfoAs'] => Pattern[/^((claims|json(:([A-Za-z0-9\-\._])+)?|(signed_)?jwt(:([A-Za-z0-9\-\._])+)?)\s?)+$/], Optional['PassClaimsAs'] => Enum['none', 'headers', 'environment', 'both'], - Optional['AuthNHeader'] => String, - Optional['HTTPTimeoutLong'] => Integer, - Optional['HTTPTimeoutShort'] => Integer, - Optional['StateTimeout'] => Integer, - Optional['ScrubRequestHeaders'] => Enum['On', 'Off'], - Optional['OutgoingProxy'] => String, - Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)\s.*/], - Optional['UnAutzAction'] => Pattern[/^(none|headers|environment|both)(\s+(latin1|base64url|none)+)?$/], - Optional['PreservePost'] => Enum['On', 'Off'], - Optional['PreservePostTemplates'] => String, - Optional['PassRefreshToken'] => Enum['On', 'Off'], - Optional['RequestObject'] => String, - Optional['ProviderMetadataRefreshInterval'] => Integer, + Optional['AuthNHeader'] => String[1], + Optional['HTTPTimeoutLong'] => Integer[-1], + Optional['HTTPTimeoutShort'] => Integer[-1], + Optional['StateTimeout'] => Integer[-1], + Optional['ScrubRequestHeaders'] => Apache::OnOff, + Optional['OutgoingProxy'] => String[1], + Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)(\s.*)?$/], + Optional['UnAutzAction'] => Pattern[/^(401|403|302|auth)(\s.*)?$/], + Optional['PreservePost'] => Apache::OnOff, + Optional['PreservePostTemplates'] => String[1], + Optional['PassRefreshToken'] => Apache::OnOff, + Optional['RequestObject'] => String[1], + Optional['ProviderMetadataRefreshInterval'] => Integer[-1], Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session)\s?)+$/], - Optional['BlackListedClaims'] => String, - Optional['WhiteListedClaims'] => String, + Optional['BlackListedClaims'] => String[1], + Optional['WhiteListedClaims'] => String[1], Optional['RefreshAccessTokenBeforeExpiry'] => 
Pattern[/^[0-9]+(\s(logout_on_error|authenticate_on_error|502_on_error))?$/], - Optional['XForwardedHeaders'] => String, - Optional['CABundlePath'] => String, - Optional['DefaultLoggedOutURL'] => String, - Optional['DPoPMode'] => String, - Optional['FilterClaimsExpr'] => String, - Optional['LogoutRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['LogoutXFrameOptions'] => String, - Optional['MetricsData'] => String, - Optional['MetricsPublish'] => String, - Optional['PassAccessToken'] => Enum['On', 'Off'], - Optional['ProviderPushedAuthorizationRequestEndpoint'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], - Optional['ProviderSignedJwksUri'] => String, - Optional['ProviderVerifyCertFiles'] => String, - Optional['RedirectURLsAllowed'] => String, + Optional['XForwardedHeaders'] => String[1], + Optional['CABundlePath'] => String[1], + Optional['DefaultLoggedOutURL'] => String[1], + Optional['DPoPMode'] => String[1], + Optional['FilterClaimsExpr'] => String[1], + Optional['LogoutRequestParams'] => Pattern[/^[^=]+=[^&]+(&[^=]+=[^&]+)*$/], + Optional['LogoutXFrameOptions'] => String[1], + Optional['MetricsData'] => String[1], + Optional['MetricsPublish'] => String[1], + Optional['PassAccessToken'] => Apache::OnOff, + Optional['ProviderPushedAuthorizationRequestEndpoint'] => Stdlib::HttpUrl, + Optional['ProviderSignedJwksUri'] => String[1], + Optional['ProviderVerifyCertFiles'] => String[1], + Optional['RedirectURLsAllowed'] => String[1], Optional['StateCookiePrefix'] => String, Optional['StateInputHeaders'] => Enum['user-agent', 'x-forwarded-for', 'both', 'none'], Optional['TraceParent'] => Enum['off', 'generate', 'propagate'], - Optional['UserInfoClaimsExpr'] => String, - Optional['ValidateIssuer'] => Enum['On', 'Off'], + Optional['UserInfoClaimsExpr'] => String[1], + Optional['ValidateIssuer'] => Apache::OnOff, }] ``` 
diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp index 0401336cf..817383165 100644 --- a/types/oidcsettings.pp +++ b/types/oidcsettings.pp @@ -2,10 +2,10 @@ type Apache::OIDCSettings = Struct[ { Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl, Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]], - Optional['CryptoPassphrase'] => String, - Optional['MetadataDir'] => String, + Optional['CryptoPassphrase'] => String[1], + Optional['MetadataDir'] => String[1], Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl, - Optional['ProviderIssuer'] => String, + Optional['ProviderIssuer'] => String[1], Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl, Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl, Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl, 
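Review bot: `CryptoPassphrase` is tightened to `String[1]`, but it stays a plain string for what is a secret (the passphrase mod_auth_openidc derives its cookie and cache encryption keys from), so the value sits in the compiled catalog and in reports in cleartext. Accepting `Variant[String[1], Sensitive[String[1]]]` lets callers wrap it; that only helps if the template that renders `OIDCCryptoPassphrase` unwraps the value, which is outside this diff and would need checking before changing the type. At minimum a one-line comment above the entry, `# secret: prefer passing a Sensitive value`, flags it for callers, since nothing else in the struct distinguishes secrets from ordinary settings.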
@@ -15,26 +15,26 @@ Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, - Optional['ProviderBackChannelLogoutSupported'] => Enum['On', 'Off'], - Optional['ProviderRegistrationEndpointJson'] => String, + Optional['ProviderBackChannelLogoutSupported'] => Apache::OnOff, + Optional['ProviderRegistrationEndpointJson'] => String[1], Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['SSLValidateServer'] => Enum['On', 'Off'], + Optional['SSLValidateServer'] => Apache::OnOff , Optional['UserInfoRefreshInterval'] => Pattern[/^[0-9]+(\s+(logout_on_error|authenticate_on_error|502_on_error))?$/], - Optional['JWKSRefreshInterval'] => Integer, + Optional['JWKSRefreshInterval'] => Integer[-1], Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'], Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST', 'PAR'], - Optional['PublicKeyFiles'] => String, - Optional['PrivateKeyFiles'] => String, + Optional['PublicKeyFiles'] => String[1], + Optional['PrivateKeyFiles'] => String[1], Optional['ResponseType'] => Enum['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], Optional['ResponseMode'] => Enum['fragment', 'query', 'form_post'], - Optional['ClientID'] => String, - Optional['ClientSecret'] => String, - Optional['ClientTokenEndpointCert'] => String, - Optional['ClientTokenEndpointKey'] => String, - Optional['ClientTokenEndpointKeyPassword'] => String, - Optional['ClientName'] => String, - Optional['ClientContact'] => String, + Optional['ClientID'] => String[1], + Optional['ClientSecret'] => String[1], + Optional['ClientTokenEndpointCert'] => String[1], + Optional['ClientTokenEndpointKey'] => String[1], + Optional['ClientTokenEndpointKeyPassword'] => 
String[1], + Optional['ClientName'] => String[1], + Optional['ClientContact'] => String[1], Optional['PKCEMethod'] => Enum['plain', 'S256', 'referred_tb', 'none'], Optional['TokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, 
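Review bot: `Optional['SSLValidateServer'] => Apache::OnOff ,` carries a stray space before the comma that no other entry in this struct has; drop it so the line reads `Optional['SSLValidateServer'] => Apache::OnOff,` (the REFERENCE.md copy of this hunk has the same blemish). On substance, `ClientSecret` and `ClientTokenEndpointKeyPassword` become `String[1]` alongside non-secret fields such as `ClientName` and `ClientContact`, which records nothing about their sensitivity; `Variant[String[1], Sensitive[String[1]]]` for those two would let callers keep the client credential out of cleartext catalogs and reports, provided the rendering template unwraps Sensitive values, which this diff does not show.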
@@ -46,103 +46,103 @@ Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, - Optional['OAuthClientID'] => String, - Optional['OAuthClientSecret'] => String, - Optional['OAuthIntrospectionEndpoint'] => String, + Optional['OAuthClientID'] => String[1], + Optional['OAuthClientSecret'] => String[1], + Optional['OAuthIntrospectionEndpoint'] => String[1], Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'bearer_access_token', 'none'], - Optional['OAuthIntrospectionClientAuthBearerToken'] => String, - Optional['OAuthIntrospectionEndpointCert'] => String, - Optional['OAuthIntrospectionEndpointKey'] => String, - Optional['OAuthIntrospectionEndpointKeyPassword'] => String, + Optional['OAuthIntrospectionClientAuthBearerToken'] => String[1], + Optional['OAuthIntrospectionEndpointCert'] => String[1], + Optional['OAuthIntrospectionEndpointKey'] => String[1], + Optional['OAuthIntrospectionEndpointKeyPassword'] => String[1], Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['OAuthIntrospectionTokenParamName'] => String, + Optional['OAuthIntrospectionTokenParamName'] => String[1], Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s?((absolute|relative)+(\s(mandatory|optional))?)?$/], Optional['OAuthTokenIntrospectionInterval'] => Integer[-1], - Optional['OAuthSSLValidateServer'] => Enum['On', 'Off'], - Optional['OAuthVerifySharedKeys'] => String, - Optional['OAuthVerifyCertFiles'] => String, + Optional['OAuthSSLValidateServer'] => Apache::OnOff, + Optional['OAuthVerifySharedKeys'] => String[1], + Optional['OAuthVerifyCertFiles'] => String[1], 
Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, - Optional['OAuthRemoteUserClaim'] => String, + Optional['OAuthRemoteUserClaim'] => String[1], Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], - Optional['Cookie'] => String, - Optional['CookieDomain'] => String, - Optional['CookiePath'] => String, - Optional['SessionCookieChunkSize'] => Integer, - Optional['CookieHTTPOnly'] => Enum['On', 'Off'], - Optional['CookieSameSite'] => Enum['On', 'Off'], - Optional['PassCookies'] => String, - Optional['StripCookies'] => String, + Optional['Cookie'] => String[1], + Optional['CookieDomain'] => String[1], + Optional['CookiePath'] => String[1], + Optional['SessionCookieChunkSize'] => Intege[-1], + Optional['CookieHTTPOnly'] => Apache::OnOff, + Optional['CookieSameSite'] => Apache::OnOff, + Optional['PassCookies'] => String[1], + Optional['StripCookies'] => String[1], Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s(false|true))?$/], - Optional['SessionInactivityTimeout'] => Integer, - Optional['SessionMaxDuration'] => Integer, + Optional['SessionInactivityTimeout'] => Integer[-1], + Optional['SessionMaxDuration'] => Integer[-1], Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent|:store_id_token|:persistent:store_id_token)?)$/], - Optional['SessionCacheFallbackToCookie'] => Enum['On', 'Off'], + Optional['SessionCacheFallbackToCookie'] => Apache::OnOff, Optional['CacheType'] => Enum['shm', 'memcache', 'file', 'redis'], - Optional['CacheDir'] => String, - Optional['CacheEncrypt'] => Enum['On', 'Off'], - Optional['CacheShmMax'] => Integer, - Optional['CacheShmEntrySizeMax'] => Integer, - Optional['CacheFileCleanInterval'] => Integer, - Optional['MemCacheServers'] => String, - Optional['MemCacheConnectionsHMax'] => Integer, - Optional['MemCacheConnectionsMin'] => Integer, - 
Optional['MemCacheConnectionsSMax'] => Integer, - Optional['MemCacheConnectionsTTL'] => Integer, - Optional['RedisCacheServer'] => String, + Optional['CacheDir'] => String[1], + Optional['CacheEncrypt'] => Apache::OnOff, + Optional['CacheShmMax'] => Integer[-1], + Optional['CacheShmEntrySizeMax'] => Integer[-1], + Optional['CacheFileCleanInterval'] => Integer[-1], + Optional['MemCacheServers'] => String[1], + Optional['MemCacheConnectionsHMax'] => Integer[-1], + Optional['MemCacheConnectionsMin'] => Integer[-1], + Optional['MemCacheConnectionsSMax'] => Integer[-1], + Optional['MemCacheConnectionsTTL'] => Integer[-1], + Optional['RedisCacheServer'] => String[1], Optional['RedisCachePassword'] => String, Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+(\s[0-9]+)?$/], - Optional['RedisCacheDatabase'] => Integer, - Optional['RedisCacheTimeout'] => Integer, - Optional['RedisCacheUsername'] => String, + Optional['RedisCacheDatabase'] => Integer[-1], + Optional['RedisCacheTimeout'] => Integer[-1], + Optional['RedisCacheUsername'] => String[1], Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], - Optional['HTMLErrorTemplate'] => String, + Optional['HTMLErrorTemplate'] => String[1], Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], Optional['PathScope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], - Optional['IDTokenIatSlack'] => Integer, + Optional['IDTokenIatSlack'] => Integer[-1], Optional['ClaimPrefix'] => String, Optional['ClaimDelimiter'] => Pattern[/^.$/], - Optional['RemoteUserClaim'] => String, + Optional['RemoteUserClaim'] => String[1], Optional['PassIDTokenAs'] => Pattern[/^((claims|payload|serialized)\s?)+$/], Optional['PassUserInfoAs'] => Pattern[/^((claims|json(:([A-Za-z0-9\-\._])+)?|(signed_)?jwt(:([A-Za-z0-9\-\._])+)?)\s?)+$/], Optional['PassClaimsAs'] => Enum['none', 'headers', 
'environment', 'both'], - Optional['AuthNHeader'] => String, - Optional['HTTPTimeoutLong'] => Integer, - Optional['HTTPTimeoutShort'] => Integer, - Optional['StateTimeout'] => Integer, - Optional['ScrubRequestHeaders'] => Enum['On', 'Off'], - Optional['OutgoingProxy'] => String, + Optional['AuthNHeader'] => String[1], + Optional['HTTPTimeoutLong'] => Integer[-1], + Optional['HTTPTimeoutShort'] => Integer[-1], + Optional['StateTimeout'] => Integer[-1], + Optional['ScrubRequestHeaders'] => Apache::OnOff, + Optional['OutgoingProxy'] => String[1], Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)(\s.*)?$/], Optional['UnAutzAction'] => Pattern[/^(401|403|302|auth)(\s.*)?$/], - Optional['PreservePost'] => Enum['On', 'Off'], - Optional['PreservePostTemplates'] => String, - Optional['PassRefreshToken'] => Enum['On', 'Off'], - Optional['RequestObject'] => String, - Optional['ProviderMetadataRefreshInterval'] => Integer, + Optional['PreservePost'] => Apache::OnOff, + Optional['PreservePostTemplates'] => String[1], + Optional['PassRefreshToken'] => Apache::OnOff, + Optional['RequestObject'] => String[1], + Optional['ProviderMetadataRefreshInterval'] => Integer[-1], Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session)\s?)+$/], - Optional['BlackListedClaims'] => String, - Optional['WhiteListedClaims'] => String, + Optional['BlackListedClaims'] => String[1], + Optional['WhiteListedClaims'] => String[1], Optional['RefreshAccessTokenBeforeExpiry'] => Pattern[/^[0-9]+(\s(logout_on_error|authenticate_on_error|502_on_error))?$/], - Optional['XForwardedHeaders'] => String, - Optional['CABundlePath'] => String, - Optional['DefaultLoggedOutURL'] => String, - Optional['DPoPMode'] => String, - Optional['FilterClaimsExpr'] => String, + Optional['XForwardedHeaders'] => String[1], + Optional['CABundlePath'] => String[1], + Optional['DefaultLoggedOutURL'] => String[1], + 
Optional['DPoPMode'] => String[1], + Optional['FilterClaimsExpr'] => String[1], Optional['LogoutRequestParams'] => Pattern[/^[^=]+=[^&]+(&[^=]+=[^&]+)*$/], - Optional['LogoutXFrameOptions'] => String, - Optional['MetricsData'] => String, - Optional['MetricsPublish'] => String, - Optional['PassAccessToken'] => Enum['On', 'Off'], + Optional['LogoutXFrameOptions'] => String[1], + Optional['MetricsData'] => String[1], + Optional['MetricsPublish'] => String[1], + Optional['PassAccessToken'] => Apache::OnOff, Optional['ProviderPushedAuthorizationRequestEndpoint'] => Stdlib::HttpUrl, - Optional['ProviderSignedJwksUri'] => String, - Optional['ProviderVerifyCertFiles'] => String, - Optional['RedirectURLsAllowed'] => String, + Optional['ProviderSignedJwksUri'] => String[1], + Optional['ProviderVerifyCertFiles'] => String[1], + Optional['RedirectURLsAllowed'] => String[1], Optional['StateCookiePrefix'] => String, Optional['StateInputHeaders'] => Enum['user-agent', 'x-forwarded-for', 'both', 'none'], Optional['TraceParent'] => Enum['off', 'generate', 'propagate'], - Optional['UserInfoClaimsExpr'] => String, - Optional['ValidateIssuer'] => Enum['On', 'Off'], + Optional['UserInfoClaimsExpr'] => String[1], + Optional['ValidateIssuer'] => Apache::OnOff, } ] From 0fb9d6fb5363a5a2f6afc1a9a4c19eb6d7f1cf2a Mon Sep 17 00:00:00 2001 From: Peter Jackson Date: Tue, 24 Sep 2024 10:24:53 +0100 Subject: [PATCH 4/5] Update remaining datatypes from review feedback. --- REFERENCE.md | 4 ++-- types/oidcsettings.pp | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 5fc4e7096..93efdbbd4 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
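Review bot: `RedisCachePassword` is the one credential left as an unbounded `String` while `RedisCacheUsername`, `OAuthClientSecret`, `OAuthIntrospectionClientAuthBearerToken` and `OAuthIntrospectionEndpointKeyPassword` all move to `String[1]`; if an empty password is deliberately allowed, say so inline, `Optional['RedisCachePassword'] => String, # empty permitted (Redis without AUTH)`, otherwise make it `String[1]` like the rest. Those secret-bearing keys are also the natural candidates for `Variant[String[1], Sensitive[String[1]]]`, subject to the rendering template unwrapping Sensitive values, which is outside this diff. `ClaimPrefix` and `StateCookiePrefix` likewise stay plain `String`; an empty prefix is plausibly meaningful there, so a short comment stating that would prevent a later tidy-up to `String[1]`.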
@@ -11362,7 +11362,7 @@ Struct[{
 Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'],
 Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/],
 Optional['OAuthIntrospectionTokenParamName'] => String[1],
- Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s?((absolute|relative)+(\s(mandatory|optional))?)?$/],
+ Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+(\s(absolute|relative))?(\s(mandatory|optional))?$/],
 Optional['OAuthTokenIntrospectionInterval'] => Integer[-1],
 Optional['OAuthSSLValidateServer'] => Apache::OnOff,
 Optional['OAuthVerifySharedKeys'] => String[1],
@@ -11412,7 +11412,7 @@ Struct[{
 Optional['RemoteUserClaim'] => String[1],
 Optional['PassIDTokenAs'] => Pattern[/^((claims|payload|serialized)\s?)+$/],
 Optional['PassUserInfoAs'] => Pattern[/^((claims|json(:([A-Za-z0-9\-\._])+)?|(signed_)?jwt(:([A-Za-z0-9\-\._])+)?)\s?)+$/],
- Optional['PassClaimsAs'] => Enum['none', 'headers', 'environment', 'both'],
+ Optional['PassClaimsAs'] => Pattern[/^(none|headers|environment|both)?\s?(latin1|base64url|none)?$/],
 Optional['AuthNHeader'] => String[1],
 Optional['HTTPTimeoutLong'] => Integer[-1],
 Optional['HTTPTimeoutShort'] => Integer[-1],
diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp
index 817383165..4ff28ddf5 100644
--- a/types/oidcsettings.pp
+++ b/types/oidcsettings.pp
@@ -57,7 +57,7 @@ Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], Optional['OAuthIntrospectionTokenParamName'] => String[1], - Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s?((absolute|relative)+(\s(mandatory|optional))?)?$/], + Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+(\s(absolute|relative))?(\s(mandatory|optional))?$/], Optional['OAuthTokenIntrospectionInterval'] => Integer[-1], Optional['OAuthSSLValidateServer'] => Apache::OnOff, Optional['OAuthVerifySharedKeys'] => String[1], @@ -107,7 +107,7 @@ Optional['RemoteUserClaim'] => String[1], Optional['PassIDTokenAs'] => Pattern[/^((claims|payload|serialized)\s?)+$/], Optional['PassUserInfoAs'] => Pattern[/^((claims|json(:([A-Za-z0-9\-\._])+)?|(signed_)?jwt(:([A-Za-z0-9\-\._])+)?)\s?)+$/], - Optional['PassClaimsAs'] => Enum['none', 'headers', 'environment', 'both'], + Optional['PassClaimsAs'] => Pattern[/^(none|headers|environment|both)?\s?(latin1|base64url|none)?$/], Optional['AuthNHeader'] => String[1], Optional['HTTPTimeoutLong'] => Integer[-1], Optional['HTTPTimeoutShort'] => Integer[-1], From 9778de4873f888ad50c88eddf532ae99845ee426 Mon Sep 17 00:00:00 2001 From: Peter Jackson Date: Wed, 2 Oct 2024 15:46:59 +0100 Subject: [PATCH 5/5] Fix yet another typo! --- REFERENCE.md | 2 +- types/oidcsettings.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 93efdbbd4..78eea6bfc 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
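Review bot: The new `PassClaimsAs` pattern `/^(none|headers|environment|both)?\s?(latin1|base64url|none)?$/` makes every part optional, so it accepts the empty string, a lone encoding such as `base64url` with no target, and the two words run together (`headersbase64url`), all of which the previous `Enum` rejected. Requiring the first word and tying the encoding to its separator restores that: `Optional['PassClaimsAs'] => Pattern[/^(none|headers|environment|both)(\s(latin1|base64url|none))?$/],`. As with the other patterns in this type, `\A`/`\z` instead of `^`/`$` would additionally stop a multi-line value from passing Ruby's line-oriented anchors.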
@@ -11374,7 +11374,7 @@ Struct[{
 Optional['Cookie'] => String[1],
 Optional['CookieDomain'] => String[1],
 Optional['CookiePath'] => String[1],
- Optional['SessionCookieChunkSize'] => Intege[-1],
+ Optional['SessionCookieChunkSize'] => Integer[-1],
 Optional['CookieHTTPOnly'] => Apache::OnOff,
 Optional['CookieSameSite'] => Apache::OnOff,
 Optional['PassCookies'] => String[1],
diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp
index 4ff28ddf5..a4e53fa43 100644
--- a/types/oidcsettings.pp
+++ b/types/oidcsettings.pp
@@ -69,7 +69,7 @@
 Optional['Cookie'] => String[1],
 Optional['CookieDomain'] => String[1],
 Optional['CookiePath'] => String[1],
- Optional['SessionCookieChunkSize'] => Intege[-1],
+ Optional['SessionCookieChunkSize'] => Integer[-1],
 Optional['CookieHTTPOnly'] => Apache::OnOff,
 Optional['CookieSameSite'] => Apache::OnOff,
 Optional['PassCookies'] => String[1],