From 6a0cdca07b0b68bec9697c92b326d4bd91d1ec96 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Fri, 13 Dec 2024 10:41:22 -0700
Subject: [PATCH] fix: move auth toggles to new realm key
---
 .../chart/templates/secret-kc-realm.yaml | 16 ++++++++--------
 src/keycloak/chart/values.schema.json | 17 +++++++++++++++++
 src/keycloak/chart/values.yaml | 11 +++++++----
 3 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index e02117658..a8e5a20b3 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -18,11 +18,11 @@ data:
 {{- end }}
 {{- end }}
- SOCIAL_LOGIN_ENABLED: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | toString | b64enc }}
- X509_LOGIN_ENABLED: {{ .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }}
- USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
- REGISTER_BUTTON_ENABLED: {{ or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }}
- DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
- RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
- REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED) | b64enc }}
- OTP_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+ SOCIAL_LOGIN_ENABLED: {{ .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED | toString | b64enc }}
+ X509_LOGIN_ENABLED: {{ .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+ USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+ REGISTER_BUTTON_ENABLED: {{ or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+ DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+ RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+ REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
+ OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}
diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json
index f05bdc3a8..9348c158d 100644
--- a/src/keycloak/chart/values.schema.json
+++ b/src/keycloak/chart/values.schema.json
@@ -292,6 +292,23 @@
 }
 }
 },
+ "realmAuthFlows": {
+ "type": "object",
+ "properties": {
+ "USERNAME_PASSWORD_AUTH_ENABLED": {
+ "type": "boolean"
+ },
+ "X509_AUTH_ENABLED": {
+ "type": "boolean"
+ },
+ "SOCIAL_AUTH_ENABLED": {
+ "type": "boolean"
+ },
+ "OTP_ENABLED": {
+ "type": "boolean"
+ }
+ }
+ },
 "resources": {
 "type": "object",
 "properties": {
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 76b753b06..ab2e4e872 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -27,9 +27,6 @@ realm: uds
 # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
 realmInitEnv:
 GOOGLE_IDP_ENABLED: false
- USERNAME_PASSWORD_AUTH_ENABLED: true
- X509_AUTH_ENABLED: true
- SOCIAL_AUTH_ENABLED: true
 # GOOGLE_IDP_ID: ""
 # GOOGLE_IDP_SIGNING_CERT: ""
 # GOOGLE_IDP_NAME_ID_FORMAT: ""
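Review bot: Existing overrides of the old `realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED`, `realmInitEnv.X509_AUTH_ENABLED` and `realmInitEnv.SOCIAL_AUTH_ENABLED` keys are silently ignored once every line in this hunk reads `.Values.realmAuthFlows.*`, and nothing in the template (or, as far as the schema hunk shows, in values.schema.json) rejects the stale keys. Combined with the new default `USERNAME_PASSWORD_AUTH_ENABLED: false` in values.yaml, an upgrade that still sets only the old key would turn password login off (`DENY_USERNAME_PASSWORD_ENABLED` renders as `REQUIRED`) without any error. A render-time guard at the top of the `data:` block would make that a visible failure instead, e.g. `{{- if hasKey .Values.realmInitEnv "USERNAME_PASSWORD_AUTH_ENABLED" }}{{ fail "realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED has moved to realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED" }}{{- end }}`, repeated for the other two moved keys. The `data:` block this hunk edits begins before the hunk.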
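Review bot: The new `realmAuthFlows` object accepts any extra key, so a misspelled or mis-cased toggle (for example `otp_enabled`) validates and the template then reads an unset value for an authentication-flow switch. Since these four keys are exactly the set secret-kc-realm.yaml consumes, adding `"additionalProperties": false` next to the `properties` block would make such mistakes fail at lint/install time rather than quietly changing which login flows are enabled. Whether `realmInitEnv` in this schema still lists the three keys that moved out of it is not visible in the hunk; if it does, removing them there would give the same protection for the old names.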
@@ -38,11 +35,17 @@ realmInitEnv:
 # GOOGLE_IDP_AUDITOR_GROUP: ""
 # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
 # EMAIL_VERIFICATION_ENABLED: true
- # OTP_ENABLED: true
 # TERMS_AND_CONDITIONS_ENABLED: true
 # X509_OCSP_FAIL_OPEN: true
 # DISABLE_REGISTRATION_FIELDS: false
+# UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
+realmAuthFlows:
+ USERNAME_PASSWORD_AUTH_ENABLED: false
+ X509_AUTH_ENABLED: true
+ SOCIAL_AUTH_ENABLED: true
+ OTP_ENABLED: false
+
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
 insecureAdminPasswordGeneration:
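Review bot: `USERNAME_PASSWORD_AUTH_ENABLED` defaults to `false` here while the key it replaces under `realmInitEnv` (removed in the earlier hunk of this file) defaulted to `true`, so for anyone relying on chart defaults this is a change in which login flows are enabled, not just a key move, and neither the commit subject nor the new comment says so. The comment block above `realmAuthFlows:` should state that the default changed, and because secret-kc-realm.yaml only honors `OTP_ENABLED` when `USERNAME_PASSWORD_AUTH_ENABLED` is also true, a line such as `  # OTP_ENABLED only takes effect when USERNAME_PASSWORD_AUTH_ENABLED is true` directly above that key would spare operators a trip to the template. The new comment also reuses the `#templated-realm-values` anchor from the `realmInitEnv` comment; it may be worth confirming that section covers `realmAuthFlows` as well.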