From 61ff55361009698e6113c2bf75a9e8ae3ae50112 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Fri, 21 Feb 2025 11:52:32 -0500
Subject: [PATCH] Ensure tempfile ownership is correct
---
 lib/puppet/provider/keycloak_api.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/lib/puppet/provider/keycloak_api.rb b/lib/puppet/provider/keycloak_api.rb
index 7b626f14..5fb53888 100644
--- a/lib/puppet/provider/keycloak_api.rb
+++ b/lib/puppet/provider/keycloak_api.rb
@@ -58,6 +58,8 @@ def convert_property_value(value)
 def self.kcadm(action, resource, realm = nil, file = nil, fields = nil, print_id = false, params = nil)
 kcadm_wrapper = '/opt/keycloak/bin/kcadm-wrapper.sh'
+ keycloak_user ||= 'keycloak'
+ keycloak_group ||= 'keycloak'
 arguments = [action]
@@ -73,6 +75,14 @@ def self.kcadm(action, resource, realm = nil, file = nil, fields = nil, print_id
 arguments << escape(realm)
 end
 if file
+ Puppet.debug("Get Keycloak user UID for #{keycloak_user}")
+ uid = Etc.getpwnam(keycloak_user).uid
+ Puppet.debug("Get Keycloak group GID for #{keycloak_group}")
+ gid = Etc.getgrnam(keycloak_group).gid
+ # Force the 0600 mode tempfile to be readable only by 'keycloak' user
+ # so that the kcadm commands can be run as 'keycloak'
+ Puppet.debug("Change ownership of #{file} to #{keycloak_user}(#{uid}):#{keycloak_group}(#{gid})")
+ File.chown(uid, gid, file)
 arguments << '-f'
 arguments << file
 end
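Review bot: `File.chown(uid, gid, file)` in the second hunk changes ownership by path, which follows symlinks and happens some time after whatever created the 0600 tempfile; that creation is outside this hunk, so if the caller still holds the Tempfile or File object, calling `chown` on that open handle (fchown) pins the change to the file that was actually created rather than to whatever the path resolves to at that moment. `Etc.getpwnam`/`Etc.getgrnam` raise a bare `ArgumentError` when the account does not exist and `File.chown` raises `Errno::EPERM` when the agent is not running as root, so wrapping those three calls in a `rescue ArgumentError, SystemCallError => e` that re-raises `Puppet::Error, "Unable to chown #{file} to #{keycloak_user}:#{keycloak_group}: #{e.message}"` makes the failure diagnosable from the agent report instead of a context-free backtrace. As a point of style, `keycloak_user ||= 'keycloak'` in the first hunk acts on a freshly introduced local, so it is only an assignment; `keycloak_user = 'keycloak'` (and the same for the group) says that directly, or the two names could become keyword parameters if the account is meant to be configurable. The body of `kcadm` continues outside both hunks.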