From 93ba6a14c32638569c47a076a160027025765a5a Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Sun, 24 May 2020 03:21:44 +0200
Subject: [PATCH] keycloak: Re-order stuff to make sure that Staff and External
 Contributor rules are checked first

If they are not checked first, we will run into a situation where we ask the user twice to provide an OTP.
---
 tf-stage2/keycloak.tf | 50 +++++++++++++++++++++----------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 33f636f2b..ccf9cba13 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -270,34 +270,12 @@ resource "keycloak_authentication_execution" "username_password_form" {
   requirement = "REQUIRED"
 }
 
-resource "keycloak_authentication_subflow" "userconfigured_conditional_otp" {
-  realm_id = "archlinux"
-  alias = "User-configured Conditional OTP"
-  parent_flow_alias = keycloak_authentication_subflow.subforms.alias
-  requirement = "CONDITIONAL"
-  depends_on = [keycloak_authentication_execution.username_password_form]
-}
-
-resource "keycloak_authentication_execution" "userconfigured_conditional_otp_condition" {
-  realm_id = "archlinux"
-  parent_flow_alias = keycloak_authentication_subflow.userconfigured_conditional_otp.alias
-  authenticator = "conditional-user-configured"
-  requirement = "REQUIRED"
-}
-
-resource "keycloak_authentication_execution" "userconfigured_conditional_otp_form" {
-  realm_id = "archlinux"
-  parent_flow_alias = keycloak_authentication_subflow.userconfigured_conditional_otp.alias
-  authenticator = "auth-otp-form"
-  requirement = "REQUIRED"
-}
-
 resource "keycloak_authentication_execution" "forced_otp_for_staff" {
   realm_id = "archlinux"
   parent_flow_alias = keycloak_authentication_subflow.subforms.alias
   authenticator = "auth-conditional-otp-form"
-  requirement = "REQUIRED"
-  depends_on = [keycloak_authentication_subflow.userconfigured_conditional_otp]
+  requirement = "ALTERNATIVE"
+  depends_on = [keycloak_authentication_execution.username_password_form]
 }
 
 resource "keycloak_authentication_execution_config" "forced_otp_for_staff_config" {
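Review bot: Changing `forced_otp_for_staff` (and `forced_otp_for_externalcontributors` in the second hunk) from REQUIRED to ALTERNATIVE may disable the forced OTP check rather than just reorder it: both executions sit in the `subforms` subflow next to `username_password_form`, which is REQUIRED, and Keycloak's documented flow evaluation does not execute ALTERNATIVE elements in a flow that also contains a REQUIRED element, because the REQUIRED one alone decides the flow's outcome. If the deployed Keycloak version follows those semantics, staff and external-contributor logins would succeed with only a password, and nothing in this file would make that visible. Keeping `requirement = "REQUIRED"` on both executions preserves enforcement; the double OTP prompt described in the commit message would then have to be solved through the ordering and the conditional-OTP configuration, not by demoting the check. Before merging, verify the resulting flow with a staff account that has an OTP credential and one that does not, and confirm in the realm's authentication-flow view that the executions appear in the intended order.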
@@ -314,7 +292,7 @@ resource "keycloak_authentication_execution" "forced_otp_for_externalcontributor
   realm_id = "archlinux"
   parent_flow_alias = keycloak_authentication_subflow.subforms.alias
   authenticator = "auth-conditional-otp-form"
-  requirement = "REQUIRED"
+  requirement = "ALTERNATIVE"
   depends_on = [keycloak_authentication_execution.forced_otp_for_staff]
 }
 
@@ -328,6 +306,28 @@ resource "keycloak_authentication_execution_config" "forced_otp_for_externalcont
   }
 }
 
+resource "keycloak_authentication_subflow" "userconfigured_conditional_otp" {
+  realm_id = "archlinux"
+  alias = "User-configured Conditional OTP"
+  parent_flow_alias = keycloak_authentication_subflow.subforms.alias
+  requirement = "CONDITIONAL"
+  depends_on = [keycloak_authentication_execution.forced_otp_for_externalcontributors]
+}
+
+resource "keycloak_authentication_execution" "userconfigured_conditional_otp_condition" {
+  realm_id = "archlinux"
+  parent_flow_alias = keycloak_authentication_subflow.userconfigured_conditional_otp.alias
+  authenticator = "conditional-user-configured"
+  requirement = "REQUIRED"
+}
+
+resource "keycloak_authentication_execution" "userconfigured_conditional_otp_form" {
+  realm_id = "archlinux"
+  parent_flow_alias = keycloak_authentication_subflow.userconfigured_conditional_otp.alias
+  authenticator = "auth-otp-form"
+  requirement = "REQUIRED"
+}
+
 output "gitlab_saml_configuration" {
   value = {
     issuer = keycloak_saml_client.saml_gitlab.client_id
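Review bot: Nothing in the moved `userconfigured_conditional_otp` subflow records why it must come after the staff and external-contributor executions, so the next edit to its `depends_on` can silently reintroduce the double OTP prompt this commit removes. The `depends_on` chain appears to be the only thing fixing the evaluation order of these executions inside the `subforms` flow, which is easy to overlook because `depends_on` normally expresses a creation dependency rather than priority. A comment above the subflow such as `# Must be evaluated after forced_otp_for_staff / forced_otp_for_externalcontributors; the depends_on chain fixes the execution order so a user with a configured OTP device is not prompted twice.` would make the constraint explicit. The same applies to the `depends_on` on `forced_otp_for_staff` in the first hunk.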
-- 
GitLab