Keycloak set client authentification flows by name (#8428)

* first commit * Add change logs * fix sanity * Sanity 2 * Test unset flows * Update plugins/modules/keycloak_client.py Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * Update plugins/modules/keycloak_client.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update changelogs/fragments/8428-assign-auth-flow-by-name-keycloak-client.yaml Co-authored-by: Felix Fontein <felix@fontein.de> * Remove double traitement from "alias" * Update plugins/modules/keycloak_client.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_client.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Andre Desrosiers <andre.desrosiers@ssss.gouv.qc.ca> Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de>
2024-09-14 20:13:21 +02:00 · 2024-06-17 01:06:47 -04:00 · 2024-06-17 01:06:47 -04:00 · b11da288d2
commit b11da288d2
parent df7fe19bbe
3 changed files with 240 additions and 1 deletions
--- a/changelogs/fragments/8428-assign-auth-flow-by-name-keycloak-client.yaml
+++ b/changelogs/fragments/8428-assign-auth-flow-by-name-keycloak-client.yaml
@ -0,0 +1,2 @@
 minor_changes:
  - keycloak_client - assign auth flow by name (https://github.com/ansible-collections/community.general/pull/8428).
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@ -340,6 +340,42 @@ options:
        description:
            - Override realm authentication flow bindings.
        type: dict
        suboptions:
            browser:
                description:
                    - Flow ID of the browser authentication flow.
                    - O(authentication_flow_binding_overrides.browser)
                      and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
                type: str
            browser_name:
                description:
                    - Flow name of the browser authentication flow.
                    - O(authentication_flow_binding_overrides.browser)
                      and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
                aliases:
                    - browserName
                type: str
                version_added: 9.1.0
            direct_grant:
                description:
                    - Flow ID of the direct grant authentication flow.
                    - O(authentication_flow_binding_overrides.direct_grant)
                      and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
                aliases:
                    - directGrant
                type: str
            direct_grant_name:
                description:
                    - Flow name of the direct grant authentication flow.
                    - O(authentication_flow_binding_overrides.direct_grant)
                      and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
                aliases:
                    - directGrantName
                type: str
                version_added: 9.1.0
        aliases:
            - authenticationFlowBindingOverrides
        version_added: 3.4.0
@ -781,6 +817,64 @@ def sanitize_cr(clientrep):
    return normalise_cr(result)
 def get_authentication_flow_id(flow_name, realm, kc):
    """ Get the authentication flow ID based on the flow name, realm, and Keycloak client.
    Args:
        flow_name (str): The name of the authentication flow.
        realm (str): The name of the realm.
        kc (KeycloakClient): The Keycloak client instance.
    Returns:
        str: The ID of the authentication flow.
    Raises:
        KeycloakAPIException: If the authentication flow with the given name is not found in the realm.
    """
    flow = kc.get_authentication_flow_by_alias(flow_name, realm)
    if flow:
        return flow["id"]
    kc.module.fail_json(msg='Authentification flow %s not found in realm %s' % (flow_name, realm))
 def flow_binding_from_dict_to_model(newClientFlowBinding, realm, kc):
    """ Convert a dictionary representing client flow bindings to a model representation.
    Args:
        newClientFlowBinding (dict): A dictionary containing client flow bindings.
        realm (str): The name of the realm.
        kc (KeycloakClient): An instance of the KeycloakClient class.
    Returns:
        dict: A dictionary representing the model flow bindings. The dictionary has two keys:
            - "browser" (str or None): The ID of the browser authentication flow binding, or None if not provided.
            - "direct_grant" (str or None): The ID of the direct grant authentication flow binding, or None if not provided.
    Raises:
        KeycloakAPIException: If the authentication flow with the given name is not found in the realm.
    """
    modelFlow = {
        "browser": None,
        "direct_grant": None
    }
    for k, v in newClientFlowBinding.items():
        if not v:
            continue
        if k == "browser":
            modelFlow["browser"] = v
        elif k == "browser_name":
            modelFlow["browser"] = get_authentication_flow_id(v, realm, kc)
        elif k == "direct_grant":
            modelFlow["direct_grant"] = v
        elif k == "direct_grant_name":
            modelFlow["direct_grant"] = get_authentication_flow_id(v, realm, kc)
    return modelFlow
 def main():
    """
    Module execution
@ -799,6 +893,13 @@ def main():
        config=dict(type='dict'),
    )
    authentication_flow_spec = dict(
        browser=dict(type='str'),
        browser_name=dict(type='str', aliases=['browserName']),
        direct_grant=dict(type='str', aliases=['directGrant']),
        direct_grant_name=dict(type='str', aliases=['directGrantName']),
    )
    meta_args = dict(
        state=dict(default='present', choices=['present', 'absent']),
        realm=dict(type='str', default='master'),
@ -838,7 +939,13 @@ def main():
        use_template_scope=dict(type='bool', aliases=['useTemplateScope']),
        use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']),
        always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']),
-        authentication_flow_binding_overrides=dict(type='dict', aliases=['authenticationFlowBindingOverrides']),
+        authentication_flow_binding_overrides=dict(
            type='dict',
            aliases=['authenticationFlowBindingOverrides'],
            options=authentication_flow_spec,
            required_one_of=[['browser', 'direct_grant', 'browser_name', 'direct_grant_name']],
            mutually_exclusive=[['browser', 'browser_name'], ['direct_grant', 'direct_grant_name']],
        ),
        protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']),
        authorization_settings=dict(type='dict', aliases=['authorizationSettings']),
        default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']),
@ -900,6 +1007,8 @@ def main():
        # they are not specified
        if client_param == 'protocol_mappers':
            new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value]
        elif client_param == 'authentication_flow_binding_overrides':
            new_param_value = flow_binding_from_dict_to_model(new_param_value, realm, kc)
        changeset[camel(client_param)] = new_param_value
--- a/tests/integration/targets/keycloak_client/tasks/main.yml
+++ b/tests/integration/targets/keycloak_client/tasks/main.yml
@ -103,3 +103,131 @@
  assert:
    that:
      - check_client_when_present_and_changed is changed
 - name: Desire client with flow binding overrides
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    state: present
    redirect_uris: '{{redirect_uris1}}'
    attributes: '{{client_attributes1}}'
    protocol_mappers: '{{protocol_mappers1}}'
    authentication_flow_binding_overrides:
      browser_name: browser
      direct_grant_name: direct grant
  register: desire_client_with_flow_binding_overrides
 - name: Assert flows are set
  assert:
    that:
      - desire_client_with_flow_binding_overrides is changed
      - "'authenticationFlowBindingOverrides' in desire_client_with_flow_binding_overrides.end_state"
      - desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.browser | length > 0
      - desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.direct_grant | length > 0
 - name: Backup flow UUIDs
  set_fact:
    flow_browser_uuid: "{{ desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.browser }}"
    flow_direct_grant_uuid: "{{ desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.direct_grant }}"
 - name: Desire client with flow binding overrides remove direct_grant_name
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    state: present
    redirect_uris: '{{redirect_uris1}}'
    attributes: '{{client_attributes1}}'
    protocol_mappers: '{{protocol_mappers1}}'
    authentication_flow_binding_overrides:
      browser_name: browser
  register: desire_client_with_flow_binding_overrides
 - name: Assert flows are updated
  assert:
    that:
      - desire_client_with_flow_binding_overrides is changed
      - "'authenticationFlowBindingOverrides' in desire_client_with_flow_binding_overrides.end_state"
      - desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.browser | length > 0
      - "'direct_grant' not in desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides"
 - name: Desire client with flow binding overrides remove browser add direct_grant
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    state: present
    redirect_uris: '{{redirect_uris1}}'
    attributes: '{{client_attributes1}}'
    protocol_mappers: '{{protocol_mappers1}}'
    authentication_flow_binding_overrides:
      direct_grant_name: direct grant
  register: desire_client_with_flow_binding_overrides
 - name: Assert flows are updated
  assert:
    that:
      - desire_client_with_flow_binding_overrides is changed
      - "'authenticationFlowBindingOverrides' in desire_client_with_flow_binding_overrides.end_state"
      - "'browser' not in desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides"
      - desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.direct_grant | length > 0
 - name: Desire client with flow binding overrides with UUIDs
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    state: present
    redirect_uris: '{{redirect_uris1}}'
    attributes: '{{client_attributes1}}'
    protocol_mappers: '{{protocol_mappers1}}'
    authentication_flow_binding_overrides:
      browser: "{{ flow_browser_uuid }}"
      direct_grant: "{{ flow_direct_grant_uuid }}"
  register: desire_client_with_flow_binding_overrides
 - name: Assert flows are updated
  assert:
    that:
      - desire_client_with_flow_binding_overrides is changed
      - "'authenticationFlowBindingOverrides' in desire_client_with_flow_binding_overrides.end_state"
      - desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.browser == flow_browser_uuid
      - desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides.direct_grant == flow_direct_grant_uuid
 - name: Unset flow binding overrides
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    state: present
    redirect_uris: '{{redirect_uris1}}'
    attributes: '{{client_attributes1}}'
    protocol_mappers: '{{protocol_mappers1}}'
    authentication_flow_binding_overrides:
      browser: "{{ None }}"
      direct_grant: null
  register: desire_client_with_flow_binding_overrides
 - name: Assert flows are removed
  assert:
    that:
      - desire_client_with_flow_binding_overrides is changed
      - "'authenticationFlowBindingOverrides' in desire_client_with_flow_binding_overrides.end_state"
      - "'browser' not in desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides"
      - "'direct_grant' not in desire_client_with_flow_binding_overrides.end_state.authenticationFlowBindingOverrides"
		`@ -0,0 +1,2 @@`
							`minor_changes:`
							`- keycloak_client - assign auth flow by name (https://github.com/ansible-collections/community.general/pull/8428).`