mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
aa384be6fe
Keycloak client role scope (#8252)
* first commit
* minor update
* fixe Copyright
* fixe sanity
* Update plugins/modules/keycloak_client_rolescope.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* fixe sanity 2
* Update plugins/modules/keycloak_client_rolescope.py
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Andre Desrosiers <andre.desrosiers@ssss.gouv.qc.ca>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit a5697da29c
)
Co-authored-by: desand01 <desrosiers.a@hotmail.com>
317 lines
No EOL
8.7 KiB
YAML
317 lines
No EOL
8.7 KiB
YAML
---
|
|
# Copyright (c) Ansible Project
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
- name: Wait for Keycloak
|
|
uri:
|
|
url: "{{ url }}/admin/"
|
|
status_code: 200
|
|
validate_certs: no
|
|
register: result
|
|
until: result.status == 200
|
|
retries: 10
|
|
delay: 10
|
|
|
|
- name: Delete realm if exists
|
|
community.general.keycloak_realm:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
state: absent
|
|
|
|
- name: Create realm
|
|
community.general.keycloak_realm:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
id: "{{ realm }}"
|
|
realm: "{{ realm }}"
|
|
state: present
|
|
|
|
- name: Create a Keycloak realm role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
name: "{{ item }}"
|
|
realm: "{{ realm }}"
|
|
with_items:
|
|
- "{{ realm_role_admin }}"
|
|
- "{{ realm_role_user }}"
|
|
|
|
- name: Client private
|
|
community.general.keycloak_client:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_private }}"
|
|
state: present
|
|
redirect_uris:
|
|
- "https://my-backend-api.c.org/"
|
|
fullScopeAllowed: True
|
|
attributes: '{{client_attributes1}}'
|
|
public_client: False
|
|
|
|
- name: Create a Keycloak client role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
name: "{{ item }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_private }}"
|
|
with_items:
|
|
- "{{ client_role_admin }}"
|
|
- "{{ client_role_user }}"
|
|
|
|
- name: Client public
|
|
community.general.keycloak_client:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
redirect_uris:
|
|
- "https://my-onepage-app-frontend.c.org/"
|
|
attributes: '{{client_attributes1}}'
|
|
full_scope_allowed: False
|
|
public_client: True
|
|
|
|
|
|
- name: Map roles to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
client_scope_id: "{{ client_name_private }}"
|
|
role_names:
|
|
- "{{ client_role_admin }}"
|
|
- "{{ client_role_user }}"
|
|
register: result
|
|
|
|
- name: Assert mapping created
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | length == 2
|
|
|
|
- name: remap role user to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
client_scope_id: "{{ client_name_private }}"
|
|
role_names:
|
|
- "{{ client_role_user }}"
|
|
register: result
|
|
|
|
- name: Assert mapping created
|
|
assert:
|
|
that:
|
|
- result is not changed
|
|
- result.end_state | length == 2
|
|
|
|
- name: Remove Map role admin to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
client_scope_id: "{{ client_name_private }}"
|
|
role_names:
|
|
- "{{ client_role_admin }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Assert mapping deleted
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | length == 1
|
|
- result.end_state[0].name == client_role_user
|
|
|
|
- name: Map missing roles to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
client_scope_id: "{{ client_name_private }}"
|
|
role_names:
|
|
- "{{ client_role_admin }}"
|
|
- "{{ client_role_not_exists }}"
|
|
ignore_errors: true
|
|
register: result
|
|
|
|
- name: Assert failed mapping missing role
|
|
assert:
|
|
that:
|
|
- result is failed
|
|
|
|
- name: Map roles duplicate
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
client_scope_id: "{{ client_name_private }}"
|
|
role_names:
|
|
- "{{ client_role_admin }}"
|
|
- "{{ client_role_admin }}"
|
|
register: result
|
|
|
|
- name: Assert result
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | length == 2
|
|
|
|
- name: Map roles to private client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_private }}"
|
|
role_names:
|
|
- "{{ realm_role_admin }}"
|
|
ignore_errors: true
|
|
register: result
|
|
|
|
- name: Assert failed mapping role to full scope client
|
|
assert:
|
|
that:
|
|
- result is failed
|
|
|
|
- name: Map realm role to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
role_names:
|
|
- "{{ realm_role_admin }}"
|
|
register: result
|
|
|
|
- name: Assert result
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | length == 1
|
|
|
|
- name: Map two realm roles to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
role_names:
|
|
- "{{ realm_role_admin }}"
|
|
- "{{ realm_role_user }}"
|
|
register: result
|
|
|
|
- name: Assert result
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | length == 2
|
|
|
|
- name: Unmap all realm roles to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
role_names:
|
|
- "{{ realm_role_admin }}"
|
|
- "{{ realm_role_user }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Assert result
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | length == 0
|
|
|
|
- name: Map missing realm role to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
role_names:
|
|
- "{{ realm_role_not_exists }}"
|
|
ignore_errors: true
|
|
register: result
|
|
|
|
- name: Assert failed mapping missing realm role
|
|
assert:
|
|
that:
|
|
- result is failed
|
|
|
|
- name: Check-mode try to Map realm roles to public client
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
role_names:
|
|
- "{{ realm_role_admin }}"
|
|
- "{{ realm_role_user }}"
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: Assert result
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | length == 2
|
|
|
|
- name: Check-mode step two, check if change where applied
|
|
community.general.keycloak_client_rolescope:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_name_public }}"
|
|
role_names: []
|
|
register: result
|
|
|
|
- name: Assert result
|
|
assert:
|
|
that:
|
|
- result is not changed
|
|
- result.end_state | length == 0 |