mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
87a079e93c
Add keycloak_realm_rolemapping module to map realm roles to groups (#7663)
* Add keycloak_realm_rolemapping module to map realm roles to groups
* Whitespace
* Description in plain English
* Casing
* Update error reporting as per #7645
* Add agross as maintainer of keycloak_realm_rolemapping module
* cid and client_id are not used here
* Credit other authors
* mhuysamen submitted #7645
* Gaetan2907 authored keycloak_client_rolemapping.py which I took as a
basis
* Add integration tests
* With Keycloak 23 realmRoles are only returned if assigned
* Remove debug statement
* Add test verifying that unmap works when no realm roles are assigned
* Add license to readme
* Change version number this module was added
* Document which versions of the docker images have been tested
* Downgrade version_added
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit f7bc6964be)
Co-authored-by: Alexander Groß <agross@therightstuff.de>
160 lines
4.2 KiB
YAML
160 lines
4.2 KiB
YAML
# Copyright (c) 2023, Alexander Groß (@agross)
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
- name: Create realm
|
|
community.general.keycloak_realm:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
id: "{{ realm }}"
|
|
realm: "{{ realm }}"
|
|
state: present
|
|
|
|
- name: Create realm roles
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
name: "{{ item }}"
|
|
state: present
|
|
loop:
|
|
- "{{ role_1 }}"
|
|
- "{{ role_2 }}"
|
|
|
|
- name: Create group
|
|
community.general.keycloak_group:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
name: "{{ group }}"
|
|
state: present
|
|
|
|
- name: Map realm roles to group
|
|
community.general.keycloak_realm_rolemapping:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
group_name: "{{ group }}"
|
|
roles:
|
|
- name: "{{ role_1 }}"
|
|
- name: "{{ role_2 }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Assert realm roles are assigned to group
|
|
ansible.builtin.assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | count == 2
|
|
|
|
- name: Map realm roles to group again (idempotency)
|
|
community.general.keycloak_realm_rolemapping:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
group_name: "{{ group }}"
|
|
roles:
|
|
- name: "{{ role_1 }}"
|
|
- name: "{{ role_2 }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Assert realm roles stay assigned to group
|
|
ansible.builtin.assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
- name: Unmap realm role 1 from group
|
|
community.general.keycloak_realm_rolemapping:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
group_name: "{{ group }}"
|
|
roles:
|
|
- name: "{{ role_1 }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Assert realm role 1 is unassigned from group
|
|
ansible.builtin.assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | count == 1
|
|
- result.end_state[0] == role_2
|
|
|
|
- name: Unmap realm role 1 from group again (idempotency)
|
|
community.general.keycloak_realm_rolemapping:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
group_name: "{{ group }}"
|
|
roles:
|
|
- name: "{{ role_1 }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Assert realm role 1 stays unassigned from group
|
|
ansible.builtin.assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
- name: Unmap realm role 2 from group
|
|
community.general.keycloak_realm_rolemapping:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
group_name: "{{ group }}"
|
|
roles:
|
|
- name: "{{ role_2 }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Assert no realm roles are assigned to group
|
|
ansible.builtin.assert:
|
|
that:
|
|
- result is changed
|
|
- result.end_state | count == 0
|
|
|
|
- name: Unmap realm role 2 from group again (idempotency)
|
|
community.general.keycloak_realm_rolemapping:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
|
|
realm: "{{ realm }}"
|
|
group_name: "{{ group }}"
|
|
roles:
|
|
- name: "{{ role_2 }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Assert no realm roles are assigned to group
|
|
ansible.builtin.assert:
|
|
that:
|
|
- result is not changed
|
|
- result.end_state | count == 0
|