mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
996dc617ed
* Consistent Modules - Rename updated_?? to desired_?? in all the keycloak modules.
* Consistent Modules - Rename the comments, and add whitespace so that all the modules are a lot more consistent between each other.
* Consistent Modules - Remove final elif where a final else doesn't exist.
This is to address the inconsistency between the other modules.
Whilst I can see it being more descriptive, there should be a final "else:" to cater if the values is neither 'absent' or 'present'.
* Consistent Modules - Use dict() instead of {} like most of the other keycloak modules.
* Consistent Modules - Update keycloak authentication so that the if ordering is consistent for no-item.
* Consistent Modules - Move the 'Filter and map' process to always occur before getting an existing item.
* Consistent Modules - Be consistent with how to initialse before_?? and set it to dict() if it is None.
* Consistent Modules - Add module.exit_?? in the locations as per the other modules.
* Consistent Modules - Represent result['diff'] using dict(before=.., after=...) as per all the other modules.
* Consistent Modules - Add / Move location of when result['end_state'] is getting defined.
* Consistent modules - Add result['changed'] = False where we do nothing and exit because item exists.
* Consistent Modules - Set the value result['changed'] to True earlier so it shows up when in checking mode only.
* Consistent Modules - test for equality with a dict to assert there was no realm in the first place as per the other modules.
* Consistent Modules - Address the spelling.
* Consistent Modules - keycloak_group - Remove result['group'] as result['end_state'] is the consistent value used in the other modules.
* Consistent Modules - Order the lines in the section, Do nothing and exit consistently.
* Consistent Modules - Add result['end_state'] and still add deprecated `flow` return value.
* Consistent Modules - Add missing return documentation for `msg`.
* Consistent Modules - Tweak whitespace in the RETURN variable.
* Consistent Modules - Add result['group'] in addition to deprecated result['group'] response.
* Consistent Modules - Add return property, 'contains' to address test errors.
* Consistent Modules - Rename updated_?? to desired_?? in new modules since initial PR.
* Consistent Modules - Rename the comments, and add whitespace so that all the (recently added) modules are a lot more consistent between each other.
* Consistent Modules - Make indentation consistent within the response document.
* Consistent Modules - Use B(DEPRECATED) in a seperate line in the description.
* Consistent Modules - Add a lot of full stops to sentences.
* Consistent Modules - Use C(...) and I(...) formatting methods.
* Consistent Modules - Use "on success" everywhere for end_state response documentation.
* Consistent Modules - Update the documents for RETURN.proposed, RETURN.existing, RETURN.end_state to be the same.
* Consistent Modules - Add fragment.
* Remove period after short_description.
* Update changelog fragment.
* Consistent Modules - PRFeedback - Remove `module.exit_json(**result)` within the `Delete` section of the if statement.
There's a exit_json(..) immediately after.
* Consistent Modules - PRFeedback - Use `if not x_repr` instead of `if x_repr == dict()`.
* keycloak_authentication - Add a sample of the output.
* Replace `dict()` with `{}` for all the keycloak modules.
* Add the requested deprecated notices
* Update changelogs/fragments/3280-keycloak-module-cleanup-and-consistency.yml
Co-authored-by: Pierre Dumuid <pierre@knowyourdata.com.au>
Co-authored-by: Felix Fontein <felix@fontein.de>
502 lines
20 KiB
Python
502 lines
20 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
# Copyright: (c) 2019, INSPQ <philippe.gauthier@inspq.qc.ca>
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
__metaclass__ = type
|
|
|
|
DOCUMENTATION = '''
|
|
---
|
|
module: keycloak_authentication
|
|
|
|
short_description: Configure authentication in Keycloak
|
|
|
|
description:
|
|
- This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it.
|
|
- It can also delete the flow.
|
|
|
|
version_added: "3.3.0"
|
|
|
|
options:
|
|
realm:
|
|
description:
|
|
- The name of the realm in which is the authentication.
|
|
required: true
|
|
type: str
|
|
alias:
|
|
description:
|
|
- Alias for the authentication flow.
|
|
required: true
|
|
type: str
|
|
description:
|
|
description:
|
|
- Description of the flow.
|
|
type: str
|
|
providerId:
|
|
description:
|
|
- C(providerId) for the new flow when not copied from an existing flow.
|
|
type: str
|
|
copyFrom:
|
|
description:
|
|
- C(flowAlias) of the authentication flow to use for the copy.
|
|
type: str
|
|
authenticationExecutions:
|
|
description:
|
|
- Configuration structure for the executions.
|
|
type: list
|
|
elements: dict
|
|
suboptions:
|
|
providerId:
|
|
description:
|
|
- C(providerID) for the new flow when not copied from an existing flow.
|
|
type: str
|
|
displayName:
|
|
description:
|
|
- Name of the execution or subflow to create or update.
|
|
type: str
|
|
requirement:
|
|
description:
|
|
- Control status of the subflow or execution.
|
|
choices: [ "REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL" ]
|
|
type: str
|
|
flowAlias:
|
|
description:
|
|
- Alias of parent flow.
|
|
type: str
|
|
authenticationConfig:
|
|
description:
|
|
- Describe the config of the authentication.
|
|
type: dict
|
|
index:
|
|
description:
|
|
- Priority order of the execution.
|
|
type: int
|
|
state:
|
|
description:
|
|
- Control if the authentication flow must exists or not.
|
|
choices: [ "present", "absent" ]
|
|
default: present
|
|
type: str
|
|
force:
|
|
type: bool
|
|
default: false
|
|
description:
|
|
- If C(true), allows to remove the authentication flow and recreate it.
|
|
|
|
extends_documentation_fragment:
|
|
- community.general.keycloak
|
|
|
|
author:
|
|
- Philippe Gauthier (@elfelip)
|
|
- Gaëtan Daubresse (@Gaetan2907)
|
|
'''
|
|
|
|
EXAMPLES = '''
|
|
- name: Create an authentication flow from first broker login and add an execution to it.
|
|
community.general.keycloak_authentication:
|
|
auth_keycloak_url: http://localhost:8080/auth
|
|
auth_realm: master
|
|
auth_username: admin
|
|
auth_password: password
|
|
realm: master
|
|
alias: "Copy of first broker login"
|
|
copyFrom: "first broker login"
|
|
authenticationExecutions:
|
|
- providerId: "test-execution1"
|
|
requirement: "REQUIRED"
|
|
authenticationConfig:
|
|
alias: "test.execution1.property"
|
|
config:
|
|
test1.property: "value"
|
|
- providerId: "test-execution2"
|
|
requirement: "REQUIRED"
|
|
authenticationConfig:
|
|
alias: "test.execution2.property"
|
|
config:
|
|
test2.property: "value"
|
|
state: present
|
|
|
|
- name: Re-create the authentication flow
|
|
community.general.keycloak_authentication:
|
|
auth_keycloak_url: http://localhost:8080/auth
|
|
auth_realm: master
|
|
auth_username: admin
|
|
auth_password: password
|
|
realm: master
|
|
alias: "Copy of first broker login"
|
|
copyFrom: "first broker login"
|
|
authenticationExecutions:
|
|
- providerId: "test-provisioning"
|
|
requirement: "REQUIRED"
|
|
authenticationConfig:
|
|
alias: "test.provisioning.property"
|
|
config:
|
|
test.provisioning.property: "value"
|
|
state: present
|
|
force: true
|
|
|
|
- name: Create an authentication flow with subflow containing an execution.
|
|
community.general.keycloak_authentication:
|
|
auth_keycloak_url: http://localhost:8080/auth
|
|
auth_realm: master
|
|
auth_username: admin
|
|
auth_password: password
|
|
realm: master
|
|
alias: "Copy of first broker login"
|
|
copyFrom: "first broker login"
|
|
authenticationExecutions:
|
|
- providerId: "test-execution1"
|
|
requirement: "REQUIRED"
|
|
- displayName: "New Subflow"
|
|
requirement: "REQUIRED"
|
|
- providerId: "auth-cookie"
|
|
requirement: "REQUIRED"
|
|
flowAlias: "New Sublow"
|
|
state: present
|
|
|
|
- name: Remove authentication.
|
|
community.general.keycloak_authentication:
|
|
auth_keycloak_url: http://localhost:8080/auth
|
|
auth_realm: master
|
|
auth_username: admin
|
|
auth_password: password
|
|
realm: master
|
|
alias: "Copy of first broker login"
|
|
state: absent
|
|
'''
|
|
|
|
RETURN = '''
|
|
msg:
|
|
description: Message as to what action was taken.
|
|
returned: always
|
|
type: str
|
|
|
|
flow:
|
|
description:
|
|
- JSON representation for the authentication.
|
|
- Deprecated return value, it will be removed in community.general 6.0.0. Please use the return value I(end_state) instead.
|
|
returned: on success
|
|
type: dict
|
|
sample: {
|
|
"alias": "Copy of first broker login",
|
|
"authenticationExecutions": [
|
|
{
|
|
"alias": "review profile config",
|
|
"authenticationConfig": {
|
|
"alias": "review profile config",
|
|
"config": { "update.profile.on.first.login": "missing" },
|
|
"id": "6f09e4fb-aad4-496a-b873-7fa9779df6d7"
|
|
},
|
|
"configurable": true,
|
|
"displayName": "Review Profile",
|
|
"id": "8f77dab8-2008-416f-989e-88b09ccf0b4c",
|
|
"index": 0,
|
|
"level": 0,
|
|
"providerId": "idp-review-profile",
|
|
"requirement": "REQUIRED",
|
|
"requirementChoices": [ "REQUIRED", "ALTERNATIVE", "DISABLED" ]
|
|
}
|
|
],
|
|
"builtIn": false,
|
|
"description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
|
|
"id": "bc228863-5887-4297-b898-4d988f8eaa5c",
|
|
"providerId": "basic-flow",
|
|
"topLevel": true
|
|
}
|
|
|
|
end_state:
|
|
description: Representation of the authentication after module execution.
|
|
returned: on success
|
|
type: dict
|
|
sample: {
|
|
"alias": "Copy of first broker login",
|
|
"authenticationExecutions": [
|
|
{
|
|
"alias": "review profile config",
|
|
"authenticationConfig": {
|
|
"alias": "review profile config",
|
|
"config": { "update.profile.on.first.login": "missing" },
|
|
"id": "6f09e4fb-aad4-496a-b873-7fa9779df6d7"
|
|
},
|
|
"configurable": true,
|
|
"displayName": "Review Profile",
|
|
"id": "8f77dab8-2008-416f-989e-88b09ccf0b4c",
|
|
"index": 0,
|
|
"level": 0,
|
|
"providerId": "idp-review-profile",
|
|
"requirement": "REQUIRED",
|
|
"requirementChoices": [ "REQUIRED", "ALTERNATIVE", "DISABLED" ]
|
|
}
|
|
],
|
|
"builtIn": false,
|
|
"description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
|
|
"id": "bc228863-5887-4297-b898-4d988f8eaa5c",
|
|
"providerId": "basic-flow",
|
|
"topLevel": true
|
|
}
|
|
'''
|
|
|
|
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak \
|
|
import KeycloakAPI, camel, keycloak_argument_spec, get_token, KeycloakError, is_struct_included
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
|
|
|
|
def find_exec_in_executions(searched_exec, executions):
|
|
"""
|
|
Search if exec is contained in the executions.
|
|
:param searched_exec: Execution to search for.
|
|
:param executions: List of executions.
|
|
:return: Index of the execution, -1 if not found..
|
|
"""
|
|
for i, existing_exec in enumerate(executions, start=0):
|
|
if ("providerId" in existing_exec and "providerId" in searched_exec and
|
|
existing_exec["providerId"] == searched_exec["providerId"] or
|
|
"displayName" in existing_exec and "displayName" in searched_exec and
|
|
existing_exec["displayName"] == searched_exec["displayName"]):
|
|
return i
|
|
return -1
|
|
|
|
|
|
def create_or_update_executions(kc, config, realm='master'):
|
|
"""
|
|
Create or update executions for an authentication flow.
|
|
:param kc: Keycloak API access.
|
|
:param config: Representation of the authentication flow including it's executions.
|
|
:param realm: Realm
|
|
:return: tuple (changed, dict(before, after)
|
|
WHERE
|
|
bool changed indicates if changes have been made
|
|
dict(str, str) shows state before and after creation/update
|
|
"""
|
|
try:
|
|
changed = False
|
|
after = ""
|
|
before = ""
|
|
if "authenticationExecutions" in config:
|
|
# Get existing executions on the Keycloak server for this alias
|
|
existing_executions = kc.get_executions_representation(config, realm=realm)
|
|
for new_exec_index, new_exec in enumerate(config["authenticationExecutions"], start=0):
|
|
if new_exec["index"] is not None:
|
|
new_exec_index = new_exec["index"]
|
|
exec_found = False
|
|
# Get flowalias parent if given
|
|
if new_exec["flowAlias"] is not None:
|
|
flow_alias_parent = new_exec["flowAlias"]
|
|
else:
|
|
flow_alias_parent = config["alias"]
|
|
# Check if same providerId or displayName name between existing and new execution
|
|
exec_index = find_exec_in_executions(new_exec, existing_executions)
|
|
if exec_index != -1:
|
|
# Remove key that doesn't need to be compared with existing_exec
|
|
exclude_key = ["flowAlias"]
|
|
for index_key, key in enumerate(new_exec, start=0):
|
|
if new_exec[key] is None:
|
|
exclude_key.append(key)
|
|
# Compare the executions to see if it need changes
|
|
if not is_struct_included(new_exec, existing_executions[exec_index], exclude_key) or exec_index != new_exec_index:
|
|
exec_found = True
|
|
before += str(existing_executions[exec_index]) + '\n'
|
|
id_to_update = existing_executions[exec_index]["id"]
|
|
# Remove exec from list in case 2 exec with same name
|
|
existing_executions[exec_index].clear()
|
|
elif new_exec["providerId"] is not None:
|
|
kc.create_execution(new_exec, flowAlias=flow_alias_parent, realm=realm)
|
|
exec_found = True
|
|
exec_index = new_exec_index
|
|
id_to_update = kc.get_executions_representation(config, realm=realm)[exec_index]["id"]
|
|
after += str(new_exec) + '\n'
|
|
elif new_exec["displayName"] is not None:
|
|
kc.create_subflow(new_exec["displayName"], flow_alias_parent, realm=realm)
|
|
exec_found = True
|
|
exec_index = new_exec_index
|
|
id_to_update = kc.get_executions_representation(config, realm=realm)[exec_index]["id"]
|
|
after += str(new_exec) + '\n'
|
|
if exec_found:
|
|
changed = True
|
|
if exec_index != -1:
|
|
# Update the existing execution
|
|
updated_exec = {
|
|
"id": id_to_update
|
|
}
|
|
# add the execution configuration
|
|
if new_exec["authenticationConfig"] is not None:
|
|
kc.add_authenticationConfig_to_execution(updated_exec["id"], new_exec["authenticationConfig"], realm=realm)
|
|
for key in new_exec:
|
|
# remove unwanted key for the next API call
|
|
if key != "flowAlias" and key != "authenticationConfig":
|
|
updated_exec[key] = new_exec[key]
|
|
if new_exec["requirement"] is not None:
|
|
kc.update_authentication_executions(flow_alias_parent, updated_exec, realm=realm)
|
|
diff = exec_index - new_exec_index
|
|
kc.change_execution_priority(updated_exec["id"], diff, realm=realm)
|
|
after += str(kc.get_executions_representation(config, realm=realm)[new_exec_index]) + '\n'
|
|
return changed, dict(before=before, after=after)
|
|
except Exception as e:
|
|
kc.module.fail_json(msg='Could not create or update executions for authentication flow %s in realm %s: %s'
|
|
% (config["alias"], realm, str(e)))
|
|
|
|
|
|
def main():
|
|
"""
|
|
Module execution
|
|
|
|
:return:
|
|
"""
|
|
argument_spec = keycloak_argument_spec()
|
|
|
|
meta_args = dict(
|
|
realm=dict(type='str', required=True),
|
|
alias=dict(type='str', required=True),
|
|
providerId=dict(type='str'),
|
|
description=dict(type='str'),
|
|
copyFrom=dict(type='str'),
|
|
authenticationExecutions=dict(type='list', elements='dict',
|
|
options=dict(
|
|
providerId=dict(type='str'),
|
|
displayName=dict(type='str'),
|
|
requirement=dict(choices=["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"], type='str'),
|
|
flowAlias=dict(type='str'),
|
|
authenticationConfig=dict(type='dict'),
|
|
index=dict(type='int'),
|
|
)),
|
|
state=dict(choices=["absent", "present"], default='present'),
|
|
force=dict(type='bool', default=False),
|
|
)
|
|
|
|
argument_spec.update(meta_args)
|
|
|
|
module = AnsibleModule(argument_spec=argument_spec,
|
|
supports_check_mode=True,
|
|
required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
|
|
required_together=([['auth_realm', 'auth_username', 'auth_password']])
|
|
)
|
|
|
|
result = dict(changed=False, msg='', flow={})
|
|
|
|
# Obtain access token, initialize API
|
|
try:
|
|
connection_header = get_token(module.params)
|
|
except KeycloakError as e:
|
|
module.fail_json(msg=str(e))
|
|
|
|
kc = KeycloakAPI(module, connection_header)
|
|
|
|
realm = module.params.get('realm')
|
|
state = module.params.get('state')
|
|
force = module.params.get('force')
|
|
|
|
new_auth_repr = {
|
|
"alias": module.params.get("alias"),
|
|
"copyFrom": module.params.get("copyFrom"),
|
|
"providerId": module.params.get("providerId"),
|
|
"authenticationExecutions": module.params.get("authenticationExecutions"),
|
|
"description": module.params.get("description"),
|
|
"builtIn": module.params.get("builtIn"),
|
|
"subflow": module.params.get("subflow"),
|
|
}
|
|
|
|
auth_repr = kc.get_authentication_flow_by_alias(alias=new_auth_repr["alias"], realm=realm)
|
|
|
|
# Cater for when it doesn't exist (an empty dict)
|
|
if not auth_repr:
|
|
if state == 'absent':
|
|
# Do nothing and exit
|
|
if module._diff:
|
|
result['diff'] = dict(before='', after='')
|
|
result['changed'] = False
|
|
result['end_state'] = {}
|
|
result['flow'] = result['end_state']
|
|
result['msg'] = new_auth_repr["alias"] + ' absent'
|
|
module.exit_json(**result)
|
|
|
|
elif state == 'present':
|
|
# Process a creation
|
|
result['changed'] = True
|
|
|
|
if module._diff:
|
|
result['diff'] = dict(before='', after=new_auth_repr)
|
|
|
|
if module.check_mode:
|
|
module.exit_json(**result)
|
|
|
|
# If copyFrom is defined, create authentication flow from a copy
|
|
if "copyFrom" in new_auth_repr and new_auth_repr["copyFrom"] is not None:
|
|
auth_repr = kc.copy_auth_flow(config=new_auth_repr, realm=realm)
|
|
else: # Create an empty authentication flow
|
|
auth_repr = kc.create_empty_auth_flow(config=new_auth_repr, realm=realm)
|
|
|
|
# If the authentication still not exist on the server, raise an exception.
|
|
if auth_repr is None:
|
|
result['msg'] = "Authentication just created not found: " + str(new_auth_repr)
|
|
module.fail_json(**result)
|
|
|
|
# Configure the executions for the flow
|
|
create_or_update_executions(kc=kc, config=new_auth_repr, realm=realm)
|
|
|
|
# Get executions created
|
|
exec_repr = kc.get_executions_representation(config=new_auth_repr, realm=realm)
|
|
if exec_repr is not None:
|
|
auth_repr["authenticationExecutions"] = exec_repr
|
|
result['end_state'] = auth_repr
|
|
result['flow'] = result['end_state']
|
|
|
|
else:
|
|
if state == 'present':
|
|
# Process an update
|
|
|
|
if force: # If force option is true
|
|
# Delete the actual authentication flow
|
|
result['changed'] = True
|
|
if module._diff:
|
|
result['diff'] = dict(before=auth_repr, after=new_auth_repr)
|
|
if module.check_mode:
|
|
module.exit_json(**result)
|
|
kc.delete_authentication_flow_by_id(id=auth_repr["id"], realm=realm)
|
|
# If copyFrom is defined, create authentication flow from a copy
|
|
if "copyFrom" in new_auth_repr and new_auth_repr["copyFrom"] is not None:
|
|
auth_repr = kc.copy_auth_flow(config=new_auth_repr, realm=realm)
|
|
else: # Create an empty authentication flow
|
|
auth_repr = kc.create_empty_auth_flow(config=new_auth_repr, realm=realm)
|
|
# If the authentication still not exist on the server, raise an exception.
|
|
if auth_repr is None:
|
|
result['msg'] = "Authentication just created not found: " + str(new_auth_repr)
|
|
module.fail_json(**result)
|
|
# Configure the executions for the flow
|
|
|
|
if module.check_mode:
|
|
module.exit_json(**result)
|
|
changed, diff = create_or_update_executions(kc=kc, config=new_auth_repr, realm=realm)
|
|
result['changed'] |= changed
|
|
|
|
if module._diff:
|
|
result['diff'] = diff
|
|
|
|
# Get executions created
|
|
exec_repr = kc.get_executions_representation(config=new_auth_repr, realm=realm)
|
|
if exec_repr is not None:
|
|
auth_repr["authenticationExecutions"] = exec_repr
|
|
result['end_state'] = auth_repr
|
|
result['flow'] = result['end_state']
|
|
|
|
else:
|
|
# Process a deletion (because state was not 'present')
|
|
result['changed'] = True
|
|
|
|
if module._diff:
|
|
result['diff'] = dict(before=auth_repr, after='')
|
|
|
|
if module.check_mode:
|
|
module.exit_json(**result)
|
|
|
|
# delete it
|
|
kc.delete_authentication_flow_by_id(id=auth_repr["id"], realm=realm)
|
|
|
|
result['msg'] = 'Authentication flow: {alias} id: {id} is deleted'.format(alias=new_auth_repr['alias'],
|
|
id=auth_repr["id"])
|
|
|
|
module.exit_json(**result)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|