mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2024-09-14 20:13:21 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			1033 lines
		
	
	
	
		
			39 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			1033 lines
		
	
	
	
		
			39 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #!/usr/bin/python
 | |
| # -*- coding: utf-8 -*-
 | |
| 
 | |
| # Copyright (c) Ansible project
 | |
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 | |
| # SPDX-License-Identifier: GPL-3.0-or-later
 | |
| 
 | |
| from __future__ import absolute_import, division, print_function
 | |
| __metaclass__ = type
 | |
| 
 | |
| DOCUMENTATION = '''
 | |
| ---
 | |
| module: keycloak_user_federation
 | |
| 
 | |
| short_description: Allows administration of Keycloak user federations via Keycloak API
 | |
| 
 | |
| version_added: 3.7.0
 | |
| 
 | |
| description:
 | |
|     - This module allows you to add, remove or modify Keycloak user federations via the Keycloak REST API.
 | |
|       It requires access to the REST API via OpenID Connect; the user connecting and the client being
 | |
|       used must have the requisite access rights. In a default Keycloak installation, admin-cli
 | |
|       and an admin user would work, as would a separate client definition with the scope tailored
 | |
|       to your needs and a user having the expected roles.
 | |
| 
 | |
|     - The names of module options are snake_cased versions of the camelCase ones found in the
 | |
|       Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
 | |
| 
 | |
| attributes:
 | |
|     check_mode:
 | |
|         support: full
 | |
|     diff_mode:
 | |
|         support: full
 | |
| 
 | |
| options:
 | |
|     state:
 | |
|         description:
 | |
|             - State of the user federation.
 | |
|             - On V(present), the user federation will be created if it does not yet exist, or updated with
 | |
|               the parameters you provide.
 | |
|             - On V(absent), the user federation will be removed if it exists.
 | |
|         default: 'present'
 | |
|         type: str
 | |
|         choices:
 | |
|             - present
 | |
|             - absent
 | |
| 
 | |
|     realm:
 | |
|         description:
 | |
|             - The Keycloak realm under which this user federation resides.
 | |
|         default: 'master'
 | |
|         type: str
 | |
| 
 | |
|     id:
 | |
|         description:
 | |
|             - The unique ID for this user federation. If left empty, the user federation will be searched
 | |
|               by its O(name).
 | |
|         type: str
 | |
| 
 | |
|     name:
 | |
|         description:
 | |
|             - Display name of provider when linked in admin console.
 | |
|         type: str
 | |
| 
 | |
|     provider_id:
 | |
|         description:
 | |
|             - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd).
 | |
|               Custom user storage providers can also be used.
 | |
|         aliases:
 | |
|             - providerId
 | |
|         type: str
 | |
| 
 | |
|     provider_type:
 | |
|         description:
 | |
|             - Component type for user federation (only supported value is V(org.keycloak.storage.UserStorageProvider)).
 | |
|         aliases:
 | |
|             - providerType
 | |
|         default: org.keycloak.storage.UserStorageProvider
 | |
|         type: str
 | |
| 
 | |
|     parent_id:
 | |
|         description:
 | |
|             - Unique ID for the parent of this user federation. Realm ID will be automatically used if left blank.
 | |
|         aliases:
 | |
|             - parentId
 | |
|         type: str
 | |
| 
 | |
|     config:
 | |
|         description:
 | |
|             - Dict specifying the configuration options for the provider; the contents differ depending on
 | |
|               the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd).
 | |
|               It is easiest to obtain valid config values by dumping an already-existing user federation
 | |
|               configuration through check-mode in the RV(existing) field.
 | |
|             - The value V(sssd) has been supported since community.general 4.2.0.
 | |
|         type: dict
 | |
|         suboptions:
 | |
|             enabled:
 | |
|                 description:
 | |
|                     - Enable/disable this user federation.
 | |
|                 default: true
 | |
|                 type: bool
 | |
| 
 | |
|             priority:
 | |
|                 description:
 | |
|                     - Priority of provider when doing a user lookup. Lowest first.
 | |
|                 default: 0
 | |
|                 type: int
 | |
| 
 | |
|             importEnabled:
 | |
|                 description:
 | |
|                     - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured
 | |
|                       sync policies.
 | |
|                 default: true
 | |
|                 type: bool
 | |
| 
 | |
|             editMode:
 | |
|                 description:
 | |
|                     - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP
 | |
|                       on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP.
 | |
|                 type: str
 | |
|                 choices:
 | |
|                     - READ_ONLY
 | |
|                     - WRITABLE
 | |
|                     - UNSYNCED
 | |
| 
 | |
|             syncRegistrations:
 | |
|                 description:
 | |
|                     - Should newly created users be created within LDAP store? Priority effects which
 | |
|                       provider is chosen to sync the new user.
 | |
|                 default: false
 | |
|                 type: bool
 | |
| 
 | |
|             vendor:
 | |
|                 description:
 | |
|                     - LDAP vendor (provider).
 | |
|                     - Use short name. For instance, write V(rhds) for "Red Hat Directory Server".
 | |
|                 type: str
 | |
| 
 | |
|             usernameLDAPAttribute:
 | |
|                 description:
 | |
|                     - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server
 | |
|                       vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn).
 | |
|                       The attribute should be filled for all LDAP user records you want to import from
 | |
|                       LDAP to Keycloak.
 | |
|                 type: str
 | |
| 
 | |
|             rdnLDAPAttribute:
 | |
|                 description:
 | |
|                     - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN.
 | |
|                       Usually it's the same as Username LDAP attribute, however it is not required. For
 | |
|                       example for Active directory, it is common to use V(cn) as RDN attribute when
 | |
|                       username attribute might be V(sAMAccountName).
 | |
|                 type: str
 | |
| 
 | |
|             uuidLDAPAttribute:
 | |
|                 description:
 | |
|                     - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects
 | |
|                       in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different.
 | |
|                       For example for Active directory it should be V(objectGUID). If your LDAP server does
 | |
|                       not support the notion of UUID, you can use any other attribute that is supposed to
 | |
|                       be unique among LDAP users in tree.
 | |
|                 type: str
 | |
| 
 | |
|             userObjectClasses:
 | |
|                 description:
 | |
|                     - All values of LDAP objectClass attribute for users in LDAP divided by comma.
 | |
|                       For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users
 | |
|                       will be written to LDAP with all those object classes and existing LDAP user records
 | |
|                       are found just if they contain all those object classes.
 | |
|                 type: str
 | |
| 
 | |
|             connectionUrl:
 | |
|                 description:
 | |
|                     - Connection URL to your LDAP server.
 | |
|                 type: str
 | |
| 
 | |
|             usersDn:
 | |
|                 description:
 | |
|                     - Full DN of LDAP tree where your users are. This DN is the parent of LDAP users.
 | |
|                 type: str
 | |
| 
 | |
|             customUserSearchFilter:
 | |
|                 description:
 | |
|                     - Additional LDAP Filter for filtering searched users. Leave this empty if you don't
 | |
|                       need additional filter.
 | |
|                 type: str
 | |
| 
 | |
|             searchScope:
 | |
|                 description:
 | |
|                     - For one level, the search applies only for users in the DNs specified by User DNs.
 | |
|                       For subtree, the search applies to the whole subtree. See LDAP documentation for
 | |
|                       more details.
 | |
|                 default: '1'
 | |
|                 type: str
 | |
|                 choices:
 | |
|                     - '1'
 | |
|                     - '2'
 | |
| 
 | |
|             authType:
 | |
|                 description:
 | |
|                     - Type of the Authentication method used during LDAP Bind operation. It is used in
 | |
|                       most of the requests sent to the LDAP server.
 | |
|                 default: 'none'
 | |
|                 type: str
 | |
|                 choices:
 | |
|                     - none
 | |
|                     - simple
 | |
| 
 | |
|             bindDn:
 | |
|                 description:
 | |
|                     - DN of LDAP user which will be used by Keycloak to access LDAP server.
 | |
|                 type: str
 | |
| 
 | |
|             bindCredential:
 | |
|                 description:
 | |
|                     - Password of LDAP admin.
 | |
|                 type: str
 | |
| 
 | |
|             startTls:
 | |
|                 description:
 | |
|                     - Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling.
 | |
|                 default: false
 | |
|                 type: bool
 | |
| 
 | |
|             usePasswordModifyExtendedOp:
 | |
|                 description:
 | |
|                     - Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify
 | |
|                       extended operation usually requires that LDAP user already has password in the LDAP
 | |
|                       server. So when this is used with 'Sync Registrations', it can be good to add also
 | |
|                       'Hardcoded LDAP attribute mapper' with randomly generated initial password.
 | |
|                 default: false
 | |
|                 type: bool
 | |
| 
 | |
|             validatePasswordPolicy:
 | |
|                 description:
 | |
|                     - Determines if Keycloak should validate the password with the realm password policy
 | |
|                       before updating it.
 | |
|                 default: false
 | |
|                 type: bool
 | |
| 
 | |
|             trustEmail:
 | |
|                 description:
 | |
|                     - If enabled, email provided by this provider is not verified even if verification is
 | |
|                       enabled for the realm.
 | |
|                 default: false
 | |
|                 type: bool
 | |
| 
 | |
|             useTruststoreSpi:
 | |
|                 description:
 | |
|                     - Specifies whether LDAP connection will use the truststore SPI with the truststore
 | |
|                       configured in standalone.xml/domain.xml. V(always) means that it will always use it.
 | |
|                       V(never) means that it will not use it. V(ldapsOnly) means that it will use if
 | |
|                       your connection URL use ldaps. Note even if standalone.xml/domain.xml is not
 | |
|                       configured, the default Java cacerts or certificate specified by
 | |
|                       C(javax.net.ssl.trustStore) property will be used.
 | |
|                 default: ldapsOnly
 | |
|                 type: str
 | |
|                 choices:
 | |
|                     - always
 | |
|                     - ldapsOnly
 | |
|                     - never
 | |
| 
 | |
|             connectionTimeout:
 | |
|                 description:
 | |
|                     - LDAP Connection Timeout in milliseconds.
 | |
|                 type: int
 | |
| 
 | |
|             readTimeout:
 | |
|                 description:
 | |
|                     - LDAP Read Timeout in milliseconds. This timeout applies for LDAP read operations.
 | |
|                 type: int
 | |
| 
 | |
|             pagination:
 | |
|                 description:
 | |
|                     - Does the LDAP server support pagination.
 | |
|                 default: true
 | |
|                 type: bool
 | |
| 
 | |
|             connectionPooling:
 | |
|                 description:
 | |
|                     - Determines if Keycloak should use connection pooling for accessing LDAP server.
 | |
|                 default: true
 | |
|                 type: bool
 | |
| 
 | |
|             connectionPoolingAuthentication:
 | |
|                 description:
 | |
|                     - A list of space-separated authentication types of connections that may be pooled.
 | |
|                 type: str
 | |
|                 choices:
 | |
|                     - none
 | |
|                     - simple
 | |
|                     - DIGEST-MD5
 | |
| 
 | |
|             connectionPoolingDebug:
 | |
|                 description:
 | |
|                     - A string that indicates the level of debug output to produce. Example valid values are
 | |
|                       V(fine) (trace connection creation and removal) and V(all) (all debugging information).
 | |
|                 type: str
 | |
| 
 | |
|             connectionPoolingInitSize:
 | |
|                 description:
 | |
|                     - The number of connections per connection identity to create when initially creating a
 | |
|                       connection for the identity.
 | |
|                 type: int
 | |
| 
 | |
|             connectionPoolingMaxSize:
 | |
|                 description:
 | |
|                     - The maximum number of connections per connection identity that can be maintained
 | |
|                       concurrently.
 | |
|                 type: int
 | |
| 
 | |
|             connectionPoolingPrefSize:
 | |
|                 description:
 | |
|                     - The preferred number of connections per connection identity that should be maintained
 | |
|                       concurrently.
 | |
|                 type: int
 | |
| 
 | |
|             connectionPoolingProtocol:
 | |
|                 description:
 | |
|                     - A list of space-separated protocol types of connections that may be pooled.
 | |
|                       Valid types are V(plain) and V(ssl).
 | |
|                 type: str
 | |
| 
 | |
|             connectionPoolingTimeout:
 | |
|                 description:
 | |
|                     - The number of milliseconds that an idle connection may remain in the pool without
 | |
|                       being closed and removed from the pool.
 | |
|                 type: int
 | |
| 
 | |
|             allowKerberosAuthentication:
 | |
|                 description:
 | |
|                     - Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data
 | |
|                       about authenticated users will be provisioned from this LDAP server.
 | |
|                 default: false
 | |
|                 type: bool
 | |
| 
 | |
|             kerberosRealm:
 | |
|                 description:
 | |
|                     - Name of kerberos realm.
 | |
|                 type: str
 | |
| 
 | |
|             krbPrincipalAttribute:
 | |
|                 description:
 | |
|                     - Name of the LDAP attribute, which refers to Kerberos principal.
 | |
|                       This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak.
 | |
|                       When this is empty, the LDAP user will be looked based on LDAP username corresponding
 | |
|                       to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG),
 | |
|                       it will assume that LDAP username is V(john).
 | |
|                 type: str
 | |
|                 version_added: 8.1.0
 | |
| 
 | |
|             serverPrincipal:
 | |
|                 description:
 | |
|                     - Full name of server principal for HTTP service including server and domain name. For
 | |
|                       example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the
 | |
|                       KeyTab file.
 | |
|                 type: str
 | |
| 
 | |
|             keyTab:
 | |
|                 description:
 | |
|                     - Location of Kerberos KeyTab file containing the credentials of server principal. For
 | |
|                       example V(/etc/krb5.keytab).
 | |
|                 type: str
 | |
| 
 | |
|             debug:
 | |
|                 description:
 | |
|                     - Enable/disable debug logging to standard output for Krb5LoginModule.
 | |
|                 type: bool
 | |
| 
 | |
|             useKerberosForPasswordAuthentication:
 | |
|                 description:
 | |
|                     - Use Kerberos login module for authenticate username/password against Kerberos server
 | |
|                       instead of authenticating against LDAP server with Directory Service API.
 | |
|                 default: false
 | |
|                 type: bool
 | |
| 
 | |
|             allowPasswordAuthentication:
 | |
|                 description:
 | |
|                     - Enable/disable possibility of username/password authentication against Kerberos database.
 | |
|                 type: bool
 | |
| 
 | |
|             batchSizeForSync:
 | |
|                 description:
 | |
|                     - Count of LDAP users to be imported from LDAP to Keycloak within a single transaction.
 | |
|                 default: 1000
 | |
|                 type: int
 | |
| 
 | |
|             fullSyncPeriod:
 | |
|                 description:
 | |
|                     - Period for full synchronization in seconds.
 | |
|                 default: -1
 | |
|                 type: int
 | |
| 
 | |
|             changedSyncPeriod:
 | |
|                 description:
 | |
|                     - Period for synchronization of changed or newly created LDAP users in seconds.
 | |
|                 default: -1
 | |
|                 type: int
 | |
| 
 | |
|             updateProfileFirstLogin:
 | |
|                 description:
 | |
|                     - Update profile on first login.
 | |
|                 type: bool
 | |
| 
 | |
|             cachePolicy:
 | |
|                 description:
 | |
|                     - Cache Policy for this storage provider.
 | |
|                 type: str
 | |
|                 default: 'DEFAULT'
 | |
|                 choices:
 | |
|                     - DEFAULT
 | |
|                     - EVICT_DAILY
 | |
|                     - EVICT_WEEKLY
 | |
|                     - MAX_LIFESPAN
 | |
|                     - NO_CACHE
 | |
| 
 | |
|             evictionDay:
 | |
|                 description:
 | |
|                     - Day of the week the entry will become invalid on.
 | |
|                 type: str
 | |
| 
 | |
|             evictionHour:
 | |
|                 description:
 | |
|                     - Hour of day the entry will become invalid on.
 | |
|                 type: str
 | |
| 
 | |
|             evictionMinute:
 | |
|                 description:
 | |
|                     - Minute of day the entry will become invalid on.
 | |
|                 type: str
 | |
| 
 | |
|             maxLifespan:
 | |
|                 description:
 | |
|                     - Max lifespan of cache entry in milliseconds.
 | |
|                 type: int
 | |
| 
 | |
|     mappers:
 | |
|         description:
 | |
|             - A list of dicts defining mappers associated with this Identity Provider.
 | |
|         type: list
 | |
|         elements: dict
 | |
|         suboptions:
 | |
|             id:
 | |
|                 description:
 | |
|                     - Unique ID of this mapper.
 | |
|                 type: str
 | |
| 
 | |
|             name:
 | |
|                 description:
 | |
|                     - Name of the mapper. If no ID is given, the mapper will be searched by name.
 | |
|                 type: str
 | |
| 
 | |
|             parentId:
 | |
|                 description:
 | |
|                     - Unique ID for the parent of this mapper. ID of the user federation will automatically
 | |
|                       be used if left blank.
 | |
|                 type: str
 | |
| 
 | |
|             providerId:
 | |
|                 description:
 | |
|                     - The mapper type for this mapper (for instance V(user-attribute-ldap-mapper)).
 | |
|                 type: str
 | |
| 
 | |
|             providerType:
 | |
|                 description:
 | |
|                     - Component type for this mapper.
 | |
|                 type: str
 | |
|                 default: org.keycloak.storage.ldap.mappers.LDAPStorageMapper
 | |
| 
 | |
|             config:
 | |
|                 description:
 | |
|                     - Dict specifying the configuration options for the mapper; the contents differ
 | |
|                       depending on the value of I(identityProviderMapper).
 | |
|                     # TODO: what is identityProviderMapper above???
 | |
|                 type: dict
 | |
| 
 | |
| extends_documentation_fragment:
 | |
|     - community.general.keycloak
 | |
|     - community.general.attributes
 | |
| 
 | |
| author:
 | |
|     - Laurent Paumier (@laurpaum)
 | |
| '''
 | |
| 
 | |
| EXAMPLES = '''
 | |
|   - name: Create LDAP user federation
 | |
|     community.general.keycloak_user_federation:
 | |
|       auth_keycloak_url: https://keycloak.example.com/auth
 | |
|       auth_realm: master
 | |
|       auth_username: admin
 | |
|       auth_password: password
 | |
|       realm: my-realm
 | |
|       name: my-ldap
 | |
|       state: present
 | |
|       provider_id: ldap
 | |
|       provider_type: org.keycloak.storage.UserStorageProvider
 | |
|       config:
 | |
|         priority: 0
 | |
|         enabled: true
 | |
|         cachePolicy: DEFAULT
 | |
|         batchSizeForSync: 1000
 | |
|         editMode: READ_ONLY
 | |
|         importEnabled: true
 | |
|         syncRegistrations: false
 | |
|         vendor: other
 | |
|         usernameLDAPAttribute: uid
 | |
|         rdnLDAPAttribute: uid
 | |
|         uuidLDAPAttribute: entryUUID
 | |
|         userObjectClasses: inetOrgPerson, organizationalPerson
 | |
|         connectionUrl: ldaps://ldap.example.com:636
 | |
|         usersDn: ou=Users,dc=example,dc=com
 | |
|         authType: simple
 | |
|         bindDn: cn=directory reader
 | |
|         bindCredential: password
 | |
|         searchScope: 1
 | |
|         validatePasswordPolicy: false
 | |
|         trustEmail: false
 | |
|         useTruststoreSpi: ldapsOnly
 | |
|         connectionPooling: true
 | |
|         pagination: true
 | |
|         allowKerberosAuthentication: false
 | |
|         debug: false
 | |
|         useKerberosForPasswordAuthentication: false
 | |
|       mappers:
 | |
|         - name: "full name"
 | |
|           providerId: "full-name-ldap-mapper"
 | |
|           providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
 | |
|           config:
 | |
|             ldap.full.name.attribute: cn
 | |
|             read.only: true
 | |
|             write.only: false
 | |
| 
 | |
|   - name: Create Kerberos user federation
 | |
|     community.general.keycloak_user_federation:
 | |
|       auth_keycloak_url: https://keycloak.example.com/auth
 | |
|       auth_realm: master
 | |
|       auth_username: admin
 | |
|       auth_password: password
 | |
|       realm: my-realm
 | |
|       name: my-kerberos
 | |
|       state: present
 | |
|       provider_id: kerberos
 | |
|       provider_type: org.keycloak.storage.UserStorageProvider
 | |
|       config:
 | |
|         priority: 0
 | |
|         enabled: true
 | |
|         cachePolicy: DEFAULT
 | |
|         kerberosRealm: EXAMPLE.COM
 | |
|         serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
 | |
|         keyTab: keytab
 | |
|         allowPasswordAuthentication: false
 | |
|         updateProfileFirstLogin: false
 | |
| 
 | |
|   - name: Create sssd user federation
 | |
|     community.general.keycloak_user_federation:
 | |
|       auth_keycloak_url: https://keycloak.example.com/auth
 | |
|       auth_realm: master
 | |
|       auth_username: admin
 | |
|       auth_password: password
 | |
|       realm: my-realm
 | |
|       name: my-sssd
 | |
|       state: present
 | |
|       provider_id: sssd
 | |
|       provider_type: org.keycloak.storage.UserStorageProvider
 | |
|       config:
 | |
|         priority: 0
 | |
|         enabled: true
 | |
|         cachePolicy: DEFAULT
 | |
| 
 | |
|   - name: Delete user federation
 | |
|     community.general.keycloak_user_federation:
 | |
|       auth_keycloak_url: https://keycloak.example.com/auth
 | |
|       auth_realm: master
 | |
|       auth_username: admin
 | |
|       auth_password: password
 | |
|       realm: my-realm
 | |
|       name: my-federation
 | |
|       state: absent
 | |
| 
 | |
| '''
 | |
| 
 | |
| RETURN = '''
 | |
| msg:
 | |
|     description: Message as to what action was taken.
 | |
|     returned: always
 | |
|     type: str
 | |
|     sample: "No changes required to user federation 164bb483-c613-482e-80fe-7f1431308799."
 | |
| 
 | |
| proposed:
 | |
|     description: Representation of proposed user federation.
 | |
|     returned: always
 | |
|     type: dict
 | |
|     sample: {
 | |
|         "config": {
 | |
|             "allowKerberosAuthentication": "false",
 | |
|             "authType": "simple",
 | |
|             "batchSizeForSync": "1000",
 | |
|             "bindCredential": "**********",
 | |
|             "bindDn": "cn=directory reader",
 | |
|             "cachePolicy": "DEFAULT",
 | |
|             "connectionPooling": "true",
 | |
|             "connectionUrl": "ldaps://ldap.example.com:636",
 | |
|             "debug": "false",
 | |
|             "editMode": "READ_ONLY",
 | |
|             "enabled": "true",
 | |
|             "importEnabled": "true",
 | |
|             "pagination": "true",
 | |
|             "priority": "0",
 | |
|             "rdnLDAPAttribute": "uid",
 | |
|             "searchScope": "1",
 | |
|             "syncRegistrations": "false",
 | |
|             "trustEmail": "false",
 | |
|             "useKerberosForPasswordAuthentication": "false",
 | |
|             "useTruststoreSpi": "ldapsOnly",
 | |
|             "userObjectClasses": "inetOrgPerson, organizationalPerson",
 | |
|             "usernameLDAPAttribute": "uid",
 | |
|             "usersDn": "ou=Users,dc=example,dc=com",
 | |
|             "uuidLDAPAttribute": "entryUUID",
 | |
|             "validatePasswordPolicy": "false",
 | |
|             "vendor": "other"
 | |
|         },
 | |
|         "name": "ldap",
 | |
|         "providerId": "ldap",
 | |
|         "providerType": "org.keycloak.storage.UserStorageProvider"
 | |
|     }
 | |
| 
 | |
| existing:
 | |
|     description: Representation of existing user federation.
 | |
|     returned: always
 | |
|     type: dict
 | |
|     sample: {
 | |
|         "config": {
 | |
|             "allowKerberosAuthentication": "false",
 | |
|             "authType": "simple",
 | |
|             "batchSizeForSync": "1000",
 | |
|             "bindCredential": "**********",
 | |
|             "bindDn": "cn=directory reader",
 | |
|             "cachePolicy": "DEFAULT",
 | |
|             "changedSyncPeriod": "-1",
 | |
|             "connectionPooling": "true",
 | |
|             "connectionUrl": "ldaps://ldap.example.com:636",
 | |
|             "debug": "false",
 | |
|             "editMode": "READ_ONLY",
 | |
|             "enabled": "true",
 | |
|             "fullSyncPeriod": "-1",
 | |
|             "importEnabled": "true",
 | |
|             "pagination": "true",
 | |
|             "priority": "0",
 | |
|             "rdnLDAPAttribute": "uid",
 | |
|             "searchScope": "1",
 | |
|             "syncRegistrations": "false",
 | |
|             "trustEmail": "false",
 | |
|             "useKerberosForPasswordAuthentication": "false",
 | |
|             "useTruststoreSpi": "ldapsOnly",
 | |
|             "userObjectClasses": "inetOrgPerson, organizationalPerson",
 | |
|             "usernameLDAPAttribute": "uid",
 | |
|             "usersDn": "ou=Users,dc=example,dc=com",
 | |
|             "uuidLDAPAttribute": "entryUUID",
 | |
|             "validatePasswordPolicy": "false",
 | |
|             "vendor": "other"
 | |
|         },
 | |
|         "id": "01122837-9047-4ae4-8ca0-6e2e891a765f",
 | |
|         "mappers": [
 | |
|             {
 | |
|                 "config": {
 | |
|                     "always.read.value.from.ldap": "false",
 | |
|                     "is.mandatory.in.ldap": "false",
 | |
|                     "ldap.attribute": "mail",
 | |
|                     "read.only": "true",
 | |
|                     "user.model.attribute": "email"
 | |
|                 },
 | |
|                 "id": "17d60ce2-2d44-4c2c-8b1f-1fba601b9a9f",
 | |
|                 "name": "email",
 | |
|                 "parentId": "01122837-9047-4ae4-8ca0-6e2e891a765f",
 | |
|                 "providerId": "user-attribute-ldap-mapper",
 | |
|                 "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
 | |
|             }
 | |
|         ],
 | |
|         "name": "myfed",
 | |
|         "parentId": "myrealm",
 | |
|         "providerId": "ldap",
 | |
|         "providerType": "org.keycloak.storage.UserStorageProvider"
 | |
|     }
 | |
| 
 | |
| end_state:
 | |
|     description: Representation of user federation after module execution.
 | |
|     returned: on success
 | |
|     type: dict
 | |
|     sample: {
 | |
|         "config": {
 | |
|             "allowPasswordAuthentication": "false",
 | |
|             "cachePolicy": "DEFAULT",
 | |
|             "enabled": "true",
 | |
|             "kerberosRealm": "EXAMPLE.COM",
 | |
|             "keyTab": "/etc/krb5.keytab",
 | |
|             "priority": "0",
 | |
|             "serverPrincipal": "HTTP/host.example.com@EXAMPLE.COM",
 | |
|             "updateProfileFirstLogin": "false"
 | |
|         },
 | |
|         "id": "cf52ae4f-4471-4435-a0cf-bb620cadc122",
 | |
|         "mappers": [],
 | |
|         "name": "kerberos",
 | |
|         "parentId": "myrealm",
 | |
|         "providerId": "kerberos",
 | |
|         "providerType": "org.keycloak.storage.UserStorageProvider"
 | |
|     }
 | |
| '''
 | |
| 
 | |
| from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
 | |
|     keycloak_argument_spec, get_token, KeycloakError
 | |
| from ansible.module_utils.basic import AnsibleModule
 | |
| from ansible.module_utils.six.moves.urllib.parse import urlencode
 | |
| from copy import deepcopy
 | |
| 
 | |
| 
 | |
| def sanitize(comp):
 | |
|     compcopy = deepcopy(comp)
 | |
|     if 'config' in compcopy:
 | |
|         compcopy['config'] = dict((k, v[0]) for k, v in compcopy['config'].items())
 | |
|         if 'bindCredential' in compcopy['config']:
 | |
|             compcopy['config']['bindCredential'] = '**********'
 | |
|         # an empty string is valid for krbPrincipalAttribute but is filtered out in diff
 | |
|         if 'krbPrincipalAttribute' not in compcopy['config']:
 | |
|             compcopy['config']['krbPrincipalAttribute'] = ''
 | |
|     if 'mappers' in compcopy:
 | |
|         for mapper in compcopy['mappers']:
 | |
|             if 'config' in mapper:
 | |
|                 mapper['config'] = dict((k, v[0]) for k, v in mapper['config'].items())
 | |
|     return compcopy
 | |
| 
 | |
| 
 | |
| def main():
 | |
|     """
 | |
|     Module execution
 | |
| 
 | |
|     :return:
 | |
|     """
 | |
|     argument_spec = keycloak_argument_spec()
 | |
| 
 | |
|     config_spec = dict(
 | |
|         allowKerberosAuthentication=dict(type='bool', default=False),
 | |
|         allowPasswordAuthentication=dict(type='bool'),
 | |
|         authType=dict(type='str', choices=['none', 'simple'], default='none'),
 | |
|         batchSizeForSync=dict(type='int', default=1000),
 | |
|         bindCredential=dict(type='str', no_log=True),
 | |
|         bindDn=dict(type='str'),
 | |
|         cachePolicy=dict(type='str', choices=['DEFAULT', 'EVICT_DAILY', 'EVICT_WEEKLY', 'MAX_LIFESPAN', 'NO_CACHE'], default='DEFAULT'),
 | |
|         changedSyncPeriod=dict(type='int', default=-1),
 | |
|         connectionPooling=dict(type='bool', default=True),
 | |
|         connectionPoolingAuthentication=dict(type='str', choices=['none', 'simple', 'DIGEST-MD5']),
 | |
|         connectionPoolingDebug=dict(type='str'),
 | |
|         connectionPoolingInitSize=dict(type='int'),
 | |
|         connectionPoolingMaxSize=dict(type='int'),
 | |
|         connectionPoolingPrefSize=dict(type='int'),
 | |
|         connectionPoolingProtocol=dict(type='str'),
 | |
|         connectionPoolingTimeout=dict(type='int'),
 | |
|         connectionTimeout=dict(type='int'),
 | |
|         connectionUrl=dict(type='str'),
 | |
|         customUserSearchFilter=dict(type='str'),
 | |
|         debug=dict(type='bool'),
 | |
|         editMode=dict(type='str', choices=['READ_ONLY', 'WRITABLE', 'UNSYNCED']),
 | |
|         enabled=dict(type='bool', default=True),
 | |
|         evictionDay=dict(type='str'),
 | |
|         evictionHour=dict(type='str'),
 | |
|         evictionMinute=dict(type='str'),
 | |
|         fullSyncPeriod=dict(type='int', default=-1),
 | |
|         importEnabled=dict(type='bool', default=True),
 | |
|         kerberosRealm=dict(type='str'),
 | |
|         keyTab=dict(type='str', no_log=False),
 | |
|         maxLifespan=dict(type='int'),
 | |
|         pagination=dict(type='bool', default=True),
 | |
|         priority=dict(type='int', default=0),
 | |
|         rdnLDAPAttribute=dict(type='str'),
 | |
|         readTimeout=dict(type='int'),
 | |
|         searchScope=dict(type='str', choices=['1', '2'], default='1'),
 | |
|         serverPrincipal=dict(type='str'),
 | |
|         krbPrincipalAttribute=dict(type='str'),
 | |
|         startTls=dict(type='bool', default=False),
 | |
|         syncRegistrations=dict(type='bool', default=False),
 | |
|         trustEmail=dict(type='bool', default=False),
 | |
|         updateProfileFirstLogin=dict(type='bool'),
 | |
|         useKerberosForPasswordAuthentication=dict(type='bool', default=False),
 | |
|         usePasswordModifyExtendedOp=dict(type='bool', default=False, no_log=False),
 | |
|         useTruststoreSpi=dict(type='str', choices=['always', 'ldapsOnly', 'never'], default='ldapsOnly'),
 | |
|         userObjectClasses=dict(type='str'),
 | |
|         usernameLDAPAttribute=dict(type='str'),
 | |
|         usersDn=dict(type='str'),
 | |
|         uuidLDAPAttribute=dict(type='str'),
 | |
|         validatePasswordPolicy=dict(type='bool', default=False),
 | |
|         vendor=dict(type='str'),
 | |
|     )
 | |
| 
 | |
|     mapper_spec = dict(
 | |
|         id=dict(type='str'),
 | |
|         name=dict(type='str'),
 | |
|         parentId=dict(type='str'),
 | |
|         providerId=dict(type='str'),
 | |
|         providerType=dict(type='str', default='org.keycloak.storage.ldap.mappers.LDAPStorageMapper'),
 | |
|         config=dict(type='dict'),
 | |
|     )
 | |
| 
 | |
|     meta_args = dict(
 | |
|         config=dict(type='dict', options=config_spec),
 | |
|         state=dict(type='str', default='present', choices=['present', 'absent']),
 | |
|         realm=dict(type='str', default='master'),
 | |
|         id=dict(type='str'),
 | |
|         name=dict(type='str'),
 | |
|         provider_id=dict(type='str', aliases=['providerId']),
 | |
|         provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'),
 | |
|         parent_id=dict(type='str', aliases=['parentId']),
 | |
|         mappers=dict(type='list', elements='dict', options=mapper_spec),
 | |
|     )
 | |
| 
 | |
|     argument_spec.update(meta_args)
 | |
| 
 | |
|     module = AnsibleModule(argument_spec=argument_spec,
 | |
|                            supports_check_mode=True,
 | |
|                            required_one_of=([['id', 'name'],
 | |
|                                              ['token', 'auth_realm', 'auth_username', 'auth_password']]),
 | |
|                            required_together=([['auth_realm', 'auth_username', 'auth_password']]))
 | |
| 
 | |
|     result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
 | |
| 
 | |
|     # Obtain access token, initialize API
 | |
|     try:
 | |
|         connection_header = get_token(module.params)
 | |
|     except KeycloakError as e:
 | |
|         module.fail_json(msg=str(e))
 | |
| 
 | |
|     kc = KeycloakAPI(module, connection_header)
 | |
| 
 | |
|     realm = module.params.get('realm')
 | |
|     state = module.params.get('state')
 | |
|     config = module.params.get('config')
 | |
|     mappers = module.params.get('mappers')
 | |
|     cid = module.params.get('id')
 | |
|     name = module.params.get('name')
 | |
| 
 | |
|     # Keycloak API expects config parameters to be arrays containing a single string element
 | |
|     if config is not None:
 | |
|         module.params['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v])
 | |
|                                        for k, v in config.items() if config[k] is not None)
 | |
| 
 | |
|     if mappers is not None:
 | |
|         for mapper in mappers:
 | |
|             if mapper.get('config') is not None:
 | |
|                 mapper['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v])
 | |
|                                         for k, v in mapper['config'].items() if mapper['config'][k] is not None)
 | |
| 
 | |
|     # Filter and map the parameters names that apply
 | |
|     comp_params = [x for x in module.params
 | |
|                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'mappers'] and
 | |
|                    module.params.get(x) is not None]
 | |
| 
 | |
|     # See if it already exists in Keycloak
 | |
|     if cid is None:
 | |
|         found = kc.get_components(urlencode(dict(type='org.keycloak.storage.UserStorageProvider', name=name)), realm)
 | |
|         if len(found) > 1:
 | |
|             module.fail_json(msg='No ID given and found multiple user federations with name `{name}`. Cannot continue.'.format(name=name))
 | |
|         before_comp = next(iter(found), None)
 | |
|         if before_comp is not None:
 | |
|             cid = before_comp['id']
 | |
|     else:
 | |
|         before_comp = kc.get_component(cid, realm)
 | |
| 
 | |
|     if before_comp is None:
 | |
|         before_comp = {}
 | |
| 
 | |
|     # if user federation exists, get associated mappers
 | |
|     if cid is not None and before_comp:
 | |
|         before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name'))
 | |
| 
 | |
|     # Build a proposed changeset from parameters given to this module
 | |
|     changeset = {}
 | |
| 
 | |
|     for param in comp_params:
 | |
|         new_param_value = module.params.get(param)
 | |
|         old_value = before_comp[camel(param)] if camel(param) in before_comp else None
 | |
|         if param == 'mappers':
 | |
|             new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value]
 | |
|         if new_param_value != old_value:
 | |
|             changeset[camel(param)] = new_param_value
 | |
| 
 | |
|     # special handling of mappers list to allow change detection
 | |
|     if module.params.get('mappers') is not None:
 | |
|         if module.params['provider_id'] in ['kerberos', 'sssd']:
 | |
|             module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id']))
 | |
|         for change in module.params['mappers']:
 | |
|             change = dict((k, v) for k, v in change.items() if change[k] is not None)
 | |
|             if change.get('id') is None and change.get('name') is None:
 | |
|                 module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.')
 | |
|             if cid is None:
 | |
|                 old_mapper = {}
 | |
|             elif change.get('id') is not None:
 | |
|                 old_mapper = kc.get_component(change['id'], realm)
 | |
|                 if old_mapper is None:
 | |
|                     old_mapper = {}
 | |
|             else:
 | |
|                 found = kc.get_components(urlencode(dict(parent=cid, name=change['name'])), realm)
 | |
|                 if len(found) > 1:
 | |
|                     module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name']))
 | |
|                 if len(found) == 1:
 | |
|                     old_mapper = found[0]
 | |
|                 else:
 | |
|                     old_mapper = {}
 | |
|             new_mapper = old_mapper.copy()
 | |
|             new_mapper.update(change)
 | |
|             if new_mapper != old_mapper:
 | |
|                 if changeset.get('mappers') is None:
 | |
|                     changeset['mappers'] = list()
 | |
|                 changeset['mappers'].append(new_mapper)
 | |
| 
 | |
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
 | |
|     desired_comp = before_comp.copy()
 | |
|     desired_comp.update(changeset)
 | |
| 
 | |
|     result['proposed'] = sanitize(changeset)
 | |
|     result['existing'] = sanitize(before_comp)
 | |
| 
 | |
|     # Cater for when it doesn't exist (an empty dict)
 | |
|     if not before_comp:
 | |
|         if state == 'absent':
 | |
|             # Do nothing and exit
 | |
|             if module._diff:
 | |
|                 result['diff'] = dict(before='', after='')
 | |
|             result['changed'] = False
 | |
|             result['end_state'] = {}
 | |
|             result['msg'] = 'User federation does not exist; doing nothing.'
 | |
|             module.exit_json(**result)
 | |
| 
 | |
|         # Process a creation
 | |
|         result['changed'] = True
 | |
| 
 | |
|         if module._diff:
 | |
|             result['diff'] = dict(before='', after=sanitize(desired_comp))
 | |
| 
 | |
|         if module.check_mode:
 | |
|             module.exit_json(**result)
 | |
| 
 | |
|         # create it
 | |
|         desired_comp = desired_comp.copy()
 | |
|         updated_mappers = desired_comp.pop('mappers', [])
 | |
|         after_comp = kc.create_component(desired_comp, realm)
 | |
| 
 | |
|         cid = after_comp['id']
 | |
| 
 | |
|         for mapper in updated_mappers:
 | |
|             found = kc.get_components(urlencode(dict(parent=cid, name=mapper['name'])), realm)
 | |
|             if len(found) > 1:
 | |
|                 module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=mapper['name']))
 | |
|             if len(found) == 1:
 | |
|                 old_mapper = found[0]
 | |
|             else:
 | |
|                 old_mapper = {}
 | |
| 
 | |
|             new_mapper = old_mapper.copy()
 | |
|             new_mapper.update(mapper)
 | |
| 
 | |
|             if new_mapper.get('id') is not None:
 | |
|                 kc.update_component(new_mapper, realm)
 | |
|             else:
 | |
|                 if new_mapper.get('parentId') is None:
 | |
|                     new_mapper['parentId'] = after_comp['id']
 | |
|                 mapper = kc.create_component(new_mapper, realm)
 | |
| 
 | |
|         after_comp['mappers'] = updated_mappers
 | |
|         result['end_state'] = sanitize(after_comp)
 | |
| 
 | |
|         result['msg'] = "User federation {id} has been created".format(id=after_comp['id'])
 | |
|         module.exit_json(**result)
 | |
| 
 | |
|     else:
 | |
|         if state == 'present':
 | |
|             # Process an update
 | |
| 
 | |
|             # no changes
 | |
|             if desired_comp == before_comp:
 | |
|                 result['changed'] = False
 | |
|                 result['end_state'] = sanitize(desired_comp)
 | |
|                 result['msg'] = "No changes required to user federation {id}.".format(id=cid)
 | |
|                 module.exit_json(**result)
 | |
| 
 | |
|             # doing an update
 | |
|             result['changed'] = True
 | |
| 
 | |
|             if module._diff:
 | |
|                 result['diff'] = dict(before=sanitize(before_comp), after=sanitize(desired_comp))
 | |
| 
 | |
|             if module.check_mode:
 | |
|                 module.exit_json(**result)
 | |
| 
 | |
|             # do the update
 | |
|             desired_comp = desired_comp.copy()
 | |
|             updated_mappers = desired_comp.pop('mappers', [])
 | |
|             kc.update_component(desired_comp, realm)
 | |
|             after_comp = kc.get_component(cid, realm)
 | |
| 
 | |
|             for mapper in updated_mappers:
 | |
|                 if mapper.get('id') is not None:
 | |
|                     kc.update_component(mapper, realm)
 | |
|                 else:
 | |
|                     if mapper.get('parentId') is None:
 | |
|                         mapper['parentId'] = desired_comp['id']
 | |
|                     mapper = kc.create_component(mapper, realm)
 | |
| 
 | |
|             after_comp['mappers'] = updated_mappers
 | |
|             result['end_state'] = sanitize(after_comp)
 | |
| 
 | |
|             result['msg'] = "User federation {id} has been updated".format(id=cid)
 | |
|             module.exit_json(**result)
 | |
| 
 | |
|         elif state == 'absent':
 | |
|             # Process a deletion
 | |
|             result['changed'] = True
 | |
| 
 | |
|             if module._diff:
 | |
|                 result['diff'] = dict(before=sanitize(before_comp), after='')
 | |
| 
 | |
|             if module.check_mode:
 | |
|                 module.exit_json(**result)
 | |
| 
 | |
|             # delete it
 | |
|             kc.delete_component(cid, realm)
 | |
| 
 | |
|             result['end_state'] = {}
 | |
| 
 | |
|             result['msg'] = "User federation {id} has been deleted".format(id=cid)
 | |
| 
 | |
|     module.exit_json(**result)
 | |
| 
 | |
| 
 | |
| if __name__ == '__main__':
 | |
|     main()
 |