[PR #7126/721108d9 backport][stable-7] Add keycloak_authz_custom_policy module (#7290)

Add keycloak_authz_custom_policy module (#7126)

* Add keycloak_authz_custom_policy module

* keycloak.py: add linefeed to keep linter happy

* keycloak_authz_custom_policy: add basic integration tests

* keycloak_authz_custom_policy: add support for check_mode

* keycloak_authz_custom_policy: add check_mode-specific integration tests

Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>

* keycloak_authz_custom_policy: improve logging

Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>

* keycloak_authz_custom_policy: fix typo

* keycloak_authz_custom_policy: add licensing information

This should make this module REUSE compliant

* keycloak_authz_custom_policy: remove comment markers from license files

* keycloak_authz_custom_policy: fix typo in the example

* keycloak_authz_custom_policy: fix typos in metadata

* keycloak_authz_custom_policy: change version_added to 7.5.0

* Update plugins/modules/keycloak_authz_custom_policy.py

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 721108d92e)

Co-authored-by: Samuli Seppänen <samuli.seppanen@gmail.com>

tests/integration/targets/keycloak_authz_custom_policy/aliases

@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+unsupported

tests/integration/targets/keycloak_authz_custom_policy/policy/Containerfile

@@ -0,0 +1,4 @@
+FROM quay.io/keycloak/keycloak:20.0.2
+
+COPY policy.jar /opt/keycloak/providers/
+RUN /opt/keycloak/bin/kc.sh build

tests/integration/targets/keycloak_authz_custom_policy/policy/Containerfile.license

@@ -0,0 +1,3 @@
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later

tests/integration/targets/keycloak_authz_custom_policy/policy/META-INF/keycloak-scripts.json

@@ -0,0 +1,14 @@
+{
+    "policies": [
+        {
+            "name": "MyPolicy1",
+            "fileName": "policy-1.js",
+            "description": "My Policy 1"
+        },
+        {
+            "name": "MyPolicy2",
+            "fileName": "policy-2.js",
+            "description": "My Policy 2"
+        }
+    ]
+}

tests/integration/targets/keycloak_authz_custom_policy/policy/META-INF/keycloak-scripts.json.license

@@ -0,0 +1,3 @@
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later

tests/integration/targets/keycloak_authz_custom_policy/policy/build-policy.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+zip -r policy.jar META-INF/keycloak-scripts.json policy-1.js policy-2.js

tests/integration/targets/keycloak_authz_custom_policy/policy/build-policy.sh.license

@@ -0,0 +1,3 @@
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later

tests/integration/targets/keycloak_authz_custom_policy/policy/policy-1.js

@@ -0,0 +1 @@
+$evaluation.grant();

tests/integration/targets/keycloak_authz_custom_policy/policy/policy-1.js.license

@@ -0,0 +1,3 @@
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later

tests/integration/targets/keycloak_authz_custom_policy/policy/policy-2.js

@@ -0,0 +1 @@
+$evaluation.grant();

tests/integration/targets/keycloak_authz_custom_policy/policy/policy-2.js.license

@@ -0,0 +1,3 @@
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later

tests/integration/targets/keycloak_authz_custom_policy/readme.adoc

@@ -0,0 +1,27 @@
+// Copyright (c) Ansible Project
+// GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+To be able to run these integration tests a keycloak server must be
+reachable under a specific url with a specific admin user and password.
+The exact values expected for these parameters can be found in
+'vars/main.yml' file. A vanilla Keycloak server will not be sufficient:
+you will need to deploy a custom JAR file with two policies:
+
+* _MyPolicy1:_ policy-1.js
+* _MyPolicy2:_ policy-2.js
+
+To create a customized Keycloak test instance running on Podman first
+install the "zip" command, go to the policy subdirectory and then do
+
+[source,shell]
+----
+./build-policy.sh
+podman build --tag keycloak_authz_custom_policy_test:1.0.0 .
+podman rm mykeycloak && podman run --name mykeycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password -e KC_HTTP_RELATIVE_PATH=/auth localhost/keycloak_authz_custom_policy_test:1.0.0  start-dev
+----
+
+This process probably also work with Docker just by replacing _podman_ with
+_docker_. Modify the FROM argument in Containerfile to change Keycloak version
+to test against. Quarkus versions of Keycloak should work - older versions
+will not.

tests/integration/targets/keycloak_authz_custom_policy/tasks/main.yml

@@ -0,0 +1,168 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+- name: Remove keycloak client to avoid failures from previous failed runs
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    state: absent
+
+- name: Create keycloak client with authorization services enabled
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    state: present
+    enabled: true
+    public_client: false
+    service_accounts_enabled: true
+    authorization_services_enabled: true
+
+- name: Create first custom policy (check_mode)
+  community.general.keycloak_authz_custom_policy:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: FirstCustomPolicy
+    state: present
+    policy_type: script-policy-1.js
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+  check_mode: true
+  register: result
+
+- name: Assert that first custom policy was not created
+  assert:
+    that:
+      - result is changed
+      - result.end_state != {}
+      - result.end_state.name == "FirstCustomPolicy"
+      - result.end_state.type == "script-policy-1.js"
+      - result.msg == 'Would create custom policy FirstCustomPolicy'
+
+- name: Create first custom policy
+  community.general.keycloak_authz_custom_policy:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: FirstCustomPolicy
+    state: present
+    policy_type: script-policy-1.js
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+  register: result
+
+- name: Assert that first custom policy was created
+  assert:
+    that:
+      - result is changed
+      - result.end_state != {}
+      - result.end_state.name == "FirstCustomPolicy"
+      - result.end_state.type == "script-policy-1.js"
+      - result.msg == 'Custom policy FirstCustomPolicy created'
+
+- name: Attempt to update first custom policy (not possible)
+  community.general.keycloak_authz_custom_policy:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: FirstCustomPolicy
+    state: present
+    policy_type: script-policy-2.js
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+  register: result
+
+- name: Assert that first custom policy was not modified
+  assert:
+    that:
+      - result is not changed
+      - result.end_state != {}
+      - result.end_state.name == "FirstCustomPolicy"
+      - result.end_state.type == "script-policy-2.js"
+      - result.msg == 'Custom policy FirstCustomPolicy already exists'
+
+# Ensure that we can create multiple instances of the custom policy 
+- name: Create second instance of the custom policy
+  community.general.keycloak_authz_custom_policy:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: SecondCustomPolicy
+    state: present
+    policy_type: script-policy-1.js
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+  register: result
+
+- name: Assert that second instance of the custom policy was created
+  assert:
+    that:
+      - result is changed
+      - result.end_state != {}
+      - result.end_state.name == "SecondCustomPolicy"
+      - result.end_state.type == "script-policy-1.js"
+      - result.msg == 'Custom policy SecondCustomPolicy created'
+
+- name: Remove second instance of the custom policy (check_mode)
+  community.general.keycloak_authz_custom_policy:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: SecondCustomPolicy
+    state: absent
+    policy_type: script-policy-1.js
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+  check_mode: true
+  register: result
+
+- name: Assert that second custom policy was not removed
+  assert:
+    that:
+      - result is changed
+      - result.end_state == {}
+      - result.msg == 'Would remove custom policy SecondCustomPolicy'
+
+- name: Remove second instance of the custom policy
+  community.general.keycloak_authz_custom_policy:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: SecondCustomPolicy
+    state: absent
+    policy_type: script-policy-1.js
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+  register: result
+
+- name: Assert that second custom policy was removed
+  assert:
+    that:
+      - result is changed
+      - result.end_state == {}
+      - result.msg == 'Custom policy SecondCustomPolicy removed'
+
+- name: Remove keycloak client
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    state: absent

tests/integration/targets/keycloak_authz_custom_policy/vars/main.yml

@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+url: http://localhost:8080/auth
+admin_realm: master
+admin_user: admin
+admin_password: password
+realm: master
+client_id: authz