diff --git a/plugins/modules/kdeconfig.py b/plugins/modules/kdeconfig.py index 96d7df8b8d..334db3aee4 100644 --- a/plugins/modules/kdeconfig.py +++ b/plugins/modules/kdeconfig.py @@ -7,15 +7,13 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type -DOCUMENTATION = r''' ---- +DOCUMENTATION = r""" module: kdeconfig short_description: Manage KDE configuration files version_added: "6.5.0" description: - Add or change individual settings in KDE configuration files. - It uses B(kwriteconfig) under the hood. - options: path: description: @@ -24,8 +22,7 @@ options: required: true kwriteconfig_path: description: - - Path to the kwriteconfig executable. If not specified, Ansible will try - to discover it. + - Path to the kwriteconfig executable. If not specified, Ansible will try to discover it. type: path values: description: @@ -74,9 +71,9 @@ requirements: - kwriteconfig author: - Salvatore Mesoraca (@smeso) -''' +""" -EXAMPLES = r''' +EXAMPLES = r""" - name: Ensure "Homepage=https://www.ansible.com/" in group "Branding" community.general.kdeconfig: path: /etc/xdg/kickoffrc @@ -97,9 +94,9 @@ EXAMPLES = r''' key: KEY value: VALUE backup: true -''' +""" -RETURN = r''' # ''' +RETURN = r""" # """ import os import shutil diff --git a/plugins/modules/kernel_blacklist.py b/plugins/modules/kernel_blacklist.py index 224b5bba8c..1dbf94f629 100644 --- a/plugins/modules/kernel_blacklist.py +++ b/plugins/modules/kernel_blacklist.py @@ -9,47 +9,45 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: kernel_blacklist author: - - Matthias Vogelgesang (@matze) + - Matthias Vogelgesang (@matze) short_description: Blacklist kernel modules description: - - Add or remove kernel modules from blacklist. + - Add or remove kernel modules from blacklist. extends_documentation_fragment: - - community.general.attributes + - community.general.attributes attributes: - check_mode: - support: full - diff_mode: - support: full + check_mode: + support: full + diff_mode: + support: full options: - name: - type: str - description: - - Name of kernel module to black- or whitelist. - required: true - state: - type: str - description: - - Whether the module should be present in the blacklist or absent. - choices: [ absent, present ] - default: present - blacklist_file: - type: str - description: - - If specified, use this blacklist file instead of - C(/etc/modprobe.d/blacklist-ansible.conf). - default: /etc/modprobe.d/blacklist-ansible.conf -''' + name: + type: str + description: + - Name of kernel module to black- or whitelist. + required: true + state: + type: str + description: + - Whether the module should be present in the blacklist or absent. + choices: [absent, present] + default: present + blacklist_file: + type: str + description: + - If specified, use this blacklist file instead of C(/etc/modprobe.d/blacklist-ansible.conf). + default: /etc/modprobe.d/blacklist-ansible.conf +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Blacklist the nouveau driver module community.general.kernel_blacklist: name: nouveau state: present -''' +""" import os import re diff --git a/plugins/modules/keycloak_authentication.py b/plugins/modules/keycloak_authentication.py index fa2ae1e974..1b47542bb3 100644 --- a/plugins/modules/keycloak_authentication.py +++ b/plugins/modules/keycloak_authentication.py @@ -7,112 +7,109 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_authentication short_description: Configure authentication in Keycloak description: - - This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it. - - It can also delete the flow. - + - This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it. + - It can also delete the flow. version_added: "3.3.0" attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - realm: - description: - - The name of the realm in which is the authentication. - required: true - type: str - alias: - description: - - Alias for the authentication flow. - required: true - type: str + realm: description: + - The name of the realm in which is the authentication. + required: true + type: str + alias: + description: + - Alias for the authentication flow. + required: true + type: str + description: + description: + - Description of the flow. + type: str + providerId: + description: + - C(providerId) for the new flow when not copied from an existing flow. + choices: ["basic-flow", "client-flow"] + type: str + copyFrom: + description: + - C(flowAlias) of the authentication flow to use for the copy. + type: str + authenticationExecutions: + description: + - Configuration structure for the executions. + type: list + elements: dict + suboptions: + providerId: description: - - Description of the flow. + - C(providerID) for the new flow when not copied from an existing flow. type: str - providerId: + displayName: description: - - C(providerId) for the new flow when not copied from an existing flow. - choices: [ "basic-flow", "client-flow" ] + - Name of the execution or subflow to create or update. type: str - copyFrom: + requirement: description: - - C(flowAlias) of the authentication flow to use for the copy. + - Control status of the subflow or execution. + choices: ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"] type: str - authenticationExecutions: + flowAlias: description: - - Configuration structure for the executions. - type: list - elements: dict - suboptions: - providerId: - description: - - C(providerID) for the new flow when not copied from an existing flow. - type: str - displayName: - description: - - Name of the execution or subflow to create or update. - type: str - requirement: - description: - - Control status of the subflow or execution. - choices: [ "REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL" ] - type: str - flowAlias: - description: - - Alias of parent flow. - type: str - authenticationConfig: - description: - - Describe the config of the authentication. - type: dict - index: - description: - - Priority order of the execution. - type: int - subFlowType: - description: - - For new subflows, optionally specify the type. - - Is only used at creation. - choices: ["basic-flow", "form-flow"] - default: "basic-flow" - type: str - version_added: 6.6.0 - state: - description: - - Control if the authentication flow must exists or not. - choices: [ "present", "absent" ] - default: present + - Alias of parent flow. type: str - force: - type: bool - default: false + authenticationConfig: description: - - If V(true), allows to remove the authentication flow and recreate it. - + - Describe the config of the authentication. + type: dict + index: + description: + - Priority order of the execution. + type: int + subFlowType: + description: + - For new subflows, optionally specify the type. + - Is only used at creation. + choices: ["basic-flow", "form-flow"] + default: "basic-flow" + type: str + version_added: 6.6.0 + state: + description: + - Control if the authentication flow must exists or not. + choices: ["present", "absent"] + default: present + type: str + force: + type: bool + default: false + description: + - If V(true), allows to remove the authentication flow and recreate it. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Philippe Gauthier (@elfelip) - - Gaëtan Daubresse (@Gaetan2907) -''' + - Philippe Gauthier (@elfelip) + - Gaëtan Daubresse (@Gaetan2907) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create an authentication flow from first broker login and add an execution to it. community.general.keycloak_authentication: auth_keycloak_url: http://localhost:8080/auth @@ -126,15 +123,15 @@ EXAMPLES = ''' - providerId: "test-execution1" requirement: "REQUIRED" authenticationConfig: - alias: "test.execution1.property" - config: - test1.property: "value" + alias: "test.execution1.property" + config: + test1.property: "value" - providerId: "test-execution2" requirement: "REQUIRED" authenticationConfig: - alias: "test.execution2.property" - config: - test2.property: "value" + alias: "test.execution2.property" + config: + test2.property: "value" state: present - name: Re-create the authentication flow @@ -150,9 +147,9 @@ EXAMPLES = ''' - providerId: "test-provisioning" requirement: "REQUIRED" authenticationConfig: - alias: "test.provisioning.property" - config: - test.provisioning.property: "value" + alias: "test.provisioning.property" + config: + test.provisioning.property: "value" state: present force: true @@ -184,13 +181,13 @@ EXAMPLES = ''' realm: master alias: "Copy of first broker login" state: absent -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str end_state: description: Representation of the authentication after module execution. @@ -222,7 +219,7 @@ end_state: "providerId": "basic-flow", "topLevel": true } -''' +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak \ import KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, is_struct_included diff --git a/plugins/modules/keycloak_authentication_required_actions.py b/plugins/modules/keycloak_authentication_required_actions.py index c992e05d2d..60b47d7a6a 100644 --- a/plugins/modules/keycloak_authentication_required_actions.py +++ b/plugins/modules/keycloak_authentication_required_actions.py @@ -9,84 +9,82 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_authentication_required_actions short_description: Allows administration of Keycloak authentication required actions description: - - This module can register, update and delete required actions. - - It also filters out any duplicate required actions by their alias. The first occurrence is preserved. - + - This module can register, update and delete required actions. + - It also filters out any duplicate required actions by their alias. The first occurrence is preserved. version_added: 7.1.0 attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - realm: + realm: + description: + - The name of the realm in which are the authentication required actions. + required: true + type: str + required_actions: + elements: dict + description: + - Authentication required action. + suboptions: + alias: description: - - The name of the realm in which are the authentication required actions. + - Unique name of the required action. required: true type: str - required_actions: - elements: dict + config: description: - - Authentication required action. - suboptions: - alias: - description: - - Unique name of the required action. - required: true - type: str - config: - description: - - Configuration for the required action. - type: dict - defaultAction: - description: - - Indicates, if any new user will have the required action assigned to it. - type: bool - enabled: - description: - - Indicates, if the required action is enabled or not. - type: bool - name: - description: - - Displayed name of the required action. Required for registration. - type: str - priority: - description: - - Priority of the required action. - type: int - providerId: - description: - - Provider ID of the required action. Required for registration. - type: str - type: list - state: - choices: [ "absent", "present" ] + - Configuration for the required action. + type: dict + defaultAction: description: - - Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)). - required: true + - Indicates, if any new user will have the required action assigned to it. + type: bool + enabled: + description: + - Indicates, if the required action is enabled or not. + type: bool + name: + description: + - Displayed name of the required action. Required for registration. type: str + priority: + description: + - Priority of the required action. + type: int + providerId: + description: + - Provider ID of the required action. Required for registration. + type: str + type: list + state: + choices: ["absent", "present"] + description: + - Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)). + required: true + type: str extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Skrekulko (@Skrekulko) -''' + - Skrekulko (@Skrekulko) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Register a new required action. community.general.keycloak_authentication_required_actions: auth_client_id: "admin-cli" @@ -126,56 +124,55 @@ EXAMPLES = ''' required_action: - alias: "TERMS_AND_CONDITIONS" state: "absent" -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str end_state: - description: Representation of the authentication required actions after module execution. - returned: on success - type: complex - contains: - alias: - description: - - Unique name of the required action. - sample: test-provider-id - type: str - config: - description: - - Configuration for the required action. - sample: {} - type: dict - defaultAction: - description: - - Indicates, if any new user will have the required action assigned to it. - sample: false - type: bool - enabled: - description: - - Indicates, if the required action is enabled or not. - sample: false - type: bool - name: - description: - - Displayed name of the required action. Required for registration. - sample: Test provider ID - type: str - priority: - description: - - Priority of the required action. - sample: 90 - type: int - providerId: - description: - - Provider ID of the required action. Required for registration. - sample: test-provider-id - type: str - -''' + description: Representation of the authentication required actions after module execution. + returned: on success + type: complex + contains: + alias: + description: + - Unique name of the required action. + sample: test-provider-id + type: str + config: + description: + - Configuration for the required action. + sample: {} + type: dict + defaultAction: + description: + - Indicates, if any new user will have the required action assigned to it. + sample: false + type: bool + enabled: + description: + - Indicates, if the required action is enabled or not. + sample: false + type: bool + name: + description: + - Displayed name of the required action. Required for registration. + sample: Test provider ID + type: str + priority: + description: + - Priority of the required action. + sample: 90 + type: int + providerId: + description: + - Provider ID of the required action. Required for registration. + sample: test-provider-id + type: str +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_authz_authorization_scope.py b/plugins/modules/keycloak_authz_authorization_scope.py index 146a37bf51..cd1ff57afc 100644 --- a/plugins/modules/keycloak_authz_authorization_scope.py +++ b/plugins/modules/keycloak_authz_authorization_scope.py @@ -9,81 +9,75 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_authz_authorization_scope -short_description: Allows administration of Keycloak client authorization scopes via Keycloak API +short_description: Allows administration of Keycloak client authorization scopes using Keycloak API version_added: 6.6.0 description: - - This module allows the administration of Keycloak client Authorization Scopes via the Keycloak REST - API. Authorization Scopes are only available if a client has Authorization enabled. - - - This module requires access to the REST API via OpenID Connect; the user connecting and the realm - being used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate realm definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase options used by Keycloak. - The Authorization Services paths and payloads have not officially been documented by the Keycloak project. - U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/) - + - This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization Scopes are only available + if a client has Authorization enabled. + - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access + rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored + to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads + have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the authorization scope. - - On V(present), the authorization scope will be created (or updated if it exists already). - - On V(absent), the authorization scope will be removed if it exists. - choices: ['present', 'absent'] - default: 'present' - type: str - name: - description: - - Name of the authorization scope to create. - type: str - required: true - display_name: - description: - - The display name of the authorization scope. - type: str - required: false - icon_uri: - description: - - The icon URI for the authorization scope. - type: str - required: false - client_id: - description: - - The C(clientId) of the Keycloak client that should have the authorization scope. - - This is usually a human-readable name of the Keycloak client. - type: str - required: true - realm: - description: - - The name of the Keycloak realm the Keycloak client is in. - type: str - required: true + state: + description: + - State of the authorization scope. + - On V(present), the authorization scope will be created (or updated if it exists already). + - On V(absent), the authorization scope will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str + name: + description: + - Name of the authorization scope to create. + type: str + required: true + display_name: + description: + - The display name of the authorization scope. + type: str + required: false + icon_uri: + description: + - The icon URI for the authorization scope. + type: str + required: false + client_id: + description: + - The C(clientId) of the Keycloak client that should have the authorization scope. + - This is usually a human-readable name of the Keycloak client. + type: str + required: true + realm: + description: + - The name of the Keycloak realm the Keycloak client is in. + type: str + required: true extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Samuli Seppänen (@mattock) -''' + - Samuli Seppänen (@mattock) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Manage Keycloak file:delete authorization scope keycloak_authz_authorization_scope: name: file:delete @@ -95,41 +89,40 @@ EXAMPLES = ''' auth_username: keycloak auth_password: keycloak auth_realm: master -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str end_state: - description: Representation of the authorization scope after module execution. - returned: on success - type: complex - contains: - id: - description: ID of the authorization scope. - type: str - returned: when O(state=present) - sample: a6ab1cf2-1001-40ec-9f39-48f23b6a0a41 - name: - description: Name of the authorization scope. - type: str - returned: when O(state=present) - sample: file:delete - display_name: - description: Display name of the authorization scope. - type: str - returned: when O(state=present) - sample: File delete - icon_uri: - description: Icon URI for the authorization scope. - type: str - returned: when O(state=present) - sample: http://localhost/icon.png - -''' + description: Representation of the authorization scope after module execution. + returned: on success + type: complex + contains: + id: + description: ID of the authorization scope. + type: str + returned: when O(state=present) + sample: a6ab1cf2-1001-40ec-9f39-48f23b6a0a41 + name: + description: Name of the authorization scope. + type: str + returned: when O(state=present) + sample: file:delete + display_name: + description: Display name of the authorization scope. + type: str + returned: when O(state=present) + sample: File delete + icon_uri: + description: Icon URI for the authorization scope. + type: str + returned: when O(state=present) + sample: http://localhost/icon.png +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_authz_custom_policy.py b/plugins/modules/keycloak_authz_custom_policy.py index 2205a184f5..ef6c9b0973 100644 --- a/plugins/modules/keycloak_authz_custom_policy.py +++ b/plugins/modules/keycloak_authz_custom_policy.py @@ -9,78 +9,71 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_authz_custom_policy -short_description: Allows administration of Keycloak client custom Javascript policies via Keycloak API +short_description: Allows administration of Keycloak client custom Javascript policies using Keycloak API version_added: 7.5.0 description: - - This module allows the administration of Keycloak client custom Javascript via the Keycloak REST - API. Custom Javascript policies are only available if a client has Authorization enabled and if - they have been deployed to the Keycloak server as JAR files. - - - This module requires access to the REST API via OpenID Connect; the user connecting and the realm - being used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate realm definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase options used by Keycloak. - The Authorization Services paths and payloads have not officially been documented by the Keycloak project. - U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/) - + - This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript policies are only + available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files. + - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access + rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored + to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads + have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). attributes: - check_mode: - support: full - diff_mode: - support: none - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: none + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the custom policy. - - On V(present), the custom policy will be created (or updated if it exists already). - - On V(absent), the custom policy will be removed if it exists. - choices: ['present', 'absent'] - default: 'present' - type: str - name: - description: - - Name of the custom policy to create. - type: str - required: true - policy_type: - description: - - The type of the policy. This must match the name of the custom policy deployed to the server. - - Multiple policies pointing to the same policy type can be created, but their names have to differ. - type: str - required: true - client_id: - description: - - The V(clientId) of the Keycloak client that should have the custom policy attached to it. - - This is usually a human-readable name of the Keycloak client. - type: str - required: true - realm: - description: - - The name of the Keycloak realm the Keycloak client is in. - type: str - required: true + state: + description: + - State of the custom policy. + - On V(present), the custom policy will be created (or updated if it exists already). + - On V(absent), the custom policy will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str + name: + description: + - Name of the custom policy to create. + type: str + required: true + policy_type: + description: + - The type of the policy. This must match the name of the custom policy deployed to the server. + - Multiple policies pointing to the same policy type can be created, but their names have to differ. + type: str + required: true + client_id: + description: + - The V(clientId) of the Keycloak client that should have the custom policy attached to it. + - This is usually a human-readable name of the Keycloak client. + type: str + required: true + realm: + description: + - The name of the Keycloak realm the Keycloak client is in. + type: str + required: true extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Samuli Seppänen (@mattock) -''' + - Samuli Seppänen (@mattock) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Manage Keycloak custom authorization policy community.general.keycloak_authz_custom_policy: name: OnlyOwner @@ -92,31 +85,30 @@ EXAMPLES = ''' auth_username: keycloak auth_password: keycloak auth_realm: master -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str end_state: - description: Representation of the custom policy after module execution. - returned: on success - type: dict - contains: - name: - description: Name of the custom policy. - type: str - returned: when I(state=present) - sample: file:delete - policy_type: - description: Type of custom policy. - type: str - returned: when I(state=present) - sample: File delete - -''' + description: Representation of the custom policy after module execution. + returned: on success + type: dict + contains: + name: + description: Name of the custom policy. + type: str + returned: when I(state=present) + sample: file:delete + policy_type: + description: Type of custom policy. + type: str + returned: when I(state=present) + sample: File delete +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_authz_permission.py b/plugins/modules/keycloak_authz_permission.py index 08b5ae6295..e4ab9fe14d 100644 --- a/plugins/modules/keycloak_authz_permission.py +++ b/plugins/modules/keycloak_authz_permission.py @@ -9,128 +9,119 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_authz_permission version_added: 7.2.0 -short_description: Allows administration of Keycloak client authorization permissions via Keycloak API +short_description: Allows administration of Keycloak client authorization permissions using Keycloak API description: - - This module allows the administration of Keycloak client authorization permissions via the Keycloak REST - API. Authorization permissions are only available if a client has Authorization enabled. - - - There are some peculiarities in JSON paths and payloads for authorization permissions. In particular - POST and PUT operations are targeted at permission endpoints, whereas GET requests go to policies - endpoint. To make matters more interesting the JSON responses from GET requests return data in a - different format than what is expected for POST and PUT. The end result is that it is not possible to - detect changes to things like policies, scopes or resources - at least not without a large number of - additional API calls. Therefore this module always updates authorization permissions instead of - attempting to determine if changes are truly needed. - - - This module requires access to the REST API via OpenID Connect; the user connecting and the realm - being used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate realm definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase options used by Keycloak. - The Authorization Services paths and payloads have not officially been documented by the Keycloak project. - U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/) - + - This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization permissions are + only available if a client has Authorization enabled. + - There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations are targeted + at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the JSON responses from GET requests + return data in a different format than what is expected for POST and PUT. The end result is that it is not possible to detect changes to things + like policies, scopes or resources - at least not without a large number of additional API calls. Therefore this module always updates authorization + permissions instead of attempting to determine if changes are truly needed. + - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access + rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored + to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads + have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). attributes: - check_mode: - support: full - diff_mode: - support: none - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: none + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the authorization permission. - - On V(present), the authorization permission will be created (or updated if it exists already). - - On V(absent), the authorization permission will be removed if it exists. - choices: ['present', 'absent'] - default: 'present' - type: str - name: - description: - - Name of the authorization permission to create. - type: str - required: true + state: description: - description: - - The description of the authorization permission. - type: str - required: false - permission_type: - description: - - The type of authorization permission. - - On V(scope) create a scope-based permission. - - On V(resource) create a resource-based permission. - type: str - required: true - choices: - - resource - - scope - decision_strategy: - description: - - The decision strategy to use with this permission. - type: str - default: UNANIMOUS - required: false - choices: - - UNANIMOUS - - AFFIRMATIVE - - CONSENSUS - resources: - description: - - Resource names to attach to this permission. - - Scope-based permissions can only include one resource. - - Resource-based permissions can include multiple resources. - type: list - elements: str - default: [] - required: false - scopes: - description: - - Scope names to attach to this permission. - - Resource-based permissions cannot have scopes attached to them. - type: list - elements: str - default: [] - required: false - policies: - description: - - Policy names to attach to this permission. - type: list - elements: str - default: [] - required: false - client_id: - description: - - The clientId of the keycloak client that should have the authorization scope. - - This is usually a human-readable name of the Keycloak client. - type: str - required: true - realm: - description: - - The name of the Keycloak realm the Keycloak client is in. - type: str - required: true + - State of the authorization permission. + - On V(present), the authorization permission will be created (or updated if it exists already). + - On V(absent), the authorization permission will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str + name: + description: + - Name of the authorization permission to create. + type: str + required: true + description: + description: + - The description of the authorization permission. + type: str + required: false + permission_type: + description: + - The type of authorization permission. + - On V(scope) create a scope-based permission. + - On V(resource) create a resource-based permission. + type: str + required: true + choices: + - resource + - scope + decision_strategy: + description: + - The decision strategy to use with this permission. + type: str + default: UNANIMOUS + required: false + choices: + - UNANIMOUS + - AFFIRMATIVE + - CONSENSUS + resources: + description: + - Resource names to attach to this permission. + - Scope-based permissions can only include one resource. + - Resource-based permissions can include multiple resources. + type: list + elements: str + default: [] + required: false + scopes: + description: + - Scope names to attach to this permission. + - Resource-based permissions cannot have scopes attached to them. + type: list + elements: str + default: [] + required: false + policies: + description: + - Policy names to attach to this permission. + type: list + elements: str + default: [] + required: false + client_id: + description: + - The clientId of the keycloak client that should have the authorization scope. + - This is usually a human-readable name of the Keycloak client. + type: str + required: true + realm: + description: + - The name of the Keycloak realm the Keycloak client is in. + type: str + required: true extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Samuli Seppänen (@mattock) -''' + - Samuli Seppänen (@mattock) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Manage scope-based Keycloak authorization permission community.general.keycloak_authz_permission: name: ScopePermission @@ -164,68 +155,68 @@ EXAMPLES = ''' auth_username: keycloak auth_password: keycloak auth_realm: master -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str end_state: - description: Representation of the authorization permission after module execution. - returned: on success - type: complex - contains: - id: - description: ID of the authorization permission. - type: str - returned: when O(state=present) - sample: 9da05cd2-b273-4354-bbd8-0c133918a454 - name: - description: Name of the authorization permission. - type: str - returned: when O(state=present) - sample: ResourcePermission - description: - description: Description of the authorization permission. - type: str - returned: when O(state=present) - sample: Resource Permission - type: - description: Type of the authorization permission. - type: str - returned: when O(state=present) - sample: resource - decisionStrategy: - description: The decision strategy to use. - type: str - returned: when O(state=present) - sample: UNANIMOUS - logic: - description: The logic used for the permission (part of the payload, but has a fixed value). - type: str - returned: when O(state=present) - sample: POSITIVE - resources: - description: IDs of resources attached to this permission. - type: list - returned: when O(state=present) - sample: - - 49e052ff-100d-4b79-a9dd-52669ed3c11d - scopes: - description: IDs of scopes attached to this permission. - type: list - returned: when O(state=present) - sample: - - 9da05cd2-b273-4354-bbd8-0c133918a454 - policies: - description: IDs of policies attached to this permission. - type: list - returned: when O(state=present) - sample: - - 9da05cd2-b273-4354-bbd8-0c133918a454 -''' + description: Representation of the authorization permission after module execution. + returned: on success + type: complex + contains: + id: + description: ID of the authorization permission. + type: str + returned: when O(state=present) + sample: 9da05cd2-b273-4354-bbd8-0c133918a454 + name: + description: Name of the authorization permission. + type: str + returned: when O(state=present) + sample: ResourcePermission + description: + description: Description of the authorization permission. + type: str + returned: when O(state=present) + sample: Resource Permission + type: + description: Type of the authorization permission. + type: str + returned: when O(state=present) + sample: resource + decisionStrategy: + description: The decision strategy to use. + type: str + returned: when O(state=present) + sample: UNANIMOUS + logic: + description: The logic used for the permission (part of the payload, but has a fixed value). + type: str + returned: when O(state=present) + sample: POSITIVE + resources: + description: IDs of resources attached to this permission. + type: list + returned: when O(state=present) + sample: + - 49e052ff-100d-4b79-a9dd-52669ed3c11d + scopes: + description: IDs of scopes attached to this permission. + type: list + returned: when O(state=present) + sample: + - 9da05cd2-b273-4354-bbd8-0c133918a454 + policies: + description: IDs of policies attached to this permission. + type: list + returned: when O(state=present) + sample: + - 9da05cd2-b273-4354-bbd8-0c133918a454 +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_authz_permission_info.py b/plugins/modules/keycloak_authz_permission_info.py index 4c1a6ddf66..6851abb311 100644 --- a/plugins/modules/keycloak_authz_permission_info.py +++ b/plugins/modules/keycloak_authz_permission_info.py @@ -9,8 +9,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_authz_permission_info version_added: 7.2.0 @@ -18,52 +17,46 @@ version_added: 7.2.0 short_description: Query Keycloak client authorization permissions information description: - - This module allows querying information about Keycloak client authorization permissions from the - resources endpoint via the Keycloak REST API. Authorization permissions are only available if a - client has Authorization enabled. - - - This module requires access to the REST API via OpenID Connect; the user connecting and the realm - being used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate realm definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase options used by Keycloak. - The Authorization Services paths and payloads have not officially been documented by the Keycloak project. - U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/) - + - This module allows querying information about Keycloak client authorization permissions from the resources endpoint using the Keycloak REST + API. Authorization permissions are only available if a client has Authorization enabled. + - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access + rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored + to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads + have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). attributes: - action_group: - version_added: 10.2.0 + action_group: + version_added: 10.2.0 options: - name: - description: - - Name of the authorization permission to create. - type: str - required: true - client_id: - description: - - The clientId of the keycloak client that should have the authorization scope. - - This is usually a human-readable name of the Keycloak client. - type: str - required: true - realm: - description: - - The name of the Keycloak realm the Keycloak client is in. - type: str - required: true + name: + description: + - Name of the authorization permission to create. + type: str + required: true + client_id: + description: + - The clientId of the keycloak client that should have the authorization scope. + - This is usually a human-readable name of the Keycloak client. + type: str + required: true + realm: + description: + - The name of the Keycloak realm the Keycloak client is in. + type: str + required: true extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes - - community.general.attributes.info_module + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes + - community.general.attributes.info_module author: - - Samuli Seppänen (@mattock) -''' + - Samuli Seppänen (@mattock) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Query Keycloak authorization permission community.general.keycloak_authz_permission_info: name: ScopePermission @@ -73,48 +66,48 @@ EXAMPLES = ''' auth_username: keycloak auth_password: keycloak auth_realm: master -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str queried_state: - description: State of the resource (a policy) as seen by Keycloak. - returned: on success - type: complex - contains: - id: - description: ID of the authorization permission. - type: str - sample: 9da05cd2-b273-4354-bbd8-0c133918a454 - name: - description: Name of the authorization permission. - type: str - sample: ResourcePermission - description: - description: Description of the authorization permission. - type: str - sample: Resource Permission - type: - description: Type of the authorization permission. - type: str - sample: resource - decisionStrategy: - description: The decision strategy. - type: str - sample: UNANIMOUS - logic: - description: The logic used for the permission (part of the payload, but has a fixed value). - type: str - sample: POSITIVE - config: - description: Configuration of the permission (empty in all observed cases). - type: dict - sample: {} -''' + description: State of the resource (a policy) as seen by Keycloak. + returned: on success + type: complex + contains: + id: + description: ID of the authorization permission. + type: str + sample: 9da05cd2-b273-4354-bbd8-0c133918a454 + name: + description: Name of the authorization permission. + type: str + sample: ResourcePermission + description: + description: Description of the authorization permission. + type: str + sample: Resource Permission + type: + description: Type of the authorization permission. + type: str + sample: resource + decisionStrategy: + description: The decision strategy. + type: str + sample: UNANIMOUS + logic: + description: The logic used for the permission (part of the payload, but has a fixed value). + type: str + sample: POSITIVE + config: + description: Configuration of the permission (empty in all observed cases). + type: dict + sample: {} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py index c65105ec23..6b19711e3d 100644 --- a/plugins/modules/keycloak_client.py +++ b/plugins/modules/keycloak_client.py @@ -8,603 +8,532 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_client -short_description: Allows administration of Keycloak clients via Keycloak API +short_description: Allows administration of Keycloak clients using Keycloak API description: - - This module allows the administration of Keycloak clients via the Keycloak REST API. It - requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - Aliases are provided so camelCased versions can be used as well. - - - The Keycloak API does not always sanity check inputs e.g. you can set - SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful. - If you do not specify a setting, usually a sensible default is chosen. - + - This module allows the administration of Keycloak clients using the Keycloak REST API. It requires access to the REST API using OpenID Connect; + the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an + admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + Aliases are provided so camelCased versions can be used as well. + - The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and + the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the client - - On V(present), the client will be created (or updated if it exists already). - - On V(absent), the client will be removed if it exists - choices: ['present', 'absent'] - default: 'present' - type: str - - realm: - description: - - The realm to create the client in. - type: str - default: master - - client_id: - description: - - Client id of client to be worked on. This is usually an alphanumeric name chosen by - you. Either this or O(id) is required. If you specify both, O(id) takes precedence. - This is 'clientId' in the Keycloak REST API. - aliases: - - clientId - type: str - - id: - description: - - Id of client to be worked on. This is usually an UUID. Either this or O(client_id) - is required. If you specify both, this takes precedence. - type: str - - name: - description: - - Name of the client (this is not the same as O(client_id)). - type: str - + state: description: + - State of the client. + - On V(present), the client will be created (or updated if it exists already). + - On V(absent), the client will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str + + realm: + description: + - The realm to create the client in. + type: str + default: master + + client_id: + description: + - Client id of client to be worked on. This is usually an alphanumeric name chosen by you. Either this or O(id) is required. If you specify + both, O(id) takes precedence. This is C(clientId) in the Keycloak REST API. + aliases: + - clientId + type: str + + id: + description: + - Id of client to be worked on. This is usually an UUID. Either this or O(client_id) is required. If you specify both, this takes precedence. + type: str + + name: + description: + - Name of the client (this is not the same as O(client_id)). + type: str + + description: + description: + - Description of the client in Keycloak. + type: str + + root_url: + description: + - Root URL appended to relative URLs for this client. This is C(rootUrl) in the Keycloak REST API. + aliases: + - rootUrl + type: str + + admin_url: + description: + - URL to the admin interface of the client. This is C(adminUrl) in the Keycloak REST API. + aliases: + - adminUrl + type: str + + base_url: + description: + - Default URL to use when the auth server needs to redirect or link back to the client This is C(baseUrl) in the Keycloak REST API. + aliases: + - baseUrl + type: str + + enabled: + description: + - Is this client enabled or not? + type: bool + + client_authenticator_type: + description: + - How do clients authenticate with the auth server? Either V(client-secret), V(client-jwt), or V(client-x509) can be chosen. When using + V(client-secret), the module parameter O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and + C(jwt.credential.certificate) in the O(attributes) module parameter to configure its behavior. For V(client-x509) you can use the keys + C(x509.allow.regex.pattern.comparison) and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to + accept. + - This is C(clientAuthenticatorType) in the Keycloak REST API. + choices: ['client-secret', 'client-jwt', 'client-x509'] + aliases: + - clientAuthenticatorType + type: str + + secret: + description: + - When using O(client_authenticator_type=client-secret) (the default), you can specify a secret here (otherwise one will be generated if + it does not exit). If changing this secret, the module will not register a change currently (but the changed secret will be saved). + type: str + + registration_access_token: + description: + - The registration access token provides access for clients to the client registration service. This is C(registrationAccessToken) in the + Keycloak REST API. + aliases: + - registrationAccessToken + type: str + + default_roles: + description: + - List of default roles for this client. If the client roles referenced do not exist yet, they will be created. This is C(defaultRoles) in + the Keycloak REST API. + aliases: + - defaultRoles + type: list + elements: str + + redirect_uris: + description: + - Acceptable redirect URIs for this client. This is C(redirectUris) in the Keycloak REST API. + aliases: + - redirectUris + type: list + elements: str + + web_origins: + description: + - List of allowed CORS origins. This is C(webOrigins) in the Keycloak REST API. + aliases: + - webOrigins + type: list + elements: str + + not_before: + description: + - Revoke any tokens issued before this date for this client (this is a UNIX timestamp). This is C(notBefore) in the Keycloak REST API. + type: int + aliases: + - notBefore + + bearer_only: + description: + - The access type of this client is bearer-only. This is C(bearerOnly) in the Keycloak REST API. + aliases: + - bearerOnly + type: bool + + consent_required: + description: + - If enabled, users have to consent to client access. This is C(consentRequired) in the Keycloak REST API. + aliases: + - consentRequired + type: bool + + standard_flow_enabled: + description: + - Enable standard flow for this client or not (OpenID connect). This is C(standardFlowEnabled) in the Keycloak REST API. + aliases: + - standardFlowEnabled + type: bool + + implicit_flow_enabled: + description: + - Enable implicit flow for this client or not (OpenID connect). This is C(implicitFlowEnabled) in the Keycloak REST API. + aliases: + - implicitFlowEnabled + type: bool + + direct_access_grants_enabled: + description: + - Are direct access grants enabled for this client or not (OpenID connect). This is C(directAccessGrantsEnabled) in the Keycloak REST API. + aliases: + - directAccessGrantsEnabled + type: bool + + service_accounts_enabled: + description: + - Are service accounts enabled for this client or not (OpenID connect). This is C(serviceAccountsEnabled) in the Keycloak REST API. + aliases: + - serviceAccountsEnabled + type: bool + + authorization_services_enabled: + description: + - Are authorization services enabled for this client or not (OpenID connect). This is C(authorizationServicesEnabled) in the Keycloak REST + API. + aliases: + - authorizationServicesEnabled + type: bool + + public_client: + description: + - Is the access type for this client public or not. This is C(publicClient) in the Keycloak REST API. + aliases: + - publicClient + type: bool + + frontchannel_logout: + description: + - Is frontchannel logout enabled for this client or not. This is C(frontchannelLogout) in the Keycloak REST API. + aliases: + - frontchannelLogout + type: bool + + protocol: + description: + - Type of client. + - At creation only, default value will be V(openid-connect) if O(protocol) is omitted. + - The V(docker-v2) value was added in community.general 8.6.0. + type: str + choices: ['openid-connect', 'saml', 'docker-v2'] + + full_scope_allowed: + description: + - Is the "Full Scope Allowed" feature set for this client or not. This is C(fullScopeAllowed) in the Keycloak REST API. + aliases: + - fullScopeAllowed + type: bool + + node_re_registration_timeout: + description: + - Cluster node re-registration timeout for this client. This is C(nodeReRegistrationTimeout) in the Keycloak REST API. + type: int + aliases: + - nodeReRegistrationTimeout + + registered_nodes: + description: + - Dict of registered cluster nodes (with C(nodename) as the key and last registration time as the value). This is C(registeredNodes) in the + Keycloak REST API. + type: dict + aliases: + - registeredNodes + + client_template: + description: + - Client template to use for this client. If it does not exist this field will silently be dropped. This is C(clientTemplate) in the Keycloak + REST API. + type: str + aliases: + - clientTemplate + + use_template_config: + description: + - Whether or not to use configuration from the O(client_template). This is C(useTemplateConfig) in the Keycloak REST API. + aliases: + - useTemplateConfig + type: bool + + use_template_scope: + description: + - Whether or not to use scope configuration from the O(client_template). This is C(useTemplateScope) in the Keycloak REST API. + aliases: + - useTemplateScope + type: bool + + use_template_mappers: + description: + - Whether or not to use mapper configuration from the O(client_template). This is C(useTemplateMappers) in the Keycloak REST API. + aliases: + - useTemplateMappers + type: bool + + always_display_in_console: + description: + - Whether or not to display this client in account console, even if the user does not have an active session. + aliases: + - alwaysDisplayInConsole + type: bool + version_added: 4.7.0 + + surrogate_auth_required: + description: + - Whether or not surrogate auth is required. This is C(surrogateAuthRequired) in the Keycloak REST API. + aliases: + - surrogateAuthRequired + type: bool + + authorization_settings: + description: + - A data structure defining the authorization settings for this client. For reference, please see the Keycloak API docs at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation). + This is C(authorizationSettings) in the Keycloak REST API. + type: dict + aliases: + - authorizationSettings + + authentication_flow_binding_overrides: + description: + - Override realm authentication flow bindings. + type: dict + suboptions: + browser: description: - - Description of the client in Keycloak. + - Flow ID of the browser authentication flow. + - O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. type: str - root_url: + browser_name: description: - - Root URL appended to relative URLs for this client. - This is 'rootUrl' in the Keycloak REST API. + - Flow name of the browser authentication flow. + - O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. aliases: - - rootUrl + - browserName + type: str + version_added: 9.1.0 + + direct_grant: + description: + - Flow ID of the direct grant authentication flow. + - O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually + exclusive. + aliases: + - directGrant type: str - admin_url: + direct_grant_name: description: - - URL to the admin interface of the client. - This is 'adminUrl' in the Keycloak REST API. + - Flow name of the direct grant authentication flow. + - O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually + exclusive. aliases: - - adminUrl + - directGrantName + type: str + version_added: 9.1.0 + aliases: + - authenticationFlowBindingOverrides + version_added: 3.4.0 + + default_client_scopes: + description: + - List of default client scopes. + aliases: + - defaultClientScopes + type: list + elements: str + version_added: 4.7.0 + + optional_client_scopes: + description: + - List of optional client scopes. + aliases: + - optionalClientScopes + type: list + elements: str + version_added: 4.7.0 + + protocol_mappers: + description: + - A list of dicts defining protocol mappers for this client. This is C(protocolMappers) in the Keycloak REST API. + aliases: + - protocolMappers + type: list + elements: dict + suboptions: + consentRequired: + description: + - Specifies whether a user needs to provide consent to a client for this mapper to be active. + type: bool + + consentText: + description: + - The human-readable name of the consent the user is presented to accept. type: str - base_url: + id: description: - - Default URL to use when the auth server needs to redirect or link back to the client - This is 'baseUrl' in the Keycloak REST API. - aliases: - - baseUrl + - Usually a UUID specifying the internal ID of this protocol mapper instance. type: str - enabled: + name: description: - - Is this client enabled or not? - type: bool - - client_authenticator_type: - description: - - How do clients authenticate with the auth server? Either V(client-secret), - V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter - O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), - C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter - to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) - and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept. - - This is 'clientAuthenticatorType' in the Keycloak REST API. - choices: ['client-secret', 'client-jwt', 'client-x509'] - aliases: - - clientAuthenticatorType + - The name of this protocol mapper. type: str - secret: + protocol: description: - - When using O(client_authenticator_type=client-secret) (the default), you can - specify a secret here (otherwise one will be generated if it does not exit). If - changing this secret, the module will not register a change currently (but the - changed secret will be saved). - type: str - - registration_access_token: - description: - - The registration access token provides access for clients to the client registration - service. - This is 'registrationAccessToken' in the Keycloak REST API. - aliases: - - registrationAccessToken - type: str - - default_roles: - description: - - list of default roles for this client. If the client roles referenced do not exist - yet, they will be created. - This is 'defaultRoles' in the Keycloak REST API. - aliases: - - defaultRoles - type: list - elements: str - - redirect_uris: - description: - - Acceptable redirect URIs for this client. - This is 'redirectUris' in the Keycloak REST API. - aliases: - - redirectUris - type: list - elements: str - - web_origins: - description: - - List of allowed CORS origins. - This is 'webOrigins' in the Keycloak REST API. - aliases: - - webOrigins - type: list - elements: str - - not_before: - description: - - Revoke any tokens issued before this date for this client (this is a UNIX timestamp). - This is 'notBefore' in the Keycloak REST API. - type: int - aliases: - - notBefore - - bearer_only: - description: - - The access type of this client is bearer-only. - This is 'bearerOnly' in the Keycloak REST API. - aliases: - - bearerOnly - type: bool - - consent_required: - description: - - If enabled, users have to consent to client access. - This is 'consentRequired' in the Keycloak REST API. - aliases: - - consentRequired - type: bool - - standard_flow_enabled: - description: - - Enable standard flow for this client or not (OpenID connect). - This is 'standardFlowEnabled' in the Keycloak REST API. - aliases: - - standardFlowEnabled - type: bool - - implicit_flow_enabled: - description: - - Enable implicit flow for this client or not (OpenID connect). - This is 'implicitFlowEnabled' in the Keycloak REST API. - aliases: - - implicitFlowEnabled - type: bool - - direct_access_grants_enabled: - description: - - Are direct access grants enabled for this client or not (OpenID connect). - This is 'directAccessGrantsEnabled' in the Keycloak REST API. - aliases: - - directAccessGrantsEnabled - type: bool - - service_accounts_enabled: - description: - - Are service accounts enabled for this client or not (OpenID connect). - This is 'serviceAccountsEnabled' in the Keycloak REST API. - aliases: - - serviceAccountsEnabled - type: bool - - authorization_services_enabled: - description: - - Are authorization services enabled for this client or not (OpenID connect). - This is 'authorizationServicesEnabled' in the Keycloak REST API. - aliases: - - authorizationServicesEnabled - type: bool - - public_client: - description: - - Is the access type for this client public or not. - This is 'publicClient' in the Keycloak REST API. - aliases: - - publicClient - type: bool - - frontchannel_logout: - description: - - Is frontchannel logout enabled for this client or not. - This is 'frontchannelLogout' in the Keycloak REST API. - aliases: - - frontchannelLogout - type: bool - - protocol: - description: - - Type of client. - - At creation only, default value will be V(openid-connect) if O(protocol) is omitted. - - The V(docker-v2) value was added in community.general 8.6.0. - type: str + - This specifies for which protocol this protocol mapper is active. choices: ['openid-connect', 'saml', 'docker-v2'] - - full_scope_allowed: - description: - - Is the "Full Scope Allowed" feature set for this client or not. - This is 'fullScopeAllowed' in the Keycloak REST API. - aliases: - - fullScopeAllowed - type: bool - - node_re_registration_timeout: - description: - - Cluster node re-registration timeout for this client. - This is 'nodeReRegistrationTimeout' in the Keycloak REST API. - type: int - aliases: - - nodeReRegistrationTimeout - - registered_nodes: - description: - - dict of registered cluster nodes (with C(nodename) as the key and last registration - time as the value). - This is 'registeredNodes' in the Keycloak REST API. - type: dict - aliases: - - registeredNodes - - client_template: - description: - - Client template to use for this client. If it does not exist this field will silently - be dropped. - This is 'clientTemplate' in the Keycloak REST API. type: str - aliases: - - clientTemplate - use_template_config: + protocolMapper: description: - - Whether or not to use configuration from the O(client_template). - This is 'useTemplateConfig' in the Keycloak REST API. - aliases: - - useTemplateConfig - type: bool + - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may + be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:' + - V(docker-v2-allow-all-mapper). + - V(oidc-address-mapper). + - V(oidc-full-name-mapper). + - V(oidc-group-membership-mapper). + - V(oidc-hardcoded-claim-mapper). + - V(oidc-hardcoded-role-mapper). + - V(oidc-role-name-mapper). + - V(oidc-script-based-protocol-mapper). + - V(oidc-sha256-pairwise-sub-mapper). + - V(oidc-usermodel-attribute-mapper). + - V(oidc-usermodel-client-role-mapper). + - V(oidc-usermodel-property-mapper). + - V(oidc-usermodel-realm-role-mapper). + - V(oidc-usersessionmodel-note-mapper). + - V(saml-group-membership-mapper). + - V(saml-hardcode-attribute-mapper). + - V(saml-hardcode-role-mapper). + - V(saml-role-list-mapper). + - V(saml-role-name-mapper). + - V(saml-user-attribute-mapper). + - V(saml-user-property-mapper). + - V(saml-user-session-note-mapper). + - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers + and looking under 'protocol-mapper'. + type: str - use_template_scope: + config: description: - - Whether or not to use scope configuration from the O(client_template). - This is 'useTemplateScope' in the Keycloak REST API. - aliases: - - useTemplateScope - type: bool - - use_template_mappers: - description: - - Whether or not to use mapper configuration from the O(client_template). - This is 'useTemplateMappers' in the Keycloak REST API. - aliases: - - useTemplateMappers - type: bool - - always_display_in_console: - description: - - Whether or not to display this client in account console, even if the - user does not have an active session. - aliases: - - alwaysDisplayInConsole - type: bool - version_added: 4.7.0 - - surrogate_auth_required: - description: - - Whether or not surrogate auth is required. - This is 'surrogateAuthRequired' in the Keycloak REST API. - aliases: - - surrogateAuthRequired - type: bool - - authorization_settings: - description: - - a data structure defining the authorization settings for this client. For reference, - please see the Keycloak API docs at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation). - This is 'authorizationSettings' in the Keycloak REST API. + - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of + O(protocol_mappers[].protocolMapper) + and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest + to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing) + field. type: dict - aliases: - - authorizationSettings - authentication_flow_binding_overrides: + attributes: + description: + - A dict of further attributes for this client. This can contain various configuration settings; an example is given in the examples section. + While an exhaustive list of permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak API + does not validate whether a given option is appropriate for the protocol used; if specified anyway, Keycloak will simply not use it. + type: dict + suboptions: + saml.authnstatement: description: - - Override realm authentication flow bindings. - type: dict - suboptions: - browser: - description: - - Flow ID of the browser authentication flow. - - O(authentication_flow_binding_overrides.browser) - and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. - type: str - - browser_name: - description: - - Flow name of the browser authentication flow. - - O(authentication_flow_binding_overrides.browser) - and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. - aliases: - - browserName - type: str - version_added: 9.1.0 - - direct_grant: - description: - - Flow ID of the direct grant authentication flow. - - O(authentication_flow_binding_overrides.direct_grant) - and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. - aliases: - - directGrant - type: str - - direct_grant_name: - description: - - Flow name of the direct grant authentication flow. - - O(authentication_flow_binding_overrides.direct_grant) - and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. - aliases: - - directGrantName - type: str - version_added: 9.1.0 - aliases: - - authenticationFlowBindingOverrides - version_added: 3.4.0 - - default_client_scopes: + - For SAML clients, boolean specifying whether or not a statement containing method and timestamp should be included in the login response. + saml.client.signature: description: - - List of default client scopes. - aliases: - - defaultClientScopes - type: list - elements: str - version_added: 4.7.0 - - optional_client_scopes: + - For SAML clients, boolean specifying whether a client signature is required and validated. + saml.encrypt: description: - - List of optional client scopes. - aliases: - - optionalClientScopes - type: list - elements: str - version_added: 4.7.0 - - protocol_mappers: + - Boolean specifying whether SAML assertions should be encrypted with the client's public key. + saml.force.post.binding: description: - - a list of dicts defining protocol mappers for this client. - This is 'protocolMappers' in the Keycloak REST API. - aliases: - - protocolMappers - type: list - elements: dict - suboptions: - consentRequired: - description: - - Specifies whether a user needs to provide consent to a client for this mapper to be active. - type: bool - - consentText: - description: - - The human-readable name of the consent the user is presented to accept. - type: str - - id: - description: - - Usually a UUID specifying the internal ID of this protocol mapper instance. - type: str - - name: - description: - - The name of this protocol mapper. - type: str - - protocol: - description: - - This specifies for which protocol this protocol mapper is active. - choices: ['openid-connect', 'saml', 'docker-v2'] - type: str - - protocolMapper: - description: - - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is - impossible to provide since this may be extended through SPIs by the user of Keycloak, - by default Keycloak as of 3.4 ships with at least:" - - V(docker-v2-allow-all-mapper) - - V(oidc-address-mapper) - - V(oidc-full-name-mapper) - - V(oidc-group-membership-mapper) - - V(oidc-hardcoded-claim-mapper) - - V(oidc-hardcoded-role-mapper) - - V(oidc-role-name-mapper) - - V(oidc-script-based-protocol-mapper) - - V(oidc-sha256-pairwise-sub-mapper) - - V(oidc-usermodel-attribute-mapper) - - V(oidc-usermodel-client-role-mapper) - - V(oidc-usermodel-property-mapper) - - V(oidc-usermodel-realm-role-mapper) - - V(oidc-usersessionmodel-note-mapper) - - V(saml-group-membership-mapper) - - V(saml-hardcode-attribute-mapper) - - V(saml-hardcode-role-mapper) - - V(saml-role-list-mapper) - - V(saml-role-name-mapper) - - V(saml-user-attribute-mapper) - - V(saml-user-property-mapper) - - V(saml-user-session-note-mapper) - - An exhaustive list of available mappers on your installation can be obtained on - the admin console by going to Server Info -> Providers and looking under - 'protocol-mapper'. - type: str - - config: - description: - - Dict specifying the configuration options for the protocol mapper; the - contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented - other than by the source of the mappers and its parent class(es). An example is given - below. It is easiest to obtain valid config values by dumping an already-existing - protocol mapper configuration through check-mode in the RV(existing) field. - type: dict - - attributes: + - For SAML clients, boolean specifying whether always to use POST binding for responses. + saml.onetimeuse.condition: description: - - A dict of further attributes for this client. This can contain various configuration - settings; an example is given in the examples section. While an exhaustive list of - permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak - API does not validate whether a given option is appropriate for the protocol used; if specified - anyway, Keycloak will simply not use it. - type: dict - suboptions: - saml.authnstatement: - description: - - For SAML clients, boolean specifying whether or not a statement containing method and timestamp - should be included in the login response. + - For SAML clients, boolean specifying whether a OneTimeUse condition should be included in login responses. + saml.server.signature: + description: + - Boolean specifying whether SAML documents should be signed by the realm. + saml.server.signature.keyinfo.ext: + description: + - For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion of the signing key + id in the SAML Extensions element. + saml.signature.algorithm: + description: + - Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1). + saml.signing.certificate: + description: + - SAML signing key certificate, base64-encoded. + saml.signing.private.key: + description: + - SAML signing key private key, base64-encoded. + saml_assertion_consumer_url_post: + description: + - SAML POST Binding URL for the client's assertion consumer service (login responses). + saml_assertion_consumer_url_redirect: + description: + - SAML Redirect Binding URL for the client's assertion consumer service (login responses). + saml_force_name_id_format: + description: + - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. + saml_name_id_format: + description: + - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)). + saml_signature_canonicalization_method: + description: + - SAML signature canonicalization method. This is one of four values, namely V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, + V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) + for INCLUSIVE, and V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. + saml_single_logout_service_url_post: + description: + - SAML POST binding url for the client's single logout service. + saml_single_logout_service_url_redirect: + description: + - SAML redirect binding url for the client's single logout service. + user.info.response.signature.alg: + description: + - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned). + request.object.signature.alg: + description: + - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending OIDC request object. One of V(any), V(none), + V(RS256). + use.jwks.url: + description: + - For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client public keys. + jwks.url: + description: + - For OpenID-Connect clients, URL where client keys in JWK are stored. + jwt.credential.certificate: + description: + - For OpenID-Connect clients, client certificate for validating JWT issued by client and signed by its key, base64-encoded. + x509.subjectdn: + description: + - For OpenID-Connect clients, subject which will be used to authenticate the client. + type: str + version_added: 9.5.0 - saml.client.signature: - description: - - For SAML clients, boolean specifying whether a client signature is required and validated. - - saml.encrypt: - description: - - Boolean specifying whether SAML assertions should be encrypted with the client's public key. - - saml.force.post.binding: - description: - - For SAML clients, boolean specifying whether always to use POST binding for responses. - - saml.onetimeuse.condition: - description: - - For SAML clients, boolean specifying whether a OneTimeUse condition should be included in login responses. - - saml.server.signature: - description: - - Boolean specifying whether SAML documents should be signed by the realm. - - saml.server.signature.keyinfo.ext: - description: - - For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion - of the signing key id in the SAML Extensions element. - - saml.signature.algorithm: - description: - - Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1). - - saml.signing.certificate: - description: - - SAML signing key certificate, base64-encoded. - - saml.signing.private.key: - description: - - SAML signing key private key, base64-encoded. - - saml_assertion_consumer_url_post: - description: - - SAML POST Binding URL for the client's assertion consumer service (login responses). - - saml_assertion_consumer_url_redirect: - description: - - SAML Redirect Binding URL for the client's assertion consumer service (login responses). - - saml_force_name_id_format: - description: - - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. - - saml_name_id_format: - description: - - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)) - - saml_signature_canonicalization_method: - description: - - SAML signature canonicalization method. This is one of four values, namely - V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, - V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, - V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and - V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. - - saml_single_logout_service_url_post: - description: - - SAML POST binding url for the client's single logout service. - - saml_single_logout_service_url_redirect: - description: - - SAML redirect binding url for the client's single logout service. - - user.info.response.signature.alg: - description: - - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned). - - request.object.signature.alg: - description: - - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending - OIDC request object. One of V(any), V(none), V(RS256). - - use.jwks.url: - description: - - For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client - public keys. - - jwks.url: - description: - - For OpenID-Connect clients, URL where client keys in JWK are stored. - - jwt.credential.certificate: - description: - - For OpenID-Connect clients, client certificate for validating JWT issued by - client and signed by its key, base64-encoded. - - x509.subjectdn: - description: - - For OpenID-Connect clients, subject which will be used to authenticate the client. - type: str - version_added: 9.5.0 - - x509.allow.regex.pattern.comparison: - description: - - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression. - type: bool - version_added: 9.5.0 + x509.allow.regex.pattern.comparison: + description: + - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression. + type: bool + version_added: 9.5.0 extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Eike Frost (@eikef) -''' + - Eike Frost (@eikef) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create or update Keycloak client (minimal example), authentication with credentials community.general.keycloak_client: auth_keycloak_url: https://auth.example.com/auth @@ -705,7 +634,7 @@ EXAMPLES = ''' - test01 - test02 authentication_flow_binding_overrides: - browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb + browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb protocol_mappers: - config: access.token.claim: true @@ -744,45 +673,33 @@ EXAMPLES = ''' jwks.url: JWKS_URL_FOR_CLIENT_AUTH_JWT jwt.credential.certificate: JWT_CREDENTIAL_CERTIFICATE_FOR_CLIENT_AUTH delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Client testclient has been updated" + description: Message as to what action was taken. + returned: always + type: str + sample: "Client testclient has been updated" proposed: - description: Representation of proposed client. - returned: always - type: dict - sample: { - clientId: "test" - } + description: Representation of proposed client. + returned: always + type: dict + sample: {clientId: "test"} existing: - description: Representation of existing client (sample is truncated). - returned: always - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } + description: Representation of existing client (sample is truncated). + returned: always + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} end_state: - description: Representation of client after module execution (sample is truncated). - returned: on success - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } -''' + description: Representation of client after module execution (sample is truncated). + returned: on success + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError, is_struct_included diff --git a/plugins/modules/keycloak_client_rolemapping.py b/plugins/modules/keycloak_client_rolemapping.py index ebc60b9fd0..23dad803d7 100644 --- a/plugins/modules/keycloak_client_rolemapping.py +++ b/plugins/modules/keycloak_client_rolemapping.py @@ -8,8 +8,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_client_rolemapping short_description: Allows administration of Keycloak client_rolemapping with the Keycloak API @@ -17,129 +16,113 @@ short_description: Allows administration of Keycloak client_rolemapping with the version_added: 3.5.0 description: - - This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - - - When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup - to the API to translate the name into the role ID. - + - This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access to the REST API + using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, + admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the + expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. + - When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name + into the role ID. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the client_rolemapping. - - On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - - On V(absent), the client_rolemapping will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the client_rolemapping. + - On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the client_rolemapping will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - realm: + realm: + type: str + description: + - They Keycloak realm under which this role_representation resides. + default: 'master' + + group_name: + type: str + description: + - Name of the group to be mapped. + - This parameter is required (can be replaced by gid for less API call). + parents: + version_added: "7.1.0" + type: list + description: + - List of parent groups for the group to handle sorted top to bottom. + - Set this if your group is a subgroup and you do not provide the GID in O(gid). + elements: dict + suboptions: + id: type: str description: - - They Keycloak realm under which this role_representation resides. - default: 'master' - - group_name: + - Identify parent by ID. + - Needs less API calls than using O(parents[].name). + - A deep parent chain can be started at any point when first given parent is given as ID. + - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, + with ID being preferred. + name: type: str description: - - Name of the group to be mapped. - - This parameter is required (can be replaced by gid for less API call). - - parents: - version_added: "7.1.0" - type: list - description: - - List of parent groups for the group to handle sorted top to bottom. - - >- - Set this if your group is a subgroup and you do not provide the GID in O(gid). - elements: dict - suboptions: - id: - type: str - description: - - Identify parent by ID. - - Needs less API calls than using O(parents[].name). - - A deep parent chain can be started at any point when first given parent is given as ID. - - Note that in principle both ID and name can be specified at the same time - but current implementation only always use just one of them, with ID - being preferred. - name: - type: str - description: - - Identify parent by name. - - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. - - When giving a parent chain with only names it must be complete up to the top. - - Note that in principle both ID and name can be specified at the same time - but current implementation only always use just one of them, with ID - being preferred. - gid: + - Identify parent by name. + - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. + - When giving a parent chain with only names it must be complete up to the top. + - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, + with ID being preferred. + gid: + type: str + description: + - Id of the group to be mapped. + - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. + client_id: + type: str + description: + - Name of the client to be mapped (different than O(cid)). + - This parameter is required (can be replaced by cid for less API call). + cid: + type: str + description: + - Id of the client to be mapped. + - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. + roles: + description: + - Roles to be mapped to the group. + type: list + elements: dict + suboptions: + name: type: str description: - - Id of the group to be mapped. - - This parameter is not required for updating or deleting the rolemapping but - providing it will reduce the number of API calls required. - - client_id: + - Name of the role_representation. + - This parameter is required only when creating or updating the role_representation. + id: type: str description: - - Name of the client to be mapped (different than O(cid)). - - This parameter is required (can be replaced by cid for less API call). - - cid: - type: str - description: - - Id of the client to be mapped. - - This parameter is not required for updating or deleting the rolemapping but - providing it will reduce the number of API calls required. - - roles: - description: - - Roles to be mapped to the group. - type: list - elements: dict - suboptions: - name: - type: str - description: - - Name of the role_representation. - - This parameter is required only when creating or updating the role_representation. - id: - type: str - description: - - The unique identifier for this role_representation. - - This parameter is not required for updating or deleting a role_representation but - providing it will reduce the number of API calls required. - + - The unique identifier for this role_representation. + - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls + required. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Gaëtan Daubresse (@Gaetan2907) -''' + - Gaëtan Daubresse (@Gaetan2907) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Map a client role to a group, authentication with credentials community.general.keycloak_client_rolemapping: realm: MyCustomRealm @@ -209,50 +192,37 @@ EXAMPLES = ''' - name: role_name2 id: role_id2 delegate_to: localhost +""" -''' - -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Role role1 assigned to group group1." + description: Message as to what action was taken. + returned: always + type: str + sample: "Role role1 assigned to group group1." proposed: - description: Representation of proposed client role mapping. - returned: always - type: dict - sample: { - clientId: "test" - } + description: Representation of proposed client role mapping. + returned: always + type: dict + sample: {clientId: "test"} existing: - description: - - Representation of existing client role mapping. - - The sample is truncated. - returned: always - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } + description: + - Representation of existing client role mapping. + - The sample is truncated. + returned: always + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} end_state: - description: - - Representation of client role mapping after module execution. - - The sample is truncated. - returned: on success - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } -''' + description: + - Representation of client role mapping after module execution. + - The sample is truncated. + returned: on success + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, diff --git a/plugins/modules/keycloak_client_rolescope.py b/plugins/modules/keycloak_client_rolescope.py index cd4f0fa80e..ff91a0fe78 100644 --- a/plugins/modules/keycloak_client_rolescope.py +++ b/plugins/modules/keycloak_client_rolescope.py @@ -8,84 +8,74 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_client_rolescope -short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications. +short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications version_added: 8.6.0 description: - - This module allows you to add or remove Keycloak roles from clients scope via the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - + - This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access to the REST API using + OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli + and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the role mapping. - - On V(present), all roles in O(role_names) will be mapped if not exists yet. - - On V(absent), all roles mapping in O(role_names) will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent - - realm: - type: str - description: - - The Keycloak realm under which clients resides. - default: 'master' - - client_id: - type: str - required: true - description: - - Roles provided in O(role_names) while be added to this client scope. - - client_scope_id: - type: str - description: - - If the O(role_names) are client role, the client ID under which it resides. - - If this parameter is absent, the roles are considered a realm role. - role_names: - required: true - type: list - elements: str - description: - - Names of roles to manipulate. - - If O(client_scope_id) is present, all roles must be under this client. - - If O(client_scope_id) is absent, all roles must be under the realm. + state: + description: + - State of the role mapping. + - On V(present), all roles in O(role_names) will be mapped if not exists yet. + - On V(absent), all roles mapping in O(role_names) will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent + realm: + type: str + description: + - The Keycloak realm under which clients resides. + default: 'master' + client_id: + type: str + required: true + description: + - Roles provided in O(role_names) while be added to this client scope. + client_scope_id: + type: str + description: + - If the O(role_names) are client role, the client ID under which it resides. + - If this parameter is absent, the roles are considered a realm role. + role_names: + required: true + type: list + elements: str + description: + - Names of roles to manipulate. + - If O(client_scope_id) is present, all roles must be under this client. + - If O(client_scope_id) is absent, all roles must be under the realm. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Andre Desrosiers (@desand01) -''' + - Andre Desrosiers (@desand01) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Add roles to public client scope community.general.keycloak_client_rolescope: auth_keycloak_url: https://auth.example.com/auth @@ -96,8 +86,8 @@ EXAMPLES = ''' client_id: frontend-client-public client_scope_id: backend-client-private role_names: - - backend-role-admin - - backend-role-user + - backend-role-admin + - backend-role-user - name: Remove roles from public client scope community.general.keycloak_client_rolescope: @@ -109,7 +99,7 @@ EXAMPLES = ''' client_id: frontend-client-public client_scope_id: backend-client-private role_names: - - backend-role-admin + - backend-role-admin state: absent - name: Add realm roles to public client scope @@ -121,16 +111,16 @@ EXAMPLES = ''' realm: MyCustomRealm client_id: frontend-client-public role_names: - - realm-role-admin - - realm-role-user -''' + - realm-role-admin + - realm-role-user +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Client role scope for frontend-client-public has been updated" + description: Message as to what action was taken. + returned: always + type: str + sample: "Client role scope for frontend-client-public has been updated" end_state: description: Representation of role role scope after module execution. @@ -138,22 +128,22 @@ end_state: type: list elements: dict sample: [ - { - "clientRole": false, - "composite": false, - "containerId": "MyCustomRealm", - "id": "47293104-59a6-46f0-b460-2e9e3c9c424c", - "name": "backend-role-admin" - }, - { - "clientRole": false, - "composite": false, - "containerId": "MyCustomRealm", - "id": "39c62a6d-542c-4715-92d2-41021eb33967", - "name": "backend-role-user" - } + { + "clientRole": false, + "composite": false, + "containerId": "MyCustomRealm", + "id": "47293104-59a6-46f0-b460-2e9e3c9c424c", + "name": "backend-role-admin" + }, + { + "clientRole": false, + "composite": false, + "containerId": "MyCustomRealm", + "id": "39c62a6d-542c-4715-92d2-41021eb33967", + "name": "backend-role-user" + } ] -''' +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_clientscope.py b/plugins/modules/keycloak_clientscope.py index 87437b6df0..ed82e0c0f7 100644 --- a/plugins/modules/keycloak_clientscope.py +++ b/plugins/modules/keycloak_clientscope.py @@ -8,166 +8,151 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_clientscope -short_description: Allows administration of Keycloak client_scopes via Keycloak API +short_description: Allows administration of Keycloak client_scopes using Keycloak API version_added: 3.4.0 description: - - This module allows you to add, remove or modify Keycloak client_scopes via the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - - - When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup - to the API to translate the name into the client_scope ID. - + - This module allows you to add, remove or modify Keycloak client_scopes using the Keycloak REST API. It requires access to the REST API using OpenID + Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli + and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. + - When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup to the API to translate the + name into the client_scope ID. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the client_scope. - - On V(present), the client_scope will be created if it does not yet exist, or updated with the parameters you provide. - - On V(absent), the client_scope will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent - - name: - type: str - description: - - Name of the client_scope. - - This parameter is required only when creating or updating the client_scope. - - realm: - type: str - description: - - They Keycloak realm under which this client_scope resides. - default: 'master' - - id: - type: str - description: - - The unique identifier for this client_scope. - - This parameter is not required for updating or deleting a client_scope but - providing it will reduce the number of API calls required. - + state: description: - type: str - description: - - Description for this client_scope. - - This parameter is not required for updating or deleting a client_scope. + - State of the client_scope. + - On V(present), the client_scope will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the client_scope will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - protocol: + name: + type: str + description: + - Name of the client_scope. + - This parameter is required only when creating or updating the client_scope. + realm: + type: str + description: + - They Keycloak realm under which this client_scope resides. + default: 'master' + + id: + type: str + description: + - The unique identifier for this client_scope. + - This parameter is not required for updating or deleting a client_scope but providing it will reduce the number of API calls required. + description: + type: str + description: + - Description for this client_scope. + - This parameter is not required for updating or deleting a client_scope. + protocol: + description: + - Type of client. + - The V(docker-v2) value was added in community.general 8.6.0. + choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2'] + type: str + + protocol_mappers: + description: + - A list of dicts defining protocol mappers for this client. + - This is C(protocolMappers) in the Keycloak REST API. + aliases: + - protocolMappers + type: list + elements: dict + suboptions: + protocol: description: - - Type of client. - - The V(docker-v2) value was added in community.general 8.6.0. + - This specifies for which protocol this protocol mapper. + - Is active. choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2'] type: str - protocol_mappers: + protocolMapper: description: - - A list of dicts defining protocol mappers for this client. - - This is 'protocolMappers' in the Keycloak REST API. - aliases: - - protocolMappers - type: list - elements: dict - suboptions: - protocol: - description: - - This specifies for which protocol this protocol mapper. - - is active. - choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2'] - type: str + - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may + be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:' + - V(docker-v2-allow-all-mapper). + - V(oidc-address-mapper). + - V(oidc-full-name-mapper). + - V(oidc-group-membership-mapper). + - V(oidc-hardcoded-claim-mapper). + - V(oidc-hardcoded-role-mapper). + - V(oidc-role-name-mapper). + - V(oidc-script-based-protocol-mapper). + - V(oidc-sha256-pairwise-sub-mapper). + - V(oidc-usermodel-attribute-mapper). + - V(oidc-usermodel-client-role-mapper). + - V(oidc-usermodel-property-mapper). + - V(oidc-usermodel-realm-role-mapper). + - V(oidc-usersessionmodel-note-mapper). + - V(saml-group-membership-mapper). + - V(saml-hardcode-attribute-mapper). + - V(saml-hardcode-role-mapper). + - V(saml-role-list-mapper). + - V(saml-role-name-mapper). + - V(saml-user-attribute-mapper). + - V(saml-user-property-mapper). + - V(saml-user-session-note-mapper). + - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers + and looking under 'protocol-mapper'. + type: str - protocolMapper: - description: - - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is - impossible to provide since this may be extended through SPIs by the user of Keycloak, - by default Keycloak as of 3.4 ships with at least:" - - V(docker-v2-allow-all-mapper) - - V(oidc-address-mapper) - - V(oidc-full-name-mapper) - - V(oidc-group-membership-mapper) - - V(oidc-hardcoded-claim-mapper) - - V(oidc-hardcoded-role-mapper) - - V(oidc-role-name-mapper) - - V(oidc-script-based-protocol-mapper) - - V(oidc-sha256-pairwise-sub-mapper) - - V(oidc-usermodel-attribute-mapper) - - V(oidc-usermodel-client-role-mapper) - - V(oidc-usermodel-property-mapper) - - V(oidc-usermodel-realm-role-mapper) - - V(oidc-usersessionmodel-note-mapper) - - V(saml-group-membership-mapper) - - V(saml-hardcode-attribute-mapper) - - V(saml-hardcode-role-mapper) - - V(saml-role-list-mapper) - - V(saml-role-name-mapper) - - V(saml-user-attribute-mapper) - - V(saml-user-property-mapper) - - V(saml-user-session-note-mapper) - - An exhaustive list of available mappers on your installation can be obtained on - the admin console by going to Server Info -> Providers and looking under - 'protocol-mapper'. - type: str + name: + description: + - The name of this protocol mapper. + type: str - name: - description: - - The name of this protocol mapper. - type: str + id: + description: + - Usually a UUID specifying the internal ID of this protocol mapper instance. + type: str - id: - description: - - Usually a UUID specifying the internal ID of this protocol mapper instance. - type: str - - config: - description: - - Dict specifying the configuration options for the protocol mapper; the - contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented - other than by the source of the mappers and its parent class(es). An example is given - below. It is easiest to obtain valid config values by dumping an already-existing - protocol mapper configuration through check-mode in the RV(existing) return value. - type: dict - - attributes: + config: + description: + - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of + O(protocol_mappers[].protocolMapper) + and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest + to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing) + return value. type: dict - description: - - A dict of key/value pairs to set as custom attributes for the client_scope. - - Values may be single values (for example a string) or a list of strings. + attributes: + type: dict + description: + - A dict of key/value pairs to set as custom attributes for the client_scope. + - Values may be single values (for example a string) or a list of strings. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Gaëtan Daubresse (@Gaetan2907) -''' + - Gaëtan Daubresse (@Gaetan2907) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create a Keycloak client_scopes, authentication with credentials community.general.keycloak_clientscope: name: my-new-kc-clientscope @@ -254,54 +239,42 @@ EXAMPLES = ''' protocol: saml protocolMapper: saml-role-list-mapper attributes: - attrib1: value1 - attrib2: value2 - attrib3: - - with - - numerous - - individual - - list - - items + attrib1: value1 + attrib2: value2 + attrib3: + - with + - numerous + - individual + - list + - items delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Client_scope testclientscope has been updated" + description: Message as to what action was taken. + returned: always + type: str + sample: "Client_scope testclientscope has been updated" proposed: - description: Representation of proposed client scope. - returned: always - type: dict - sample: { - clientId: "test" - } + description: Representation of proposed client scope. + returned: always + type: dict + sample: {clientId: "test"} existing: - description: Representation of existing client scope (sample is truncated). - returned: always - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } + description: Representation of existing client scope (sample is truncated). + returned: always + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} end_state: - description: Representation of client scope after module execution (sample is truncated). - returned: on success - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } -''' + description: Representation of client scope after module execution (sample is truncated). + returned: on success + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError, is_struct_included diff --git a/plugins/modules/keycloak_clientscope_type.py b/plugins/modules/keycloak_clientscope_type.py index d95ab0b44d..ef4233fea4 100644 --- a/plugins/modules/keycloak_clientscope_type.py +++ b/plugins/modules/keycloak_clientscope_type.py @@ -9,29 +9,24 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_clientscope_type -short_description: Set the type of aclientscope in realm or client via Keycloak API +short_description: Set the type of aclientscope in realm or client using Keycloak API version_added: 6.6.0 description: - - This module allows you to set the type (optional, default) of clientscopes - via the Keycloak REST API. It requires access to the REST API via OpenID - Connect; the user connecting and the client being used must have the - requisite access rights. In a default Keycloak installation, admin-cli and - an admin user would work, as would a separate client definition with the - scope tailored to your needs and a user having the expected roles. - + - This module allows you to set the type (optional, default) of clientscopes using the Keycloak REST API. It requires access to the REST API using + OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli + and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: realm: @@ -66,9 +61,9 @@ extends_documentation_fragment: author: - Simon Pahl (@simonpahl) -''' +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Set default client scopes on realm level community.general.keycloak_clientscope_type: auth_client_id: admin-cli @@ -91,42 +86,33 @@ EXAMPLES = ''' default_clientscopes: ['profile', 'roles'] optional_clientscopes: ['phone'] delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "" + description: Message as to what action was taken. + returned: always + type: str + sample: "" proposed: - description: Representation of proposed client-scope types mapping. - returned: always - type: dict - sample: { - default_clientscopes: ["profile", "role"], - optional_clientscopes: [] - } + description: Representation of proposed client-scope types mapping. + returned: always + type: dict + sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []} existing: - description: - - Representation of client scopes before module execution. - returned: always - type: dict - sample: { - default_clientscopes: ["profile", "role"], - optional_clientscopes: ["phone"] - } + description: + - Representation of client scopes before module execution. + returned: always + type: dict + sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: ["phone"]} end_state: - description: - - Representation of client scopes after module execution. - - The sample is truncated. - returned: on success - type: dict - sample: { - default_clientscopes: ["profile", "role"], - optional_clientscopes: [] - } -''' + description: + - Representation of client scopes after module execution. + - The sample is truncated. + returned: on success + type: dict + sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []} +""" from ansible.module_utils.basic import AnsibleModule diff --git a/plugins/modules/keycloak_clientsecret_info.py b/plugins/modules/keycloak_clientsecret_info.py index 58786a5364..d0f6297037 100644 --- a/plugins/modules/keycloak_clientsecret_info.py +++ b/plugins/modules/keycloak_clientsecret_info.py @@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_clientsecret_info -short_description: Retrieve client secret via Keycloak API +short_description: Retrieve client secret using Keycloak API version_added: 6.1.0 description: - - This module allows you to get a Keycloak client secret via the Keycloak - REST API. It requires access to the REST API via OpenID Connect; the user - connecting and the client being used must have the requisite access rights. - In a default Keycloak installation, admin-cli and an admin user would work, - as would a separate client definition with the scope tailored to your needs - and a user having the expected roles. - - - When retrieving a new client secret, where possible provide the client's - O(id) (not O(client_id)) to the module. This removes a lookup to the API to - translate the O(client_id) into the client ID. - - - "Note that this module returns the client secret. To avoid this showing up in the logs, - please add C(no_log: true) to the task." - + - This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; the + user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin + user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to + the API to translate the O(client_id) into the client ID. + - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.' attributes: action_group: version_added: 10.2.0 @@ -46,14 +37,12 @@ options: id: description: - The unique identifier for this client. - - This parameter is not required for getting or generating a client secret but - providing it will reduce the number of API calls required. + - This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required. type: str client_id: description: - - The O(client_id) of the client. Passing this instead of O(id) results in an - extra API call. + - The O(client_id) of the client. Passing this instead of O(id) results in an extra API call. aliases: - clientId type: str @@ -68,9 +57,9 @@ extends_documentation_fragment: author: - Fynn Chen (@fynncfchen) - John Cant (@johncant) -''' +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Get a Keycloak client secret, authentication with credentials community.general.keycloak_clientsecret_info: id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd' @@ -102,16 +91,16 @@ EXAMPLES = ''' token: TOKEN delegate_to: localhost no_log: true -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Textual description of whether we succeeded or failed + description: Textual description of whether we succeeded or failed. returned: always type: str clientsecret_info: - description: Representation of the client secret + description: Representation of the client secret. returned: on success type: complex contains: @@ -125,7 +114,7 @@ clientsecret_info: type: str returned: always sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1 -''' +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( KeycloakAPI, KeycloakError, get_token) diff --git a/plugins/modules/keycloak_clientsecret_regenerate.py b/plugins/modules/keycloak_clientsecret_regenerate.py index fc279f6a9d..4bd48e90ad 100644 --- a/plugins/modules/keycloak_clientsecret_regenerate.py +++ b/plugins/modules/keycloak_clientsecret_regenerate.py @@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_clientsecret_regenerate -short_description: Regenerate Keycloak client secret via Keycloak API +short_description: Regenerate Keycloak client secret using Keycloak API version_added: 6.1.0 description: - - This module allows you to regenerate a Keycloak client secret via the - Keycloak REST API. It requires access to the REST API via OpenID Connect; - the user connecting and the client being used must have the requisite access - rights. In a default Keycloak installation, admin-cli and an admin user - would work, as would a separate client definition with the scope tailored to - your needs and a user having the expected roles. - - - When regenerating a client secret, where possible provide the client's id - (not client_id) to the module. This removes a lookup to the API to - translate the client_id into the client ID. - - - "Note that this module returns the client secret. To avoid this showing up in the logs, - please add C(no_log: true) to the task." - + - This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; + the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an + admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - When regenerating a client secret, where possible provide the client's id (not client_id) to the module. This removes a lookup to the API + to translate the client_id into the client ID. + - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.' attributes: check_mode: support: full @@ -50,14 +41,12 @@ options: id: description: - The unique identifier for this client. - - This parameter is not required for getting or generating a client secret but - providing it will reduce the number of API calls required. + - This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required. type: str client_id: description: - - The client_id of the client. Passing this instead of id results in an - extra API call. + - The client_id of the client. Passing this instead of id results in an extra API call. aliases: - clientId type: str @@ -71,9 +60,9 @@ extends_documentation_fragment: author: - Fynn Chen (@fynncfchen) - John Cant (@johncant) -''' +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Regenerate a Keycloak client secret, authentication with credentials community.general.keycloak_clientsecret_regenerate: id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd' @@ -105,16 +94,16 @@ EXAMPLES = ''' token: TOKEN delegate_to: localhost no_log: true -''' +""" -RETURN = ''' +RETURN = r""" msg: description: Message as to what action was taken. returned: always type: str end_state: - description: Representation of the client credential after module execution + description: Representation of the client credential after module execution. returned: on success type: complex contains: @@ -128,8 +117,7 @@ end_state: type: str returned: always sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1 - -''' +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( KeycloakAPI, KeycloakError, get_token) diff --git a/plugins/modules/keycloak_clienttemplate.py b/plugins/modules/keycloak_clienttemplate.py index 63bb32f972..bfd138c3f2 100644 --- a/plugins/modules/keycloak_clienttemplate.py +++ b/plugins/modules/keycloak_clienttemplate.py @@ -8,176 +8,163 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_clienttemplate -short_description: Allows administration of Keycloak client templates via Keycloak API +short_description: Allows administration of Keycloak client templates using Keycloak API description: - - This module allows the administration of Keycloak client templates via the Keycloak REST API. It - requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html) - - - The Keycloak API does not always enforce for only sensible settings to be used -- you can set - SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful. - If you do not specify a setting, usually a sensible default is chosen. - + - This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to the REST API using OpenID + Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli + and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + - The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on an OpenID Connect + client for instance and the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the client template. - - On V(present), the client template will be created (or updated if it exists already). - - On V(absent), the client template will be removed if it exists - choices: ['present', 'absent'] - default: 'present' - type: str - - id: - description: - - Id of client template to be worked on. This is usually a UUID. - type: str - - realm: - description: - - Realm this client template is found in. - type: str - default: master - - name: - description: - - Name of the client template. - type: str - + state: description: + - State of the client template. + - On V(present), the client template will be created (or updated if it exists already). + - On V(absent), the client template will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str + + id: + description: + - Id of client template to be worked on. This is usually a UUID. + type: str + + realm: + description: + - Realm this client template is found in. + type: str + default: master + + name: + description: + - Name of the client template. + type: str + + description: + description: + - Description of the client template in Keycloak. + type: str + + protocol: + description: + - Type of client template. + - The V(docker-v2) value was added in community.general 8.6.0. + choices: ['openid-connect', 'saml', 'docker-v2'] + type: str + + full_scope_allowed: + description: + - Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak REST API. + type: bool + + protocol_mappers: + description: + - A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST API. + type: list + elements: dict + suboptions: + consentRequired: description: - - Description of the client template in Keycloak. + - Specifies whether a user needs to provide consent to a client for this mapper to be active. + type: bool + + consentText: + description: + - The human-readable name of the consent the user is presented to accept. type: str - protocol: + id: description: - - Type of client template. - - The V(docker-v2) value was added in community.general 8.6.0. + - Usually a UUID specifying the internal ID of this protocol mapper instance. + type: str + + name: + description: + - The name of this protocol mapper. + type: str + + protocol: + description: + - This specifies for which protocol this protocol mapper is active. choices: ['openid-connect', 'saml', 'docker-v2'] type: str - full_scope_allowed: + protocolMapper: description: - - Is the "Full Scope Allowed" feature set for this client template or not. - This is 'fullScopeAllowed' in the Keycloak REST API. - type: bool + - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may + be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:' + - V(docker-v2-allow-all-mapper). + - V(oidc-address-mapper). + - V(oidc-full-name-mapper). + - V(oidc-group-membership-mapper). + - V(oidc-hardcoded-claim-mapper). + - V(oidc-hardcoded-role-mapper). + - V(oidc-role-name-mapper). + - V(oidc-script-based-protocol-mapper). + - V(oidc-sha256-pairwise-sub-mapper). + - V(oidc-usermodel-attribute-mapper). + - V(oidc-usermodel-client-role-mapper). + - V(oidc-usermodel-property-mapper). + - V(oidc-usermodel-realm-role-mapper). + - V(oidc-usersessionmodel-note-mapper). + - V(saml-group-membership-mapper). + - V(saml-hardcode-attribute-mapper). + - V(saml-hardcode-role-mapper). + - V(saml-role-list-mapper). + - V(saml-role-name-mapper). + - V(saml-user-attribute-mapper). + - V(saml-user-property-mapper). + - V(saml-user-session-note-mapper). + - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers + and looking under 'protocol-mapper'. + type: str - protocol_mappers: + config: description: - - a list of dicts defining protocol mappers for this client template. - This is 'protocolMappers' in the Keycloak REST API. - type: list - elements: dict - suboptions: - consentRequired: - description: - - Specifies whether a user needs to provide consent to a client for this mapper to be active. - type: bool - - consentText: - description: - - The human-readable name of the consent the user is presented to accept. - type: str - - id: - description: - - Usually a UUID specifying the internal ID of this protocol mapper instance. - type: str - - name: - description: - - The name of this protocol mapper. - type: str - - protocol: - description: - - This specifies for which protocol this protocol mapper is active. - choices: ['openid-connect', 'saml', 'docker-v2'] - type: str - - protocolMapper: - description: - - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is - impossible to provide since this may be extended through SPIs by the user of Keycloak, - by default Keycloak as of 3.4 ships with at least:" - - V(docker-v2-allow-all-mapper) - - V(oidc-address-mapper) - - V(oidc-full-name-mapper) - - V(oidc-group-membership-mapper) - - V(oidc-hardcoded-claim-mapper) - - V(oidc-hardcoded-role-mapper) - - V(oidc-role-name-mapper) - - V(oidc-script-based-protocol-mapper) - - V(oidc-sha256-pairwise-sub-mapper) - - V(oidc-usermodel-attribute-mapper) - - V(oidc-usermodel-client-role-mapper) - - V(oidc-usermodel-property-mapper) - - V(oidc-usermodel-realm-role-mapper) - - V(oidc-usersessionmodel-note-mapper) - - V(saml-group-membership-mapper) - - V(saml-hardcode-attribute-mapper) - - V(saml-hardcode-role-mapper) - - V(saml-role-list-mapper) - - V(saml-role-name-mapper) - - V(saml-user-attribute-mapper) - - V(saml-user-property-mapper) - - V(saml-user-session-note-mapper) - - An exhaustive list of available mappers on your installation can be obtained on - the admin console by going to Server Info -> Providers and looking under - 'protocol-mapper'. - type: str - - config: - description: - - Dict specifying the configuration options for the protocol mapper; the - contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented - other than by the source of the mappers and its parent class(es). An example is given - below. It is easiest to obtain valid config values by dumping an already-existing - protocol mapper configuration through check-mode in the RV(existing) field. - type: dict - - attributes: - description: - - A dict of further attributes for this client template. This can contain various - configuration settings, though in the default installation of Keycloak as of 3.4, none - are documented or known, so this is usually empty. + - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of + O(protocol_mappers[].protocolMapper) + and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest + to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing) + field. type: dict -notes: - - The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), - C(implicitFlowEnabled), C(directAccessGrantsEnabled), C(serviceAccountsEnabled), C(publicClient), and - C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect on - Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, - they are not available through this module. + attributes: + description: + - A dict of further attributes for this client template. This can contain various configuration settings, though in the default installation + of Keycloak as of 3.4, none are documented or known, so this is usually empty. + type: dict +notes: + - The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled), + C(directAccessGrantsEnabled), + C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect + on Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, they are not available + through this module. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Eike Frost (@eikef) -''' + - Eike Frost (@eikef) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create or update Keycloak client template (minimal), authentication with credentials community.general.keycloak_client: auth_client_id: admin-cli @@ -236,47 +223,33 @@ EXAMPLES = ''' full_scope_allowed: false id: bce6f5e9-d7d3-4955-817e-c5b7f8d65b3f delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Client template testclient has been updated" + description: Message as to what action was taken. + returned: always + type: str + sample: "Client template testclient has been updated" proposed: - description: Representation of proposed client template. - returned: always - type: dict - sample: { - name: "test01" - } + description: Representation of proposed client template. + returned: always + type: dict + sample: {name: "test01"} existing: - description: Representation of existing client template (sample is truncated). - returned: always - type: dict - sample: { - "description": "test01", - "fullScopeAllowed": false, - "id": "9c3712ab-decd-481e-954f-76da7b006e5f", - "name": "test01", - "protocol": "saml" - } + description: Representation of existing client template (sample is truncated). + returned: always + type: dict + sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"} end_state: - description: Representation of client template after module execution (sample is truncated). - returned: on success - type: dict - sample: { - "description": "test01", - "fullScopeAllowed": false, - "id": "9c3712ab-decd-481e-954f-76da7b006e5f", - "name": "test01", - "protocol": "saml" - } -''' + description: Representation of client template after module execution (sample is truncated). + returned: on success + type: dict + sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_component.py b/plugins/modules/keycloak_component.py index 6c345700ae..2b402ddb62 100644 --- a/plugins/modules/keycloak_component.py +++ b/plugins/modules/keycloak_component.py @@ -8,80 +8,75 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_component -short_description: Allows administration of Keycloak components via Keycloak API +short_description: Allows administration of Keycloak components using Keycloak API version_added: 10.0.0 description: - - This module allows the administration of Keycloak components via the Keycloak REST API. It - requires access to the REST API via OpenID Connect; the user connecting and the realm being - used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) - and an C(admin) user would work, as would a separate realm definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). - Aliases are provided so camelCased versions can be used as well. - + - This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST API using OpenID Connect; + the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) and an + C(admin) user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). + Aliases are provided so camelCased versions can be used as well. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the Keycloak component. - - On V(present), the component will be created (or updated if it exists already). - - On V(absent), the component will be removed if it exists. - choices: ['present', 'absent'] - default: 'present' - type: str - name: - description: - - Name of the component to create. - type: str - required: true - parent_id: - description: - - The parent_id of the component. In practice the ID (name) of the realm. - type: str - required: true - provider_id: - description: - - The name of the "provider ID" for the key. - type: str - required: true - provider_type: - description: - - The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), - V(org.keycloak.userprofile.UserProfileProvider), ... - - See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers). - type: str - required: true - config: - description: - - Configuration properties for the provider. - - Contents vary depending on the provider type. - type: dict + state: + description: + - State of the Keycloak component. + - On V(present), the component will be created (or updated if it exists already). + - On V(absent), the component will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str + name: + description: + - Name of the component to create. + type: str + required: true + parent_id: + description: + - The parent_id of the component. In practice the ID (name) of the realm. + type: str + required: true + provider_id: + description: + - The name of the "provider ID" for the key. + type: str + required: true + provider_type: + description: + - The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.userprofile.UserProfileProvider), + ... + - See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers). + type: str + required: true + config: + description: + - Configuration properties for the provider. + - Contents vary depending on the provider type. + type: dict extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Björn Bösel (@fivetide) -''' + - Björn Bösel (@fivetide) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Manage Keycloak User Storage Provider community.general.keycloak_component: auth_keycloak_url: http://localhost:8080/auth @@ -97,42 +92,42 @@ EXAMPLES = ''' myCustomKey: "my_custom_key" cachePolicy: "NO_CACHE" enabled: true -''' +""" -RETURN = ''' +RETURN = r""" end_state: - description: Representation of the keycloak_component after module execution. - returned: on success - type: dict - contains: - id: - description: ID of the component. - type: str - returned: when O(state=present) - sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4 - name: - description: Name of the component. - type: str - returned: when O(state=present) - sample: mykey - parentId: - description: ID of the realm this key belongs to. - type: str - returned: when O(state=present) - sample: myrealm - providerId: - description: The ID of the key provider. - type: str - returned: when O(state=present) - sample: rsa - providerType: - description: The type of provider. - type: str - returned: when O(state=present) - config: - description: component configuration. - type: dict -''' + description: Representation of the keycloak_component after module execution. + returned: on success + type: dict + contains: + id: + description: ID of the component. + type: str + returned: when O(state=present) + sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4 + name: + description: Name of the component. + type: str + returned: when O(state=present) + sample: mykey + parentId: + description: ID of the realm this key belongs to. + type: str + returned: when O(state=present) + sample: myrealm + providerId: + description: The ID of the key provider. + type: str + returned: when O(state=present) + sample: rsa + providerType: + description: The type of provider. + type: str + returned: when O(state=present) + config: + description: Component configuration. + type: dict +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_component_info.py b/plugins/modules/keycloak_component_info.py index cc0c4d31d9..a1f2c1f0ef 100644 --- a/plugins/modules/keycloak_component_info.py +++ b/plugins/modules/keycloak_component_info.py @@ -8,106 +8,100 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_component_info -short_description: Retrive component info in Keycloak +short_description: Retrieve component info in Keycloak version_added: 8.2.0 description: - - This module retrive information on component from Keycloak. - + - This module retrieve information on component from Keycloak. attributes: - action_group: - version_added: 10.2.0 + action_group: + version_added: 10.2.0 options: - realm: - description: - - The name of the realm. - required: true - type: str - name: - description: - - Name of the Component. - type: str - provider_type: - description: - - Provider type of components. - - "Example: - V(org.keycloak.storage.UserStorageProvider), - V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), - V(org.keycloak.keys.KeyProvider), - V(org.keycloak.userprofile.UserProfileProvider), - V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper)." - type: str - parent_id: - description: - - Container ID of the components. - type: str + realm: + description: + - The name of the realm. + required: true + type: str + name: + description: + - Name of the Component. + type: str + provider_type: + description: + - Provider type of components. + - 'Examples: V(org.keycloak.storage.UserStorageProvider), + V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), V(org.keycloak.keys.KeyProvider), + V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).' + type: str + parent_id: + description: + - Container ID of the components. + type: str extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes - - community.general.attributes.info_module + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes + - community.general.attributes.info_module author: - - Andre Desrosiers (@desand01) -''' + - Andre Desrosiers (@desand01) +""" -EXAMPLES = ''' - - name: Retrive info of a UserStorageProvider named myldap - community.general.keycloak_component_info: - auth_keycloak_url: http://localhost:8080/auth - auth_sername: admin - auth_password: password - auth_realm: master - realm: myrealm - name: myldap - provider_type: org.keycloak.storage.UserStorageProvider +EXAMPLES = r""" +- name: Retrive info of a UserStorageProvider named myldap + community.general.keycloak_component_info: + auth_keycloak_url: http://localhost:8080/auth + auth_sername: admin + auth_password: password + auth_realm: master + realm: myrealm + name: myldap + provider_type: org.keycloak.storage.UserStorageProvider - - name: Retrive key info component - community.general.keycloak_component_info: - auth_keycloak_url: http://localhost:8080/auth - auth_sername: admin - auth_password: password - auth_realm: master - realm: myrealm - name: rsa-enc-generated - provider_type: org.keycloak.keys.KeyProvider +- name: Retrive key info component + community.general.keycloak_component_info: + auth_keycloak_url: http://localhost:8080/auth + auth_sername: admin + auth_password: password + auth_realm: master + realm: myrealm + name: rsa-enc-generated + provider_type: org.keycloak.keys.KeyProvider - - name: Retrive all component from realm master - community.general.keycloak_component_info: - auth_keycloak_url: http://localhost:8080/auth - auth_sername: admin - auth_password: password - auth_realm: master - realm: myrealm +- name: Retrive all component from realm master + community.general.keycloak_component_info: + auth_keycloak_url: http://localhost:8080/auth + auth_sername: admin + auth_password: password + auth_realm: master + realm: myrealm - - name: Retrive all sub components of parent component filter by type - community.general.keycloak_component_info: - auth_keycloak_url: http://localhost:8080/auth - auth_sername: admin - auth_password: password - auth_realm: master - realm: myrealm - parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2" - provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" +- name: Retrive all sub components of parent component filter by type + community.general.keycloak_component_info: + auth_keycloak_url: http://localhost:8080/auth + auth_sername: admin + auth_password: password + auth_realm: master + realm: myrealm + parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2" + provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" +""" -''' - -RETURN = ''' +RETURN = r""" components: description: JSON representation of components. returned: always type: list elements: dict -''' +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_group.py b/plugins/modules/keycloak_group.py index 24564f2d4d..796f5fc56f 100644 --- a/plugins/modules/keycloak_group.py +++ b/plugins/modules/keycloak_group.py @@ -8,122 +8,102 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_group -short_description: Allows administration of Keycloak groups via Keycloak API +short_description: Allows administration of Keycloak groups using Keycloak API description: - - This module allows you to add, remove or modify Keycloak groups via the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - - - When updating a group, where possible provide the group ID to the module. This removes a lookup - to the API to translate the name into the group ID. - + - This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the REST API using OpenID Connect; + the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an + admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. + - When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate the name into the + group ID. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the group. - - On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide. - - >- - On V(absent), the group will be removed if it exists. Be aware that absenting - a group with subgroups will automatically delete all its subgroups too. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the group. + - On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the group will be removed if it exists. Be aware that absenting a group with subgroups will automatically delete all its + subgroups too. + default: 'present' + type: str + choices: + - present + - absent - name: + name: + type: str + description: + - Name of the group. + - This parameter is required only when creating or updating the group. + realm: + type: str + description: + - They Keycloak realm under which this group resides. + default: 'master' + + id: + type: str + description: + - The unique identifier for this group. + - This parameter is not required for updating or deleting a group but providing it will reduce the number of API calls required. + attributes: + type: dict + description: + - A dict of key/value pairs to set as custom attributes for the group. + - Values may be single values (for example a string) or a list of strings. + parents: + version_added: "6.4.0" + type: list + description: + - List of parent groups for the group to handle sorted top to bottom. + - Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup by name. + - Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly queried without necessarily + knowing its parent(s). + elements: dict + suboptions: + id: type: str description: - - Name of the group. - - This parameter is required only when creating or updating the group. - - realm: + - Identify parent by ID. + - Needs less API calls than using O(parents[].name). + - A deep parent chain can be started at any point when first given parent is given as ID. + - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, + with ID being preferred. + name: type: str description: - - They Keycloak realm under which this group resides. - default: 'master' - - id: - type: str - description: - - The unique identifier for this group. - - This parameter is not required for updating or deleting a group but - providing it will reduce the number of API calls required. - - attributes: - type: dict - description: - - A dict of key/value pairs to set as custom attributes for the group. - - Values may be single values (e.g. a string) or a list of strings. - - parents: - version_added: "6.4.0" - type: list - description: - - List of parent groups for the group to handle sorted top to bottom. - - >- - Set this to create a group as a subgroup of another group or groups (parents) or - when accessing an existing subgroup by name. - - >- - Not necessary to set when accessing an existing subgroup by its C(ID) because in - that case the group can be directly queried without necessarily knowing its parent(s). - elements: dict - suboptions: - id: - type: str - description: - - Identify parent by ID. - - Needs less API calls than using O(parents[].name). - - A deep parent chain can be started at any point when first given parent is given as ID. - - Note that in principle both ID and name can be specified at the same time - but current implementation only always use just one of them, with ID - being preferred. - name: - type: str - description: - - Identify parent by name. - - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. - - When giving a parent chain with only names it must be complete up to the top. - - Note that in principle both ID and name can be specified at the same time - but current implementation only always use just one of them, with ID - being preferred. - + - Identify parent by name. + - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. + - When giving a parent chain with only names it must be complete up to the top. + - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, + with ID being preferred. notes: - - Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API - are read-only for groups. This limitation will be removed in a later version of this module. - + - Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API are read-only + for groups. This limitation will be removed in a later version of this module. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Adam Goossens (@adamgoossens) -''' + - Adam Goossens (@adamgoossens) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create a Keycloak group, authentication with credentials community.general.keycloak_group: name: my-new-kc-group @@ -191,14 +171,14 @@ EXAMPLES = ''' auth_password: PASSWORD name: my-new_group attributes: - attrib1: value1 - attrib2: value2 - attrib3: - - with - - numerous - - individual - - list - - items + attrib1: value1 + attrib2: value2 + attrib3: + - with + - numerous + - individual + - list + - items delegate_to: localhost - name: Create a Keycloak subgroup of a base group (using parent name) @@ -258,64 +238,63 @@ EXAMPLES = ''' parents: - id: "{{ result_new_kcgrp_sub.end_state.id }}" delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str end_state: - description: Representation of the group after module execution (sample is truncated). - returned: on success - type: complex - contains: - id: - description: GUID that identifies the group. - type: str - returned: always - sample: 23f38145-3195-462c-97e7-97041ccea73e - name: - description: Name of the group. - type: str - returned: always - sample: grp-test-123 - attributes: - description: Attributes applied to this group. - type: dict - returned: always - sample: - attr1: ["val1", "val2", "val3"] - path: - description: URI path to the group. - type: str - returned: always - sample: /grp-test-123 - realmRoles: - description: An array of the realm-level roles granted to this group. - type: list - returned: always - sample: [] - subGroups: - description: A list of groups that are children of this group. These groups will have the same parameters as - documented here. - type: list - returned: always - clientRoles: - description: A list of client-level roles granted to this group. - type: list - returned: always - sample: [] - access: - description: A dict describing the accesses you have to this group based on the credentials used. - type: dict - returned: always - sample: - manage: true - manageMembership: true - view: true -''' + description: Representation of the group after module execution (sample is truncated). + returned: on success + type: complex + contains: + id: + description: GUID that identifies the group. + type: str + returned: always + sample: 23f38145-3195-462c-97e7-97041ccea73e + name: + description: Name of the group. + type: str + returned: always + sample: grp-test-123 + attributes: + description: Attributes applied to this group. + type: dict + returned: always + sample: + attr1: ["val1", "val2", "val3"] + path: + description: URI path to the group. + type: str + returned: always + sample: /grp-test-123 + realmRoles: + description: An array of the realm-level roles granted to this group. + type: list + returned: always + sample: [] + subGroups: + description: A list of groups that are children of this group. These groups will have the same parameters as documented here. + type: list + returned: always + clientRoles: + description: A list of client-level roles granted to this group. + type: list + returned: always + sample: [] + access: + description: A dict describing the accesses you have to this group based on the credentials used. + type: dict + returned: always + sample: + manage: true + manageMembership: true + view: true +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError @@ -372,7 +351,7 @@ def main(): parents = module.params.get('parents') # attributes in Keycloak have their values returned as lists - # via the API. attributes is a dict, so we'll transparently convert + # using the API. attributes is a dict, so we'll transparently convert # the values to lists. if attributes is not None: for key, val in module.params['attributes'].items(): diff --git a/plugins/modules/keycloak_identity_provider.py b/plugins/modules/keycloak_identity_provider.py index 0ef67ee385..ee631bf19c 100644 --- a/plugins/modules/keycloak_identity_provider.py +++ b/plugins/modules/keycloak_identity_provider.py @@ -8,285 +8,280 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_identity_provider -short_description: Allows administration of Keycloak identity providers via Keycloak API +short_description: Allows administration of Keycloak identity providers using Keycloak API version_added: 3.6.0 description: - - This module allows you to add, remove or modify Keycloak identity providers via the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html). - + - This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access to the REST API + using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, + admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the + expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html). attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the identity provider. - - On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you provide. - - On V(absent), the identity provider will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the identity provider. + - On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the identity provider will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - realm: - description: - - The Keycloak realm under which this identity provider resides. - default: 'master' - type: str + realm: + description: + - The Keycloak realm under which this identity provider resides. + default: 'master' + type: str - alias: - description: - - The alias uniquely identifies an identity provider and it is also used to build the redirect URI. - required: true - type: str + alias: + description: + - The alias uniquely identifies an identity provider and it is also used to build the redirect URI. + required: true + type: str - display_name: + display_name: + description: + - Friendly name for identity provider. + aliases: + - displayName + type: str + + enabled: + description: + - Enable/disable this identity provider. + type: bool + + store_token: + description: + - Enable/disable whether tokens must be stored after authenticating users. + aliases: + - storeToken + type: bool + + add_read_token_role_on_create: + description: + - Enable/disable whether new users can read any stored tokens. This assigns the C(broker.read-token) role. + aliases: + - addReadTokenRoleOnCreate + type: bool + + trust_email: + description: + - If enabled, email provided by this provider is not verified even if verification is enabled for the realm. + aliases: + - trustEmail + type: bool + + link_only: + description: + - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login + from the provider, but want to integrate with a provider. + aliases: + - linkOnly + type: bool + + first_broker_login_flow_alias: + description: + - Alias of authentication flow, which is triggered after first login with this identity provider. + aliases: + - firstBrokerLoginFlowAlias + type: str + + post_broker_login_flow_alias: + description: + - Alias of authentication flow, which is triggered after each login with this identity provider. + aliases: + - postBrokerLoginFlowAlias + type: str + + authenticate_by_default: + description: + - Specifies if this identity provider should be used by default for authentication even before displaying login screen. + aliases: + - authenticateByDefault + type: bool + + provider_id: + description: + - Protocol used by this provider (supported values are V(oidc) or V(saml)). + aliases: + - providerId + type: str + + config: + description: + - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are + given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing identity provider configuration + through check-mode in the RV(existing) field. + type: dict + suboptions: + hide_on_login_page: description: - - Friendly name for identity provider. + - If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint) parameter. aliases: - - displayName - type: str - - enabled: - description: - - Enable/disable this identity provider. + - hideOnLoginPage type: bool - store_token: + gui_order: description: - - Enable/disable whether tokens must be stored after authenticating users. + - Number defining order of the provider in GUI (for example, on Login page). aliases: - - storeToken - type: bool + - guiOrder + type: int - add_read_token_role_on_create: + sync_mode: description: - - Enable/disable whether new users can read any stored tokens. This assigns the C(broker.read-token) role. + - Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. aliases: - - addReadTokenRoleOnCreate - type: bool - - trust_email: - description: - - If enabled, email provided by this provider is not verified even if verification is enabled for the realm. - aliases: - - trustEmail - type: bool - - link_only: - description: - - If true, users cannot log in through this provider. They can only link to this provider. - This is useful if you don't want to allow login from the provider, but want to integrate with a provider. - aliases: - - linkOnly - type: bool - - first_broker_login_flow_alias: - description: - - Alias of authentication flow, which is triggered after first login with this identity provider. - aliases: - - firstBrokerLoginFlowAlias + - syncMode type: str - post_broker_login_flow_alias: + issuer: description: - - Alias of authentication flow, which is triggered after each login with this identity provider. - aliases: - - postBrokerLoginFlowAlias + - The issuer identifier for the issuer of the response. If not provided, no validation will be performed. type: str - authenticate_by_default: + authorizationUrl: description: - - Specifies if this identity provider should be used by default for authentication even before displaying login screen. - aliases: - - authenticateByDefault + - The Authorization URL. + type: str + + tokenUrl: + description: + - The Token URL. + type: str + + logoutUrl: + description: + - End session endpoint to use to logout user from external IDP. + type: str + + userInfoUrl: + description: + - The User Info URL. + type: str + + clientAuthMethod: + description: + - The client authentication method. + type: str + + clientId: + description: + - The client or client identifier registered within the identity provider. + type: str + + clientSecret: + description: + - The client or client secret registered within the identity provider. + type: str + + defaultScope: + description: + - The scopes to be sent when asking for authorization. + type: str + + validateSignature: + description: + - Enable/disable signature validation of external IDP signatures. type: bool - provider_id: + useJwksUrl: description: - - Protocol used by this provider (supported values are V(oidc) or V(saml)). - aliases: - - providerId + - If the switch is on, identity provider public keys will be downloaded from given JWKS URL. + type: bool + + jwksUrl: + description: + - URL where identity provider keys in JWK format are stored. See JWK specification for more details. type: str - config: + entityId: description: - - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). - Examples are given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing - identity provider configuration through check-mode in the RV(existing) field. + - The Entity ID that will be used to uniquely identify this SAML Service Provider. + type: str + + singleSignOnServiceUrl: + description: + - The URL that must be used to send authentication requests (SAML AuthnRequest). + type: str + + singleLogoutServiceUrl: + description: + - The URL that must be used to send logout requests. + type: str + + backchannelSupported: + description: + - Does the external IDP support backchannel logout? + type: str + + nameIDPolicyFormat: + description: + - Specifies the URI reference corresponding to a name identifier format. + type: str + + principalType: + description: + - Way to identify and track external users from the assertion. + type: str + + mappers: + description: + - A list of dicts defining mappers associated with this Identity Provider. + type: list + elements: dict + suboptions: + id: + description: + - Unique ID of this mapper. + type: str + + name: + description: + - Name of the mapper. + type: str + + identityProviderAlias: + description: + - Alias of the identity provider for this mapper. + type: str + + identityProviderMapper: + description: + - Type of mapper. + type: str + + config: + description: + - Dict specifying the configuration options for the mapper; the contents differ depending on the value of O(mappers[].identityProviderMapper). type: dict - suboptions: - hide_on_login_page: - description: - - If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint) parameter. - aliases: - - hideOnLoginPage - type: bool - - gui_order: - description: - - Number defining order of the provider in GUI (for example, on Login page). - aliases: - - guiOrder - type: int - - sync_mode: - description: - - Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. - aliases: - - syncMode - type: str - - issuer: - description: - - The issuer identifier for the issuer of the response. If not provided, no validation will be performed. - type: str - - authorizationUrl: - description: - - The Authorization URL. - type: str - - tokenUrl: - description: - - The Token URL. - type: str - - logoutUrl: - description: - - End session endpoint to use to logout user from external IDP. - type: str - - userInfoUrl: - description: - - The User Info URL. - type: str - - clientAuthMethod: - description: - - The client authentication method. - type: str - - clientId: - description: - - The client or client identifier registered within the identity provider. - type: str - - clientSecret: - description: - - The client or client secret registered within the identity provider. - type: str - - defaultScope: - description: - - The scopes to be sent when asking for authorization. - type: str - - validateSignature: - description: - - Enable/disable signature validation of external IDP signatures. - type: bool - - useJwksUrl: - description: - - If the switch is on, identity provider public keys will be downloaded from given JWKS URL. - type: bool - - jwksUrl: - description: - - URL where identity provider keys in JWK format are stored. See JWK specification for more details. - type: str - - entityId: - description: - - The Entity ID that will be used to uniquely identify this SAML Service Provider. - type: str - - singleSignOnServiceUrl: - description: - - The URL that must be used to send authentication requests (SAML AuthnRequest). - type: str - - singleLogoutServiceUrl: - description: - - The URL that must be used to send logout requests. - type: str - - backchannelSupported: - description: - - Does the external IDP support backchannel logout? - type: str - - nameIDPolicyFormat: - description: - - Specifies the URI reference corresponding to a name identifier format. - type: str - - principalType: - description: - - Way to identify and track external users from the assertion. - type: str - - mappers: - description: - - A list of dicts defining mappers associated with this Identity Provider. - type: list - elements: dict - suboptions: - id: - description: - - Unique ID of this mapper. - type: str - - name: - description: - - Name of the mapper. - type: str - - identityProviderAlias: - description: - - Alias of the identity provider for this mapper. - type: str - - identityProviderMapper: - description: - - Type of mapper. - type: str - - config: - description: - - Dict specifying the configuration options for the mapper; the contents differ depending on the value of - O(mappers[].identityProviderMapper). - type: dict extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Laurent Paumier (@laurpaum) -''' + - Laurent Paumier (@laurpaum) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create OIDC identity provider, authentication with credentials community.general.keycloak_identity_provider: state: present @@ -347,14 +342,14 @@ EXAMPLES = ''' attribute.friendly.name: User Roles attribute.name: roles syncMode: INHERIT -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Identity provider my-idp has been created" + description: Message as to what action was taken. + returned: always + type: str + sample: "Identity provider my-idp has been created" proposed: description: Representation of proposed identity provider. @@ -428,7 +423,7 @@ end_state: "storeToken": false, "trustEmail": false, } -''' +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_realm.py b/plugins/modules/keycloak_realm.py index e190e7ad7b..d2ae4f33c8 100644 --- a/plugins/modules/keycloak_realm.py +++ b/plugins/modules/keycloak_realm.py @@ -9,523 +9,516 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_realm -short_description: Allows administration of Keycloak realm via Keycloak API +short_description: Allows administration of Keycloak realm using Keycloak API version_added: 3.0.0 description: - - This module allows the administration of Keycloak realm via the Keycloak REST API. It - requires access to the REST API via OpenID Connect; the user connecting and the realm being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate realm definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - Aliases are provided so camelCased versions can be used as well. - - - The Keycloak API does not always sanity check inputs e.g. you can set - SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful. - If you do not specify a setting, usually a sensible default is chosen. - + - This module allows the administration of Keycloak realm using the Keycloak REST API. It requires access to the REST API using OpenID Connect; + the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin + user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + Aliases are provided so camelCased versions can be used as well. + - The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and + also the other way around. B(Be careful). If you do not specify a setting, usually a sensible default is chosen. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the realm. - - On V(present), the realm will be created (or updated if it exists already). - - On V(absent), the realm will be removed if it exists. - choices: ['present', 'absent'] - default: 'present' - type: str + state: + description: + - State of the realm. + - On V(present), the realm will be created (or updated if it exists already). + - On V(absent), the realm will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str - id: - description: - - The realm to create. - type: str - realm: - description: - - The realm name. - type: str - access_code_lifespan: - description: - - The realm access code lifespan. - aliases: - - accessCodeLifespan - type: int - access_code_lifespan_login: - description: - - The realm access code lifespan login. - aliases: - - accessCodeLifespanLogin - type: int - access_code_lifespan_user_action: - description: - - The realm access code lifespan user action. - aliases: - - accessCodeLifespanUserAction - type: int - access_token_lifespan: - description: - - The realm access token lifespan. - aliases: - - accessTokenLifespan - type: int - access_token_lifespan_for_implicit_flow: - description: - - The realm access token lifespan for implicit flow. - aliases: - - accessTokenLifespanForImplicitFlow - type: int - account_theme: - description: - - The realm account theme. - aliases: - - accountTheme - type: str - action_token_generated_by_admin_lifespan: - description: - - The realm action token generated by admin lifespan. - aliases: - - actionTokenGeneratedByAdminLifespan - type: int - action_token_generated_by_user_lifespan: - description: - - The realm action token generated by user lifespan. - aliases: - - actionTokenGeneratedByUserLifespan - type: int - admin_events_details_enabled: - description: - - The realm admin events details enabled. - aliases: - - adminEventsDetailsEnabled - type: bool - admin_events_enabled: - description: - - The realm admin events enabled. - aliases: - - adminEventsEnabled - type: bool - admin_theme: - description: - - The realm admin theme. - aliases: - - adminTheme - type: str - attributes: - description: - - The realm attributes. - type: dict - browser_flow: - description: - - The realm browser flow. - aliases: - - browserFlow - type: str - browser_security_headers: - description: - - The realm browser security headers. - aliases: - - browserSecurityHeaders - type: dict - brute_force_protected: - description: - - The realm brute force protected. - aliases: - - bruteForceProtected - type: bool - client_authentication_flow: - description: - - The realm client authentication flow. - aliases: - - clientAuthenticationFlow - type: str - client_scope_mappings: - description: - - The realm client scope mappings. - aliases: - - clientScopeMappings - type: dict - default_default_client_scopes: - description: - - The realm default default client scopes. - aliases: - - defaultDefaultClientScopes - type: list - elements: str - default_groups: - description: - - The realm default groups. - aliases: - - defaultGroups - type: list - elements: str - default_locale: - description: - - The realm default locale. - aliases: - - defaultLocale - type: str - default_optional_client_scopes: - description: - - The realm default optional client scopes. - aliases: - - defaultOptionalClientScopes - type: list - elements: str - default_roles: - description: - - The realm default roles. - aliases: - - defaultRoles - type: list - elements: str - default_signature_algorithm: - description: - - The realm default signature algorithm. - aliases: - - defaultSignatureAlgorithm - type: str - direct_grant_flow: - description: - - The realm direct grant flow. - aliases: - - directGrantFlow - type: str - display_name: - description: - - The realm display name. - aliases: - - displayName - type: str - display_name_html: - description: - - The realm display name HTML. - aliases: - - displayNameHtml - type: str - docker_authentication_flow: - description: - - The realm docker authentication flow. - aliases: - - dockerAuthenticationFlow - type: str - duplicate_emails_allowed: - description: - - The realm duplicate emails allowed option. - aliases: - - duplicateEmailsAllowed - type: bool - edit_username_allowed: - description: - - The realm edit username allowed option. - aliases: - - editUsernameAllowed - type: bool - email_theme: - description: - - The realm email theme. - aliases: - - emailTheme - type: str - enabled: - description: - - The realm enabled option. - type: bool - enabled_event_types: - description: - - The realm enabled event types. - aliases: - - enabledEventTypes - type: list - elements: str - events_enabled: - description: - - Enables or disables login events for this realm. - aliases: - - eventsEnabled - type: bool - version_added: 3.6.0 - events_expiration: - description: - - The realm events expiration. - aliases: - - eventsExpiration - type: int - events_listeners: - description: - - The realm events listeners. - aliases: - - eventsListeners - type: list - elements: str - failure_factor: - description: - - The realm failure factor. - aliases: - - failureFactor - type: int - internationalization_enabled: - description: - - The realm internationalization enabled option. - aliases: - - internationalizationEnabled - type: bool - login_theme: - description: - - The realm login theme. - aliases: - - loginTheme - type: str - login_with_email_allowed: - description: - - The realm login with email allowed option. - aliases: - - loginWithEmailAllowed - type: bool - max_delta_time_seconds: - description: - - The realm max delta time in seconds. - aliases: - - maxDeltaTimeSeconds - type: int - max_failure_wait_seconds: - description: - - The realm max failure wait in seconds. - aliases: - - maxFailureWaitSeconds - type: int - minimum_quick_login_wait_seconds: - description: - - The realm minimum quick login wait in seconds. - aliases: - - minimumQuickLoginWaitSeconds - type: int - not_before: - description: - - The realm not before. - aliases: - - notBefore - type: int - offline_session_idle_timeout: - description: - - The realm offline session idle timeout. - aliases: - - offlineSessionIdleTimeout - type: int - offline_session_max_lifespan: - description: - - The realm offline session max lifespan. - aliases: - - offlineSessionMaxLifespan - type: int - offline_session_max_lifespan_enabled: - description: - - The realm offline session max lifespan enabled option. - aliases: - - offlineSessionMaxLifespanEnabled - type: bool - otp_policy_algorithm: - description: - - The realm otp policy algorithm. - aliases: - - otpPolicyAlgorithm - type: str - otp_policy_digits: - description: - - The realm otp policy digits. - aliases: - - otpPolicyDigits - type: int - otp_policy_initial_counter: - description: - - The realm otp policy initial counter. - aliases: - - otpPolicyInitialCounter - type: int - otp_policy_look_ahead_window: - description: - - The realm otp policy look ahead window. - aliases: - - otpPolicyLookAheadWindow - type: int - otp_policy_period: - description: - - The realm otp policy period. - aliases: - - otpPolicyPeriod - type: int - otp_policy_type: - description: - - The realm otp policy type. - aliases: - - otpPolicyType - type: str - otp_supported_applications: - description: - - The realm otp supported applications. - aliases: - - otpSupportedApplications - type: list - elements: str - password_policy: - description: - - The realm password policy. - aliases: - - passwordPolicy - type: str - organizations_enabled: - description: - - Enables support for experimental organization feature. - aliases: - - organizationsEnabled - type: bool - version_added: 10.0.0 - permanent_lockout: - description: - - The realm permanent lockout. - aliases: - - permanentLockout - type: bool - quick_login_check_milli_seconds: - description: - - The realm quick login check in milliseconds. - aliases: - - quickLoginCheckMilliSeconds - type: int - refresh_token_max_reuse: - description: - - The realm refresh token max reuse. - aliases: - - refreshTokenMaxReuse - type: int - registration_allowed: - description: - - The realm registration allowed option. - aliases: - - registrationAllowed - type: bool - registration_email_as_username: - description: - - The realm registration email as username option. - aliases: - - registrationEmailAsUsername - type: bool - registration_flow: - description: - - The realm registration flow. - aliases: - - registrationFlow - type: str - remember_me: - description: - - The realm remember me option. - aliases: - - rememberMe - type: bool - reset_credentials_flow: - description: - - The realm reset credentials flow. - aliases: - - resetCredentialsFlow - type: str - reset_password_allowed: - description: - - The realm reset password allowed option. - aliases: - - resetPasswordAllowed - type: bool - revoke_refresh_token: - description: - - The realm revoke refresh token option. - aliases: - - revokeRefreshToken - type: bool - smtp_server: - description: - - The realm smtp server. - aliases: - - smtpServer - type: dict - ssl_required: - description: - - The realm ssl required option. - choices: ['all', 'external', 'none'] - aliases: - - sslRequired - type: str - sso_session_idle_timeout: - description: - - The realm sso session idle timeout. - aliases: - - ssoSessionIdleTimeout - type: int - sso_session_idle_timeout_remember_me: - description: - - The realm sso session idle timeout remember me. - aliases: - - ssoSessionIdleTimeoutRememberMe - type: int - sso_session_max_lifespan: - description: - - The realm sso session max lifespan. - aliases: - - ssoSessionMaxLifespan - type: int - sso_session_max_lifespan_remember_me: - description: - - The realm sso session max lifespan remember me. - aliases: - - ssoSessionMaxLifespanRememberMe - type: int - supported_locales: - description: - - The realm supported locales. - aliases: - - supportedLocales - type: list - elements: str - user_managed_access_allowed: - description: - - The realm user managed access allowed option. - aliases: - - userManagedAccessAllowed - type: bool - verify_email: - description: - - The realm verify email option. - aliases: - - verifyEmail - type: bool - wait_increment_seconds: - description: - - The realm wait increment in seconds. - aliases: - - waitIncrementSeconds - type: int + id: + description: + - The realm to create. + type: str + realm: + description: + - The realm name. + type: str + access_code_lifespan: + description: + - The realm access code lifespan. + aliases: + - accessCodeLifespan + type: int + access_code_lifespan_login: + description: + - The realm access code lifespan login. + aliases: + - accessCodeLifespanLogin + type: int + access_code_lifespan_user_action: + description: + - The realm access code lifespan user action. + aliases: + - accessCodeLifespanUserAction + type: int + access_token_lifespan: + description: + - The realm access token lifespan. + aliases: + - accessTokenLifespan + type: int + access_token_lifespan_for_implicit_flow: + description: + - The realm access token lifespan for implicit flow. + aliases: + - accessTokenLifespanForImplicitFlow + type: int + account_theme: + description: + - The realm account theme. + aliases: + - accountTheme + type: str + action_token_generated_by_admin_lifespan: + description: + - The realm action token generated by admin lifespan. + aliases: + - actionTokenGeneratedByAdminLifespan + type: int + action_token_generated_by_user_lifespan: + description: + - The realm action token generated by user lifespan. + aliases: + - actionTokenGeneratedByUserLifespan + type: int + admin_events_details_enabled: + description: + - The realm admin events details enabled. + aliases: + - adminEventsDetailsEnabled + type: bool + admin_events_enabled: + description: + - The realm admin events enabled. + aliases: + - adminEventsEnabled + type: bool + admin_theme: + description: + - The realm admin theme. + aliases: + - adminTheme + type: str + attributes: + description: + - The realm attributes. + type: dict + browser_flow: + description: + - The realm browser flow. + aliases: + - browserFlow + type: str + browser_security_headers: + description: + - The realm browser security headers. + aliases: + - browserSecurityHeaders + type: dict + brute_force_protected: + description: + - The realm brute force protected. + aliases: + - bruteForceProtected + type: bool + client_authentication_flow: + description: + - The realm client authentication flow. + aliases: + - clientAuthenticationFlow + type: str + client_scope_mappings: + description: + - The realm client scope mappings. + aliases: + - clientScopeMappings + type: dict + default_default_client_scopes: + description: + - The realm default default client scopes. + aliases: + - defaultDefaultClientScopes + type: list + elements: str + default_groups: + description: + - The realm default groups. + aliases: + - defaultGroups + type: list + elements: str + default_locale: + description: + - The realm default locale. + aliases: + - defaultLocale + type: str + default_optional_client_scopes: + description: + - The realm default optional client scopes. + aliases: + - defaultOptionalClientScopes + type: list + elements: str + default_roles: + description: + - The realm default roles. + aliases: + - defaultRoles + type: list + elements: str + default_signature_algorithm: + description: + - The realm default signature algorithm. + aliases: + - defaultSignatureAlgorithm + type: str + direct_grant_flow: + description: + - The realm direct grant flow. + aliases: + - directGrantFlow + type: str + display_name: + description: + - The realm display name. + aliases: + - displayName + type: str + display_name_html: + description: + - The realm display name HTML. + aliases: + - displayNameHtml + type: str + docker_authentication_flow: + description: + - The realm docker authentication flow. + aliases: + - dockerAuthenticationFlow + type: str + duplicate_emails_allowed: + description: + - The realm duplicate emails allowed option. + aliases: + - duplicateEmailsAllowed + type: bool + edit_username_allowed: + description: + - The realm edit username allowed option. + aliases: + - editUsernameAllowed + type: bool + email_theme: + description: + - The realm email theme. + aliases: + - emailTheme + type: str + enabled: + description: + - The realm enabled option. + type: bool + enabled_event_types: + description: + - The realm enabled event types. + aliases: + - enabledEventTypes + type: list + elements: str + events_enabled: + description: + - Enables or disables login events for this realm. + aliases: + - eventsEnabled + type: bool + version_added: 3.6.0 + events_expiration: + description: + - The realm events expiration. + aliases: + - eventsExpiration + type: int + events_listeners: + description: + - The realm events listeners. + aliases: + - eventsListeners + type: list + elements: str + failure_factor: + description: + - The realm failure factor. + aliases: + - failureFactor + type: int + internationalization_enabled: + description: + - The realm internationalization enabled option. + aliases: + - internationalizationEnabled + type: bool + login_theme: + description: + - The realm login theme. + aliases: + - loginTheme + type: str + login_with_email_allowed: + description: + - The realm login with email allowed option. + aliases: + - loginWithEmailAllowed + type: bool + max_delta_time_seconds: + description: + - The realm max delta time in seconds. + aliases: + - maxDeltaTimeSeconds + type: int + max_failure_wait_seconds: + description: + - The realm max failure wait in seconds. + aliases: + - maxFailureWaitSeconds + type: int + minimum_quick_login_wait_seconds: + description: + - The realm minimum quick login wait in seconds. + aliases: + - minimumQuickLoginWaitSeconds + type: int + not_before: + description: + - The realm not before. + aliases: + - notBefore + type: int + offline_session_idle_timeout: + description: + - The realm offline session idle timeout. + aliases: + - offlineSessionIdleTimeout + type: int + offline_session_max_lifespan: + description: + - The realm offline session max lifespan. + aliases: + - offlineSessionMaxLifespan + type: int + offline_session_max_lifespan_enabled: + description: + - The realm offline session max lifespan enabled option. + aliases: + - offlineSessionMaxLifespanEnabled + type: bool + otp_policy_algorithm: + description: + - The realm otp policy algorithm. + aliases: + - otpPolicyAlgorithm + type: str + otp_policy_digits: + description: + - The realm otp policy digits. + aliases: + - otpPolicyDigits + type: int + otp_policy_initial_counter: + description: + - The realm otp policy initial counter. + aliases: + - otpPolicyInitialCounter + type: int + otp_policy_look_ahead_window: + description: + - The realm otp policy look ahead window. + aliases: + - otpPolicyLookAheadWindow + type: int + otp_policy_period: + description: + - The realm otp policy period. + aliases: + - otpPolicyPeriod + type: int + otp_policy_type: + description: + - The realm otp policy type. + aliases: + - otpPolicyType + type: str + otp_supported_applications: + description: + - The realm otp supported applications. + aliases: + - otpSupportedApplications + type: list + elements: str + password_policy: + description: + - The realm password policy. + aliases: + - passwordPolicy + type: str + organizations_enabled: + description: + - Enables support for experimental organization feature. + aliases: + - organizationsEnabled + type: bool + version_added: 10.0.0 + permanent_lockout: + description: + - The realm permanent lockout. + aliases: + - permanentLockout + type: bool + quick_login_check_milli_seconds: + description: + - The realm quick login check in milliseconds. + aliases: + - quickLoginCheckMilliSeconds + type: int + refresh_token_max_reuse: + description: + - The realm refresh token max reuse. + aliases: + - refreshTokenMaxReuse + type: int + registration_allowed: + description: + - The realm registration allowed option. + aliases: + - registrationAllowed + type: bool + registration_email_as_username: + description: + - The realm registration email as username option. + aliases: + - registrationEmailAsUsername + type: bool + registration_flow: + description: + - The realm registration flow. + aliases: + - registrationFlow + type: str + remember_me: + description: + - The realm remember me option. + aliases: + - rememberMe + type: bool + reset_credentials_flow: + description: + - The realm reset credentials flow. + aliases: + - resetCredentialsFlow + type: str + reset_password_allowed: + description: + - The realm reset password allowed option. + aliases: + - resetPasswordAllowed + type: bool + revoke_refresh_token: + description: + - The realm revoke refresh token option. + aliases: + - revokeRefreshToken + type: bool + smtp_server: + description: + - The realm smtp server. + aliases: + - smtpServer + type: dict + ssl_required: + description: + - The realm ssl required option. + choices: ['all', 'external', 'none'] + aliases: + - sslRequired + type: str + sso_session_idle_timeout: + description: + - The realm sso session idle timeout. + aliases: + - ssoSessionIdleTimeout + type: int + sso_session_idle_timeout_remember_me: + description: + - The realm sso session idle timeout remember me. + aliases: + - ssoSessionIdleTimeoutRememberMe + type: int + sso_session_max_lifespan: + description: + - The realm sso session max lifespan. + aliases: + - ssoSessionMaxLifespan + type: int + sso_session_max_lifespan_remember_me: + description: + - The realm sso session max lifespan remember me. + aliases: + - ssoSessionMaxLifespanRememberMe + type: int + supported_locales: + description: + - The realm supported locales. + aliases: + - supportedLocales + type: list + elements: str + user_managed_access_allowed: + description: + - The realm user managed access allowed option. + aliases: + - userManagedAccessAllowed + type: bool + verify_email: + description: + - The realm verify email option. + aliases: + - verifyEmail + type: bool + wait_increment_seconds: + description: + - The realm wait increment in seconds. + aliases: + - waitIncrementSeconds + type: int extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Christophe Gilles (@kris2kris) -''' + - Christophe Gilles (@kris2kris) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create or update Keycloak realm (minimal example) community.general.keycloak_realm: auth_client_id: admin-cli @@ -546,46 +539,33 @@ EXAMPLES = ''' auth_password: PASSWORD id: test state: absent +""" -''' - -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Realm testrealm has been updated" + description: Message as to what action was taken. + returned: always + type: str + sample: "Realm testrealm has been updated" proposed: - description: Representation of proposed realm. - returned: always - type: dict - sample: { - id: "test" - } + description: Representation of proposed realm. + returned: always + type: dict + sample: {id: "test"} existing: - description: Representation of existing realm (sample is truncated). - returned: always - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } + description: Representation of existing realm (sample is truncated). + returned: always + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} end_state: - description: Representation of realm after module execution (sample is truncated). - returned: on success - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } -''' + description: Representation of realm after module execution (sample is truncated). + returned: on success + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_realm_info.py b/plugins/modules/keycloak_realm_info.py index 5c2ebb4c9e..e3e4f08248 100644 --- a/plugins/modules/keycloak_realm_info.py +++ b/plugins/modules/keycloak_realm_info.py @@ -8,98 +8,93 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_realm_info -short_description: Allows obtaining Keycloak realm public information via Keycloak API +short_description: Allows obtaining Keycloak realm public information using Keycloak API version_added: 4.3.0 description: - - This module allows you to get Keycloak realm public information via the Keycloak REST API. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - + - This module allows you to get Keycloak realm public information using the Keycloak REST API. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. extends_documentation_fragment: - - community.general.attributes - - community.general.attributes.info_module + - community.general.attributes + - community.general.attributes.info_module options: - auth_keycloak_url: - description: - - URL to the Keycloak instance. - type: str - required: true - aliases: - - url - validate_certs: - description: - - Verify TLS certificates (do not disable this in production). - type: bool - default: true + auth_keycloak_url: + description: + - URL to the Keycloak instance. + type: str + required: true + aliases: + - url + validate_certs: + description: + - Verify TLS certificates (do not disable this in production). + type: bool + default: true - realm: - type: str - description: - - They Keycloak realm ID. - default: 'master' + realm: + type: str + description: + - They Keycloak realm ID. + default: 'master' author: - - Fynn Chen (@fynncfchen) -''' + - Fynn Chen (@fynncfchen) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Get a Keycloak public key community.general.keycloak_realm_info: realm: MyCustomRealm auth_keycloak_url: https://auth.example.com/auth delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str realm_info: - description: - - Representation of the realm public information. - returned: always - type: dict - contains: - realm: - description: Realm ID. - type: str - returned: always - sample: MyRealm - public_key: - description: Public key of the realm. - type: str - returned: always - sample: MIIBIjANBgkqhkiG9w0BAQEFAAO... - token-service: - description: Token endpoint URL. - type: str - returned: always - sample: https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect - account-service: - description: Account console URL. - type: str - returned: always - sample: https://auth.example.com/auth/realms/MyRealm/account - tokens-not-before: - description: The token not before. - type: int - returned: always - sample: 0 -''' + description: + - Representation of the realm public information. + returned: always + type: dict + contains: + realm: + description: Realm ID. + type: str + returned: always + sample: MyRealm + public_key: + description: Public key of the realm. + type: str + returned: always + sample: MIIBIjANBgkqhkiG9w0BAQEFAAO... + token-service: + description: Token endpoint URL. + type: str + returned: always + sample: https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect + account-service: + description: Account console URL. + type: str + returned: always + sample: https://auth.example.com/auth/realms/MyRealm/account + tokens-not-before: + description: The token not before. + type: int + returned: always + sample: 0 +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI from ansible.module_utils.basic import AnsibleModule diff --git a/plugins/modules/keycloak_realm_key.py b/plugins/modules/keycloak_realm_key.py index 159fb77d4b..0f7c5ae114 100644 --- a/plugins/modules/keycloak_realm_key.py +++ b/plugins/modules/keycloak_realm_key.py @@ -9,145 +9,123 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_realm_key -short_description: Allows administration of Keycloak realm keys via Keycloak API +short_description: Allows administration of Keycloak realm keys using Keycloak API version_added: 7.5.0 description: - - This module allows the administration of Keycloak realm keys via the Keycloak REST API. It - requires access to the REST API via OpenID Connect; the user connecting and the realm being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate realm definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - Aliases are provided so camelCased versions can be used as well. - - - This module is unable to detect changes to the actual cryptographic key after importing it. - However, if some other property is changed alongside the cryptographic key, then the key - will also get changed as a side-effect, as the JSON payload needs to include the private key. - This can be considered either a bug or a feature, as the alternative would be to always - update the realm key whether it has changed or not. - - - If certificate is not explicitly provided it will be dynamically created by Keycloak. - Therefore comparing the current state of the certificate to the desired state (which may be - empty) is not possible. - + - This module allows the administration of Keycloak realm keys using the Keycloak REST API. It requires access to the REST API using OpenID Connect; + the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin + user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + Aliases are provided so camelCased versions can be used as well. + - This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property is changed alongside + the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs to include the private key. This can + be considered either a bug or a feature, as the alternative would be to always update the realm key whether it has changed or not. + - If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate + to the desired state (which may be empty) is not possible. attributes: - check_mode: - support: full - diff_mode: - support: partial - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: partial + action_group: + version_added: 10.2.0 options: - state: + state: + description: + - State of the keycloak realm key. + - On V(present), the realm key will be created (or updated if it exists already). + - On V(absent), the realm key will be removed if it exists. + choices: ['present', 'absent'] + default: 'present' + type: str + name: + description: + - Name of the realm key to create. + type: str + required: true + force: + description: + - Enforce the state of the private key and certificate. This is not automatically the case as this module is unable to determine the current + state of the private key and thus cannot trigger an update based on an actual divergence. That said, a private key update may happen even + if force is false as a side-effect of other changes. + default: false + type: bool + parent_id: + description: + - The parent_id of the realm key. In practice the name of the realm. + type: str + required: true + provider_id: + description: + - The name of the "provider ID" for the key. + - The value V(rsa-enc) has been added in community.general 8.2.0. + choices: ['rsa', 'rsa-enc'] + default: 'rsa' + type: str + config: + description: + - Dict specifying the key and its properties. + type: dict + suboptions: + active: description: - - State of the keycloak realm key. - - On V(present), the realm key will be created (or updated if it exists already). - - On V(absent), the realm key will be removed if it exists. - choices: ['present', 'absent'] - default: 'present' - type: str - name: - description: - - Name of the realm key to create. - type: str - required: true - force: - description: - - Enforce the state of the private key and certificate. This is not automatically the - case as this module is unable to determine the current state of the private key and - thus cannot trigger an update based on an actual divergence. That said, a private key - update may happen even if force is false as a side-effect of other changes. - default: false + - Whether they key is active or inactive. Not to be confused with the state of the Ansible resource managed by the O(state) parameter. + default: true type: bool - parent_id: + enabled: description: - - The parent_id of the realm key. In practice the name of the realm. - type: str + - Whether the key is enabled or disabled. Not to be confused with the state of the Ansible resource managed by the O(state) parameter. + default: true + type: bool + priority: + description: + - The priority of the key. + type: int required: true - provider_id: + algorithm: description: - - The name of the "provider ID" for the key. - - The value V(rsa-enc) has been added in community.general 8.2.0. - choices: ['rsa', 'rsa-enc'] - default: 'rsa' + - Key algorithm. + - The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general + 8.2.0. + default: RS256 + choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256'] type: str - config: + private_key: description: - - Dict specifying the key and its properties. - type: dict - suboptions: - active: - description: - - Whether they key is active or inactive. Not to be confused with the state - of the Ansible resource managed by the O(state) parameter. - default: true - type: bool - enabled: - description: - - Whether the key is enabled or disabled. Not to be confused with the state - of the Ansible resource managed by the O(state) parameter. - default: true - type: bool - priority: - description: - - The priority of the key. - type: int - required: true - algorithm: - description: - - Key algorithm. - - The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), - V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general 8.2.0. - default: RS256 - choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256'] - type: str - private_key: - description: - - The private key as an ASCII string. Contents of the key must match O(config.algorithm) - and O(provider_id). - - Please note that the module cannot detect whether the private key specified differs from the - current state's private key. Use O(force=true) to force the module to update the private key - if you expect it to be updated. - required: true - type: str - certificate: - description: - - A certificate signed with the private key as an ASCII string. Contents of the - key must match O(config.algorithm) and O(provider_id). - - If you want Keycloak to automatically generate a certificate using your private key - then set this to an empty string. - required: true - type: str + - The private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id). + - Please note that the module cannot detect whether the private key specified differs from the current state's private key. Use O(force=true) + to force the module to update the private key if you expect it to be updated. + required: true + type: str + certificate: + description: + - A certificate signed with the private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id). + - If you want Keycloak to automatically generate a certificate using your private key then set this to an empty string. + required: true + type: str notes: - - Current value of the private key cannot be fetched from Keycloak. - Therefore comparing its desired state to the current state is not - possible. - - If certificate is not explicitly provided it will be dynamically created - by Keycloak. Therefore comparing the current state of the certificate to - the desired state (which may be empty) is not possible. - - Due to the private key and certificate options the module is - B(not fully idempotent). You can use O(force=true) to force the module - to always update if you know that the private key might have changed. - + - Current value of the private key cannot be fetched from Keycloak. Therefore comparing its desired state to the current state is not possible. + - If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate + to the desired state (which may be empty) is not possible. + - Due to the private key and certificate options the module is B(not fully idempotent). You can use O(force=true) to force the module to always + update if you know that the private key might have changed. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Samuli Seppänen (@mattock) -''' + - Samuli Seppänen (@mattock) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Manage Keycloak realm key (certificate autogenerated by Keycloak) community.general.keycloak_realm_key: name: custom @@ -182,54 +160,49 @@ EXAMPLES = ''' active: true priority: 120 algorithm: RS256 -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str end_state: - description: Representation of the keycloak_realm_key after module execution. - returned: on success - type: dict - contains: - id: - description: ID of the realm key. - type: str - returned: when O(state=present) - sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4 - name: - description: Name of the realm key. - type: str - returned: when O(state=present) - sample: mykey - parentId: - description: ID of the realm this key belongs to. - type: str - returned: when O(state=present) - sample: myrealm - providerId: - description: The ID of the key provider. - type: str - returned: when O(state=present) - sample: rsa - providerType: - description: The type of provider. - type: str - returned: when O(state=present) - config: - description: Realm key configuration. - type: dict - returned: when O(state=present) - sample: { - "active": ["true"], - "algorithm": ["RS256"], - "enabled": ["true"], - "priority": ["140"] - } -''' + description: Representation of the keycloak_realm_key after module execution. + returned: on success + type: dict + contains: + id: + description: ID of the realm key. + type: str + returned: when O(state=present) + sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4 + name: + description: Name of the realm key. + type: str + returned: when O(state=present) + sample: mykey + parentId: + description: ID of the realm this key belongs to. + type: str + returned: when O(state=present) + sample: myrealm + providerId: + description: The ID of the key provider. + type: str + returned: when O(state=present) + sample: rsa + providerType: + description: The type of provider. + type: str + returned: when O(state=present) + config: + description: Realm key configuration. + type: dict + returned: when O(state=present) + sample: {"active": ["true"], "algorithm": ["RS256"], "enabled": ["true"], "priority": ["140"]} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_realm_keys_metadata_info.py b/plugins/modules/keycloak_realm_keys_metadata_info.py index 9b490fad58..d116e3435b 100644 --- a/plugins/modules/keycloak_realm_keys_metadata_info.py +++ b/plugins/modules/keycloak_realm_keys_metadata_info.py @@ -9,42 +9,39 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = """ ---- +DOCUMENTATION = r""" module: keycloak_realm_keys_metadata_info -short_description: Allows obtaining Keycloak realm keys metadata via Keycloak API +short_description: Allows obtaining Keycloak realm keys metadata using Keycloak API version_added: 9.3.0 description: - - This module allows you to get Keycloak realm keys metadata via the Keycloak REST API. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). - + - This module allows you to get Keycloak realm keys metadata using the Keycloak REST API. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). attributes: - action_group: - version_added: 10.2.0 + action_group: + version_added: 10.2.0 options: - realm: - type: str - description: - - They Keycloak realm to fetch keys metadata. - default: 'master' + realm: + type: str + description: + - They Keycloak realm to fetch keys metadata. + default: 'master' extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes - - community.general.attributes.info_module + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes + - community.general.attributes.info_module author: - - Thomas Bach (@thomasbach-dev) + - Thomas Bach (@thomasbach-dev) """ -EXAMPLES = """ +EXAMPLES = r""" - name: Fetch Keys metadata community.general.keycloak_realm_keys_metadata_info: auth_keycloak_url: https://auth.example.com/auth @@ -67,30 +64,28 @@ EXAMPLES = """ delegate_to: localhost """ -RETURN = """ +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str + description: Message as to what action was taken. + returned: always + type: str keys_metadata: - description: + description: - - Representation of the realm keys metadata (see - U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)). - - returned: always - type: dict - contains: - active: - description: A mapping (that is, a dict) from key algorithms to UUIDs. - type: dict - returned: always - keys: - description: A list of dicts providing detailed information on the keys. - type: list - elements: dict - returned: always + - Representation of the realm keys metadata (see U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)). + returned: always + type: dict + contains: + active: + description: A mapping (that is, a dict) from key algorithms to UUIDs. + type: dict + returned: always + keys: + description: A list of dicts providing detailed information on the keys. + type: list + elements: dict + returned: always """ from ansible.module_utils.basic import AnsibleModule diff --git a/plugins/modules/keycloak_realm_rolemapping.py b/plugins/modules/keycloak_realm_rolemapping.py index 0c24b2f949..bed65057a4 100644 --- a/plugins/modules/keycloak_realm_rolemapping.py +++ b/plugins/modules/keycloak_realm_rolemapping.py @@ -8,8 +8,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_realm_rolemapping short_description: Allows administration of Keycloak realm role mappings into groups with the Keycloak API @@ -17,119 +16,104 @@ short_description: Allows administration of Keycloak realm role mappings into gr version_added: 8.2.0 description: - - This module allows you to add, remove or modify Keycloak realm role - mappings into groups with the Keycloak REST API. It requires access to the - REST API via OpenID Connect; the user connecting and the client being used - must have the requisite access rights. In a default Keycloak installation, - admin-cli and an admin user would work, as would a separate client - definition with the scope tailored to your needs and a user having the - expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - - - When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup - to the API to translate the name into the role ID. - + - This module allows you to add, remove or modify Keycloak realm role mappings into groups with the Keycloak REST API. It requires access to + the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak + installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user + having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. + - When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name + into the role ID. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the realm_rolemapping. - - On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - - On C(absent), the realm_rolemapping will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the realm_rolemapping. + - On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. + - On C(absent), the realm_rolemapping will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - realm: + realm: + type: str + description: + - They Keycloak realm under which this role_representation resides. + default: 'master' + + group_name: + type: str + description: + - Name of the group to be mapped. + - This parameter is required (can be replaced by gid for less API call). + parents: + type: list + description: + - List of parent groups for the group to handle sorted top to bottom. + - Set this if your group is a subgroup and you do not provide the GID in O(gid). + elements: dict + suboptions: + id: type: str description: - - They Keycloak realm under which this role_representation resides. - default: 'master' - - group_name: + - Identify parent by ID. + - Needs less API calls than using O(parents[].name). + - A deep parent chain can be started at any point when first given parent is given as ID. + - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, + with ID being preferred. + name: type: str description: - - Name of the group to be mapped. - - This parameter is required (can be replaced by gid for less API call). - - parents: - type: list - description: - - List of parent groups for the group to handle sorted top to bottom. - - >- - Set this if your group is a subgroup and you do not provide the GID in O(gid). - elements: dict - suboptions: - id: - type: str - description: - - Identify parent by ID. - - Needs less API calls than using O(parents[].name). - - A deep parent chain can be started at any point when first given parent is given as ID. - - Note that in principle both ID and name can be specified at the same time - but current implementation only always use just one of them, with ID - being preferred. - name: - type: str - description: - - Identify parent by name. - - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. - - When giving a parent chain with only names it must be complete up to the top. - - Note that in principle both ID and name can be specified at the same time - but current implementation only always use just one of them, with ID - being preferred. - gid: + - Identify parent by name. + - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. + - When giving a parent chain with only names it must be complete up to the top. + - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, + with ID being preferred. + gid: + type: str + description: + - ID of the group to be mapped. + - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. + roles: + description: + - Roles to be mapped to the group. + type: list + elements: dict + suboptions: + name: type: str description: - - ID of the group to be mapped. - - This parameter is not required for updating or deleting the rolemapping but - providing it will reduce the number of API calls required. - - roles: + - Name of the role_representation. + - This parameter is required only when creating or updating the role_representation. + id: + type: str description: - - Roles to be mapped to the group. - type: list - elements: dict - suboptions: - name: - type: str - description: - - Name of the role_representation. - - This parameter is required only when creating or updating the role_representation. - id: - type: str - description: - - The unique identifier for this role_representation. - - This parameter is not required for updating or deleting a role_representation but - providing it will reduce the number of API calls required. - + - The unique identifier for this role_representation. + - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls + required. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Gaëtan Daubresse (@Gaetan2907) - - Marius Huysamen (@mhuysamen) - - Alexander Groß (@agross) -''' + - Gaëtan Daubresse (@Gaetan2907) + - Marius Huysamen (@mhuysamen) + - Alexander Groß (@agross) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Map a client role to a group, authentication with credentials community.general.keycloak_realm_rolemapping: realm: MyCustomRealm @@ -195,49 +179,37 @@ EXAMPLES = ''' - name: role_name2 id: role_id2 delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Role role1 assigned to group group1." + description: Message as to what action was taken. + returned: always + type: str + sample: "Role role1 assigned to group group1." proposed: - description: Representation of proposed client role mapping. - returned: always - type: dict - sample: { - clientId: "test" - } + description: Representation of proposed client role mapping. + returned: always + type: dict + sample: {clientId: "test"} existing: - description: - - Representation of existing client role mapping. - - The sample is truncated. - returned: always - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } + description: + - Representation of existing client role mapping. + - The sample is truncated. + returned: always + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} end_state: - description: - - Representation of client role mapping after module execution. - - The sample is truncated. - returned: on success - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } -''' + description: + - Representation of client role mapping after module execution. + - The sample is truncated. + returned: on success + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, diff --git a/plugins/modules/keycloak_role.py b/plugins/modules/keycloak_role.py index 3978260189..3e7644bf6c 100644 --- a/plugins/modules/keycloak_role.py +++ b/plugins/modules/keycloak_role.py @@ -8,124 +8,114 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_role -short_description: Allows administration of Keycloak roles via Keycloak API +short_description: Allows administration of Keycloak roles using Keycloak API version_added: 3.4.0 description: - - This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - + - This module allows you to add, remove or modify Keycloak roles using the Keycloak REST API. It requires access to the REST API using OpenID Connect; + the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an + admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the role. - - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide. - - On V(absent), the role will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the role. + - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the role will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - name: + name: + type: str + required: true + description: + - Name of the role. + - This parameter is required. + description: + type: str + description: + - The role description. + realm: + type: str + description: + - The Keycloak realm under which this role resides. + default: 'master' + + client_id: + type: str + description: + - If the role is a client role, the client id under which it resides. + - If this parameter is absent, the role is considered a realm role. + attributes: + type: dict + description: + - A dict of key/value pairs to set as custom attributes for the role. + - Values may be single values (for example a string) or a list of strings. + composite: + description: + - If V(true), the role is a composition of other realm and/or client role. + default: false + type: bool + version_added: 7.1.0 + composites: + description: + - List of roles to include to the composite realm role. + - If the composite role is a client role, the C(clientId) (not ID of the client) must be specified. + default: [] + type: list + elements: dict + version_added: 7.1.0 + suboptions: + name: + description: + - Name of the role. This can be the name of a REALM role or a client role. type: str required: true + client_id: description: - - Name of the role. - - This parameter is required. - - description: + - Client ID if the role is a client role. Do not include this option for a REALM role. + - Use the client ID you can see in the Keycloak console, not the technical ID of the client. type: str + required: false + aliases: + - clientId + state: description: - - The role description. - - realm: + - Create the composite if present, remove it if absent. type: str - description: - - The Keycloak realm under which this role resides. - default: 'master' - - client_id: - type: str - description: - - If the role is a client role, the client id under which it resides. - - If this parameter is absent, the role is considered a realm role. - - attributes: - type: dict - description: - - A dict of key/value pairs to set as custom attributes for the role. - - Values may be single values (e.g. a string) or a list of strings. - composite: - description: - - If V(true), the role is a composition of other realm and/or client role. - default: false - type: bool - version_added: 7.1.0 - composites: - description: - - List of roles to include to the composite realm role. - - If the composite role is a client role, the C(clientId) (not ID of the client) must be specified. - default: [] - type: list - elements: dict - version_added: 7.1.0 - suboptions: - name: - description: - - Name of the role. This can be the name of a REALM role or a client role. - type: str - required: true - client_id: - description: - - Client ID if the role is a client role. Do not include this option for a REALM role. - - Use the client ID you can see in the Keycloak console, not the technical ID of the client. - type: str - required: false - aliases: - - clientId - state: - description: - - Create the composite if present, remove it if absent. - type: str - choices: - - present - - absent - default: present + choices: + - present + - absent + default: present extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Laurent Paumier (@laurpaum) -''' + - Laurent Paumier (@laurpaum) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create a Keycloak realm role, authentication with credentials community.general.keycloak_role: name: my-new-kc-role @@ -181,60 +171,44 @@ EXAMPLES = ''' auth_password: PASSWORD name: my-new-role attributes: - attrib1: value1 - attrib2: value2 - attrib3: - - with - - numerous - - individual - - list - - items + attrib1: value1 + attrib2: value2 + attrib3: + - with + - numerous + - individual + - list + - items delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Role myrole has been updated" + description: Message as to what action was taken. + returned: always + type: str + sample: "Role myrole has been updated" proposed: - description: Representation of proposed role. - returned: always - type: dict - sample: { - "description": "My updated test description" - } + description: Representation of proposed role. + returned: always + type: dict + sample: {"description": "My updated test description"} existing: - description: Representation of existing role. - returned: always - type: dict - sample: { - "attributes": {}, - "clientRole": true, - "composite": false, - "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", - "description": "My client test role", - "id": "561703dd-0f38-45ff-9a5a-0c978f794547", - "name": "myrole" - } + description: Representation of existing role. + returned: always + type: dict + sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My + client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"} end_state: - description: Representation of role after module execution (sample is truncated). - returned: on success - type: dict - sample: { - "attributes": {}, - "clientRole": true, - "composite": false, - "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", - "description": "My updated client test role", - "id": "561703dd-0f38-45ff-9a5a-0c978f794547", - "name": "myrole" - } -''' + description: Representation of role after module execution (sample is truncated). + returned: on success + type: dict + sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My + updated client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError, is_struct_included @@ -290,7 +264,7 @@ def main(): state = module.params.get('state') # attributes in Keycloak have their values returned as lists - # via the API. attributes is a dict, so we'll transparently convert + # using the API. attributes is a dict, so we'll transparently convert # the values to lists. if module.params.get('attributes') is not None: for key, val in module.params['attributes'].items(): diff --git a/plugins/modules/keycloak_user.py b/plugins/modules/keycloak_user.py index cb63707402..65880548ab 100644 --- a/plugins/modules/keycloak_user.py +++ b/plugins/modules/keycloak_user.py @@ -9,225 +9,224 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_user short_description: Create and configure a user in Keycloak description: - - This module creates, removes, or updates Keycloak users. + - This module creates, removes, or updates Keycloak users. version_added: 7.1.0 options: - auth_username: - aliases: [] - realm: + auth_username: + aliases: [] + realm: + description: + - The name of the realm in which is the client. + default: master + type: str + username: + description: + - Username for the user. + required: true + type: str + id: + description: + - ID of the user on the Keycloak server if known. + type: str + enabled: + description: + - Enabled user. + type: bool + email_verified: + description: + - Check the validity of user email. + default: false + type: bool + aliases: + - emailVerified + first_name: + description: + - The user's first name. + required: false + type: str + aliases: + - firstName + last_name: + description: + - The user's last name. + required: false + type: str + aliases: + - lastName + email: + description: + - User email. + required: false + type: str + federation_link: + description: + - Federation Link. + required: false + type: str + aliases: + - federationLink + service_account_client_id: + description: + - Description of the client Application. + required: false + type: str + aliases: + - serviceAccountClientId + client_consents: + description: + - Client Authenticator Type. + type: list + elements: dict + default: [] + aliases: + - clientConsents + suboptions: + client_id: description: - - The name of the realm in which is the client. - default: master + - Client ID of the client role. Not the technical ID of the client. type: str - username: - description: - - Username for the user. required: true - type: str - id: - description: - - ID of the user on the Keycloak server if known. - type: str - enabled: - description: - - Enabled user. - type: bool - email_verified: - description: - - Check the validity of user email. - default: false - type: bool aliases: - - emailVerified - first_name: + - clientId + roles: description: - - The user's first name. - required: false - type: str - aliases: - - firstName - last_name: - description: - - The user's last name. - required: false - type: str - aliases: - - lastName - email: - description: - - User email. - required: false - type: str - federation_link: - description: - - Federation Link. - required: false - type: str - aliases: - - federationLink - service_account_client_id: - description: - - Description of the client Application. - required: false - type: str - aliases: - - serviceAccountClientId - client_consents: - description: - - Client Authenticator Type. - type: list - elements: dict - default: [] - aliases: - - clientConsents - suboptions: - client_id: - description: - - Client ID of the client role. Not the technical ID of the client. - type: str - required: true - aliases: - - clientId - roles: - description: - - List of client roles to assign to the user. - type: list - required: true - elements: str - groups: - description: - - List of groups for the user. - type: list - elements: dict - default: [] - suboptions: - name: - description: - - Name of the group. - type: str - state: - description: - - Control whether the user must be member of this group or not. - choices: [ "present", "absent" ] - default: present - type: str - credentials: - description: - - User credentials. - default: [] - type: list - elements: dict - suboptions: - type: - description: - - Credential type. - type: str - required: true - value: - description: - - Value of the credential. - type: str - required: true - temporary: - description: - - If V(true), the users are required to reset their credentials at next login. - type: bool - default: false - required_actions: - description: - - RequiredActions user Auth. - default: [] + - List of client roles to assign to the user. type: list + required: true elements: str - aliases: - - requiredActions - federated_identities: + groups: + description: + - List of groups for the user. + type: list + elements: dict + default: [] + suboptions: + name: description: - - List of IDPs of user. - default: [] - type: list - elements: str - aliases: - - federatedIdentities - attributes: - description: - - List of user attributes. - required: false - type: list - elements: dict - suboptions: - name: - description: - - Name of the attribute. - type: str - values: - description: - - Values for the attribute as list. - type: list - elements: str - state: - description: - - Control whether the attribute must exists or not. - choices: [ "present", "absent" ] - default: present - type: str - access: - description: - - list user access. - required: false - type: dict - disableable_credential_types: - description: - - list user Credential Type. - default: [] - type: list - elements: str - aliases: - - disableableCredentialTypes - origin: - description: - - user origin. - required: false + - Name of the group. type: str - self: + state: description: - - user self administration. - required: false - type: str - state: - description: - - Control whether the user should exists or not. - choices: [ "present", "absent" ] + - Control whether the user must be member of this group or not. + choices: ["present", "absent"] default: present type: str - force: + credentials: + description: + - User credentials. + default: [] + type: list + elements: dict + suboptions: + type: description: - - If V(true), allows to remove user and recreate it. + - Credential type. + type: str + required: true + value: + description: + - Value of the credential. + type: str + required: true + temporary: + description: + - If V(true), the users are required to reset their credentials at next login. type: bool default: false + required_actions: + description: + - RequiredActions user Auth. + default: [] + type: list + elements: str + aliases: + - requiredActions + federated_identities: + description: + - List of IDPs of user. + default: [] + type: list + elements: str + aliases: + - federatedIdentities + attributes: + description: + - List of user attributes. + required: false + type: list + elements: dict + suboptions: + name: + description: + - Name of the attribute. + type: str + values: + description: + - Values for the attribute as list. + type: list + elements: str + state: + description: + - Control whether the attribute must exists or not. + choices: ["present", "absent"] + default: present + type: str + access: + description: + - List user access. + required: false + type: dict + disableable_credential_types: + description: + - List user Credential Type. + default: [] + type: list + elements: str + aliases: + - disableableCredentialTypes + origin: + description: + - User origin. + required: false + type: str + self: + description: + - User self administration. + required: false + type: str + state: + description: + - Control whether the user should exists or not. + choices: ["present", "absent"] + default: present + type: str + force: + description: + - If V(true), allows to remove user and recreate it. + type: bool + default: false extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 notes: - - The module does not modify the user ID of an existing user. + - The module does not modify the user ID of an existing user. author: - - Philippe Gauthier (@elfelip) -''' + - Philippe Gauthier (@elfelip) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create a user user1 community.general.keycloak_user: auth_keycloak_url: http://localhost:8080/auth @@ -241,21 +240,21 @@ EXAMPLES = ''' enabled: true emailVerified: false credentials: - - type: password - value: password - temporary: false + - type: password + value: password + temporary: false attributes: - - name: attr1 - values: - - value1 - state: present - - name: attr2 - values: - - value2 - state: absent + - name: attr1 + values: + - value1 + state: present + - name: attr2 + values: + - value2 + state: absent groups: - - name: group1 - state: present + - name: group1 + state: present state: present - name: Re-create a User @@ -271,21 +270,21 @@ EXAMPLES = ''' enabled: true emailVerified: false credentials: - - type: password - value: password - temporary: false + - type: password + value: password + temporary: false attributes: - - name: attr1 - values: - - value1 - state: present - - name: attr2 - values: - - value2 - state: absent + - name: attr1 + values: + - value1 + state: present + - name: attr2 + values: + - value2 + state: absent groups: - - name: group1 - state: present + - name: group1 + state: present state: present - name: Re-create a User @@ -301,21 +300,21 @@ EXAMPLES = ''' enabled: true emailVerified: false credentials: - - type: password - value: password - temporary: false + - type: password + value: password + temporary: false attributes: - - name: attr1 - values: - - value1 - state: present - - name: attr2 - values: - - value2 - state: absent + - name: attr1 + values: + - value1 + state: present + - name: attr2 + values: + - value2 + state: absent groups: - - name: group1 - state: present + - name: group1 + state: present state: present force: true @@ -327,9 +326,9 @@ EXAMPLES = ''' realm: master username: user1 state: absent -''' +""" -RETURN = ''' +RETURN = r""" msg: description: Message as to what action was taken. returned: always @@ -344,14 +343,15 @@ existing: returned: on success type: dict end_state: - description: Representation of the user after module execution + description: Representation of the user after module execution. returned: on success type: dict changed: description: Return V(true) if the operation changed the user on the keycloak server, V(false) otherwise. returned: always type: bool -''' +""" + from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError, is_struct_included from ansible.module_utils.basic import AnsibleModule diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py index 4533fa800d..7c49510fd6 100644 --- a/plugins/modules/keycloak_user_federation.py +++ b/plugins/modules/keycloak_user_federation.py @@ -8,623 +8,583 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_user_federation -short_description: Allows administration of Keycloak user federations via Keycloak API +short_description: Allows administration of Keycloak user federations using Keycloak API version_added: 3.7.0 description: - - This module allows you to add, remove or modify Keycloak user federations via the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html). - + - This module allows you to add, remove or modify Keycloak user federations using the Keycloak REST API. It requires access to the REST API using + OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli + and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html). attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the user federation. - - On V(present), the user federation will be created if it does not yet exist, or updated with - the parameters you provide. - - On V(absent), the user federation will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the user federation. + - On V(present), the user federation will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the user federation will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - realm: - description: - - The Keycloak realm under which this user federation resides. - default: 'master' - type: str + realm: + description: + - The Keycloak realm under which this user federation resides. + default: 'master' + type: str - id: - description: - - The unique ID for this user federation. If left empty, the user federation will be searched - by its O(name). - type: str + id: + description: + - The unique ID for this user federation. If left empty, the user federation will be searched by its O(name). + type: str - name: - description: - - Display name of provider when linked in admin console. - type: str + name: + description: + - Display name of provider when linked in admin console. + type: str - provider_id: - description: - - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). - Custom user storage providers can also be used. - aliases: - - providerId - type: str + provider_id: + description: + - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). Custom user storage providers can also be + used. + aliases: + - providerId + type: str - provider_type: - description: - - Component type for user federation (only supported value is V(org.keycloak.storage.UserStorageProvider)). - aliases: - - providerType - default: org.keycloak.storage.UserStorageProvider - type: str + provider_type: + description: + - Component type for user federation (only supported value is V(org.keycloak.storage.UserStorageProvider)). + aliases: + - providerType + default: org.keycloak.storage.UserStorageProvider + type: str - parent_id: - description: - - Unique ID for the parent of this user federation. Realm ID will be automatically used if left blank. - aliases: - - parentId - type: str + parent_id: + description: + - Unique ID for the parent of this user federation. Realm ID will be automatically used if left blank. + aliases: + - parentId + type: str - remove_unspecified_mappers: + remove_unspecified_mappers: + description: + - Remove mappers that are not specified in the configuration for this federation. + - Set to V(false) to keep mappers that are not listed in O(mappers). + type: bool + default: true + version_added: 9.4.0 + + bind_credential_update_mode: + description: + - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. Comparing the redacted value with the + desired value always evaluates to not equal. This means the before and desired states are never equal if the parameter is set. + - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. Because of the redacted value returned + by Keycloak the module will always detect a change and make an update if a O(config.bindCredential) value is set. + - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the desired state. + The value of O(config.bindCredential) will only be updated if there are other changes to the user federation that require an update. + type: str + default: always + choices: + - always + - only_indirect + version_added: 9.5.0 + + config: + description: + - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are + given below for V(ldap), V(kerberos) and V(sssd). It is easiest to obtain valid config values by dumping an already-existing user federation + configuration through check-mode in the RV(existing) field. + - The value V(sssd) has been supported since community.general 4.2.0. + type: dict + suboptions: + enabled: description: - - Remove mappers that are not specified in the configuration for this federation. - - Set to V(false) to keep mappers that are not listed in O(mappers). - type: bool + - Enable/disable this user federation. default: true - version_added: 9.4.0 + type: bool - bind_credential_update_mode: + priority: description: - - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. - Comparing the redacted value with the desired value always evaluates to not equal. This means - the before and desired states are never equal if the parameter is set. - - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. - Because of the redacted value returned by Keycloak the module will always detect a change - and make an update if a O(config.bindCredential) value is set. - - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the - desired state. The value of O(config.bindCredential) will only be updated if there are other changes - to the user federation that require an update. + - Priority of provider when doing a user lookup. Lowest first. + default: 0 + type: int + + importEnabled: + description: + - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured sync policies. + default: true + type: bool + + editMode: + description: + - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP on demand. V(UNSYNCED) means user data + will be imported, but not synced back to LDAP. type: str - default: always choices: - - always - - only_indirect + - READ_ONLY + - WRITABLE + - UNSYNCED + + syncRegistrations: + description: + - Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user. + default: false + type: bool + + vendor: + description: + - LDAP vendor (provider). + - Use short name. For instance, write V(rhds) for "Red Hat Directory Server". + type: str + + usernameLDAPAttribute: + description: + - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be V(uid). For Active directory + it can be V(sAMAccountName) or V(cn). The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak. + type: str + + rdnLDAPAttribute: + description: + - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as Username LDAP attribute, + however it is not required. For example for Active directory, it is common to use V(cn) as RDN attribute when username attribute might + be V(sAMAccountName). + type: str + + uuidLDAPAttribute: + description: + - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is + V(entryUUID); however some are different. For example for Active directory it should be V(objectGUID). If your LDAP server does not + support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. + type: str + + userObjectClasses: + description: + - All values of LDAP objectClass attribute for users in LDAP divided by comma. For example V(inetOrgPerson, organizationalPerson). Newly + created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they + contain all those object classes. + type: str + + connectionUrl: + description: + - Connection URL to your LDAP server. + type: str + + usersDn: + description: + - Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. + type: str + + customUserSearchFilter: + description: + - Additional LDAP Filter for filtering searched users. Leave this empty if you do not need additional filter. + type: str + + searchScope: + description: + - For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. + See LDAP documentation for more details. + default: '1' + type: str + choices: + - '1' + - '2' + + authType: + description: + - Type of the Authentication method used during LDAP Bind operation. It is used in most of the requests sent to the LDAP server. + default: 'none' + type: str + choices: + - none + - simple + + bindDn: + description: + - DN of LDAP user which will be used by Keycloak to access LDAP server. + type: str + + bindCredential: + description: + - Password of LDAP admin. + type: str + + startTls: + description: + - Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling. + default: false + type: bool + + usePasswordModifyExtendedOp: + description: + - Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user + already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP + attribute mapper' with randomly generated initial password. + default: false + type: bool + + validatePasswordPolicy: + description: + - Determines if Keycloak should validate the password with the realm password policy before updating it. + default: false + type: bool + + trustEmail: + description: + - If enabled, email provided by this provider is not verified even if verification is enabled for the realm. + default: false + type: bool + + useTruststoreSpi: + description: + - Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. V(always) + means that it will always use it. V(never) means that it will not use it. V(ldapsOnly) means that it will use if your connection URL + use ldaps. + - Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by C(javax.net.ssl.trustStore) + property will be used. + default: ldapsOnly + type: str + choices: + - always + - ldapsOnly + - never + + connectionTimeout: + description: + - LDAP Connection Timeout in milliseconds. + type: int + + readTimeout: + description: + - LDAP Read Timeout in milliseconds. This timeout applies for LDAP read operations. + type: int + + pagination: + description: + - Does the LDAP server support pagination. + default: true + type: bool + + connectionPooling: + description: + - Determines if Keycloak should use connection pooling for accessing LDAP server. + default: true + type: bool + + connectionPoolingAuthentication: + description: + - A list of space-separated authentication types of connections that may be pooled. + type: str + choices: + - none + - simple + - DIGEST-MD5 + + connectionPoolingDebug: + description: + - A string that indicates the level of debug output to produce. Example valid values are V(fine) (trace connection creation and removal) + and V(all) (all debugging information). + type: str + + connectionPoolingInitSize: + description: + - The number of connections per connection identity to create when initially creating a connection for the identity. + type: int + + connectionPoolingMaxSize: + description: + - The maximum number of connections per connection identity that can be maintained concurrently. + type: int + + connectionPoolingPrefSize: + description: + - The preferred number of connections per connection identity that should be maintained concurrently. + type: int + + connectionPoolingProtocol: + description: + - A list of space-separated protocol types of connections that may be pooled. Valid types are V(plain) and V(ssl). + type: str + + connectionPoolingTimeout: + description: + - The number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool. + type: int + + allowKerberosAuthentication: + description: + - Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from + this LDAP server. + default: false + type: bool + + kerberosRealm: + description: + - Name of kerberos realm. + type: str + + krbPrincipalAttribute: + description: + - Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO + authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding to the first part + of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), it will assume that LDAP username is V(john). + type: str + version_added: 8.1.0 + + serverPrincipal: + description: + - Full name of server principal for HTTP service including server and domain name. For example V(HTTP/host.foo.org@FOO.ORG). Use V(*) + to accept any service principal in the KeyTab file. + type: str + + keyTab: + description: + - Location of Kerberos KeyTab file containing the credentials of server principal. For example V(/etc/krb5.keytab). + type: str + + debug: + description: + - Enable/disable debug logging to standard output for Krb5LoginModule. + type: bool + + useKerberosForPasswordAuthentication: + description: + - Use Kerberos login module for authenticate username/password against Kerberos server instead of authenticating against LDAP server + with Directory Service API. + default: false + type: bool + + allowPasswordAuthentication: + description: + - Enable/disable possibility of username/password authentication against Kerberos database. + type: bool + + batchSizeForSync: + description: + - Count of LDAP users to be imported from LDAP to Keycloak within a single transaction. + default: 1000 + type: int + + fullSyncPeriod: + description: + - Period for full synchronization in seconds. + default: -1 + type: int + + changedSyncPeriod: + description: + - Period for synchronization of changed or newly created LDAP users in seconds. + default: -1 + type: int + + updateProfileFirstLogin: + description: + - Update profile on first login. + type: bool + + cachePolicy: + description: + - Cache Policy for this storage provider. + type: str + default: 'DEFAULT' + choices: + - DEFAULT + - EVICT_DAILY + - EVICT_WEEKLY + - MAX_LIFESPAN + - NO_CACHE + + evictionDay: + description: + - Day of the week the entry will become invalid on. + type: str + + evictionHour: + description: + - Hour of day the entry will become invalid on. + type: str + + evictionMinute: + description: + - Minute of day the entry will become invalid on. + type: str + + maxLifespan: + description: + - Max lifespan of cache entry in milliseconds. + type: int + + referral: + description: + - Specifies if LDAP referrals should be followed or ignored. Please note that enabling referrals can slow down authentication as it + allows the LDAP server to decide which other LDAP servers to use. This could potentially include untrusted servers. + type: str + choices: + - ignore + - follow version_added: 9.5.0 - config: + mappers: + description: + - A list of dicts defining mappers associated with this Identity Provider. + type: list + elements: dict + suboptions: + id: description: - - Dict specifying the configuration options for the provider; the contents differ depending on - the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd). - It is easiest to obtain valid config values by dumping an already-existing user federation - configuration through check-mode in the RV(existing) field. - - The value V(sssd) has been supported since community.general 4.2.0. + - Unique ID of this mapper. + type: str + + name: + description: + - Name of the mapper. If no ID is given, the mapper will be searched by name. + type: str + + parentId: + description: + - Unique ID for the parent of this mapper. ID of the user federation will automatically be used if left blank. + type: str + + providerId: + description: + - The mapper type for this mapper (for instance V(user-attribute-ldap-mapper)). + type: str + + providerType: + description: + - Component type for this mapper. + type: str + default: org.keycloak.storage.ldap.mappers.LDAPStorageMapper + + config: + description: + - Dict specifying the configuration options for the mapper; the contents differ depending on the value of I(identityProviderMapper). type: dict - suboptions: - enabled: - description: - - Enable/disable this user federation. - default: true - type: bool - - priority: - description: - - Priority of provider when doing a user lookup. Lowest first. - default: 0 - type: int - - importEnabled: - description: - - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured - sync policies. - default: true - type: bool - - editMode: - description: - - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP - on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP. - type: str - choices: - - READ_ONLY - - WRITABLE - - UNSYNCED - - syncRegistrations: - description: - - Should newly created users be created within LDAP store? Priority effects which - provider is chosen to sync the new user. - default: false - type: bool - - vendor: - description: - - LDAP vendor (provider). - - Use short name. For instance, write V(rhds) for "Red Hat Directory Server". - type: str - - usernameLDAPAttribute: - description: - - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server - vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn). - The attribute should be filled for all LDAP user records you want to import from - LDAP to Keycloak. - type: str - - rdnLDAPAttribute: - description: - - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. - Usually it's the same as Username LDAP attribute, however it is not required. For - example for Active directory, it is common to use V(cn) as RDN attribute when - username attribute might be V(sAMAccountName). - type: str - - uuidLDAPAttribute: - description: - - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects - in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different. - For example for Active directory it should be V(objectGUID). If your LDAP server does - not support the notion of UUID, you can use any other attribute that is supposed to - be unique among LDAP users in tree. - type: str - - userObjectClasses: - description: - - All values of LDAP objectClass attribute for users in LDAP divided by comma. - For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users - will be written to LDAP with all those object classes and existing LDAP user records - are found just if they contain all those object classes. - type: str - - connectionUrl: - description: - - Connection URL to your LDAP server. - type: str - - usersDn: - description: - - Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. - type: str - - customUserSearchFilter: - description: - - Additional LDAP Filter for filtering searched users. Leave this empty if you don't - need additional filter. - type: str - - searchScope: - description: - - For one level, the search applies only for users in the DNs specified by User DNs. - For subtree, the search applies to the whole subtree. See LDAP documentation for - more details. - default: '1' - type: str - choices: - - '1' - - '2' - - authType: - description: - - Type of the Authentication method used during LDAP Bind operation. It is used in - most of the requests sent to the LDAP server. - default: 'none' - type: str - choices: - - none - - simple - - bindDn: - description: - - DN of LDAP user which will be used by Keycloak to access LDAP server. - type: str - - bindCredential: - description: - - Password of LDAP admin. - type: str - - startTls: - description: - - Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling. - default: false - type: bool - - usePasswordModifyExtendedOp: - description: - - Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify - extended operation usually requires that LDAP user already has password in the LDAP - server. So when this is used with 'Sync Registrations', it can be good to add also - 'Hardcoded LDAP attribute mapper' with randomly generated initial password. - default: false - type: bool - - validatePasswordPolicy: - description: - - Determines if Keycloak should validate the password with the realm password policy - before updating it. - default: false - type: bool - - trustEmail: - description: - - If enabled, email provided by this provider is not verified even if verification is - enabled for the realm. - default: false - type: bool - - useTruststoreSpi: - description: - - Specifies whether LDAP connection will use the truststore SPI with the truststore - configured in standalone.xml/domain.xml. V(always) means that it will always use it. - V(never) means that it will not use it. V(ldapsOnly) means that it will use if - your connection URL use ldaps. Note even if standalone.xml/domain.xml is not - configured, the default Java cacerts or certificate specified by - C(javax.net.ssl.trustStore) property will be used. - default: ldapsOnly - type: str - choices: - - always - - ldapsOnly - - never - - connectionTimeout: - description: - - LDAP Connection Timeout in milliseconds. - type: int - - readTimeout: - description: - - LDAP Read Timeout in milliseconds. This timeout applies for LDAP read operations. - type: int - - pagination: - description: - - Does the LDAP server support pagination. - default: true - type: bool - - connectionPooling: - description: - - Determines if Keycloak should use connection pooling for accessing LDAP server. - default: true - type: bool - - connectionPoolingAuthentication: - description: - - A list of space-separated authentication types of connections that may be pooled. - type: str - choices: - - none - - simple - - DIGEST-MD5 - - connectionPoolingDebug: - description: - - A string that indicates the level of debug output to produce. Example valid values are - V(fine) (trace connection creation and removal) and V(all) (all debugging information). - type: str - - connectionPoolingInitSize: - description: - - The number of connections per connection identity to create when initially creating a - connection for the identity. - type: int - - connectionPoolingMaxSize: - description: - - The maximum number of connections per connection identity that can be maintained - concurrently. - type: int - - connectionPoolingPrefSize: - description: - - The preferred number of connections per connection identity that should be maintained - concurrently. - type: int - - connectionPoolingProtocol: - description: - - A list of space-separated protocol types of connections that may be pooled. - Valid types are V(plain) and V(ssl). - type: str - - connectionPoolingTimeout: - description: - - The number of milliseconds that an idle connection may remain in the pool without - being closed and removed from the pool. - type: int - - allowKerberosAuthentication: - description: - - Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data - about authenticated users will be provisioned from this LDAP server. - default: false - type: bool - - kerberosRealm: - description: - - Name of kerberos realm. - type: str - - krbPrincipalAttribute: - description: - - Name of the LDAP attribute, which refers to Kerberos principal. - This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. - When this is empty, the LDAP user will be looked based on LDAP username corresponding - to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), - it will assume that LDAP username is V(john). - type: str - version_added: 8.1.0 - - serverPrincipal: - description: - - Full name of server principal for HTTP service including server and domain name. For - example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the - KeyTab file. - type: str - - keyTab: - description: - - Location of Kerberos KeyTab file containing the credentials of server principal. For - example V(/etc/krb5.keytab). - type: str - - debug: - description: - - Enable/disable debug logging to standard output for Krb5LoginModule. - type: bool - - useKerberosForPasswordAuthentication: - description: - - Use Kerberos login module for authenticate username/password against Kerberos server - instead of authenticating against LDAP server with Directory Service API. - default: false - type: bool - - allowPasswordAuthentication: - description: - - Enable/disable possibility of username/password authentication against Kerberos database. - type: bool - - batchSizeForSync: - description: - - Count of LDAP users to be imported from LDAP to Keycloak within a single transaction. - default: 1000 - type: int - - fullSyncPeriod: - description: - - Period for full synchronization in seconds. - default: -1 - type: int - - changedSyncPeriod: - description: - - Period for synchronization of changed or newly created LDAP users in seconds. - default: -1 - type: int - - updateProfileFirstLogin: - description: - - Update profile on first login. - type: bool - - cachePolicy: - description: - - Cache Policy for this storage provider. - type: str - default: 'DEFAULT' - choices: - - DEFAULT - - EVICT_DAILY - - EVICT_WEEKLY - - MAX_LIFESPAN - - NO_CACHE - - evictionDay: - description: - - Day of the week the entry will become invalid on. - type: str - - evictionHour: - description: - - Hour of day the entry will become invalid on. - type: str - - evictionMinute: - description: - - Minute of day the entry will become invalid on. - type: str - - maxLifespan: - description: - - Max lifespan of cache entry in milliseconds. - type: int - - referral: - description: - - Specifies if LDAP referrals should be followed or ignored. Please note that enabling - referrals can slow down authentication as it allows the LDAP server to decide which other - LDAP servers to use. This could potentially include untrusted servers. - type: str - choices: - - ignore - - follow - version_added: 9.5.0 - - mappers: - description: - - A list of dicts defining mappers associated with this Identity Provider. - type: list - elements: dict - suboptions: - id: - description: - - Unique ID of this mapper. - type: str - - name: - description: - - Name of the mapper. If no ID is given, the mapper will be searched by name. - type: str - - parentId: - description: - - Unique ID for the parent of this mapper. ID of the user federation will automatically - be used if left blank. - type: str - - providerId: - description: - - The mapper type for this mapper (for instance V(user-attribute-ldap-mapper)). - type: str - - providerType: - description: - - Component type for this mapper. - type: str - default: org.keycloak.storage.ldap.mappers.LDAPStorageMapper - - config: - description: - - Dict specifying the configuration options for the mapper; the contents differ - depending on the value of I(identityProviderMapper). - # TODO: what is identityProviderMapper above??? - type: dict extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Laurent Paumier (@laurpaum) -''' + - Laurent Paumier (@laurpaum) +""" -EXAMPLES = ''' - - name: Create LDAP user federation - community.general.keycloak_user_federation: - auth_keycloak_url: https://keycloak.example.com/auth - auth_realm: master - auth_username: admin - auth_password: password - realm: my-realm - name: my-ldap - state: present - provider_id: ldap - provider_type: org.keycloak.storage.UserStorageProvider - config: - priority: 0 - enabled: true - cachePolicy: DEFAULT - batchSizeForSync: 1000 - editMode: READ_ONLY - importEnabled: true - syncRegistrations: false - vendor: other - usernameLDAPAttribute: uid - rdnLDAPAttribute: uid - uuidLDAPAttribute: entryUUID - userObjectClasses: inetOrgPerson, organizationalPerson - connectionUrl: ldaps://ldap.example.com:636 - usersDn: ou=Users,dc=example,dc=com - authType: simple - bindDn: cn=directory reader - bindCredential: password - searchScope: 1 - validatePasswordPolicy: false - trustEmail: false - useTruststoreSpi: ldapsOnly - connectionPooling: true - pagination: true - allowKerberosAuthentication: false - debug: false - useKerberosForPasswordAuthentication: false - mappers: - - name: "full name" - providerId: "full-name-ldap-mapper" - providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" - config: - ldap.full.name.attribute: cn - read.only: true - write.only: false +EXAMPLES = r""" +- name: Create LDAP user federation + community.general.keycloak_user_federation: + auth_keycloak_url: https://keycloak.example.com/auth + auth_realm: master + auth_username: admin + auth_password: password + realm: my-realm + name: my-ldap + state: present + provider_id: ldap + provider_type: org.keycloak.storage.UserStorageProvider + config: + priority: 0 + enabled: true + cachePolicy: DEFAULT + batchSizeForSync: 1000 + editMode: READ_ONLY + importEnabled: true + syncRegistrations: false + vendor: other + usernameLDAPAttribute: uid + rdnLDAPAttribute: uid + uuidLDAPAttribute: entryUUID + userObjectClasses: inetOrgPerson, organizationalPerson + connectionUrl: ldaps://ldap.example.com:636 + usersDn: ou=Users,dc=example,dc=com + authType: simple + bindDn: cn=directory reader + bindCredential: password + searchScope: 1 + validatePasswordPolicy: false + trustEmail: false + useTruststoreSpi: ldapsOnly + connectionPooling: true + pagination: true + allowKerberosAuthentication: false + debug: false + useKerberosForPasswordAuthentication: false + mappers: + - name: "full name" + providerId: "full-name-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.full.name.attribute: cn + read.only: true + write.only: false - - name: Create Kerberos user federation - community.general.keycloak_user_federation: - auth_keycloak_url: https://keycloak.example.com/auth - auth_realm: master - auth_username: admin - auth_password: password - realm: my-realm - name: my-kerberos - state: present - provider_id: kerberos - provider_type: org.keycloak.storage.UserStorageProvider - config: - priority: 0 - enabled: true - cachePolicy: DEFAULT - kerberosRealm: EXAMPLE.COM - serverPrincipal: HTTP/host.example.com@EXAMPLE.COM - keyTab: keytab - allowPasswordAuthentication: false - updateProfileFirstLogin: false +- name: Create Kerberos user federation + community.general.keycloak_user_federation: + auth_keycloak_url: https://keycloak.example.com/auth + auth_realm: master + auth_username: admin + auth_password: password + realm: my-realm + name: my-kerberos + state: present + provider_id: kerberos + provider_type: org.keycloak.storage.UserStorageProvider + config: + priority: 0 + enabled: true + cachePolicy: DEFAULT + kerberosRealm: EXAMPLE.COM + serverPrincipal: HTTP/host.example.com@EXAMPLE.COM + keyTab: keytab + allowPasswordAuthentication: false + updateProfileFirstLogin: false - - name: Create sssd user federation - community.general.keycloak_user_federation: - auth_keycloak_url: https://keycloak.example.com/auth - auth_realm: master - auth_username: admin - auth_password: password - realm: my-realm - name: my-sssd - state: present - provider_id: sssd - provider_type: org.keycloak.storage.UserStorageProvider - config: - priority: 0 - enabled: true - cachePolicy: DEFAULT +- name: Create sssd user federation + community.general.keycloak_user_federation: + auth_keycloak_url: https://keycloak.example.com/auth + auth_realm: master + auth_username: admin + auth_password: password + realm: my-realm + name: my-sssd + state: present + provider_id: sssd + provider_type: org.keycloak.storage.UserStorageProvider + config: + priority: 0 + enabled: true + cachePolicy: DEFAULT - - name: Delete user federation - community.general.keycloak_user_federation: - auth_keycloak_url: https://keycloak.example.com/auth - auth_realm: master - auth_username: admin - auth_password: password - realm: my-realm - name: my-federation - state: absent +- name: Delete user federation + community.general.keycloak_user_federation: + auth_keycloak_url: https://keycloak.example.com/auth + auth_realm: master + auth_username: admin + auth_password: password + realm: my-realm + name: my-federation + state: absent +""" -''' - -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "No changes required to user federation 164bb483-c613-482e-80fe-7f1431308799." + description: Message as to what action was taken. + returned: always + type: str + sample: "No changes required to user federation 164bb483-c613-482e-80fe-7f1431308799." proposed: description: Representation of proposed user federation. @@ -744,7 +704,7 @@ end_state: "providerId": "kerberos", "providerType": "org.keycloak.storage.UserStorageProvider" } -''' +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_user_rolemapping.py b/plugins/modules/keycloak_user_rolemapping.py index 40e3b38d5c..319aa5350b 100644 --- a/plugins/modules/keycloak_user_rolemapping.py +++ b/plugins/modules/keycloak_user_rolemapping.py @@ -7,8 +7,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_user_rolemapping short_description: Allows administration of Keycloak user_rolemapping with the Keycloak API @@ -16,110 +15,93 @@ short_description: Allows administration of Keycloak user_rolemapping with the K version_added: 5.7.0 description: - - This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. - It requires access to the REST API via OpenID Connect; the user connecting and the client being - used must have the requisite access rights. In a default Keycloak installation, admin-cli - and an admin user would work, as would a separate client definition with the scope tailored - to your needs and a user having the expected roles. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - - - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will - be returned that way by this module. You may pass single values for attributes when calling the module, - and this will be translated into a list suitable for the API. - - - When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup - to the API to translate the name into the role ID. - + - This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. It requires access to the REST API using + OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli + and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). + - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. + You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. + - When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name + into the role ID. attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the user_rolemapping. - - On V(present), the user_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - - On V(absent), the user_rolemapping will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the user_rolemapping. + - On V(present), the user_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the user_rolemapping will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - realm: + realm: + type: str + description: + - They Keycloak realm under which this role_representation resides. + default: 'master' + + target_username: + type: str + description: + - Username of the user roles are mapped to. + - This parameter is not required (can be replaced by uid for less API call). + uid: + type: str + description: + - ID of the user to be mapped. + - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. + service_account_user_client_id: + type: str + description: + - Client ID of the service-account-user to be mapped. + - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. + client_id: + type: str + description: + - Name of the client to be mapped (different than O(cid)). + - This parameter is required if O(cid) is not provided (can be replaced by O(cid) to reduce the number of API calls that must be made). + cid: + type: str + description: + - ID of the client to be mapped. + - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. + roles: + description: + - Roles to be mapped to the user. + type: list + elements: dict + suboptions: + name: type: str description: - - They Keycloak realm under which this role_representation resides. - default: 'master' - - target_username: + - Name of the role representation. + - This parameter is required only when creating or updating the role_representation. + id: type: str description: - - Username of the user roles are mapped to. - - This parameter is not required (can be replaced by uid for less API call). - - uid: - type: str - description: - - ID of the user to be mapped. - - This parameter is not required for updating or deleting the rolemapping but - providing it will reduce the number of API calls required. - - service_account_user_client_id: - type: str - description: - - Client ID of the service-account-user to be mapped. - - This parameter is not required for updating or deleting the rolemapping but - providing it will reduce the number of API calls required. - - client_id: - type: str - description: - - Name of the client to be mapped (different than O(cid)). - - This parameter is required if O(cid) is not provided (can be replaced by O(cid) - to reduce the number of API calls that must be made). - - cid: - type: str - description: - - ID of the client to be mapped. - - This parameter is not required for updating or deleting the rolemapping but - providing it will reduce the number of API calls required. - - roles: - description: - - Roles to be mapped to the user. - type: list - elements: dict - suboptions: - name: - type: str - description: - - Name of the role representation. - - This parameter is required only when creating or updating the role_representation. - id: - type: str - description: - - The unique identifier for this role_representation. - - This parameter is not required for updating or deleting a role_representation but - providing it will reduce the number of API calls required. - + - The unique identifier for this role_representation. + - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls + required. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - - Dušan Marković (@bratwurzt) -''' + - Dušan Marković (@bratwurzt) +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Map a client role to a user, authentication with credentials community.general.keycloak_user_rolemapping: realm: MyCustomRealm @@ -189,49 +171,37 @@ EXAMPLES = ''' - name: role_name2 id: role_id2 delegate_to: localhost -''' +""" -RETURN = ''' +RETURN = r""" msg: - description: Message as to what action was taken. - returned: always - type: str - sample: "Role role1 assigned to user user1." + description: Message as to what action was taken. + returned: always + type: str + sample: "Role role1 assigned to user user1." proposed: - description: Representation of proposed client role mapping. - returned: always - type: dict - sample: { - clientId: "test" - } + description: Representation of proposed client role mapping. + returned: always + type: dict + sample: {clientId: "test"} existing: - description: - - Representation of existing client role mapping. - - The sample is truncated. - returned: always - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } + description: + - Representation of existing client role mapping. + - The sample is truncated. + returned: always + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} end_state: - description: - - Representation of client role mapping after module execution. - - The sample is truncated. - returned: on success - type: dict - sample: { - "adminUrl": "http://www.example.com/admin_url", - "attributes": { - "request.object.signature.alg": "RS256", - } - } -''' + description: + - Representation of client role mapping after module execution. + - The sample is truncated. + returned: on success + type: dict + sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keycloak_userprofile.py b/plugins/modules/keycloak_userprofile.py index ba9cae8554..1338c8154b 100644 --- a/plugins/modules/keycloak_userprofile.py +++ b/plugins/modules/keycloak_userprofile.py @@ -8,278 +8,274 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: keycloak_userprofile short_description: Allows managing Keycloak User Profiles description: - - This module allows you to create, update, or delete Keycloak User Profiles via Keycloak API. You can also customize the "Unmanaged Attributes" with it. - - - The names of module options are snake_cased versions of the camelCase ones found in the - Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html). + - This module allows you to create, update, or delete Keycloak User Profiles using the Keycloak API. You can also customize the "Unmanaged Attributes" + with it. + - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at + U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html). For compatibility reasons, the module also accepts the camelCase versions of the options. - version_added: "9.4.0" attributes: - check_mode: - support: full - diff_mode: - support: full - action_group: - version_added: 10.2.0 + check_mode: + support: full + diff_mode: + support: full + action_group: + version_added: 10.2.0 options: - state: - description: - - State of the User Profile provider. - - On V(present), the User Profile provider will be created if it does not yet exist, or updated with - the parameters you provide. - - On V(absent), the User Profile provider will be removed if it exists. - default: 'present' - type: str - choices: - - present - - absent + state: + description: + - State of the User Profile provider. + - On V(present), the User Profile provider will be created if it does not yet exist, or updated with the parameters you provide. + - On V(absent), the User Profile provider will be removed if it exists. + default: 'present' + type: str + choices: + - present + - absent - parent_id: + parent_id: + description: + - The parent ID of the realm key. In practice the ID (name) of the realm. + aliases: + - parentId + - realm + type: str + required: true + + provider_id: + description: + - The name of the provider ID for the key (supported value is V(declarative-user-profile)). + aliases: + - providerId + choices: ['declarative-user-profile'] + default: 'declarative-user-profile' + type: str + + provider_type: + description: + - Component type for User Profile (only supported value is V(org.keycloak.userprofile.UserProfileProvider)). + aliases: + - providerType + choices: ['org.keycloak.userprofile.UserProfileProvider'] + default: org.keycloak.userprofile.UserProfileProvider + type: str + + config: + description: + - The configuration of the User Profile Provider. + type: dict + required: false + suboptions: + kc_user_profile_config: description: - - The parent ID of the realm key. In practice the ID (name) of the realm. + - Define a declarative User Profile. See EXAMPLES for more context. aliases: - - parentId - - realm - type: str - required: true - - provider_id: - description: - - The name of the provider ID for the key (supported value is V(declarative-user-profile)). - aliases: - - providerId - choices: ['declarative-user-profile'] - default: 'declarative-user-profile' - type: str - - provider_type: - description: - - Component type for User Profile (only supported value is V(org.keycloak.userprofile.UserProfileProvider)). - aliases: - - providerType - choices: ['org.keycloak.userprofile.UserProfileProvider'] - default: org.keycloak.userprofile.UserProfileProvider - type: str - - config: - description: - - The configuration of the User Profile Provider. - type: dict - required: false + - kcUserProfileConfig + type: list + elements: dict suboptions: - kc_user_profile_config: + attributes: + description: + - A list of attributes to be included in the User Profile. + type: list + elements: dict + suboptions: + name: description: - - Define a declarative User Profile. See EXAMPLES for more context. + - The name of the attribute. + type: str + required: true + + display_name: + description: + - The display name of the attribute. aliases: - - kcUserProfileConfig - type: list - elements: dict + - displayName + type: str + required: true + + validations: + description: + - The validations to be applied to the attribute. + type: dict suboptions: - attributes: + length: + description: + - The length validation for the attribute. + type: dict + suboptions: + min: description: - - A list of attributes to be included in the User Profile. - type: list - elements: dict - suboptions: - name: - description: - - The name of the attribute. - type: str - required: true - - display_name: - description: - - The display name of the attribute. - aliases: - - displayName - type: str - required: true - - validations: - description: - - The validations to be applied to the attribute. - type: dict - suboptions: - length: - description: - - The length validation for the attribute. - type: dict - suboptions: - min: - description: - - The minimum length of the attribute. - type: int - max: - description: - - The maximum length of the attribute. - type: int - required: true - - email: - description: - - The email validation for the attribute. - type: dict - - username_prohibited_characters: - description: - - The prohibited characters validation for the username attribute. - type: dict - aliases: - - usernameProhibitedCharacters - - up_username_not_idn_homograph: - description: - - The validation to prevent IDN homograph attacks in usernames. - type: dict - aliases: - - upUsernameNotIdnHomograph - - person_name_prohibited_characters: - description: - - The prohibited characters validation for person name attributes. - type: dict - aliases: - - personNameProhibitedCharacters - - uri: - description: - - The URI validation for the attribute. - type: dict - - pattern: - description: - - The pattern validation for the attribute using regular expressions. - type: dict - - options: - description: - - Validation to ensure the attribute matches one of the provided options. - type: dict - - annotations: - description: - - Annotations for the attribute. - type: dict - - group: - description: - - Specifies the User Profile group where this attribute will be added. - type: str - - permissions: - description: - - The permissions for viewing and editing the attribute. - type: dict - suboptions: - view: - description: - - The roles that can view the attribute. - - Supported values are V(admin) and V(user). - type: list - elements: str - default: - - admin - - user - - edit: - description: - - The roles that can edit the attribute. - - Supported values are V(admin) and V(user). - type: list - elements: str - default: - - admin - - user - - multivalued: - description: - - Whether the attribute can have multiple values. - type: bool - default: false - - required: - description: - - The roles that require this attribute. - type: dict - suboptions: - roles: - description: - - The roles for which this attribute is required. - - Supported values are V(admin) and V(user). - type: list - elements: str - default: - - user - - groups: + - The minimum length of the attribute. + type: int + max: description: - - A list of attribute groups to be included in the User Profile. - type: list - elements: dict - suboptions: - name: - description: - - The name of the group. - type: str - required: true + - The maximum length of the attribute. + type: int + required: true - display_header: - description: - - The display header for the group. - aliases: - - displayHeader - type: str - required: true + email: + description: + - The email validation for the attribute. + type: dict - display_description: - description: - - The display description for the group. - aliases: - - displayDescription - type: str - required: false + username_prohibited_characters: + description: + - The prohibited characters validation for the username attribute. + type: dict + aliases: + - usernameProhibitedCharacters - annotations: - description: - - The annotations included in the group. - type: dict - required: false + up_username_not_idn_homograph: + description: + - The validation to prevent IDN homograph attacks in usernames. + type: dict + aliases: + - upUsernameNotIdnHomograph - unmanaged_attribute_policy: - description: - - Policy for unmanaged attributes. - aliases: - - unmanagedAttributePolicy - type: str - choices: - - ENABLED - - ADMIN_EDIT - - ADMIN_VIEW + person_name_prohibited_characters: + description: + - The prohibited characters validation for person name attributes. + type: dict + aliases: + - personNameProhibitedCharacters + + uri: + description: + - The URI validation for the attribute. + type: dict + + pattern: + description: + - The pattern validation for the attribute using regular expressions. + type: dict + + options: + description: + - Validation to ensure the attribute matches one of the provided options. + type: dict + + annotations: + description: + - Annotations for the attribute. + type: dict + + group: + description: + - Specifies the User Profile group where this attribute will be added. + type: str + + permissions: + description: + - The permissions for viewing and editing the attribute. + type: dict + suboptions: + view: + description: + - The roles that can view the attribute. + - Supported values are V(admin) and V(user). + type: list + elements: str + default: + - admin + - user + + edit: + description: + - The roles that can edit the attribute. + - Supported values are V(admin) and V(user). + type: list + elements: str + default: + - admin + - user + + multivalued: + description: + - Whether the attribute can have multiple values. + type: bool + default: false + + required: + description: + - The roles that require this attribute. + type: dict + suboptions: + roles: + description: + - The roles for which this attribute is required. + - Supported values are V(admin) and V(user). + type: list + elements: str + default: + - user + + groups: + description: + - A list of attribute groups to be included in the User Profile. + type: list + elements: dict + suboptions: + name: + description: + - The name of the group. + type: str + required: true + + display_header: + description: + - The display header for the group. + aliases: + - displayHeader + type: str + required: true + + display_description: + description: + - The display description for the group. + aliases: + - displayDescription + type: str + required: false + + annotations: + description: + - The annotations included in the group. + type: dict + required: false + + unmanaged_attribute_policy: + description: + - Policy for unmanaged attributes. + aliases: + - unmanagedAttributePolicy + type: str + choices: + - ENABLED + - ADMIN_EDIT + - ADMIN_VIEW notes: - - Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). - However, there can be multiple O(config.kc_user_profile_config[].attributes[]) entries. - + - Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). However, there can + be multiple O(config.kc_user_profile_config[].attributes[]) entries. extends_documentation_fragment: - - community.general.keycloak - - community.general.keycloak.actiongroup_keycloak - - community.general.attributes + - community.general.keycloak + - community.general.keycloak.actiongroup_keycloak + - community.general.attributes author: - Eike Waldt (@yeoldegrove) -''' +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Create a Declarative User Profile with default settings community.general.keycloak_userprofile: state: present @@ -397,9 +393,9 @@ EXAMPLES = ''' config: kc_user_profile_config: - unmanagedAttributePolicy: ADMIN_VIEW -''' +""" -RETURN = ''' +RETURN = r""" msg: description: The output message generated by the module. returned: always @@ -409,8 +405,8 @@ data: description: The data returned by the Keycloak API. returned: when state is present type: dict - sample: {...} -''' + sample: {'...': '...'} +""" from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ keycloak_argument_spec, get_token, KeycloakError diff --git a/plugins/modules/keyring.py b/plugins/modules/keyring.py index 8329b727bd..e96d01ac44 100644 --- a/plugins/modules/keyring.py +++ b/plugins/modules/keyring.py @@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type DOCUMENTATION = r""" ---- module: keyring version_added: 5.2.0 author: - Alexander Hussey (@ahussey-redhat) short_description: Set or delete a passphrase using the Operating System's native keyring description: >- - This module uses the L(keyring Python library, https://pypi.org/project/keyring/) - to set or delete passphrases for a given service and username from the OS' native keyring. + This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to set or delete passphrases for a given service and username + from the OS' native keyring. requirements: - keyring (Python library) - gnome-keyring (application - required for headless Gnome keyring access) diff --git a/plugins/modules/keyring_info.py b/plugins/modules/keyring_info.py index 5c41ecc4d0..9fcd4d5d92 100644 --- a/plugins/modules/keyring_info.py +++ b/plugins/modules/keyring_info.py @@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type DOCUMENTATION = r""" ---- module: keyring_info version_added: 5.2.0 author: - Alexander Hussey (@ahussey-redhat) short_description: Get a passphrase using the Operating System's native keyring description: >- - This module uses the L(keyring Python library, https://pypi.org/project/keyring/) - to retrieve passphrases for a given service and username from the OS' native keyring. + This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to retrieve passphrases for a given service and username from + the OS' native keyring. requirements: - keyring (Python library) - gnome-keyring (application - required for headless Linux keyring access) @@ -45,24 +44,24 @@ options: """ EXAMPLES = r""" - - name: Retrieve password for service_name/user_name - community.general.keyring_info: - service: test - username: test1 - keyring_password: "{{ keyring_password }}" - register: test_password +- name: Retrieve password for service_name/user_name + community.general.keyring_info: + service: test + username: test1 + keyring_password: "{{ keyring_password }}" + register: test_password - - name: Display password - ansible.builtin.debug: - msg: "{{ test_password.passphrase }}" +- name: Display password + ansible.builtin.debug: + msg: "{{ test_password.passphrase }}" """ RETURN = r""" - passphrase: - description: A string containing the password. - returned: success and the password exists - type: str - sample: Password123 +passphrase: + description: A string containing the password. + returned: success and the password exists + type: str + sample: Password123 """ try: diff --git a/plugins/modules/kibana_plugin.py b/plugins/modules/kibana_plugin.py index f6744b3960..3d5b4d6413 100644 --- a/plugins/modules/kibana_plugin.py +++ b/plugins/modules/kibana_plugin.py @@ -11,71 +11,70 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = ''' ---- +DOCUMENTATION = r""" module: kibana_plugin short_description: Manage Kibana plugins description: - - This module can be used to manage Kibana plugins. + - This module can be used to manage Kibana plugins. author: Thierno IB. BARRY (@barryib) extends_documentation_fragment: - - community.general.attributes + - community.general.attributes attributes: - check_mode: - support: full - diff_mode: - support: none + check_mode: + support: full + diff_mode: + support: none options: - name: - description: + name: + description: - Name of the plugin to install. - required: true - type: str - state: - description: + required: true + type: str + state: + description: - Desired state of a plugin. - choices: ["present", "absent"] - default: present - type: str - url: - description: + choices: ["present", "absent"] + default: present + type: str + url: + description: - Set exact URL to download the plugin from. - - For local file, prefix its absolute path with file:// - type: str - timeout: - description: - - "Timeout setting: 30s, 1m, 1h etc." - default: 1m - type: str - plugin_bin: - description: + - For local file, prefix its absolute path with file://. + type: str + timeout: + description: + - 'Timeout setting: V(30s), V(1m), V(1h) and so on.' + default: 1m + type: str + plugin_bin: + description: - Location of the Kibana binary. - default: /opt/kibana/bin/kibana - type: path - plugin_dir: - description: + default: /opt/kibana/bin/kibana + type: path + plugin_dir: + description: - Your configured plugin directory specified in Kibana. - default: /opt/kibana/installedPlugins/ - type: path - version: - description: + default: /opt/kibana/installedPlugins/ + type: path + version: + description: - Version of the plugin to be installed. - If plugin exists with previous version, plugin will B(not) be updated unless O(force) is set to V(true). - type: str - force: - description: + type: str + force: + description: - Delete and re-install the plugin. Can be useful for plugins update. - type: bool - default: false - allow_root: - description: + type: bool + default: false + allow_root: + description: - Whether to allow C(kibana) and C(kibana-plugin) to be run as root. Passes the C(--allow-root) flag to these commands. - type: bool - default: false - version_added: 2.3.0 -''' + type: bool + default: false + version_added: 2.3.0 +""" -EXAMPLES = ''' +EXAMPLES = r""" - name: Install Elasticsearch head plugin community.general.kibana_plugin: state: present @@ -91,38 +90,38 @@ EXAMPLES = ''' community.general.kibana_plugin: state: absent name: elasticsearch/marvel -''' +""" -RETURN = ''' +RETURN = r""" cmd: - description: the launched command during plugin management (install / remove) - returned: success - type: str + description: The launched command during plugin management (install / remove). + returned: success + type: str name: - description: the plugin name to install or remove - returned: success - type: str + description: The plugin name to install or remove. + returned: success + type: str url: - description: the url from where the plugin is installed from - returned: success - type: str + description: The url from where the plugin is installed from. + returned: success + type: str timeout: - description: the timeout for plugin download - returned: success - type: str + description: The timeout for plugin download. + returned: success + type: str stdout: - description: the command stdout - returned: success - type: str + description: The command stdout. + returned: success + type: str stderr: - description: the command stderr - returned: success - type: str + description: The command stderr. + returned: success + type: str state: - description: the state for the managed plugin - returned: success - type: str -''' + description: The state for the managed plugin. + returned: success + type: str +""" import os from ansible.module_utils.basic import AnsibleModule diff --git a/plugins/modules/krb_ticket.py b/plugins/modules/krb_ticket.py index 8894a64ef6..d93966e501 100644 --- a/plugins/modules/krb_ticket.py +++ b/plugins/modules/krb_ticket.py @@ -8,8 +8,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -DOCUMENTATION = r''' ---- +DOCUMENTATION = r""" module: krb_ticket short_description: Kerberos utils for managing tickets version_added: 10.0.0 @@ -56,8 +55,9 @@ options: lifetime: description: - Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used. - - Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. - - "The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days." + - Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum + ticket lifetime. + - 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days.' - You cannot mix units; a value of V(3h30m) will result in an error. - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference. type: str @@ -73,7 +73,8 @@ options: renewable: description: - Requests renewable tickets, with a total lifetime equal to O(renewable). - - "The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days." + - 'The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - + days.' - You cannot mix units; a value of V(3h30m) will result in an error. - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference. type: str @@ -125,9 +126,9 @@ requirements: - krb5-user and krb5-config packages extends_documentation_fragment: - community.general.attributes -''' +""" -EXAMPLES = r''' +EXAMPLES = r""" - name: Get Kerberos ticket using default principal community.general.krb_ticket: password: some_password @@ -179,7 +180,7 @@ EXAMPLES = r''' community.general.krb_ticket: state: absent kdestroy_all: true -''' +""" from ansible.module_utils.basic import AnsibleModule, env_fallback from ansible_collections.community.general.plugins.module_utils.cmd_runner import CmdRunner, cmd_runner_fmt