k*.py: normalize docs (#9391)

* k*.py: normalize docs

* Update plugins/modules/keycloak_realm_keys_metadata_info.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/kibana_plugin.py

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
Alexei Znamensky 2024-12-27 01:42:44 +13:00 committed by GitHub
parent 6aadcc72d1
commit 49ed3d4acf
34 changed files with 4402 additions and 4882 deletions


@ -7,15 +7,13 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = r''' DOCUMENTATION = r"""
---
module: kdeconfig module: kdeconfig
short_description: Manage KDE configuration files short_description: Manage KDE configuration files
version_added: "6.5.0" version_added: "6.5.0"
description: description:
- Add or change individual settings in KDE configuration files. - Add or change individual settings in KDE configuration files.
- It uses B(kwriteconfig) under the hood. - It uses B(kwriteconfig) under the hood.
options: options:
path: path:
description: description:
@ -24,8 +22,7 @@ options:
required: true required: true
kwriteconfig_path: kwriteconfig_path:
description: description:
- Path to the kwriteconfig executable. If not specified, Ansible will try - Path to the kwriteconfig executable. If not specified, Ansible will try to discover it.
to discover it.
type: path type: path
values: values:
description: description:
@ -74,9 +71,9 @@ requirements:
- kwriteconfig - kwriteconfig
author: author:
- Salvatore Mesoraca (@smeso) - Salvatore Mesoraca (@smeso)
''' """
EXAMPLES = r''' EXAMPLES = r"""
- name: Ensure "Homepage=https://www.ansible.com/" in group "Branding" - name: Ensure "Homepage=https://www.ansible.com/" in group "Branding"
community.general.kdeconfig: community.general.kdeconfig:
path: /etc/xdg/kickoffrc path: /etc/xdg/kickoffrc
@ -97,9 +94,9 @@ EXAMPLES = r'''
key: KEY key: KEY
value: VALUE value: VALUE
backup: true backup: true
''' """
RETURN = r''' # ''' RETURN = r""" # """
import os import os
import shutil import shutil


@ -9,47 +9,45 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: kernel_blacklist module: kernel_blacklist
author: author:
- Matthias Vogelgesang (@matze) - Matthias Vogelgesang (@matze)
short_description: Blacklist kernel modules short_description: Blacklist kernel modules
description: description:
- Add or remove kernel modules from blacklist. - Add or remove kernel modules from blacklist.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.attributes - community.general.attributes
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
options: options:
name: name:
type: str type: str
description: description:
- Name of kernel module to black- or whitelist. - Name of kernel module to black- or whitelist.
required: true required: true
state: state:
type: str type: str
description: description:
- Whether the module should be present in the blacklist or absent. - Whether the module should be present in the blacklist or absent.
choices: [ absent, present ] choices: [absent, present]
default: present default: present
blacklist_file: blacklist_file:
type: str type: str
description: description:
- If specified, use this blacklist file instead of - If specified, use this blacklist file instead of C(/etc/modprobe.d/blacklist-ansible.conf).
C(/etc/modprobe.d/blacklist-ansible.conf). default: /etc/modprobe.d/blacklist-ansible.conf
default: /etc/modprobe.d/blacklist-ansible.conf """
'''
EXAMPLES = ''' EXAMPLES = r"""
- name: Blacklist the nouveau driver module - name: Blacklist the nouveau driver module
community.general.kernel_blacklist: community.general.kernel_blacklist:
name: nouveau name: nouveau
state: present state: present
''' """
import os import os
import re import re


@ -7,112 +7,109 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_authentication module: keycloak_authentication
short_description: Configure authentication in Keycloak short_description: Configure authentication in Keycloak
description: description:
- This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it. - This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it.
- It can also delete the flow. - It can also delete the flow.
version_added: "3.3.0" version_added: "3.3.0"
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
realm: realm:
description:
- The name of the realm in which is the authentication.
required: true
type: str
alias:
description:
- Alias for the authentication flow.
required: true
type: str
description: description:
- The name of the realm in which is the authentication.
required: true
type: str
alias:
description:
- Alias for the authentication flow.
required: true
type: str
description:
description:
- Description of the flow.
type: str
providerId:
description:
- C(providerId) for the new flow when not copied from an existing flow.
choices: ["basic-flow", "client-flow"]
type: str
copyFrom:
description:
- C(flowAlias) of the authentication flow to use for the copy.
type: str
authenticationExecutions:
description:
- Configuration structure for the executions.
type: list
elements: dict
suboptions:
providerId:
description: description:
- Description of the flow. - C(providerID) for the new flow when not copied from an existing flow.
type: str type: str
providerId: displayName:
description: description:
- C(providerId) for the new flow when not copied from an existing flow. - Name of the execution or subflow to create or update.
choices: [ "basic-flow", "client-flow" ]
type: str type: str
copyFrom: requirement:
description: description:
- C(flowAlias) of the authentication flow to use for the copy. - Control status of the subflow or execution.
choices: ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"]
type: str type: str
authenticationExecutions: flowAlias:
description: description:
- Configuration structure for the executions. - Alias of parent flow.
type: list
elements: dict
suboptions:
providerId:
description:
- C(providerID) for the new flow when not copied from an existing flow.
type: str
displayName:
description:
- Name of the execution or subflow to create or update.
type: str
requirement:
description:
- Control status of the subflow or execution.
choices: [ "REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL" ]
type: str
flowAlias:
description:
- Alias of parent flow.
type: str
authenticationConfig:
description:
- Describe the config of the authentication.
type: dict
index:
description:
- Priority order of the execution.
type: int
subFlowType:
description:
- For new subflows, optionally specify the type.
- Is only used at creation.
choices: ["basic-flow", "form-flow"]
default: "basic-flow"
type: str
version_added: 6.6.0
state:
description:
- Control if the authentication flow must exists or not.
choices: [ "present", "absent" ]
default: present
type: str type: str
force: authenticationConfig:
type: bool
default: false
description: description:
- If V(true), allows to remove the authentication flow and recreate it. - Describe the config of the authentication.
type: dict
index:
description:
- Priority order of the execution.
type: int
subFlowType:
description:
- For new subflows, optionally specify the type.
- Is only used at creation.
choices: ["basic-flow", "form-flow"]
default: "basic-flow"
type: str
version_added: 6.6.0
state:
description:
- Control if the authentication flow must exists or not.
choices: ["present", "absent"]
default: present
type: str
force:
type: bool
default: false
description:
- If V(true), allows to remove the authentication flow and recreate it.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Philippe Gauthier (@elfelip) - Philippe Gauthier (@elfelip)
- Gaëtan Daubresse (@Gaetan2907) - Gaëtan Daubresse (@Gaetan2907)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create an authentication flow from first broker login and add an execution to it. - name: Create an authentication flow from first broker login and add an execution to it.
community.general.keycloak_authentication: community.general.keycloak_authentication:
auth_keycloak_url: http://localhost:8080/auth auth_keycloak_url: http://localhost:8080/auth
@ -126,15 +123,15 @@ EXAMPLES = '''
- providerId: "test-execution1" - providerId: "test-execution1"
requirement: "REQUIRED" requirement: "REQUIRED"
authenticationConfig: authenticationConfig:
alias: "test.execution1.property" alias: "test.execution1.property"
config: config:
test1.property: "value" test1.property: "value"
- providerId: "test-execution2" - providerId: "test-execution2"
requirement: "REQUIRED" requirement: "REQUIRED"
authenticationConfig: authenticationConfig:
alias: "test.execution2.property" alias: "test.execution2.property"
config: config:
test2.property: "value" test2.property: "value"
state: present state: present
- name: Re-create the authentication flow - name: Re-create the authentication flow
@ -150,9 +147,9 @@ EXAMPLES = '''
- providerId: "test-provisioning" - providerId: "test-provisioning"
requirement: "REQUIRED" requirement: "REQUIRED"
authenticationConfig: authenticationConfig:
alias: "test.provisioning.property" alias: "test.provisioning.property"
config: config:
test.provisioning.property: "value" test.provisioning.property: "value"
state: present state: present
force: true force: true
@ -184,13 +181,13 @@ EXAMPLES = '''
realm: master realm: master
alias: "Copy of first broker login" alias: "Copy of first broker login"
state: absent state: absent
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the authentication after module execution. description: Representation of the authentication after module execution.
@ -222,7 +219,7 @@ end_state:
"providerId": "basic-flow", "providerId": "basic-flow",
"topLevel": true "topLevel": true
} }
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak \
import KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, is_struct_included import KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, is_struct_included
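Review bot: In the first hunk of this file, the `providerId` suboption under `authenticationExecutions` still carries the flow-level text `- C(providerID) for the new flow when not copied from an existing flow.`, which is the top-level `providerId` description copied down with the identifier cased differently. The surrounding suboptions (`displayName`, `requirement`) describe the execution or subflow entry, and the EXAMPLES pass values like `test-execution1` there, so this presumably names the execution's provider rather than the flow — worth confirming against the module code before rewording it to something like `- C(providerId) of the execution or subflow to create or update.`. While normalizing, the `state` description in the same hunk reads `must exists or not`; it should be `- Control if the authentication flow must exist or not.`.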


@ -9,84 +9,82 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_authentication_required_actions module: keycloak_authentication_required_actions
short_description: Allows administration of Keycloak authentication required actions short_description: Allows administration of Keycloak authentication required actions
description: description:
- This module can register, update and delete required actions. - This module can register, update and delete required actions.
- It also filters out any duplicate required actions by their alias. The first occurrence is preserved. - It also filters out any duplicate required actions by their alias. The first occurrence is preserved.
version_added: 7.1.0 version_added: 7.1.0
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
realm: realm:
description:
- The name of the realm in which are the authentication required actions.
required: true
type: str
required_actions:
elements: dict
description:
- Authentication required action.
suboptions:
alias:
description: description:
- The name of the realm in which are the authentication required actions. - Unique name of the required action.
required: true required: true
type: str type: str
required_actions: config:
elements: dict
description: description:
- Authentication required action. - Configuration for the required action.
suboptions: type: dict
alias: defaultAction:
description:
- Unique name of the required action.
required: true
type: str
config:
description:
- Configuration for the required action.
type: dict
defaultAction:
description:
- Indicates, if any new user will have the required action assigned to it.
type: bool
enabled:
description:
- Indicates, if the required action is enabled or not.
type: bool
name:
description:
- Displayed name of the required action. Required for registration.
type: str
priority:
description:
- Priority of the required action.
type: int
providerId:
description:
- Provider ID of the required action. Required for registration.
type: str
type: list
state:
choices: [ "absent", "present" ]
description: description:
- Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)). - Indicates, if any new user will have the required action assigned to it.
required: true type: bool
enabled:
description:
- Indicates, if the required action is enabled or not.
type: bool
name:
description:
- Displayed name of the required action. Required for registration.
type: str type: str
priority:
description:
- Priority of the required action.
type: int
providerId:
description:
- Provider ID of the required action. Required for registration.
type: str
type: list
state:
choices: ["absent", "present"]
description:
- Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)).
required: true
type: str
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Skrekulko (@Skrekulko) - Skrekulko (@Skrekulko)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Register a new required action. - name: Register a new required action.
community.general.keycloak_authentication_required_actions: community.general.keycloak_authentication_required_actions:
auth_client_id: "admin-cli" auth_client_id: "admin-cli"
@ -126,56 +124,55 @@ EXAMPLES = '''
required_action: required_action:
- alias: "TERMS_AND_CONDITIONS" - alias: "TERMS_AND_CONDITIONS"
state: "absent" state: "absent"
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the authentication required actions after module execution. description: Representation of the authentication required actions after module execution.
returned: on success returned: on success
type: complex type: complex
contains: contains:
alias: alias:
description: description:
- Unique name of the required action. - Unique name of the required action.
sample: test-provider-id sample: test-provider-id
type: str type: str
config: config:
description: description:
- Configuration for the required action. - Configuration for the required action.
sample: {} sample: {}
type: dict type: dict
defaultAction: defaultAction:
description: description:
- Indicates, if any new user will have the required action assigned to it. - Indicates, if any new user will have the required action assigned to it.
sample: false sample: false
type: bool type: bool
enabled: enabled:
description: description:
- Indicates, if the required action is enabled or not. - Indicates, if the required action is enabled or not.
sample: false sample: false
type: bool type: bool
name: name:
description: description:
- Displayed name of the required action. Required for registration. - Displayed name of the required action. Required for registration.
sample: Test provider ID sample: Test provider ID
type: str type: str
priority: priority:
description: description:
- Priority of the required action. - Priority of the required action.
sample: 90 sample: 90
type: int type: int
providerId: providerId:
description: description:
- Provider ID of the required action. Required for registration. - Provider ID of the required action. Required for registration.
sample: test-provider-id sample: test-provider-id
type: str type: str
"""
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
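Review bot: In the first hunk, the `required_actions` option is the only one whose keys are out of the order used everywhere else in this file: `elements: dict` comes before `description`, and `type: list` is placed after the whole `suboptions` block, which makes the list type easy to miss when reading the option. Since the commit is normalizing these docs anyway, I would move the two lines together directly after the description, as `type: list` followed by `elements: dict`, before `suboptions:`, matching the layout the hunk already uses for `authenticationExecutions` in keycloak_authentication.py.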


@ -9,81 +9,75 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_authz_authorization_scope module: keycloak_authz_authorization_scope
short_description: Allows administration of Keycloak client authorization scopes via Keycloak API short_description: Allows administration of Keycloak client authorization scopes using Keycloak API
version_added: 6.6.0 version_added: 6.6.0
description: description:
- This module allows the administration of Keycloak client Authorization Scopes via the Keycloak REST - This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization Scopes are only available
API. Authorization Scopes are only available if a client has Authorization enabled. if a client has Authorization enabled.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
being used must have the requisite access rights. In a default Keycloak installation, admin-cli to your needs and a user having the expected roles.
and an admin user would work, as would a separate realm definition with the scope tailored - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
to your needs and a user having the expected roles. have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the authorization scope. - State of the authorization scope.
- On V(present), the authorization scope will be created (or updated if it exists already). - On V(present), the authorization scope will be created (or updated if it exists already).
- On V(absent), the authorization scope will be removed if it exists. - On V(absent), the authorization scope will be removed if it exists.
choices: ['present', 'absent'] choices: ['present', 'absent']
default: 'present' default: 'present'
type: str type: str
name: name:
description: description:
- Name of the authorization scope to create. - Name of the authorization scope to create.
type: str type: str
required: true required: true
display_name: display_name:
description: description:
- The display name of the authorization scope. - The display name of the authorization scope.
type: str type: str
required: false required: false
icon_uri: icon_uri:
description: description:
- The icon URI for the authorization scope. - The icon URI for the authorization scope.
type: str type: str
required: false required: false
client_id: client_id:
description: description:
- The C(clientId) of the Keycloak client that should have the authorization scope. - The C(clientId) of the Keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client. - This is usually a human-readable name of the Keycloak client.
type: str type: str
required: true required: true
realm: realm:
description: description:
- The name of the Keycloak realm the Keycloak client is in. - The name of the Keycloak realm the Keycloak client is in.
type: str type: str
required: true required: true
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Samuli Seppänen (@mattock) - Samuli Seppänen (@mattock)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Manage Keycloak file:delete authorization scope - name: Manage Keycloak file:delete authorization scope
keycloak_authz_authorization_scope: keycloak_authz_authorization_scope:
name: file:delete name: file:delete
@ -95,41 +89,40 @@ EXAMPLES = '''
auth_username: keycloak auth_username: keycloak
auth_password: keycloak auth_password: keycloak
auth_realm: master auth_realm: master
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the authorization scope after module execution. description: Representation of the authorization scope after module execution.
returned: on success returned: on success
type: complex type: complex
contains: contains:
id: id:
description: ID of the authorization scope. description: ID of the authorization scope.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: a6ab1cf2-1001-40ec-9f39-48f23b6a0a41 sample: a6ab1cf2-1001-40ec-9f39-48f23b6a0a41
name: name:
description: Name of the authorization scope. description: Name of the authorization scope.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: file:delete sample: file:delete
display_name: display_name:
description: Display name of the authorization scope. description: Display name of the authorization scope.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: File delete sample: File delete
icon_uri: icon_uri:
description: Icon URI for the authorization scope. description: Icon URI for the authorization scope.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: http://localhost/icon.png sample: http://localhost/icon.png
"""
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError


@ -9,78 +9,71 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_authz_custom_policy module: keycloak_authz_custom_policy
short_description: Allows administration of Keycloak client custom Javascript policies via Keycloak API short_description: Allows administration of Keycloak client custom Javascript policies using Keycloak API
version_added: 7.5.0 version_added: 7.5.0
description: description:
- This module allows the administration of Keycloak client custom Javascript via the Keycloak REST - This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript policies are only
API. Custom Javascript policies are only available if a client has Authorization enabled and if available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files.
they have been deployed to the Keycloak server as JAR files. - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm to your needs and a user having the expected roles.
being used must have the requisite access rights. In a default Keycloak installation, admin-cli - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
and an admin user would work, as would a separate realm definition with the scope tailored have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: none support: none
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the custom policy. - State of the custom policy.
- On V(present), the custom policy will be created (or updated if it exists already). - On V(present), the custom policy will be created (or updated if it exists already).
- On V(absent), the custom policy will be removed if it exists. - On V(absent), the custom policy will be removed if it exists.
choices: ['present', 'absent'] choices: ['present', 'absent']
default: 'present' default: 'present'
type: str type: str
name: name:
description: description:
- Name of the custom policy to create. - Name of the custom policy to create.
type: str type: str
required: true required: true
policy_type: policy_type:
description: description:
- The type of the policy. This must match the name of the custom policy deployed to the server. - The type of the policy. This must match the name of the custom policy deployed to the server.
- Multiple policies pointing to the same policy type can be created, but their names have to differ. - Multiple policies pointing to the same policy type can be created, but their names have to differ.
type: str type: str
required: true required: true
client_id: client_id:
description: description:
- The V(clientId) of the Keycloak client that should have the custom policy attached to it. - The V(clientId) of the Keycloak client that should have the custom policy attached to it.
- This is usually a human-readable name of the Keycloak client. - This is usually a human-readable name of the Keycloak client.
type: str type: str
required: true required: true
realm: realm:
description: description:
- The name of the Keycloak realm the Keycloak client is in. - The name of the Keycloak realm the Keycloak client is in.
type: str type: str
required: true required: true
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Samuli Seppänen (@mattock) - Samuli Seppänen (@mattock)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Manage Keycloak custom authorization policy - name: Manage Keycloak custom authorization policy
community.general.keycloak_authz_custom_policy: community.general.keycloak_authz_custom_policy:
name: OnlyOwner name: OnlyOwner
@ -92,31 +85,30 @@ EXAMPLES = '''
auth_username: keycloak auth_username: keycloak
auth_password: keycloak auth_password: keycloak
auth_realm: master auth_realm: master
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the custom policy after module execution. description: Representation of the custom policy after module execution.
returned: on success returned: on success
type: dict type: dict
contains: contains:
name: name:
description: Name of the custom policy. description: Name of the custom policy.
type: str type: str
returned: when I(state=present) returned: when I(state=present)
sample: file:delete sample: file:delete
policy_type: policy_type:
description: Type of custom policy. description: Type of custom policy.
type: str type: str
returned: when I(state=present) returned: when I(state=present)
sample: File delete sample: File delete
"""
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
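Review bot: The RETURN block in the second hunk keeps `returned: when I(state=present)` on both the `name` and `policy_type` entries, while keycloak_authz_authorization_scope.py in this same commit uses `returned: when O(state=present)` for the identical statement. `I()` is the older italic markup; `O()` is the option-reference macro the rest of the collection's docs use for this, so a normalization pass should make the two files agree. Change both lines to `returned: when O(state=present)`.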


@ -9,128 +9,119 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_authz_permission module: keycloak_authz_permission
version_added: 7.2.0 version_added: 7.2.0
short_description: Allows administration of Keycloak client authorization permissions via Keycloak API short_description: Allows administration of Keycloak client authorization permissions using Keycloak API
description: description:
- This module allows the administration of Keycloak client authorization permissions via the Keycloak REST - This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization permissions are
API. Authorization permissions are only available if a client has Authorization enabled. only available if a client has Authorization enabled.
- There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations are targeted
- There are some peculiarities in JSON paths and payloads for authorization permissions. In particular at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the JSON responses from GET requests
POST and PUT operations are targeted at permission endpoints, whereas GET requests go to policies return data in a different format than what is expected for POST and PUT. The end result is that it is not possible to detect changes to things
endpoint. To make matters more interesting the JSON responses from GET requests return data in a like policies, scopes or resources - at least not without a large number of additional API calls. Therefore this module always updates authorization
different format than what is expected for POST and PUT. The end result is that it is not possible to permissions instead of attempting to determine if changes are truly needed.
detect changes to things like policies, scopes or resources - at least not without a large number of - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
additional API calls. Therefore this module always updates authorization permissions instead of rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
attempting to determine if changes are truly needed. to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: none support: none
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description:
- State of the authorization permission.
- On V(present), the authorization permission will be created (or updated if it exists already).
- On V(absent), the authorization permission will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the authorization permission to create.
type: str
required: true
description: description:
description: - State of the authorization permission.
- The description of the authorization permission. - On V(present), the authorization permission will be created (or updated if it exists already).
type: str - On V(absent), the authorization permission will be removed if it exists.
required: false choices: ['present', 'absent']
permission_type: default: 'present'
description: type: str
- The type of authorization permission. name:
- On V(scope) create a scope-based permission. description:
- On V(resource) create a resource-based permission. - Name of the authorization permission to create.
type: str type: str
required: true required: true
choices: description:
- resource description:
- scope - The description of the authorization permission.
decision_strategy: type: str
description: required: false
- The decision strategy to use with this permission. permission_type:
type: str description:
default: UNANIMOUS - The type of authorization permission.
required: false - On V(scope) create a scope-based permission.
choices: - On V(resource) create a resource-based permission.
- UNANIMOUS type: str
- AFFIRMATIVE required: true
- CONSENSUS choices:
resources: - resource
description: - scope
- Resource names to attach to this permission. decision_strategy:
- Scope-based permissions can only include one resource. description:
- Resource-based permissions can include multiple resources. - The decision strategy to use with this permission.
type: list type: str
elements: str default: UNANIMOUS
default: [] required: false
required: false choices:
scopes: - UNANIMOUS
description: - AFFIRMATIVE
- Scope names to attach to this permission. - CONSENSUS
- Resource-based permissions cannot have scopes attached to them. resources:
type: list description:
elements: str - Resource names to attach to this permission.
default: [] - Scope-based permissions can only include one resource.
required: false - Resource-based permissions can include multiple resources.
policies: type: list
description: elements: str
- Policy names to attach to this permission. default: []
type: list required: false
elements: str scopes:
default: [] description:
required: false - Scope names to attach to this permission.
client_id: - Resource-based permissions cannot have scopes attached to them.
description: type: list
- The clientId of the keycloak client that should have the authorization scope. elements: str
- This is usually a human-readable name of the Keycloak client. default: []
type: str required: false
required: true policies:
realm: description:
description: - Policy names to attach to this permission.
- The name of the Keycloak realm the Keycloak client is in. type: list
type: str elements: str
required: true default: []
required: false
client_id:
description:
- The clientId of the keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Samuli Seppänen (@mattock) - Samuli Seppänen (@mattock)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Manage scope-based Keycloak authorization permission - name: Manage scope-based Keycloak authorization permission
community.general.keycloak_authz_permission: community.general.keycloak_authz_permission:
name: ScopePermission name: ScopePermission
@ -164,68 +155,68 @@ EXAMPLES = '''
auth_username: keycloak auth_username: keycloak
auth_password: keycloak auth_password: keycloak
auth_realm: master auth_realm: master
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the authorization permission after module execution. description: Representation of the authorization permission after module execution.
returned: on success returned: on success
type: complex type: complex
contains: contains:
id: id:
description: ID of the authorization permission. description: ID of the authorization permission.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: 9da05cd2-b273-4354-bbd8-0c133918a454 sample: 9da05cd2-b273-4354-bbd8-0c133918a454
name: name:
description: Name of the authorization permission. description: Name of the authorization permission.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: ResourcePermission sample: ResourcePermission
description: description:
description: Description of the authorization permission. description: Description of the authorization permission.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: Resource Permission sample: Resource Permission
type: type:
description: Type of the authorization permission. description: Type of the authorization permission.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: resource sample: resource
decisionStrategy: decisionStrategy:
description: The decision strategy to use. description: The decision strategy to use.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: UNANIMOUS sample: UNANIMOUS
logic: logic:
description: The logic used for the permission (part of the payload, but has a fixed value). description: The logic used for the permission (part of the payload, but has a fixed value).
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: POSITIVE sample: POSITIVE
resources: resources:
description: IDs of resources attached to this permission. description: IDs of resources attached to this permission.
type: list type: list
returned: when O(state=present) returned: when O(state=present)
sample: sample:
- 49e052ff-100d-4b79-a9dd-52669ed3c11d - 49e052ff-100d-4b79-a9dd-52669ed3c11d
scopes: scopes:
description: IDs of scopes attached to this permission. description: IDs of scopes attached to this permission.
type: list type: list
returned: when O(state=present) returned: when O(state=present)
sample: sample:
- 9da05cd2-b273-4354-bbd8-0c133918a454 - 9da05cd2-b273-4354-bbd8-0c133918a454
policies: policies:
description: IDs of policies attached to this permission. description: IDs of policies attached to this permission.
type: list type: list
returned: when O(state=present) returned: when O(state=present)
sample: sample:
- 9da05cd2-b273-4354-bbd8-0c133918a454 - 9da05cd2-b273-4354-bbd8-0c133918a454
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError


@ -9,8 +9,7 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_authz_permission_info module: keycloak_authz_permission_info
version_added: 7.2.0 version_added: 7.2.0
@ -18,52 +17,46 @@ version_added: 7.2.0
short_description: Query Keycloak client authorization permissions information short_description: Query Keycloak client authorization permissions information
description: description:
- This module allows querying information about Keycloak client authorization permissions from the - This module allows querying information about Keycloak client authorization permissions from the resources endpoint using the Keycloak REST
resources endpoint via the Keycloak REST API. Authorization permissions are only available if a API. Authorization permissions are only available if a client has Authorization enabled.
client has Authorization enabled. - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm to your needs and a user having the expected roles.
being used must have the requisite access rights. In a default Keycloak installation, admin-cli - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
and an admin user would work, as would a separate realm definition with the scope tailored have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
attributes: attributes:
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
name: name:
description: description:
- Name of the authorization permission to create. - Name of the authorization permission to create.
type: str type: str
required: true required: true
client_id: client_id:
description: description:
- The clientId of the keycloak client that should have the authorization scope. - The clientId of the keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client. - This is usually a human-readable name of the Keycloak client.
type: str type: str
required: true required: true
realm: realm:
description: description:
- The name of the Keycloak realm the Keycloak client is in. - The name of the Keycloak realm the Keycloak client is in.
type: str type: str
required: true required: true
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
- community.general.attributes.info_module - community.general.attributes.info_module
author: author:
- Samuli Seppänen (@mattock) - Samuli Seppänen (@mattock)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Query Keycloak authorization permission - name: Query Keycloak authorization permission
community.general.keycloak_authz_permission_info: community.general.keycloak_authz_permission_info:
name: ScopePermission name: ScopePermission
@ -73,48 +66,48 @@ EXAMPLES = '''
auth_username: keycloak auth_username: keycloak
auth_password: keycloak auth_password: keycloak
auth_realm: master auth_realm: master
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
queried_state: queried_state:
description: State of the resource (a policy) as seen by Keycloak. description: State of the resource (a policy) as seen by Keycloak.
returned: on success returned: on success
type: complex type: complex
contains: contains:
id: id:
description: ID of the authorization permission. description: ID of the authorization permission.
type: str type: str
sample: 9da05cd2-b273-4354-bbd8-0c133918a454 sample: 9da05cd2-b273-4354-bbd8-0c133918a454
name: name:
description: Name of the authorization permission. description: Name of the authorization permission.
type: str type: str
sample: ResourcePermission sample: ResourcePermission
description: description:
description: Description of the authorization permission. description: Description of the authorization permission.
type: str type: str
sample: Resource Permission sample: Resource Permission
type: type:
description: Type of the authorization permission. description: Type of the authorization permission.
type: str type: str
sample: resource sample: resource
decisionStrategy: decisionStrategy:
description: The decision strategy. description: The decision strategy.
type: str type: str
sample: UNANIMOUS sample: UNANIMOUS
logic: logic:
description: The logic used for the permission (part of the payload, but has a fixed value). description: The logic used for the permission (part of the payload, but has a fixed value).
type: str type: str
sample: POSITIVE sample: POSITIVE
config: config:
description: Configuration of the permission (empty in all observed cases). description: Configuration of the permission (empty in all observed cases).
type: dict type: dict
sample: {} sample: {}
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
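Review bot: The `name` option on the new side of this hunk still documents itself as `Name of the authorization permission to create.` although keycloak_authz_permission_info is a read-only info module; the wording appears to have been carried over from the sibling keycloak_authz_permission module and the normalization pass did not correct it. Suggest `- Name of the authorization permission to query.` so the documentation does not imply the module creates anything. The `queried_state` description `State of the resource (a policy) as seen by Keycloak.` also reads oddly for a permission, though it may be deliberate since the sibling module notes that GET requests go to the policies endpoint; confirm before changing it.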



@ -8,8 +8,7 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_client_rolemapping module: keycloak_client_rolemapping
short_description: Allows administration of Keycloak client_rolemapping with the Keycloak API short_description: Allows administration of Keycloak client_rolemapping with the Keycloak API
@ -17,129 +16,113 @@ short_description: Allows administration of Keycloak client_rolemapping with the
version_added: 3.5.0 version_added: 3.5.0
description: description:
- This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. - This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access to the REST API
It requires access to the REST API via OpenID Connect; the user connecting and the client being using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
used must have the requisite access rights. In a default Keycloak installation, admin-cli admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
and an admin user would work, as would a separate client definition with the scope tailored expected roles.
to your needs and a user having the expected roles. - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- The names of module options are snake_cased versions of the camelCase ones found in the - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will into the role ID.
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the client_rolemapping. - State of the client_rolemapping.
- On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the client_rolemapping will be removed if it exists. - On V(absent), the client_rolemapping will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
- present - present
- absent - absent
realm: realm:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
group_name:
type: str
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
version_added: "7.1.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
type: str type: str
description: description:
- They Keycloak realm under which this role_representation resides. - Identify parent by ID.
default: 'master' - Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
group_name: - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str type: str
description: description:
- Name of the group to be mapped. - Identify parent by name.
- This parameter is required (can be replaced by gid for less API call). - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
parents: - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
version_added: "7.1.0" with ID being preferred.
type: list gid:
description: type: str
- List of parent groups for the group to handle sorted top to bottom. description:
- >- - Id of the group to be mapped.
Set this if your group is a subgroup and you do not provide the GID in O(gid). - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
elements: dict client_id:
suboptions: type: str
id: description:
type: str - Name of the client to be mapped (different than O(cid)).
description: - This parameter is required (can be replaced by cid for less API call).
- Identify parent by ID. cid:
- Needs less API calls than using O(parents[].name). type: str
- A deep parent chain can be started at any point when first given parent is given as ID. description:
- Note that in principle both ID and name can be specified at the same time - Id of the client to be mapped.
but current implementation only always use just one of them, with ID - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
being preferred. roles:
name: description:
type: str - Roles to be mapped to the group.
description: type: list
- Identify parent by name. elements: dict
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. suboptions:
- When giving a parent chain with only names it must be complete up to the top. name:
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
gid:
type: str type: str
description: description:
- Id of the group to be mapped. - Name of the role_representation.
- This parameter is not required for updating or deleting the rolemapping but - This parameter is required only when creating or updating the role_representation.
providing it will reduce the number of API calls required. id:
client_id:
type: str type: str
description: description:
- Name of the client to be mapped (different than O(cid)). - The unique identifier for this role_representation.
- This parameter is required (can be replaced by cid for less API call). - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
cid:
type: str
description:
- Id of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the group.
type: list
elements: dict
suboptions:
name:
type: str
description:
- Name of the role_representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Gaëtan Daubresse (@Gaetan2907) - Gaëtan Daubresse (@Gaetan2907)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Map a client role to a group, authentication with credentials - name: Map a client role to a group, authentication with credentials
community.general.keycloak_client_rolemapping: community.general.keycloak_client_rolemapping:
realm: MyCustomRealm realm: MyCustomRealm
@ -209,50 +192,37 @@ EXAMPLES = '''
- name: role_name2 - name: role_name2
id: role_id2 id: role_id2
delegate_to: localhost delegate_to: localhost
"""
''' RETURN = r"""
RETURN = '''
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Role role1 assigned to group group1." sample: "Role role1 assigned to group group1."
proposed: proposed:
description: Representation of proposed client role mapping. description: Representation of proposed client role mapping.
returned: always returned: always
type: dict type: dict
sample: { sample: {clientId: "test"}
clientId: "test"
}
existing: existing:
description: description:
- Representation of existing client role mapping. - Representation of existing client role mapping.
- The sample is truncated. - The sample is truncated.
returned: always returned: always
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
end_state: end_state:
description: description:
- Representation of client role mapping after module execution. - Representation of client role mapping after module execution.
- The sample is truncated. - The sample is truncated.
returned: on success returned: on success
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url", """
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,
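Review bot: The reflowed `parents[].id` and `parents[].name` descriptions keep the ungrammatical sentence `current implementation only always use just one of them, with ID being preferred`; since the commit already rewrites these paragraphs, it would be the moment to fix it, for example `Note that in principle both ID and name can be specified at the same time, but the current implementation always uses only one of them, with ID being preferred.` The same applies to `can be replaced by gid for less API call` under `group_name` and `can be replaced by cid for less API call` under `client_id`, which could read `O(gid) can be provided instead to save an API call` and `O(cid) can be provided instead to save an API call`. These are wording-only changes and do not affect the argument spec.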


@ -8,84 +8,74 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_client_rolescope module: keycloak_client_rolescope
short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications. short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications
version_added: 8.6.0 version_added: 8.6.0
description: description:
- This module allows you to add or remove Keycloak roles from clients scope via the Keycloak REST API. - This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access to the REST API using
It requires access to the REST API via OpenID Connect; the user connecting and the client being OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
and an admin user would work, as would a separate client definition with the scope tailored - Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false).
to your needs and a user having the expected roles. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the role mapping. - State of the role mapping.
- On V(present), all roles in O(role_names) will be mapped if not exists yet. - On V(present), all roles in O(role_names) will be mapped if not exists yet.
- On V(absent), all roles mapping in O(role_names) will be removed if it exists. - On V(absent), all roles mapping in O(role_names) will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
- present - present
- absent - absent
realm:
type: str
description:
- The Keycloak realm under which clients resides.
default: 'master'
client_id:
type: str
required: true
description:
- Roles provided in O(role_names) while be added to this client scope.
client_scope_id:
type: str
description:
- If the O(role_names) are client role, the client ID under which it resides.
- If this parameter is absent, the roles are considered a realm role.
role_names:
required: true
type: list
elements: str
description:
- Names of roles to manipulate.
- If O(client_scope_id) is present, all roles must be under this client.
- If O(client_scope_id) is absent, all roles must be under the realm.
realm:
type: str
description:
- The Keycloak realm under which clients resides.
default: 'master'
client_id:
type: str
required: true
description:
- Roles provided in O(role_names) while be added to this client scope.
client_scope_id:
type: str
description:
- If the O(role_names) are client role, the client ID under which it resides.
- If this parameter is absent, the roles are considered a realm role.
role_names:
required: true
type: list
elements: str
description:
- Names of roles to manipulate.
- If O(client_scope_id) is present, all roles must be under this client.
- If O(client_scope_id) is absent, all roles must be under the realm.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Andre Desrosiers (@desand01) - Andre Desrosiers (@desand01)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Add roles to public client scope - name: Add roles to public client scope
community.general.keycloak_client_rolescope: community.general.keycloak_client_rolescope:
auth_keycloak_url: https://auth.example.com/auth auth_keycloak_url: https://auth.example.com/auth
@ -96,8 +86,8 @@ EXAMPLES = '''
client_id: frontend-client-public client_id: frontend-client-public
client_scope_id: backend-client-private client_scope_id: backend-client-private
role_names: role_names:
- backend-role-admin - backend-role-admin
- backend-role-user - backend-role-user
- name: Remove roles from public client scope - name: Remove roles from public client scope
community.general.keycloak_client_rolescope: community.general.keycloak_client_rolescope:
@ -109,7 +99,7 @@ EXAMPLES = '''
client_id: frontend-client-public client_id: frontend-client-public
client_scope_id: backend-client-private client_scope_id: backend-client-private
role_names: role_names:
- backend-role-admin - backend-role-admin
state: absent state: absent
- name: Add realm roles to public client scope - name: Add realm roles to public client scope
@ -121,16 +111,16 @@ EXAMPLES = '''
realm: MyCustomRealm realm: MyCustomRealm
client_id: frontend-client-public client_id: frontend-client-public
role_names: role_names:
- realm-role-admin - realm-role-admin
- realm-role-user - realm-role-user
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Client role scope for frontend-client-public has been updated" sample: "Client role scope for frontend-client-public has been updated"
end_state: end_state:
description: Representation of role role scope after module execution. description: Representation of role role scope after module execution.
@ -138,22 +128,22 @@ end_state:
type: list type: list
elements: dict elements: dict
sample: [ sample: [
{ {
"clientRole": false, "clientRole": false,
"composite": false, "composite": false,
"containerId": "MyCustomRealm", "containerId": "MyCustomRealm",
"id": "47293104-59a6-46f0-b460-2e9e3c9c424c", "id": "47293104-59a6-46f0-b460-2e9e3c9c424c",
"name": "backend-role-admin" "name": "backend-role-admin"
}, },
{ {
"clientRole": false, "clientRole": false,
"composite": false, "composite": false,
"containerId": "MyCustomRealm", "containerId": "MyCustomRealm",
"id": "39c62a6d-542c-4715-92d2-41021eb33967", "id": "39c62a6d-542c-4715-92d2-41021eb33967",
"name": "backend-role-user" "name": "backend-role-user"
} }
] ]
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError


@ -8,166 +8,151 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_clientscope module: keycloak_clientscope
short_description: Allows administration of Keycloak client_scopes via Keycloak API short_description: Allows administration of Keycloak client_scopes using Keycloak API
version_added: 3.4.0 version_added: 3.4.0
description: description:
- This module allows you to add, remove or modify Keycloak client_scopes via the Keycloak REST API. - This module allows you to add, remove or modify Keycloak client_scopes using the Keycloak REST API. It requires access to the REST API using OpenID
It requires access to the REST API via OpenID Connect; the user connecting and the client being Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
and an admin user would work, as would a separate client definition with the scope tailored - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
to your needs and a user having the expected roles. U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
- The names of module options are snake_cased versions of the camelCase ones found in the You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup to the API to translate the
name into the client_scope ID.
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup
to the API to translate the name into the client_scope ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description:
- State of the client_scope.
- On V(present), the client_scope will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the client_scope will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
name:
type: str
description:
- Name of the client_scope.
- This parameter is required only when creating or updating the client_scope.
realm:
type: str
description:
- They Keycloak realm under which this client_scope resides.
default: 'master'
id:
type: str
description:
- The unique identifier for this client_scope.
- This parameter is not required for updating or deleting a client_scope but
providing it will reduce the number of API calls required.
description: description:
type: str - State of the client_scope.
description: - On V(present), the client_scope will be created if it does not yet exist, or updated with the parameters you provide.
- Description for this client_scope. - On V(absent), the client_scope will be removed if it exists.
- This parameter is not required for updating or deleting a client_scope. default: 'present'
type: str
choices:
- present
- absent
protocol: name:
type: str
description:
- Name of the client_scope.
- This parameter is required only when creating or updating the client_scope.
realm:
type: str
description:
- They Keycloak realm under which this client_scope resides.
default: 'master'
id:
type: str
description:
- The unique identifier for this client_scope.
- This parameter is not required for updating or deleting a client_scope but providing it will reduce the number of API calls required.
description:
type: str
description:
- Description for this client_scope.
- This parameter is not required for updating or deleting a client_scope.
protocol:
description:
- Type of client.
- The V(docker-v2) value was added in community.general 8.6.0.
choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2']
type: str
protocol_mappers:
description:
- A list of dicts defining protocol mappers for this client.
- This is C(protocolMappers) in the Keycloak REST API.
aliases:
- protocolMappers
type: list
elements: dict
suboptions:
protocol:
description: description:
- Type of client. - This specifies for which protocol this protocol mapper.
- The V(docker-v2) value was added in community.general 8.6.0. - Is active.
choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2'] choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2']
type: str type: str
protocol_mappers: protocolMapper:
description: description:
- A list of dicts defining protocol mappers for this client. - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
- This is 'protocolMappers' in the Keycloak REST API. be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
aliases: - V(docker-v2-allow-all-mapper).
- protocolMappers - V(oidc-address-mapper).
type: list - V(oidc-full-name-mapper).
elements: dict - V(oidc-group-membership-mapper).
suboptions: - V(oidc-hardcoded-claim-mapper).
protocol: - V(oidc-hardcoded-role-mapper).
description: - V(oidc-role-name-mapper).
- This specifies for which protocol this protocol mapper. - V(oidc-script-based-protocol-mapper).
- is active. - V(oidc-sha256-pairwise-sub-mapper).
choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2'] - V(oidc-usermodel-attribute-mapper).
type: str - V(oidc-usermodel-client-role-mapper).
- V(oidc-usermodel-property-mapper).
- V(oidc-usermodel-realm-role-mapper).
- V(oidc-usersessionmodel-note-mapper).
- V(saml-group-membership-mapper).
- V(saml-hardcode-attribute-mapper).
- V(saml-hardcode-role-mapper).
- V(saml-role-list-mapper).
- V(saml-role-name-mapper).
- V(saml-user-attribute-mapper).
- V(saml-user-property-mapper).
- V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
and looking under 'protocol-mapper'.
type: str
protocolMapper: name:
description: description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is - The name of this protocol mapper.
impossible to provide since this may be extended through SPIs by the user of Keycloak, type: str
by default Keycloak as of 3.4 ships with at least:"
- V(docker-v2-allow-all-mapper)
- V(oidc-address-mapper)
- V(oidc-full-name-mapper)
- V(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper)
- V(saml-role-list-mapper)
- V(saml-role-name-mapper)
- V(saml-user-attribute-mapper)
- V(saml-user-property-mapper)
- V(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'.
type: str
name: id:
description: description:
- The name of this protocol mapper. - Usually a UUID specifying the internal ID of this protocol mapper instance.
type: str type: str
id: config:
description: description:
- Usually a UUID specifying the internal ID of this protocol mapper instance. - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
type: str O(protocol_mappers[].protocolMapper)
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
config: to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
description: return value.
- Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) return value.
type: dict
attributes:
type: dict type: dict
description:
- A dict of key/value pairs to set as custom attributes for the client_scope.
- Values may be single values (for example a string) or a list of strings.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the client_scope.
- Values may be single values (for example a string) or a list of strings.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Gaëtan Daubresse (@Gaetan2907) - Gaëtan Daubresse (@Gaetan2907)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create a Keycloak client_scopes, authentication with credentials - name: Create a Keycloak client_scopes, authentication with credentials
community.general.keycloak_clientscope: community.general.keycloak_clientscope:
name: my-new-kc-clientscope name: my-new-kc-clientscope
@ -254,54 +239,42 @@ EXAMPLES = '''
protocol: saml protocol: saml
protocolMapper: saml-role-list-mapper protocolMapper: saml-role-list-mapper
attributes: attributes:
attrib1: value1 attrib1: value1
attrib2: value2 attrib2: value2
attrib3: attrib3:
- with - with
- numerous - numerous
- individual - individual
- list - list
- items - items
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Client_scope testclientscope has been updated" sample: "Client_scope testclientscope has been updated"
proposed: proposed:
description: Representation of proposed client scope. description: Representation of proposed client scope.
returned: always returned: always
type: dict type: dict
sample: { sample: {clientId: "test"}
clientId: "test"
}
existing: existing:
description: Representation of existing client scope (sample is truncated). description: Representation of existing client scope (sample is truncated).
returned: always returned: always
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
end_state: end_state:
description: Representation of client scope after module execution (sample is truncated). description: Representation of client scope after module execution (sample is truncated).
returned: on success returned: on success
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url", """
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included keycloak_argument_spec, get_token, KeycloakError, is_struct_included
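Review bot: The `protocol` suboption under `protocol_mappers` is still described by two list items on the new side (`- This specifies for which protocol this protocol mapper.` followed by `- Is active.`); the normalization only capitalized the stray fragment instead of joining the sentence, so it should read `- This specifies for which protocol this protocol mapper is active.`. The `realm` option in the same DOCUMENTATION string also keeps the pre-existing typo `They Keycloak realm under which this client_scope resides.`, which should be `The Keycloak realm under which this client_scope resides.`. Both are documentation-only fixes inside the reflowed DOCUMENTATION block of this section.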


@ -9,29 +9,24 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_clientscope_type module: keycloak_clientscope_type
short_description: Set the type of aclientscope in realm or client via Keycloak API short_description: Set the type of aclientscope in realm or client using Keycloak API
version_added: 6.6.0 version_added: 6.6.0
description: description:
- This module allows you to set the type (optional, default) of clientscopes - This module allows you to set the type (optional, default) of clientscopes using the Keycloak REST API. It requires access to the REST API using
via the Keycloak REST API. It requires access to the REST API via OpenID OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
Connect; the user connecting and the client being used must have the and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
requisite access rights. In a default Keycloak installation, admin-cli and
an admin user would work, as would a separate client definition with the
scope tailored to your needs and a user having the expected roles.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
realm: realm:
@ -66,9 +61,9 @@ extends_documentation_fragment:
author: author:
- Simon Pahl (@simonpahl) - Simon Pahl (@simonpahl)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Set default client scopes on realm level - name: Set default client scopes on realm level
community.general.keycloak_clientscope_type: community.general.keycloak_clientscope_type:
auth_client_id: admin-cli auth_client_id: admin-cli
@ -91,42 +86,33 @@ EXAMPLES = '''
default_clientscopes: ['profile', 'roles'] default_clientscopes: ['profile', 'roles']
optional_clientscopes: ['phone'] optional_clientscopes: ['phone']
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "" sample: ""
proposed: proposed:
description: Representation of proposed client-scope types mapping. description: Representation of proposed client-scope types mapping.
returned: always returned: always
type: dict type: dict
sample: { sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
default_clientscopes: ["profile", "role"],
optional_clientscopes: []
}
existing: existing:
description: description:
- Representation of client scopes before module execution. - Representation of client scopes before module execution.
returned: always returned: always
type: dict type: dict
sample: { sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: ["phone"]}
default_clientscopes: ["profile", "role"],
optional_clientscopes: ["phone"]
}
end_state: end_state:
description: description:
- Representation of client scopes after module execution. - Representation of client scopes after module execution.
- The sample is truncated. - The sample is truncated.
returned: on success returned: on success
type: dict type: dict
sample: { sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
default_clientscopes: ["profile", "role"], """
optional_clientscopes: []
}
'''
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
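Review bot: The new `short_description` keeps the typo `aclientscope` (`Set the type of aclientscope in realm or client using Keycloak API`); it should be `Set the type of a client scope in realm or client using Keycloak API`. The reflowed RETURN samples also name the scope `role` (`default_clientscopes: ["profile", "role"]`) while the EXAMPLES in this same section use `roles`; presumably the built-in scope is `roles`, so the samples look inconsistent with the examples, although that text predates this commit and was only compacted here.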


@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_clientsecret_info module: keycloak_clientsecret_info
short_description: Retrieve client secret via Keycloak API short_description: Retrieve client secret using Keycloak API
version_added: 6.1.0 version_added: 6.1.0
description: description:
- This module allows you to get a Keycloak client secret via the Keycloak - This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; the
REST API. It requires access to the REST API via OpenID Connect; the user user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
connecting and the client being used must have the requisite access rights. user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
In a default Keycloak installation, admin-cli and an admin user would work, - When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to
as would a separate client definition with the scope tailored to your needs the API to translate the O(client_id) into the client ID.
and a user having the expected roles. - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
- When retrieving a new client secret, where possible provide the client's
O(id) (not O(client_id)) to the module. This removes a lookup to the API to
translate the O(client_id) into the client ID.
- "Note that this module returns the client secret. To avoid this showing up in the logs,
please add C(no_log: true) to the task."
attributes: attributes:
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
@ -46,14 +37,12 @@ options:
id: id:
description: description:
- The unique identifier for this client. - The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but - This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
providing it will reduce the number of API calls required.
type: str type: str
client_id: client_id:
description: description:
- The O(client_id) of the client. Passing this instead of O(id) results in an - The O(client_id) of the client. Passing this instead of O(id) results in an extra API call.
extra API call.
aliases: aliases:
- clientId - clientId
type: str type: str
@ -68,9 +57,9 @@ extends_documentation_fragment:
author: author:
- Fynn Chen (@fynncfchen) - Fynn Chen (@fynncfchen)
- John Cant (@johncant) - John Cant (@johncant)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Get a Keycloak client secret, authentication with credentials - name: Get a Keycloak client secret, authentication with credentials
community.general.keycloak_clientsecret_info: community.general.keycloak_clientsecret_info:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd' id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -102,16 +91,16 @@ EXAMPLES = '''
token: TOKEN token: TOKEN
delegate_to: localhost delegate_to: localhost
no_log: true no_log: true
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Textual description of whether we succeeded or failed description: Textual description of whether we succeeded or failed.
returned: always returned: always
type: str type: str
clientsecret_info: clientsecret_info:
description: Representation of the client secret description: Representation of the client secret.
returned: on success returned: on success
type: complex type: complex
contains: contains:
@ -125,7 +114,7 @@ clientsecret_info:
type: str type: str
returned: always returned: always
sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1 sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, KeycloakError, get_token) KeycloakAPI, KeycloakError, get_token)
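Review bot: The reflowed bullet `Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.` describes only part of the exposure: as far as I can tell `no_log` suppresses the task's own output, while a result captured with `register:` still contains the secret and a later `debug` or template task will print it unless that task is marked as well. Consider extending the bullet with `The secret also remains in any registered result; treat that variable as sensitive for the rest of the play.`. The RETURN entry `clientsecret_info` (`returned: on success`) is where a reader looks for the value, so the same sentence fits there too. Documentation-only suggestion.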


@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_clientsecret_regenerate module: keycloak_clientsecret_regenerate
short_description: Regenerate Keycloak client secret via Keycloak API short_description: Regenerate Keycloak client secret using Keycloak API
version_added: 6.1.0 version_added: 6.1.0
description: description:
- This module allows you to regenerate a Keycloak client secret via the - This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
Keycloak REST API. It requires access to the REST API via OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
the user connecting and the client being used must have the requisite access admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
rights. In a default Keycloak installation, admin-cli and an admin user - When regenerating a client secret, where possible provide the client's id (not client_id) to the module. This removes a lookup to the API
would work, as would a separate client definition with the scope tailored to to translate the client_id into the client ID.
your needs and a user having the expected roles. - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
- When regenerating a client secret, where possible provide the client's id
(not client_id) to the module. This removes a lookup to the API to
translate the client_id into the client ID.
- "Note that this module returns the client secret. To avoid this showing up in the logs,
please add C(no_log: true) to the task."
attributes: attributes:
check_mode: check_mode:
support: full support: full
@ -50,14 +41,12 @@ options:
id: id:
description: description:
- The unique identifier for this client. - The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but - This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
providing it will reduce the number of API calls required.
type: str type: str
client_id: client_id:
description: description:
- The client_id of the client. Passing this instead of id results in an - The client_id of the client. Passing this instead of id results in an extra API call.
extra API call.
aliases: aliases:
- clientId - clientId
type: str type: str
@ -71,9 +60,9 @@ extends_documentation_fragment:
author: author:
- Fynn Chen (@fynncfchen) - Fynn Chen (@fynncfchen)
- John Cant (@johncant) - John Cant (@johncant)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Regenerate a Keycloak client secret, authentication with credentials - name: Regenerate a Keycloak client secret, authentication with credentials
community.general.keycloak_clientsecret_regenerate: community.general.keycloak_clientsecret_regenerate:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd' id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -105,16 +94,16 @@ EXAMPLES = '''
token: TOKEN token: TOKEN
delegate_to: localhost delegate_to: localhost
no_log: true no_log: true
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the client credential after module execution description: Representation of the client credential after module execution.
returned: on success returned: on success
type: complex type: complex
contains: contains:
@ -128,8 +117,7 @@ end_state:
type: str type: str
returned: always returned: always
sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1 sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
"""
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, KeycloakError, get_token) KeycloakAPI, KeycloakError, get_token)
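Review bot: The description bullets on the new side keep bare `id` and `client_id` (`provide the client's id (not client_id) to the module` and `The client_id of the client. Passing this instead of id results in an extra API call.`) where the sibling keycloak_clientsecret_info section in this same commit marks them up as `O(id)` and `O(client_id)`. Both modules document the same two options, so suggest `provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to the API to translate the O(client_id) into the client ID.` and `The O(client_id) of the client. Passing this instead of O(id) results in an extra API call.` so the rendered docs link the options consistently. The same `no_log` caveat this module's description carries applies to its `end_state` return value, which contains the regenerated secret.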


@ -8,176 +8,163 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_clienttemplate module: keycloak_clienttemplate
short_description: Allows administration of Keycloak client templates via Keycloak API short_description: Allows administration of Keycloak client templates using Keycloak API
description: description:
- This module allows the administration of Keycloak client templates via the Keycloak REST API. It - This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to the REST API using OpenID
requires access to the REST API via OpenID Connect; the user connecting and the client being Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
and an admin user would work, as would a separate client definition with the scope tailored - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
to your needs and a user having the expected roles. U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on an OpenID Connect
- The names of module options are snake_cased versions of the camelCase ones found in the client for instance and the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen.
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html)
- The Keycloak API does not always enforce for only sensible settings to be used -- you can set
SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
If you do not specify a setting, usually a sensible default is chosen.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description:
- State of the client template.
- On V(present), the client template will be created (or updated if it exists already).
- On V(absent), the client template will be removed if it exists
choices: ['present', 'absent']
default: 'present'
type: str
id:
description:
- Id of client template to be worked on. This is usually a UUID.
type: str
realm:
description:
- Realm this client template is found in.
type: str
default: master
name:
description:
- Name of the client template.
type: str
description: description:
- State of the client template.
- On V(present), the client template will be created (or updated if it exists already).
- On V(absent), the client template will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
id:
description:
- Id of client template to be worked on. This is usually a UUID.
type: str
realm:
description:
- Realm this client template is found in.
type: str
default: master
name:
description:
- Name of the client template.
type: str
description:
description:
- Description of the client template in Keycloak.
type: str
protocol:
description:
- Type of client template.
- The V(docker-v2) value was added in community.general 8.6.0.
choices: ['openid-connect', 'saml', 'docker-v2']
type: str
full_scope_allowed:
description:
- Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak REST API.
type: bool
protocol_mappers:
description:
- A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST API.
type: list
elements: dict
suboptions:
consentRequired:
description: description:
- Description of the client template in Keycloak. - Specifies whether a user needs to provide consent to a client for this mapper to be active.
type: bool
consentText:
description:
- The human-readable name of the consent the user is presented to accept.
type: str type: str
protocol: id:
description: description:
- Type of client template. - Usually a UUID specifying the internal ID of this protocol mapper instance.
- The V(docker-v2) value was added in community.general 8.6.0. type: str
name:
description:
- The name of this protocol mapper.
type: str
protocol:
description:
- This specifies for which protocol this protocol mapper is active.
choices: ['openid-connect', 'saml', 'docker-v2'] choices: ['openid-connect', 'saml', 'docker-v2']
type: str type: str
full_scope_allowed: protocolMapper:
description: description:
- Is the "Full Scope Allowed" feature set for this client template or not. - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
This is 'fullScopeAllowed' in the Keycloak REST API. be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
type: bool - V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper).
- V(oidc-full-name-mapper).
- V(oidc-group-membership-mapper).
- V(oidc-hardcoded-claim-mapper).
- V(oidc-hardcoded-role-mapper).
- V(oidc-role-name-mapper).
- V(oidc-script-based-protocol-mapper).
- V(oidc-sha256-pairwise-sub-mapper).
- V(oidc-usermodel-attribute-mapper).
- V(oidc-usermodel-client-role-mapper).
- V(oidc-usermodel-property-mapper).
- V(oidc-usermodel-realm-role-mapper).
- V(oidc-usersessionmodel-note-mapper).
- V(saml-group-membership-mapper).
- V(saml-hardcode-attribute-mapper).
- V(saml-hardcode-role-mapper).
- V(saml-role-list-mapper).
- V(saml-role-name-mapper).
- V(saml-user-attribute-mapper).
- V(saml-user-property-mapper).
- V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
and looking under 'protocol-mapper'.
type: str
protocol_mappers: config:
description: description:
- a list of dicts defining protocol mappers for this client template. - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
This is 'protocolMappers' in the Keycloak REST API. O(protocol_mappers[].protocolMapper)
type: list and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
elements: dict to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
suboptions: field.
consentRequired:
description:
- Specifies whether a user needs to provide consent to a client for this mapper to be active.
type: bool
consentText:
description:
- The human-readable name of the consent the user is presented to accept.
type: str
id:
description:
- Usually a UUID specifying the internal ID of this protocol mapper instance.
type: str
name:
description:
- The name of this protocol mapper.
type: str
protocol:
description:
- This specifies for which protocol this protocol mapper is active.
choices: ['openid-connect', 'saml', 'docker-v2']
type: str
protocolMapper:
description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
impossible to provide since this may be extended through SPIs by the user of Keycloak,
by default Keycloak as of 3.4 ships with at least:"
- V(docker-v2-allow-all-mapper)
- V(oidc-address-mapper)
- V(oidc-full-name-mapper)
- V(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper)
- V(saml-role-list-mapper)
- V(saml-role-name-mapper)
- V(saml-user-attribute-mapper)
- V(saml-user-property-mapper)
- V(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'.
type: str
config:
description:
- Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) field.
type: dict
attributes:
description:
- A dict of further attributes for this client template. This can contain various
configuration settings, though in the default installation of Keycloak as of 3.4, none
are documented or known, so this is usually empty.
type: dict type: dict
notes: attributes:
- The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), description:
C(implicitFlowEnabled), C(directAccessGrantsEnabled), C(serviceAccountsEnabled), C(publicClient), and - A dict of further attributes for this client template. This can contain various configuration settings, though in the default installation
C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect on of Keycloak as of 3.4, none are documented or known, so this is usually empty.
Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, type: dict
they are not available through this module.
notes:
- The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled),
C(directAccessGrantsEnabled),
C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect
on Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, they are not available
through this module.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Eike Frost (@eikef) - Eike Frost (@eikef)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create or update Keycloak client template (minimal), authentication with credentials - name: Create or update Keycloak client template (minimal), authentication with credentials
community.general.keycloak_client: community.general.keycloak_client:
auth_client_id: admin-cli auth_client_id: admin-cli
@ -236,47 +223,33 @@ EXAMPLES = '''
full_scope_allowed: false full_scope_allowed: false
id: bce6f5e9-d7d3-4955-817e-c5b7f8d65b3f id: bce6f5e9-d7d3-4955-817e-c5b7f8d65b3f
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Client template testclient has been updated" sample: "Client template testclient has been updated"
proposed: proposed:
description: Representation of proposed client template. description: Representation of proposed client template.
returned: always returned: always
type: dict type: dict
sample: { sample: {name: "test01"}
name: "test01"
}
existing: existing:
description: Representation of existing client template (sample is truncated). description: Representation of existing client template (sample is truncated).
returned: always returned: always
type: dict type: dict
sample: { sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
"description": "test01",
"fullScopeAllowed": false,
"id": "9c3712ab-decd-481e-954f-76da7b006e5f",
"name": "test01",
"protocol": "saml"
}
end_state: end_state:
description: Representation of client template after module execution (sample is truncated). description: Representation of client template after module execution (sample is truncated).
returned: on success returned: on success
type: dict type: dict
sample: { sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
"description": "test01", """
"fullScopeAllowed": false,
"id": "9c3712ab-decd-481e-954f-76da7b006e5f",
"name": "test01",
"protocol": "saml"
}
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
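Review bot: The first task in EXAMPLES is named "Create or update Keycloak client template (minimal)" but invokes `community.general.keycloak_client:`, so a user copying it would manage a client rather than a client template in the module this file documents; the line should read `community.general.keycloak_clienttemplate:`. That line is unchanged context in the first hunk and the normalization left it as-is. The second hunk starts after the module line of its example, so I cannot tell from here whether the same mistake is repeated there.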


@ -8,80 +8,75 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_component module: keycloak_component
short_description: Allows administration of Keycloak components via Keycloak API short_description: Allows administration of Keycloak components using Keycloak API
version_added: 10.0.0 version_added: 10.0.0
description: description:
- This module allows the administration of Keycloak components via the Keycloak REST API. It - This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
requires access to the REST API via OpenID Connect; the user connecting and the realm being the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) and an
used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) C(admin) user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
and an C(admin) user would work, as would a separate realm definition with the scope tailored - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
to your needs and a user having the expected roles. U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the Keycloak component. - State of the Keycloak component.
- On V(present), the component will be created (or updated if it exists already). - On V(present), the component will be created (or updated if it exists already).
- On V(absent), the component will be removed if it exists. - On V(absent), the component will be removed if it exists.
choices: ['present', 'absent'] choices: ['present', 'absent']
default: 'present' default: 'present'
type: str type: str
name: name:
description: description:
- Name of the component to create. - Name of the component to create.
type: str type: str
required: true required: true
parent_id: parent_id:
description: description:
- The parent_id of the component. In practice the ID (name) of the realm. - The parent_id of the component. In practice the ID (name) of the realm.
type: str type: str
required: true required: true
provider_id: provider_id:
description: description:
- The name of the "provider ID" for the key. - The name of the "provider ID" for the key.
type: str type: str
required: true required: true
provider_type: provider_type:
description: description:
- The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), - The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.userprofile.UserProfileProvider),
V(org.keycloak.userprofile.UserProfileProvider), ... ...
- See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers). - See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers).
type: str type: str
required: true required: true
config: config:
description: description:
- Configuration properties for the provider. - Configuration properties for the provider.
- Contents vary depending on the provider type. - Contents vary depending on the provider type.
type: dict type: dict
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Björn Bösel (@fivetide) - Björn Bösel (@fivetide)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Manage Keycloak User Storage Provider - name: Manage Keycloak User Storage Provider
community.general.keycloak_component: community.general.keycloak_component:
auth_keycloak_url: http://localhost:8080/auth auth_keycloak_url: http://localhost:8080/auth
@ -97,42 +92,42 @@ EXAMPLES = '''
myCustomKey: "my_custom_key" myCustomKey: "my_custom_key"
cachePolicy: "NO_CACHE" cachePolicy: "NO_CACHE"
enabled: true enabled: true
''' """
RETURN = ''' RETURN = r"""
end_state: end_state:
description: Representation of the keycloak_component after module execution. description: Representation of the keycloak_component after module execution.
returned: on success returned: on success
type: dict type: dict
contains: contains:
id: id:
description: ID of the component. description: ID of the component.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4 sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
name: name:
description: Name of the component. description: Name of the component.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: mykey sample: mykey
parentId: parentId:
description: ID of the realm this key belongs to. description: ID of the realm this key belongs to.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: myrealm sample: myrealm
providerId: providerId:
description: The ID of the key provider. description: The ID of the key provider.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: rsa sample: rsa
providerType: providerType:
description: The type of provider. description: The type of provider.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
config: config:
description: component configuration. description: Component configuration.
type: dict type: dict
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
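Review bot: In RETURN, `providerType` is the only entry under `end_state.contains` without a `sample`, which makes the otherwise uniform block look incomplete; a value already used in this page's examples would do, e.g. `sample: org.keycloak.keys.KeyProvider`. Separately, the reflow in the first hunk leaves the trailing `...` of the `provider_type` description alone on its own continuation line, which reads as a stray token; folding it back onto the preceding line or replacing it with `and so on` would be clearer.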


@ -8,106 +8,100 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_component_info module: keycloak_component_info
short_description: Retrive component info in Keycloak short_description: Retrieve component info in Keycloak
version_added: 8.2.0 version_added: 8.2.0
description: description:
- This module retrive information on component from Keycloak. - This module retrieve information on component from Keycloak.
attributes: attributes:
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
realm: realm:
description: description:
- The name of the realm. - The name of the realm.
required: true required: true
type: str type: str
name: name:
description: description:
- Name of the Component. - Name of the Component.
type: str type: str
provider_type: provider_type:
description: description:
- Provider type of components. - Provider type of components.
- "Example: - 'Examples: V(org.keycloak.storage.UserStorageProvider),
V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), V(org.keycloak.keys.KeyProvider),
V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).'
V(org.keycloak.keys.KeyProvider), type: str
V(org.keycloak.userprofile.UserProfileProvider), parent_id:
V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper)." description:
type: str - Container ID of the components.
parent_id: type: str
description:
- Container ID of the components.
type: str
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
- community.general.attributes.info_module - community.general.attributes.info_module
author: author:
- Andre Desrosiers (@desand01) - Andre Desrosiers (@desand01)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Retrive info of a UserStorageProvider named myldap - name: Retrive info of a UserStorageProvider named myldap
community.general.keycloak_component_info: community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin auth_sername: admin
auth_password: password auth_password: password
auth_realm: master auth_realm: master
realm: myrealm realm: myrealm
name: myldap name: myldap
provider_type: org.keycloak.storage.UserStorageProvider provider_type: org.keycloak.storage.UserStorageProvider
- name: Retrive key info component - name: Retrive key info component
community.general.keycloak_component_info: community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin auth_sername: admin
auth_password: password auth_password: password
auth_realm: master auth_realm: master
realm: myrealm realm: myrealm
name: rsa-enc-generated name: rsa-enc-generated
provider_type: org.keycloak.keys.KeyProvider provider_type: org.keycloak.keys.KeyProvider
- name: Retrive all component from realm master - name: Retrive all component from realm master
community.general.keycloak_component_info: community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin auth_sername: admin
auth_password: password auth_password: password
auth_realm: master auth_realm: master
realm: myrealm realm: myrealm
- name: Retrive all sub components of parent component filter by type - name: Retrive all sub components of parent component filter by type
community.general.keycloak_component_info: community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin auth_sername: admin
auth_password: password auth_password: password
auth_realm: master auth_realm: master
realm: myrealm realm: myrealm
parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2" parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2"
provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
"""
''' RETURN = r"""
RETURN = '''
components: components:
description: JSON representation of components. description: JSON representation of components.
returned: always returned: always
type: list type: list
elements: dict elements: dict
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
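Review bot: The module description still reads `- This module retrieve information on component from Keycloak.` after the short_description typo fix; suggest `- This module retrieves information on components from Keycloak.`. In EXAMPLES every task passes `auth_sername: admin`, which is not an option provided by the shared keycloak documentation fragment (the option is `auth_username`), so the examples fail argument validation when copied verbatim, and the task names still spell "Retrive". These example lines are unchanged context in the hunk, so the normalization did not touch them.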


@ -8,122 +8,102 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_group module: keycloak_group
short_description: Allows administration of Keycloak groups via Keycloak API short_description: Allows administration of Keycloak groups using Keycloak API
description: description:
- This module allows you to add, remove or modify Keycloak groups via the Keycloak REST API. - This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
It requires access to the REST API via OpenID Connect; the user connecting and the client being the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
used must have the requisite access rights. In a default Keycloak installation, admin-cli admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
and an admin user would work, as would a separate client definition with the scope tailored - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
to your needs and a user having the expected roles. U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
- The names of module options are snake_cased versions of the camelCase ones found in the You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html). - When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate the name into the
group ID.
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a group, where possible provide the group ID to the module. This removes a lookup
to the API to translate the name into the group ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the group. - State of the group.
- On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide.
- >- - On V(absent), the group will be removed if it exists. Be aware that absenting a group with subgroups will automatically delete all its
On V(absent), the group will be removed if it exists. Be aware that absenting subgroups too.
a group with subgroups will automatically delete all its subgroups too. default: 'present'
default: 'present' type: str
type: str choices:
choices: - present
- present - absent
- absent
name: name:
type: str
description:
- Name of the group.
- This parameter is required only when creating or updating the group.
realm:
type: str
description:
- They Keycloak realm under which this group resides.
default: 'master'
id:
type: str
description:
- The unique identifier for this group.
- This parameter is not required for updating or deleting a group but providing it will reduce the number of API calls required.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the group.
- Values may be single values (for example a string) or a list of strings.
parents:
version_added: "6.4.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup by name.
- Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly queried without necessarily
knowing its parent(s).
elements: dict
suboptions:
id:
type: str type: str
description: description:
- Name of the group. - Identify parent by ID.
- This parameter is required only when creating or updating the group. - Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
realm: - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str type: str
description: description:
- They Keycloak realm under which this group resides. - Identify parent by name.
default: 'master' - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
id: - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
type: str with ID being preferred.
description:
- The unique identifier for this group.
- This parameter is not required for updating or deleting a group but
providing it will reduce the number of API calls required.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the group.
- Values may be single values (e.g. a string) or a list of strings.
parents:
version_added: "6.4.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- >-
Set this to create a group as a subgroup of another group or groups (parents) or
when accessing an existing subgroup by name.
- >-
Not necessary to set when accessing an existing subgroup by its C(ID) because in
that case the group can be directly queried without necessarily knowing its parent(s).
elements: dict
suboptions:
id:
type: str
description:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
notes: notes:
- Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API - Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API are read-only
are read-only for groups. This limitation will be removed in a later version of this module. for groups. This limitation will be removed in a later version of this module.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Adam Goossens (@adamgoossens) - Adam Goossens (@adamgoossens)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create a Keycloak group, authentication with credentials - name: Create a Keycloak group, authentication with credentials
community.general.keycloak_group: community.general.keycloak_group:
name: my-new-kc-group name: my-new-kc-group
@ -191,14 +171,14 @@ EXAMPLES = '''
auth_password: PASSWORD auth_password: PASSWORD
name: my-new_group name: my-new_group
attributes: attributes:
attrib1: value1 attrib1: value1
attrib2: value2 attrib2: value2
attrib3: attrib3:
- with - with
- numerous - numerous
- individual - individual
- list - list
- items - items
delegate_to: localhost delegate_to: localhost
- name: Create a Keycloak subgroup of a base group (using parent name) - name: Create a Keycloak subgroup of a base group (using parent name)
@ -258,64 +238,63 @@ EXAMPLES = '''
parents: parents:
- id: "{{ result_new_kcgrp_sub.end_state.id }}" - id: "{{ result_new_kcgrp_sub.end_state.id }}"
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the group after module execution (sample is truncated). description: Representation of the group after module execution (sample is truncated).
returned: on success returned: on success
type: complex type: complex
contains: contains:
id: id:
description: GUID that identifies the group. description: GUID that identifies the group.
type: str type: str
returned: always returned: always
sample: 23f38145-3195-462c-97e7-97041ccea73e sample: 23f38145-3195-462c-97e7-97041ccea73e
name: name:
description: Name of the group. description: Name of the group.
type: str type: str
returned: always returned: always
sample: grp-test-123 sample: grp-test-123
attributes: attributes:
description: Attributes applied to this group. description: Attributes applied to this group.
type: dict type: dict
returned: always returned: always
sample: sample:
attr1: ["val1", "val2", "val3"] attr1: ["val1", "val2", "val3"]
path: path:
description: URI path to the group. description: URI path to the group.
type: str type: str
returned: always returned: always
sample: /grp-test-123 sample: /grp-test-123
realmRoles: realmRoles:
description: An array of the realm-level roles granted to this group. description: An array of the realm-level roles granted to this group.
type: list type: list
returned: always returned: always
sample: [] sample: []
subGroups: subGroups:
description: A list of groups that are children of this group. These groups will have the same parameters as description: A list of groups that are children of this group. These groups will have the same parameters as documented here.
documented here. type: list
type: list returned: always
returned: always clientRoles:
clientRoles: description: A list of client-level roles granted to this group.
description: A list of client-level roles granted to this group. type: list
type: list returned: always
returned: always sample: []
sample: [] access:
access: description: A dict describing the accesses you have to this group based on the credentials used.
description: A dict describing the accesses you have to this group based on the credentials used. type: dict
type: dict returned: always
returned: always sample:
sample: manage: true
manage: true manageMembership: true
manageMembership: true view: true
view: true """
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
@ -372,7 +351,7 @@ def main():
parents = module.params.get('parents') parents = module.params.get('parents')
# attributes in Keycloak have their values returned as lists # attributes in Keycloak have their values returned as lists
# via the API. attributes is a dict, so we'll transparently convert # using the API. attributes is a dict, so we'll transparently convert
# the values to lists. # the values to lists.
if attributes is not None: if attributes is not None:
for key, val in module.params['attributes'].items(): for key, val in module.params['attributes'].items():


@ -8,285 +8,280 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_identity_provider module: keycloak_identity_provider
short_description: Allows administration of Keycloak identity providers via Keycloak API short_description: Allows administration of Keycloak identity providers using Keycloak API
version_added: 3.6.0 version_added: 3.6.0
description: description:
- This module allows you to add, remove or modify Keycloak identity providers via the Keycloak REST API. - This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access to the REST API
It requires access to the REST API via OpenID Connect; the user connecting and the client being using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
used must have the requisite access rights. In a default Keycloak installation, admin-cli admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
and an admin user would work, as would a separate client definition with the scope tailored expected roles.
to your needs and a user having the expected roles. - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the identity provider. - State of the identity provider.
- On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the identity provider will be removed if it exists. - On V(absent), the identity provider will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
- present - present
- absent - absent
realm: realm:
description: description:
- The Keycloak realm under which this identity provider resides. - The Keycloak realm under which this identity provider resides.
default: 'master' default: 'master'
type: str type: str
alias: alias:
description: description:
- The alias uniquely identifies an identity provider and it is also used to build the redirect URI. - The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
required: true required: true
type: str type: str
display_name: display_name:
description:
- Friendly name for identity provider.
aliases:
- displayName
type: str
enabled:
description:
- Enable/disable this identity provider.
type: bool
store_token:
description:
- Enable/disable whether tokens must be stored after authenticating users.
aliases:
- storeToken
type: bool
add_read_token_role_on_create:
description:
- Enable/disable whether new users can read any stored tokens. This assigns the C(broker.read-token) role.
aliases:
- addReadTokenRoleOnCreate
type: bool
trust_email:
description:
- If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
aliases:
- trustEmail
type: bool
link_only:
description:
- If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login
from the provider, but want to integrate with a provider.
aliases:
- linkOnly
type: bool
first_broker_login_flow_alias:
description:
- Alias of authentication flow, which is triggered after first login with this identity provider.
aliases:
- firstBrokerLoginFlowAlias
type: str
post_broker_login_flow_alias:
description:
- Alias of authentication flow, which is triggered after each login with this identity provider.
aliases:
- postBrokerLoginFlowAlias
type: str
authenticate_by_default:
description:
- Specifies if this identity provider should be used by default for authentication even before displaying login screen.
aliases:
- authenticateByDefault
type: bool
provider_id:
description:
- Protocol used by this provider (supported values are V(oidc) or V(saml)).
aliases:
- providerId
type: str
config:
description:
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are
given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing identity provider configuration
through check-mode in the RV(existing) field.
type: dict
suboptions:
hide_on_login_page:
description: description:
- Friendly name for identity provider. - If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint) parameter.
aliases: aliases:
- displayName - hideOnLoginPage
type: str
enabled:
description:
- Enable/disable this identity provider.
type: bool type: bool
store_token: gui_order:
description: description:
- Enable/disable whether tokens must be stored after authenticating users. - Number defining order of the provider in GUI (for example, on Login page).
aliases: aliases:
- storeToken - guiOrder
type: bool type: int
add_read_token_role_on_create: sync_mode:
description: description:
- Enable/disable whether new users can read any stored tokens. This assigns the C(broker.read-token) role. - Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers.
aliases: aliases:
- addReadTokenRoleOnCreate - syncMode
type: bool
trust_email:
description:
- If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
aliases:
- trustEmail
type: bool
link_only:
description:
- If true, users cannot log in through this provider. They can only link to this provider.
This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
aliases:
- linkOnly
type: bool
first_broker_login_flow_alias:
description:
- Alias of authentication flow, which is triggered after first login with this identity provider.
aliases:
- firstBrokerLoginFlowAlias
type: str type: str
post_broker_login_flow_alias: issuer:
description: description:
- Alias of authentication flow, which is triggered after each login with this identity provider. - The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
aliases:
- postBrokerLoginFlowAlias
type: str type: str
authenticate_by_default: authorizationUrl:
description: description:
- Specifies if this identity provider should be used by default for authentication even before displaying login screen. - The Authorization URL.
aliases: type: str
- authenticateByDefault
tokenUrl:
description:
- The Token URL.
type: str
logoutUrl:
description:
- End session endpoint to use to logout user from external IDP.
type: str
userInfoUrl:
description:
- The User Info URL.
type: str
clientAuthMethod:
description:
- The client authentication method.
type: str
clientId:
description:
- The client or client identifier registered within the identity provider.
type: str
clientSecret:
description:
- The client or client secret registered within the identity provider.
type: str
defaultScope:
description:
- The scopes to be sent when asking for authorization.
type: str
validateSignature:
description:
- Enable/disable signature validation of external IDP signatures.
type: bool type: bool
provider_id: useJwksUrl:
description: description:
- Protocol used by this provider (supported values are V(oidc) or V(saml)). - If the switch is on, identity provider public keys will be downloaded from given JWKS URL.
aliases: type: bool
- providerId
jwksUrl:
description:
- URL where identity provider keys in JWK format are stored. See JWK specification for more details.
type: str type: str
config: entityId:
description: description:
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). - The Entity ID that will be used to uniquely identify this SAML Service Provider.
Examples are given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing type: str
identity provider configuration through check-mode in the RV(existing) field.
singleSignOnServiceUrl:
description:
- The URL that must be used to send authentication requests (SAML AuthnRequest).
type: str
singleLogoutServiceUrl:
description:
- The URL that must be used to send logout requests.
type: str
backchannelSupported:
description:
- Does the external IDP support backchannel logout?
type: str
nameIDPolicyFormat:
description:
- Specifies the URI reference corresponding to a name identifier format.
type: str
principalType:
description:
- Way to identify and track external users from the assertion.
type: str
mappers:
description:
- A list of dicts defining mappers associated with this Identity Provider.
type: list
elements: dict
suboptions:
id:
description:
- Unique ID of this mapper.
type: str
name:
description:
- Name of the mapper.
type: str
identityProviderAlias:
description:
- Alias of the identity provider for this mapper.
type: str
identityProviderMapper:
description:
- Type of mapper.
type: str
config:
description:
- Dict specifying the configuration options for the mapper; the contents differ depending on the value of O(mappers[].identityProviderMapper).
type: dict type: dict
suboptions:
hide_on_login_page:
description:
- If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint) parameter.
aliases:
- hideOnLoginPage
type: bool
gui_order:
description:
- Number defining order of the provider in GUI (for example, on Login page).
aliases:
- guiOrder
type: int
sync_mode:
description:
- Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers.
aliases:
- syncMode
type: str
issuer:
description:
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
type: str
authorizationUrl:
description:
- The Authorization URL.
type: str
tokenUrl:
description:
- The Token URL.
type: str
logoutUrl:
description:
- End session endpoint to use to logout user from external IDP.
type: str
userInfoUrl:
description:
- The User Info URL.
type: str
clientAuthMethod:
description:
- The client authentication method.
type: str
clientId:
description:
- The client or client identifier registered within the identity provider.
type: str
clientSecret:
description:
- The client or client secret registered within the identity provider.
type: str
defaultScope:
description:
- The scopes to be sent when asking for authorization.
type: str
validateSignature:
description:
- Enable/disable signature validation of external IDP signatures.
type: bool
useJwksUrl:
description:
- If the switch is on, identity provider public keys will be downloaded from given JWKS URL.
type: bool
jwksUrl:
description:
- URL where identity provider keys in JWK format are stored. See JWK specification for more details.
type: str
entityId:
description:
- The Entity ID that will be used to uniquely identify this SAML Service Provider.
type: str
singleSignOnServiceUrl:
description:
- The URL that must be used to send authentication requests (SAML AuthnRequest).
type: str
singleLogoutServiceUrl:
description:
- The URL that must be used to send logout requests.
type: str
backchannelSupported:
description:
- Does the external IDP support backchannel logout?
type: str
nameIDPolicyFormat:
description:
- Specifies the URI reference corresponding to a name identifier format.
type: str
principalType:
description:
- Way to identify and track external users from the assertion.
type: str
mappers:
description:
- A list of dicts defining mappers associated with this Identity Provider.
type: list
elements: dict
suboptions:
id:
description:
- Unique ID of this mapper.
type: str
name:
description:
- Name of the mapper.
type: str
identityProviderAlias:
description:
- Alias of the identity provider for this mapper.
type: str
identityProviderMapper:
description:
- Type of mapper.
type: str
config:
description:
- Dict specifying the configuration options for the mapper; the contents differ depending on the value of
O(mappers[].identityProviderMapper).
type: dict
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Laurent Paumier (@laurpaum) - Laurent Paumier (@laurpaum)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create OIDC identity provider, authentication with credentials - name: Create OIDC identity provider, authentication with credentials
community.general.keycloak_identity_provider: community.general.keycloak_identity_provider:
state: present state: present
@ -347,14 +342,14 @@ EXAMPLES = '''
attribute.friendly.name: User Roles attribute.friendly.name: User Roles
attribute.name: roles attribute.name: roles
syncMode: INHERIT syncMode: INHERIT
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Identity provider my-idp has been created" sample: "Identity provider my-idp has been created"
proposed: proposed:
description: Representation of proposed identity provider. description: Representation of proposed identity provider.
@ -428,7 +423,7 @@ end_state:
"storeToken": false, "storeToken": false,
"trustEmail": false, "trustEmail": false,
} }
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError



@ -8,98 +8,93 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_realm_info module: keycloak_realm_info
short_description: Allows obtaining Keycloak realm public information via Keycloak API short_description: Allows obtaining Keycloak realm public information using Keycloak API
version_added: 4.3.0 version_added: 4.3.0
description: description:
- This module allows you to get Keycloak realm public information via the Keycloak REST API. - This module allows you to get Keycloak realm public information using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
- The names of module options are snake_cased versions of the camelCase ones found in the U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.attributes - community.general.attributes
- community.general.attributes.info_module - community.general.attributes.info_module
options: options:
auth_keycloak_url: auth_keycloak_url:
description: description:
- URL to the Keycloak instance. - URL to the Keycloak instance.
type: str type: str
required: true required: true
aliases: aliases:
- url - url
validate_certs: validate_certs:
description: description:
- Verify TLS certificates (do not disable this in production). - Verify TLS certificates (do not disable this in production).
type: bool type: bool
default: true default: true
realm: realm:
type: str type: str
description: description:
- They Keycloak realm ID. - They Keycloak realm ID.
default: 'master' default: 'master'
author: author:
- Fynn Chen (@fynncfchen) - Fynn Chen (@fynncfchen)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Get a Keycloak public key - name: Get a Keycloak public key
community.general.keycloak_realm_info: community.general.keycloak_realm_info:
realm: MyCustomRealm realm: MyCustomRealm
auth_keycloak_url: https://auth.example.com/auth auth_keycloak_url: https://auth.example.com/auth
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
realm_info: realm_info:
description: description:
- Representation of the realm public information. - Representation of the realm public information.
returned: always returned: always
type: dict type: dict
contains: contains:
realm: realm:
description: Realm ID. description: Realm ID.
type: str type: str
returned: always returned: always
sample: MyRealm sample: MyRealm
public_key: public_key:
description: Public key of the realm. description: Public key of the realm.
type: str type: str
returned: always returned: always
sample: MIIBIjANBgkqhkiG9w0BAQEFAAO... sample: MIIBIjANBgkqhkiG9w0BAQEFAAO...
token-service: token-service:
description: Token endpoint URL. description: Token endpoint URL.
type: str type: str
returned: always returned: always
sample: https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect sample: https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect
account-service: account-service:
description: Account console URL. description: Account console URL.
type: str type: str
returned: always returned: always
sample: https://auth.example.com/auth/realms/MyRealm/account sample: https://auth.example.com/auth/realms/MyRealm/account
tokens-not-before: tokens-not-before:
description: The token not before. description: The token not before.
type: int type: int
returned: always returned: always
sample: 0 sample: 0
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
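Review bot: The new side of the `realm` option description in this DOCUMENTATION block still reads `- They Keycloak realm ID.`, a pre-existing typo the normalization pass carried over; it should be `- The Keycloak realm ID.`. Since the commit already rewrites nearly every line of this docstring, fixing the wording here keeps the reflow and the correction in one change. The rest of the section is a pure reflow of existing text, so nothing else stands out.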

View file

@ -9,145 +9,123 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_realm_key module: keycloak_realm_key
short_description: Allows administration of Keycloak realm keys via Keycloak API short_description: Allows administration of Keycloak realm keys using Keycloak API
version_added: 7.5.0 version_added: 7.5.0
description: description:
- This module allows the administration of Keycloak realm keys via the Keycloak REST API. It - This module allows the administration of Keycloak realm keys using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
requires access to the REST API via OpenID Connect; the user connecting and the realm being the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
used must have the requisite access rights. In a default Keycloak installation, admin-cli user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
and an admin user would work, as would a separate realm definition with the scope tailored - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
to your needs and a user having the expected roles. U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- The names of module options are snake_cased versions of the camelCase ones found in the - This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property is changed alongside
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs to include the private key. This can
Aliases are provided so camelCased versions can be used as well. be considered either a bug or a feature, as the alternative would be to always update the realm key whether it has changed or not.
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
- This module is unable to detect changes to the actual cryptographic key after importing it. to the desired state (which may be empty) is not possible.
However, if some other property is changed alongside the cryptographic key, then the key
will also get changed as a side-effect, as the JSON payload needs to include the private key.
This can be considered either a bug or a feature, as the alternative would be to always
update the realm key whether it has changed or not.
- If certificate is not explicitly provided it will be dynamically created by Keycloak.
Therefore comparing the current state of the certificate to the desired state (which may be
empty) is not possible.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: partial support: partial
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description:
- State of the keycloak realm key.
- On V(present), the realm key will be created (or updated if it exists already).
- On V(absent), the realm key will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the realm key to create.
type: str
required: true
force:
description:
- Enforce the state of the private key and certificate. This is not automatically the case as this module is unable to determine the current
state of the private key and thus cannot trigger an update based on an actual divergence. That said, a private key update may happen even
if force is false as a side-effect of other changes.
default: false
type: bool
parent_id:
description:
- The parent_id of the realm key. In practice the name of the realm.
type: str
required: true
provider_id:
description:
- The name of the "provider ID" for the key.
- The value V(rsa-enc) has been added in community.general 8.2.0.
choices: ['rsa', 'rsa-enc']
default: 'rsa'
type: str
config:
description:
- Dict specifying the key and its properties.
type: dict
suboptions:
active:
description: description:
- State of the keycloak realm key. - Whether they key is active or inactive. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
- On V(present), the realm key will be created (or updated if it exists already). default: true
- On V(absent), the realm key will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the realm key to create.
type: str
required: true
force:
description:
- Enforce the state of the private key and certificate. This is not automatically the
case as this module is unable to determine the current state of the private key and
thus cannot trigger an update based on an actual divergence. That said, a private key
update may happen even if force is false as a side-effect of other changes.
default: false
type: bool type: bool
parent_id: enabled:
description: description:
- The parent_id of the realm key. In practice the name of the realm. - Whether the key is enabled or disabled. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
type: str default: true
type: bool
priority:
description:
- The priority of the key.
type: int
required: true required: true
provider_id: algorithm:
description: description:
- The name of the "provider ID" for the key. - Key algorithm.
- The value V(rsa-enc) has been added in community.general 8.2.0. - The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general
choices: ['rsa', 'rsa-enc'] 8.2.0.
default: 'rsa' default: RS256
choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256']
type: str type: str
config: private_key:
description: description:
- Dict specifying the key and its properties. - The private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
type: dict - Please note that the module cannot detect whether the private key specified differs from the current state's private key. Use O(force=true)
suboptions: to force the module to update the private key if you expect it to be updated.
active: required: true
description: type: str
- Whether they key is active or inactive. Not to be confused with the state certificate:
of the Ansible resource managed by the O(state) parameter. description:
default: true - A certificate signed with the private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
type: bool - If you want Keycloak to automatically generate a certificate using your private key then set this to an empty string.
enabled: required: true
description: type: str
- Whether the key is enabled or disabled. Not to be confused with the state
of the Ansible resource managed by the O(state) parameter.
default: true
type: bool
priority:
description:
- The priority of the key.
type: int
required: true
algorithm:
description:
- Key algorithm.
- The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5),
V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general 8.2.0.
default: RS256
choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256']
type: str
private_key:
description:
- The private key as an ASCII string. Contents of the key must match O(config.algorithm)
and O(provider_id).
- Please note that the module cannot detect whether the private key specified differs from the
current state's private key. Use O(force=true) to force the module to update the private key
if you expect it to be updated.
required: true
type: str
certificate:
description:
- A certificate signed with the private key as an ASCII string. Contents of the
key must match O(config.algorithm) and O(provider_id).
- If you want Keycloak to automatically generate a certificate using your private key
then set this to an empty string.
required: true
type: str
notes: notes:
- Current value of the private key cannot be fetched from Keycloak. - Current value of the private key cannot be fetched from Keycloak. Therefore comparing its desired state to the current state is not possible.
Therefore comparing its desired state to the current state is not - If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
possible. to the desired state (which may be empty) is not possible.
- If certificate is not explicitly provided it will be dynamically created - Due to the private key and certificate options the module is B(not fully idempotent). You can use O(force=true) to force the module to always
by Keycloak. Therefore comparing the current state of the certificate to update if you know that the private key might have changed.
the desired state (which may be empty) is not possible.
- Due to the private key and certificate options the module is
B(not fully idempotent). You can use O(force=true) to force the module
to always update if you know that the private key might have changed.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Samuli Seppänen (@mattock) - Samuli Seppänen (@mattock)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Manage Keycloak realm key (certificate autogenerated by Keycloak) - name: Manage Keycloak realm key (certificate autogenerated by Keycloak)
community.general.keycloak_realm_key: community.general.keycloak_realm_key:
name: custom name: custom
@ -182,54 +160,49 @@ EXAMPLES = '''
active: true active: true
priority: 120 priority: 120
algorithm: RS256 algorithm: RS256
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
end_state: end_state:
description: Representation of the keycloak_realm_key after module execution. description: Representation of the keycloak_realm_key after module execution.
returned: on success returned: on success
type: dict type: dict
contains: contains:
id: id:
description: ID of the realm key. description: ID of the realm key.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4 sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
name: name:
description: Name of the realm key. description: Name of the realm key.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: mykey sample: mykey
parentId: parentId:
description: ID of the realm this key belongs to. description: ID of the realm this key belongs to.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: myrealm sample: myrealm
providerId: providerId:
description: The ID of the key provider. description: The ID of the key provider.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
sample: rsa sample: rsa
providerType: providerType:
description: The type of provider. description: The type of provider.
type: str type: str
returned: when O(state=present) returned: when O(state=present)
config: config:
description: Realm key configuration. description: Realm key configuration.
type: dict type: dict
returned: when O(state=present) returned: when O(state=present)
sample: { sample: {"active": ["true"], "algorithm": ["RS256"], "enabled": ["true"], "priority": ["140"]}
"active": ["true"], """
"algorithm": ["RS256"],
"enabled": ["true"],
"priority": ["140"]
}
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError


@ -9,42 +9,39 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = """ DOCUMENTATION = r"""
---
module: keycloak_realm_keys_metadata_info module: keycloak_realm_keys_metadata_info
short_description: Allows obtaining Keycloak realm keys metadata via Keycloak API short_description: Allows obtaining Keycloak realm keys metadata using Keycloak API
version_added: 9.3.0 version_added: 9.3.0
description: description:
- This module allows you to get Keycloak realm keys metadata via the Keycloak REST API. - This module allows you to get Keycloak realm keys metadata using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
- The names of module options are snake_cased versions of the camelCase ones found in the U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
attributes: attributes:
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
realm: realm:
type: str type: str
description: description:
- They Keycloak realm to fetch keys metadata. - They Keycloak realm to fetch keys metadata.
default: 'master' default: 'master'
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
- community.general.attributes.info_module - community.general.attributes.info_module
author: author:
- Thomas Bach (@thomasbach-dev) - Thomas Bach (@thomasbach-dev)
""" """
EXAMPLES = """ EXAMPLES = r"""
- name: Fetch Keys metadata - name: Fetch Keys metadata
community.general.keycloak_realm_keys_metadata_info: community.general.keycloak_realm_keys_metadata_info:
auth_keycloak_url: https://auth.example.com/auth auth_keycloak_url: https://auth.example.com/auth
@ -67,30 +64,28 @@ EXAMPLES = """
delegate_to: localhost delegate_to: localhost
""" """
RETURN = """ RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
keys_metadata: keys_metadata:
description: description:
- Representation of the realm keys metadata (see - Representation of the realm keys metadata (see U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)).
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)). returned: always
type: dict
returned: always contains:
type: dict active:
contains: description: A mapping (that is, a dict) from key algorithms to UUIDs.
active: type: dict
description: A mapping (that is, a dict) from key algorithms to UUIDs. returned: always
type: dict keys:
returned: always description: A list of dicts providing detailed information on the keys.
keys: type: list
description: A list of dicts providing detailed information on the keys. elements: dict
type: list returned: always
elements: dict
returned: always
""" """
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
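Review bot: The `realm` option description in keycloak_realm_keys_metadata_info still reads `They Keycloak realm to fetch keys metadata.` on the new side; the reflow carried the typo over unchanged. Change it to `- The Keycloak realm to fetch keys metadata from.`. The same `They Keycloak realm` wording appears in the `realm` option of keycloak_realm_rolemapping further down in this commit and should be corrected there as well.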


@ -8,8 +8,7 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_realm_rolemapping module: keycloak_realm_rolemapping
short_description: Allows administration of Keycloak realm role mappings into groups with the Keycloak API short_description: Allows administration of Keycloak realm role mappings into groups with the Keycloak API
@ -17,119 +16,104 @@ short_description: Allows administration of Keycloak realm role mappings into gr
version_added: 8.2.0 version_added: 8.2.0
description: description:
- This module allows you to add, remove or modify Keycloak realm role - This module allows you to add, remove or modify Keycloak realm role mappings into groups with the Keycloak REST API. It requires access to
mappings into groups with the Keycloak REST API. It requires access to the the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak
REST API via OpenID Connect; the user connecting and the client being used installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user
must have the requisite access rights. In a default Keycloak installation, having the expected roles.
admin-cli and an admin user would work, as would a separate client - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
definition with the scope tailored to your needs and a user having the U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
expected roles. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- The names of module options are snake_cased versions of the camelCase ones found in the - When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html). into the role ID.
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the realm_rolemapping. - State of the realm_rolemapping.
- On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On C(absent), the realm_rolemapping will be removed if it exists. - On C(absent), the realm_rolemapping will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
- present - present
- absent - absent
realm: realm:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
group_name:
type: str
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
type: str type: str
description: description:
- They Keycloak realm under which this role_representation resides. - Identify parent by ID.
default: 'master' - Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
group_name: - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str type: str
description: description:
- Name of the group to be mapped. - Identify parent by name.
- This parameter is required (can be replaced by gid for less API call). - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
parents: - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
type: list with ID being preferred.
description: gid:
- List of parent groups for the group to handle sorted top to bottom. type: str
- >- description:
Set this if your group is a subgroup and you do not provide the GID in O(gid). - ID of the group to be mapped.
elements: dict - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
suboptions: roles:
id: description:
type: str - Roles to be mapped to the group.
description: type: list
- Identify parent by ID. elements: dict
- Needs less API calls than using O(parents[].name). suboptions:
- A deep parent chain can be started at any point when first given parent is given as ID. name:
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
gid:
type: str type: str
description: description:
- ID of the group to be mapped. - Name of the role_representation.
- This parameter is not required for updating or deleting the rolemapping but - This parameter is required only when creating or updating the role_representation.
providing it will reduce the number of API calls required. id:
type: str
roles:
description: description:
- Roles to be mapped to the group. - The unique identifier for this role_representation.
type: list - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
elements: dict required.
suboptions:
name:
type: str
description:
- Name of the role_representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Gaëtan Daubresse (@Gaetan2907) - Gaëtan Daubresse (@Gaetan2907)
- Marius Huysamen (@mhuysamen) - Marius Huysamen (@mhuysamen)
- Alexander Groß (@agross) - Alexander Groß (@agross)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Map a client role to a group, authentication with credentials - name: Map a client role to a group, authentication with credentials
community.general.keycloak_realm_rolemapping: community.general.keycloak_realm_rolemapping:
realm: MyCustomRealm realm: MyCustomRealm
@ -195,49 +179,37 @@ EXAMPLES = '''
- name: role_name2 - name: role_name2
id: role_id2 id: role_id2
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Role role1 assigned to group group1." sample: "Role role1 assigned to group group1."
proposed: proposed:
description: Representation of proposed client role mapping. description: Representation of proposed client role mapping.
returned: always returned: always
type: dict type: dict
sample: { sample: {clientId: "test"}
clientId: "test"
}
existing: existing:
description: description:
- Representation of existing client role mapping. - Representation of existing client role mapping.
- The sample is truncated. - The sample is truncated.
returned: always returned: always
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
end_state: end_state:
description: description:
- Representation of client role mapping after module execution. - Representation of client role mapping after module execution.
- The sample is truncated. - The sample is truncated.
returned: on success returned: on success
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url", """
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,
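Review bot: The `parents[].id` and `parents[].name` descriptions in keycloak_realm_rolemapping keep the ungrammatical sentence `current implementation only always use just one of them, with ID being preferred` after the reflow, so a reader cannot tell whether supplying both is allowed. Rewrite it in both places as `- If both ID and name are given, the current implementation uses only the ID.`. In the same suboptions `Needs less API calls` should read `Needs fewer API calls`, and the `group_name` description `can be replaced by gid for less API call` should read `can be replaced by O(gid) to save an API call`.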


@ -8,124 +8,114 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_role module: keycloak_role
short_description: Allows administration of Keycloak roles via Keycloak API short_description: Allows administration of Keycloak roles using Keycloak API
version_added: 3.4.0 version_added: 3.4.0
description: description:
- This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API. - This module allows you to add, remove or modify Keycloak roles using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
It requires access to the REST API via OpenID Connect; the user connecting and the client being the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
used must have the requisite access rights. In a default Keycloak installation, admin-cli admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
and an admin user would work, as would a separate client definition with the scope tailored - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
to your needs and a user having the expected roles. U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
- The names of module options are snake_cased versions of the camelCase ones found in the You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the role. - State of the role.
- On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the role will be removed if it exists. - On V(absent), the role will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
- present - present
- absent - absent
name: name:
type: str
required: true
description:
- Name of the role.
- This parameter is required.
description:
type: str
description:
- The role description.
realm:
type: str
description:
- The Keycloak realm under which this role resides.
default: 'master'
client_id:
type: str
description:
- If the role is a client role, the client id under which it resides.
- If this parameter is absent, the role is considered a realm role.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the role.
- Values may be single values (for example a string) or a list of strings.
composite:
description:
- If V(true), the role is a composition of other realm and/or client role.
default: false
type: bool
version_added: 7.1.0
composites:
description:
- List of roles to include to the composite realm role.
- If the composite role is a client role, the C(clientId) (not ID of the client) must be specified.
default: []
type: list
elements: dict
version_added: 7.1.0
suboptions:
name:
description:
- Name of the role. This can be the name of a REALM role or a client role.
type: str type: str
required: true required: true
client_id:
description: description:
- Name of the role. - Client ID if the role is a client role. Do not include this option for a REALM role.
- This parameter is required. - Use the client ID you can see in the Keycloak console, not the technical ID of the client.
description:
type: str type: str
required: false
aliases:
- clientId
state:
description: description:
- The role description. - Create the composite if present, remove it if absent.
realm:
type: str type: str
description: choices:
- The Keycloak realm under which this role resides. - present
default: 'master' - absent
default: present
client_id:
type: str
description:
- If the role is a client role, the client id under which it resides.
- If this parameter is absent, the role is considered a realm role.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the role.
- Values may be single values (e.g. a string) or a list of strings.
composite:
description:
- If V(true), the role is a composition of other realm and/or client role.
default: false
type: bool
version_added: 7.1.0
composites:
description:
- List of roles to include to the composite realm role.
- If the composite role is a client role, the C(clientId) (not ID of the client) must be specified.
default: []
type: list
elements: dict
version_added: 7.1.0
suboptions:
name:
description:
- Name of the role. This can be the name of a REALM role or a client role.
type: str
required: true
client_id:
description:
- Client ID if the role is a client role. Do not include this option for a REALM role.
- Use the client ID you can see in the Keycloak console, not the technical ID of the client.
type: str
required: false
aliases:
- clientId
state:
description:
- Create the composite if present, remove it if absent.
type: str
choices:
- present
- absent
default: present
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Laurent Paumier (@laurpaum) - Laurent Paumier (@laurpaum)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create a Keycloak realm role, authentication with credentials - name: Create a Keycloak realm role, authentication with credentials
community.general.keycloak_role: community.general.keycloak_role:
name: my-new-kc-role name: my-new-kc-role
@ -181,60 +171,44 @@ EXAMPLES = '''
auth_password: PASSWORD auth_password: PASSWORD
name: my-new-role name: my-new-role
attributes: attributes:
attrib1: value1 attrib1: value1
attrib2: value2 attrib2: value2
attrib3: attrib3:
- with - with
- numerous - numerous
- individual - individual
- list - list
- items - items
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Role myrole has been updated" sample: "Role myrole has been updated"
proposed: proposed:
description: Representation of proposed role. description: Representation of proposed role.
returned: always returned: always
type: dict type: dict
sample: { sample: {"description": "My updated test description"}
"description": "My updated test description"
}
existing: existing:
description: Representation of existing role. description: Representation of existing role.
returned: always returned: always
type: dict type: dict
sample: { sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
"attributes": {}, client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
"clientRole": true,
"composite": false,
"containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
"description": "My client test role",
"id": "561703dd-0f38-45ff-9a5a-0c978f794547",
"name": "myrole"
}
end_state: end_state:
description: Representation of role after module execution (sample is truncated). description: Representation of role after module execution (sample is truncated).
returned: on success returned: on success
type: dict type: dict
sample: { sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
"attributes": {}, updated client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
"clientRole": true, """
"composite": false,
"containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
"description": "My updated client test role",
"id": "561703dd-0f38-45ff-9a5a-0c978f794547",
"name": "myrole"
}
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included keycloak_argument_spec, get_token, KeycloakError, is_struct_included
@ -290,7 +264,7 @@ def main():
state = module.params.get('state') state = module.params.get('state')
# attributes in Keycloak have their values returned as lists # attributes in Keycloak have their values returned as lists
# via the API. attributes is a dict, so we'll transparently convert # using the API. attributes is a dict, so we'll transparently convert
# the values to lists. # the values to lists.
if module.params.get('attributes') is not None: if module.params.get('attributes') is not None:
for key, val in module.params['attributes'].items(): for key, val in module.params['attributes'].items():
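Review bot: The `existing` and `end_state` samples in the keycloak_role RETURN block are now wrapped inside the quoted `description` value (`"description": "My` followed by `client test role"` on the next line). YAML folds that line break into a single space, so the value still parses as `My client test role`, but a flow mapping broken in the middle of a string is easy to misread and easy to mangle in a later edit. Wrap at a key boundary instead, ending the first line with `"containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",` and starting the continuation with `"description": "My client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}`, and do the same for the `My updated client test role` sample.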


@ -9,225 +9,224 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_user module: keycloak_user
short_description: Create and configure a user in Keycloak short_description: Create and configure a user in Keycloak
description: description:
- This module creates, removes, or updates Keycloak users. - This module creates, removes, or updates Keycloak users.
version_added: 7.1.0 version_added: 7.1.0
options: options:
auth_username: auth_username:
aliases: [] aliases: []
realm: realm:
description:
- The name of the realm in which is the client.
default: master
type: str
username:
description:
- Username for the user.
required: true
type: str
id:
description:
- ID of the user on the Keycloak server if known.
type: str
enabled:
description:
- Enabled user.
type: bool
email_verified:
description:
- Check the validity of user email.
default: false
type: bool
aliases:
- emailVerified
first_name:
description:
- The user's first name.
required: false
type: str
aliases:
- firstName
last_name:
description:
- The user's last name.
required: false
type: str
aliases:
- lastName
email:
description:
- User email.
required: false
type: str
federation_link:
description:
- Federation Link.
required: false
type: str
aliases:
- federationLink
service_account_client_id:
description:
- Description of the client Application.
required: false
type: str
aliases:
- serviceAccountClientId
client_consents:
description:
- Client Authenticator Type.
type: list
elements: dict
default: []
aliases:
- clientConsents
suboptions:
client_id:
description: description:
- The name of the realm in which is the client. - Client ID of the client role. Not the technical ID of the client.
default: master
type: str type: str
username:
description:
- Username for the user.
required: true required: true
type: str
id:
description:
- ID of the user on the Keycloak server if known.
type: str
enabled:
description:
- Enabled user.
type: bool
email_verified:
description:
- Check the validity of user email.
default: false
type: bool
aliases: aliases:
- emailVerified - clientId
first_name: roles:
description: description:
- The user's first name. - List of client roles to assign to the user.
required: false
type: str
aliases:
- firstName
last_name:
description:
- The user's last name.
required: false
type: str
aliases:
- lastName
email:
description:
- User email.
required: false
type: str
federation_link:
description:
- Federation Link.
required: false
type: str
aliases:
- federationLink
service_account_client_id:
description:
- Description of the client Application.
required: false
type: str
aliases:
- serviceAccountClientId
client_consents:
description:
- Client Authenticator Type.
type: list
elements: dict
default: []
aliases:
- clientConsents
suboptions:
client_id:
description:
- Client ID of the client role. Not the technical ID of the client.
type: str
required: true
aliases:
- clientId
roles:
description:
- List of client roles to assign to the user.
type: list
required: true
elements: str
groups:
description:
- List of groups for the user.
type: list
elements: dict
default: []
suboptions:
name:
description:
- Name of the group.
type: str
state:
description:
- Control whether the user must be member of this group or not.
choices: [ "present", "absent" ]
default: present
type: str
credentials:
description:
- User credentials.
default: []
type: list
elements: dict
suboptions:
type:
description:
- Credential type.
type: str
required: true
value:
description:
- Value of the credential.
type: str
required: true
temporary:
description:
- If V(true), the users are required to reset their credentials at next login.
type: bool
default: false
required_actions:
description:
- RequiredActions user Auth.
default: []
type: list type: list
required: true
elements: str elements: str
aliases: groups:
- requiredActions description:
federated_identities: - List of groups for the user.
type: list
elements: dict
default: []
suboptions:
name:
description: description:
- List of IDPs of user. - Name of the group.
default: []
type: list
elements: str
aliases:
- federatedIdentities
attributes:
description:
- List of user attributes.
required: false
type: list
elements: dict
suboptions:
name:
description:
- Name of the attribute.
type: str
values:
description:
- Values for the attribute as list.
type: list
elements: str
state:
description:
- Control whether the attribute must exists or not.
choices: [ "present", "absent" ]
default: present
type: str
access:
description:
- list user access.
required: false
type: dict
disableable_credential_types:
description:
- list user Credential Type.
default: []
type: list
elements: str
aliases:
- disableableCredentialTypes
origin:
description:
- user origin.
required: false
type: str type: str
self: state:
description: description:
- user self administration. - Control whether the user must be member of this group or not.
required: false choices: ["present", "absent"]
type: str
state:
description:
- Control whether the user should exists or not.
choices: [ "present", "absent" ]
default: present default: present
type: str type: str
force: credentials:
description:
- User credentials.
default: []
type: list
elements: dict
suboptions:
type:
description: description:
- If V(true), allows to remove user and recreate it. - Credential type.
type: str
required: true
value:
description:
- Value of the credential.
type: str
required: true
temporary:
description:
- If V(true), the users are required to reset their credentials at next login.
type: bool type: bool
default: false default: false
required_actions:
description:
- RequiredActions user Auth.
default: []
type: list
elements: str
aliases:
- requiredActions
federated_identities:
description:
- List of IDPs of user.
default: []
type: list
elements: str
aliases:
- federatedIdentities
attributes:
description:
- List of user attributes.
required: false
type: list
elements: dict
suboptions:
name:
description:
- Name of the attribute.
type: str
values:
description:
- Values for the attribute as list.
type: list
elements: str
state:
description:
- Control whether the attribute must exists or not.
choices: ["present", "absent"]
default: present
type: str
access:
description:
- List user access.
required: false
type: dict
disableable_credential_types:
description:
- List user Credential Type.
default: []
type: list
elements: str
aliases:
- disableableCredentialTypes
origin:
description:
- User origin.
required: false
type: str
self:
description:
- User self administration.
required: false
type: str
state:
description:
- Control whether the user should exists or not.
choices: ["present", "absent"]
default: present
type: str
force:
description:
- If V(true), allows to remove user and recreate it.
type: bool
default: false
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
notes: notes:
- The module does not modify the user ID of an existing user. - The module does not modify the user ID of an existing user.
author: author:
- Philippe Gauthier (@elfelip) - Philippe Gauthier (@elfelip)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create a user user1 - name: Create a user user1
community.general.keycloak_user: community.general.keycloak_user:
auth_keycloak_url: http://localhost:8080/auth auth_keycloak_url: http://localhost:8080/auth
@ -241,21 +240,21 @@ EXAMPLES = '''
enabled: true enabled: true
emailVerified: false emailVerified: false
credentials: credentials:
- type: password - type: password
value: password value: password
temporary: false temporary: false
attributes: attributes:
- name: attr1 - name: attr1
values: values:
- value1 - value1
state: present state: present
- name: attr2 - name: attr2
values: values:
- value2 - value2
state: absent state: absent
groups: groups:
- name: group1 - name: group1
state: present state: present
state: present state: present
- name: Re-create a User - name: Re-create a User
@ -271,21 +270,21 @@ EXAMPLES = '''
enabled: true enabled: true
emailVerified: false emailVerified: false
credentials: credentials:
- type: password - type: password
value: password value: password
temporary: false temporary: false
attributes: attributes:
- name: attr1 - name: attr1
values: values:
- value1 - value1
state: present state: present
- name: attr2 - name: attr2
values: values:
- value2 - value2
state: absent state: absent
groups: groups:
- name: group1 - name: group1
state: present state: present
state: present state: present
- name: Re-create a User - name: Re-create a User
@ -301,21 +300,21 @@ EXAMPLES = '''
enabled: true enabled: true
emailVerified: false emailVerified: false
credentials: credentials:
- type: password - type: password
value: password value: password
temporary: false temporary: false
attributes: attributes:
- name: attr1 - name: attr1
values: values:
- value1 - value1
state: present state: present
- name: attr2 - name: attr2
values: values:
- value2 - value2
state: absent state: absent
groups: groups:
- name: group1 - name: group1
state: present state: present
state: present state: present
force: true force: true
@ -327,9 +326,9 @@ EXAMPLES = '''
realm: master realm: master
username: user1 username: user1
state: absent state: absent
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
@ -344,14 +343,15 @@ existing:
returned: on success returned: on success
type: dict type: dict
end_state: end_state:
description: Representation of the user after module execution description: Representation of the user after module execution.
returned: on success returned: on success
type: dict type: dict
changed: changed:
description: Return V(true) if the operation changed the user on the keycloak server, V(false) otherwise. description: Return V(true) if the operation changed the user on the keycloak server, V(false) otherwise.
returned: always returned: always
type: bool type: bool
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included keycloak_argument_spec, get_token, KeycloakError, is_struct_included
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule


@ -7,8 +7,7 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_user_rolemapping module: keycloak_user_rolemapping
short_description: Allows administration of Keycloak user_rolemapping with the Keycloak API short_description: Allows administration of Keycloak user_rolemapping with the Keycloak API
@ -16,110 +15,93 @@ short_description: Allows administration of Keycloak user_rolemapping with the K
version_added: 5.7.0 version_added: 5.7.0
description: description:
- This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. - This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. It requires access to the REST API using
It requires access to the REST API via OpenID Connect; the user connecting and the client being OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
and an admin user would work, as would a separate client definition with the scope tailored - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
to your needs and a user having the expected roles. U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
- The names of module options are snake_cased versions of the camelCase ones found in the You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
into the role ID.
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the user_rolemapping. - State of the user_rolemapping.
- On V(present), the user_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the user_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the user_rolemapping will be removed if it exists. - On V(absent), the user_rolemapping will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
- present - present
- absent - absent
realm: realm:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
target_username:
type: str
description:
- Username of the user roles are mapped to.
- This parameter is not required (can be replaced by uid for less API call).
uid:
type: str
description:
- ID of the user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
service_account_user_client_id:
type: str
description:
- Client ID of the service-account-user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
client_id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required if O(cid) is not provided (can be replaced by O(cid) to reduce the number of API calls that must be made).
cid:
type: str
description:
- ID of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the user.
type: list
elements: dict
suboptions:
name:
type: str type: str
description: description:
- They Keycloak realm under which this role_representation resides. - Name of the role representation.
default: 'master' - This parameter is required only when creating or updating the role_representation.
id:
target_username:
type: str type: str
description: description:
- Username of the user roles are mapped to. - The unique identifier for this role_representation.
- This parameter is not required (can be replaced by uid for less API call). - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
uid:
type: str
description:
- ID of the user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
service_account_user_client_id:
type: str
description:
- Client ID of the service-account-user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
client_id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required if O(cid) is not provided (can be replaced by O(cid)
to reduce the number of API calls that must be made).
cid:
type: str
description:
- ID of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the user.
type: list
elements: dict
suboptions:
name:
type: str
description:
- Name of the role representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Dušan Marković (@bratwurzt) - Dušan Marković (@bratwurzt)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Map a client role to a user, authentication with credentials - name: Map a client role to a user, authentication with credentials
community.general.keycloak_user_rolemapping: community.general.keycloak_user_rolemapping:
realm: MyCustomRealm realm: MyCustomRealm
@ -189,49 +171,37 @@ EXAMPLES = '''
- name: role_name2 - name: role_name2
id: role_id2 id: role_id2
delegate_to: localhost delegate_to: localhost
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: Message as to what action was taken. description: Message as to what action was taken.
returned: always returned: always
type: str type: str
sample: "Role role1 assigned to user user1." sample: "Role role1 assigned to user user1."
proposed: proposed:
description: Representation of proposed client role mapping. description: Representation of proposed client role mapping.
returned: always returned: always
type: dict type: dict
sample: { sample: {clientId: "test"}
clientId: "test"
}
existing: existing:
description: description:
- Representation of existing client role mapping. - Representation of existing client role mapping.
- The sample is truncated. - The sample is truncated.
returned: always returned: always
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
end_state: end_state:
description: description:
- Representation of client role mapping after module execution. - Representation of client role mapping after module execution.
- The sample is truncated. - The sample is truncated.
returned: on success returned: on success
type: dict type: dict
sample: { sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"adminUrl": "http://www.example.com/admin_url", """
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
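Review bot: The rewrapped description still sends readers to the Keycloak 8.0 REST reference (`U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html)`), while keycloak_userprofile in this same commit cites 24.0.5; since the normalization pass already touches that exact line, pointing it at a current release would let the snake_cased option names be checked against an API that is still documented. Separately, `target_username` keeps the old phrasing `This parameter is not required (can be replaced by uid for less API call).` whereas `uid`, `cid` and `id` all use the normalized form; `- This parameter is not required if O(uid) is provided; supplying O(uid) instead reduces the number of API calls required.` would match its siblings. Both are wording-only changes inside the DOCUMENTATION string.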


@ -8,278 +8,274 @@
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: keycloak_userprofile module: keycloak_userprofile
short_description: Allows managing Keycloak User Profiles short_description: Allows managing Keycloak User Profiles
description: description:
- This module allows you to create, update, or delete Keycloak User Profiles via Keycloak API. You can also customize the "Unmanaged Attributes" with it. - This module allows you to create, update, or delete Keycloak User Profiles using the Keycloak API. You can also customize the "Unmanaged Attributes"
with it.
- The names of module options are snake_cased versions of the camelCase ones found in the - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html). U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html).
For compatibility reasons, the module also accepts the camelCase versions of the options. For compatibility reasons, the module also accepts the camelCase versions of the options.
version_added: "9.4.0" version_added: "9.4.0"
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: full support: full
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
options: options:
state: state:
description: description:
- State of the User Profile provider. - State of the User Profile provider.
- On V(present), the User Profile provider will be created if it does not yet exist, or updated with - On V(present), the User Profile provider will be created if it does not yet exist, or updated with the parameters you provide.
the parameters you provide. - On V(absent), the User Profile provider will be removed if it exists.
- On V(absent), the User Profile provider will be removed if it exists. default: 'present'
default: 'present' type: str
type: str choices:
choices: - present
- present - absent
- absent
parent_id: parent_id:
description:
- The parent ID of the realm key. In practice the ID (name) of the realm.
aliases:
- parentId
- realm
type: str
required: true
provider_id:
description:
- The name of the provider ID for the key (supported value is V(declarative-user-profile)).
aliases:
- providerId
choices: ['declarative-user-profile']
default: 'declarative-user-profile'
type: str
provider_type:
description:
- Component type for User Profile (only supported value is V(org.keycloak.userprofile.UserProfileProvider)).
aliases:
- providerType
choices: ['org.keycloak.userprofile.UserProfileProvider']
default: org.keycloak.userprofile.UserProfileProvider
type: str
config:
description:
- The configuration of the User Profile Provider.
type: dict
required: false
suboptions:
kc_user_profile_config:
description: description:
- The parent ID of the realm key. In practice the ID (name) of the realm. - Define a declarative User Profile. See EXAMPLES for more context.
aliases: aliases:
- parentId - kcUserProfileConfig
- realm type: list
type: str elements: dict
required: true
provider_id:
description:
- The name of the provider ID for the key (supported value is V(declarative-user-profile)).
aliases:
- providerId
choices: ['declarative-user-profile']
default: 'declarative-user-profile'
type: str
provider_type:
description:
- Component type for User Profile (only supported value is V(org.keycloak.userprofile.UserProfileProvider)).
aliases:
- providerType
choices: ['org.keycloak.userprofile.UserProfileProvider']
default: org.keycloak.userprofile.UserProfileProvider
type: str
config:
description:
- The configuration of the User Profile Provider.
type: dict
required: false
suboptions: suboptions:
kc_user_profile_config: attributes:
description:
- A list of attributes to be included in the User Profile.
type: list
elements: dict
suboptions:
name:
description: description:
- Define a declarative User Profile. See EXAMPLES for more context. - The name of the attribute.
type: str
required: true
display_name:
description:
- The display name of the attribute.
aliases: aliases:
- kcUserProfileConfig - displayName
type: list type: str
elements: dict required: true
validations:
description:
- The validations to be applied to the attribute.
type: dict
suboptions: suboptions:
attributes: length:
description:
- The length validation for the attribute.
type: dict
suboptions:
min:
description: description:
- A list of attributes to be included in the User Profile. - The minimum length of the attribute.
type: list type: int
elements: dict max:
suboptions:
name:
description:
- The name of the attribute.
type: str
required: true
display_name:
description:
- The display name of the attribute.
aliases:
- displayName
type: str
required: true
validations:
description:
- The validations to be applied to the attribute.
type: dict
suboptions:
length:
description:
- The length validation for the attribute.
type: dict
suboptions:
min:
description:
- The minimum length of the attribute.
type: int
max:
description:
- The maximum length of the attribute.
type: int
required: true
email:
description:
- The email validation for the attribute.
type: dict
username_prohibited_characters:
description:
- The prohibited characters validation for the username attribute.
type: dict
aliases:
- usernameProhibitedCharacters
up_username_not_idn_homograph:
description:
- The validation to prevent IDN homograph attacks in usernames.
type: dict
aliases:
- upUsernameNotIdnHomograph
person_name_prohibited_characters:
description:
- The prohibited characters validation for person name attributes.
type: dict
aliases:
- personNameProhibitedCharacters
uri:
description:
- The URI validation for the attribute.
type: dict
pattern:
description:
- The pattern validation for the attribute using regular expressions.
type: dict
options:
description:
- Validation to ensure the attribute matches one of the provided options.
type: dict
annotations:
description:
- Annotations for the attribute.
type: dict
group:
description:
- Specifies the User Profile group where this attribute will be added.
type: str
permissions:
description:
- The permissions for viewing and editing the attribute.
type: dict
suboptions:
view:
description:
- The roles that can view the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
edit:
description:
- The roles that can edit the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
multivalued:
description:
- Whether the attribute can have multiple values.
type: bool
default: false
required:
description:
- The roles that require this attribute.
type: dict
suboptions:
roles:
description:
- The roles for which this attribute is required.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- user
groups:
description: description:
- A list of attribute groups to be included in the User Profile. - The maximum length of the attribute.
type: list type: int
elements: dict required: true
suboptions:
name:
description:
- The name of the group.
type: str
required: true
display_header: email:
description: description:
- The display header for the group. - The email validation for the attribute.
aliases: type: dict
- displayHeader
type: str
required: true
display_description: username_prohibited_characters:
description: description:
- The display description for the group. - The prohibited characters validation for the username attribute.
aliases: type: dict
- displayDescription aliases:
type: str - usernameProhibitedCharacters
required: false
annotations: up_username_not_idn_homograph:
description: description:
- The annotations included in the group. - The validation to prevent IDN homograph attacks in usernames.
type: dict type: dict
required: false aliases:
- upUsernameNotIdnHomograph
unmanaged_attribute_policy: person_name_prohibited_characters:
description: description:
- Policy for unmanaged attributes. - The prohibited characters validation for person name attributes.
aliases: type: dict
- unmanagedAttributePolicy aliases:
type: str - personNameProhibitedCharacters
choices:
- ENABLED uri:
- ADMIN_EDIT description:
- ADMIN_VIEW - The URI validation for the attribute.
type: dict
pattern:
description:
- The pattern validation for the attribute using regular expressions.
type: dict
options:
description:
- Validation to ensure the attribute matches one of the provided options.
type: dict
annotations:
description:
- Annotations for the attribute.
type: dict
group:
description:
- Specifies the User Profile group where this attribute will be added.
type: str
permissions:
description:
- The permissions for viewing and editing the attribute.
type: dict
suboptions:
view:
description:
- The roles that can view the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
edit:
description:
- The roles that can edit the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
multivalued:
description:
- Whether the attribute can have multiple values.
type: bool
default: false
required:
description:
- The roles that require this attribute.
type: dict
suboptions:
roles:
description:
- The roles for which this attribute is required.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- user
groups:
description:
- A list of attribute groups to be included in the User Profile.
type: list
elements: dict
suboptions:
name:
description:
- The name of the group.
type: str
required: true
display_header:
description:
- The display header for the group.
aliases:
- displayHeader
type: str
required: true
display_description:
description:
- The display description for the group.
aliases:
- displayDescription
type: str
required: false
annotations:
description:
- The annotations included in the group.
type: dict
required: false
unmanaged_attribute_policy:
description:
- Policy for unmanaged attributes.
aliases:
- unmanagedAttributePolicy
type: str
choices:
- ENABLED
- ADMIN_EDIT
- ADMIN_VIEW
notes: notes:
- Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). - Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). However, there can
However, there can be multiple O(config.kc_user_profile_config[].attributes[]) entries. be multiple O(config.kc_user_profile_config[].attributes[]) entries.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
- community.general.attributes - community.general.attributes
author: author:
- Eike Waldt (@yeoldegrove) - Eike Waldt (@yeoldegrove)
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Create a Declarative User Profile with default settings - name: Create a Declarative User Profile with default settings
community.general.keycloak_userprofile: community.general.keycloak_userprofile:
state: present state: present
@ -397,9 +393,9 @@ EXAMPLES = '''
config: config:
kc_user_profile_config: kc_user_profile_config:
- unmanagedAttributePolicy: ADMIN_VIEW - unmanagedAttributePolicy: ADMIN_VIEW
''' """
RETURN = ''' RETURN = r"""
msg: msg:
description: The output message generated by the module. description: The output message generated by the module.
returned: always returned: always
@ -409,8 +405,8 @@ data:
description: The data returned by the Keycloak API. description: The data returned by the Keycloak API.
returned: when state is present returned: when state is present
type: dict type: dict
sample: {...} sample: {'...': '...'}
''' """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError keycloak_argument_spec, get_token, KeycloakError
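Review bot: The `permissions.edit` suboption defaults to both `admin` and `user`, so every attribute declared through this module is end-user-editable unless the playbook overrides it, and neither the `edit` description nor the EXAMPLES mention that consequence; a line such as `- Defaults to both V(admin) and V(user); restrict this to V(admin) for attributes that end users must not change themselves.` under `edit` would make the default visible where it is chosen. Likewise `unmanaged_attribute_policy` lists `ENABLED`, `ADMIN_EDIT` and `ADMIN_VIEW` without saying what each permits or what omitting the option means; if the Keycloak semantics are as the names suggest (ENABLED lets users write unmanaged attributes, the ADMIN_* values confine them to administrators), spelling that out and stating the behaviour when the option is absent would help the reader pick the restrictive setting deliberately. The module code that applies these defaults is outside this hunk, so I cannot confirm how an omitted policy is sent to the API.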


@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = r""" DOCUMENTATION = r"""
---
module: keyring module: keyring
version_added: 5.2.0 version_added: 5.2.0
author: author:
- Alexander Hussey (@ahussey-redhat) - Alexander Hussey (@ahussey-redhat)
short_description: Set or delete a passphrase using the Operating System's native keyring short_description: Set or delete a passphrase using the Operating System's native keyring
description: >- description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to set or delete passphrases for a given service and username
to set or delete passphrases for a given service and username from the OS' native keyring. from the OS' native keyring.
requirements: requirements:
- keyring (Python library) - keyring (Python library)
- gnome-keyring (application - required for headless Gnome keyring access) - gnome-keyring (application - required for headless Gnome keyring access)


@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = r""" DOCUMENTATION = r"""
---
module: keyring_info module: keyring_info
version_added: 5.2.0 version_added: 5.2.0
author: author:
- Alexander Hussey (@ahussey-redhat) - Alexander Hussey (@ahussey-redhat)
short_description: Get a passphrase using the Operating System's native keyring short_description: Get a passphrase using the Operating System's native keyring
description: >- description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to retrieve passphrases for a given service and username from
to retrieve passphrases for a given service and username from the OS' native keyring. the OS' native keyring.
requirements: requirements:
- keyring (Python library) - keyring (Python library)
- gnome-keyring (application - required for headless Linux keyring access) - gnome-keyring (application - required for headless Linux keyring access)
@ -45,24 +44,24 @@ options:
""" """
EXAMPLES = r""" EXAMPLES = r"""
- name: Retrieve password for service_name/user_name - name: Retrieve password for service_name/user_name
community.general.keyring_info: community.general.keyring_info:
service: test service: test
username: test1 username: test1
keyring_password: "{{ keyring_password }}" keyring_password: "{{ keyring_password }}"
register: test_password register: test_password
- name: Display password - name: Display password
ansible.builtin.debug: ansible.builtin.debug:
msg: "{{ test_password.passphrase }}" msg: "{{ test_password.passphrase }}"
""" """
RETURN = r""" RETURN = r"""
passphrase: passphrase:
description: A string containing the password. description: A string containing the password.
returned: success and the password exists returned: success and the password exists
type: str type: str
sample: Password123 sample: Password123
""" """
try: try:
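Review bot: The `Display password` example prints the retrieved secret with `ansible.builtin.debug`, which puts it in the play output and any configured log, and nothing in DOCUMENTATION or RETURN marks `passphrase` as sensitive. A short caveat in the description, e.g. `- RV(passphrase) is a secret; set C(no_log: true) on the task that registers it and on any task that consumes it, and avoid echoing it with debug as shown below.`, would give the practitioner the warning the example otherwise undermines. Whether the module itself flags the return value as no_log is decided in code below `try:` that continues outside this hunk, so I cannot tell from here; the documentation note is worthwhile either way.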


@ -11,71 +11,70 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = r"""
---
module: kibana_plugin module: kibana_plugin
short_description: Manage Kibana plugins short_description: Manage Kibana plugins
description: description:
- This module can be used to manage Kibana plugins. - This module can be used to manage Kibana plugins.
author: Thierno IB. BARRY (@barryib) author: Thierno IB. BARRY (@barryib)
extends_documentation_fragment: extends_documentation_fragment:
- community.general.attributes - community.general.attributes
attributes: attributes:
check_mode: check_mode:
support: full support: full
diff_mode: diff_mode:
support: none support: none
options: options:
name: name:
description: description:
- Name of the plugin to install. - Name of the plugin to install.
required: true required: true
type: str type: str
state: state:
description: description:
- Desired state of a plugin. - Desired state of a plugin.
choices: ["present", "absent"] choices: ["present", "absent"]
default: present default: present
type: str type: str
url: url:
description: description:
- Set exact URL to download the plugin from. - Set exact URL to download the plugin from.
- For local file, prefix its absolute path with file:// - For local file, prefix its absolute path with file://.
type: str type: str
timeout: timeout:
description: description:
- "Timeout setting: 30s, 1m, 1h etc." - 'Timeout setting: V(30s), V(1m), V(1h) and so on.'
default: 1m default: 1m
type: str type: str
plugin_bin: plugin_bin:
description: description:
- Location of the Kibana binary. - Location of the Kibana binary.
default: /opt/kibana/bin/kibana default: /opt/kibana/bin/kibana
type: path type: path
plugin_dir: plugin_dir:
description: description:
- Your configured plugin directory specified in Kibana. - Your configured plugin directory specified in Kibana.
default: /opt/kibana/installedPlugins/ default: /opt/kibana/installedPlugins/
type: path type: path
version: version:
description: description:
- Version of the plugin to be installed. - Version of the plugin to be installed.
- If plugin exists with previous version, plugin will B(not) be updated unless O(force) is set to V(true). - If plugin exists with previous version, plugin will B(not) be updated unless O(force) is set to V(true).
type: str type: str
force: force:
description: description:
- Delete and re-install the plugin. Can be useful for plugins update. - Delete and re-install the plugin. Can be useful for plugins update.
type: bool type: bool
default: false default: false
allow_root: allow_root:
description: description:
- Whether to allow C(kibana) and C(kibana-plugin) to be run as root. Passes the C(--allow-root) flag to these commands. - Whether to allow C(kibana) and C(kibana-plugin) to be run as root. Passes the C(--allow-root) flag to these commands.
type: bool type: bool
default: false default: false
version_added: 2.3.0 version_added: 2.3.0
''' """
EXAMPLES = ''' EXAMPLES = r"""
- name: Install Elasticsearch head plugin - name: Install Elasticsearch head plugin
community.general.kibana_plugin: community.general.kibana_plugin:
state: present state: present
@ -91,38 +90,38 @@ EXAMPLES = '''
community.general.kibana_plugin: community.general.kibana_plugin:
state: absent state: absent
name: elasticsearch/marvel name: elasticsearch/marvel
''' """
RETURN = ''' RETURN = r"""
cmd: cmd:
description: the launched command during plugin management (install / remove) description: The launched command during plugin management (install / remove).
returned: success returned: success
type: str type: str
name: name:
description: the plugin name to install or remove description: The plugin name to install or remove.
returned: success returned: success
type: str type: str
url: url:
description: the url from where the plugin is installed from description: The url from where the plugin is installed from.
returned: success returned: success
type: str type: str
timeout: timeout:
description: the timeout for plugin download description: The timeout for plugin download.
returned: success returned: success
type: str type: str
stdout: stdout:
description: the command stdout description: The command stdout.
returned: success returned: success
type: str type: str
stderr: stderr:
description: the command stderr description: The command stderr.
returned: success returned: success
type: str type: str
state: state:
description: the state for the managed plugin description: The state for the managed plugin.
returned: success returned: success
type: str type: str
''' """
import os import os
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule


@ -8,8 +8,7 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = r''' DOCUMENTATION = r"""
---
module: krb_ticket module: krb_ticket
short_description: Kerberos utils for managing tickets short_description: Kerberos utils for managing tickets
version_added: 10.0.0 version_added: 10.0.0
@ -56,8 +55,9 @@ options:
lifetime: lifetime:
description: description:
- Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used. - Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used.
- Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. - Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum
- "The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days." ticket lifetime.
- 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days.'
- You cannot mix units; a value of V(3h30m) will result in an error. - You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference. - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str type: str
@ -73,7 +73,8 @@ options:
renewable: renewable:
description: description:
- Requests renewable tickets, with a total lifetime equal to O(renewable). - Requests renewable tickets, with a total lifetime equal to O(renewable).
- "The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days." - 'The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) -
days.'
- You cannot mix units; a value of V(3h30m) will result in an error. - You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference. - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str type: str
@ -125,9 +126,9 @@ requirements:
- krb5-user and krb5-config packages - krb5-user and krb5-config packages
extends_documentation_fragment: extends_documentation_fragment:
- community.general.attributes - community.general.attributes
''' """
EXAMPLES = r''' EXAMPLES = r"""
- name: Get Kerberos ticket using default principal - name: Get Kerberos ticket using default principal
community.general.krb_ticket: community.general.krb_ticket:
password: some_password password: some_password
@ -179,7 +180,7 @@ EXAMPLES = r'''
community.general.krb_ticket: community.general.krb_ticket:
state: absent state: absent
kdestroy_all: true kdestroy_all: true
''' """
from ansible.module_utils.basic import AnsibleModule, env_fallback from ansible.module_utils.basic import AnsibleModule, env_fallback
from ansible_collections.community.general.plugins.module_utils.cmd_runner import CmdRunner, cmd_runner_fmt from ansible_collections.community.general.plugins.module_utils.cmd_runner import CmdRunner, cmd_runner_fmt