ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-05 10:10:31 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

k*.py: normalize docs (#9391)

Browse source 
* k*.py: normalize docs

* Update plugins/modules/keycloak_realm_keys_metadata_info.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/kibana_plugin.py

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
Alexei Znamensky 2024-12-27 01:42:44 +13:00 committed by GitHub
parent 6aadcc72d1
commit 49ed3d4acf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
34 changed files with 4402 additions and 4882 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
plugins/modules/kdeconfig.py
View file

@ -7,15 +7,13 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = r'''
---
DOCUMENTATION = r"""
module: kdeconfig
short_description: Manage KDE configuration files
version_added: "6.5.0"
description:
- Add or change individual settings in KDE configuration files.
- It uses B(kwriteconfig) under the hood.
options:
path:
description:
@ -24,8 +22,7 @@ options:
required: true
kwriteconfig_path:
description:
- Path to the kwriteconfig executable. If not specified, Ansible will try
to discover it.
- Path to the kwriteconfig executable. If not specified, Ansible will try to discover it.
type: path
values:
description:
@ -74,9 +71,9 @@ requirements:
- kwriteconfig
author:
- Salvatore Mesoraca (@smeso)
'''
"""
EXAMPLES = r'''
EXAMPLES = r"""
- name: Ensure "Homepage=https://www.ansible.com/" in group "Branding"
community.general.kdeconfig:
path: /etc/xdg/kickoffrc
@ -97,9 +94,9 @@ EXAMPLES = r'''
key: KEY
value: VALUE
backup: true
'''
"""
RETURN = r''' # '''
RETURN = r""" # """
import os
import shutil

56
plugins/modules/kernel_blacklist.py
View file

@ -9,47 +9,45 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: kernel_blacklist
author:
- Matthias Vogelgesang (@matze)
- Matthias Vogelgesang (@matze)
short_description: Blacklist kernel modules
description:
- Add or remove kernel modules from blacklist.
- Add or remove kernel modules from blacklist.
extends_documentation_fragment:
- community.general.attributes
- community.general.attributes
attributes:
check_mode:
support: full
diff_mode:
support: full
check_mode:
support: full
diff_mode:
support: full
options:
name:
type: str
description:
- Name of kernel module to black- or whitelist.
required: true
state:
type: str
description:
- Whether the module should be present in the blacklist or absent.
choices: [ absent, present ]
default: present
blacklist_file:
type: str
description:
- If specified, use this blacklist file instead of
C(/etc/modprobe.d/blacklist-ansible.conf).
default: /etc/modprobe.d/blacklist-ansible.conf
'''
name:
type: str
description:
- Name of kernel module to black- or whitelist.
required: true
state:
type: str
description:
- Whether the module should be present in the blacklist or absent.
choices: [absent, present]
default: present
blacklist_file:
type: str
description:
- If specified, use this blacklist file instead of C(/etc/modprobe.d/blacklist-ansible.conf).
default: /etc/modprobe.d/blacklist-ansible.conf
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Blacklist the nouveau driver module
community.general.kernel_blacklist:
name: nouveau
state: present
'''
"""
import os
import re

191
plugins/modules/keycloak_authentication.py
View file

@ -7,112 +7,109 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authentication
short_description: Configure authentication in Keycloak
description:
- This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it.
- It can also delete the flow.
- This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it.
- It can also delete the flow.
version_added: "3.3.0"
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
realm:
description:
- The name of the realm in which is the authentication.
required: true
type: str
alias:
description:
- Alias for the authentication flow.
required: true
type: str
realm:
description:
- The name of the realm in which is the authentication.
required: true
type: str
alias:
description:
- Alias for the authentication flow.
required: true
type: str
description:
description:
- Description of the flow.
type: str
providerId:
description:
- C(providerId) for the new flow when not copied from an existing flow.
choices: ["basic-flow", "client-flow"]
type: str
copyFrom:
description:
- C(flowAlias) of the authentication flow to use for the copy.
type: str
authenticationExecutions:
description:
- Configuration structure for the executions.
type: list
elements: dict
suboptions:
providerId:
description:
- Description of the flow.
- C(providerID) for the new flow when not copied from an existing flow.
type: str
providerId:
displayName:
description:
- C(providerId) for the new flow when not copied from an existing flow.
choices: [ "basic-flow", "client-flow" ]
- Name of the execution or subflow to create or update.
type: str
copyFrom:
requirement:
description:
- C(flowAlias) of the authentication flow to use for the copy.
- Control status of the subflow or execution.
choices: ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"]
type: str
authenticationExecutions:
flowAlias:
description:
- Configuration structure for the executions.
type: list
elements: dict
suboptions:
providerId:
description:
- C(providerID) for the new flow when not copied from an existing flow.
type: str
displayName:
description:
- Name of the execution or subflow to create or update.
type: str
requirement:
description:
- Control status of the subflow or execution.
choices: [ "REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL" ]
type: str
flowAlias:
description:
- Alias of parent flow.
type: str
authenticationConfig:
description:
- Describe the config of the authentication.
type: dict
index:
description:
- Priority order of the execution.
type: int
subFlowType:
description:
- For new subflows, optionally specify the type.
- Is only used at creation.
choices: ["basic-flow", "form-flow"]
default: "basic-flow"
type: str
version_added: 6.6.0
state:
description:
- Control if the authentication flow must exists or not.
choices: [ "present", "absent" ]
default: present
- Alias of parent flow.
type: str
force:
type: bool
default: false
authenticationConfig:
description:
- If V(true), allows to remove the authentication flow and recreate it.
- Describe the config of the authentication.
type: dict
index:
description:
- Priority order of the execution.
type: int
subFlowType:
description:
- For new subflows, optionally specify the type.
- Is only used at creation.
choices: ["basic-flow", "form-flow"]
default: "basic-flow"
type: str
version_added: 6.6.0
state:
description:
- Control if the authentication flow must exists or not.
choices: ["present", "absent"]
default: present
type: str
force:
type: bool
default: false
description:
- If V(true), allows to remove the authentication flow and recreate it.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Philippe Gauthier (@elfelip)
- Gaëtan Daubresse (@Gaetan2907)
'''
- Philippe Gauthier (@elfelip)
- Gaëtan Daubresse (@Gaetan2907)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create an authentication flow from first broker login and add an execution to it.
community.general.keycloak_authentication:
auth_keycloak_url: http://localhost:8080/auth
@ -126,15 +123,15 @@ EXAMPLES = '''
- providerId: "test-execution1"
requirement: "REQUIRED"
authenticationConfig:
alias: "test.execution1.property"
config:
test1.property: "value"
alias: "test.execution1.property"
config:
test1.property: "value"
- providerId: "test-execution2"
requirement: "REQUIRED"
authenticationConfig:
alias: "test.execution2.property"
config:
test2.property: "value"
alias: "test.execution2.property"
config:
test2.property: "value"
state: present
- name: Re-create the authentication flow
@ -150,9 +147,9 @@ EXAMPLES = '''
- providerId: "test-provisioning"
requirement: "REQUIRED"
authenticationConfig:
alias: "test.provisioning.property"
config:
test.provisioning.property: "value"
alias: "test.provisioning.property"
config:
test.provisioning.property: "value"
state: present
force: true
@ -184,13 +181,13 @@ EXAMPLES = '''
realm: master
alias: "Copy of first broker login"
state: absent
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the authentication after module execution.
@ -222,7 +219,7 @@ end_state:
"providerId": "basic-flow",
"topLevel": true
}
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak \
import KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, is_struct_included

203
plugins/modules/keycloak_authentication_required_actions.py
View file

@ -9,84 +9,82 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authentication_required_actions
short_description: Allows administration of Keycloak authentication required actions
description:
- This module can register, update and delete required actions.
- It also filters out any duplicate required actions by their alias. The first occurrence is preserved.
- This module can register, update and delete required actions.
- It also filters out any duplicate required actions by their alias. The first occurrence is preserved.
version_added: 7.1.0
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
realm:
realm:
description:
- The name of the realm in which are the authentication required actions.
required: true
type: str
required_actions:
elements: dict
description:
- Authentication required action.
suboptions:
alias:
description:
- The name of the realm in which are the authentication required actions.
- Unique name of the required action.
required: true
type: str
required_actions:
elements: dict
config:
description:
- Authentication required action.
suboptions:
alias:
description:
- Unique name of the required action.
required: true
type: str
config:
description:
- Configuration for the required action.
type: dict
defaultAction:
description:
- Indicates, if any new user will have the required action assigned to it.
type: bool
enabled:
description:
- Indicates, if the required action is enabled or not.
type: bool
name:
description:
- Displayed name of the required action. Required for registration.
type: str
priority:
description:
- Priority of the required action.
type: int
providerId:
description:
- Provider ID of the required action. Required for registration.
type: str
type: list
state:
choices: [ "absent", "present" ]
- Configuration for the required action.
type: dict
defaultAction:
description:
- Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)).
required: true
- Indicates, if any new user will have the required action assigned to it.
type: bool
enabled:
description:
- Indicates, if the required action is enabled or not.
type: bool
name:
description:
- Displayed name of the required action. Required for registration.
type: str
priority:
description:
- Priority of the required action.
type: int
providerId:
description:
- Provider ID of the required action. Required for registration.
type: str
type: list
state:
choices: ["absent", "present"]
description:
- Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)).
required: true
type: str
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Skrekulko (@Skrekulko)
'''
- Skrekulko (@Skrekulko)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Register a new required action.
community.general.keycloak_authentication_required_actions:
auth_client_id: "admin-cli"
@ -126,56 +124,55 @@ EXAMPLES = '''
required_action:
- alias: "TERMS_AND_CONDITIONS"
state: "absent"
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the authentication required actions after module execution.
returned: on success
type: complex
contains:
alias:
description:
- Unique name of the required action.
sample: test-provider-id
type: str
config:
description:
- Configuration for the required action.
sample: {}
type: dict
defaultAction:
description:
- Indicates, if any new user will have the required action assigned to it.
sample: false
type: bool
enabled:
description:
- Indicates, if the required action is enabled or not.
sample: false
type: bool
name:
description:
- Displayed name of the required action. Required for registration.
sample: Test provider ID
type: str
priority:
description:
- Priority of the required action.
sample: 90
type: int
providerId:
description:
- Provider ID of the required action. Required for registration.
sample: test-provider-id
type: str
'''
description: Representation of the authentication required actions after module execution.
returned: on success
type: complex
contains:
alias:
description:
- Unique name of the required action.
sample: test-provider-id
type: str
config:
description:
- Configuration for the required action.
sample: {}
type: dict
defaultAction:
description:
- Indicates, if any new user will have the required action assigned to it.
sample: false
type: bool
enabled:
description:
- Indicates, if the required action is enabled or not.
sample: false
type: bool
name:
description:
- Displayed name of the required action. Required for registration.
sample: Test provider ID
type: str
priority:
description:
- Priority of the required action.
sample: 90
type: int
providerId:
description:
- Provider ID of the required action. Required for registration.
sample: test-provider-id
type: str
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

177
plugins/modules/keycloak_authz_authorization_scope.py
View file

@ -9,81 +9,75 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_authorization_scope
short_description: Allows administration of Keycloak client authorization scopes via Keycloak API
short_description: Allows administration of Keycloak client authorization scopes using Keycloak API
version_added: 6.6.0
description:
- This module allows the administration of Keycloak client Authorization Scopes via the Keycloak REST
API. Authorization Scopes are only available if a client has Authorization enabled.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization Scopes are only available
if a client has Authorization enabled.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the authorization scope.
- On V(present), the authorization scope will be created (or updated if it exists already).
- On V(absent), the authorization scope will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the authorization scope to create.
type: str
required: true
display_name:
description:
- The display name of the authorization scope.
type: str
required: false
icon_uri:
description:
- The icon URI for the authorization scope.
type: str
required: false
client_id:
description:
- The C(clientId) of the Keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
state:
description:
- State of the authorization scope.
- On V(present), the authorization scope will be created (or updated if it exists already).
- On V(absent), the authorization scope will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the authorization scope to create.
type: str
required: true
display_name:
description:
- The display name of the authorization scope.
type: str
required: false
icon_uri:
description:
- The icon URI for the authorization scope.
type: str
required: false
client_id:
description:
- The C(clientId) of the Keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Samuli Seppänen (@mattock)
'''
- Samuli Seppänen (@mattock)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak file:delete authorization scope
keycloak_authz_authorization_scope:
name: file:delete
@ -95,41 +89,40 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the authorization scope after module execution.
returned: on success
type: complex
contains:
id:
description: ID of the authorization scope.
type: str
returned: when O(state=present)
sample: a6ab1cf2-1001-40ec-9f39-48f23b6a0a41
name:
description: Name of the authorization scope.
type: str
returned: when O(state=present)
sample: file:delete
display_name:
description: Display name of the authorization scope.
type: str
returned: when O(state=present)
sample: File delete
icon_uri:
description: Icon URI for the authorization scope.
type: str
returned: when O(state=present)
sample: http://localhost/icon.png
'''
description: Representation of the authorization scope after module execution.
returned: on success
type: complex
contains:
id:
description: ID of the authorization scope.
type: str
returned: when O(state=present)
sample: a6ab1cf2-1001-40ec-9f39-48f23b6a0a41
name:
description: Name of the authorization scope.
type: str
returned: when O(state=present)
sample: file:delete
display_name:
description: Display name of the authorization scope.
type: str
returned: when O(state=present)
sample: File delete
icon_uri:
description: Icon URI for the authorization scope.
type: str
returned: when O(state=present)
sample: http://localhost/icon.png
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

150
plugins/modules/keycloak_authz_custom_policy.py
View file

@ -9,78 +9,71 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_custom_policy
short_description: Allows administration of Keycloak client custom Javascript policies via Keycloak API
short_description: Allows administration of Keycloak client custom Javascript policies using Keycloak API
version_added: 7.5.0
description:
- This module allows the administration of Keycloak client custom Javascript via the Keycloak REST
API. Custom Javascript policies are only available if a client has Authorization enabled and if
they have been deployed to the Keycloak server as JAR files.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript policies are only
available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
check_mode:
support: full
diff_mode:
support: none
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: none
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the custom policy.
- On V(present), the custom policy will be created (or updated if it exists already).
- On V(absent), the custom policy will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the custom policy to create.
type: str
required: true
policy_type:
description:
- The type of the policy. This must match the name of the custom policy deployed to the server.
- Multiple policies pointing to the same policy type can be created, but their names have to differ.
type: str
required: true
client_id:
description:
- The V(clientId) of the Keycloak client that should have the custom policy attached to it.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
state:
description:
- State of the custom policy.
- On V(present), the custom policy will be created (or updated if it exists already).
- On V(absent), the custom policy will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the custom policy to create.
type: str
required: true
policy_type:
description:
- The type of the policy. This must match the name of the custom policy deployed to the server.
- Multiple policies pointing to the same policy type can be created, but their names have to differ.
type: str
required: true
client_id:
description:
- The V(clientId) of the Keycloak client that should have the custom policy attached to it.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Samuli Seppänen (@mattock)
'''
- Samuli Seppänen (@mattock)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak custom authorization policy
community.general.keycloak_authz_custom_policy:
name: OnlyOwner
@ -92,31 +85,30 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the custom policy after module execution.
returned: on success
type: dict
contains:
name:
description: Name of the custom policy.
type: str
returned: when I(state=present)
sample: file:delete
policy_type:
description: Type of custom policy.
type: str
returned: when I(state=present)
sample: File delete
'''
description: Representation of the custom policy after module execution.
returned: on success
type: dict
contains:
name:
description: Name of the custom policy.
type: str
returned: when I(state=present)
sample: file:delete
policy_type:
description: Type of custom policy.
type: str
returned: when I(state=present)
sample: File delete
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

321
plugins/modules/keycloak_authz_permission.py
View file

@ -9,128 +9,119 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_permission
version_added: 7.2.0
short_description: Allows administration of Keycloak client authorization permissions via Keycloak API
short_description: Allows administration of Keycloak client authorization permissions using Keycloak API
description:
- This module allows the administration of Keycloak client authorization permissions via the Keycloak REST
API. Authorization permissions are only available if a client has Authorization enabled.
- There are some peculiarities in JSON paths and payloads for authorization permissions. In particular
POST and PUT operations are targeted at permission endpoints, whereas GET requests go to policies
endpoint. To make matters more interesting the JSON responses from GET requests return data in a
different format than what is expected for POST and PUT. The end result is that it is not possible to
detect changes to things like policies, scopes or resources - at least not without a large number of
additional API calls. Therefore this module always updates authorization permissions instead of
attempting to determine if changes are truly needed.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization permissions are
only available if a client has Authorization enabled.
- There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations are targeted
at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the JSON responses from GET requests
return data in a different format than what is expected for POST and PUT. The end result is that it is not possible to detect changes to things
like policies, scopes or resources - at least not without a large number of additional API calls. Therefore this module always updates authorization
permissions instead of attempting to determine if changes are truly needed.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
check_mode:
support: full
diff_mode:
support: none
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: none
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the authorization permission.
- On V(present), the authorization permission will be created (or updated if it exists already).
- On V(absent), the authorization permission will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the authorization permission to create.
type: str
required: true
state:
description:
description:
- The description of the authorization permission.
type: str
required: false
permission_type:
description:
- The type of authorization permission.
- On V(scope) create a scope-based permission.
- On V(resource) create a resource-based permission.
type: str
required: true
choices:
- resource
- scope
decision_strategy:
description:
- The decision strategy to use with this permission.
type: str
default: UNANIMOUS
required: false
choices:
- UNANIMOUS
- AFFIRMATIVE
- CONSENSUS
resources:
description:
- Resource names to attach to this permission.
- Scope-based permissions can only include one resource.
- Resource-based permissions can include multiple resources.
type: list
elements: str
default: []
required: false
scopes:
description:
- Scope names to attach to this permission.
- Resource-based permissions cannot have scopes attached to them.
type: list
elements: str
default: []
required: false
policies:
description:
- Policy names to attach to this permission.
type: list
elements: str
default: []
required: false
client_id:
description:
- The clientId of the keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
- State of the authorization permission.
- On V(present), the authorization permission will be created (or updated if it exists already).
- On V(absent), the authorization permission will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the authorization permission to create.
type: str
required: true
description:
description:
- The description of the authorization permission.
type: str
required: false
permission_type:
description:
- The type of authorization permission.
- On V(scope) create a scope-based permission.
- On V(resource) create a resource-based permission.
type: str
required: true
choices:
- resource
- scope
decision_strategy:
description:
- The decision strategy to use with this permission.
type: str
default: UNANIMOUS
required: false
choices:
- UNANIMOUS
- AFFIRMATIVE
- CONSENSUS
resources:
description:
- Resource names to attach to this permission.
- Scope-based permissions can only include one resource.
- Resource-based permissions can include multiple resources.
type: list
elements: str
default: []
required: false
scopes:
description:
- Scope names to attach to this permission.
- Resource-based permissions cannot have scopes attached to them.
type: list
elements: str
default: []
required: false
policies:
description:
- Policy names to attach to this permission.
type: list
elements: str
default: []
required: false
client_id:
description:
- The clientId of the keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Samuli Seppänen (@mattock)
'''
- Samuli Seppänen (@mattock)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage scope-based Keycloak authorization permission
community.general.keycloak_authz_permission:
name: ScopePermission
@ -164,68 +155,68 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the authorization permission after module execution.
returned: on success
type: complex
contains:
id:
description: ID of the authorization permission.
type: str
returned: when O(state=present)
sample: 9da05cd2-b273-4354-bbd8-0c133918a454
name:
description: Name of the authorization permission.
type: str
returned: when O(state=present)
sample: ResourcePermission
description:
description: Description of the authorization permission.
type: str
returned: when O(state=present)
sample: Resource Permission
type:
description: Type of the authorization permission.
type: str
returned: when O(state=present)
sample: resource
decisionStrategy:
description: The decision strategy to use.
type: str
returned: when O(state=present)
sample: UNANIMOUS
logic:
description: The logic used for the permission (part of the payload, but has a fixed value).
type: str
returned: when O(state=present)
sample: POSITIVE
resources:
description: IDs of resources attached to this permission.
type: list
returned: when O(state=present)
sample:
- 49e052ff-100d-4b79-a9dd-52669ed3c11d
scopes:
description: IDs of scopes attached to this permission.
type: list
returned: when O(state=present)
sample:
- 9da05cd2-b273-4354-bbd8-0c133918a454
policies:
description: IDs of policies attached to this permission.
type: list
returned: when O(state=present)
sample:
- 9da05cd2-b273-4354-bbd8-0c133918a454
'''
description: Representation of the authorization permission after module execution.
returned: on success
type: complex
contains:
id:
description: ID of the authorization permission.
type: str
returned: when O(state=present)
sample: 9da05cd2-b273-4354-bbd8-0c133918a454
name:
description: Name of the authorization permission.
type: str
returned: when O(state=present)
sample: ResourcePermission
description:
description: Description of the authorization permission.
type: str
returned: when O(state=present)
sample: Resource Permission
type:
description: Type of the authorization permission.
type: str
returned: when O(state=present)
sample: resource
decisionStrategy:
description: The decision strategy to use.
type: str
returned: when O(state=present)
sample: UNANIMOUS
logic:
description: The logic used for the permission (part of the payload, but has a fixed value).
type: str
returned: when O(state=present)
sample: POSITIVE
resources:
description: IDs of resources attached to this permission.
type: list
returned: when O(state=present)
sample:
- 49e052ff-100d-4b79-a9dd-52669ed3c11d
scopes:
description: IDs of scopes attached to this permission.
type: list
returned: when O(state=present)
sample:
- 9da05cd2-b273-4354-bbd8-0c133918a454
policies:
description: IDs of policies attached to this permission.
type: list
returned: when O(state=present)
sample:
- 9da05cd2-b273-4354-bbd8-0c133918a454
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

149
plugins/modules/keycloak_authz_permission_info.py
View file

@ -9,8 +9,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_permission_info
version_added: 7.2.0
@ -18,52 +17,46 @@ version_added: 7.2.0
short_description: Query Keycloak client authorization permissions information
description:
- This module allows querying information about Keycloak client authorization permissions from the
resources endpoint via the Keycloak REST API. Authorization permissions are only available if a
client has Authorization enabled.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- This module allows querying information about Keycloak client authorization permissions from the resources endpoint using the Keycloak REST
API. Authorization permissions are only available if a client has Authorization enabled.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
action_group:
version_added: 10.2.0
action_group:
version_added: 10.2.0
options:
name:
description:
- Name of the authorization permission to create.
type: str
required: true
client_id:
description:
- The clientId of the keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
name:
description:
- Name of the authorization permission to create.
type: str
required: true
client_id:
description:
- The clientId of the keycloak client that should have the authorization scope.
- This is usually a human-readable name of the Keycloak client.
type: str
required: true
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
type: str
required: true
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.attributes.info_module
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.attributes.info_module
author:
- Samuli Seppänen (@mattock)
'''
- Samuli Seppänen (@mattock)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Query Keycloak authorization permission
community.general.keycloak_authz_permission_info:
name: ScopePermission
@ -73,48 +66,48 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
queried_state:
description: State of the resource (a policy) as seen by Keycloak.
returned: on success
type: complex
contains:
id:
description: ID of the authorization permission.
type: str
sample: 9da05cd2-b273-4354-bbd8-0c133918a454
name:
description: Name of the authorization permission.
type: str
sample: ResourcePermission
description:
description: Description of the authorization permission.
type: str
sample: Resource Permission
type:
description: Type of the authorization permission.
type: str
sample: resource
decisionStrategy:
description: The decision strategy.
type: str
sample: UNANIMOUS
logic:
description: The logic used for the permission (part of the payload, but has a fixed value).
type: str
sample: POSITIVE
config:
description: Configuration of the permission (empty in all observed cases).
type: dict
sample: {}
'''
description: State of the resource (a policy) as seen by Keycloak.
returned: on success
type: complex
contains:
id:
description: ID of the authorization permission.
type: str
sample: 9da05cd2-b273-4354-bbd8-0c133918a454
name:
description: Name of the authorization permission.
type: str
sample: ResourcePermission
description:
description: Description of the authorization permission.
type: str
sample: Resource Permission
type:
description: Type of the authorization permission.
type: str
sample: resource
decisionStrategy:
description: The decision strategy.
type: str
sample: UNANIMOUS
logic:
description: The logic used for the permission (part of the payload, but has a fixed value).
type: str
sample: POSITIVE
config:
description: Configuration of the permission (empty in all observed cases).
type: dict
sample: {}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

1083
plugins/modules/keycloak_client.py
View file

File diff suppressed because it is too large Load diff

260
plugins/modules/keycloak_client_rolemapping.py
View file

@ -8,8 +8,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_client_rolemapping
short_description: Allows administration of Keycloak client_rolemapping with the Keycloak API
@ -17,129 +16,113 @@ short_description: Allows administration of Keycloak client_rolemapping with the
version_added: 3.5.0
description:
- This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
- This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access to the REST API
using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
into the role ID.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the client_rolemapping.
- On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the client_rolemapping will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
state:
description:
- State of the client_rolemapping.
- On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the client_rolemapping will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
realm:
realm:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
group_name:
type: str
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
version_added: "7.1.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
group_name:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
version_added: "7.1.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- >-
Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
type: str
description:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
gid:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
gid:
type: str
description:
- Id of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
client_id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required (can be replaced by cid for less API call).
cid:
type: str
description:
- Id of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the group.
type: list
elements: dict
suboptions:
name:
type: str
description:
- Id of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
client_id:
- Name of the role_representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required (can be replaced by cid for less API call).
cid:
type: str
description:
- Id of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the group.
type: list
elements: dict
suboptions:
name:
type: str
description:
- Name of the role_representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Gaëtan Daubresse (@Gaetan2907)
'''
- Gaëtan Daubresse (@Gaetan2907)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Map a client role to a group, authentication with credentials
community.general.keycloak_client_rolemapping:
realm: MyCustomRealm
@ -209,50 +192,37 @@ EXAMPLES = '''
- name: role_name2
id: role_id2
delegate_to: localhost
"""
'''
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Role role1 assigned to group group1."
description: Message as to what action was taken.
returned: always
type: str
sample: "Role role1 assigned to group group1."
proposed:
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {
clientId: "test"
}
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {clientId: "test"}
existing:
description:
- Representation of existing client role mapping.
- The sample is truncated.
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
description:
- Representation of existing client role mapping.
- The sample is truncated.
returned: always
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description:
- Representation of client role mapping after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
description:
- Representation of client role mapping after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,

168
plugins/modules/keycloak_client_rolescope.py
View file

@ -8,84 +8,74 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_client_rolescope
short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications.
short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications
version_added: 8.6.0
description:
- This module allows you to add or remove Keycloak roles from clients scope via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access to the REST API using
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the role mapping.
- On V(present), all roles in O(role_names) will be mapped if not exists yet.
- On V(absent), all roles mapping in O(role_names) will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
realm:
type: str
description:
- The Keycloak realm under which clients resides.
default: 'master'
client_id:
type: str
required: true
description:
- Roles provided in O(role_names) while be added to this client scope.
client_scope_id:
type: str
description:
- If the O(role_names) are client role, the client ID under which it resides.
- If this parameter is absent, the roles are considered a realm role.
role_names:
required: true
type: list
elements: str
description:
- Names of roles to manipulate.
- If O(client_scope_id) is present, all roles must be under this client.
- If O(client_scope_id) is absent, all roles must be under the realm.
state:
description:
- State of the role mapping.
- On V(present), all roles in O(role_names) will be mapped if not exists yet.
- On V(absent), all roles mapping in O(role_names) will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
realm:
type: str
description:
- The Keycloak realm under which clients resides.
default: 'master'
client_id:
type: str
required: true
description:
- Roles provided in O(role_names) while be added to this client scope.
client_scope_id:
type: str
description:
- If the O(role_names) are client role, the client ID under which it resides.
- If this parameter is absent, the roles are considered a realm role.
role_names:
required: true
type: list
elements: str
description:
- Names of roles to manipulate.
- If O(client_scope_id) is present, all roles must be under this client.
- If O(client_scope_id) is absent, all roles must be under the realm.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Andre Desrosiers (@desand01)
'''
- Andre Desrosiers (@desand01)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Add roles to public client scope
community.general.keycloak_client_rolescope:
auth_keycloak_url: https://auth.example.com/auth
@ -96,8 +86,8 @@ EXAMPLES = '''
client_id: frontend-client-public
client_scope_id: backend-client-private
role_names:
- backend-role-admin
- backend-role-user
- backend-role-admin
- backend-role-user
- name: Remove roles from public client scope
community.general.keycloak_client_rolescope:
@ -109,7 +99,7 @@ EXAMPLES = '''
client_id: frontend-client-public
client_scope_id: backend-client-private
role_names:
- backend-role-admin
- backend-role-admin
state: absent
- name: Add realm roles to public client scope
@ -121,16 +111,16 @@ EXAMPLES = '''
realm: MyCustomRealm
client_id: frontend-client-public
role_names:
- realm-role-admin
- realm-role-user
'''
- realm-role-admin
- realm-role-user
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Client role scope for frontend-client-public has been updated"
description: Message as to what action was taken.
returned: always
type: str
sample: "Client role scope for frontend-client-public has been updated"
end_state:
description: Representation of role role scope after module execution.
@ -138,22 +128,22 @@ end_state:
type: list
elements: dict
sample: [
{
"clientRole": false,
"composite": false,
"containerId": "MyCustomRealm",
"id": "47293104-59a6-46f0-b460-2e9e3c9c424c",
"name": "backend-role-admin"
},
{
"clientRole": false,
"composite": false,
"containerId": "MyCustomRealm",
"id": "39c62a6d-542c-4715-92d2-41021eb33967",
"name": "backend-role-user"
}
{
"clientRole": false,
"composite": false,
"containerId": "MyCustomRealm",
"id": "47293104-59a6-46f0-b460-2e9e3c9c424c",
"name": "backend-role-admin"
},
{
"clientRole": false,
"composite": false,
"containerId": "MyCustomRealm",
"id": "39c62a6d-542c-4715-92d2-41021eb33967",
"name": "backend-role-user"
}
]
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

321
plugins/modules/keycloak_clientscope.py
View file

@ -8,166 +8,151 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientscope
short_description: Allows administration of Keycloak client_scopes via Keycloak API
short_description: Allows administration of Keycloak client_scopes using Keycloak API
version_added: 3.4.0
description:
- This module allows you to add, remove or modify Keycloak client_scopes via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup
to the API to translate the name into the client_scope ID.
- This module allows you to add, remove or modify Keycloak client_scopes using the Keycloak REST API. It requires access to the REST API using OpenID
Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup to the API to translate the
name into the client_scope ID.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the client_scope.
- On V(present), the client_scope will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the client_scope will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
name:
type: str
description:
- Name of the client_scope.
- This parameter is required only when creating or updating the client_scope.
realm:
type: str
description:
- They Keycloak realm under which this client_scope resides.
default: 'master'
id:
type: str
description:
- The unique identifier for this client_scope.
- This parameter is not required for updating or deleting a client_scope but
providing it will reduce the number of API calls required.
state:
description:
type: str
description:
- Description for this client_scope.
- This parameter is not required for updating or deleting a client_scope.
- State of the client_scope.
- On V(present), the client_scope will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the client_scope will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
protocol:
name:
type: str
description:
- Name of the client_scope.
- This parameter is required only when creating or updating the client_scope.
realm:
type: str
description:
- They Keycloak realm under which this client_scope resides.
default: 'master'
id:
type: str
description:
- The unique identifier for this client_scope.
- This parameter is not required for updating or deleting a client_scope but providing it will reduce the number of API calls required.
description:
type: str
description:
- Description for this client_scope.
- This parameter is not required for updating or deleting a client_scope.
protocol:
description:
- Type of client.
- The V(docker-v2) value was added in community.general 8.6.0.
choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2']
type: str
protocol_mappers:
description:
- A list of dicts defining protocol mappers for this client.
- This is C(protocolMappers) in the Keycloak REST API.
aliases:
- protocolMappers
type: list
elements: dict
suboptions:
protocol:
description:
- Type of client.
- The V(docker-v2) value was added in community.general 8.6.0.
- This specifies for which protocol this protocol mapper.
- Is active.
choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2']
type: str
protocol_mappers:
protocolMapper:
description:
- A list of dicts defining protocol mappers for this client.
- This is 'protocolMappers' in the Keycloak REST API.
aliases:
- protocolMappers
type: list
elements: dict
suboptions:
protocol:
description:
- This specifies for which protocol this protocol mapper.
- is active.
choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2']
type: str
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper).
- V(oidc-full-name-mapper).
- V(oidc-group-membership-mapper).
- V(oidc-hardcoded-claim-mapper).
- V(oidc-hardcoded-role-mapper).
- V(oidc-role-name-mapper).
- V(oidc-script-based-protocol-mapper).
- V(oidc-sha256-pairwise-sub-mapper).
- V(oidc-usermodel-attribute-mapper).
- V(oidc-usermodel-client-role-mapper).
- V(oidc-usermodel-property-mapper).
- V(oidc-usermodel-realm-role-mapper).
- V(oidc-usersessionmodel-note-mapper).
- V(saml-group-membership-mapper).
- V(saml-hardcode-attribute-mapper).
- V(saml-hardcode-role-mapper).
- V(saml-role-list-mapper).
- V(saml-role-name-mapper).
- V(saml-user-attribute-mapper).
- V(saml-user-property-mapper).
- V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
and looking under 'protocol-mapper'.
type: str
protocolMapper:
description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
impossible to provide since this may be extended through SPIs by the user of Keycloak,
by default Keycloak as of 3.4 ships with at least:"
- V(docker-v2-allow-all-mapper)
- V(oidc-address-mapper)
- V(oidc-full-name-mapper)
- V(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper)
- V(saml-role-list-mapper)
- V(saml-role-name-mapper)
- V(saml-user-attribute-mapper)
- V(saml-user-property-mapper)
- V(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'.
type: str
name:
description:
- The name of this protocol mapper.
type: str
name:
description:
- The name of this protocol mapper.
type: str
id:
description:
- Usually a UUID specifying the internal ID of this protocol mapper instance.
type: str
id:
description:
- Usually a UUID specifying the internal ID of this protocol mapper instance.
type: str
config:
description:
- Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) return value.
type: dict
attributes:
config:
description:
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
O(protocol_mappers[].protocolMapper)
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
return value.
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the client_scope.
- Values may be single values (for example a string) or a list of strings.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the client_scope.
- Values may be single values (for example a string) or a list of strings.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Gaëtan Daubresse (@Gaetan2907)
'''
- Gaëtan Daubresse (@Gaetan2907)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Keycloak client_scopes, authentication with credentials
community.general.keycloak_clientscope:
name: my-new-kc-clientscope
@ -254,54 +239,42 @@ EXAMPLES = '''
protocol: saml
protocolMapper: saml-role-list-mapper
attributes:
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Client_scope testclientscope has been updated"
description: Message as to what action was taken.
returned: always
type: str
sample: "Client_scope testclientscope has been updated"
proposed:
description: Representation of proposed client scope.
returned: always
type: dict
sample: {
clientId: "test"
}
description: Representation of proposed client scope.
returned: always
type: dict
sample: {clientId: "test"}
existing:
description: Representation of existing client scope (sample is truncated).
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
description: Representation of existing client scope (sample is truncated).
returned: always
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description: Representation of client scope after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
description: Representation of client scope after module execution (sample is truncated).
returned: on success
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included

84
plugins/modules/keycloak_clientscope_type.py
View file

@ -9,29 +9,24 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientscope_type
short_description: Set the type of aclientscope in realm or client via Keycloak API
short_description: Set the type of aclientscope in realm or client using Keycloak API
version_added: 6.6.0
description:
- This module allows you to set the type (optional, default) of clientscopes
via the Keycloak REST API. It requires access to the REST API via OpenID
Connect; the user connecting and the client being used must have the
requisite access rights. In a default Keycloak installation, admin-cli and
an admin user would work, as would a separate client definition with the
scope tailored to your needs and a user having the expected roles.
- This module allows you to set the type (optional, default) of clientscopes using the Keycloak REST API. It requires access to the REST API using
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
realm:
@ -66,9 +61,9 @@ extends_documentation_fragment:
author:
- Simon Pahl (@simonpahl)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Set default client scopes on realm level
community.general.keycloak_clientscope_type:
auth_client_id: admin-cli
@ -91,42 +86,33 @@ EXAMPLES = '''
default_clientscopes: ['profile', 'roles']
optional_clientscopes: ['phone']
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: ""
description: Message as to what action was taken.
returned: always
type: str
sample: ""
proposed:
description: Representation of proposed client-scope types mapping.
returned: always
type: dict
sample: {
default_clientscopes: ["profile", "role"],
optional_clientscopes: []
}
description: Representation of proposed client-scope types mapping.
returned: always
type: dict
sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
existing:
description:
- Representation of client scopes before module execution.
returned: always
type: dict
sample: {
default_clientscopes: ["profile", "role"],
optional_clientscopes: ["phone"]
}
description:
- Representation of client scopes before module execution.
returned: always
type: dict
sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: ["phone"]}
end_state:
description:
- Representation of client scopes after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {
default_clientscopes: ["profile", "role"],
optional_clientscopes: []
}
'''
description:
- Representation of client scopes after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
"""
from ansible.module_utils.basic import AnsibleModule

45
plugins/modules/keycloak_clientsecret_info.py
View file

@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientsecret_info
short_description: Retrieve client secret via Keycloak API
short_description: Retrieve client secret using Keycloak API
version_added: 6.1.0
description:
- This module allows you to get a Keycloak client secret via the Keycloak
REST API. It requires access to the REST API via OpenID Connect; the user
connecting and the client being used must have the requisite access rights.
In a default Keycloak installation, admin-cli and an admin user would work,
as would a separate client definition with the scope tailored to your needs
and a user having the expected roles.
- When retrieving a new client secret, where possible provide the client's
O(id) (not O(client_id)) to the module. This removes a lookup to the API to
translate the O(client_id) into the client ID.
- "Note that this module returns the client secret. To avoid this showing up in the logs,
please add C(no_log: true) to the task."
- This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; the
user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to
the API to translate the O(client_id) into the client ID.
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
attributes:
action_group:
version_added: 10.2.0
@ -46,14 +37,12 @@ options:
id:
description:
- The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but
providing it will reduce the number of API calls required.
- This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
type: str
client_id:
description:
- The O(client_id) of the client. Passing this instead of O(id) results in an
extra API call.
- The O(client_id) of the client. Passing this instead of O(id) results in an extra API call.
aliases:
- clientId
type: str
@ -68,9 +57,9 @@ extends_documentation_fragment:
author:
- Fynn Chen (@fynncfchen)
- John Cant (@johncant)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Get a Keycloak client secret, authentication with credentials
community.general.keycloak_clientsecret_info:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -102,16 +91,16 @@ EXAMPLES = '''
token: TOKEN
delegate_to: localhost
no_log: true
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Textual description of whether we succeeded or failed
description: Textual description of whether we succeeded or failed.
returned: always
type: str
clientsecret_info:
description: Representation of the client secret
description: Representation of the client secret.
returned: on success
type: complex
contains:
@ -125,7 +114,7 @@ clientsecret_info:
type: str
returned: always
sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, KeycloakError, get_token)

44
plugins/modules/keycloak_clientsecret_regenerate.py
View file

@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientsecret_regenerate
short_description: Regenerate Keycloak client secret via Keycloak API
short_description: Regenerate Keycloak client secret using Keycloak API
version_added: 6.1.0
description:
- This module allows you to regenerate a Keycloak client secret via the
Keycloak REST API. It requires access to the REST API via OpenID Connect;
the user connecting and the client being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user
would work, as would a separate client definition with the scope tailored to
your needs and a user having the expected roles.
- When regenerating a client secret, where possible provide the client's id
(not client_id) to the module. This removes a lookup to the API to
translate the client_id into the client ID.
- "Note that this module returns the client secret. To avoid this showing up in the logs,
please add C(no_log: true) to the task."
- This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- When regenerating a client secret, where possible provide the client's id (not client_id) to the module. This removes a lookup to the API
to translate the client_id into the client ID.
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
attributes:
check_mode:
support: full
@ -50,14 +41,12 @@ options:
id:
description:
- The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but
providing it will reduce the number of API calls required.
- This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
type: str
client_id:
description:
- The client_id of the client. Passing this instead of id results in an
extra API call.
- The client_id of the client. Passing this instead of id results in an extra API call.
aliases:
- clientId
type: str
@ -71,9 +60,9 @@ extends_documentation_fragment:
author:
- Fynn Chen (@fynncfchen)
- John Cant (@johncant)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Regenerate a Keycloak client secret, authentication with credentials
community.general.keycloak_clientsecret_regenerate:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -105,16 +94,16 @@ EXAMPLES = '''
token: TOKEN
delegate_to: localhost
no_log: true
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the client credential after module execution
description: Representation of the client credential after module execution.
returned: on success
type: complex
contains:
@ -128,8 +117,7 @@ end_state:
type: str
returned: always
sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, KeycloakError, get_token)

329
plugins/modules/keycloak_clienttemplate.py
View file

@ -8,176 +8,163 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clienttemplate
short_description: Allows administration of Keycloak client templates via Keycloak API
short_description: Allows administration of Keycloak client templates using Keycloak API
description:
- This module allows the administration of Keycloak client templates via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html)
- The Keycloak API does not always enforce for only sensible settings to be used -- you can set
SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
If you do not specify a setting, usually a sensible default is chosen.
- This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to the REST API using OpenID
Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on an OpenID Connect
client for instance and the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the client template.
- On V(present), the client template will be created (or updated if it exists already).
- On V(absent), the client template will be removed if it exists
choices: ['present', 'absent']
default: 'present'
type: str
id:
description:
- Id of client template to be worked on. This is usually a UUID.
type: str
realm:
description:
- Realm this client template is found in.
type: str
default: master
name:
description:
- Name of the client template.
type: str
state:
description:
- State of the client template.
- On V(present), the client template will be created (or updated if it exists already).
- On V(absent), the client template will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
id:
description:
- Id of client template to be worked on. This is usually a UUID.
type: str
realm:
description:
- Realm this client template is found in.
type: str
default: master
name:
description:
- Name of the client template.
type: str
description:
description:
- Description of the client template in Keycloak.
type: str
protocol:
description:
- Type of client template.
- The V(docker-v2) value was added in community.general 8.6.0.
choices: ['openid-connect', 'saml', 'docker-v2']
type: str
full_scope_allowed:
description:
- Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak REST API.
type: bool
protocol_mappers:
description:
- A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST API.
type: list
elements: dict
suboptions:
consentRequired:
description:
- Description of the client template in Keycloak.
- Specifies whether a user needs to provide consent to a client for this mapper to be active.
type: bool
consentText:
description:
- The human-readable name of the consent the user is presented to accept.
type: str
protocol:
id:
description:
- Type of client template.
- The V(docker-v2) value was added in community.general 8.6.0.
- Usually a UUID specifying the internal ID of this protocol mapper instance.
type: str
name:
description:
- The name of this protocol mapper.
type: str
protocol:
description:
- This specifies for which protocol this protocol mapper is active.
choices: ['openid-connect', 'saml', 'docker-v2']
type: str
full_scope_allowed:
protocolMapper:
description:
- Is the "Full Scope Allowed" feature set for this client template or not.
This is 'fullScopeAllowed' in the Keycloak REST API.
type: bool
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper).
- V(oidc-full-name-mapper).
- V(oidc-group-membership-mapper).
- V(oidc-hardcoded-claim-mapper).
- V(oidc-hardcoded-role-mapper).
- V(oidc-role-name-mapper).
- V(oidc-script-based-protocol-mapper).
- V(oidc-sha256-pairwise-sub-mapper).
- V(oidc-usermodel-attribute-mapper).
- V(oidc-usermodel-client-role-mapper).
- V(oidc-usermodel-property-mapper).
- V(oidc-usermodel-realm-role-mapper).
- V(oidc-usersessionmodel-note-mapper).
- V(saml-group-membership-mapper).
- V(saml-hardcode-attribute-mapper).
- V(saml-hardcode-role-mapper).
- V(saml-role-list-mapper).
- V(saml-role-name-mapper).
- V(saml-user-attribute-mapper).
- V(saml-user-property-mapper).
- V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
and looking under 'protocol-mapper'.
type: str
protocol_mappers:
config:
description:
- a list of dicts defining protocol mappers for this client template.
This is 'protocolMappers' in the Keycloak REST API.
type: list
elements: dict
suboptions:
consentRequired:
description:
- Specifies whether a user needs to provide consent to a client for this mapper to be active.
type: bool
consentText:
description:
- The human-readable name of the consent the user is presented to accept.
type: str
id:
description:
- Usually a UUID specifying the internal ID of this protocol mapper instance.
type: str
name:
description:
- The name of this protocol mapper.
type: str
protocol:
description:
- This specifies for which protocol this protocol mapper is active.
choices: ['openid-connect', 'saml', 'docker-v2']
type: str
protocolMapper:
description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
impossible to provide since this may be extended through SPIs by the user of Keycloak,
by default Keycloak as of 3.4 ships with at least:"
- V(docker-v2-allow-all-mapper)
- V(oidc-address-mapper)
- V(oidc-full-name-mapper)
- V(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper)
- V(saml-role-list-mapper)
- V(saml-role-name-mapper)
- V(saml-user-attribute-mapper)
- V(saml-user-property-mapper)
- V(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'.
type: str
config:
description:
- Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) field.
type: dict
attributes:
description:
- A dict of further attributes for this client template. This can contain various
configuration settings, though in the default installation of Keycloak as of 3.4, none
are documented or known, so this is usually empty.
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
O(protocol_mappers[].protocolMapper)
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
field.
type: dict
notes:
- The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled),
C(implicitFlowEnabled), C(directAccessGrantsEnabled), C(serviceAccountsEnabled), C(publicClient), and
C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect on
Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such,
they are not available through this module.
attributes:
description:
- A dict of further attributes for this client template. This can contain various configuration settings, though in the default installation
of Keycloak as of 3.4, none are documented or known, so this is usually empty.
type: dict
notes:
- The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled),
C(directAccessGrantsEnabled),
C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect
on Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, they are not available
through this module.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Eike Frost (@eikef)
'''
- Eike Frost (@eikef)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create or update Keycloak client template (minimal), authentication with credentials
community.general.keycloak_client:
auth_client_id: admin-cli
@ -236,47 +223,33 @@ EXAMPLES = '''
full_scope_allowed: false
id: bce6f5e9-d7d3-4955-817e-c5b7f8d65b3f
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Client template testclient has been updated"
description: Message as to what action was taken.
returned: always
type: str
sample: "Client template testclient has been updated"
proposed:
description: Representation of proposed client template.
returned: always
type: dict
sample: {
name: "test01"
}
description: Representation of proposed client template.
returned: always
type: dict
sample: {name: "test01"}
existing:
description: Representation of existing client template (sample is truncated).
returned: always
type: dict
sample: {
"description": "test01",
"fullScopeAllowed": false,
"id": "9c3712ab-decd-481e-954f-76da7b006e5f",
"name": "test01",
"protocol": "saml"
}
description: Representation of existing client template (sample is truncated).
returned: always
type: dict
sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
end_state:
description: Representation of client template after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"description": "test01",
"fullScopeAllowed": false,
"id": "9c3712ab-decd-481e-954f-76da7b006e5f",
"name": "test01",
"protocol": "saml"
}
'''
description: Representation of client template after module execution (sample is truncated).
returned: on success
type: dict
sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError

183
plugins/modules/keycloak_component.py
View file

@ -8,80 +8,75 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_component
short_description: Allows administration of Keycloak components via Keycloak API
short_description: Allows administration of Keycloak components using Keycloak API
version_added: 10.0.0
description:
- This module allows the administration of Keycloak components via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the realm being
used must have the requisite access rights. In a default Keycloak installation, C(admin-cli)
and an C(admin) user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) and an
C(admin) user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the Keycloak component.
- On V(present), the component will be created (or updated if it exists already).
- On V(absent), the component will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the component to create.
type: str
required: true
parent_id:
description:
- The parent_id of the component. In practice the ID (name) of the realm.
type: str
required: true
provider_id:
description:
- The name of the "provider ID" for the key.
type: str
required: true
provider_type:
description:
- The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider),
V(org.keycloak.userprofile.UserProfileProvider), ...
- See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers).
type: str
required: true
config:
description:
- Configuration properties for the provider.
- Contents vary depending on the provider type.
type: dict
state:
description:
- State of the Keycloak component.
- On V(present), the component will be created (or updated if it exists already).
- On V(absent), the component will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the component to create.
type: str
required: true
parent_id:
description:
- The parent_id of the component. In practice the ID (name) of the realm.
type: str
required: true
provider_id:
description:
- The name of the "provider ID" for the key.
type: str
required: true
provider_type:
description:
- The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.userprofile.UserProfileProvider),
...
- See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers).
type: str
required: true
config:
description:
- Configuration properties for the provider.
- Contents vary depending on the provider type.
type: dict
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Björn Bösel (@fivetide)
'''
- Björn Bösel (@fivetide)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak User Storage Provider
community.general.keycloak_component:
auth_keycloak_url: http://localhost:8080/auth
@ -97,42 +92,42 @@ EXAMPLES = '''
myCustomKey: "my_custom_key"
cachePolicy: "NO_CACHE"
enabled: true
'''
"""
RETURN = '''
RETURN = r"""
end_state:
description: Representation of the keycloak_component after module execution.
returned: on success
type: dict
contains:
id:
description: ID of the component.
type: str
returned: when O(state=present)
sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
name:
description: Name of the component.
type: str
returned: when O(state=present)
sample: mykey
parentId:
description: ID of the realm this key belongs to.
type: str
returned: when O(state=present)
sample: myrealm
providerId:
description: The ID of the key provider.
type: str
returned: when O(state=present)
sample: rsa
providerType:
description: The type of provider.
type: str
returned: when O(state=present)
config:
description: component configuration.
type: dict
'''
description: Representation of the keycloak_component after module execution.
returned: on success
type: dict
contains:
id:
description: ID of the component.
type: str
returned: when O(state=present)
sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
name:
description: Name of the component.
type: str
returned: when O(state=present)
sample: mykey
parentId:
description: ID of the realm this key belongs to.
type: str
returned: when O(state=present)
sample: myrealm
providerId:
description: The ID of the key provider.
type: str
returned: when O(state=present)
sample: rsa
providerType:
description: The type of provider.
type: str
returned: when O(state=present)
config:
description: Component configuration.
type: dict
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError

144
plugins/modules/keycloak_component_info.py
View file

@ -8,106 +8,100 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_component_info
short_description: Retrive component info in Keycloak
short_description: Retrieve component info in Keycloak
version_added: 8.2.0
description:
- This module retrive information on component from Keycloak.
- This module retrieve information on component from Keycloak.
attributes:
action_group:
version_added: 10.2.0
action_group:
version_added: 10.2.0
options:
realm:
description:
- The name of the realm.
required: true
type: str
name:
description:
- Name of the Component.
type: str
provider_type:
description:
- Provider type of components.
- "Example:
V(org.keycloak.storage.UserStorageProvider),
V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy),
V(org.keycloak.keys.KeyProvider),
V(org.keycloak.userprofile.UserProfileProvider),
V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper)."
type: str
parent_id:
description:
- Container ID of the components.
type: str
realm:
description:
- The name of the realm.
required: true
type: str
name:
description:
- Name of the Component.
type: str
provider_type:
description:
- Provider type of components.
- 'Examples: V(org.keycloak.storage.UserStorageProvider),
V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), V(org.keycloak.keys.KeyProvider),
V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).'
type: str
parent_id:
description:
- Container ID of the components.
type: str
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.attributes.info_module
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.attributes.info_module
author:
- Andre Desrosiers (@desand01)
'''
- Andre Desrosiers (@desand01)
"""
EXAMPLES = '''
- name: Retrive info of a UserStorageProvider named myldap
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
name: myldap
provider_type: org.keycloak.storage.UserStorageProvider
EXAMPLES = r"""
- name: Retrive info of a UserStorageProvider named myldap
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
name: myldap
provider_type: org.keycloak.storage.UserStorageProvider
- name: Retrive key info component
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
name: rsa-enc-generated
provider_type: org.keycloak.keys.KeyProvider
- name: Retrive key info component
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
name: rsa-enc-generated
provider_type: org.keycloak.keys.KeyProvider
- name: Retrive all component from realm master
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
- name: Retrive all component from realm master
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
- name: Retrive all sub components of parent component filter by type
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2"
provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- name: Retrive all sub components of parent component filter by type
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
auth_sername: admin
auth_password: password
auth_realm: master
realm: myrealm
parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2"
provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
"""
'''
RETURN = '''
RETURN = r"""
components:
description: JSON representation of components.
returned: always
type: list
elements: dict
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

303
plugins/modules/keycloak_group.py
View file

@ -8,122 +8,102 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_group
short_description: Allows administration of Keycloak groups via Keycloak API
short_description: Allows administration of Keycloak groups using Keycloak API
description:
- This module allows you to add, remove or modify Keycloak groups via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a group, where possible provide the group ID to the module. This removes a lookup
to the API to translate the name into the group ID.
- This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate the name into the
group ID.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the group.
- On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide.
- >-
On V(absent), the group will be removed if it exists. Be aware that absenting
a group with subgroups will automatically delete all its subgroups too.
default: 'present'
type: str
choices:
- present
- absent
state:
description:
- State of the group.
- On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the group will be removed if it exists. Be aware that absenting a group with subgroups will automatically delete all its
subgroups too.
default: 'present'
type: str
choices:
- present
- absent
name:
name:
type: str
description:
- Name of the group.
- This parameter is required only when creating or updating the group.
realm:
type: str
description:
- They Keycloak realm under which this group resides.
default: 'master'
id:
type: str
description:
- The unique identifier for this group.
- This parameter is not required for updating or deleting a group but providing it will reduce the number of API calls required.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the group.
- Values may be single values (for example a string) or a list of strings.
parents:
version_added: "6.4.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup by name.
- Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly queried without necessarily
knowing its parent(s).
elements: dict
suboptions:
id:
type: str
description:
- Name of the group.
- This parameter is required only when creating or updating the group.
realm:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str
description:
- They Keycloak realm under which this group resides.
default: 'master'
id:
type: str
description:
- The unique identifier for this group.
- This parameter is not required for updating or deleting a group but
providing it will reduce the number of API calls required.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the group.
- Values may be single values (e.g. a string) or a list of strings.
parents:
version_added: "6.4.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- >-
Set this to create a group as a subgroup of another group or groups (parents) or
when accessing an existing subgroup by name.
- >-
Not necessary to set when accessing an existing subgroup by its C(ID) because in
that case the group can be directly queried without necessarily knowing its parent(s).
elements: dict
suboptions:
id:
type: str
description:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
notes:
- Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API
are read-only for groups. This limitation will be removed in a later version of this module.
- Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API are read-only
for groups. This limitation will be removed in a later version of this module.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Adam Goossens (@adamgoossens)
'''
- Adam Goossens (@adamgoossens)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Keycloak group, authentication with credentials
community.general.keycloak_group:
name: my-new-kc-group
@ -191,14 +171,14 @@ EXAMPLES = '''
auth_password: PASSWORD
name: my-new_group
attributes:
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
delegate_to: localhost
- name: Create a Keycloak subgroup of a base group (using parent name)
@ -258,64 +238,63 @@ EXAMPLES = '''
parents:
- id: "{{ result_new_kcgrp_sub.end_state.id }}"
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the group after module execution (sample is truncated).
returned: on success
type: complex
contains:
id:
description: GUID that identifies the group.
type: str
returned: always
sample: 23f38145-3195-462c-97e7-97041ccea73e
name:
description: Name of the group.
type: str
returned: always
sample: grp-test-123
attributes:
description: Attributes applied to this group.
type: dict
returned: always
sample:
attr1: ["val1", "val2", "val3"]
path:
description: URI path to the group.
type: str
returned: always
sample: /grp-test-123
realmRoles:
description: An array of the realm-level roles granted to this group.
type: list
returned: always
sample: []
subGroups:
description: A list of groups that are children of this group. These groups will have the same parameters as
documented here.
type: list
returned: always
clientRoles:
description: A list of client-level roles granted to this group.
type: list
returned: always
sample: []
access:
description: A dict describing the accesses you have to this group based on the credentials used.
type: dict
returned: always
sample:
manage: true
manageMembership: true
view: true
'''
description: Representation of the group after module execution (sample is truncated).
returned: on success
type: complex
contains:
id:
description: GUID that identifies the group.
type: str
returned: always
sample: 23f38145-3195-462c-97e7-97041ccea73e
name:
description: Name of the group.
type: str
returned: always
sample: grp-test-123
attributes:
description: Attributes applied to this group.
type: dict
returned: always
sample:
attr1: ["val1", "val2", "val3"]
path:
description: URI path to the group.
type: str
returned: always
sample: /grp-test-123
realmRoles:
description: An array of the realm-level roles granted to this group.
type: list
returned: always
sample: []
subGroups:
description: A list of groups that are children of this group. These groups will have the same parameters as documented here.
type: list
returned: always
clientRoles:
description: A list of client-level roles granted to this group.
type: list
returned: always
sample: []
access:
description: A dict describing the accesses you have to this group based on the credentials used.
type: dict
returned: always
sample:
manage: true
manageMembership: true
view: true
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
@ -372,7 +351,7 @@ def main():
parents = module.params.get('parents')
# attributes in Keycloak have their values returned as lists
# via the API. attributes is a dict, so we'll transparently convert
# using the API. attributes is a dict, so we'll transparently convert
# the values to lists.
if attributes is not None:
for key, val in module.params['attributes'].items():

489
plugins/modules/keycloak_identity_provider.py
View file

@ -8,285 +8,280 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_identity_provider
short_description: Allows administration of Keycloak identity providers via Keycloak API
short_description: Allows administration of Keycloak identity providers using Keycloak API
version_added: 3.6.0
description:
- This module allows you to add, remove or modify Keycloak identity providers via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
- This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access to the REST API
using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the identity provider.
- On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the identity provider will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
state:
description:
- State of the identity provider.
- On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the identity provider will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
realm:
description:
- The Keycloak realm under which this identity provider resides.
default: 'master'
type: str
realm:
description:
- The Keycloak realm under which this identity provider resides.
default: 'master'
type: str
alias:
description:
- The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
required: true
type: str
alias:
description:
- The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
required: true
type: str
display_name:
display_name:
description:
- Friendly name for identity provider.
aliases:
- displayName
type: str
enabled:
description:
- Enable/disable this identity provider.
type: bool
store_token:
description:
- Enable/disable whether tokens must be stored after authenticating users.
aliases:
- storeToken
type: bool
add_read_token_role_on_create:
description:
- Enable/disable whether new users can read any stored tokens. This assigns the C(broker.read-token) role.
aliases:
- addReadTokenRoleOnCreate
type: bool
trust_email:
description:
- If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
aliases:
- trustEmail
type: bool
link_only:
description:
- If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login
from the provider, but want to integrate with a provider.
aliases:
- linkOnly
type: bool
first_broker_login_flow_alias:
description:
- Alias of authentication flow, which is triggered after first login with this identity provider.
aliases:
- firstBrokerLoginFlowAlias
type: str
post_broker_login_flow_alias:
description:
- Alias of authentication flow, which is triggered after each login with this identity provider.
aliases:
- postBrokerLoginFlowAlias
type: str
authenticate_by_default:
description:
- Specifies if this identity provider should be used by default for authentication even before displaying login screen.
aliases:
- authenticateByDefault
type: bool
provider_id:
description:
- Protocol used by this provider (supported values are V(oidc) or V(saml)).
aliases:
- providerId
type: str
config:
description:
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are
given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing identity provider configuration
through check-mode in the RV(existing) field.
type: dict
suboptions:
hide_on_login_page:
description:
- Friendly name for identity provider.
- If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint) parameter.
aliases:
- displayName
type: str
enabled:
description:
- Enable/disable this identity provider.
- hideOnLoginPage
type: bool
store_token:
gui_order:
description:
- Enable/disable whether tokens must be stored after authenticating users.
- Number defining order of the provider in GUI (for example, on Login page).
aliases:
- storeToken
type: bool
- guiOrder
type: int
add_read_token_role_on_create:
sync_mode:
description:
- Enable/disable whether new users can read any stored tokens. This assigns the C(broker.read-token) role.
- Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers.
aliases:
- addReadTokenRoleOnCreate
type: bool
trust_email:
description:
- If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
aliases:
- trustEmail
type: bool
link_only:
description:
- If true, users cannot log in through this provider. They can only link to this provider.
This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
aliases:
- linkOnly
type: bool
first_broker_login_flow_alias:
description:
- Alias of authentication flow, which is triggered after first login with this identity provider.
aliases:
- firstBrokerLoginFlowAlias
- syncMode
type: str
post_broker_login_flow_alias:
issuer:
description:
- Alias of authentication flow, which is triggered after each login with this identity provider.
aliases:
- postBrokerLoginFlowAlias
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
type: str
authenticate_by_default:
authorizationUrl:
description:
- Specifies if this identity provider should be used by default for authentication even before displaying login screen.
aliases:
- authenticateByDefault
- The Authorization URL.
type: str
tokenUrl:
description:
- The Token URL.
type: str
logoutUrl:
description:
- End session endpoint to use to logout user from external IDP.
type: str
userInfoUrl:
description:
- The User Info URL.
type: str
clientAuthMethod:
description:
- The client authentication method.
type: str
clientId:
description:
- The client or client identifier registered within the identity provider.
type: str
clientSecret:
description:
- The client or client secret registered within the identity provider.
type: str
defaultScope:
description:
- The scopes to be sent when asking for authorization.
type: str
validateSignature:
description:
- Enable/disable signature validation of external IDP signatures.
type: bool
provider_id:
useJwksUrl:
description:
- Protocol used by this provider (supported values are V(oidc) or V(saml)).
aliases:
- providerId
- If the switch is on, identity provider public keys will be downloaded from given JWKS URL.
type: bool
jwksUrl:
description:
- URL where identity provider keys in JWK format are stored. See JWK specification for more details.
type: str
config:
entityId:
description:
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id).
Examples are given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing
identity provider configuration through check-mode in the RV(existing) field.
- The Entity ID that will be used to uniquely identify this SAML Service Provider.
type: str
singleSignOnServiceUrl:
description:
- The URL that must be used to send authentication requests (SAML AuthnRequest).
type: str
singleLogoutServiceUrl:
description:
- The URL that must be used to send logout requests.
type: str
backchannelSupported:
description:
- Does the external IDP support backchannel logout?
type: str
nameIDPolicyFormat:
description:
- Specifies the URI reference corresponding to a name identifier format.
type: str
principalType:
description:
- Way to identify and track external users from the assertion.
type: str
mappers:
description:
- A list of dicts defining mappers associated with this Identity Provider.
type: list
elements: dict
suboptions:
id:
description:
- Unique ID of this mapper.
type: str
name:
description:
- Name of the mapper.
type: str
identityProviderAlias:
description:
- Alias of the identity provider for this mapper.
type: str
identityProviderMapper:
description:
- Type of mapper.
type: str
config:
description:
- Dict specifying the configuration options for the mapper; the contents differ depending on the value of O(mappers[].identityProviderMapper).
type: dict
suboptions:
hide_on_login_page:
description:
- If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint) parameter.
aliases:
- hideOnLoginPage
type: bool
gui_order:
description:
- Number defining order of the provider in GUI (for example, on Login page).
aliases:
- guiOrder
type: int
sync_mode:
description:
- Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers.
aliases:
- syncMode
type: str
issuer:
description:
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
type: str
authorizationUrl:
description:
- The Authorization URL.
type: str
tokenUrl:
description:
- The Token URL.
type: str
logoutUrl:
description:
- End session endpoint to use to logout user from external IDP.
type: str
userInfoUrl:
description:
- The User Info URL.
type: str
clientAuthMethod:
description:
- The client authentication method.
type: str
clientId:
description:
- The client or client identifier registered within the identity provider.
type: str
clientSecret:
description:
- The client or client secret registered within the identity provider.
type: str
defaultScope:
description:
- The scopes to be sent when asking for authorization.
type: str
validateSignature:
description:
- Enable/disable signature validation of external IDP signatures.
type: bool
useJwksUrl:
description:
- If the switch is on, identity provider public keys will be downloaded from given JWKS URL.
type: bool
jwksUrl:
description:
- URL where identity provider keys in JWK format are stored. See JWK specification for more details.
type: str
entityId:
description:
- The Entity ID that will be used to uniquely identify this SAML Service Provider.
type: str
singleSignOnServiceUrl:
description:
- The URL that must be used to send authentication requests (SAML AuthnRequest).
type: str
singleLogoutServiceUrl:
description:
- The URL that must be used to send logout requests.
type: str
backchannelSupported:
description:
- Does the external IDP support backchannel logout?
type: str
nameIDPolicyFormat:
description:
- Specifies the URI reference corresponding to a name identifier format.
type: str
principalType:
description:
- Way to identify and track external users from the assertion.
type: str
mappers:
description:
- A list of dicts defining mappers associated with this Identity Provider.
type: list
elements: dict
suboptions:
id:
description:
- Unique ID of this mapper.
type: str
name:
description:
- Name of the mapper.
type: str
identityProviderAlias:
description:
- Alias of the identity provider for this mapper.
type: str
identityProviderMapper:
description:
- Type of mapper.
type: str
config:
description:
- Dict specifying the configuration options for the mapper; the contents differ depending on the value of
O(mappers[].identityProviderMapper).
type: dict
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Laurent Paumier (@laurpaum)
'''
- Laurent Paumier (@laurpaum)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create OIDC identity provider, authentication with credentials
community.general.keycloak_identity_provider:
state: present
@ -347,14 +342,14 @@ EXAMPLES = '''
attribute.friendly.name: User Roles
attribute.name: roles
syncMode: INHERIT
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Identity provider my-idp has been created"
description: Message as to what action was taken.
returned: always
type: str
sample: "Identity provider my-idp has been created"
proposed:
description: Representation of proposed identity provider.
@ -428,7 +423,7 @@ end_state:
"storeToken": false,
"trustEmail": false,
}
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError

1048
plugins/modules/keycloak_realm.py
View file

File diff suppressed because it is too large Load diff

135
plugins/modules/keycloak_realm_info.py
View file

@ -8,98 +8,93 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_realm_info
short_description: Allows obtaining Keycloak realm public information via Keycloak API
short_description: Allows obtaining Keycloak realm public information using Keycloak API
version_added: 4.3.0
description:
- This module allows you to get Keycloak realm public information via the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- This module allows you to get Keycloak realm public information using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
extends_documentation_fragment:
- community.general.attributes
- community.general.attributes.info_module
- community.general.attributes
- community.general.attributes.info_module
options:
auth_keycloak_url:
description:
- URL to the Keycloak instance.
type: str
required: true
aliases:
- url
validate_certs:
description:
- Verify TLS certificates (do not disable this in production).
type: bool
default: true
auth_keycloak_url:
description:
- URL to the Keycloak instance.
type: str
required: true
aliases:
- url
validate_certs:
description:
- Verify TLS certificates (do not disable this in production).
type: bool
default: true
realm:
type: str
description:
- They Keycloak realm ID.
default: 'master'
realm:
type: str
description:
- They Keycloak realm ID.
default: 'master'
author:
- Fynn Chen (@fynncfchen)
'''
- Fynn Chen (@fynncfchen)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Get a Keycloak public key
community.general.keycloak_realm_info:
realm: MyCustomRealm
auth_keycloak_url: https://auth.example.com/auth
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
realm_info:
description:
- Representation of the realm public information.
returned: always
type: dict
contains:
realm:
description: Realm ID.
type: str
returned: always
sample: MyRealm
public_key:
description: Public key of the realm.
type: str
returned: always
sample: MIIBIjANBgkqhkiG9w0BAQEFAAO...
token-service:
description: Token endpoint URL.
type: str
returned: always
sample: https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect
account-service:
description: Account console URL.
type: str
returned: always
sample: https://auth.example.com/auth/realms/MyRealm/account
tokens-not-before:
description: The token not before.
type: int
returned: always
sample: 0
'''
description:
- Representation of the realm public information.
returned: always
type: dict
contains:
realm:
description: Realm ID.
type: str
returned: always
sample: MyRealm
public_key:
description: Public key of the realm.
type: str
returned: always
sample: MIIBIjANBgkqhkiG9w0BAQEFAAO...
token-service:
description: Token endpoint URL.
type: str
returned: always
sample: https://auth.example.com/auth/realms/MyRealm/protocol/openid-connect
account-service:
description: Account console URL.
type: str
returned: always
sample: https://auth.example.com/auth/realms/MyRealm/account
tokens-not-before:
description: The token not before.
type: int
returned: always
sample: 0
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI
from ansible.module_utils.basic import AnsibleModule

297
plugins/modules/keycloak_realm_key.py
View file

@ -9,145 +9,123 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_realm_key
short_description: Allows administration of Keycloak realm keys via Keycloak API
short_description: Allows administration of Keycloak realm keys using Keycloak API
version_added: 7.5.0
description:
- This module allows the administration of Keycloak realm keys via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the realm being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- This module is unable to detect changes to the actual cryptographic key after importing it.
However, if some other property is changed alongside the cryptographic key, then the key
will also get changed as a side-effect, as the JSON payload needs to include the private key.
This can be considered either a bug or a feature, as the alternative would be to always
update the realm key whether it has changed or not.
- If certificate is not explicitly provided it will be dynamically created by Keycloak.
Therefore comparing the current state of the certificate to the desired state (which may be
empty) is not possible.
- This module allows the administration of Keycloak realm keys using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property is changed alongside
the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs to include the private key. This can
be considered either a bug or a feature, as the alternative would be to always update the realm key whether it has changed or not.
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
to the desired state (which may be empty) is not possible.
attributes:
check_mode:
support: full
diff_mode:
support: partial
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: partial
action_group:
version_added: 10.2.0
options:
state:
state:
description:
- State of the keycloak realm key.
- On V(present), the realm key will be created (or updated if it exists already).
- On V(absent), the realm key will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the realm key to create.
type: str
required: true
force:
description:
- Enforce the state of the private key and certificate. This is not automatically the case as this module is unable to determine the current
state of the private key and thus cannot trigger an update based on an actual divergence. That said, a private key update may happen even
if force is false as a side-effect of other changes.
default: false
type: bool
parent_id:
description:
- The parent_id of the realm key. In practice the name of the realm.
type: str
required: true
provider_id:
description:
- The name of the "provider ID" for the key.
- The value V(rsa-enc) has been added in community.general 8.2.0.
choices: ['rsa', 'rsa-enc']
default: 'rsa'
type: str
config:
description:
- Dict specifying the key and its properties.
type: dict
suboptions:
active:
description:
- State of the keycloak realm key.
- On V(present), the realm key will be created (or updated if it exists already).
- On V(absent), the realm key will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
name:
description:
- Name of the realm key to create.
type: str
required: true
force:
description:
- Enforce the state of the private key and certificate. This is not automatically the
case as this module is unable to determine the current state of the private key and
thus cannot trigger an update based on an actual divergence. That said, a private key
update may happen even if force is false as a side-effect of other changes.
default: false
- Whether they key is active or inactive. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
default: true
type: bool
parent_id:
enabled:
description:
- The parent_id of the realm key. In practice the name of the realm.
type: str
- Whether the key is enabled or disabled. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
default: true
type: bool
priority:
description:
- The priority of the key.
type: int
required: true
provider_id:
algorithm:
description:
- The name of the "provider ID" for the key.
- The value V(rsa-enc) has been added in community.general 8.2.0.
choices: ['rsa', 'rsa-enc']
default: 'rsa'
- Key algorithm.
- The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general
8.2.0.
default: RS256
choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256']
type: str
config:
private_key:
description:
- Dict specifying the key and its properties.
type: dict
suboptions:
active:
description:
- Whether they key is active or inactive. Not to be confused with the state
of the Ansible resource managed by the O(state) parameter.
default: true
type: bool
enabled:
description:
- Whether the key is enabled or disabled. Not to be confused with the state
of the Ansible resource managed by the O(state) parameter.
default: true
type: bool
priority:
description:
- The priority of the key.
type: int
required: true
algorithm:
description:
- Key algorithm.
- The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5),
V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general 8.2.0.
default: RS256
choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256']
type: str
private_key:
description:
- The private key as an ASCII string. Contents of the key must match O(config.algorithm)
and O(provider_id).
- Please note that the module cannot detect whether the private key specified differs from the
current state's private key. Use O(force=true) to force the module to update the private key
if you expect it to be updated.
required: true
type: str
certificate:
description:
- A certificate signed with the private key as an ASCII string. Contents of the
key must match O(config.algorithm) and O(provider_id).
- If you want Keycloak to automatically generate a certificate using your private key
then set this to an empty string.
required: true
type: str
- The private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
- Please note that the module cannot detect whether the private key specified differs from the current state's private key. Use O(force=true)
to force the module to update the private key if you expect it to be updated.
required: true
type: str
certificate:
description:
- A certificate signed with the private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
- If you want Keycloak to automatically generate a certificate using your private key then set this to an empty string.
required: true
type: str
notes:
- Current value of the private key cannot be fetched from Keycloak.
Therefore comparing its desired state to the current state is not
possible.
- If certificate is not explicitly provided it will be dynamically created
by Keycloak. Therefore comparing the current state of the certificate to
the desired state (which may be empty) is not possible.
- Due to the private key and certificate options the module is
B(not fully idempotent). You can use O(force=true) to force the module
to always update if you know that the private key might have changed.
- Current value of the private key cannot be fetched from Keycloak. Therefore comparing its desired state to the current state is not possible.
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
to the desired state (which may be empty) is not possible.
- Due to the private key and certificate options the module is B(not fully idempotent). You can use O(force=true) to force the module to always
update if you know that the private key might have changed.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Samuli Seppänen (@mattock)
'''
- Samuli Seppänen (@mattock)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak realm key (certificate autogenerated by Keycloak)
community.general.keycloak_realm_key:
name: custom
@ -182,54 +160,49 @@ EXAMPLES = '''
active: true
priority: 120
algorithm: RS256
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the keycloak_realm_key after module execution.
returned: on success
type: dict
contains:
id:
description: ID of the realm key.
type: str
returned: when O(state=present)
sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
name:
description: Name of the realm key.
type: str
returned: when O(state=present)
sample: mykey
parentId:
description: ID of the realm this key belongs to.
type: str
returned: when O(state=present)
sample: myrealm
providerId:
description: The ID of the key provider.
type: str
returned: when O(state=present)
sample: rsa
providerType:
description: The type of provider.
type: str
returned: when O(state=present)
config:
description: Realm key configuration.
type: dict
returned: when O(state=present)
sample: {
"active": ["true"],
"algorithm": ["RS256"],
"enabled": ["true"],
"priority": ["140"]
}
'''
description: Representation of the keycloak_realm_key after module execution.
returned: on success
type: dict
contains:
id:
description: ID of the realm key.
type: str
returned: when O(state=present)
sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
name:
description: Name of the realm key.
type: str
returned: when O(state=present)
sample: mykey
parentId:
description: ID of the realm this key belongs to.
type: str
returned: when O(state=present)
sample: myrealm
providerId:
description: The ID of the key provider.
type: str
returned: when O(state=present)
sample: rsa
providerType:
description: The type of provider.
type: str
returned: when O(state=present)
config:
description: Realm key configuration.
type: dict
returned: when O(state=present)
sample: {"active": ["true"], "algorithm": ["RS256"], "enabled": ["true"], "priority": ["140"]}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError

77
plugins/modules/keycloak_realm_keys_metadata_info.py
View file

@ -9,42 +9,39 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = """
---
DOCUMENTATION = r"""
module: keycloak_realm_keys_metadata_info
short_description: Allows obtaining Keycloak realm keys metadata via Keycloak API
short_description: Allows obtaining Keycloak realm keys metadata using Keycloak API
version_added: 9.3.0
description:
- This module allows you to get Keycloak realm keys metadata via the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
- This module allows you to get Keycloak realm keys metadata using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
attributes:
action_group:
version_added: 10.2.0
action_group:
version_added: 10.2.0
options:
realm:
type: str
description:
- They Keycloak realm to fetch keys metadata.
default: 'master'
realm:
type: str
description:
- They Keycloak realm to fetch keys metadata.
default: 'master'
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.attributes.info_module
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.attributes.info_module
author:
- Thomas Bach (@thomasbach-dev)
- Thomas Bach (@thomasbach-dev)
"""
EXAMPLES = """
EXAMPLES = r"""
- name: Fetch Keys metadata
community.general.keycloak_realm_keys_metadata_info:
auth_keycloak_url: https://auth.example.com/auth
@ -67,30 +64,28 @@ EXAMPLES = """
delegate_to: localhost
"""
RETURN = """
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
description: Message as to what action was taken.
returned: always
type: str
keys_metadata:
description:
description:
- Representation of the realm keys metadata (see
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)).
returned: always
type: dict
contains:
active:
description: A mapping (that is, a dict) from key algorithms to UUIDs.
type: dict
returned: always
keys:
description: A list of dicts providing detailed information on the keys.
type: list
elements: dict
returned: always
- Representation of the realm keys metadata (see U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)).
returned: always
type: dict
contains:
active:
description: A mapping (that is, a dict) from key algorithms to UUIDs.
type: dict
returned: always
keys:
description: A list of dicts providing detailed information on the keys.
type: list
elements: dict
returned: always
"""
from ansible.module_utils.basic import AnsibleModule

242
plugins/modules/keycloak_realm_rolemapping.py
View file

@ -8,8 +8,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_realm_rolemapping
short_description: Allows administration of Keycloak realm role mappings into groups with the Keycloak API
@ -17,119 +16,104 @@ short_description: Allows administration of Keycloak realm role mappings into gr
version_added: 8.2.0
description:
- This module allows you to add, remove or modify Keycloak realm role
mappings into groups with the Keycloak REST API. It requires access to the
REST API via OpenID Connect; the user connecting and the client being used
must have the requisite access rights. In a default Keycloak installation,
admin-cli and an admin user would work, as would a separate client
definition with the scope tailored to your needs and a user having the
expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
- This module allows you to add, remove or modify Keycloak realm role mappings into groups with the Keycloak REST API. It requires access to
the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak
installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user
having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
into the role ID.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the realm_rolemapping.
- On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On C(absent), the realm_rolemapping will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
state:
description:
- State of the realm_rolemapping.
- On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On C(absent), the realm_rolemapping will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
realm:
realm:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
group_name:
type: str
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
group_name:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- >-
Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
type: str
description:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
gid:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
gid:
type: str
description:
- ID of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the group.
type: list
elements: dict
suboptions:
name:
type: str
description:
- ID of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
roles:
- Name of the role_representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- Roles to be mapped to the group.
type: list
elements: dict
suboptions:
name:
type: str
description:
- Name of the role_representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Gaëtan Daubresse (@Gaetan2907)
- Marius Huysamen (@mhuysamen)
- Alexander Groß (@agross)
'''
- Gaëtan Daubresse (@Gaetan2907)
- Marius Huysamen (@mhuysamen)
- Alexander Groß (@agross)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Map a client role to a group, authentication with credentials
community.general.keycloak_realm_rolemapping:
realm: MyCustomRealm
@ -195,49 +179,37 @@ EXAMPLES = '''
- name: role_name2
id: role_id2
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Role role1 assigned to group group1."
description: Message as to what action was taken.
returned: always
type: str
sample: "Role role1 assigned to group group1."
proposed:
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {
clientId: "test"
}
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {clientId: "test"}
existing:
description:
- Representation of existing client role mapping.
- The sample is truncated.
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
description:
- Representation of existing client role mapping.
- The sample is truncated.
returned: always
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description:
- Representation of client role mapping after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
description:
- Representation of client role mapping after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,

260
plugins/modules/keycloak_role.py
View file

@ -8,124 +8,114 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_role
short_description: Allows administration of Keycloak roles via Keycloak API
short_description: Allows administration of Keycloak roles using Keycloak API
version_added: 3.4.0
description:
- This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- This module allows you to add, remove or modify Keycloak roles using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the role.
- On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the role will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
state:
description:
- State of the role.
- On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the role will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
name:
name:
type: str
required: true
description:
- Name of the role.
- This parameter is required.
description:
type: str
description:
- The role description.
realm:
type: str
description:
- The Keycloak realm under which this role resides.
default: 'master'
client_id:
type: str
description:
- If the role is a client role, the client id under which it resides.
- If this parameter is absent, the role is considered a realm role.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the role.
- Values may be single values (for example a string) or a list of strings.
composite:
description:
- If V(true), the role is a composition of other realm and/or client role.
default: false
type: bool
version_added: 7.1.0
composites:
description:
- List of roles to include to the composite realm role.
- If the composite role is a client role, the C(clientId) (not ID of the client) must be specified.
default: []
type: list
elements: dict
version_added: 7.1.0
suboptions:
name:
description:
- Name of the role. This can be the name of a REALM role or a client role.
type: str
required: true
client_id:
description:
- Name of the role.
- This parameter is required.
description:
- Client ID if the role is a client role. Do not include this option for a REALM role.
- Use the client ID you can see in the Keycloak console, not the technical ID of the client.
type: str
required: false
aliases:
- clientId
state:
description:
- The role description.
realm:
- Create the composite if present, remove it if absent.
type: str
description:
- The Keycloak realm under which this role resides.
default: 'master'
client_id:
type: str
description:
- If the role is a client role, the client id under which it resides.
- If this parameter is absent, the role is considered a realm role.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the role.
- Values may be single values (e.g. a string) or a list of strings.
composite:
description:
- If V(true), the role is a composition of other realm and/or client role.
default: false
type: bool
version_added: 7.1.0
composites:
description:
- List of roles to include to the composite realm role.
- If the composite role is a client role, the C(clientId) (not ID of the client) must be specified.
default: []
type: list
elements: dict
version_added: 7.1.0
suboptions:
name:
description:
- Name of the role. This can be the name of a REALM role or a client role.
type: str
required: true
client_id:
description:
- Client ID if the role is a client role. Do not include this option for a REALM role.
- Use the client ID you can see in the Keycloak console, not the technical ID of the client.
type: str
required: false
aliases:
- clientId
state:
description:
- Create the composite if present, remove it if absent.
type: str
choices:
- present
- absent
default: present
choices:
- present
- absent
default: present
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Laurent Paumier (@laurpaum)
'''
- Laurent Paumier (@laurpaum)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Keycloak realm role, authentication with credentials
community.general.keycloak_role:
name: my-new-kc-role
@ -181,60 +171,44 @@ EXAMPLES = '''
auth_password: PASSWORD
name: my-new-role
attributes:
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Role myrole has been updated"
description: Message as to what action was taken.
returned: always
type: str
sample: "Role myrole has been updated"
proposed:
description: Representation of proposed role.
returned: always
type: dict
sample: {
"description": "My updated test description"
}
description: Representation of proposed role.
returned: always
type: dict
sample: {"description": "My updated test description"}
existing:
description: Representation of existing role.
returned: always
type: dict
sample: {
"attributes": {},
"clientRole": true,
"composite": false,
"containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
"description": "My client test role",
"id": "561703dd-0f38-45ff-9a5a-0c978f794547",
"name": "myrole"
}
description: Representation of existing role.
returned: always
type: dict
sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
end_state:
description: Representation of role after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"attributes": {},
"clientRole": true,
"composite": false,
"containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
"description": "My updated client test role",
"id": "561703dd-0f38-45ff-9a5a-0c978f794547",
"name": "myrole"
}
'''
description: Representation of role after module execution (sample is truncated).
returned: on success
type: dict
sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
updated client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included
@ -290,7 +264,7 @@ def main():
state = module.params.get('state')
# attributes in Keycloak have their values returned as lists
# via the API. attributes is a dict, so we'll transparently convert
# using the API. attributes is a dict, so we'll transparently convert
# the values to lists.
if module.params.get('attributes') is not None:
for key, val in module.params['attributes'].items():

474
plugins/modules/keycloak_user.py
View file

@ -9,225 +9,224 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_user
short_description: Create and configure a user in Keycloak
description:
- This module creates, removes, or updates Keycloak users.
- This module creates, removes, or updates Keycloak users.
version_added: 7.1.0
options:
auth_username:
aliases: []
realm:
auth_username:
aliases: []
realm:
description:
- The name of the realm in which is the client.
default: master
type: str
username:
description:
- Username for the user.
required: true
type: str
id:
description:
- ID of the user on the Keycloak server if known.
type: str
enabled:
description:
- Enabled user.
type: bool
email_verified:
description:
- Check the validity of user email.
default: false
type: bool
aliases:
- emailVerified
first_name:
description:
- The user's first name.
required: false
type: str
aliases:
- firstName
last_name:
description:
- The user's last name.
required: false
type: str
aliases:
- lastName
email:
description:
- User email.
required: false
type: str
federation_link:
description:
- Federation Link.
required: false
type: str
aliases:
- federationLink
service_account_client_id:
description:
- Description of the client Application.
required: false
type: str
aliases:
- serviceAccountClientId
client_consents:
description:
- Client Authenticator Type.
type: list
elements: dict
default: []
aliases:
- clientConsents
suboptions:
client_id:
description:
- The name of the realm in which is the client.
default: master
- Client ID of the client role. Not the technical ID of the client.
type: str
username:
description:
- Username for the user.
required: true
type: str
id:
description:
- ID of the user on the Keycloak server if known.
type: str
enabled:
description:
- Enabled user.
type: bool
email_verified:
description:
- Check the validity of user email.
default: false
type: bool
aliases:
- emailVerified
first_name:
- clientId
roles:
description:
- The user's first name.
required: false
type: str
aliases:
- firstName
last_name:
description:
- The user's last name.
required: false
type: str
aliases:
- lastName
email:
description:
- User email.
required: false
type: str
federation_link:
description:
- Federation Link.
required: false
type: str
aliases:
- federationLink
service_account_client_id:
description:
- Description of the client Application.
required: false
type: str
aliases:
- serviceAccountClientId
client_consents:
description:
- Client Authenticator Type.
type: list
elements: dict
default: []
aliases:
- clientConsents
suboptions:
client_id:
description:
- Client ID of the client role. Not the technical ID of the client.
type: str
required: true
aliases:
- clientId
roles:
description:
- List of client roles to assign to the user.
type: list
required: true
elements: str
groups:
description:
- List of groups for the user.
type: list
elements: dict
default: []
suboptions:
name:
description:
- Name of the group.
type: str
state:
description:
- Control whether the user must be member of this group or not.
choices: [ "present", "absent" ]
default: present
type: str
credentials:
description:
- User credentials.
default: []
type: list
elements: dict
suboptions:
type:
description:
- Credential type.
type: str
required: true
value:
description:
- Value of the credential.
type: str
required: true
temporary:
description:
- If V(true), the users are required to reset their credentials at next login.
type: bool
default: false
required_actions:
description:
- RequiredActions user Auth.
default: []
- List of client roles to assign to the user.
type: list
required: true
elements: str
aliases:
- requiredActions
federated_identities:
groups:
description:
- List of groups for the user.
type: list
elements: dict
default: []
suboptions:
name:
description:
- List of IDPs of user.
default: []
type: list
elements: str
aliases:
- federatedIdentities
attributes:
description:
- List of user attributes.
required: false
type: list
elements: dict
suboptions:
name:
description:
- Name of the attribute.
type: str
values:
description:
- Values for the attribute as list.
type: list
elements: str
state:
description:
- Control whether the attribute must exists or not.
choices: [ "present", "absent" ]
default: present
type: str
access:
description:
- list user access.
required: false
type: dict
disableable_credential_types:
description:
- list user Credential Type.
default: []
type: list
elements: str
aliases:
- disableableCredentialTypes
origin:
description:
- user origin.
required: false
- Name of the group.
type: str
self:
state:
description:
- user self administration.
required: false
type: str
state:
description:
- Control whether the user should exists or not.
choices: [ "present", "absent" ]
- Control whether the user must be member of this group or not.
choices: ["present", "absent"]
default: present
type: str
force:
credentials:
description:
- User credentials.
default: []
type: list
elements: dict
suboptions:
type:
description:
- If V(true), allows to remove user and recreate it.
- Credential type.
type: str
required: true
value:
description:
- Value of the credential.
type: str
required: true
temporary:
description:
- If V(true), the users are required to reset their credentials at next login.
type: bool
default: false
required_actions:
description:
- RequiredActions user Auth.
default: []
type: list
elements: str
aliases:
- requiredActions
federated_identities:
description:
- List of IDPs of user.
default: []
type: list
elements: str
aliases:
- federatedIdentities
attributes:
description:
- List of user attributes.
required: false
type: list
elements: dict
suboptions:
name:
description:
- Name of the attribute.
type: str
values:
description:
- Values for the attribute as list.
type: list
elements: str
state:
description:
- Control whether the attribute must exists or not.
choices: ["present", "absent"]
default: present
type: str
access:
description:
- List user access.
required: false
type: dict
disableable_credential_types:
description:
- List user Credential Type.
default: []
type: list
elements: str
aliases:
- disableableCredentialTypes
origin:
description:
- User origin.
required: false
type: str
self:
description:
- User self administration.
required: false
type: str
state:
description:
- Control whether the user should exists or not.
choices: ["present", "absent"]
default: present
type: str
force:
description:
- If V(true), allows to remove user and recreate it.
type: bool
default: false
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
notes:
- The module does not modify the user ID of an existing user.
- The module does not modify the user ID of an existing user.
author:
- Philippe Gauthier (@elfelip)
'''
- Philippe Gauthier (@elfelip)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a user user1
community.general.keycloak_user:
auth_keycloak_url: http://localhost:8080/auth
@ -241,21 +240,21 @@ EXAMPLES = '''
enabled: true
emailVerified: false
credentials:
- type: password
value: password
temporary: false
- type: password
value: password
temporary: false
attributes:
- name: attr1
values:
- value1
state: present
- name: attr2
values:
- value2
state: absent
- name: attr1
values:
- value1
state: present
- name: attr2
values:
- value2
state: absent
groups:
- name: group1
state: present
- name: group1
state: present
state: present
- name: Re-create a User
@ -271,21 +270,21 @@ EXAMPLES = '''
enabled: true
emailVerified: false
credentials:
- type: password
value: password
temporary: false
- type: password
value: password
temporary: false
attributes:
- name: attr1
values:
- value1
state: present
- name: attr2
values:
- value2
state: absent
- name: attr1
values:
- value1
state: present
- name: attr2
values:
- value2
state: absent
groups:
- name: group1
state: present
- name: group1
state: present
state: present
- name: Re-create a User
@ -301,21 +300,21 @@ EXAMPLES = '''
enabled: true
emailVerified: false
credentials:
- type: password
value: password
temporary: false
- type: password
value: password
temporary: false
attributes:
- name: attr1
values:
- value1
state: present
- name: attr2
values:
- value2
state: absent
- name: attr1
values:
- value1
state: present
- name: attr2
values:
- value2
state: absent
groups:
- name: group1
state: present
- name: group1
state: present
state: present
force: true
@ -327,9 +326,9 @@ EXAMPLES = '''
realm: master
username: user1
state: absent
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -344,14 +343,15 @@ existing:
returned: on success
type: dict
end_state:
description: Representation of the user after module execution
description: Representation of the user after module execution.
returned: on success
type: dict
changed:
description: Return V(true) if the operation changed the user on the keycloak server, V(false) otherwise.
returned: always
type: bool
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included
from ansible.module_utils.basic import AnsibleModule

1124
plugins/modules/keycloak_user_federation.py
View file

File diff suppressed because it is too large Load diff

228
plugins/modules/keycloak_user_rolemapping.py
View file

@ -7,8 +7,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_user_rolemapping
short_description: Allows administration of Keycloak user_rolemapping with the Keycloak API
@ -16,110 +15,93 @@ short_description: Allows administration of Keycloak user_rolemapping with the K
version_added: 5.7.0
description:
- This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
- This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. It requires access to the REST API using
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
into the role ID.
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the user_rolemapping.
- On V(present), the user_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the user_rolemapping will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
state:
description:
- State of the user_rolemapping.
- On V(present), the user_rolemapping will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the user_rolemapping will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
realm:
realm:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
target_username:
type: str
description:
- Username of the user roles are mapped to.
- This parameter is not required (can be replaced by uid for less API call).
uid:
type: str
description:
- ID of the user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
service_account_user_client_id:
type: str
description:
- Client ID of the service-account-user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
client_id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required if O(cid) is not provided (can be replaced by O(cid) to reduce the number of API calls that must be made).
cid:
type: str
description:
- ID of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the user.
type: list
elements: dict
suboptions:
name:
type: str
description:
- They Keycloak realm under which this role_representation resides.
default: 'master'
target_username:
- Name of the role representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- Username of the user roles are mapped to.
- This parameter is not required (can be replaced by uid for less API call).
uid:
type: str
description:
- ID of the user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
service_account_user_client_id:
type: str
description:
- Client ID of the service-account-user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
client_id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required if O(cid) is not provided (can be replaced by O(cid)
to reduce the number of API calls that must be made).
cid:
type: str
description:
- ID of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the user.
type: list
elements: dict
suboptions:
name:
type: str
description:
- Name of the role representation.
- This parameter is required only when creating or updating the role_representation.
id:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Dušan Marković (@bratwurzt)
'''
- Dušan Marković (@bratwurzt)
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Map a client role to a user, authentication with credentials
community.general.keycloak_user_rolemapping:
realm: MyCustomRealm
@ -189,49 +171,37 @@ EXAMPLES = '''
- name: role_name2
id: role_id2
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Role role1 assigned to user user1."
description: Message as to what action was taken.
returned: always
type: str
sample: "Role role1 assigned to user user1."
proposed:
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {
clientId: "test"
}
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {clientId: "test"}
existing:
description:
- Representation of existing client role mapping.
- The sample is truncated.
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
description:
- Representation of existing client role mapping.
- The sample is truncated.
returned: always
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description:
- Representation of client role mapping after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
description:
- Representation of client role mapping after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError

486
plugins/modules/keycloak_userprofile.py
View file

@ -8,278 +8,274 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_userprofile
short_description: Allows managing Keycloak User Profiles
description:
- This module allows you to create, update, or delete Keycloak User Profiles via Keycloak API. You can also customize the "Unmanaged Attributes" with it.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html).
- This module allows you to create, update, or delete Keycloak User Profiles using the Keycloak API. You can also customize the "Unmanaged Attributes"
with it.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html).
For compatibility reasons, the module also accepts the camelCase versions of the options.
version_added: "9.4.0"
attributes:
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
check_mode:
support: full
diff_mode:
support: full
action_group:
version_added: 10.2.0
options:
state:
description:
- State of the User Profile provider.
- On V(present), the User Profile provider will be created if it does not yet exist, or updated with
the parameters you provide.
- On V(absent), the User Profile provider will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
state:
description:
- State of the User Profile provider.
- On V(present), the User Profile provider will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the User Profile provider will be removed if it exists.
default: 'present'
type: str
choices:
- present
- absent
parent_id:
parent_id:
description:
- The parent ID of the realm key. In practice the ID (name) of the realm.
aliases:
- parentId
- realm
type: str
required: true
provider_id:
description:
- The name of the provider ID for the key (supported value is V(declarative-user-profile)).
aliases:
- providerId
choices: ['declarative-user-profile']
default: 'declarative-user-profile'
type: str
provider_type:
description:
- Component type for User Profile (only supported value is V(org.keycloak.userprofile.UserProfileProvider)).
aliases:
- providerType
choices: ['org.keycloak.userprofile.UserProfileProvider']
default: org.keycloak.userprofile.UserProfileProvider
type: str
config:
description:
- The configuration of the User Profile Provider.
type: dict
required: false
suboptions:
kc_user_profile_config:
description:
- The parent ID of the realm key. In practice the ID (name) of the realm.
- Define a declarative User Profile. See EXAMPLES for more context.
aliases:
- parentId
- realm
type: str
required: true
provider_id:
description:
- The name of the provider ID for the key (supported value is V(declarative-user-profile)).
aliases:
- providerId
choices: ['declarative-user-profile']
default: 'declarative-user-profile'
type: str
provider_type:
description:
- Component type for User Profile (only supported value is V(org.keycloak.userprofile.UserProfileProvider)).
aliases:
- providerType
choices: ['org.keycloak.userprofile.UserProfileProvider']
default: org.keycloak.userprofile.UserProfileProvider
type: str
config:
description:
- The configuration of the User Profile Provider.
type: dict
required: false
- kcUserProfileConfig
type: list
elements: dict
suboptions:
kc_user_profile_config:
attributes:
description:
- A list of attributes to be included in the User Profile.
type: list
elements: dict
suboptions:
name:
description:
- Define a declarative User Profile. See EXAMPLES for more context.
- The name of the attribute.
type: str
required: true
display_name:
description:
- The display name of the attribute.
aliases:
- kcUserProfileConfig
type: list
elements: dict
- displayName
type: str
required: true
validations:
description:
- The validations to be applied to the attribute.
type: dict
suboptions:
attributes:
length:
description:
- The length validation for the attribute.
type: dict
suboptions:
min:
description:
- A list of attributes to be included in the User Profile.
type: list
elements: dict
suboptions:
name:
description:
- The name of the attribute.
type: str
required: true
display_name:
description:
- The display name of the attribute.
aliases:
- displayName
type: str
required: true
validations:
description:
- The validations to be applied to the attribute.
type: dict
suboptions:
length:
description:
- The length validation for the attribute.
type: dict
suboptions:
min:
description:
- The minimum length of the attribute.
type: int
max:
description:
- The maximum length of the attribute.
type: int
required: true
email:
description:
- The email validation for the attribute.
type: dict
username_prohibited_characters:
description:
- The prohibited characters validation for the username attribute.
type: dict
aliases:
- usernameProhibitedCharacters
up_username_not_idn_homograph:
description:
- The validation to prevent IDN homograph attacks in usernames.
type: dict
aliases:
- upUsernameNotIdnHomograph
person_name_prohibited_characters:
description:
- The prohibited characters validation for person name attributes.
type: dict
aliases:
- personNameProhibitedCharacters
uri:
description:
- The URI validation for the attribute.
type: dict
pattern:
description:
- The pattern validation for the attribute using regular expressions.
type: dict
options:
description:
- Validation to ensure the attribute matches one of the provided options.
type: dict
annotations:
description:
- Annotations for the attribute.
type: dict
group:
description:
- Specifies the User Profile group where this attribute will be added.
type: str
permissions:
description:
- The permissions for viewing and editing the attribute.
type: dict
suboptions:
view:
description:
- The roles that can view the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
edit:
description:
- The roles that can edit the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
multivalued:
description:
- Whether the attribute can have multiple values.
type: bool
default: false
required:
description:
- The roles that require this attribute.
type: dict
suboptions:
roles:
description:
- The roles for which this attribute is required.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- user
groups:
- The minimum length of the attribute.
type: int
max:
description:
- A list of attribute groups to be included in the User Profile.
type: list
elements: dict
suboptions:
name:
description:
- The name of the group.
type: str
required: true
- The maximum length of the attribute.
type: int
required: true
display_header:
description:
- The display header for the group.
aliases:
- displayHeader
type: str
required: true
email:
description:
- The email validation for the attribute.
type: dict
display_description:
description:
- The display description for the group.
aliases:
- displayDescription
type: str
required: false
username_prohibited_characters:
description:
- The prohibited characters validation for the username attribute.
type: dict
aliases:
- usernameProhibitedCharacters
annotations:
description:
- The annotations included in the group.
type: dict
required: false
up_username_not_idn_homograph:
description:
- The validation to prevent IDN homograph attacks in usernames.
type: dict
aliases:
- upUsernameNotIdnHomograph
unmanaged_attribute_policy:
description:
- Policy for unmanaged attributes.
aliases:
- unmanagedAttributePolicy
type: str
choices:
- ENABLED
- ADMIN_EDIT
- ADMIN_VIEW
person_name_prohibited_characters:
description:
- The prohibited characters validation for person name attributes.
type: dict
aliases:
- personNameProhibitedCharacters
uri:
description:
- The URI validation for the attribute.
type: dict
pattern:
description:
- The pattern validation for the attribute using regular expressions.
type: dict
options:
description:
- Validation to ensure the attribute matches one of the provided options.
type: dict
annotations:
description:
- Annotations for the attribute.
type: dict
group:
description:
- Specifies the User Profile group where this attribute will be added.
type: str
permissions:
description:
- The permissions for viewing and editing the attribute.
type: dict
suboptions:
view:
description:
- The roles that can view the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
edit:
description:
- The roles that can edit the attribute.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- admin
- user
multivalued:
description:
- Whether the attribute can have multiple values.
type: bool
default: false
required:
description:
- The roles that require this attribute.
type: dict
suboptions:
roles:
description:
- The roles for which this attribute is required.
- Supported values are V(admin) and V(user).
type: list
elements: str
default:
- user
groups:
description:
- A list of attribute groups to be included in the User Profile.
type: list
elements: dict
suboptions:
name:
description:
- The name of the group.
type: str
required: true
display_header:
description:
- The display header for the group.
aliases:
- displayHeader
type: str
required: true
display_description:
description:
- The display description for the group.
aliases:
- displayDescription
type: str
required: false
annotations:
description:
- The annotations included in the group.
type: dict
required: false
unmanaged_attribute_policy:
description:
- Policy for unmanaged attributes.
aliases:
- unmanagedAttributePolicy
type: str
choices:
- ENABLED
- ADMIN_EDIT
- ADMIN_VIEW
notes:
- Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API).
However, there can be multiple O(config.kc_user_profile_config[].attributes[]) entries.
- Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). However, there can
be multiple O(config.kc_user_profile_config[].attributes[]) entries.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
- community.general.attributes
author:
- Eike Waldt (@yeoldegrove)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Declarative User Profile with default settings
community.general.keycloak_userprofile:
state: present
@ -397,9 +393,9 @@ EXAMPLES = '''
config:
kc_user_profile_config:
- unmanagedAttributePolicy: ADMIN_VIEW
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: The output message generated by the module.
returned: always
@ -409,8 +405,8 @@ data:
description: The data returned by the Keycloak API.
returned: when state is present
type: dict
sample: {...}
'''
sample: {'...': '...'}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError

5
plugins/modules/keyring.py
View file

@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r"""
---
module: keyring
version_added: 5.2.0
author:
- Alexander Hussey (@ahussey-redhat)
short_description: Set or delete a passphrase using the Operating System's native keyring
description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/)
to set or delete passphrases for a given service and username from the OS' native keyring.
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to set or delete passphrases for a given service and username
from the OS' native keyring.
requirements:
- keyring (Python library)
- gnome-keyring (application - required for headless Gnome keyring access)

33
plugins/modules/keyring_info.py
View file

@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r"""
---
module: keyring_info
version_added: 5.2.0
author:
- Alexander Hussey (@ahussey-redhat)
short_description: Get a passphrase using the Operating System's native keyring
description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/)
to retrieve passphrases for a given service and username from the OS' native keyring.
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to retrieve passphrases for a given service and username from
the OS' native keyring.
requirements:
- keyring (Python library)
- gnome-keyring (application - required for headless Linux keyring access)
@ -45,24 +44,24 @@ options:
"""
EXAMPLES = r"""
- name: Retrieve password for service_name/user_name
community.general.keyring_info:
service: test
username: test1
keyring_password: "{{ keyring_password }}"
register: test_password
- name: Retrieve password for service_name/user_name
community.general.keyring_info:
service: test
username: test1
keyring_password: "{{ keyring_password }}"
register: test_password
- name: Display password
ansible.builtin.debug:
msg: "{{ test_password.passphrase }}"
- name: Display password
ansible.builtin.debug:
msg: "{{ test_password.passphrase }}"
"""
RETURN = r"""
passphrase:
description: A string containing the password.
returned: success and the password exists
type: str
sample: Password123
passphrase:
description: A string containing the password.
returned: success and the password exists
type: str
sample: Password123
"""
try:

143
plugins/modules/kibana_plugin.py
View file

@ -11,71 +11,70 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: kibana_plugin
short_description: Manage Kibana plugins
description:
- This module can be used to manage Kibana plugins.
- This module can be used to manage Kibana plugins.
author: Thierno IB. BARRY (@barryib)
extends_documentation_fragment:
- community.general.attributes
- community.general.attributes
attributes:
check_mode:
support: full
diff_mode:
support: none
check_mode:
support: full
diff_mode:
support: none
options:
name:
description:
name:
description:
- Name of the plugin to install.
required: true
type: str
state:
description:
required: true
type: str
state:
description:
- Desired state of a plugin.
choices: ["present", "absent"]
default: present
type: str
url:
description:
choices: ["present", "absent"]
default: present
type: str
url:
description:
- Set exact URL to download the plugin from.
- For local file, prefix its absolute path with file://
type: str
timeout:
description:
- "Timeout setting: 30s, 1m, 1h etc."
default: 1m
type: str
plugin_bin:
description:
- For local file, prefix its absolute path with file://.
type: str
timeout:
description:
- 'Timeout setting: V(30s), V(1m), V(1h) and so on.'
default: 1m
type: str
plugin_bin:
description:
- Location of the Kibana binary.
default: /opt/kibana/bin/kibana
type: path
plugin_dir:
description:
default: /opt/kibana/bin/kibana
type: path
plugin_dir:
description:
- Your configured plugin directory specified in Kibana.
default: /opt/kibana/installedPlugins/
type: path
version:
description:
default: /opt/kibana/installedPlugins/
type: path
version:
description:
- Version of the plugin to be installed.
- If plugin exists with previous version, plugin will B(not) be updated unless O(force) is set to V(true).
type: str
force:
description:
type: str
force:
description:
- Delete and re-install the plugin. Can be useful for plugins update.
type: bool
default: false
allow_root:
description:
type: bool
default: false
allow_root:
description:
- Whether to allow C(kibana) and C(kibana-plugin) to be run as root. Passes the C(--allow-root) flag to these commands.
type: bool
default: false
version_added: 2.3.0
'''
type: bool
default: false
version_added: 2.3.0
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Install Elasticsearch head plugin
community.general.kibana_plugin:
state: present
@ -91,38 +90,38 @@ EXAMPLES = '''
community.general.kibana_plugin:
state: absent
name: elasticsearch/marvel
'''
"""
RETURN = '''
RETURN = r"""
cmd:
description: the launched command during plugin management (install / remove)
returned: success
type: str
description: The launched command during plugin management (install / remove).
returned: success
type: str
name:
description: the plugin name to install or remove
returned: success
type: str
description: The plugin name to install or remove.
returned: success
type: str
url:
description: the url from where the plugin is installed from
returned: success
type: str
description: The url from where the plugin is installed from.
returned: success
type: str
timeout:
description: the timeout for plugin download
returned: success
type: str
description: The timeout for plugin download.
returned: success
type: str
stdout:
description: the command stdout
returned: success
type: str
description: The command stdout.
returned: success
type: str
stderr:
description: the command stderr
returned: success
type: str
description: The command stderr.
returned: success
type: str
state:
description: the state for the managed plugin
returned: success
type: str
'''
description: The state for the managed plugin.
returned: success
type: str
"""
import os
from ansible.module_utils.basic import AnsibleModule

17
plugins/modules/krb_ticket.py
View file

@ -8,8 +8,7 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r'''
---
DOCUMENTATION = r"""
module: krb_ticket
short_description: Kerberos utils for managing tickets
version_added: 10.0.0
@ -56,8 +55,9 @@ options:
lifetime:
description:
- Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used.
- Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.
- "The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days."
- Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum
ticket lifetime.
- 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days.'
- You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str
@ -73,7 +73,8 @@ options:
renewable:
description:
- Requests renewable tickets, with a total lifetime equal to O(renewable).
- "The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days."
- 'The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) -
days.'
- You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str
@ -125,9 +126,9 @@ requirements:
- krb5-user and krb5-config packages
extends_documentation_fragment:
- community.general.attributes
'''
"""
EXAMPLES = r'''
EXAMPLES = r"""
- name: Get Kerberos ticket using default principal
community.general.krb_ticket:
password: some_password
@ -179,7 +180,7 @@ EXAMPLES = r'''
community.general.krb_ticket:
state: absent
kdestroy_all: true
'''
"""
from ansible.module_utils.basic import AnsibleModule, env_fallback
from ansible_collections.community.general.plugins.module_utils.cmd_runner import CmdRunner, cmd_runner_fmt