mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-07-23 05:10:22 -07:00
Keycloak client role scope (#8252)
* first commit * minor update * fixe Copyright * fixe sanity * Update plugins/modules/keycloak_client_rolescope.py Co-authored-by: Felix Fontein <felix@fontein.de> * fixe sanity 2 * Update plugins/modules/keycloak_client_rolescope.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Andre Desrosiers <andre.desrosiers@ssss.gouv.qc.ca> Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
parent
0735656319
commit
a5697da29c
7 changed files with 752 additions and 0 deletions
|
@ -0,0 +1,20 @@
|
|||
<!--
|
||||
Copyright (c) Ansible Project
|
||||
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
SPDX-License-Identifier: GPL-3.0-or-later
|
||||
-->
|
||||
# Running keycloak_client_rolescope module integration test
|
||||
|
||||
To run Keycloak component info module's integration test, start a keycloak server using Docker:
|
||||
|
||||
docker run -d --rm --name mykeycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:latest start-dev --http-relative-path /auth
|
||||
|
||||
Run integration tests:
|
||||
|
||||
ansible-test integration -v keycloak_client_rolescope --allow-unsupported --docker fedora35 --docker-network host
|
||||
|
||||
Cleanup:
|
||||
|
||||
docker stop mykeycloak
|
||||
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# Copyright (c) Ansible Project
|
||||
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
|
||||
unsupported
|
|
@ -0,0 +1,317 @@
|
|||
---
|
||||
# Copyright (c) Ansible Project
|
||||
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
- name: Wait for Keycloak
|
||||
uri:
|
||||
url: "{{ url }}/admin/"
|
||||
status_code: 200
|
||||
validate_certs: no
|
||||
register: result
|
||||
until: result.status == 200
|
||||
retries: 10
|
||||
delay: 10
|
||||
|
||||
- name: Delete realm if exists
|
||||
community.general.keycloak_realm:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
state: absent
|
||||
|
||||
- name: Create realm
|
||||
community.general.keycloak_realm:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
id: "{{ realm }}"
|
||||
realm: "{{ realm }}"
|
||||
state: present
|
||||
|
||||
- name: Create a Keycloak realm role
|
||||
community.general.keycloak_role:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
name: "{{ item }}"
|
||||
realm: "{{ realm }}"
|
||||
with_items:
|
||||
- "{{ realm_role_admin }}"
|
||||
- "{{ realm_role_user }}"
|
||||
|
||||
- name: Client private
|
||||
community.general.keycloak_client:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_private }}"
|
||||
state: present
|
||||
redirect_uris:
|
||||
- "https://my-backend-api.c.org/"
|
||||
fullScopeAllowed: True
|
||||
attributes: '{{client_attributes1}}'
|
||||
public_client: False
|
||||
|
||||
- name: Create a Keycloak client role
|
||||
community.general.keycloak_role:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
name: "{{ item }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_private }}"
|
||||
with_items:
|
||||
- "{{ client_role_admin }}"
|
||||
- "{{ client_role_user }}"
|
||||
|
||||
- name: Client public
|
||||
community.general.keycloak_client:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
redirect_uris:
|
||||
- "https://my-onepage-app-frontend.c.org/"
|
||||
attributes: '{{client_attributes1}}'
|
||||
full_scope_allowed: False
|
||||
public_client: True
|
||||
|
||||
|
||||
- name: Map roles to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
client_scope_id: "{{ client_name_private }}"
|
||||
role_names:
|
||||
- "{{ client_role_admin }}"
|
||||
- "{{ client_role_user }}"
|
||||
register: result
|
||||
|
||||
- name: Assert mapping created
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.end_state | length == 2
|
||||
|
||||
- name: remap role user to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
client_scope_id: "{{ client_name_private }}"
|
||||
role_names:
|
||||
- "{{ client_role_user }}"
|
||||
register: result
|
||||
|
||||
- name: Assert mapping created
|
||||
assert:
|
||||
that:
|
||||
- result is not changed
|
||||
- result.end_state | length == 2
|
||||
|
||||
- name: Remove Map role admin to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
client_scope_id: "{{ client_name_private }}"
|
||||
role_names:
|
||||
- "{{ client_role_admin }}"
|
||||
state: absent
|
||||
register: result
|
||||
|
||||
- name: Assert mapping deleted
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.end_state | length == 1
|
||||
- result.end_state[0].name == client_role_user
|
||||
|
||||
- name: Map missing roles to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
client_scope_id: "{{ client_name_private }}"
|
||||
role_names:
|
||||
- "{{ client_role_admin }}"
|
||||
- "{{ client_role_not_exists }}"
|
||||
ignore_errors: true
|
||||
register: result
|
||||
|
||||
- name: Assert failed mapping missing role
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
|
||||
- name: Map roles duplicate
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
client_scope_id: "{{ client_name_private }}"
|
||||
role_names:
|
||||
- "{{ client_role_admin }}"
|
||||
- "{{ client_role_admin }}"
|
||||
register: result
|
||||
|
||||
- name: Assert result
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.end_state | length == 2
|
||||
|
||||
- name: Map roles to private client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_private }}"
|
||||
role_names:
|
||||
- "{{ realm_role_admin }}"
|
||||
ignore_errors: true
|
||||
register: result
|
||||
|
||||
- name: Assert failed mapping role to full scope client
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
|
||||
- name: Map realm role to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
role_names:
|
||||
- "{{ realm_role_admin }}"
|
||||
register: result
|
||||
|
||||
- name: Assert result
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.end_state | length == 1
|
||||
|
||||
- name: Map two realm roles to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
role_names:
|
||||
- "{{ realm_role_admin }}"
|
||||
- "{{ realm_role_user }}"
|
||||
register: result
|
||||
|
||||
- name: Assert result
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.end_state | length == 2
|
||||
|
||||
- name: Unmap all realm roles to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
role_names:
|
||||
- "{{ realm_role_admin }}"
|
||||
- "{{ realm_role_user }}"
|
||||
state: absent
|
||||
register: result
|
||||
|
||||
- name: Assert result
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.end_state | length == 0
|
||||
|
||||
- name: Map missing realm role to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
role_names:
|
||||
- "{{ realm_role_not_exists }}"
|
||||
ignore_errors: true
|
||||
register: result
|
||||
|
||||
- name: Assert failed mapping missing realm role
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
|
||||
- name: Check-mode try to Map realm roles to public client
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
role_names:
|
||||
- "{{ realm_role_admin }}"
|
||||
- "{{ realm_role_user }}"
|
||||
check_mode: true
|
||||
register: result
|
||||
|
||||
- name: Assert result
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.end_state | length == 2
|
||||
|
||||
- name: Check-mode step two, check if change where applied
|
||||
community.general.keycloak_client_rolescope:
|
||||
auth_keycloak_url: "{{ url }}"
|
||||
auth_realm: "{{ admin_realm }}"
|
||||
auth_username: "{{ admin_user }}"
|
||||
auth_password: "{{ admin_password }}"
|
||||
realm: "{{ realm }}"
|
||||
client_id: "{{ client_name_public }}"
|
||||
role_names: []
|
||||
register: result
|
||||
|
||||
- name: Assert result
|
||||
assert:
|
||||
that:
|
||||
- result is not changed
|
||||
- result.end_state | length == 0
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
# Copyright (c) Ansible Project
|
||||
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
|
||||
url: http://localhost:8080/auth
|
||||
admin_realm: master
|
||||
admin_user: admin
|
||||
admin_password: password
|
||||
realm: myrealm
|
||||
|
||||
|
||||
client_name_private: backend-client-private
|
||||
client_role_admin: client-role-admin
|
||||
client_role_user: client-role-user
|
||||
client_role_not_exists: client-role-missing
|
||||
|
||||
client_name_public: frontend-client-public
|
||||
|
||||
|
||||
realm_role_admin: realm-role-admin
|
||||
realm_role_user: realm-role-user
|
||||
realm_role_not_exists: client-role-missing
|
||||
|
||||
|
||||
client_attributes1: {"backchannel.logout.session.required": true, "backchannel.logout.revoke.offline.tokens": false, "client.secret.creation.time": 0}
|
Loading…
Add table
Add a link
Reference in a new issue