Keycloak client role scope (#8252)

* first commit * minor update * fixe Copyright * fixe sanity * Update plugins/modules/keycloak_client_rolescope.py Co-authored-by: Felix Fontein <felix@fontein.de> * fixe sanity 2 * Update plugins/modules/keycloak_client_rolescope.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Andre Desrosiers <andre.desrosiers@ssss.gouv.qc.ca> Co-authored-by: Felix Fontein <felix@fontein.de>
2025-07-24 22:00:22 -07:00 · 2024-04-21 14:10:03 -04:00 · 2024-04-21 14:10:03 -04:00 · a5697da29c
commit a5697da29c
parent 0735656319
7 changed files with 752 additions and 0 deletions
--- a/tests/integration/targets/keycloak_client_rolescope/README.md
+++ b/tests/integration/targets/keycloak_client_rolescope/README.md
@ -0,0 +1,20 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+# Running keycloak_client_rolescope module integration test
+
+To run Keycloak component info module's integration test, start a keycloak server using Docker:
+
+    docker run -d --rm --name mykeycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:latest start-dev --http-relative-path /auth
+
+Run integration tests:
+
+    ansible-test integration -v keycloak_client_rolescope --allow-unsupported --docker fedora35 --docker-network host
+
+Cleanup:
+
+    docker stop mykeycloak
+
+
--- a/tests/integration/targets/keycloak_client_rolescope/aliases
+++ b/tests/integration/targets/keycloak_client_rolescope/aliases
@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+unsupported
--- a/tests/integration/targets/keycloak_client_rolescope/tasks/main.yml
+++ b/tests/integration/targets/keycloak_client_rolescope/tasks/main.yml
@ -0,0 +1,317 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+- name: Wait for Keycloak
+  uri:
+    url: "{{ url }}/admin/"
+    status_code: 200
+    validate_certs: no
+  register: result
+  until: result.status == 200
+  retries: 10
+  delay: 10
+
+- name: Delete realm if exists
+  community.general.keycloak_realm:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    state: absent
+
+- name: Create realm
+  community.general.keycloak_realm:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    id: "{{ realm }}"
+    realm: "{{ realm }}"
+    state: present
+
+- name: Create a Keycloak realm role
+  community.general.keycloak_role:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: "{{ item }}"
+    realm: "{{ realm }}"
+  with_items: 
+  - "{{ realm_role_admin }}"
+  - "{{ realm_role_user }}"
+
+- name: Client private
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_private }}"
+    state: present
+    redirect_uris:
+    - "https://my-backend-api.c.org/"
+    fullScopeAllowed: True
+    attributes: '{{client_attributes1}}'
+    public_client: False
+
+- name: Create a Keycloak client role
+  community.general.keycloak_role:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: "{{ item }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_private }}"
+  with_items: 
+  - "{{ client_role_admin }}"
+  - "{{ client_role_user }}"
+
+- name: Client public
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    redirect_uris:
+    - "https://my-onepage-app-frontend.c.org/"
+    attributes: '{{client_attributes1}}'
+    full_scope_allowed: False
+    public_client: True
+
+
+- name: Map roles to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    client_scope_id: "{{ client_name_private }}"
+    role_names:
+    - "{{ client_role_admin }}"
+    - "{{ client_role_user }}"
+  register: result
+
+- name: Assert mapping created
+  assert:
+    that:
+    - result is changed
+    - result.end_state | length == 2
+
+- name: remap role user to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    client_scope_id: "{{ client_name_private }}"
+    role_names:
+    - "{{ client_role_user }}"
+  register: result
+
+- name: Assert mapping created
+  assert:
+    that:
+    - result is not changed
+    - result.end_state | length == 2
+  
+- name: Remove Map role admin to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    client_scope_id: "{{ client_name_private }}"
+    role_names:
+    - "{{ client_role_admin }}"
+    state: absent
+  register: result
+
+- name: Assert mapping deleted
+  assert:
+    that:
+    - result is changed
+    - result.end_state | length == 1
+    - result.end_state[0].name == client_role_user
+
+- name: Map missing roles to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    client_scope_id: "{{ client_name_private }}"
+    role_names:
+    - "{{ client_role_admin }}"
+    - "{{ client_role_not_exists }}"
+  ignore_errors: true
+  register: result
+
+- name: Assert failed mapping missing role
+  assert:
+    that:
+    - result is failed
+
+- name: Map roles duplicate
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    client_scope_id: "{{ client_name_private }}"
+    role_names:
+    - "{{ client_role_admin }}"
+    - "{{ client_role_admin }}"
+  register: result
+
+- name: Assert result
+  assert:
+    that:
+    - result is changed
+    - result.end_state | length == 2
+
+- name: Map roles to private client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_private }}"
+    role_names:
+    - "{{ realm_role_admin }}"
+  ignore_errors: true
+  register: result
+
+- name: Assert failed mapping role to full scope client
+  assert:
+    that:
+    - result is failed
+
+- name: Map realm role to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    role_names:
+    - "{{ realm_role_admin }}"
+  register: result
+
+- name: Assert result
+  assert:
+    that:
+    - result is changed
+    - result.end_state | length == 1
+
+- name: Map two realm roles to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    role_names:
+    - "{{ realm_role_admin }}"
+    - "{{ realm_role_user }}"
+  register: result
+
+- name: Assert result
+  assert:
+    that:
+    - result is changed
+    - result.end_state | length == 2
+
+- name: Unmap all realm roles to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    role_names:
+    - "{{ realm_role_admin }}"
+    - "{{ realm_role_user }}"
+    state: absent
+  register: result
+
+- name: Assert result
+  assert:
+    that:
+    - result is changed
+    - result.end_state | length == 0
+
+- name: Map missing realm role to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    role_names:
+    - "{{ realm_role_not_exists }}"
+  ignore_errors: true
+  register: result
+
+- name: Assert failed mapping missing realm role
+  assert:
+    that:
+    - result is failed
+
+- name: Check-mode try to Map realm roles to public client
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    role_names:
+    - "{{ realm_role_admin }}"
+    - "{{ realm_role_user }}"
+  check_mode: true
+  register: result
+
+- name: Assert result
+  assert:
+    that:
+    - result is changed
+    - result.end_state | length == 2
+    
+- name: Check-mode step two, check if change where applied
+  community.general.keycloak_client_rolescope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_name_public }}"
+    role_names: []
+  register: result
+
+- name: Assert result
+  assert:
+    that:
+    - result is not changed
+    - result.end_state | length == 0
--- a/tests/integration/targets/keycloak_client_rolescope/vars/main.yml
+++ b/tests/integration/targets/keycloak_client_rolescope/vars/main.yml
@ -0,0 +1,26 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+url: http://localhost:8080/auth
+admin_realm: master
+admin_user: admin
+admin_password: password
+realm: myrealm
+
+
+client_name_private: backend-client-private
+client_role_admin: client-role-admin
+client_role_user: client-role-user
+client_role_not_exists: client-role-missing
+
+client_name_public: frontend-client-public
+
+
+realm_role_admin: realm-role-admin
+realm_role_user: realm-role-user
+realm_role_not_exists: client-role-missing
+
+
+client_attributes1: {"backchannel.logout.session.required": true, "backchannel.logout.revoke.offline.tokens": false, "client.secret.creation.time": 0}