Keycloak client role scope (#8252)

* first commit

* minor update

* fixe Copyright

* fixe sanity

* Update plugins/modules/keycloak_client_rolescope.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* fixe sanity 2

* Update plugins/modules/keycloak_client_rolescope.py

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Andre Desrosiers <andre.desrosiers@ssss.gouv.qc.ca>
Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
desand01 2024-04-21 14:10:03 -04:00 committed by GitHub
commit a5697da29c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 752 additions and 0 deletions

View file

@ -0,0 +1,20 @@
<!--
Copyright (c) Ansible Project
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
-->
# Running keycloak_client_rolescope module integration test
To run Keycloak component info module's integration test, start a keycloak server using Docker:
docker run -d --rm --name mykeycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:latest start-dev --http-relative-path /auth
Run integration tests:
ansible-test integration -v keycloak_client_rolescope --allow-unsupported --docker fedora35 --docker-network host
Cleanup:
docker stop mykeycloak

View file

@ -0,0 +1,5 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
unsupported

View file

@ -0,0 +1,317 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Wait for Keycloak
uri:
url: "{{ url }}/admin/"
status_code: 200
validate_certs: no
register: result
until: result.status == 200
retries: 10
delay: 10
- name: Delete realm if exists
community.general.keycloak_realm:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
state: absent
- name: Create realm
community.general.keycloak_realm:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
id: "{{ realm }}"
realm: "{{ realm }}"
state: present
- name: Create a Keycloak realm role
community.general.keycloak_role:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
name: "{{ item }}"
realm: "{{ realm }}"
with_items:
- "{{ realm_role_admin }}"
- "{{ realm_role_user }}"
- name: Client private
community.general.keycloak_client:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_private }}"
state: present
redirect_uris:
- "https://my-backend-api.c.org/"
fullScopeAllowed: True
attributes: '{{client_attributes1}}'
public_client: False
- name: Create a Keycloak client role
community.general.keycloak_role:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
name: "{{ item }}"
realm: "{{ realm }}"
client_id: "{{ client_name_private }}"
with_items:
- "{{ client_role_admin }}"
- "{{ client_role_user }}"
- name: Client public
community.general.keycloak_client:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
redirect_uris:
- "https://my-onepage-app-frontend.c.org/"
attributes: '{{client_attributes1}}'
full_scope_allowed: False
public_client: True
- name: Map roles to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
client_scope_id: "{{ client_name_private }}"
role_names:
- "{{ client_role_admin }}"
- "{{ client_role_user }}"
register: result
- name: Assert mapping created
assert:
that:
- result is changed
- result.end_state | length == 2
- name: remap role user to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
client_scope_id: "{{ client_name_private }}"
role_names:
- "{{ client_role_user }}"
register: result
- name: Assert mapping created
assert:
that:
- result is not changed
- result.end_state | length == 2
- name: Remove Map role admin to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
client_scope_id: "{{ client_name_private }}"
role_names:
- "{{ client_role_admin }}"
state: absent
register: result
- name: Assert mapping deleted
assert:
that:
- result is changed
- result.end_state | length == 1
- result.end_state[0].name == client_role_user
- name: Map missing roles to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
client_scope_id: "{{ client_name_private }}"
role_names:
- "{{ client_role_admin }}"
- "{{ client_role_not_exists }}"
ignore_errors: true
register: result
- name: Assert failed mapping missing role
assert:
that:
- result is failed
- name: Map roles duplicate
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
client_scope_id: "{{ client_name_private }}"
role_names:
- "{{ client_role_admin }}"
- "{{ client_role_admin }}"
register: result
- name: Assert result
assert:
that:
- result is changed
- result.end_state | length == 2
- name: Map roles to private client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_private }}"
role_names:
- "{{ realm_role_admin }}"
ignore_errors: true
register: result
- name: Assert failed mapping role to full scope client
assert:
that:
- result is failed
- name: Map realm role to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
role_names:
- "{{ realm_role_admin }}"
register: result
- name: Assert result
assert:
that:
- result is changed
- result.end_state | length == 1
- name: Map two realm roles to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
role_names:
- "{{ realm_role_admin }}"
- "{{ realm_role_user }}"
register: result
- name: Assert result
assert:
that:
- result is changed
- result.end_state | length == 2
- name: Unmap all realm roles to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
role_names:
- "{{ realm_role_admin }}"
- "{{ realm_role_user }}"
state: absent
register: result
- name: Assert result
assert:
that:
- result is changed
- result.end_state | length == 0
- name: Map missing realm role to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
role_names:
- "{{ realm_role_not_exists }}"
ignore_errors: true
register: result
- name: Assert failed mapping missing realm role
assert:
that:
- result is failed
- name: Check-mode try to Map realm roles to public client
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
role_names:
- "{{ realm_role_admin }}"
- "{{ realm_role_user }}"
check_mode: true
register: result
- name: Assert result
assert:
that:
- result is changed
- result.end_state | length == 2
- name: Check-mode step two, check if change where applied
community.general.keycloak_client_rolescope:
auth_keycloak_url: "{{ url }}"
auth_realm: "{{ admin_realm }}"
auth_username: "{{ admin_user }}"
auth_password: "{{ admin_password }}"
realm: "{{ realm }}"
client_id: "{{ client_name_public }}"
role_names: []
register: result
- name: Assert result
assert:
that:
- result is not changed
- result.end_state | length == 0

View file

@ -0,0 +1,26 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
url: http://localhost:8080/auth
admin_realm: master
admin_user: admin
admin_password: password
realm: myrealm
client_name_private: backend-client-private
client_role_admin: client-role-admin
client_role_user: client-role-user
client_role_not_exists: client-role-missing
client_name_public: frontend-client-public
realm_role_admin: realm-role-admin
realm_role_user: realm-role-user
realm_role_not_exists: client-role-missing
client_attributes1: {"backchannel.logout.session.required": true, "backchannel.logout.revoke.offline.tokens": false, "client.secret.creation.time": 0}