mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-06-23 08:40:22 -07:00
f44ca23d7a
Some checks are pending
EOL CI / EOL Sanity (Ⓐ2.16) (push) Waiting to run
EOL CI / EOL Units (Ⓐ2.16+py2.7) (push) Waiting to run
EOL CI / EOL Units (Ⓐ2.16+py3.11) (push) Waiting to run
EOL CI / EOL Units (Ⓐ2.16+py3.6) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+alpine3+py:azp/posix/1/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+alpine3+py:azp/posix/2/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+alpine3+py:azp/posix/3/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+fedora38+py:azp/posix/1/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+fedora38+py:azp/posix/2/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+fedora38+py:azp/posix/3/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+opensuse15+py:azp/posix/1/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+opensuse15+py:azp/posix/2/) (push) Waiting to run
EOL CI / EOL I (Ⓐ2.16+opensuse15+py:azp/posix/3/) (push) Waiting to run
nox / Run extra sanity tests (push) Waiting to run
* add client_credentials authentication for keycloak tasks incl. test case * support client credentials in all keycloak modules * Add changelog fragment * fix typos in required list * Update changelogs/fragments/10231-keycloak-add-client-credentials-authentication.yml Co-authored-by: Felix Fontein <felix@fontein.de> * revert keycloak url in test environment --------- Co-authored-by: Felix Fontein <felix@fontein.de>
342 lines
9.6 KiB
YAML
342 lines
9.6 KiB
YAML
---
|
|
# Copyright (c) Ansible Project
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
- name: Reset public login in master admin-cli (if potentially previous test failed)
|
|
community.general.keycloak_client:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
auth_client_id: "admin-cli"
|
|
auth_client_secret: "{{ client_secret }}"
|
|
client_id: "admin-cli"
|
|
secret: "{{ client_secret }}"
|
|
public_client: true
|
|
state: present
|
|
|
|
- name: Create realm
|
|
community.general.keycloak_realm:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
id: "{{ realm }}"
|
|
realm: "{{ realm }}"
|
|
state: present
|
|
|
|
- name: Create client
|
|
community.general.keycloak_client:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
client_id: "{{ client_id }}"
|
|
state: present
|
|
register: client
|
|
|
|
- name: Create new realm role with username/password authentication
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Remove created realm role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Get Keycloak token
|
|
ansible.builtin.uri:
|
|
url: "{{ url }}/realms/{{ admin_realm }}/protocol/openid-connect/token"
|
|
method: POST
|
|
return_content: true
|
|
status_code: 200
|
|
body_format: form-urlencoded
|
|
body:
|
|
grant_type: "password"
|
|
client_id: "admin-cli"
|
|
username: "{{ admin_user }}"
|
|
password: "{{ admin_password }}"
|
|
register: token_response
|
|
|
|
- name: Extract tokens
|
|
ansible.builtin.set_fact:
|
|
access_token: "{{ token_response.json | json_query('access_token') }}"
|
|
refresh_token: "{{ token_response.json | json_query('refresh_token') }}"
|
|
|
|
- name: Create new realm role with provided token authentication
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
token: "{{ access_token }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Remove created realm role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Create new realm role with invalid auth token and valid refresh token
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
token: "invalidtoken!!!"
|
|
refresh_token: "{{ refresh_token }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Remove created realm role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Create new realm role with invalid auth token and valid username/password
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
token: "invalidtoken!!!"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Remove created realm role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Create new realm role with invalid auth token, invalid refresh token, and valid username/password
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
token: "invalidtoken!!!"
|
|
refresh_token: "invalidrefreshtoken!!!"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Remove created realm role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: PREPARE - Temporarily disable public login in master admin-cli
|
|
community.general.keycloak_client:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
auth_client_id: "admin-cli"
|
|
auth_client_secret: "{{ client_secret }}"
|
|
client_id: "admin-cli"
|
|
secret: "{{ client_secret }}"
|
|
public_client: false
|
|
service_accounts_enabled: true
|
|
client_authenticator_type: "client-secret"
|
|
state: present
|
|
|
|
- name: PREPARE - Get admin role id
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
auth_client_id: "admin-cli"
|
|
auth_client_secret: "{{ client_secret }}"
|
|
name: "admin"
|
|
register: admin_role
|
|
|
|
- name: PREPARE - Assign admin role to admin-cli in master
|
|
community.general.keycloak_user_rolemapping:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
auth_client_id: "admin-cli"
|
|
auth_client_secret: "{{ client_secret }}"
|
|
realm: "master"
|
|
roles:
|
|
- name: "admin"
|
|
service_account_user_client_id: "admin-cli"
|
|
|
|
- name: Create new realm role with valid client_id and client_secret
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_client_id: "admin-cli"
|
|
auth_client_secret: "{{ client_secret }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
- name: Reset temporarily disabled public login in master admin-cli
|
|
community.general.keycloak_client:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
auth_client_id: "admin-cli"
|
|
auth_client_secret: "{{ client_secret }}"
|
|
client_id: "admin-cli"
|
|
secret: "{{ client_secret }}"
|
|
public_client: true
|
|
state: present
|
|
|
|
- name: Remove created realm role
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "{{ admin_password }}"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
state: absent
|
|
register: result
|
|
|
|
- name: Debug
|
|
debug:
|
|
var: result
|
|
|
|
### Unhappy path tests
|
|
|
|
- name: Fail to create new realm role with invalid username/password
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "invalid_password"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
failed_when: >
|
|
("HTTP Error 401: Unauthorized" not in result.msg)
|
|
|
|
- name: Fail to create new realm role with invalid auth token
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
token: "invalidtoken!!!"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
failed_when: >
|
|
("HTTP Error 401: Unauthorized" not in result.msg)
|
|
|
|
- name: Fail to create new realm role with invalid auth and refresh tokens, and invalid username/password
|
|
community.general.keycloak_role:
|
|
auth_keycloak_url: "{{ url }}"
|
|
auth_realm: "{{ admin_realm }}"
|
|
auth_username: "{{ admin_user }}"
|
|
auth_password: "invalid_password"
|
|
token: "invalidtoken!!!"
|
|
refresh_token: "invalidtoken!!!"
|
|
realm: "{{ realm }}"
|
|
name: "{{ role }}"
|
|
description: "{{ keycloak_role_description }}"
|
|
state: present
|
|
register: result
|
|
failed_when: >
|
|
("HTTP Error 401: Unauthorized" not in result.msg)
|