	Merge pull request #225 from world-direct/feature/224_policy_files
#224: keycloak_quarkus: Add support for policy files
				commit
				
					
						1b69191a6e
					
				
			
		
					 6 changed files with 64 additions and 0 deletions
				
			
		|  | @ -31,6 +31,12 @@ | |||
|             value: 10 | ||||
|       - id: spid-saml | ||||
|         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar | ||||
|     keycloak_quarkus_policies: | ||||
|       - name: "xato-net-10-million-passwords.txt" | ||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt" | ||||
|       - name: "xato-net-10-million-passwords-10.txt" | ||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt" | ||||
|         type: password-blacklists | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|     - role: keycloak_realm | ||||
|  |  | |||
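Review bot: Both policy URLs in the new `keycloak_quarkus_policies` example point at `raw/master` of a third-party repository, so the installed blacklist silently changes whenever that branch moves and the play is re-run; pinning the URL path to a commit SHA or release tag keeps the example reproducible and makes a later integrity check meaningful. The first entry omits `type` while the second sets `type: password-blacklists`; since the role documents `password-blacklists` as the default, setting it on both or on neither avoids the impression that the two entries are handled differently. The enclosing playbook `vars` block starts before this hunk.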
|  | @ -176,6 +176,22 @@ bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-cl | |||
| ``` | ||||
| 
 | ||||
| 
 | ||||
| #### Configuring policies | ||||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_policies`| List of policy definitions; see below | `[]` | | ||||
| 
 | ||||
| Provider definition: | ||||
| 
 | ||||
| ```yaml | ||||
| keycloak_quarkus_policies: | ||||
|   - name: xato-net-10-million-passwords.txt                                                                # required, resulting file name | ||||
|     url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download | ||||
|     type: password-blacklists                                                                              # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] | ||||
| ``` | ||||
| 
 | ||||
| 
 | ||||
| Role Variables | ||||
| -------------- | ||||
| 
 | ||||
|  |  | |||
|  | @ -150,3 +150,5 @@ keycloak_quarkus_ks_vault_type: PKCS12 | |||
| keycloak_quarkus_ks_vault_pass: | ||||
| 
 | ||||
| keycloak_quarkus_providers: [] | ||||
| keycloak_quarkus_policies: [] | ||||
| keycloak_quarkus_supported_policy_types: ['password-blacklists'] | ||||
|  |  | |||
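Review bot: `keycloak_quarkus_supported_policy_types` is added to role defaults, so any playbook can override it with arbitrary strings, and the tasks that create `data/<type>` directories and validate `type` will accept them even though the README lists `password-blacklists` as the only supported value. The name reads as an internal constant rather than a tunable; moving it to `vars/main.yml`, or adding a comment such as `# internal: directory names Keycloak reads policy files from; not meant to be overridden`, makes that explicit. It should stay a list so the `| first` default used in the install task keeps working.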
|  | @ -394,6 +394,14 @@ argument_specs: | |||
|                 description: "List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'default': bool, 'properties': list of key/value }" | ||||
|                 default: [] | ||||
|                 type: "list" | ||||
|             keycloak_quarkus_supported_policy_types: | ||||
|                 description: "List of str of supported policy types" | ||||
|                 default: ['password-blacklists'] | ||||
|                 type: "list" | ||||
|             keycloak_quarkus_policies: | ||||
|                 description: "List of policy definition dicts: { 'name': str, 'url': str, 'type': str }" | ||||
|                 default: [] | ||||
|                 type: "list" | ||||
|             keycloak_quarkus_jdbc_download_url: | ||||
|                 description: "Override the default Maven Central download URL for the JDBC driver" | ||||
|                 type: "str" | ||||
|  |  | |||
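Review bot: The new `keycloak_quarkus_policies` spec declares only `type: "list"`, so argument validation accepts a list of plain strings and the shape check is deferred to the later assert task; adding `elements: "dict"` with an `options:` mapping for `name` (required, `str`), `url` (required, `str`) and `type` (`str`, `choices: ['password-blacklists']`) would reject malformed entries at role entry with a clearer message. `keycloak_quarkus_supported_policy_types` could likewise declare `elements: "str"`. The `argument_specs` mapping continues on both sides of this hunk.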
|  | @ -226,3 +226,25 @@ | |||
|   loop: "{{ keycloak_quarkus_providers }}" | ||||
|   when: item.url is defined and item.url | length > 0 | ||||
|   notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}" | ||||
| 
 | ||||
| - name: Ensure required folder structure for policies exits | ||||
|   ansible.builtin.file: | ||||
|     path: "{{ keycloak.home }}/data/{{ item | lower }}" | ||||
|     state: directory | ||||
|     owner: "{{ keycloak.service_user }}" | ||||
|     group: "{{ keycloak.service_group }}" | ||||
|     mode: '0750' | ||||
|   become: true | ||||
|   loop: "{{ keycloak_quarkus_supported_policy_types }}" | ||||
| 
 | ||||
| - name: "Install custom policies" | ||||
|   ansible.builtin.get_url: | ||||
|     url: "{{ item.url }}" | ||||
|     dest: "{{ keycloak.home }}/data/{{ item.type|default(keycloak_quarkus_supported_policy_types | first) | lower }}/{{ item.name }}" | ||||
|     owner: "{{ keycloak.service_user }}" | ||||
|     group: "{{ keycloak.service_group }}" | ||||
|     mode: '0640' | ||||
|   become: true | ||||
|   loop: "{{ keycloak_quarkus_policies }}" | ||||
|   when: item.url is defined and item.url | length > 0 | ||||
|   notify: "restart keycloak" | ||||
|  |  | |||
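Review bot: The `Install custom policies` task interpolates `item.name` straight into `dest` under `{{ keycloak.home }}/data/<type>/` while running as root (`become: true`), and nothing in this change rejects path separators, so a name like `../../conf/keycloak.conf` would be written outside the policy directory; either check `item.name | basename == item.name` in the validation task or use `{{ item.name | basename }}` in `dest`. The download also has no integrity check, and the example URLs point at a mutable branch: `get_url` supports a `checksum` parameter, so `checksum: "{{ item.checksum | default(omit) }}"` would let playbooks pin what they install without changing the interface for callers that do not set it. The first task's name reads "exits" where "exists" is meant.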
|  | @ -65,3 +65,13 @@ | |||
|     quiet: true | ||||
|     fail_msg: "Providers definition is incorrect; `id` and one of `spi` or `url` are mandatory. `key` and `value` are mandatory for each property" | ||||
|   loop: "{{ keycloak_quarkus_providers }}" | ||||
| 
 | ||||
| - name: "Validate policies" | ||||
|   ansible.builtin.assert: | ||||
|     that: | ||||
|       - item.name is defined and item.name | length > 0 | ||||
|       - item.url is defined and item.url | length > 0 | ||||
|       - item.type is not defined or item.type | lower in keycloak_quarkus_supported_policy_types | ||||
|     quiet: true | ||||
|     fail_msg: "Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}." | ||||
|   loop: "{{ keycloak_quarkus_policies }}" | ||||
|  |  | |||
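Review bot: The assert verifies that `name` is non-empty but not that it is a bare file name, while the install task builds a filesystem path from it; adding `- item.name | basename == item.name` to `that:` closes that gap before anything is written to disk. The `fail_msg` also carries a leftover from the providers message — "`name` and one of `url` are mandatory" — and should read "`name` and `url` are mandatory". The `type` comparison lowercases the value, matching the `| lower` applied in the install task's `dest`, so those two stay consistent.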