Extract new keycloak_realm role out of keycloak

2025-07-30 00:21:36 -07:00 · 2021-12-22 10:05:48 +01:00 · 2021-12-22 10:05:48 +01:00 · 702d09c731
commit 702d09c731
parent 1ded0a1cfe
13 changed files with 197 additions and 15 deletions
--- a/roles/keycloak/tasks/manage_client_roles.yml
+++ b/roles/keycloak/tasks/manage_client_roles.yml
@ -1,12 +0,0 @@
- name: Create client roles
-  community.general.keycloak_role:
-    name: "{{ item }}"
-    realm: "{{ client.realm }}"
-    client_id: "{{ client.name }}"
-    auth_client_id: "{{ keycloak_auth_client }}"
-    auth_keycloak_url: "{{ keycloak_url }}/auth"
-    auth_realm: "{{ keycloak_auth_realm }}"
-    auth_username: "{{ keycloak_admin_user }}"
-    auth_password: "{{ keycloak_admin_password }}"
-    state: present
-  loop: "{{ client.roles | flatten }}"
--- a/roles/keycloak/tasks/manage_realm.yml
+++ b/roles/keycloak/tasks/manage_realm.yml
@ -1,73 +0,0 @@
---
- name: Generate keycloak auth token
-  uri:
-    url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
-    method: POST
-    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
-    validate_certs: no
-  register: keycloak_auth_response
-  until: keycloak_auth_response.status == 200
-  retries: 5
-  delay: 2
-
- name: "Determine if realm exists"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
-    method: GET
-    status_code:
-      - 200
-      - 404
-    headers:
-      Accept: "application/json"
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: keycloak_realm_exists
-
- name: Create Realm
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms"
-    method: POST
-    body: "{{ lookup('template','realm.json.j2') }}"
-    validate_certs: no
-    body_format: json
-    headers:
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-    status_code: 201
-  when: keycloak_realm_exists.status == 404
-
- name: Create Client
-  community.general.keycloak_client:
-    auth_client_id: "{{ keycloak_auth_client }}"
-    auth_keycloak_url: "{{ keycloak_url }}/auth"
-    auth_realm: "{{ keycloak_auth_realm }}"
-    auth_username: "{{ keycloak_admin_user }}"
-    auth_password: "{{ keycloak_admin_password }}"
-    client_id: "{{ item.name }}"
-    realm: "{{ item.realm }}"
-    default_roles: "{{ item.roles | default(omit) }}"
-    root_url: "{{ item.root_url | default('') }}"
-    redirect_uris: "{{ demo_app_redirect_uris | default([]) }}"
-    public_client: "{{ item.public_client | default(False) }}"
-    web_origins: "{{ item.web_origins | default('+') }}"
-    state: present
-  register: create_client_result
-  loop: "{{ keycloak_clients | flatten }}"
-
- name: Create client roles
-  include_tasks: manage_client_roles.yml
-  when: keycloak_rhsso_enable
-  loop: "{{ keycloak_clients | flatten }}"
-  loop_control:
-    loop_var: client
-
- name: Manage Users
-  include_tasks: manage_user.yml
-  loop: "{{ keycloak_users }}"
-  loop_control:
-    loop_var: user
-
- name: Manage User Roles
-  include_tasks: manage_user_roles.yml
-  loop: "{{ keycloak_users | flatten }}"
-  loop_control:
-    loop_var: user
-  when: "'client_roles' in user"
--- a/roles/keycloak/tasks/manage_user.yml
+++ b/roles/keycloak/tasks/manage_user.yml
@ -1,51 +0,0 @@
---
- name: "Check if User Already Exists"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
-    validate_certs: no
-    headers:
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: keycloak_user_serach_result
-
- name: "Create User"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
-    method: POST
-    body:
-      enabled: true
-      attributes: "{{ user.attributes | default(omit) }}"
-      username: "{{ user.username }}"
-      email: "{{ user.email | default(omit) }}"
-      firstName: "{{ user.firstName | default(omit) }}"
-      lastName: "{{ user.lastName | default(omit) }}"
-    validate_certs: no
-    body_format: json
-    headers:
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-    status_code: 201
-  when: keycloak_user_serach_result.json | length == 0
-
- name: "Get User"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
-    validate_certs: no
-    headers:
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: keycloak_user
-
- name: "Update User Password"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
-    method: PUT
-    body:
-      type: password
-      temporary: false
-      value: "{{ user.password }}"
-    validate_certs: no
-    body_format: json
-    status_code:
-      - 200
-      - 204
-    headers:
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: keycloak_user
--- a/roles/keycloak/tasks/manage_user_client_roles.yml
+++ b/roles/keycloak/tasks/manage_user_client_roles.yml
@ -1,40 +0,0 @@
---
- name: "Get Realm for role"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
-    method: GET
-    status_code:
-      - 200
-    headers:
-      Accept: "application/json"
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: client_role_realm
-
- name: Check if Mapping is available
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
-    method: GET
-    status_code:
-      - 200
-    headers:
-      Accept: "application/json"
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: client_role_user_available
-
- name: "Create Role Mapping"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
-    method: POST
-    body:
-      - id: "{{ item.id }}"
-        clientRole: "{{ item.clientRole }}"
-        containerId: "{{ item.containerId }}"
-        name: "{{ item.name }}"
-        composite: "{{ item.composite }}"
-    validate_certs: False
-    body_format: json
-    headers:
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-    status_code: 204
-  loop: "{{ client_role_user_available.json | flatten }}"
-  when: item.name == client_role.role
--- a/roles/keycloak/tasks/manage_user_roles.yml
+++ b/roles/keycloak/tasks/manage_user_roles.yml
@ -1,26 +0,0 @@
---
-
- name: "Get User {{ user.username }}"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
-    headers:
-      validate_certs: no
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: keycloak_user
-
- name: Refresh keycloak auth token
-  uri:
-    url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
-    method: POST
-    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
-    validate_certs: no
-  register: keycloak_auth_response
-  until: keycloak_auth_response.status == 200
-  retries: 5
-  delay: 2
-
- name: "Manage Client Role Mapping for {{ user.username }}"
-  include_tasks: manage_user_client_roles.yml
-  loop: "{{ user.client_roles | flatten }}"
-  loop_control:
-    loop_var: client_role