Extract new keycloak_realm role out of keycloak

2025-07-29 16:11:34 -07:00 · 2021-12-22 10:05:48 +01:00 · 2021-12-22 10:05:48 +01:00 · 702d09c731
commit 702d09c731
parent 1ded0a1cfe
13 changed files with 197 additions and 15 deletions
--- a/roles/keycloak_realm/README.md
+++ b/roles/keycloak_realm/README.md
@ -0,0 +1,59 @@
+keycloak_realm
+==============
+
+Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
+
+
+Role Defaults
+-------------
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_admin_user`| Administration console user account | `admin` |
+
+Role Variables
+--------------
+
+The following are a set of _required_ variables for the role:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_admin_password`| Password for the administration console user account |
+
+
+The following variables are _required_ only when keycloak_ha_enabled is True:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+
+
+
+Example Playbook
+----------------
+
+The following is an example playbook that makes use of the role to install keycloak
+
+```yaml
+---
+- hosts: ...
+      collections:
+        - middleware_automation.keycloak
+      tasks:
+        - name: Include keycloak role
+          include_role:
+            name: keycloak_realm
+          vars:
+            keycloak_admin_password: "changeme"
+```
+
+License
+-------
+
+Apache License 2.0
+
+
+Author Information
+------------------
+
+* [Guido Grazioli](https://github.com/guidograzioli)
+* [Romain Pelisse](https://github.com/rpelisse)
--- a/roles/keycloak_realm/defaults/main.yml
+++ b/roles/keycloak_realm/defaults/main.yml
@ -0,0 +1,44 @@
+---
+### Keycloak configuration settings
+keycloak_host: localhost
+keycloak_http_port: 8080
+keycloak_https_port: 8443
+
+### Keycloak administration console user
+keycloak_admin_user: admin
+keycloak_auth_realm: master
+keycloak_auth_client: admin-cli
+
+### Keycloak realm client defaults
+# list of clients to create in the realm
+#
+# Refer to the playbook for a comprehensive example.
+#
+# Each client has the form:
+#    { name: '', roles: [], realm: '', public_client: bool, web_origins: '', users: [] }
+# where roles is a list of default role names for the client
+# and users is a list of account, see below for the format definition
+# an empty name will skip the creation of the client
+keycloak_clients:
+  - name: ''
+    roles: "{{ keycloak_client_default_roles }}"
+    realm: "{{ keycloak_realm }}"
+    public_client: "{{ keycloak_client_public }}"
+    web_origins: "{{ keycloak_client_web_origins }}"
+    users: "{{ keycloak_client_users }}"
+
+# list of roles to create in the client
+keycloak_client_default_roles: []
+
+# if True, create a public client; otherwise, a confidetial client
+keycloak_client_public: True
+
+# allowed web origins for the client
+keycloak_client_web_origins: '+'
+
+# list of user and role mappings to create in the client
+# Each user has the form:
+#    { username: '', password: '', email: '', firstName: '', lastName: '', client_roles: [] }
+# where each client_role has the form:
+#    { client: '', role: '', realm: '' }
+keycloak_client_users: []
--- a/roles/keycloak_realm/meta/main.yml
+++ b/roles/keycloak_realm/meta/main.yml
@ -0,0 +1 @@
+---
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@ -0,0 +1,67 @@
+---
+- name: Generate keycloak auth token
+  uri:
+    url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
+    method: POST
+    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
+    validate_certs: no
+  register: keycloak_auth_response
+  until: keycloak_auth_response.status == 200
+  retries: 5
+  delay: 2
+
+- name: "Determine if realm exists"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
+    method: GET
+    status_code:
+      - 200
+      - 404
+    headers:
+      Accept: "application/json"
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: keycloak_realm_exists
+
+- name: Create Realm
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms"
+    method: POST
+    body: "{{ lookup('template','realm.json.j2') }}"
+    validate_certs: no
+    body_format: json
+    headers:
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+    status_code: 201
+  when: keycloak_realm_exists.status == 404
+
+- name: Create Client
+  community.general.keycloak_client:
+    auth_client_id: "{{ keycloak_auth_client }}"
+    auth_keycloak_url: "{{ keycloak_url }}/auth"
+    auth_realm: "{{ keycloak_auth_realm }}"
+    auth_username: "{{ keycloak_admin_user }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    client_id: "{{ item.name }}"
+    realm: "{{ item.realm }}"
+    default_roles: "{{ item.roles | default(omit) }}"
+    root_url: "{{ item.root_url | default('') }}"
+    redirect_uris: "{{ demo_app_redirect_uris | default([]) }}"
+    public_client: "{{ item.public_client | default(False) }}"
+    web_origins: "{{ item.web_origins | default('+') }}"
+    state: present
+  register: create_client_result
+  loop: "{{ keycloak_clients | flatten }}"
+  when: item.name|length > 0
+
+- name: Create client roles
+  include_tasks: manage_client_roles.yml
+  when: keycloak_rhsso_enable
+  loop: "{{ keycloak_clients | flatten }}"
+  loop_control:
+    loop_var: client
+
+- name: Create client users
+  include_tasks: manage_client_users.yml
+  loop: "{{ keycloak_clients | flatten }}"
+  loop_control:
+    loop_var: client
--- a/roles/keycloak_realm/tasks/manage_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_client_roles.yml
@ -0,0 +1,12 @@
+- name: Create client roles
+  community.general.keycloak_role:
+    name: "{{ item }}"
+    realm: "{{ client.realm }}"
+    client_id: "{{ client.name }}"
+    auth_client_id: "{{ keycloak_auth_client }}"
+    auth_keycloak_url: "{{ keycloak_url }}/auth"
+    auth_realm: "{{ keycloak_auth_realm }}"
+    auth_username: "{{ keycloak_admin_user }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    state: present
+  loop: "{{ client.roles | flatten }}"
--- a/roles/keycloak_realm/tasks/manage_client_users.yml
+++ b/roles/keycloak_realm/tasks/manage_client_users.yml
@ -0,0 +1,13 @@
+---
+- name: Manage Users
+  include_tasks: manage_user.yml
+  loop: "{{ client.users | flatten }}"
+  loop_control:
+    loop_var: user
+
+- name: Manage User Roles
+  include_tasks: manage_user_roles.yml
+  loop: "{{ client.users | flatten }}"
+  loop_control:
+    loop_var: user
+  when: "'client_roles' in user"
--- a/roles/keycloak_realm/tasks/manage_user.yml
+++ b/roles/keycloak_realm/tasks/manage_user.yml
@ -0,0 +1,51 @@
+---
+- name: "Check if User Already Exists"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
+    validate_certs: no
+    headers:
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: keycloak_user_search_result
+
+- name: "Create User"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
+    method: POST
+    body:
+      enabled: true
+      attributes: "{{ user.attributes | default(omit) }}"
+      username: "{{ user.username }}"
+      email: "{{ user.email | default(omit) }}"
+      firstName: "{{ user.firstName | default(omit) }}"
+      lastName: "{{ user.lastName | default(omit) }}"
+    validate_certs: no
+    body_format: json
+    headers:
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+    status_code: 201
+  when: keycloak_user_search_result.json | length == 0
+
+- name: "Get User"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
+    validate_certs: no
+    headers:
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: keycloak_user
+
+- name: "Update User Password"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
+    method: PUT
+    body:
+      type: password
+      temporary: false
+      value: "{{ user.password }}"
+    validate_certs: no
+    body_format: json
+    status_code:
+      - 200
+      - 204
+    headers:
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: keycloak_user
--- a/roles/keycloak_realm/tasks/manage_user_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_user_client_roles.yml
@ -0,0 +1,40 @@
+---
+- name: "Get Realm for role"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
+    method: GET
+    status_code:
+      - 200
+    headers:
+      Accept: "application/json"
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: client_role_realm
+
+- name: Check if Mapping is available
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
+    method: GET
+    status_code:
+      - 200
+    headers:
+      Accept: "application/json"
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: client_role_user_available
+
+- name: "Create Role Mapping"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
+    method: POST
+    body:
+      - id: "{{ item.id }}"
+        clientRole: "{{ item.clientRole }}"
+        containerId: "{{ item.containerId }}"
+        name: "{{ item.name }}"
+        composite: "{{ item.composite }}"
+    validate_certs: False
+    body_format: json
+    headers:
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+    status_code: 204
+  loop: "{{ client_role_user_available.json | flatten }}"
+  when: item.name == client_role.role
--- a/roles/keycloak_realm/tasks/manage_user_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_user_roles.yml
@ -0,0 +1,26 @@
+---
+
+- name: "Get User {{ user.username }}"
+  uri:
+    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
+    headers:
+      validate_certs: no
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: keycloak_user
+
+- name: Refresh keycloak auth token
+  uri:
+    url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
+    method: POST
+    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
+    validate_certs: no
+  register: keycloak_auth_response
+  until: keycloak_auth_response.status == 200
+  retries: 5
+  delay: 2
+
+- name: "Manage Client Role Mapping for {{ user.username }}"
+  include_tasks: manage_user_client_roles.yml
+  loop: "{{ user.client_roles | flatten }}"
+  loop_control:
+    loop_var: client_role
--- a/roles/keycloak_realm/templates/realm.json.j2
+++ b/roles/keycloak_realm/templates/realm.json.j2
@ -0,0 +1,7 @@
+{
+  "id": "{{ keycloak_realm }}",
+  "realm": "{{ keycloak_realm }}",
+  "enabled": true,
+  "eventsEnabled": true,
+  "eventsExpiration": 7200
+}
--- a/roles/keycloak_realm/vars/main.yml
+++ b/roles/keycloak_realm/vars/main.yml
@ -0,0 +1,16 @@
+---
+# vars file for keycloak_realm
+
+# administrator console password, this is a required variable
+keycloak_admin_password:
+
+# name of the realm to create, this is a required variable
+keycloak_realm:
+
+# keycloak realm clients, this is a required variable
+keycloak_clients:
+
+# other settings
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"