From bdc1ad8b51433077af2b10c4cfa5542b1a00eb28 Mon Sep 17 00:00:00 2001
From: Guido Grazioli
Date: Tue, 13 Dec 2022 11:20:44 +0100
Subject: [PATCH] Add validation of realm client and id
---
 playbooks/keycloak_federation.yml | 68 ++++++++++++++++++++++
 playbooks/keycloak_realm.yml | 89 ++++++++--------------------
 roles/keycloak/tasks/main.yml | 1 +
 roles/keycloak_realm/README.md | 5 ++
 roles/keycloak_realm/tasks/main.yml | 13 ++++-
 5 files changed, 111 insertions(+), 65 deletions(-)
 create mode 100644 playbooks/keycloak_federation.yml
diff --git a/playbooks/keycloak_federation.yml b/playbooks/keycloak_federation.yml
new file mode 100644
index 0000000..f6de6c1
--- /dev/null
+++ b/playbooks/keycloak_federation.yml
@@ -0,0 +1,68 @@
+---
+- name: Playbook for Keycloak Hosts
+ hosts: all
+ tasks:
+ - name: Keycloak Realm Role
+ ansible.builtin.include_role:
+ name: keycloak_realm
+ vars:
+ keycloak_admin_password: "remembertochangeme"
+ keycloak_realm: TestRealm
+ keycloak_user_federation:
+ - realm: TestRealm
+ name: my-ldap
+ provider_id: ldap
+ provider_type: org.keycloak.storage.UserStorageProvider
+ config:
+ priority: '0'
+ enabled: true
+ cachePolicy: DEFAULT
+ batchSizeForSync: '1000'
+ editMode: READ_ONLY
+ importEnabled: true
+ syncRegistrations: false
+ vendor: other
+ usernameLDAPAttribute: uid
+ rdnLDAPAttribute: uid
+ uuidLDAPAttribute: entryUUID
+ userObjectClasses: inetOrgPerson, organizationalPerson
+ connectionUrl: ldaps://ldap.example.com:636
+ usersDn: ou=Users,dc=example,dc=com
+ authType: simple
+ bindDn: cn=directory reader
+ bindCredential: password
+ searchScope: '1'
+ validatePasswordPolicy: false
+ trustEmail: false
+ useTruststoreSpi: ldapsOnly
+ connectionPooling: true
+ pagination: true
+ allowKerberosAuthentication: false
+ debug: false
+ useKerberosForPasswordAuthentication: false
+ mappers:
+ - name: "full name"
+ providerId: "full-name-ldap-mapper"
+ providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+ config:
+ ldap.full.name.attribute: cn
+ read.only: true
+ write.only: false
+ keycloak_clients:
+ - name: TestClient1
+ client_id: TestClient1
+ roles:
+ - TestClient1Admin
+ - TestClient1User
+ realm: "{{ keycloak_realm }}"
+ public_client: True
+ web_origins:
+ - http://testclient1origin/application
+ - http://testclient1origin/other
+ users:
+ - username: TestUser
+ password: password
+ client_roles:
+ - client: TestClient1
+ role: TestClient1User
+ realm: "{{ keycloak_realm }}"
diff --git a/playbooks/keycloak_realm.yml b/playbooks/keycloak_realm.yml
index baeb2f2..1efc4f7 100644
--- a/playbooks/keycloak_realm.yml
+++ b/playbooks/keycloak_realm.yml
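Review bot: The new playbook commits plaintext credentials as plain scalars: `keycloak_admin_password: "remembertochangeme"`, the LDAP `bindCredential: password`, and `password: password` for TestUser. If this file is meant to be run rather than read as an example, those values should come from a vaulted variable or a lookup, e.g. `bindCredential: "{{ ldap_bind_password }}"`, so that a real bind secret never lands in git history. `ansible.builtin.include_role: name: keycloak_realm` references the role by short name with neither a `collections:` keyword nor an FQCN, so it resolves only if the collection's `roles/` directory happens to be on the roles path; the removed version of keycloak_realm.yml used `middleware_automation.keycloak.keycloak_realm`, which is the unambiguous form. `public_client: True` should be the canonical lowercase `true`.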
@@ -1,67 +1,28 @@ --- - name: Playbook for Keycloak Hosts hosts: all - tasks: - - name: Keycloak Realm Role - ansible.builtin.include_role: - name: middleware_automation.keycloak.keycloak_realm - vars: - keycloak_admin_password: "remembertochangeme" - keycloak_realm: TestRealm - keycloak_user_federation: - - realm: TestRealm - name: my-ldap - provider_id: ldap - provider_type: org.keycloak.storage.UserStorageProvider - config: - priority: '0' - enabled: true - cachePolicy: DEFAULT - batchSizeForSync: '1000' - editMode: READ_ONLY - importEnabled: true - syncRegistrations: false - vendor: other - usernameLDAPAttribute: uid - rdnLDAPAttribute: uid - uuidLDAPAttribute: entryUUID - userObjectClasses: inetOrgPerson, organizationalPerson - connectionUrl: ldaps://ldap.example.com:636 - usersDn: ou=Users,dc=example,dc=com - authType: simple - bindDn: cn=directory reader - bindCredential: password - searchScope: '1' - validatePasswordPolicy: false - trustEmail: false - useTruststoreSpi: ldapsOnly - connectionPooling: true - pagination: true - allowKerberosAuthentication: false - debug: false - useKerberosForPasswordAuthentication: false - mappers: - - name: "full name" - providerId: "full-name-ldap-mapper" - providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" - config: - ldap.full.name.attribute: cn - read.only: true - write.only: false - keycloak_clients: - - name: TestClient1 - roles: - - TestClient1Admin - - TestClient1User - realm: "{{ keycloak_realm }}" - public_client: True - web_origins: - - http://testclient1origin/application - - http://testclient1origin/other - users: - - username: TestUser - password: password - client_roles: - - client: TestClient1 - role: TestClient1User - realm: "{{ keycloak_realm }}" + vars: + keycloak_admin_password: "remembertochangeme" + keycloak_realm: TestRealm + keycloak_clients: + - name: TestClient1 + client_id: TestClient1 + roles: + - TestClient1Admin + - TestClient1User + realm: "{{ keycloak_realm }}" + 
public_client: True + web_origins: + - http://testclient1origin/application + - http://testclient1origin/other + users: + - username: TestUser + password: password + client_roles: + - client: TestClient1 + role: TestClient1User + realm: "{{ keycloak_realm }}" + collections: + - middleware_automation.keycloak + roles: + - keycloak_realm diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index b89b401..316c033 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -36,6 +36,7 @@ state: link src: "{{ keycloak_jboss_home }}/standalone/log" dest: /var/log/keycloak + become: yes - name: Set admin credentials and restart if not already created block: diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md index 1a5709c..73d823f 100644 --- a/roles/keycloak_realm/README.md +++ b/roles/keycloak_realm/README.md @@ -71,6 +71,8 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge ```yaml - name: + id: + client_id: roles: realm: public_client: @@ -78,6 +80,9 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge users: ``` +`name` and either `id` or `client_id` are required. + + * `keycloak_client_users`, a list of: ```yaml diff --git a/roles/keycloak_realm/tasks/main.yml b/roles/keycloak_realm/tasks/main.yml index 2554958..1544a1e 100644 --- a/roles/keycloak_realm/tasks/main.yml +++ b/roles/keycloak_realm/tasks/main.yml 
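Review bot: The role is now pulled in by short name, `- keycloak_realm` under `roles:`, relying on the play-level `collections:` keyword, where the removed include_role used the FQCN `middleware_automation.keycloak.keycloak_realm`. The `collections:` keyword only adds a search list, so a same-named role on the configured roles path may shadow the collection role, and ansible-lint's `fqcn` rules flag this pattern. Keep the FQCN, `- middleware_automation.keycloak.keycloak_realm`, and drop the `collections:` block. `public_client: True` should be the canonical lowercase `true`.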
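Review bot: `become: yes` on the `/var/log/keycloak` symlink task uses a YAML 1.1 truthy word; write it as `become: true` to satisfy yamllint/ansible-lint `truthy` and match the `true`/`false` used elsewhere in the collection. Privilege escalation is added only to this one task; if other tasks in the same block also write under `/var/log` or `{{ keycloak_jboss_home }}` they presumably need the same treatment, which cannot be verified from this hunk.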
@@ -53,6 +53,17 @@ loop: "{{ keycloak_user_federation | flatten }}" when: keycloak_user_federation is defined +- name: Validate Keycloak clients + ansible.builtin.assert: + that: + - item.name is defined and item.name | length > 0 + - (item.client_id is defined and item.client_id | length > 0) or (item.id is defined and item.id | length > 0) + fail_msg: "For each keycloak client, attributes `name` and either `id` or `client_id` is required" + quiet: True + loop: "{{ keycloak_clients | flatten }}" + loop_control: + label: "{{ item.name | default('unnamed client') }}" + - name: Create or update a Keycloak client community.general.keycloak_client: auth_client_id: "{{ keycloak_auth_client }}" @@ -97,4 +108,4 @@ loop: "{{ keycloak_clients | flatten }}" loop_control: loop_var: client - when: "'users' in client" \ No newline at end of file + when: "'users' in client"
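Review bot: The new assert loops over `{{ keycloak_clients | flatten }}` with no `when:` guard, while the federation task directly above it is guarded by `when: keycloak_user_federation is defined`; if `keycloak_clients` has no default in the role (defaults/main.yml is not in this patch), a play that only configures federation now fails on this task with an undefined-variable error instead of skipping it. Either guard it the same way, `when: keycloak_clients is defined`, or loop over `{{ keycloak_clients | default([]) | flatten }}`. Two smaller points on the same task: `quiet: True` should be the canonical `quiet: true`, and the fail_msg should read "are required" rather than "is required" since it names two attributes.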