Add validation of realm client and id

2025-04-06 10:50:31 -07:00 · 2022-12-13 11:20:44 +01:00 · 2022-12-13 11:20:44 +01:00 · bdc1ad8b51
commit bdc1ad8b51
parent db111aaf3a
5 changed files with 111 additions and 65 deletions
--- a/playbooks/keycloak_federation.yml
+++ b/playbooks/keycloak_federation.yml
@ -0,0 +1,68 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_user_federation:
+          - realm: TestRealm
+            name: my-ldap
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            config:
+              priority: '0'
+              enabled: true
+              cachePolicy: DEFAULT
+              batchSizeForSync: '1000'
+              editMode: READ_ONLY
+              importEnabled: true
+              syncRegistrations: false
+              vendor: other
+              usernameLDAPAttribute: uid
+              rdnLDAPAttribute: uid
+              uuidLDAPAttribute: entryUUID
+              userObjectClasses: inetOrgPerson, organizationalPerson
+              connectionUrl: ldaps://ldap.example.com:636
+              usersDn: ou=Users,dc=example,dc=com
+              authType: simple
+              bindDn: cn=directory reader
+              bindCredential: password
+              searchScope: '1'
+              validatePasswordPolicy: false
+              trustEmail: false
+              useTruststoreSpi: ldapsOnly
+              connectionPooling: true
+              pagination: true
+              allowKerberosAuthentication: false
+              debug: false
+              useKerberosForPasswordAuthentication: false
+            mappers:
+              - name: "full name"
+                providerId: "full-name-ldap-mapper"
+                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+                config:
+                  ldap.full.name.attribute: cn
+                  read.only: true
+                  write.only: false
+        keycloak_clients:
+          - name: TestClient1
+            client_id: TestClient1
+            roles:
+              - TestClient1Admin
+              - TestClient1User
+            realm: "{{ keycloak_realm }}"
+            public_client: True
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users:
+            - username: TestUser
+              password: password
+              client_roles:
+                - client: TestClient1
+                  role: TestClient1User
+                  realm: "{{ keycloak_realm }}"
--- a/playbooks/keycloak_realm.yml
+++ b/playbooks/keycloak_realm.yml
@ -1,55 +1,12 @@
 ---
 - name: Playbook for Keycloak Hosts
  hosts: all
-  tasks:
-    - name: Keycloak Realm Role
-      ansible.builtin.include_role:
-        name: middleware_automation.keycloak.keycloak_realm
  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_realm: TestRealm
-        keycloak_user_federation:
-          - realm: TestRealm
-            name: my-ldap
-            provider_id: ldap
-            provider_type: org.keycloak.storage.UserStorageProvider
-            config:
-              priority: '0'
-              enabled: true
-              cachePolicy: DEFAULT
-              batchSizeForSync: '1000'
-              editMode: READ_ONLY
-              importEnabled: true
-              syncRegistrations: false
-              vendor: other
-              usernameLDAPAttribute: uid
-              rdnLDAPAttribute: uid
-              uuidLDAPAttribute: entryUUID
-              userObjectClasses: inetOrgPerson, organizationalPerson
-              connectionUrl: ldaps://ldap.example.com:636
-              usersDn: ou=Users,dc=example,dc=com
-              authType: simple
-              bindDn: cn=directory reader
-              bindCredential: password
-              searchScope: '1'
-              validatePasswordPolicy: false
-              trustEmail: false
-              useTruststoreSpi: ldapsOnly
-              connectionPooling: true
-              pagination: true
-              allowKerberosAuthentication: false
-              debug: false
-              useKerberosForPasswordAuthentication: false
-            mappers:
-              - name: "full name"
-                providerId: "full-name-ldap-mapper"
-                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-                config:
-                  ldap.full.name.attribute: cn
-                  read.only: true
-                  write.only: false
    keycloak_clients:
      - name: TestClient1
+        client_id: TestClient1
        roles:
          - TestClient1Admin
          - TestClient1User
@ -65,3 +22,7 @@
            - client: TestClient1
              role: TestClient1User
              realm: "{{ keycloak_realm }}"
+  collections:
+    - middleware_automation.keycloak  
+  roles:
+    - keycloak_realm
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -36,6 +36,7 @@
    state: link
    src: "{{ keycloak_jboss_home }}/standalone/log"
    dest: /var/log/keycloak
+  become: yes

 - name: Set admin credentials and restart if not already created
  block:
--- a/roles/keycloak_realm/README.md
+++ b/roles/keycloak_realm/README.md
@ -71,6 +71,8 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge

 ```yaml
    - name: <name of the client>
+      id: <id of the client>
+      client_id: <id of the client>
      roles: <keycloak_client_default_roles>
      realm: <name of the realm that contains the client>
      public_client: <true for public, false for confidential>
@ -78,6 +80,9 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
      users: <keycloak_client_users>
 ```

+`name` and either `id` or `client_id` are required.
+
+
 * `keycloak_client_users`, a list of:

 ```yaml
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@ -53,6 +53,17 @@
  loop: "{{ keycloak_user_federation | flatten }}"
  when: keycloak_user_federation is defined

+- name: Validate Keycloak clients
+  ansible.builtin.assert:
+    that:
+      - item.name is defined and item.name | length > 0
+      - (item.client_id is defined and item.client_id | length > 0) or (item.id is defined and item.id | length > 0)
+    fail_msg: "For each keycloak client, attributes `name` and either `id` or `client_id` is required"
+    quiet: True
+  loop: "{{ keycloak_clients | flatten }}"
+  loop_control:
+    label: "{{ item.name | default('unnamed client') }}"
+
 - name: Create or update a Keycloak client
  community.general.keycloak_client:
    auth_client_id: "{{ keycloak_auth_client }}"