From a67081a68d413c4bd7d7762534633468a0b07976 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Thu, 24 Mar 2022 17:44:13 +0100 Subject: [PATCH 1/3] move admin pwd param from vars to defaults, add assert --- roles/keycloak/defaults/main.yml | 3 +++ roles/keycloak/meta/main.yml | 6 ++++-- roles/keycloak/tasks/firewalld.yml | 2 +- roles/keycloak/tasks/prereqs.yml | 10 +++++++++- roles/keycloak/vars/main.yml | 4 ---- 5 files changed, 17 insertions(+), 8 deletions(-) diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index ebbaa05..ad1b2c6 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -32,6 +32,9 @@ keycloak_service_group: keycloak keycloak_service_pidfile: "/run/keycloak.pid" keycloak_configure_firewalld: False +### administrator console password +keycloak_admin_password: '' + ### Common configuration settings keycloak_bind_address: 0.0.0.0 keycloak_host: localhost diff --git a/roles/keycloak/meta/main.yml b/roles/keycloak/meta/main.yml index 8f5bc1e..4760762 100644 --- a/roles/keycloak/meta/main.yml +++ b/roles/keycloak/meta/main.yml @@ -23,5 +23,7 @@ galaxy_info: - keycloak - redhat - rhel - - rhn - - sso \ No newline at end of file + - sso + - authentication + - identity + - security diff --git a/roles/keycloak/tasks/firewalld.yml b/roles/keycloak/tasks/firewalld.yml index 15f91cb..58a6cac 100644 --- a/roles/keycloak/tasks/firewalld.yml +++ b/roles/keycloak/tasks/firewalld.yml @@ -1,5 +1,5 @@ --- -- name: Ensures required package firewalld are installed +- name: Ensure required package firewalld are installed ansible.builtin.include_tasks: fastpackages.yml vars: packages_list: diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml index 77e8364..5d685be 100644 --- a/roles/keycloak/tasks/prereqs.yml +++ b/roles/keycloak/tasks/prereqs.yml 
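Review bot: In the roles/keycloak/defaults/main.yml hunk the new `keycloak_admin_password: ''` carries only `### administrator console password`, which does not tell a reader that the empty default is deliberately invalid and is rejected at runtime by the assert added in roles/keycloak/tasks/prereqs.yml. Since defaults/main.yml is the file role users consult for settable variables, the comment should state the contract, e.g. `### administrator console password (required: the empty default fails the length check in tasks/prereqs.yml)`. The remaining hunks on this line (meta tags, task-name wording) raise nothing.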
@@ -1,4 +1,12 @@
 ---
+- name: Validate admin console password
+ ansible.builtin.assert:
+ that:
+ - keycloak_admin_password | length > 12
+ quiet: True
+ fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 16+ char long string"
+ success_msg: "{{ 'Console administrator password OK' }}"
+
 - name: Validate configuration
 ansible.builtin.assert:
 that:
@@ -16,7 +24,7 @@
 fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
 success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
 
-- name: Ensures required packages are installed
+- name: Ensure required packages are installed
 ansible.builtin.include_tasks: fastpackages.yml
 vars:
 packages_list:
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index ff7456a..437eac0 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -1,8 +1,4 @@
 ---
-# required variables for keycloak
-# administrator console password
-keycloak_admin_password:
-
 # internal variables below
 rhsso_rhn_ids:
 '7.5.0':
From d854791183b3af5a9db1a6a503e297440eb2baa0 Mon Sep 17 00:00:00 2001
From: Guido Grazioli
Date: Thu, 24 Mar 2022 18:07:33 +0100
Subject: [PATCH 2/3] set admin pass to valid length

---
 playbooks/keycloak_realm.yml | 2 +-
 playbooks/rhsso.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/playbooks/keycloak_realm.yml b/playbooks/keycloak_realm.yml
index e7d0259..8bc1962 100644
--- a/playbooks/keycloak_realm.yml
+++ b/playbooks/keycloak_realm.yml
@@ -6,7 +6,7 @@
 ansible.builtin.include_role:
 name: middleware_automation.keycloak.keycloak_realm
 vars:
- keycloak_admin_password: "changeme"
+ keycloak_admin_password: "remembertochangeme"
 keycloak_realm: TestRealm
 keycloak_user_federation:
 - realm: TestRealm
diff --git a/playbooks/rhsso.yml b/playbooks/rhsso.yml
index 13f4ce6..ba30a74 100644
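Review bot: In the new "Validate admin console password" task the check and its message disagree: `- keycloak_admin_password | length > 12` accepts any 13-character value, while `fail_msg` tells the user to supply a "16+ char long string", so someone following the message and someone reading the task get different rules. Align them one way or the other, e.g. `- keycloak_admin_password | length >= 16`, or reword the message to say more than 12 characters. Two smaller points of style in the same task: `quiet: True` is better written as the canonical `quiet: true`, and `success_msg: "{{ 'Console administrator password OK' }}"` wraps a constant in a Jinja expression for no effect, so `success_msg: "Console administrator password OK"` is equivalent and clearer.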
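Review bot: In the playbooks/keycloak_realm.yml hunk, replacing `"changeme"` with `"remembertochangeme"` keeps a literal administrator credential in a committed playbook and, for the playbooks that run the keycloak role (playbooks/rhsso.yml in this patch and molecule/default/converge.yml in the next), the longer placeholder now satisfies the new length assert, so the guard no longer stops a user who runs the shipped playbook unmodified. For the example playbooks consider sourcing the value instead of committing one, e.g. `keycloak_admin_password: "{{ lookup('env', 'KEYCLOAK_ADMIN_PASSWORD') }}"` (the variable name here is illustrative), which keeps the credential out of version control and, since an unset environment variable yields an empty string by default, leaves the assert meaningful; the molecule converge can reasonably keep a fixed test value. Whether keycloak_realm itself runs the prereqs assert is not visible in this patch.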
--- a/playbooks/rhsso.yml
+++ b/playbooks/rhsso.yml
@@ -2,7 +2,7 @@
 - name: Playbook for Keycloak Hosts
 hosts: keycloak
 vars:
- keycloak_admin_password: "changeme"
+ keycloak_admin_password: "remembertochangeme"
 keycloak_rhsso_enable: True
 collections:
 - middleware_automation.redhat_csp_download
From 85b0a2549af5d1ef925ab113e25c6fb3bb6092a8 Mon Sep 17 00:00:00 2001
From: Guido Grazioli
Date: Thu, 24 Mar 2022 19:00:30 +0100
Subject: [PATCH 3/3] update tests with pwd, apply change to keycloak_realm

---
 molecule/default/converge.yml | 4 +---
 molecule/default/verify.yml | 1 +
 roles/keycloak_realm/README.md | 2 +-
 roles/keycloak_realm/defaults/main.yml | 2 ++
 roles/keycloak_realm/vars/main.yml | 3 ---
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 55f17ef..2ab6ad5 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -2,17 +2,15 @@
 - name: Converge
 hosts: all
 vars:
+ keycloak_admin_password: "remembertochangeme"
 tasks:
 - name: Include keycloak role
 include_role:
 name: ../../roles/keycloak
- vars:
- keycloak_admin_password: "changeme"
 - name: Keycloak Realm Role
 include_role:
 name: ../../roles/keycloak_realm
 vars:
- keycloak_admin_password: "changeme"
 keycloak_client_default_roles:
 - TestRoleAdmin
 - TestRoleUser
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 0952ba5..ef973cd 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -8,3 +8,4 @@
 ansible.builtin.assert:
 that:
 - ansible_facts.services["keycloak.service"]["state"] == "running"
+ - ansible_facts.services["keycloak.service"]["status"] == "enabled"
diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md
index 4a01e64..cf098a7 100644
--- a/roles/keycloak_realm/README.md
+++ b/roles/keycloak_realm/README.md
@@ -30,8 +30,8 @@ The following are a set of _required_ variables for the role: | Variable | Description | |:---------|:------------| -|`keycloak_admin_password`| Password for the administration console user account | |`keycloak_realm` | Name of the realm to be created | +|`keycloak_admin_password`| Password for the administration console user account | The following variables are available for creating clients: diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml index c47aea3..2f33e57 100644 --- a/roles/keycloak_realm/defaults/main.yml +++ b/roles/keycloak_realm/defaults/main.yml @@ -11,6 +11,8 @@ keycloak_admin_user: admin keycloak_auth_realm: master keycloak_auth_client: admin-cli +# administrator console password, this is a required variable +keycloak_admin_password: '' ### Keycloak realms, clients, roles, federation # list of clients to create in the realm diff --git a/roles/keycloak_realm/vars/main.yml b/roles/keycloak_realm/vars/main.yml index f87e7f5..076a8a9 100644 --- a/roles/keycloak_realm/vars/main.yml +++ b/roles/keycloak_realm/vars/main.yml @@ -1,9 +1,6 @@ --- # vars file for keycloak_realm -# administrator console password, this is a required variable -keycloak_admin_password: - # name of the realm to create, this is a required variable keycloak_realm:
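Review bot: In the roles/keycloak_realm/defaults/main.yml hunk, `keycloak_admin_password: ''` is introduced with the comment "this is a required variable", yet nothing in this patch adds a check to the keycloak_realm role itself, so a caller who omits the variable now proceeds with an empty password and fails later at the admin-cli login instead of with an actionable message (unless keycloak_realm already runs the keycloak role's prereqs, which is not visible here). Suggest mirroring the assert added to roles/keycloak/tasks/prereqs.yml at the start of the keycloak_realm tasks, or at minimum extending the comment to `# administrator console password, this is a required variable (the empty default is not usable; set it to the same value given to the keycloak role)`. The other hunks on this line (README row move, vars/main.yml deletion) raise nothing.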