From 702d09c7317b1ff023e53d851829b8a9c4667a90 Mon Sep 17 00:00:00 2001
From: Guido Grazioli
Date: Wed, 22 Dec 2021 10:05:48 +0100
Subject: [PATCH] Extract new keycloak_realm role out of keycloak
---
 molecule/default/converge.yml | 34 ++++++++++++-
 playbooks/keycloak.yml | 25 +++++++-
 roles/keycloak_realm/README.md | 59 +++++++++++++++++++
 roles/keycloak_realm/defaults/main.yml | 44 ++++++++++++++
 roles/keycloak_realm/meta/main.yml | 1 +
 .../tasks/main.yml} | 16 ++---
 .../tasks/manage_client_roles.yml | 0
 .../tasks/manage_client_users.yml | 13 ++++
 .../tasks/manage_user.yml | 4 +-
 .../tasks/manage_user_client_roles.yml | 0
 .../tasks/manage_user_roles.yml | 0
 .../templates/realm.json.j2 | 0
 roles/keycloak_realm/vars/main.yml | 16 +++++
 13 files changed, 197 insertions(+), 15 deletions(-)
 create mode 100644 roles/keycloak_realm/README.md
 create mode 100644 roles/keycloak_realm/defaults/main.yml
 create mode 100644 roles/keycloak_realm/meta/main.yml
 rename roles/{keycloak/tasks/manage_realm.yml => keycloak_realm/tasks/main.yml} (87%)
 rename roles/{keycloak => keycloak_realm}/tasks/manage_client_roles.yml (100%)
 create mode 100644 roles/keycloak_realm/tasks/manage_client_users.yml
 rename roles/{keycloak => keycloak_realm}/tasks/manage_user.yml (94%)
 rename roles/{keycloak => keycloak_realm}/tasks/manage_user_client_roles.yml (100%)
 rename roles/{keycloak => keycloak_realm}/tasks/manage_user_roles.yml (100%)
 rename roles/{keycloak => keycloak_realm}/templates/realm.json.j2 (100%)
 create mode 100644 roles/keycloak_realm/vars/main.yml
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 4c8e3fb..aa66e44 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -7,4 +7,36 @@
 include_role:
 name: ../../roles/keycloak
 vars:
- keycloak_admin_password: "changeme"
\ No newline at end of file
+ keycloak_admin_password: "changeme"
+ - name: Keycloak Realm Role
+ include_role:
+ name: ../../roles/keycloak_realm
+ vars:
+ keycloak_admin_password: "changeme"
+ keycloak_client_default_roles:
+ - TestRoleAdmin
+ - TestRoleUser
+ keycloak_client_users:
+ - username: TestUser
+ password: password
+ client_roles:
+ - client: TestClient
+ role: TestRoleUser
+ realm: "{{ keycloak_realm }}"
+ - username: TestAdmin
+ password: password
+ client_roles:
+ - client: TestClient
+ role: TestRoleUser
+ realm: "{{ keycloak_realm }}"
+ - client: TestClient
+ role: TestRoleAdmin
+ realm: "{{ keycloak_realm }}"
+ keycloak_realm: TestRealm
+ keycloak_clients:
+ - name: TestClient
+ roles: "{{ keycloak_client_default_roles }}"
+ realm: "{{ keycloak_realm }}"
+ public_client: "{{ keycloak_client_public }}"
+ web_origins: "{{ keycloak_client_web_origins }}"
+ users: "{{ keycloak_client_users }}"
diff --git a/playbooks/keycloak.yml b/playbooks/keycloak.yml
index c40d219..e0c8ac4 100644
--- a/playbooks/keycloak.yml
+++ b/playbooks/keycloak.yml
@@ -10,4 +10,27 @@
 include_role:
 name: keycloak
 vars:
- keycloak_admin_password: "changeme"
\ No newline at end of file
+ keycloak_admin_password: "changeme"
+ - name: Keycloak Realm Role
+ include_role:
+ name: keycloak_realm
+ vars:
+ keycloak_admin_password: "changeme"
+ keycloak_realm: TestRealm
+ keycloak_clients:
+ - name: TestClient1
+ roles:
+ - TestClient1Admin
+ - TestClient1User
+ realm: "{{ keycloak_realm }}"
+ public_client: True
+ web_origins:
+ - http://testclient1origin/application
+ - http://testclient1origin/other
+ users:
+ - username: TestUser
+ password: password
+ client_roles:
+ - client: TestClient1
+ role: TestClient1User
+ realm: "{{ keycloak_realm }}"
diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md
new file mode 100644
index 0000000..40c2ec7
--- /dev/null
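Review bot: The new `TestClient` in the converge play takes `public_client` and `web_origins` straight from the role defaults (`public_client: "{{ keycloak_client_public }}"`, `web_origins: "{{ keycloak_client_web_origins }}"`, which this patch defaults to `True` and `'+'`), so the molecule run never exercises a confidential client or an explicit origin list. Setting `public_client: false` and an explicit `web_origins` list on the test client, or adding a second client that does, would cover the non-default path a real deployment is more likely to use. Each `client_roles` item also repeats `realm: "{{ keycloak_realm }}"`, which is always the client's own realm here; if manage_user_roles.yml genuinely needs it per entry, a one-line comment saying so would spare the next reader from wondering. The fixture credentials (`changeme`, `password`) are acceptable for a throwaway molecule container.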
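Review bot: playbooks/keycloak.yml is a shipped playbook rather than a test fixture, and the new block embeds two credentials as literals: the admin console password (`keycloak_admin_password: "changeme"`, now repeated for the second include) and a seeded account (`password: password` under `users`). Both should be supplied by the caller, e.g. `keycloak_admin_password: "{{ keycloak_admin_password }}"` from `--extra-vars` or an Ansible Vault file, and the user password likewise; whether manage_user.yml sets `no_log` on the task that posts the password is not visible in this patch, so a plaintext literal here may also surface in task output. Minor: `public_client: True` should be written `public_client: true` (yamllint `truthy`), and the role default introduced in this patch uses `True` too, so fix both together.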
+++ b/roles/keycloak_realm/README.md
@@ -0,0 +1,59 @@
+keycloak_realm
+==============
+
+Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
+
+
+Role Defaults
+-------------
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_admin_user`| Administration console user account | `admin` |
+
+Role Variables
+--------------
+
+The following are a set of _required_ variables for the role:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_admin_password`| Password for the administration console user account |
+
+
+The following variables are _required_ only when keycloak_ha_enabled is True:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+
+
+
+Example Playbook
+----------------
+
+The following is an example playbook that makes use of the role to install keycloak
+
+```yaml
+---
+- hosts: ...
+ collections:
+ - middleware_automation.keycloak
+ tasks:
+ - name: Include keycloak role
+ include_role:
+ name: keycloak_realm
+ vars:
+ keycloak_admin_password: "changeme"
+```
+
+License
+-------
+
+Apache License 2.0
+
+
+Author Information
+------------------
+
+* [Guido Grazioli](https://github.com/guidograzioli)
+* [Romain Pelisse](https://github.com/rpelisse)
\ No newline at end of file
diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml
new file mode 100644
index 0000000..dfc7a49
--- /dev/null
+++ b/roles/keycloak_realm/defaults/main.yml
@@ -0,0 +1,44 @@
+---
+### Keycloak configuration settings
+keycloak_host: localhost
+keycloak_http_port: 8080
+keycloak_https_port: 8443
+
+### Keycloak administration console user
+keycloak_admin_user: admin
+keycloak_auth_realm: master
+keycloak_auth_client: admin-cli
+
+### Keycloak realm client defaults
+# list of clients to create in the realm
+#
+# Refer to the playbook for a comprehensive example.
+#
+# Each client has the form:
+# { name: '', roles: [], realm: '', public_client: bool, web_origins: '', users: [] }
+# where roles is a list of default role names for the client
+# and users is a list of account, see below for the format definition
+# an empty name will skip the creation of the client
+keycloak_clients:
+ - name: ''
+ roles: "{{ keycloak_client_default_roles }}"
+ realm: "{{ keycloak_realm }}"
+ public_client: "{{ keycloak_client_public }}"
+ web_origins: "{{ keycloak_client_web_origins }}"
+ users: "{{ keycloak_client_users }}"
+
+# list of roles to create in the client
+keycloak_client_default_roles: []
+
+# if True, create a public client; otherwise, a confidetial client
+keycloak_client_public: True
+
+# allowed web origins for the client
+keycloak_client_web_origins: '+'
+
+# list of user and role mappings to create in the client
+# Each user has the form:
+# { username: '', password: '', email: '', firstName: '', lastName: '', client_roles: [] }
+# where each client_role has the form:
+# { client: '', role: '', realm: '' }
+keycloak_client_users: []
diff --git a/roles/keycloak_realm/meta/main.yml b/roles/keycloak_realm/meta/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/keycloak_realm/meta/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/keycloak/tasks/manage_realm.yml b/roles/keycloak_realm/tasks/main.yml
similarity index 87%
rename from roles/keycloak/tasks/manage_realm.yml
rename to roles/keycloak_realm/tasks/main.yml
index 76b260f..c51ecff 100644
--- a/roles/keycloak/tasks/manage_realm.yml
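Review bot: Both client defaults are the permissive choice: `keycloak_client_public: True` creates a public client (no client secret, so the client never authenticates itself to Keycloak) and `keycloak_client_web_origins: '+'` is, as far as I know, Keycloak's shorthand for "permit every origin of the client's valid redirect URIs", so a caller who sets only `name` gets a public client with CORS opened to all of its redirect origins without having asked for either. Consider defaulting `keycloak_client_public: false` and an empty origin list, or at least spell out the consequence above each setting, e.g. `# '+' makes Keycloak allow every origin of the client's valid redirect URIs; set an explicit list for production` and `# a public client has no secret and cannot authenticate itself; use false for server-side clients`. Also write `true`/`false` rather than `True` (yamllint `truthy`), and fix the comment typos `confidetial` → `confidential` and `a list of account` → `a list of accounts`.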
+++ b/roles/keycloak_realm/tasks/main.yml @@ -51,6 +51,7 @@ state: present register: create_client_result loop: "{{ keycloak_clients | flatten }}" + when: item.name|length > 0 - name: Create client roles include_tasks: manage_client_roles.yml @@ -59,15 +60,8 @@ loop_control: loop_var: client -- name: Manage Users - include_tasks: manage_user.yml - loop: "{{ keycloak_users }}" +- name: Create client users + include_tasks: manage_client_users.yml + loop: "{{ keycloak_clients | flatten }}" loop_control: - loop_var: user - -- name: Manage User Roles - include_tasks: manage_user_roles.yml - loop: "{{ keycloak_users | flatten }}" - loop_control: - loop_var: user - when: "'client_roles' in user" \ No newline at end of file + loop_var: client \ No newline at end of file diff --git a/roles/keycloak/tasks/manage_client_roles.yml b/roles/keycloak_realm/tasks/manage_client_roles.yml similarity index 100% rename from roles/keycloak/tasks/manage_client_roles.yml rename to roles/keycloak_realm/tasks/manage_client_roles.yml diff --git a/roles/keycloak_realm/tasks/manage_client_users.yml b/roles/keycloak_realm/tasks/manage_client_users.yml new file mode 100644 index 0000000..e6f5153 --- /dev/null +++ b/roles/keycloak_realm/tasks/manage_client_users.yml @@ -0,0 +1,13 @@ +--- +- name: Manage Users + include_tasks: manage_user.yml + loop: "{{ client.users | flatten }}" + loop_control: + loop_var: user + +- name: Manage User Roles + include_tasks: manage_user_roles.yml + loop: "{{ client.users | flatten }}" + loop_control: + loop_var: user + when: "'client_roles' in user" \ No newline at end of file diff --git a/roles/keycloak/tasks/manage_user.yml b/roles/keycloak_realm/tasks/manage_user.yml similarity index 94% rename from roles/keycloak/tasks/manage_user.yml rename to roles/keycloak_realm/tasks/manage_user.yml index 019d65b..c98ae90 100644 --- a/roles/keycloak/tasks/manage_user.yml +++ b/roles/keycloak_realm/tasks/manage_user.yml 
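Review bot: `when: item.name|length > 0` raises an undefined-attribute error for a client entry that omits `name` entirely, while the role's own defaults comment ("an empty name will skip the creation of the client") reads as if a nameless client should simply be skipped; `when: item.name | default('') | length > 0` covers both the empty and the missing case and follows the usual spacing around Jinja filters. The `register: create_client_result` just above now also records skipped entries, so anything later that walks `create_client_result.results` has to tolerate items without a `json` body. The task list this guard belongs to starts before the hunk.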
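Review bot: The new `Create client users` include loops over every entry of `keycloak_clients | flatten` without the name guard added to the client-creation task earlier in the file, and the `Create client roles` include shown as context at the top of this hunk is in the same position, so the placeholder default client with `name: ''` is still handed to manage_client_roles.yml and manage_client_users.yml. Adding `when: client.name | default('') | length > 0` to both includes keeps the three loops consistent; with the defaults in this patch the inner loops are empty so it is harmless today, but a client that was deliberately skipped should not be processed further. The file also ends without a trailing newline (`\ No newline at end of file`).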
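Review bot: `loop: "{{ client.users | flatten }}"` fails with an undefined-attribute error when a client in `keycloak_clients` omits the `users` key, and nothing in the defaults comment says that key is mandatory; `loop: "{{ client.users | default([]) | flatten }}"` on both tasks lets the include tolerate it. The second task re-walks the same list only to map roles; since manage_user.yml already runs once per user, including the role mapping from there would avoid iterating twice, though that is a matter of taste. The new file also lacks a trailing newline.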
@@ -5,7 +5,7 @@ validate_certs: no headers: Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" - register: keycloak_user_serach_result + register: keycloak_user_search_result - name: "Create User" uri: @@ -23,7 +23,7 @@ headers: Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" status_code: 201 - when: keycloak_user_serach_result.json | length == 0 + when: keycloak_user_search_result.json | length == 0 - name: "Get User" uri: diff --git a/roles/keycloak/tasks/manage_user_client_roles.yml b/roles/keycloak_realm/tasks/manage_user_client_roles.yml similarity index 100% rename from roles/keycloak/tasks/manage_user_client_roles.yml rename to roles/keycloak_realm/tasks/manage_user_client_roles.yml diff --git a/roles/keycloak/tasks/manage_user_roles.yml b/roles/keycloak_realm/tasks/manage_user_roles.yml similarity index 100% rename from roles/keycloak/tasks/manage_user_roles.yml rename to roles/keycloak_realm/tasks/manage_user_roles.yml diff --git a/roles/keycloak/templates/realm.json.j2 b/roles/keycloak_realm/templates/realm.json.j2 similarity index 100% rename from roles/keycloak/templates/realm.json.j2 rename to roles/keycloak_realm/templates/realm.json.j2 diff --git a/roles/keycloak_realm/vars/main.yml b/roles/keycloak_realm/vars/main.yml new file mode 100644 index 0000000..2f5a56f --- /dev/null +++ b/roles/keycloak_realm/vars/main.yml @@ -0,0 +1,16 @@ +--- +# vars file for keycloak_realm + +# administrator console password, this is a required variable +keycloak_admin_password: + +# name of the realm to create, this is a required variable +keycloak_realm: + +# keycloak realm clients, this is a required variable +keycloak_clients: + +# other settings +keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" +keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" +keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}" \ No newline at end of file
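Review bot: Declaring the required inputs as empty keys in vars/main.yml (`keycloak_admin_password:`, `keycloak_realm:`, `keycloak_clients:`) does not make them required, it sets them to null at role-vars precedence, which overrides inventory, group_vars, host_vars and play `vars`, so a caller who puts `keycloak_admin_password` in group_vars gets null instead, and `keycloak_clients:` here also shadows the default declared in defaults/main.yml, leaving the documented "empty name skips the client" default unreachable. The shipped playbook and the molecule converge only work because they pass everything through `include_role` `vars:`, which ranks above role vars. Drop the three keys from this file and enforce presence at the top of tasks/main.yml instead, e.g. `ansible.builtin.assert:` with `that: [keycloak_admin_password is defined, keycloak_realm is defined, keycloak_clients is defined]` and a `fail_msg` naming the missing variable. Separately, `keycloak_url` is built on `http://` even though `keycloak_https_port` exists in the new defaults, and the admin API calls send a bearer token in `Authorization` (see the manage_user.yml hunks above), so by default that token crosses the network in clear text whenever `keycloak_host` is not local; `keycloak_management_http_port` is also not defined in the new defaults or vars, so `keycloak_management_url` will fail to template if this role is run without the keycloak role's variables in scope.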