From f010fca28cce98f3ff5d94ecb03733b59358a507 Mon Sep 17 00:00:00 2001
From: Sven Ketelsen
Date: Wed, 20 Dec 2023 10:33:37 +0100
Subject: [PATCH] chore: pmci create/assign default client roles
- "internal-system-scope:system:admin"
- "internal-system-scope:system:workflow-admin"
- "internal-system-scope:system:process-data-reader"
---
 .../tasks/assign_client_roles.yml | 22 ++++++++++++++++
 .../tasks/create_client_role.yml | 16 ++++++++++++
 roles/connect_realm/tasks/main.yml | 25 ++++++++++++++++---
 .../keycloak/tasks/_read_keycloak_user_id.yml | 17 +++++++++++++
 4 files changed, 77 insertions(+), 3 deletions(-)
 create mode 100644 roles/connect_realm/tasks/assign_client_roles.yml
 create mode 100644 roles/connect_realm/tasks/create_client_role.yml
 create mode 100644 roles/keycloak/tasks/_read_keycloak_user_id.yml
diff --git a/roles/connect_realm/tasks/assign_client_roles.yml b/roles/connect_realm/tasks/assign_client_roles.yml
new file mode 100644
index 0000000..a395463
--- /dev/null
+++ b/roles/connect_realm/tasks/assign_client_roles.yml
@@ -0,0 +1,22 @@
+---
+- name: "Read keycloak user id for <{{ connect_client_admin_username }}>"
+  include_role:
+    name: keycloak
+    tasks_from: _read_keycloak_user_id
+
+- name: "Map client roles to <{{ connect_client_admin_username }}>"
+  community.general.keycloak_user_rolemapping:
+    auth_realm: "master"
+    auth_client_id: "admin-cli"
+    auth_username: "{{ keycloak_admin_username }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth"
+    state: present
+    realm: "{{ current_realm_name }}"
+    client_id: "{{ client.clientId }}"
+    uid: "{{ keycloak_user_id }}"
+    roles: "{{ current_client_roles }}"
+  with_items: "{{ current_realm_clients | default([]) }}"
+  loop_control:
+    loop_var: client
+  delegate_to: localhost
\ No newline at end of file
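Review bot: The `community.general.keycloak_user_rolemapping` task hands `keycloak_admin_password` to the module without `no_log: true`, so the master-realm admin credential is printed in the task result whenever the play runs with `-v` or an iteration of the `with_items` loop fails, once per client in `current_realm_clients`. Add `no_log: true` next to `delegate_to: localhost` (a variable such as `no_log: "{{ keycloak_no_log | default(true) }}"` keeps it switchable for debugging, since `no_log` also hides the loop item and the module's own error text). The first task relies on the caller having set `current_username`, which is what `_read_keycloak_user_id` actually reads, while the task name only mentions `connect_client_admin_username`; passing it on the include with `vars:` / `current_username: "{{ connect_client_admin_username }}"` makes this file correct when included on its own. A short header comment stating that every role in `current_client_roles` is mapped for every client of the realm would also help, because that is a broad grant and nothing in the file says it is intentional.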
diff --git a/roles/connect_realm/tasks/create_client_role.yml b/roles/connect_realm/tasks/create_client_role.yml
new file mode 100644
index 0000000..f41acf7
--- /dev/null
+++ b/roles/connect_realm/tasks/create_client_role.yml
@@ -0,0 +1,16 @@
+---
+- name: "Create keycloak client roles"
+  community.general.keycloak_role:
+    auth_realm: "master"
+    auth_client_id: "admin-cli"
+    auth_username: "{{ keycloak_admin_username }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth"
+    state: present
+    name: "{{ role }}"
+    realm: "{{ current_realm_name }}"
+    client_id: "{{ client.clientId }}"
+  with_items: "{{ current_realm_clients | default([]) }}"
+  loop_control:
+    loop_var: client
+  delegate_to: localhost
\ No newline at end of file
diff --git a/roles/connect_realm/tasks/main.yml b/roles/connect_realm/tasks/main.yml
index 2b7caf3..9c6dd2f 100644
--- a/roles/connect_realm/tasks/main.yml
+++ b/roles/connect_realm/tasks/main.yml
@@ -1,7 +1,4 @@
 ---
-
-### tags:
-
 - name: "Authenticate on keycloak for {{ inventory_hostname }}"
   include_role:
     name: keycloak
@@ -21,3 +18,25 @@
     include_role:
       name: keycloak
       tasks_from: _create_realm_admin
+
+- name: "Create client roles"
+  include_role:
+    name: connect_realm
+    tasks_from: create_client_role
+  with_items:
+    - "internal-system-scope:system:admin"
+    - "internal-system-scope:system:workflow-admin"
+    - "internal-system-scope:system:process-data-reader"
+  loop_control:
+    loop_var: role
+
+- name: "Assign client roles to <{{ connect_client_admin_username }}>"
+  include_role:
+    name: connect_realm
+    tasks_from: assign_client_roles
+  vars:
+    current_username: "{{ connect_client_admin_username }}"
+    current_client_roles:
+      - name: "internal-system-scope:system:admin"
+      - name: "internal-system-scope:system:workflow-admin"
+      - name: "internal-system-scope:system:process-data-reader"
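Review bot: `auth_password: "{{ keycloak_admin_password }}"` is passed to `community.general.keycloak_role` with no `no_log: true`, so the admin-cli password of the master realm appears in verbose output and in the failure message of any client iteration; add `no_log: true` beside `delegate_to: localhost`. The task also authenticates as the master-realm super-admin (`auth_realm: "master"`, `auth_client_id: "admin-cli"`) only to create roles inside `current_realm_name`, which is more privilege than the operation needs; if the surrounding role already obtains a realm-scoped token (the `access_token` used elsewhere suggests it may), reusing that via `token:` would be the least-privilege option, though I cannot see from this hunk whether that token has `manage-clients` on the target realm. A one-line header comment such as `# Creates one client role named {{ role }} in every client of the realm; called once per role from main.yml` would make the double loop (roles outside, clients inside) obvious to the next reader.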
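Review bot: The three role names are written out twice in the new tasks, once as the `with_items` list feeding `create_client_role` and again as `current_client_roles` for `assign_client_roles`, so renaming or adding a role in one list leaves the other out of step and the assignment then fails for a role that was never created. Declare the list once, e.g. `connect_client_default_roles:` in the role's `defaults/main.yml` as the `- name:` form, and derive both uses from it: `with_items: "{{ connect_client_default_roles | map(attribute='name') | list }}"` and `current_client_roles: "{{ connect_client_default_roles }}"`. The block also grants `internal-system-scope:system:admin` to `connect_client_admin_username` in every client of the realm; a comment above the assign task saying this is the intended default for that account would stop a later reader from treating it as an over-grant.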
diff --git a/roles/keycloak/tasks/_read_keycloak_user_id.yml b/roles/keycloak/tasks/_read_keycloak_user_id.yml
new file mode 100644
index 0000000..83181d7
--- /dev/null
+++ b/roles/keycloak/tasks/_read_keycloak_user_id.yml
@@ -0,0 +1,17 @@
+---
+- name: "Reading users by username <{{ current_username }}> from realm <{{ current_realm_name }}>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ current_realm_name }}/users?username={{ current_username }}"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ access_token }} "
+    status_code: [200]
+  register: keycloak_user_result
+
+- name: "Reading user id for username <{{ current_username }}>"
+  set_fact:
+    keycloak_user_id: "{{ keycloak_user_result.json | json_query(querystr1) | first }}"
+  vars:
+    querystr1: "[*].id"
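Review bot: The lookup `users?username={{ current_username }}` is a substring match in the Keycloak admin API unless `exact=true` is added, and the second task takes `| first` of whatever comes back, so a realm that contains both `admin` and `admin-backup` can resolve to the wrong account and the caller's role mapping then lands on that user. Append `&exact=true` (confirm the deployed Keycloak version honours it), run the name through `| urlencode` so characters such as `@` or `+` survive the query string, and assert on exactly one hit before reading `.id`, as sketched below. The `Authorization: "Bearer {{ access_token }} "` value carries a trailing space inside the quotes that should be dropped, and `delegate_to: 127.0.0.1` differs from the `localhost` used by the two new connect_realm files, which is harmless but inconsistent.

```yaml
- name: "Reading users by username <{{ current_username }}> from realm <{{ current_realm_name }}>"
  # … unchanged: delegate_to / become …
  uri:
    url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ current_realm_name }}/users?username={{ current_username | urlencode }}&exact=true"
    # … unchanged: method / headers / status_code …
  register: keycloak_user_result

- name: "Ensure exactly one user matches <{{ current_username }}>"
  assert:
    that: "keycloak_user_result.json | length == 1"
    fail_msg: "Expected exactly one user named {{ current_username }} in realm {{ current_realm_name }}, got {{ keycloak_user_result.json | length }}"
# … unchanged: set_fact of keycloak_user_id …
```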