internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-06-13 12:05:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

rename to role_owner_client_id

Browse Source
This commit is contained in:
Felix Grzelka
2026-06-08 13:21:27 +00:00
parent a1bb84ea5b
commit 92d6dddd49
5 changed files with 74 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
plugins/modules/keycloak_client_rolescope.py
View File

@@ -19,7 +19,7 @@ description:
to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
the scope tailored to your needs and a user having the expected roles.
- Client O(client_id) must have O(middleware_automation.keycloak.keycloak_client#module:full_scope_allowed) set to V(false).
- Client O(target_client_id) must have O(middleware_automation.keycloak.keycloak_client#module:full_scope_allowed) set to V(false).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and are returned that way
by this module. You may pass single values for attributes when calling the module, and this is translated into a list
suitable for the API.
@@ -50,12 +50,12 @@ options:
- The Keycloak realm under which clients resides.
default: 'master'
client_id:
target_client_id:
type: str
required: true
description:
- Roles provided in O(role_names) while be added to this client scope.
client_scope_id:
role_owner_client_id:
type: str
description:
- If the O(role_names) are client role, the client ID under which it resides.
@@ -66,8 +66,8 @@ options:
elements: str
description:
- Names of roles to manipulate.
- If O(client_scope_id) is present, all roles must be under this client.
- If O(client_scope_id) is absent, all roles must be under the realm.
- If O(role_owner_client_id) is present, all roles must be under this client.
- If O(role_owner_client_id) is absent, all roles must be under the realm.
extends_documentation_fragment:
- middleware_automation.keycloak.keycloak
- middleware_automation.keycloak.actiongroup_keycloak
@@ -85,8 +85,8 @@ EXAMPLES = r"""
auth_username: USERNAME
auth_password: PASSWORD
realm: MyCustomRealm
client_id: frontend-client-public
client_scope_id: backend-client-private
target_client_id: frontend-client-public
role_owner_client_id: backend-client-private
role_names:
- backend-role-admin
- backend-role-user
@@ -98,8 +98,8 @@ EXAMPLES = r"""
auth_username: USERNAME
auth_password: PASSWORD
realm: MyCustomRealm
client_id: frontend-client-public
client_scope_id: backend-client-private
target_client_id: frontend-client-public
role_owner_client_id: backend-client-private
role_names:
- backend-role-admin
state: absent
@@ -111,7 +111,7 @@ EXAMPLES = r"""
auth_username: USERNAME
auth_password: PASSWORD
realm: MyCustomRealm
client_id: frontend-client-public
target_client_id: frontend-client-public
role_names:
- realm-role-admin
- realm-role-user
@@ -167,8 +167,8 @@ def main():
argument_spec = keycloak_argument_spec()
meta_args = dict(
client_id=dict(type="str", required=True),
client_scope_id=dict(type="str"),
target_client_id=dict(type="str", required=True),
role_owner_client_id=dict(type="str"),
realm=dict(type="str", default="master"),
role_names=dict(type="list", elements="str", required=True),
state=dict(type="str", default="present", choices=["present", "absent"]),
@@ -189,8 +189,8 @@ def main():
kc = KeycloakAPI(module, connection_header)
realm = module.params.get("realm")
clientid = module.params.get("client_id")
client_scope_id = module.params.get("client_scope_id")
target_client_id = module.params.get("target_client_id")
role_owner_client_id = module.params.get("role_owner_client_id")
role_names = module.params.get("role_names")
state = module.params.get("state")
@@ -198,23 +198,23 @@ def main():
if not objRealm:
module.fail_json(msg=f"Failed to retrive realm '{realm}'")
objClient = kc.get_client_by_clientid(clientid, realm)
objClient = kc.get_client_by_target_client_id(target_client_id, realm)
if not objClient:
module.fail_json(msg=f"Failed to retrive client '{realm}.{clientid}'")
module.fail_json(msg=f"Failed to retrive client '{realm}.{target_client_id}'")
if objClient["fullScopeAllowed"] and state == "present":
module.fail_json(msg=f"FullScopeAllowed is active for Client '{realm}.{clientid}'")
module.fail_json(msg=f"FullScopeAllowed is active for Client '{realm}.{target_client_id}'")
if client_scope_id:
objClientScope = kc.get_client_by_clientid(client_scope_id, realm)
if not objClientScope:
module.fail_json(msg=f"Failed to retrive client '{realm}.{client_scope_id}'")
before_role_mapping = kc.get_client_role_scope_from_client(objClient["id"], objClientScope["id"], realm)
if role_owner_client_id:
role_owner_client = kc.get_client_by_client_id(role_owner_client_id, realm)
if not role_owner_client:
module.fail_json(msg=f"Failed to retrive client '{realm}.{role_owner_client_id}'")
before_role_mapping = kc.get_client_role_scope_from_client(objClient["id"], role_owner_client["id"], realm)
else:
before_role_mapping = kc.get_client_role_scope_from_realm(objClient["id"], realm)
if client_scope_id:
if role_owner_client_id:
# retrive all role from client_scope
client_scope_roles_by_name = kc.get_client_roles_by_id(objClientScope["id"], realm)
client_scope_roles_by_name = kc.get_client_roles_by_id(role_owner_client["id"], realm)
else:
# retrive all role from realm
client_scope_roles_by_name = kc.get_realm_roles(realm)
@@ -228,8 +228,8 @@ def main():
# update desired
for role_name in role_names:
if role_name not in client_scope_roles_by_name:
if client_scope_id:
module.fail_json(msg=f"Failed to retrive role '{realm}.{client_scope_id}.{role_name}'")
if role_owner_client_id:
module.fail_json(msg=f"Failed to retrive role '{realm}.{role_owner_client_id}.{role_name}'")
else:
module.fail_json(msg=f"Failed to retrive role '{realm}.{role_name}'")
if role_name not in role_mapping_by_name:
@@ -253,33 +253,33 @@ def main():
if not result["changed"]:
# no changes
result["end_state"] = before_role_mapping
result["msg"] = f"No changes required for client role scope {clientid}."
result["msg"] = f"No changes required for client role scope {target_client_id}."
elif state == "present":
# doing update
if module.check_mode:
result["end_state"] = desired_role_mapping
elif client_scope_id:
elif role_owner_client_id:
result["end_state"] = kc.update_client_role_scope_from_client(
role_mapping_to_manipulate, objClient["id"], objClientScope["id"], realm
role_mapping_to_manipulate, objClient["id"], role_owner_client["id"], realm
)
else:
result["end_state"] = kc.update_client_role_scope_from_realm(
role_mapping_to_manipulate, objClient["id"], realm
)
result["msg"] = f"Client role scope for {clientid} has been updated"
result["msg"] = f"Client role scope for {target_client_id} has been updated"
else:
# doing delete
if module.check_mode:
result["end_state"] = desired_role_mapping
elif client_scope_id:
elif role_owner_client_id:
result["end_state"] = kc.delete_client_role_scope_from_client(
role_mapping_to_manipulate, objClient["id"], objClientScope["id"], realm
role_mapping_to_manipulate, objClient["id"], role_owner_client["id"], realm
)
else:
result["end_state"] = kc.delete_client_role_scope_from_realm(
role_mapping_to_manipulate, objClient["id"], realm
)
result["msg"] = f"Client role scope for {clientid} has been deleted"
result["msg"] = f"Client role scope for {target_client_id} has been deleted"
module.exit_json(**result)