
Reformat everything.

This commit is contained in:
Felix Fontein 2025-11-01 12:08:41 +01:00
parent 3f2213791a
commit 340ff8586d
1008 changed files with 61301 additions and 58309 deletions


@ -218,8 +218,12 @@ end_state:
- 9da05cd2-b273-4354-bbd8-0c133918a454
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI,
keycloak_argument_spec,
get_token,
KeycloakError,
)
from ansible.module_utils.basic import AnsibleModule
@ -232,56 +236,56 @@ def main():
argument_spec = keycloak_argument_spec()
meta_args = dict(
state=dict(type='str', default='present',
choices=['present', 'absent']),
name=dict(type='str', required=True),
description=dict(type='str'),
permission_type=dict(type='str', choices=['scope', 'resource'], required=True),
decision_strategy=dict(type='str', default='UNANIMOUS',
choices=['UNANIMOUS', 'AFFIRMATIVE', 'CONSENSUS']),
resources=dict(type='list', elements='str', default=[]),
scopes=dict(type='list', elements='str', default=[]),
policies=dict(type='list', elements='str', default=[]),
client_id=dict(type='str', required=True),
realm=dict(type='str', required=True)
state=dict(type="str", default="present", choices=["present", "absent"]),
name=dict(type="str", required=True),
description=dict(type="str"),
permission_type=dict(type="str", choices=["scope", "resource"], required=True),
decision_strategy=dict(type="str", default="UNANIMOUS", choices=["UNANIMOUS", "AFFIRMATIVE", "CONSENSUS"]),
resources=dict(type="list", elements="str", default=[]),
scopes=dict(type="list", elements="str", default=[]),
policies=dict(type="list", elements="str", default=[]),
client_id=dict(type="str", required=True),
realm=dict(type="str", required=True),
)
argument_spec.update(meta_args)
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=True,
required_one_of=(
[['token', 'auth_realm', 'auth_username', 'auth_password', 'auth_client_id', 'auth_client_secret']]),
required_together=([['auth_username', 'auth_password']]),
required_by={'refresh_token': 'auth_realm'},
)
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=True,
required_one_of=(
[["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
),
required_together=([["auth_username", "auth_password"]]),
required_by={"refresh_token": "auth_realm"},
)
# Convenience variables
state = module.params.get('state')
name = module.params.get('name')
description = module.params.get('description')
permission_type = module.params.get('permission_type')
decision_strategy = module.params.get('decision_strategy')
realm = module.params.get('realm')
client_id = module.params.get('client_id')
realm = module.params.get('realm')
resources = module.params.get('resources')
scopes = module.params.get('scopes')
policies = module.params.get('policies')
state = module.params.get("state")
name = module.params.get("name")
description = module.params.get("description")
permission_type = module.params.get("permission_type")
decision_strategy = module.params.get("decision_strategy")
realm = module.params.get("realm")
client_id = module.params.get("client_id")
realm = module.params.get("realm")
resources = module.params.get("resources")
scopes = module.params.get("scopes")
policies = module.params.get("policies")
if permission_type == 'scope' and state == 'present':
if permission_type == "scope" and state == "present":
if scopes == []:
module.fail_json(msg='Scopes need to defined when permission type is set to scope!')
module.fail_json(msg="Scopes need to defined when permission type is set to scope!")
if len(resources) > 1:
module.fail_json(msg='Only one resource can be defined for a scope permission!')
module.fail_json(msg="Only one resource can be defined for a scope permission!")
if permission_type == 'resource' and state == 'present':
if permission_type == "resource" and state == "present":
if resources == []:
module.fail_json(msg='A resource need to defined when permission type is set to resource!')
module.fail_json(msg="A resource need to defined when permission type is set to resource!")
if scopes != []:
module.fail_json(msg='Scopes cannot be defined when permission type is set to resource!')
module.fail_json(msg="Scopes cannot be defined when permission type is set to resource!")
result = dict(changed=False, msg='', end_state={})
result = dict(changed=False, msg="", end_state={})
# Obtain access token, initialize API
try:
@ -294,26 +298,25 @@ def main():
# Get id of the client based on client_id
cid = kc.get_client_id(client_id, realm=realm)
if not cid:
module.fail_json(msg=f'Invalid client {client_id} for realm {realm}')
module.fail_json(msg=f"Invalid client {client_id} for realm {realm}")
# Get current state of the permission using its name as the search
# filter. This returns False if it is not found.
permission = kc.get_authz_permission_by_name(
name=name, client_id=cid, realm=realm)
permission = kc.get_authz_permission_by_name(name=name, client_id=cid, realm=realm)
# Generate a JSON payload for Keycloak Admin API. This is needed for
# "create" and "update" operations.
payload = {}
payload['name'] = name
payload['description'] = description
payload['type'] = permission_type
payload['decisionStrategy'] = decision_strategy
payload['logic'] = 'POSITIVE'
payload['scopes'] = []
payload['resources'] = []
payload['policies'] = []
payload["name"] = name
payload["description"] = description
payload["type"] = permission_type
payload["decisionStrategy"] = decision_strategy
payload["logic"] = "POSITIVE"
payload["scopes"] = []
payload["resources"] = []
payload["policies"] = []
if permission_type == 'scope':
if permission_type == "scope":
# Add the resource id, if any, to the payload. While the data type is a
# list, it is only possible to have one entry in it based on what Keycloak
# Admin Console does.
@ -323,30 +326,36 @@ def main():
if resources:
r = kc.get_authz_resource_by_name(resources[0], cid, realm)
if not r:
module.fail_json(msg=f'Unable to find authorization resource with name {resources[0]} for client {cid} in realm {realm}')
module.fail_json(
msg=f"Unable to find authorization resource with name {resources[0]} for client {cid} in realm {realm}"
)
else:
payload['resources'].append(r['_id'])
payload["resources"].append(r["_id"])
for rs in r['scopes']:
resource_scopes.append(rs['id'])
for rs in r["scopes"]:
resource_scopes.append(rs["id"])
# Generate a list of scope ids based on scope names. Fail if the
# defined resource does not include all those scopes.
for scope in scopes:
s = kc.get_authz_authorization_scope_by_name(scope, cid, realm)
if r and not s['id'] in resource_scopes:
module.fail_json(msg=f'Resource {resources[0]} does not include scope {scope} for client {client_id} in realm {realm}')
if r and not s["id"] in resource_scopes:
module.fail_json(
msg=f"Resource {resources[0]} does not include scope {scope} for client {client_id} in realm {realm}"
)
else:
payload['scopes'].append(s['id'])
payload["scopes"].append(s["id"])
elif permission_type == 'resource':
elif permission_type == "resource":
if resources:
for resource in resources:
r = kc.get_authz_resource_by_name(resource, cid, realm)
if not r:
module.fail_json(msg=f'Unable to find authorization resource with name {resource} for client {cid} in realm {realm}')
module.fail_json(
msg=f"Unable to find authorization resource with name {resource} for client {cid} in realm {realm}"
)
else:
payload['resources'].append(r['_id'])
payload["resources"].append(r["_id"])
# Add policy ids, if any, to the payload.
if policies:
@ -354,20 +363,26 @@ def main():
p = kc.get_authz_policy_by_name(policy, cid, realm)
if p:
payload['policies'].append(p['id'])
payload["policies"].append(p["id"])
else:
module.fail_json(msg=f'Unable to find authorization policy with name {policy} for client {client_id} in realm {realm}')
module.fail_json(
msg=f"Unable to find authorization policy with name {policy} for client {client_id} in realm {realm}"
)
# Add "id" to payload for update operations
if permission:
payload['id'] = permission['id']
payload["id"] = permission["id"]
# Handle the special case where the user attempts to change an already
# existing permission's type - something that can't be done without a
# full delete -> (re)create cycle.
if permission['type'] != payload['type']:
module.fail_json(msg=(f"Modifying the type of permission (scope/resource) is not supported: "
f"permission {permission['id']} of client {cid} in realm {realm} unchanged"))
if permission["type"] != payload["type"]:
module.fail_json(
msg=(
f"Modifying the type of permission (scope/resource) is not supported: "
f"permission {permission['id']} of client {cid} in realm {realm} unchanged"
)
)
# Updating an authorization permission is tricky for several reasons.
# Firstly, the current permission is retrieved using a _policy_ endpoint,
@ -385,43 +400,47 @@ def main():
#
# The approach taken here is a).
#
if permission and state == 'present':
if permission and state == "present":
if module.check_mode:
result['msg'] = 'Notice: unable to check current resources, scopes and policies for permission. \
Would apply desired state without checking the current state.'
result["msg"] = "Notice: unable to check current resources, scopes and policies for permission. \
Would apply desired state without checking the current state."
else:
kc.update_authz_permission(payload=payload, permission_type=permission_type, id=permission['id'], client_id=cid, realm=realm)
result['msg'] = 'Notice: unable to check current resources, scopes and policies for permission. \
Applying desired state without checking the current state.'
kc.update_authz_permission(
payload=payload, permission_type=permission_type, id=permission["id"], client_id=cid, realm=realm
)
result["msg"] = "Notice: unable to check current resources, scopes and policies for permission. \
Applying desired state without checking the current state."
# Assume that something changed, although we don't know if that is the case.
result['changed'] = True
result['end_state'] = payload
elif not permission and state == 'present':
result["changed"] = True
result["end_state"] = payload
elif not permission and state == "present":
if module.check_mode:
result['msg'] = 'Would create permission'
result["msg"] = "Would create permission"
else:
kc.create_authz_permission(payload=payload, permission_type=permission_type, client_id=cid, realm=realm)
result['msg'] = 'Permission created'
result["msg"] = "Permission created"
result['changed'] = True
result['end_state'] = payload
elif permission and state == 'absent':
result["changed"] = True
result["end_state"] = payload
elif permission and state == "absent":
if module.check_mode:
result['msg'] = 'Would remove permission'
result["msg"] = "Would remove permission"
else:
kc.remove_authz_permission(id=permission['id'], client_id=cid, realm=realm)
result['msg'] = 'Permission removed'
kc.remove_authz_permission(id=permission["id"], client_id=cid, realm=realm)
result["msg"] = "Permission removed"
result['changed'] = True
result["changed"] = True
elif not permission and state == 'absent':
result['changed'] = False
elif not permission and state == "absent":
result["changed"] = False
else:
module.fail_json(msg=f'Unable to determine what to do with permission {name} of client {client_id} in realm {realm}')
module.fail_json(
msg=f"Unable to determine what to do with permission {name} of client {client_id} in realm {realm}"
)
module.exit_json(**result)
if __name__ == '__main__':
if __name__ == "__main__":
main()
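Review bot: In the `@ -323,30 +326,36 @@` hunk, `s = kc.get_authz_authorization_scope_by_name(scope, cid, realm)` is dereferenced as `s["id"]` on the following lines with no falsy check, unlike the sibling lookups `r` and `p`, which are guarded with `if not r` / `if p`; if that helper returns False for an unknown scope name (as the comment in the `@ -294,26 +298,25 @@` hunk says `get_authz_permission_by_name` does), a misspelled scope ends in a TypeError rather than a clean `fail_json`. A guard such as `if not s:` followed by `module.fail_json(msg=f"Unable to find authorization scope with name {scope} for client {client_id} in realm {realm}")` would match the other branches, though I cannot confirm the helper's return value from here. The same loop spells the membership test as `not s["id"] in resource_scopes`, which reads better as `s["id"] not in resource_scopes`. Separately, the `@ -232,56 +236,56 @@` hunk keeps `realm = module.params.get("realm")` assigned twice; dropping the second assignment is harmless. `main()` begins before the first hunk of this file.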