#!/usr/bin/python # Copyright (c) 2017, Eike Frost # Copyright (c) 2021, Christophe Gilles # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or # https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later from __future__ import annotations DOCUMENTATION = r""" module: keycloak_authz_custom_policy short_description: Allows administration of Keycloak client custom Javascript policies using Keycloak API version_added: 7.5.0 description: - This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript policies are only available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files. - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles. - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). attributes: check_mode: support: full diff_mode: support: none action_group: version_added: 10.2.0 options: state: description: - State of the custom policy. - On V(present), the custom policy is created (or updated if it exists already). - On V(absent), the custom policy is removed if it exists. choices: ['present', 'absent'] default: 'present' type: str name: description: - Name of the custom policy to create. type: str required: true policy_type: description: - The type of the policy. This must match the name of the custom policy deployed to the server. - Multiple policies pointing to the same policy type can be created, but their names have to differ. type: str required: true client_id: description: - The V(clientId) of the Keycloak client that should have the custom policy attached to it. - This is usually a human-readable name of the Keycloak client. type: str required: true realm: description: - The name of the Keycloak realm the Keycloak client is in. type: str required: true extends_documentation_fragment: - community.general.keycloak - community.general.keycloak.actiongroup_keycloak - community.general.attributes author: - Samuli Seppänen (@mattock) """ EXAMPLES = r""" - name: Manage Keycloak custom authorization policy community.general.keycloak_authz_custom_policy: name: OnlyOwner state: present policy_type: script-policy.js client_id: myclient realm: myrealm auth_keycloak_url: http://localhost:8080/auth auth_username: keycloak auth_password: keycloak auth_realm: master """ RETURN = r""" msg: description: Message as to what action was taken. returned: always type: str end_state: description: Representation of the custom policy after module execution. returned: on success type: dict contains: name: description: Name of the custom policy. type: str returned: when I(state=present) sample: file:delete policy_type: description: Type of custom policy. type: str returned: when I(state=present) sample: File delete """ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import ( KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, ) from ansible.module_utils.basic import AnsibleModule def main(): """ Module execution :return: """ argument_spec = keycloak_argument_spec() meta_args = dict( state=dict(type="str", default="present", choices=["present", "absent"]), name=dict(type="str", required=True), policy_type=dict(type="str", required=True), client_id=dict(type="str", required=True), realm=dict(type="str", required=True), ) argument_spec.update(meta_args) module = AnsibleModule( argument_spec=argument_spec, supports_check_mode=True, required_one_of=( [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]] ), required_together=([["auth_username", "auth_password"]]), required_by={"refresh_token": "auth_realm"}, ) result = dict(changed=False, msg="", end_state={}) # Obtain access token, initialize API try: connection_header = get_token(module.params) except KeycloakError as e: module.fail_json(msg=str(e)) kc = KeycloakAPI(module, connection_header) # Convenience variables state = module.params.get("state") name = module.params.get("name") policy_type = module.params.get("policy_type") client_id = module.params.get("client_id") realm = module.params.get("realm") cid = kc.get_client_id(client_id, realm=realm) if not cid: module.fail_json(msg=f"Invalid client {client_id} for realm {realm}") before_authz_custom_policy = kc.get_authz_policy_by_name(name=name, client_id=cid, realm=realm) desired_authz_custom_policy = {} desired_authz_custom_policy["name"] = name desired_authz_custom_policy["type"] = policy_type # Modifying existing custom policies is not possible if before_authz_custom_policy and state == "present": result["msg"] = f"Custom policy {name} already exists" result["changed"] = False result["end_state"] = desired_authz_custom_policy elif not before_authz_custom_policy and state == "present": if module.check_mode: result["msg"] = f"Would create custom policy {name}" else: kc.create_authz_custom_policy( payload=desired_authz_custom_policy, policy_type=policy_type, client_id=cid, realm=realm ) result["msg"] = f"Custom policy {name} created" result["changed"] = True result["end_state"] = desired_authz_custom_policy elif before_authz_custom_policy and state == "absent": if module.check_mode: result["msg"] = f"Would remove custom policy {name}" else: kc.remove_authz_custom_policy(policy_id=before_authz_custom_policy["id"], client_id=cid, realm=realm) result["msg"] = f"Custom policy {name} removed" result["changed"] = True result["end_state"] = {} elif not before_authz_custom_policy and state == "absent": result["msg"] = f"Custom policy {name} does not exist" result["changed"] = False result["end_state"] = {} module.exit_json(**result) if __name__ == "__main__": main()