8000 New Module: Keycloak Client ScopeMapping by fynncfchen · Pull Request #4017 · ansible-collections/community.general · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

New Module: Keycloak Client ScopeMapping #4017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 17 commits into from
Closed

New Module: Keycloak Client ScopeMapping #4017

wants to merge 17 commits into from

Conversation

fynncfchen
Copy link
Contributor
@fynncfchen fynncfchen commented Jan 9, 2022
edited
Loading
SUMMARY

Add keycloak_client_scopemapping module to provide manage client scope mappings for other clients or realm (not support yet).

Different from keycloak_client_rolemapping module, the keycloak_client_scopemapping module is creating mappings between clients but the keycloak_client_rolemapping module is creating mapping associate with client and group, and can't assign role from different clients (it seems to be a bug and can be fixed later)

ISSUE TYPE
  • New Module Pull Request
COMPONENT NAME

keycloak_client_scopemapping

ADDITIONAL INFORMATION

Example:

- name: Map a client role to a client, authentication with credentials
  community.general.keycloak_client_scope_mapping:
    realm: MyCustomRealm
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    state: present
    client_id: client1
    client_role:
        client_id: client2
        roles:
          - name: role_name1
            id: role_id1
          - name: role_name2
            id: role_id2
  delegate_to: localhost

- name: Map a client role to a client, authentication with token
  community.general.keycloak_client_scope_mapping:
    realm: MyCustomRealm
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    token: TOKEN
    state: present
    id: 6e1d65de-f01a-4d3a-b7c6-3d581165966f
    client_role:
        id: 6e1d65de-f01a-4d3a-b7c6-3d581165966f
        roles:
          - name: role_name1
            id: role_id1
          - name: role_name2
            id: role_id2
  delegate_to: localhost

- name: Unmap client role from a client
  community.general.keycloak_client_scope_mapping:
    realm: MyCustomRealm
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    state: absent
    id: 6e1d65de-f01a-4d3a-b7c6-3d581165966f
    client_role:
        id: 52c4d786-b790-4570-9fc2-037aee19a2c2
        roles:
          - name: role_name3
            id: role_id3
  delegate_to: localhost

@ansibullbot
Copy link
Collaborator

cc @Gaetan2907 @eikef @ndclt
click here for bot help

@ansibullbot ansibullbot added identity module module module_utils module_utils needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR new_contributor Help guide this first time contributor new_plugin New plugin plugins plugin (any type) tests tests unit tests/unit labels Jan 9, 2022
@ansibullbot

This comment has been minimized.

Sign in to view
@ansibullbot ansibullbot added ci_verified Push fixes to PR branch to re-run CI and removed needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI labels Jan 9, 2022
@felixfontein felixfontein added backport-4 check-before-release PR will be looked at again shortly before release and merged if possible. labels Jan 9, 2022
@felixfontein felixfontein mentioned this pull request Jan 9, 2022
Closed
@ansibullbot ansibullbot removed ci_verified Push fixes to PR branch to re-run CI new_contributor Help guide this first time contributor needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR labels Jan 11, 2022
@ansibullbot ansibullbot added the needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI label Jan 22, 2022
@fynncfchen @felixfontein
Update plugins/modules/identity/keycloak/keycloak_client_scopemapping.py
01c0496 
Co-authored-by: Felix Fontein <felix@fontein.de>
@ansibullbot ansibullbot removed the needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI label Jan 22, 2022
pmdumuid
pmdumuid reviewed Jan 22, 2022
View reviewed changes
pmdumuid
pmdumuid reviewed Jan 22, 2022
View reviewed changes
plugins/modules/identity/keycloak/keycloak_client_scopemapping.py
id: role_id1
- name: role_name2
id: role_id2
delegate_to: localhost
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The name of this example implies that it is the same example as the former one, but with different authentication solution. However, I note that the client-id's are different - which may be confusing.

However, I'm not actually sure of the benefit to the reader by showing both authentication variations, particularly as there's no example included of how to get the token itself in ansible.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The clients' IDs should be different, one is for the client to be granted, another is the client with roles, I know it's confusing but I have no idea for naming them differently, for now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @fynncfchen. My concern wasn't with there being different client Id's, but rather than the name of the examples compared to the name of the previous example implied there was only a difference in how the module authenticates.

pmdumuid
pmdumuid reviewed Jan 22, 2022
View reviewed changes
pmdumuid
pmdumuid reviewed Jan 22, 2022
View reviewed changes
plugins/modules/identity/keycloak/keycloak_client_scopemapping.py
"attributes": {
"request.object.signature.alg": "RS256",
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is these sample actually true? The seem cut-n-pasted from a different function. The code you have shows that the content of end_state is the value of assigned_roles_after which this doesn't look like it represents.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I actually copy it from another function. I'm not sure this will represent and I should make a double check with it.

pmdumuid
pmdumuid reviewed Jan 22, 2022
View reviewed changes
plugins/modules/identity/keycloak/keycloak_client_scopemapping.py
if role['id'] is None:
role['id'] = kc.get_client_role_id_by_name(cid, role['name'], realm=realm)
if role['id'] is None:
module.fail_json(msg='Could not fetch role %s:' % (role['name']))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just an observation is that get_client_role_id_by_name, even though that function seems to get the full list of client roles and filters for just the name. This would imply that this solution is wasteful - either the web request could include a query parameter for the role's name, or the list could be filtered for each iteration of this for loop.

However, for most use cases, I don't think this is a great concern.

pmdumuid
pmdumuid reviewed Jan 22, 2022
View reviewed changes
plugins/modules/identity/keycloak/keycloak_client_scopemapping.py
if role['name'] is None:
role['name'] = kc.get_client_role_name_by_id(client_role['id'], role['id'], realm=realm)
if role['name'] is None:
module.fail_json(msg='Could not fetch role %s:' % (role['id']))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the function to get_client_role_name_by_id performs the same request to Keycloak as the one above (i.e. without any query parameters). The wastefulness described above is this potentially double by this solution.

fynncfchen and others added 2 commits January 24, 2022 17:54
@fynncfchen @pmdumuid
Update plugins/modules/identity/keycloak/keycloak_client_scopemapping.py
b0cac15 
Co-authored-by: Pierre Dumuid <pmdumuid@gmail.com>
@fynncfchen @felixfontein
Update plugins/modules/identity/keycloak/keycloak_client_scopemapping.py
f2982ff 
Co-authored-by: Felix Fontein <felix@fontein.de>
@ansibullbot ansibullbot added the needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI label Jan 24, 2022
@ansibullbot ansibullbot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR and removed needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR labels Jan 24, 2022
@felixfontein
Copy link
Collaborator

@fynncfchen @pmdumuid what's the current state of this PR? @fynncfchen are you planning to do more changes? @pmdumuid do you think there should be more changes?

@ansibullbot ansibullbot added the stale_ci CI is older than 7 days, rerun before merging label Feb 7, 2022
felixfontein
felixfontein reviewed Feb 14, 2022
View reviewed changes
plugins/module_utils/identity/keycloak/keycloak.py
url=self.baseurl, realm=realm, id=cid, client=client)
try:
open_url(client_scopemappings_client_url, method="POST", headers=self.restheaders,
data=json.dumps(rolereps), validate_certs=self.validate_certs)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This (and others) need to be adjusted similar to #4178.

@felixfontein
Copy link
Collaborator

This New Module PR contains a symbolic link from plugins/modules/ to the actual Python file. Since #4562 this is no longer necessary and will soon be flagged as an error. Instead you need to add an entry to meta/runtime.yml, similar to this one: https://github.com/ansible-collections/community.general/blob/main/meta/runtime.yml#L21-L22

See also our updated instructions on creating new modules: https://github.com/ansible-collections/community.general/blob/main/CONTRIBUTING.md#creating-new-modules-or-plugins

@felixfontein
Copy link
Collaborator

needs_info

@ansibullbot ansibullbot added the needs_info This issue requires further information. Please answer any outstanding questions label May 14, 2022
@ansibullbot
Copy link
Collaborator

@fynncfchen This pullrequest is waiting for your response. Please respond or the pullrequest will be closed.

click here for bot help

@ansibullbot
Copy link
Collaborator

@fynncfchen You have not responded to information requests in this pullrequest so we will assume it no longer affects you. If you are still interested in this, please create a new pullrequest with the requested information.

click here for bot help

@github-actions
Copy link

Docs Build 📝

This PR is closed and any previously published docsite has been unpublished.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmdumuid pmdumuid pmdumuid left review comments

@felixfontein felixfontein felixfontein left review comments

Assignees
No one assigned
Labels
check-before-release PR will be looked at again shortly before release and merged if possible. identity module_utils module_utils module module needs_info This issue requires further information. Please answer any outstanding questions new_plugin New plugin plugins plugin (any type) stale_ci CI is older than 7 days, rerun before merging tests tests unit tests/unit
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fynncfchen @ansibullbot @felixfontein @pmdumuid
0