Add keycloak_realm_rolemapping module to map realm roles to groups (#…

…7663) * Add keycloak_realm_rolemapping module to map realm roles to groups * Whitespace * Description in plain English * Casing * Update error reporting as per #7645 * Add agross as maintainer of keycloak_realm_rolemapping module * cid and client_id are not used here * Credit other authors * mhuysamen submitted #7645 * Gaetan2907 authored keycloak_client_rolemapping.py which I took as a basis * Add integration tests * With Keycloak 23 realmRoles are only returned if assigned * Remove debug statement * Add test verifying that unmap works when no realm roles are assigned * Add license to readme * Change version number this module was added * Document which versions of the docker images have been tested * Downgrade version_added Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Felix Fontein <felix@fontein.de>
ansible-collections · Dec 28, 2023 · f7bc696 · f7bc696
1 parent dfb9b1b
commit f7bc696
Show file tree

Hide file tree

Showing 7 changed files with 627 additions and 0 deletions.
diff --git a/.github/BOTMETA.yml b/.github/BOTMETA.yml
@@ -756,6 +756,8 @@ files:
  maintainers: laurpaum
  $modules/keycloak_user_rolemapping.py:
  maintainers: bratwurzt
+ $modules/keycloak_realm_rolemapping.py:
+ maintainers: agross mhuysamen Gaetan2907
  $modules/keyring.py:
  maintainers: ahussey-redhat
  $modules/keyring_info.py:

diff --git a/plugins/module_utils/identity/keycloak/keycloak.py b/plugins/module_utils/identity/keycloak/keycloak.py
@@ -78,6 +78,8 @@
 URL_CLIENT_USER_ROLEMAPPINGS_AVAILABLE = "{url}/admin/realms/{realm}/users/{id}/role-mappings/clients/{client}/available"
 URL_CLIENT_USER_ROLEMAPPINGS_COMPOSITE = "{url}/admin/realms/{realm}/users/{id}/role-mappings/clients/{client}/composite"
 
+URL_REALM_GROUP_ROLEMAPPINGS = "{url}/admin/realms/{realm}/groups/{group}/role-mappings/realm"
+
 URL_CLIENTSECRET = "{url}/admin/realms/{realm}/clients/{id}/client-secret"
 
 URL_AUTHENTICATION_FLOWS = "{url}/admin/realms/{realm}/authentication/flows"
@@ -626,6 +628,38 @@ def add_client_roles_by_id_composite_rolemapping(self, rid, roles_rep, realm="ma
  self.fail_open_url(e, msg="Could not assign roles to composite role %s and realm %s: %s"
  % (rid, realm, str(e)))
 
+ def add_group_realm_rolemapping(self, gid, role_rep, realm="master"):
+ """ Add the specified realm role to specified group on the Keycloak server.
+
+ :param gid: ID of the group to add the role mapping.
+ :param role_rep: Representation of the role to assign.
+ :param realm: Realm from which to obtain the rolemappings.
+ :return: None.
+ """
+ url = URL_REALM_GROUP_ROLEMAPPINGS.format(url=self.baseurl, realm=realm, group=gid)
+ try:
+ open_url(url, method="POST", http_agent=self.http_agent, headers=self.restheaders, data=json.dumps(role_rep),
+ validate_certs=self.validate_certs, timeout=self.connection_timeout)
+ except Exception as e:
+ self.fail_open_url(e, msg="Could add realm role mappings for group %s, realm %s: %s"
+ % (gid, realm, str(e)))
+
+ def delete_group_realm_rolemapping(self, gid, role_rep, realm="master"):
+ """ Delete the specified realm role from the specified group on the Keycloak server.
+
+ :param gid: ID of the group from which to obtain the rolemappings.
+ :param role_rep: Representation of the role to assign.
+ :param realm: Realm from which to obtain the rolemappings.
+ :return: None.
+ """
+ url = URL_REALM_GROUP_ROLEMAPPINGS.format(url=self.baseurl, realm=realm, group=gid)
+ try:
+ open_url(url, method="DELETE", http_agent=self.http_agent, headers=self.restheaders, data=json.dumps(role_rep),
+ validate_certs=self.validate_certs, timeout=self.connection_timeout)
+ except Exception as e:
+ self.fail_open_url(e, msg="Could not delete realm role mappings for group %s, realm %s: %s"
+ % (gid, realm, str(e)))
+
  def add_group_rolemapping(self, gid, cid, role_rep, realm="master"):
  """ Fetch the composite role of a client in a specified group on the Keycloak server.