Commit
Merge pull request #225 from world-direct/feature/224_policy_files
#224:  keycloak_quarkus: Add support for policy files
guidograzioli authored May 14, 2024
2 parents 599ce01 + 6682853 commit 1b69191
Showing 6 changed files with 64 additions and 0 deletions.
6 changes: 6 additions & 0 deletions molecule/quarkus/converge.yml
@@ -31,6 +31,12 @@
value: 10
- id: spid-saml
url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
keycloak_quarkus_policies:
- name: "xato-net-10-million-passwords.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
- name: "xato-net-10-million-passwords-10.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
type: password-blacklists
roles:
- role: keycloak_quarkus
- role: keycloak_realm
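Review bot: both test fixtures are fetched from the `master` ref of the SecLists repository, so the molecule scenario depends on content that can change at any time; pin the URLs to a tag or commit (a placeholder such as `raw/<commit-sha>/Passwords/...`) so converge runs are reproducible. The entry names also suggest that the first file is a full 10-million-line list, which is a lot to download in CI just to exercise the default `type` path; the `-10` variant alone would cover both the explicit and the defaulted `type` if the two entries were swapped.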
16 changes: 16 additions & 0 deletions roles/keycloak_quarkus/README.md
@@ -176,6 +176,22 @@ bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-cl
```


#### Configuring policies

| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_policies`| List of policy definitions; see below | `[]` |

Provider definition:

```yaml
keycloak_quarkus_policies:
- name: xato-net-10-million-passwords.txt # required, resulting file name
url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
```
Role Variables
--------------
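Review bot: the lead-in line above the example reads "Provider definition:" but this section documents `keycloak_quarkus_policies`; it should say "Policy definition:" (looks like a copy of the providers section). It would also help the reader to state where the file ends up (from the install task: `{{ keycloak.home }}/data/<type>/<name>`), since that is the path Keycloak's password policy has to be pointed at, and to note that `name` is used verbatim as the file name on disk.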
2 changes: 2 additions & 0 deletions roles/keycloak_quarkus/defaults/main.yml
@@ -150,3 +150,5 @@ keycloak_quarkus_ks_vault_type: PKCS12
keycloak_quarkus_ks_vault_pass:

keycloak_quarkus_providers: []
keycloak_quarkus_policies: []
keycloak_quarkus_supported_policy_types: ['password-blacklists']
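Review bot: `keycloak_quarkus_supported_policy_types` is placed in `defaults/`, so any playbook can override it, and the install task then creates `{{ keycloak.home }}/data/<value>` for whatever is supplied and the prereqs assert accepts any `type` found in it. If the list is meant to express what the role supports rather than a user setting, move it to `vars/main.yml` where it is not overridable by inventory.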
8 changes: 8 additions & 0 deletions roles/keycloak_quarkus/meta/argument_specs.yml
@@ -394,6 +394,14 @@ argument_specs:
description: "List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'default': bool, 'properties': list of key/value }"
default: []
type: "list"
keycloak_quarkus_supported_policy_types:
description: "List of str of supported policy types"
default: ['password-blacklists']
type: "list"
keycloak_quarkus_policies:
description: "List of policy definition dicts: { 'name': str, 'url': str, 'type': str }"
default: []
type: "list"
keycloak_quarkus_jdbc_download_url:
description: "Override the default Maven Central download URL for the JDBC driver"
type: "str"
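Review bot: the two new entries declare only `type: "list"`; adding `elements: dict` for `keycloak_quarkus_policies` and `elements: str` for `keycloak_quarkus_supported_policy_types`, plus an `options:` block with `name` (required), `url` (required) and `type` (`choices: ['password-blacklists']`), would let the argument spec reject malformed entries before the prereqs assert runs. The description of `keycloak_quarkus_supported_policy_types` should also say whether users are expected to change it.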
22 changes: 22 additions & 0 deletions roles/keycloak_quarkus/tasks/install.yml
@@ -226,3 +226,25 @@
loop: "{{ keycloak_quarkus_providers }}"
when: item.url is defined and item.url | length > 0
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"

- name: Ensure required folder structure for policies exits
ansible.builtin.file:
path: "{{ keycloak.home }}/data/{{ item | lower }}"
state: directory
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0750'
become: true
loop: "{{ keycloak_quarkus_supported_policy_types }}"

- name: "Install custom policies"
ansible.builtin.get_url:
url: "{{ item.url }}"
dest: "{{ keycloak.home }}/data/{{ item.type|default(keycloak_quarkus_supported_policy_types | first) | lower }}/{{ item.name }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_policies }}"
when: item.url is defined and item.url | length > 0
notify: "restart keycloak"
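Review bot: the `get_url` task in "Install custom policies" downloads the blacklist over the network with no `checksum`, so a changed or tampered file is installed silently and will then shape which passwords the realm accepts; add an optional `checksum` key to the policy definition and pass it through as `checksum: "{{ item.checksum | default(omit) }}"`. In the same task `dest` interpolates `item.name` unchanged, while prereqs only checks that it is non-empty; a name containing `/` or `..` resolves outside `data/<type>/`, so either reject such names in the validation step or use `item.name | basename`. Minor: the `dest` expression uses `item.type|default(...)` while the rest of the role writes ` | default(...)` with spaces, and the `when: item.url is defined ...` guard duplicates what prereqs already asserts.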
10 changes: 10 additions & 0 deletions roles/keycloak_quarkus/tasks/prereqs.yml
@@ -65,3 +65,13 @@
quiet: true
fail_msg: "Providers definition is incorrect; `id` and one of `spi` or `url` are mandatory. `key` and `value` are mandatory for each property"
loop: "{{ keycloak_quarkus_providers }}"

- name: "Validate policies"
ansible.builtin.assert:
that:
- item.name is defined and item.name | length > 0
- item.url is defined and item.url | length > 0
- item.type is not defined or item.type | lower in keycloak_quarkus_supported_policy_types
quiet: true
fail_msg: "Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}."
loop: "{{ keycloak_quarkus_policies }}"
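Review bot: the `fail_msg` in "Validate policies" reads "`name` and one of `url` are mandatory", which is left over from the providers message above it where "one of `spi` or `url`" made sense; for policies both `name` and `url` are required, so it should read "`name` and `url` are mandatory". The `that:` list could also check `item.name | basename == item.name`, since `name` becomes the on-disk file name in the install task, and compare `item.type | lower` consistently with how the install task lowercases it (it already does; just keep the two in sync if either changes).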

0 comments on commit 1b69191