diff --git a/defaults/main.yaml b/defaults/main.yaml
index bad3f6c..46acdb2 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -9,7 +9,8 @@ workflows:
 - user-group_deleted
 - user-group-role_deleted
 - delete-user-account
- - role_created
+ - role_created
+ - add_role_policy_permission
 keycloak_host: "https://accounts.dev.d4science.org/auth"
 keycloak: "{{ keycloak_host }}/realms"
 keycloak_realm: "d4science"
diff --git a/templates/role_created.json.j2 b/templates/role_created.json.j2
index ce229b8..ebfd4ad 100644
--- a/templates/role_created.json.j2
+++ b/templates/role_created.json.j2
@@ -126,32 +126,20 @@
 },
 {
 "name": "LAMBDA_TASK",
- "taskReferenceName": "reorder_roles",
+ "taskReferenceName": "build_policy_permission_tasks",
 "type": "LAMBDA",
 "inputParameters": {
- "role" : "${workflow.input.role}",
 "roles" : "${join_parallel_getting_back.output[*].body}",
- "vres" : "${get_all_vres.output.body}",
- "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.vres.length;i++)vre=$.vres[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+i}),inputs['create_role_policy_'+i]={url:'${init.input.keycloak_admin}/clients/' + vre.id + '/authz/resource-server/policy/role',body:{name:$.role +'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:$.roles[i].id,required:true}],'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize.output.body.access_token}','Content-Type' : 'application/json',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
- }
- },
- {
- "name": "LAMBDA_TASK",
- "taskReferenceName": "build_add_policy_tasks",
- "type": "LAMBDA",
- "inputParameters": {
- "role" : "${workflow.input.role}",
- "roles" : "${join_parallel_getting_back.output[*].body}",
- "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+i}),inputs['create_role_policy_'+i]={url:'${init.input.keycloak_admin}/clients/' + r.containerId + '/authz/resource-server/policy/role',body:{name:$.role +'_policy',description:'Policy for being in ' + $.role,type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}],'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize.output.body.access_token}','Content-Type' : 'application/json',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+ "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'call_policy_workflow_'+i, subWorkflowParam:{ name:'add_role_policy_permission'}}),inputs['call_policy_workflow_'+i]={role:Java.to(r,'java.util.Map')}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
 }
 },
 {
 "name" : "fork_dynamic",
 "type" : "FORK_JOIN_DYNAMIC",
- "taskReferenceName" : "parallel_add_policy_role",
+ "taskReferenceName" : "parallel_call_policy_permission_workflow",
 "inputParameters" : {
- "tasks" : "${build_add_policy_tasks.output.result.tasks}",
- "inputs" : "${build_add_policy_tasks.output.result.inputs}"
+ "tasks" : "${build_policy_permission_tasks.output.result.tasks}",
+ "inputs" : "${build_policy_permission_tasks.output.result.inputs}"
 },
 "dynamicForkTasksParam": "tasks",
 "dynamicForkTasksInputParamName": "inputs"
@@ -159,7 +147,7 @@
 {
 "name" : "join",
 "type" : "JOIN",
- "taskReferenceName" : "join_parallel_policy_addition"
+ "taskReferenceName" : "join_parallel_policy_permission_addition"
 }
 ]
 }
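Review bot: The new `scriptExpression` in `build_policy_permission_tasks` closes one brace too many: `inputs['call_policy_workflow_'+i]={role:Java.to(r,'java.util.Map')}};return` opens a single `{`, whereas the removed script needed `}}` to close its nested `headers` object, so as shown the lambda will most likely fail to parse and the dynamic fork is never built. The assignment should end as `={role:Java.to(r,'java.util.Map')};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};`. The earlier tasks of this workflow lie outside the hunk, but if they have already created the role in Keycloak, a failure at this step leaves the role without its policy and permission, so the template deserves a run against a non-production realm before rollout. Separately, `subWorkflowParam:{ name:'add_role_policy_permission'}` carries no `version`, which in Conductor resolves to the latest registered definition; pinning it (`version:<PINNED_VERSION>`, a placeholder) keeps the definition that edits Keycloak authorization settings under change control.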