From 872358fcc81effc2af34b1beb094259e2cf2d35b Mon Sep 17 00:00:00 2001
From: "m.lettere"
Date: Wed, 15 May 2024 15:32:00 +0200
Subject: [PATCH] added new keycloak delete account workflow
---
 defaults/main.yaml | 3 +-
 templates/keycloak_delete_account.json.j2 | 306 ++++++++++++++++++++++
 2 files changed, 308 insertions(+), 1 deletion(-)
 create mode 100644 templates/keycloak_delete_account.json.j2
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 45c6c13..90a9946 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -3,12 +3,13 @@ workflows:
 # - create-user-add-to-vre
 # - group_deleted
 # - user-group_created
- - user-group-role_created
+ # - user-group-role_created
 # - group_created
 # - invitation-accepted
 # - user-group_deleted
 # - user-group-role_deleted
 # - delete-user-account
+ - keycloak_delete_account
 # - role_deleted
 # - role_created
 # - add_role_policy_permission
diff --git a/templates/keycloak_delete_account.json.j2 b/templates/keycloak_delete_account.json.j2
new file mode 100644
index 0000000..6d2e2cd
--- /dev/null
+++ b/templates/keycloak_delete_account.json.j2
@@ -0,0 +1,306 @@ +{ + "ownerApp": "Orchestrator", + "createTime": 1712929588891, + "updateTime": 1712930905661, + "accessPolicy": {}, + "name": "keycloak_delete_account", + "description": "Handle Admin events from Keycloak", + "version": 4, + "tasks": [ + { + "name": "INLINE_TASK", + "taskReferenceName": "init", + "inputParameters": { + "root_vo": "{{ root_vo }}", + "keycloak": "{{ keycloak }}/${workflow.input.realm}", + "keycloak_admin": "{{ keycloak_admin }}/${workflow.input.realm}", + "liferay": "{{ liferay }}", + "liferay_auth": "{{ liferay_auth }}", + "keycloak_username": "${workflow.input.username}", + "evaluatorType": "javascript", + "expression": "function f(){ return { 'decoded_root_vo' : $.root_vo.replace('%2F','/'), 'encoded_root_vo' : encodeURIComponent($.root_vo)}} f()" + }, + "type": "INLINE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "pyrest", + "taskReferenceName": "authorize", + "inputParameters": { + "url": "${init.input.keycloak}/protocol/openid-connect/token", + "method": "POST", + "headers": { + "Accept": "application/json" + }, + "body": { + "client_id": "orchestrator", + "client_secret" : "{{ keycloak_auth }}", + "grant_type": "client_credentials" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "fork_join", + "taskReferenceName": "global_delete_user", + "inputParameters": {}, + "type": "FORK_JOIN", + "forkTasks": [ + [ + { + "name": "pyrest", + "taskReferenceName": "lookup_lr_company", + "inputParameters": { + "url": "${init.input.liferay}/company/get-company-by-web-id", + "method": "GET", + "params": { + "webId": "liferay.com" + }, + "headers": { + "Authorization": "Basic ${init.input.liferay_auth}", + "Accept": "application/json" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "pyrest", + 
"taskReferenceName": "lookup_lr_user_by_screenname", + "inputParameters": { + "url": "${init.input.liferay}/user/get-user-by-screen-name", + "method": "GET", + "params": { + "companyId": "${lookup_lr_company.output.body.companyId}", + "screenName": "${init.input.keycloak_username}" + }, + "headers": { + "Authorization": "Basic ${init.input.liferay_auth}", + "Accept": "application/json" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "pyrest", + "taskReferenceName": "lookup_lr_user_groups", + "inputParameters": { + "url": "${init.input.liferay}/group/get-user-sites-groups", + "method": "GET", + "params": { + "classNames": "[\"com.liferay.portal.model.Group\"]", + "userId": "${lookup_lr_user_by_screenname.output.body.userId}", + "max": "-1" + }, + "headers": { + "Authorization": "Basic ${init.input.liferay_auth}", + "Accept": "application/json" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "INLINE_TASK", + "taskReferenceName": "build_delete_group_tasks", + "inputParameters": { + "evaluatorType": "javascript", + "groups": "${lookup_lr_user_groups.output.body.*.groupId}", + "userId": "${lookup_lr_user_by_screenname.output.body.userId}", + "expression": "inputs = {}; tasks = []; function f(){ for(var i=0;i<$.groups.length;i++){tasks.push({'name': 'pyrest','type' : 'SIMPLE','taskReferenceName' : 'del-' + i});inputs['del-'+i] = {'url' : '${init.input.liferay}/user/unset-group-users?userIds=' + $.userId + '&groupId=' + $.groups[i],'method' : 'POST','headers' : {'Authorization' : 'Basic ' + '${init.input.liferay_auth}', 'Accept' : 'application/json'}}}; return { 'tasks' : Java.to(tasks, 'java.util.Map[]'), 'inputs' : inputs}} f()" + }, + "type": "INLINE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "fork_dynamic", + "taskReferenceName": 
"parallel_delete_group", + "inputParameters": { + "tasks": "${build_delete_group_tasks.output.result.tasks}", + "inputs": "${build_delete_group_tasks.output.result.inputs}" + }, + "type": "FORK_JOIN_DYNAMIC", + "dynamicForkTasksParam": "tasks", + "dynamicForkTasksInputParamName": "inputs", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "join", + "taskReferenceName": "join_parallel_group_deletion", + "inputParameters": {}, + "type": "JOIN", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "pyrest", + "taskReferenceName": "delete_lr_user", + "inputParameters": { + "url": "${init.input.liferay}/user/delete-user", + "method": "POST", + "params": { + "userId": "${lookup_lr_user_by_screenname.output.body.userId}" + }, + "headers": { + "Authorization": "Basic ${init.input.liferay_auth}", + "Accept": "application/json" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "INLINE_TASK", + "taskReferenceName": "lr_final_task", + "inputParameters": { + "evaluatorType": "javascript", + "expression": "1 == 1" + }, + "type": "INLINE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + } + ], + [ + { + "name": "pyrest", + "taskReferenceName": "get_rootvo", + "inputParameters": { + "url": "${init.input.keycloak_admin}/clients?clientId=${init.output.result.encoded_root_vo}", + "method": "GET", + "headers": { + "Authorization": "Bearer ${authorize.output.body.access_token}", + "Accept": "application/json" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "pyrest", + "taskReferenceName": "get_rootvo_roles", + "inputParameters": { + "url": "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles", + "method": "GET", + "expect": [ + 200, + 404 + 
], + "headers": { + "Authorization": "Bearer ${authorize.output.body.access_token}", + "Accept": "application/json" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "pyrest", + "taskReferenceName": "get_rootvo_infra_managers", + "inputParameters": { + "url": "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles/Infrastructure-Manager/users", + "method": "GET", + "expect": [ + 200, + 404 + ], + "headers": { + "Authorization": "Bearer ${authorize.output.body.access_token}", + "Accept": "application/json" + } + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + } + ] + ], + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "join", + "taskReferenceName": "global_delete_user_join", + "inputParameters": {}, + "type": "JOIN", + "startDelay": 0, + "joinOn": [ + "lr_final_task", + "get_rootvo_infra_managers" + ], + "optional": false, + "asyncComplete": false, + "permissive": false + }, + { + "name": "pymail", + "taskReferenceName": "notify_infra_managers", + "inputParameters": { + "subject": "User account REMOVAL notification", + "from": "noreply@d4science.org", + "to": "${get_rootvo_infra_managers.output.body.*.email}", + "html": "

Dear ${init.output.result.decoded_root_vo} Infrastructure Manager,

'${ +lookup_lr_user_by_screenname.output.body.firstName} ${ +lookup_lr_user_by_screenname.output.body.lastName} (${ +lookup_lr_user_by_screenname.output.body.screenName})' removed his/her account from the IAM

You received this email because you are an Infrastructure Manager.

WARNING / LEGAL TEXT: This message is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential, proprietary, or exempt from disclosure under applicable law. If you are not the intended recipient or the person responsible for delivering the message to the intended recipient, you are strictly prohibited from disclosing, distributing, copying, or in any way using this message. If you have received this communication in error, please notify the sender and destroy and delete any copies you may have received.

" + }, + "type": "SIMPLE", + "startDelay": 0, + "optional": false, + "asyncComplete": false, + "permissive": false + } + ], + "inputParameters": [ + "userid" + ], + "outputParameters": {}, + "schemaVersion": 2, + "restartable": true, + "workflowStatusListenerEnabled": false, + "ownerEmail": "mauro.mugnaini@nubisware.com", + "timeoutPolicy": "ALERT_ONLY", + "timeoutSeconds": 0, + "variables": {}, + "inputTemplate": {} +}
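Review bot: The Liferay Basic credential and the Keycloak client secret travel as ordinary task input in this workflow: `liferay_auth` is an `inputParameters` entry of `init`, is copied into the `Authorization` header of every lookup and delete task, and is concatenated into each generated `del-N` input by `build_delete_group_tasks`, while `client_secret` sits in the `authorize` body. Conductor normally persists task input and output with each execution, so anyone able to read workflow history would likely see both secrets and the bearer token; consider letting the worker resolve the credentials from its own configuration, or confirm that execution data is access-restricted and pruned. The token URL is also built from `${workflow.input.realm}`, so the realm should be checked against the expected realm(s) before the secret is posted to it. The declared inputs do not match what the tasks read: `"inputParameters": ["userid"]` should probably be `"inputParameters": ["realm", "username"]`. Finally, the `html` body of `notify_infra_managers` inserts firstName, lastName and screenName unescaped, which is worth escaping since these are presumably user-editable profile fields.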