From c007896a557963b19ea5a700016ad7acef7f39ae Mon Sep 17 00:00:00 2001
From: dcore94
Date: Wed, 3 Mar 2021 18:27:15 +0100
Subject: [PATCH] addition of policies for roles
---
 templates/group_created.json.j2 | 75 ++++++++++++++++++++++++---------
 1 file changed, 56 insertions(+), 19 deletions(-)
diff --git a/templates/group_created.json.j2 b/templates/group_created.json.j2
index ffb5984..97438da 100644
--- a/templates/group_created.json.j2
+++ b/templates/group_created.json.j2
@@ -157,7 +157,7 @@
 }
 },
 {
- "name" : "pyrest",
+ "name" : "pyrest",
 "taskReferenceName" : "create_kc_group",
 "type" : "SIMPLE",
 "inputParameters" : {
@@ -173,7 +173,7 @@
 }
 },
 {
- "name" : "pyrest",
+ "name" : "pyrest",
 "taskReferenceName" : "list_kc_groups",
 "type" : "SIMPLE",
 "inputParameters" : {
@@ -238,7 +238,7 @@
 ]
 },
 {
- "name" : "pyrest",
+ "name" : "pyrest",
 "taskReferenceName" : "assign_client_member_role_to_kc_group",
 "type" : "SIMPLE",
 "inputParameters" : {
@@ -253,22 +253,59 @@
 }
 }
 ],
- [{
- "name" : "pyrest",
- "taskReferenceName" : "create_role_accountingmanager",
- "type" : "SIMPLE",
- "inputParameters" : {
- "url" : "${create_client.output.headers.location}/roles",
- "body" : {
- "clientRole" : true, "name" : "Accounting-Manager", "description" : "Accounting-Manager for ${init.output.result.name}"
- },
- "method" : "POST",
- "headers" : {
- "Authorization" : "Bearer ${authorize.output.body.access_token}",
- "Content-Type" : "application/json"
- }
- }
- }],
+ [
+ {
+ "name" : "pyrest",
+ "taskReferenceName" : "create_role_accountingmanager",
+ "type" : "SIMPLE",
+ "inputParameters" : {
+ "url" : "${create_client.output.headers.location}/roles",
+ "body" : {
+ "clientRole" : true, "name" : "Accounting-Manager", "description" : "Accounting-Manager for ${init.output.result.name}"
+ },
+ "method" : "POST",
+ "headers" : {
+ "Authorization" : "Bearer ${authorize.output.body.access_token}",
+ "Content-Type" : "application/json"
+ }
+ }
+ },
+ {
+ "name": "LAMBDA_TASK",
+ "taskReferenceName": "extract_accountimgmanager_role_id",
+ "type": "LAMBDA",
+ "inputParameters": {
+ "role_location" : "${create_role_accountingmanager.output.headers.location}",
+ "scriptExpression": "var role_id = $.role_location.split('/').pop(); return {'role_id' : role_id}"
+ }
+ },
+ {
+ "name" : "pyrest",
+ "taskReferenceName" : "create_role_policy_accountingmanager",
+ "type" : "SIMPLE",
+ "inputParameters" : {
+ "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role",
+ "body" : {
+ "name": "Accounting-Manager_policy",
+ "description": "",
+ "type" : "role",
+ "logic": "POSITIVE",
+ "decisionStrategy": "UNANIMOUS",
+ "roles" : [
+ {
+ "id" : "${extract_accountimgmanager_role_id.output.result.role_id}",
+ "required" : true
+ }
+ ]
+ },
+ "method" : "POST",
+ "headers" : {
+ "Authorization" : "Bearer ${authorize.output.body.access_token}",
+ "Content-Type" : "application/json"
+ }
+ }
+ }
+ ],
 [{
 "name" : "pyrest",
 "taskReferenceName" : "create_role_catalogueadmin",
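Review bot: The new `extract_accountimgmanager_role_id` LAMBDA takes the last path segment of `create_role_accountingmanager.output.headers.location`, and the following task places it in `roles[0].id` of an authorization policy without checking that it is present or that it identifies the intended role. If the role POST returns no Location header (for instance because the role already exists), the script either fails on `split` or hands a meaningless value to the policy body; a guard such as `if (!$.role_location) { throw 'create_role_accountingmanager returned no Location header'; }` at the start of `scriptExpression` would make that failure explicit. As far as I recall, Keycloak ends the Location of a newly created client role with the role name rather than its UUID, so it is worth confirming that the role-policy endpoint resolves that value to this client's `Accounting-Manager` role and not to a same-named role elsewhere. The reference name is also misspelled (`accountimg`); it is consistent in both places so it resolves today, but renaming both occurrences to `extract_accountingmanager_role_id` avoids a silently unresolved reference when one of them is later corrected.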