{ "ownerApp" : "Orchestrator", "name" : "add_role_policy_permission", "createBy" : "Marco Lettere", "description": "Add a role policy for the given role and append it to the client's Default Permission. Runs as one workflow but as separate Keycloak admin REST calls (POST policy, GET permission, GET associated policies, PUT permission); there is no rollback, so a policy created by add_policy remains if a later step fails.", "version" : 1, "ownerEmail" : "marco.lettere@nubisware.com", "inputParameters" : ["role"], "tasks" : [ { "name": "INLINE_TASK", "taskReferenceName": "init", "type": "INLINE", "inputParameters": { "keycloak": "{{ keycloak }}/{{ keycloak_realm }}", "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}", "evaluatorType" : "javascript", "expression": "1 == 1" } }, { "name" : "pyrest", "taskReferenceName" : "authorize", "type" : "SIMPLE", "inputParameters" : { "url" : "{{ keycloak }}/master/protocol/openid-connect/token", "method" : "POST", "headers" : { "Accept" : "application/json" }, "body" : { "client_id" : "orchestrator", "client_secret" : "{{ keycloak_auth_master }}", "grant_type" : "client_credentials" } } }, { "name" : "fork_join", "taskReferenceName" : "prepare_policy_and_permission", "type" : "FORK_JOIN", "forkTasks" : [ [ { "name" : "pyrest", "type" : "SIMPLE", "taskReferenceName": "add_policy", "retryCount" : 1, "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/policy/role", "method" :"POST", "headers" : { "Authorization" : "Bearer ${authorize.output.body.access_token}", "Content-Type" : "application/json", "Accept" : "application/json" }, "body" : { "name":"${workflow.input.role.name}_policy", "description" : "Policy for having ${workflow.input.role.name} role", "type":"role", "logic" : "POSITIVE", "decisionStrategy" : "UNANIMOUS", "roles" : [{ "id" : "${workflow.input.role.id}", "required" : true}] } } } ], [ { "name" : "pyrest", "type" : "SIMPLE", "taskReferenceName": "retrieve_default_permission", "retryCount" : 1, "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission?name=Default Permission", "method" 
:"GET", "headers" : { "Authorization" : "Bearer ${authorize.output.body.access_token}", "Accept" : "application/json" } } }, { "name" : "pyrest", "type" : "SIMPLE", "taskReferenceName": "retrieve_default_permission_policies", "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}/associatedPolicies", "method" :"GET", "headers" : { "Authorization" : "Bearer ${authorize.output.body.access_token}", "Accept" : "application/json" } } } ] ] }, { "name" : "join", "type" : "JOIN", "taskReferenceName" : "join_prepare_policy_and_permission", "joinOn" : ["retrieve_default_permission_policies","add_policy"] }, { "name": "INLINE_TASK", "taskReferenceName": "to_policy_array", "type": "INLINE", "inputParameters": { "newpolicy": "${add_policy.output.body}", "evaluatorType" : "javascript", "prevpolicies" : "${retrieve_default_permission_policies.output.body}", "expression": "Java.from($.prevpolicies).concat($.newpolicy)" } }, { "name": "INLINE_TASK", "taskReferenceName": "count_check", "inputParameters": { "tocount": "${to_policy_array.output.result[*].id}", "tocompare": "${retrieve_default_permission_policies.output.body}", "evaluatorType": "javascript", "expression": "if($.tocount.length < $.tocompare.length) throw 'Unexpected low value'; else $.tocount.length < $.tocompare.length" }, "type": "INLINE", "startDelay": 0, "optional": false, "asyncComplete": false }, { "name" : "pyrest", "taskReferenceName" : "finalize_permission", "type" : "SIMPLE", "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}", "method" : "PUT", "headers" : { "Authorization" : "Bearer ${authorize.output.body.access_token}", "Content-Type" : "application/json" }, "body" : { "name": "Default Permission", "description": "", "type" : "resource", "logic": 
"POSITIVE", "decisionStrategy": "AFFIRMATIVE", "policies" : "${to_policy_array.output.result[*].id}" } } } ] }