{ "ownerApp" : "Orchestrator", "name" : "add_role_policy_permission", "createBy" : "Marco Lettere", "description": "Atomically add a policy and update a client permission with the new role", "version" : 1, "ownerEmail" : "marco.lettere@nubisware.com", "inputParameters" : ["role"], "tasks" : [ { "name": "LAMBDA_TASK", "taskReferenceName": "init", "type": "LAMBDA", "inputParameters": { "keycloak": "{{ keycloak }}/{{ keycloak_realm }}", "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}", "scriptExpression": "1 == 1" } }, { "name" : "pyrest", "taskReferenceName" : "authorize", "type" : "SIMPLE", "inputParameters" : { "url" : "{{ keycloak }}/master/protocol/openid-connect/token", "method" : "POST", "headers" : { "Accept" : "application/json" }, "body" : { "client_id" : "orchestrator", "client_secret" : "{{ keycloak_auth_master }}", "grant_type" : "client_credentials" } } }, { "name" : "fork_join", "taskReferenceName" : "prepare_policy_and_permission", "type" : "FORK_JOIN", "forkTasks" : [ [ { "name" : "pyrest", "type" : "SIMPLE", "taskReferenceName": "add_policy", "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/policy/role", "method" :"POST", "headers" : { "Authorization" : "Bearer ${authorize.output.body.access_token}", "Content-Type" : "application/json", "Accept" : "application/json" }, "expect" : [201, 409], "body" : { "name":"${workflow.input.role.name}_policy", "description" : "Policy for having ${workflow.input.role.name} role", "type":"role", "logic" : "POSITIVE", "decisionStrategy" : "UNANIMOUS", "roles" : [{ "id" : "${workflow.input.role.id}", "required" : true}] } } } ], [ { "name" : "pyrest", "type" : "SIMPLE", "taskReferenceName": "retrieve_default_permission", "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission?name=Default Permission", "method" :"GET", "headers" : { "Authorization" : 
"Bearer ${authorize.output.body.access_token}", "Accept" : "application/json" } } }, { "name" : "pyrest", "type" : "SIMPLE", "taskReferenceName": "retrieve_default_permission_policies", "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}/associatedPolicies", "method" :"GET", "headers" : { "Authorization" : "Bearer ${authorize.output.body.access_token}", "Accept" : "application/json" } } } ] ] }, { "name" : "join", "type" : "JOIN", "taskReferenceName" : "join_prepare_policy_and_permission", "joinOn" : ["retrieve_default_permission_policies","add_policy"] }, { "name": "LAMBDA_TASK", "taskReferenceName": "to_policy_array", "type": "LAMBDA", "inputParameters": { "newpolicy": "${add_policy.output.body}", "prevpolicies" : "${retrieve_default_permission_policies.output.body}", "scriptExpression": "return Java.to(Java.from($.prevpolicies).concat($.newpolicy),'java.util.Map[]')" } }, { "name" : "pyrest", "taskReferenceName" : "finalize_permission", "type" : "SIMPLE", "inputParameters" : { "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}", "method" : "PUT", "headers" : { "Authorization" : "Bearer ${authorize.output.body.access_token}", "Content-Type" : "application/json" }, "body" : { "name": "Default Permission", "description": "", "type" : "resource", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "policies" : "${to_policy_array.output.result[*].id}" } } } ] }