ansible-role-conductor-workflows-user-management/templates/add_role_policy_permission.json.j2

{
	"ownerApp" : "Orchestrator",
	"name" : "add_role_policy_permission",
	"createBy" : "Marco Lettere",
	"description": "Atomically add a policy and a update client permission with new role",
	"version" : 1,
	"ownerEmail" : "marco.lettere@nubisware.com",
	"inputParameters" : ["role"],
	"tasks" : [
    {
		  "name": "INLINE_TASK",
		  "taskReferenceName": "init",
		  "type": "INLINE",
		  "inputParameters": {
			  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
			  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
			  "evaluatorType" : "javascript",
        "expression": "1 == 1"
		  }
		},
		{
			"name" : "pyrest",
			"taskReferenceName" : "authorize",
			"type" : "SIMPLE",
			"inputParameters" : {
				"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
				"method" : "POST",
				"headers" : {
					"Accept" : "application/json"
				},
				"body" : {
					"client_id" : "orchestrator", 
					"client_secret" : "{{ keycloak_auth_master }}",
					"grant_type" : "client_credentials"
				}
			}
		},
		{
        "name" : "fork_join",
        "taskReferenceName" : "prepare_policy_and_permission",
        "type" : "FORK_JOIN",
        "forkTasks" : [
          [
            {
              "name" : "pyrest",
              "type" : "SIMPLE",
              "taskReferenceName": "add_policy",
              "retryCount" : 1,
              "inputParameters" : {
                "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/policy/role",
                "method" :"POST",
                "headers" : {
                  "Authorization" : "Bearer ${authorize.output.body.access_token}",
                  "Content-Type" : "application/json",
                  "Accept" : "application/json"
                },
                "body" : {
                  "name":"${workflow.input.role.name}_policy",
                  "description" : "Policy for having ${workflow.input.role.name} role",
                  "type":"role",
                  "logic" : "POSITIVE",
                  "decisionStrategy" : "UNANIMOUS",
                  "roles" : [{ "id" : "${workflow.input.role.id}", "required" : true}]
                } 
              }
            }
        ],
        [
          {
            "name" : "pyrest",
            "type" : "SIMPLE",
            "taskReferenceName": "retrieve_default_permission",
            "retryCount" : 1,
            "inputParameters" : {
              "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission?name=Default Permission",
              "method" :"GET",
              "headers" : {
                "Authorization" : "Bearer ${authorize.output.body.access_token}",
                "Accept" : "application/json"
              }
            }
          },
          {
            "name" : "pyrest",
            "type" : "SIMPLE",
            "taskReferenceName": "retrieve_default_permission_policies",
            "inputParameters" : {
              "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}/associatedPolicies",
              "method" :"GET",
              "headers" : {
                "Authorization" : "Bearer ${authorize.output.body.access_token}",
                "Accept" : "application/json"
              }
            }
          }
        ]
      ]
    },
    {
        "name" : "join",
        "type" : "JOIN",
        "taskReferenceName" : "join_prepare_policy_and_permission",
        "joinOn" : ["retrieve_default_permission_policies","add_policy"]
    },
    {
      "name": "INLINE_TASK",
      "taskReferenceName": "to_policy_array",
      "type": "INLINE",
      "inputParameters": {
        "newpolicy": "${add_policy.output.body}",
        "evaluatorType" : "javascript",
        "prevpolicies" : "${retrieve_default_permission_policies.output.body}",
        "expression": "Java.from($.prevpolicies).concat($.newpolicy)"
      }
    },
    {
      "name": "INLINE_TASK",
      "taskReferenceName": "count_check",
      "inputParameters": {
        "tocount": "${to_policy_array.output.result[*].id}",
        "tocompare": "${retrieve_default_permission_policies.output.body}",
        "evaluatorType": "javascript",
        "expression": "if($.tocount.length < $.tocompare.length) throw 'Unexpected low value'; else $.tocount.length < $.tocompare.length"
      },
      "type": "INLINE",
      "startDelay": 0,
      "optional": false,
      "asyncComplete": false
    },
    {
		  "name" : "pyrest",
		  "taskReferenceName" : "finalize_permission",
		  "type" : "SIMPLE",
		  "inputParameters" : {
			  "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}",
			  "method" : "PUT",
			  "headers" : {
				  "Authorization" : "Bearer ${authorize.output.body.access_token}",
				  "Content-Type" : "application/json"
			  },
			  "body" : {
           "name": "Default Permission",
           "description": "",
           "type" : "resource",
           "logic": "POSITIVE",
           "decisionStrategy": "AFFIRMATIVE",
           "policies" : "${to_policy_array.output.result[*].id}"
        }
		  }
	  }
	]
}