ansible-role-conductor-work.../templates/add_role_policy_permission....

153 lines
5.2 KiB
Django/Jinja

{
"ownerApp" : "Orchestrator",
"name" : "add_role_policy_permission",
"createBy" : "Marco Lettere",
"description": "Atomically add a policy and a update client permission with new role",
"version" : 1,
"ownerEmail" : "marco.lettere@nubisware.com",
"inputParameters" : ["role"],
"tasks" : [
{
"name": "INLINE_TASK",
"taskReferenceName": "init",
"type": "INLINE",
"inputParameters": {
"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
"evaluatorType" : "javascript",
"expression": "1 == 1"
}
},
{
"name" : "pyrest",
"taskReferenceName" : "authorize",
"type" : "SIMPLE",
"inputParameters" : {
"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
"method" : "POST",
"headers" : {
"Accept" : "application/json"
},
"body" : {
"client_id" : "orchestrator",
"client_secret" : "{{ keycloak_auth_master }}",
"grant_type" : "client_credentials"
}
}
},
{
"name" : "fork_join",
"taskReferenceName" : "prepare_policy_and_permission",
"type" : "FORK_JOIN",
"forkTasks" : [
[
{
"name" : "pyrest",
"type" : "SIMPLE",
"taskReferenceName": "add_policy",
"retryCount" : 1,
"inputParameters" : {
"url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/policy/role",
"method" :"POST",
"headers" : {
"Authorization" : "Bearer ${authorize.output.body.access_token}",
"Content-Type" : "application/json",
"Accept" : "application/json"
},
"body" : {
"name":"${workflow.input.role.name}_policy",
"description" : "Policy for having ${workflow.input.role.name} role",
"type":"role",
"logic" : "POSITIVE",
"decisionStrategy" : "UNANIMOUS",
"roles" : [{ "id" : "${workflow.input.role.id}", "required" : true}]
}
}
}
],
[
{
"name" : "pyrest",
"type" : "SIMPLE",
"taskReferenceName": "retrieve_default_permission",
"retryCount" : 1,
"inputParameters" : {
"url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission?name=Default Permission",
"method" :"GET",
"headers" : {
"Authorization" : "Bearer ${authorize.output.body.access_token}",
"Accept" : "application/json"
}
}
},
{
"name" : "pyrest",
"type" : "SIMPLE",
"taskReferenceName": "retrieve_default_permission_policies",
"inputParameters" : {
"url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}/associatedPolicies",
"method" :"GET",
"headers" : {
"Authorization" : "Bearer ${authorize.output.body.access_token}",
"Accept" : "application/json"
}
}
}
]
]
},
{
"name" : "join",
"type" : "JOIN",
"taskReferenceName" : "join_prepare_policy_and_permission",
"joinOn" : ["retrieve_default_permission_policies","add_policy"]
},
{
"name": "INLINE_TASK",
"taskReferenceName": "to_policy_array",
"type": "INLINE",
"inputParameters": {
"newpolicy": "${add_policy.output.body}",
"evaluatorType" : "javascript",
"prevpolicies" : "${retrieve_default_permission_policies.output.body}",
"expression": "Java.from($.prevpolicies).concat($.newpolicy)"
}
},
{
"name": "INLINE_TASK",
"taskReferenceName": "count_check",
"inputParameters": {
"tocount": "${to_policy_array.output.result[*].id}",
"tocompare": "${retrieve_default_permission_policies.output.body}",
"evaluatorType": "javascript",
"expression": "if($.tocount.length < $.tocompare.length) throw 'Unexpected low value'; else $.tocount.length < $.tocompare.length"
},
"type": "INLINE",
"startDelay": 0,
"optional": false,
"asyncComplete": false
},
{
"name" : "pyrest",
"taskReferenceName" : "finalize_permission",
"type" : "SIMPLE",
"inputParameters" : {
"url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission/${retrieve_default_permission.output.body[0].id}",
"method" : "PUT",
"headers" : {
"Authorization" : "Bearer ${authorize.output.body.access_token}",
"Content-Type" : "application/json"
},
"body" : {
"name": "Default Permission",
"description": "",
"type" : "resource",
"logic": "POSITIVE",
"decisionStrategy": "AFFIRMATIVE",
"policies" : "${to_policy_array.output.result[*].id}"
}
}
}
]
}