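---
# Creates and configures the d4science realm on Keycloak through the Admin REST
# API, using a master-realm admin token obtained with the password grant.
#
# The configuration block at the bottom runs only when the realm does not yet
# exist (the existence check answers 404), so this file is create-only: a
# failure part-way through the block leaves a half-configured realm that must
# be removed or completed by hand before a re-run will touch it again.
#
# Expected variables (defined elsewhere): keycloak_baseurl, keycloak_username,
# keycloak_password, d4science_realm_name, d4science_realm_url (admin URL of
# the realm), recaptcha_key, recaptcha_secret.

- name: "Getting Token for service access on Keycloak"
  uri:
    url: "{{ keycloak_baseurl }}/auth/realms/master/protocol/openid-connect/token"
    method: POST
    body_format: form-urlencoded
    body:
      username: "{{ keycloak_username }}"
      password: "{{ keycloak_password }}"
      grant_type: "password"
      client_id: "admin-cli"
  register: keycloak_token
  run_once: true
  # The request body carries the admin password and the registered result
  # carries a master-realm admin token: keep both out of play output and logs.
  # no_log also hides the error detail when this task fails; lift it
  # temporarily if you need to debug the token request.
  no_log: true

- name: "Find out, if realm {{ d4science_realm_name }} exists on Keycloak"
  uri:
    url: "{{ d4science_realm_url }}"
    method: GET
    # 404 is an expected answer, not a failure: it is what triggers the
    # creation block below.
    status_code:
      - 200
      - 404
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: d4science_realm_check
  run_once: true

- name: "Create and configure d4science realm named: {{ d4science_realm_name }}"
  vars:
    authorization: "Bearer {{ keycloak_token.json.access_token }}"
    # JMESPath expression selecting the id of the reCAPTCHA execution inside
    # the realm's registration flow; shared by the two reCAPTCHA tasks below.
    recaptcha_execution_query: "[?providerId == 'registration-recaptcha-action'] | [0].id"
  # NOTE(review): every task in this block reuses the single token obtained
  # above. Master-realm admin access tokens are short-lived by default, so a
  # slow Keycloak or a longer block may start failing with 401 part-way
  # through; if that happens, re-fetch the token inside the block.
  block:
    - name: "Create new {{ d4science_realm_name }} realm on Keycloak"
      uri:
        url: "{{ keycloak_baseurl }}/auth/admin/realms"
        method: POST
        body: "{{ lookup('template', 'd4science_realm.json.j2') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: d4science_realm_create

    - name: "Getting {{ d4science_realm_name }} registration flow executions"
      uri:
        url: "{{ d4science_realm_url }}/authentication/flows/registration/executions"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: registration_executions

    - name: "Enabling ReCaptcha registration flow executions"
      uri:
        url: "{{ d4science_realm_url }}/authentication/flows/registration/executions"
        method: PUT
        # Native mapping instead of a Python-dict-looking string: with
        # body_format json the uri module serialises it itself, so we no longer
        # depend on Ansible's implicit string-to-dict conversion.
        body:
          id: "{{ registration_executions.json | json_query(recaptcha_execution_query) }}"
          requirement: "REQUIRED"
          providerId: "registration-recaptcha-action"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"

    - name: "Configuring ReCaptcha"
      uri:
        url: "{{ d4science_realm_url }}/authentication/executions/{{ registration_executions.json | json_query(recaptcha_execution_query) }}/config"
        method: POST
        body:
          alias: "reCaptcha"
          config:
            secret: "{{ recaptcha_secret }}"
            site.key: "{{ recaptcha_key }}"
            # Keycloak expects this flag as a string value.
            useRecaptchaNet: "false"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      # The body carries the reCAPTCHA secret key.
      no_log: true

    - name: "Adding Infrastructure-Manager realm role"
      uri:
        url: "{{ d4science_realm_url }}/roles"
        method: POST
        body: "{{ lookup('file', 'infrastructure-manager_role.json') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"

    - name: "Adding Infrastructure-Client realm role"
      uri:
        url: "{{ d4science_realm_url }}/roles"
        method: POST
        body: "{{ lookup('file', 'infrastructure-client_role.json') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"

    - name: "Adding orchestrator client to realm"
      uri:
        url: "{{ d4science_realm_url }}/clients"
        method: POST
        body: "{{ lookup('template', 'orchestrator_client.json.j2') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      # The Location header of the 201 response holds the new client's id.
      register: orchestrator_client_create

    - name: "Adding lr62_portal client to realm"
      uri:
        url: "{{ d4science_realm_url }}/clients"
        method: POST
        body: "{{ lookup('template', 'lr62_portal_client.json.j2') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: lr62_client_create

    - name: "Getting orchestrator service-account-user"
      uri:
        # Last path segment of the Location header is the client id.
        url: "{{ d4science_realm_url }}/clients/{{ orchestrator_client_create.location.split('/').pop() }}/service-account-user"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: orchestrator_sau

    - name: "Getting lr62_portal service-account-user"
      uri:
        url: "{{ d4science_realm_url }}/clients/{{ lr62_client_create.location.split('/').pop() }}/service-account-user"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: lr62_sau

    - name: "Getting {{ d4science_realm_name }} realm roles"
      uri:
        url: "{{ d4science_realm_url }}/roles"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: d4s_realm_roles

    - name: "Assigning infrastructure-manager role to orchestrator SAU"
      uri:
        url: "{{ d4science_realm_url }}/users/{{ orchestrator_sau.json.id }}/role-mappings/realm"
        method: POST
        body: "{{ d4s_realm_roles.json | json_query(query) }}"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      # Previously re-registered as lr62_client_create, which clobbered the
      # lr62_portal client-creation result with a 204 role-mapping response.
      register: orchestrator_role_assignment
      vars:
        query: "[?name == 'Infrastructure-Manager']"

    - name: "Assigning infrastructure-client role to lr62_portal SAU"
      uri:
        url: "{{ d4science_realm_url }}/users/{{ lr62_sau.json.id }}/role-mappings/realm"
        method: POST
        body: "{{ d4s_realm_roles.json | json_query(query) }}"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: lr62_role_assignment
      vars:
        query: "[?name == 'Infrastructure-Client']"

    - name: "Getting realm-management client by clientId"
      uri:
        url: "{{ d4science_realm_url }}/clients?clientId=realm-management"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: realm_management_client

    - name: "Getting realm-management client roles"
      uri:
        url: "{{ d4science_realm_url }}/clients/{{ realm_management_client.json[0].id }}/roles"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: realm_management_roles

    - name: "Assigning realm-management roles to orchestrator SAU"
      uri:
        url: "{{ d4science_realm_url }}/users/{{ orchestrator_sau.json.id }}/role-mappings/clients/{{ realm_management_client.json[0].id }}"
        method: POST
        # manage-clients and manage-users let this service account create or
        # reconfigure other clients and users in the realm, including their
        # service accounts and role mappings, which is close to realm-admin
        # power. Confirm the orchestrator really needs the manage-* roles and
        # not only the view-/query- ones before granting them.
        body: "{{ realm_management_roles.json | json_query(query) }}"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      vars:
        query: "[?contains([`manage-users`, `view-users`, `manage-clients`, `query-clients`, `query-users`], name)]"
  run_once: true
  when: "d4science_realm_check.status == 404"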