
---
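# Obtain an admin access token from the master realm using the password
# grant with the admin-cli client. The response is registered as
# keycloak_token; later tasks read keycloak_token.json.access_token.
- name: "Getting Token for service access on Keycloak"
  uri:
    url: "{{ keycloak_baseurl }}/auth/realms/master/protocol/openid-connect/token"
    method: POST
    body_format: form-urlencoded
    body:
      username: "{{ keycloak_username }}"
      password: "{{ keycloak_password }}"
      grant_type: "password"
      client_id: "admin-cli"
  register: keycloak_token
  run_once: true
  # The request carries the admin password and the result carries the bearer
  # token; keep both out of task output, callback plugins and logs.
  no_log: true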
# Probe the realm URL with the admin token. Both 200 (realm present) and
# 404 (realm absent) are accepted so the play can branch on
# d4science_realm_check.status instead of failing here.
# The Authorization header holds the admin bearer token and is part of the
# module arguments, so it can show up in high-verbosity (-vvv) output.
- name: "Find out, if realm {{ d4science_realm_name }} exists on Keycloak"
  register: d4science_realm_check
  run_once: true
  uri:
    method: GET
    url: "{{ d4science_realm_url }}"
    headers:
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
      Accept: "application/json"
    status_code: [200, 404]
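# Create the realm and configure it end to end: reCAPTCHA on the
# registration flow, realm roles, the orchestrator and lr62_portal clients,
# and the role mappings of their service-account users.
#
# The whole block is gated on the realm check returning 404. If any step
# fails after the realm has been created, a re-run sees status 200 and skips
# every remaining step, leaving the realm partially configured (for example
# without reCAPTCHA required on registration). Recover by removing the realm
# or by completing the configuration by hand.
#
# Every request sends the admin bearer token in the Authorization header;
# it is part of the module arguments and can appear in -vvv output.
- name: "Create and configure d4science realm named: {{ d4science_realm_name }}"
  vars:
    authorization: "Bearer {{ keycloak_token.json.access_token }}"
  block:
    - name: "Create new {{ d4science_realm_name }} realm on Keycloak"
      uri:
        url: "{{ keycloak_baseurl }}/auth/admin/realms"
        method: POST
        body: "{{ lookup('template', 'd4science_realm.json.j2') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: d4science_realm_create

    - name: "Getting {{ d4science_realm_name }} registration flow executions"
      uri:
        url: "{{ d4science_realm_url }}/authentication/flows/registration/executions"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: registration_executions

    # The body is a YAML mapping rather than a hand-built "{'id': ...}"
    # string, so the module serializes it to JSON itself and no value can
    # break the quoting of the document.
    - name: "Enabling ReCaptcha registration flow executions"
      uri:
        url: "{{ d4science_realm_url }}/authentication/flows/registration/executions"
        method: PUT
        body:
          id: "{{ registration_executions.json | json_query(query_id) }}"
          requirement: "REQUIRED"
          providerId: "registration-recaptcha-action"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      vars:
        query_id: "[?providerId == 'registration-recaptcha-action'] | [0].id"

    # Structured body for the same reason as above: a quote character in
    # recaptcha_secret or recaptcha_key can no longer alter the JSON.
    - name: "Configuring ReCaptcha"
      uri:
        url: "{{ d4science_realm_url }}/authentication/executions/{{ registration_executions.json | json_query(query_id) }}/config"
        method: POST
        body:
          alias: "reCaptcha"
          config:
            secret: "{{ recaptcha_secret }}"
            site.key: "{{ recaptcha_key }}"
            useRecaptchaNet: "false"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      vars:
        query_id: "[?providerId == 'registration-recaptcha-action'] | [0].id"
      # The request body contains the reCAPTCHA secret.
      no_log: true

    - name: "Adding Infrastructure-Manager realm role"
      uri:
        url: "{{ d4science_realm_url }}/roles"
        method: POST
        body: "{{ lookup('file', 'infrastructure-manager_role.json') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"

    - name: "Adding Infrastructure-Client realm role"
      uri:
        url: "{{ d4science_realm_url }}/roles"
        method: POST
        body: "{{ lookup('file', 'infrastructure-client_role.json') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"

    # NOTE(review): if the client templates embed client secrets, these two
    # tasks should also set no_log - confirm against the templates.
    - name: "Adding orchestrator client to realm"
      uri:
        url: "{{ d4science_realm_url }}/clients"
        method: POST
        body: "{{ lookup('template', 'orchestrator_client.json.j2') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: orchestrator_client_create

    - name: "Adding lr62_portal client to realm"
      uri:
        url: "{{ d4science_realm_url }}/clients"
        method: POST
        body: "{{ lookup('template', 'lr62_portal_client.json.j2') }}"
        body_format: "json"
        status_code:
          - 201
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: lr62_client_create

    # The new client's id is the last path segment of the Location header
    # returned by the create request.
    - name: "Getting orchestrator service-account-user"
      uri:
        url: "{{ d4science_realm_url }}/clients/{{ orchestrator_client_create.location.split('/').pop() }}/service-account-user"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: orchestrator_sau

    - name: "Getting lr62_portal service-account-user"
      uri:
        url: "{{ d4science_realm_url }}/clients/{{ lr62_client_create.location.split('/').pop() }}/service-account-user"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: lr62_sau

    - name: "Getting {{ d4science_realm_name }} realm roles"
      uri:
        url: "{{ d4science_realm_url }}/roles"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: d4s_realm_roles

    # NOTE(review): this task and the next one register their result as
    # lr62_client_create, overwriting the client-creation response (and its
    # Location header) registered earlier. It looks like a copy-paste
    # leftover; the name is kept in case later tasks read it - confirm and
    # rename or drop.
    - name: "Assigning infrastructure-manager role to orchestrator SAU"
      uri:
        url: "{{ d4science_realm_url }}/users/{{ orchestrator_sau.json.id }}/role-mappings/realm"
        method: POST
        body: "{{ d4s_realm_roles.json | json_query(query) }}"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: lr62_client_create
      vars:
        query: "[?name == 'Infrastructure-Manager']"

    - name: "Assigning infrastructure-client role to lr62_portal SAU"
      uri:
        url: "{{ d4science_realm_url }}/users/{{ lr62_sau.json.id }}/role-mappings/realm"
        method: POST
        body: "{{ d4s_realm_roles.json | json_query(query) }}"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: lr62_client_create
      vars:
        query: "[?name == 'Infrastructure-Client']"

    - name: "Getting realm-management client by clientId"
      uri:
        url: "{{ d4science_realm_url }}/clients?clientId=realm-management"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: realm_management_client

    - name: "Getting realm-management client roles"
      uri:
        url: "{{ d4science_realm_url }}/clients/{{ realm_management_client.json[0].id }}/roles"
        method: GET
        status_code:
          - 200
        headers:
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      register: realm_management_roles

    # Grants the orchestrator service account user and client administration
    # roles on this realm. Keep the list in `query` to what the orchestrator
    # actually needs; every name added here widens what its credentials can
    # do.
    - name: "Assigning realm-management roles to orchestrator SAU"
      uri:
        url: "{{ d4science_realm_url }}/users/{{ orchestrator_sau.json.id }}/role-mappings/clients/{{ realm_management_client.json[0].id }}"
        method: POST
        body: "{{ realm_management_roles.json | json_query(query) }}"
        body_format: "json"
        status_code:
          - 204
        headers:
          Content-type: "application/json"
          Accept: "application/json"
          Authorization: "{{ authorization }}"
      vars:
        query: "[?contains([`manage-users`, `view-users`, `manage-clients`, `query-clients`, `query-users`], name)]"
  run_once: true
  when: "d4science_realm_check.status == 404"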