2020-03-09 09:11:07 +00:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
2022-08-05 10:28:29 +00:00
|
|
|
# Copyright (c) 2017, Eike Frost <ei@kefro.st>
|
|
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-03-09 09:11:07 +00:00
|
|
|
|
2020-06-24 19:50:36 +00:00
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
2020-03-09 09:11:07 +00:00
|
|
|
|
|
|
|
|
class ModuleDocFragment(object):
|
|
|
|
|
|
|
|
|
|
# Standard documentation fragment
|
2024-12-27 13:30:17 +00:00
|
|
|
DOCUMENTATION = r"""
|
2020-03-09 09:11:07 +00:00
|
|
|
options:
|
2024-12-27 13:30:17 +00:00
|
|
|
auth_keycloak_url:
|
|
|
|
|
description:
|
|
|
|
|
- URL to the Keycloak instance.
|
|
|
|
|
type: str
|
|
|
|
|
required: true
|
|
|
|
|
aliases:
|
|
|
|
|
- url
|
2020-03-09 09:11:07 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
auth_client_id:
|
|
|
|
|
description:
|
|
|
|
|
- OpenID Connect C(client_id) to authenticate to the API with.
|
|
|
|
|
type: str
|
|
|
|
|
default: admin-cli
|
2020-03-09 09:11:07 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
auth_realm:
|
|
|
|
|
description:
|
|
|
|
|
- Keycloak realm name to authenticate to for API access.
|
|
|
|
|
type: str
|
2020-03-09 09:11:07 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
auth_client_secret:
|
|
|
|
|
description:
|
|
|
|
|
- Client Secret to use in conjunction with O(auth_client_id) (if required).
|
|
|
|
|
type: str
|
2020-03-09 09:11:07 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
auth_username:
|
|
|
|
|
description:
|
|
|
|
|
- Username to authenticate for API access with.
|
|
|
|
|
type: str
|
|
|
|
|
aliases:
|
|
|
|
|
- username
|
2020-03-09 09:11:07 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
auth_password:
|
|
|
|
|
description:
|
|
|
|
|
- Password to authenticate for API access with.
|
|
|
|
|
type: str
|
|
|
|
|
aliases:
|
|
|
|
|
- password
|
2020-03-09 09:11:07 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
token:
|
|
|
|
|
description:
|
|
|
|
|
- Authentication token for Keycloak API.
|
|
|
|
|
type: str
|
|
|
|
|
version_added: 3.0.0
|
2021-04-20 11:20:46 +00:00
|
|
|
|
Keycloak modules retry request on authentication error, support refresh token parameter (#9494)
* feat: begin refactor to support refresh token in keycloak modules
* chore: add start of tests for shared token usage
* feat: progress towards supporting refresh token; token introspection not yet working [8857]
* chore: reset to main branch previous state; a different approach is needed [8857]
* feat: add request methods to keycloak class, which will be expanded with retry logic [8857]
* feat: all requests to keycloak use request methods instead of open_url [8857]
* fix: data argument is optional in keycloak request methods [8857]
* feat: add integration test for keycloak module authentication methods [8857]
* chore: refactor get token logic to separate logic using username/pass credentials [8857]
* chore: refactor token request logic further to isolate request logic [8857]
* chore: fix minor lint issues [8857]
* test: add (currently failing) test for request with invalid auth token, valid refresh token [8857]
* chore: allow realm to be provided to role module with refresh_token, without username/pass [8857]
* feat: add retry logic to requests in keycloak module utils [8857]
* chore: rename keycloak module fail_open_url method to fail_request [8857]
* chore: update all keycloak modules to support refresh token param [8857]
* chore: add refresh_token param to keycloak doc_fragments [8857]
* chore: restore dependency between auth_realm and auth_username,auth_password params [8857]
* chore: rearrange module param checks to reduce future pr size [8857]
* chore: remove extra comma [8857]
* chore: update version added for refresh token param [8857]
* chore: add changelog fragment [8857]
* chore: re-add fail_open_url to keycloak module utils for backward compatability [8857]
* fix: do not make a new request to keycloak without reauth when refresh token not provided (#8857)
* fix: only make final auth attempt if username/pass provided, and return exception on failure (#8857)
* fix: make re-auth and retry code more consistent, ensure final exceptions are thrown (#8857)
* test: fix arguments for invalid token, valid refresh token test (#8857)
* feat: catch invalid refresh token errors during re-auth attempt (#8857)
Add test to verify this behaviour works.
* test: improve test coverage, including some unhappy path tests for authentication failures (#8857)
* chore: store auth errors from token request in backwards compatible way (#8857)
* fix: ensure method is still specified for all requests (#8857)
* chore: simplify token request logic (#8857)
* chore: rename functions to request tokens using refresh token or username/password (#8857)
To emphasize their difference from the `get_token` function,
which either gets the token from the module params
*or* makes a request for it.
* doc: add docstrings for new or significantly modified functions (#8857)
* test: repair unit test following change to exception message upon key error during auth request (#8857)
2025-01-26 14:23:39 +00:00
|
|
|
refresh_token:
|
|
|
|
|
description:
|
|
|
|
|
- Authentication refresh token for Keycloak API.
|
|
|
|
|
type: str
|
|
|
|
|
version_added: 10.3.0
|
|
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
validate_certs:
|
|
|
|
|
description:
|
|
|
|
|
- Verify TLS certificates (do not disable this in production).
|
|
|
|
|
type: bool
|
|
|
|
|
default: true
|
2022-02-14 18:43:17 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
connection_timeout:
|
|
|
|
|
description:
|
|
|
|
|
- Controls the HTTP connections timeout period (in seconds) to Keycloak API.
|
|
|
|
|
type: int
|
|
|
|
|
default: 10
|
|
|
|
|
version_added: 4.5.0
|
2023-11-22 08:13:33 +00:00
|
|
|
|
2024-12-27 13:30:17 +00:00
|
|
|
http_agent:
|
|
|
|
|
description:
|
|
|
|
|
- Configures the HTTP User-Agent header.
|
|
|
|
|
type: str
|
|
|
|
|
default: Ansible
|
|
|
|
|
version_added: 5.4.0
|
|
|
|
|
"""
|
2024-12-23 17:51:34 +00:00
|
|
|
|
|
|
|
|
ACTIONGROUP_KEYCLOAK = r"""
|
|
|
|
|
options: {}
|
|
|
|
|
attributes:
|
|
|
|
|
action_group:
|
|
|
|
|
description: Use C(group/community.general.keycloak) in C(module_defaults) to set defaults for this module.
|
|
|
|
|
support: full
|
|
|
|
|
membership:
|
|
|
|
|
- community.general.keycloak
|
|
|
|
|
"""
|
