tasks/main.yml

---
# keycloak tasks/main.yml
#
# SPDX-FileCopyrightText: © 2021 Open Networking Foundation <support@opennetworking.org>
# SPDX-License-Identifier: Apache-2.0

- name: include OS-specific tasks
  include_tasks: "{{ ansible_os_family }}.yml"

- name: Create group for Keycloak
  group:
    name: "{{ keycloak_groupname }}"

- name: Create user for Keycloak
  user:
    name: "{{ keycloak_username }}"
    group: "{{ keycloak_groupname }}"
    comment: "{{ keycloak_comment }}"
    shell: "{{ keycloak_shell }}"
    system: true
    password_lock: true

- name: Create keycloak dist directory
  file:
    path: "{{ keycloak_dist_dir }}"
    owner: "{{ keycloak_username }}"
    group: "{{ keycloak_groupname }}"
    state: directory
    mode: 0700

- name: Download keycloak
  get_url:
    url: "{{ keycloak_download_url }}"
    dest: "{{ keycloak_dist_dir }}"
    timeout: 30
    checksum: "{{ keycloak_checksum }}"
  become: true
  become_user: "{{ keycloak_username }}"

- name: Extract keycloak
  unarchive:
    remote_src: true
    src: "{{ keycloak_dist_dir }}/keycloak-{{ keycloak_version }}.tar.gz"
    dest: "{{ keycloak_base_dir }}"
    owner: "{{ keycloak_username }}"
    group: "{{ keycloak_groupname }}"
    creates: "{{ keycloak_base_dir }}/keycloak-{{ keycloak_version }}"

- name: Link Keycloak distro to working dir
  file:
    state: "link"
    src: "{{ keycloak_base_dir }}/keycloak-{{ keycloak_version }}"
    dest: "{{ keycloak_working_dir }}"

- name: Check admin account
  command:
    chdir: "{{ keycloak_working_dir }}/bin/"
    cmd: >
      ./kcadm.sh get users
      --server {{ keycloak_server }}/auth
      --realm master --user {{ keycloak_admin_username }}
      --password {{ keycloak_admin_password }}
  register: kcadm_result
  changed_when: false
  failed_when: false

# search proxy-address-forwarding in the following link
# https://www.keycloak.org/docs/15.0/server_installation/#_setting-up-a-load-balancer-or-proxy
- name: Enable HTTPS Reverse Proxy(Modify standalone.xml)
  community.general.xml:
    path: "/opt/keycloak/standalone/configuration/standalone.xml"
    xpath: "/m:server/m:profile/n:subsystem/n:server/n:http-listener"
    attribute: "proxy-address-forwarding"
    value: "true"
    namespaces:
      m: "urn:jboss:domain:16.0"
      n: "urn:jboss:domain:undertow:12.0"
  when: (keycloak_behind_reverse_proxy is defined) and (keycloak_behind_reverse_proxy)
  notify:
    - "start-keycloak"
    - "restart-keycloak"

# search proxy-address-forwarding in the following link
# https://www.keycloak.org/docs/15.0/server_installation/#_setting-up-a-load-balancer-or-proxy
- name: Disable HTTPS Reverse Proxy(Modify standalone.xml)
  community.general.xml:
    path: "/opt/keycloak/standalone/configuration/standalone.xml"
    xpath: "/m:server/m:profile/n:subsystem/n:server/n:http-listener/@proxy-address-forwarding"
    value: "true"
    state: absent
    namespaces:
      m: "urn:jboss:domain:16.0"
      n: "urn:jboss:domain:undertow:12.0"
  when: (keycloak_behind_reverse_proxy is not defined) or (not keycloak_behind_reverse_proxy)
  notify:
    - "start-keycloak"
    - "restart-keycloak"

- name: Create admin account
  command:
    chdir: "{{ keycloak_working_dir }}/bin/"
    cmd: >
      ./add-user-keycloak.sh
      --realm master --user {{ keycloak_admin_username }}
      --password {{ keycloak_admin_password }}
  when: kcadm_result.rc != 0
  notify:
    - "start-keycloak"
    - "restart-keycloak"
- name: Flush handlers to start keycloak server before configuring it via API
  meta: flush_handlers

- name: Wait for Keycloak to be ready
  uri:
    url: "http://localhost:9990/health"
    method: GET
    return_content: "yes"
    timeout: 5
    body_format: raw
    follow_redirects: "no"
    status_code: 200
  register: result
  until: result.status == 200
  retries: 60
  delay: 5

- name: Configure Keycloak client
  community.general.keycloak_client:
    auth_keycloak_url: "{{ keycloak_server }}/auth"
    auth_realm: "{{ item.auth_realm }}"
    auth_username: "{{ keycloak_admin_username }}"
    auth_password: "{{ keycloak_admin_password }}"
    client_id: "{{ item.client_id }}"
    name: "{{ item.name }}"
    protocol: "{{ item.protocol }}"
    description: "{{ item.description }}"
    attributes: "{{ item.attributes }}"
    redirect_uris: "{{ item.redirect_uris }}"
    protocol_mappers: "{{ item.protocol_mappers }}"
    state: present
  with_items: "{{ keycloak_client_settings }}"

- name: "Create Token for Keycloak service"
  uri:
    url: "{{ keycloak_server }}/auth/realms/master/protocol/openid-connect/token"
    method: POST
    body_format: form-urlencoded
    body:
      username: "{{ keycloak_admin_username }}"
      password: "{{ keycloak_admin_password }}"
      grant_type: "password"
      client_id: "admin-cli"
  register: keycloak_token

- name: "Get existing LDAP configuration"
  uri:
    url: "{{ keycloak_admin_api }}/components?type=org.keycloak.storage.UserStorageProvider"
    method: GET
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_components_list

- name: Check if the Keycloak already has the LDAP configuration
  set_fact:
    ldap_id: "{{ item.id }}"
  with_items: "{{ keycloak_components_list.json }}"
  when: item.name == "ldap"

- name: Generate a local json file for LDAP configuration
  become: false
  delegate_to: localhost
  template:
    src: "ldap.config.j2"
    dest: "/tmp/ldap.config"
    mode: "0600"
  changed_when: false

- name: "Create LDAP Provider if not exist"
  uri:
    url: "{{ keycloak_admin_api }}/components"
    method: POST
    src: /tmp/ldap.config
    status_code: [201]
    headers:
      Content-Type: application/json
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_create_ldap_response
  when: ldap_id is not defined

- name: "Update LDAP Provider if exist"
  uri:
    url: "{{ keycloak_admin_api }}/components/{{ ldap_id }}"
    method: PUT
    src: /tmp/ldap.config
    status_code: [204]
    headers:
      Content-Type: application/json
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  when: ldap_id is defined

- name: Update LDAP_ID with new created LDAP components
  set_fact:
    ldap_id: "{{ keycloak_create_ldap_response.location | basename }}"
  when: ldap_id is not defined

- name: Generate a local json file for LDAP mapper configuration
  become: false
  delegate_to: localhost
  template:
    src: "{{ item }}.j2"
    dest: "/tmp/{{ item }}"
    mode: "0600"
  with_items:
    - ldap.mapper.group
    - keycloak.event.config
  changed_when: false

- name: Create LDAP mapper from local json configuraiton
  uri:
    url: "{{ keycloak_admin_api }}/components/"
    method: POST
    src: "/tmp/{{ item }}"
    status_code: [201]
    headers:
      Content-Type: application/json
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  with_items:
    - ldap.mapper.group

- name: Create LDAP mapper from local json configuraiton
  uri:
    url: "{{ keycloak_admin_api }}/events/config"
    method: PUT
    src: "/tmp/keycloak.event.config"
    status_code: [204]
    headers:
      Content-Type: application/json
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"

- name: Remove local LDAP json file
  delegate_to: localhost
  file:
    path: "/tmp/{{ item }}"
    state: absent
  with_items:
    - ldap.config
    - ldap.mapper.group
    - keycloak.event.config
  changed_when: false