Fix RBAC groups handling and refactor Keycloak role

- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set). - Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS). - Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables. - Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'. - Refactored Keycloak role task structure: * Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.). * Introduced meta and dependency handling separation. - Cleaned up Keycloak config defaults and recaptcha placeholders.
2025-08-29 15:06:26 +02:00 · 2025-08-17 23:27:01 +02:00
parent 5f0762e4f6 5642793f4a
commit d1cd87c843
24 changed files with 66 additions and 58 deletions
--- a/roles/web-app-keycloak/tasks/05_rbac_client_scope.yml
+++ b/roles/web-app-keycloak/tasks/05_rbac_client_scope.yml
@@ -0,0 +1,72 @@
+# --- Ensure RBAC client scope exists (idempotent) ---
+- name: Ensure RBAC client scope exists
+  shell: |
+    cat <<'JSON' | {{ KEYCLOAK_EXEC_KCADM }} create client-scopes -r {{ KEYCLOAK_REALM }} -f -
+    {{
+      (
+        KEYCLOAK_DICTIONARY_REALM.clientScopes
+        | selectattr('name','equalto', KEYCLOAK_RBAC_GROUP_CLAIME)
+        | list | first
+      ) | to_json
+    }}
+    JSON
+  register: create_rbac_scope
+  changed_when: create_rbac_scope.rc == 0
+  failed_when: create_rbac_scope.rc != 0 and
+               ('already exists' not in (create_rbac_scope.stderr | lower))
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+# --- Get the scope id we will attach to the client ---
+- name: Get all client scopes
+  shell: "{{ KEYCLOAK_EXEC_KCADM }} get client-scopes -r {{ KEYCLOAK_REALM }} --format json"
+  register: all_scopes
+  changed_when: false
+
+- name: Extract RBAC scope id
+  set_fact:
+    scope_id_rbac: >-
+      {{ (
+          all_scopes.stdout | from_json
+          | selectattr('name','equalto', KEYCLOAK_RBAC_GROUP_CLAIME)
+          | list | first | default({})
+        ).id | default('') }}
+
+- name: Resolve application client id
+  shell: >
+    {{ KEYCLOAK_EXEC_KCADM }} get clients
+    -r {{ KEYCLOAK_REALM }}
+    --query 'clientId={{ KEYCLOAK_CLIENT_ID }}'
+    --fields id --format json | jq -r '.[0].id'
+  register: app_client_id_cmd
+  changed_when: false
+
+- name: Sanity check IDs
+  assert:
+    that:
+      - scope_id_rbac | length > 0
+      - (app_client_id_cmd.stdout | trim) is match('^[0-9a-f-]+$')
+    fail_msg: "Could not determine client or scope ID."
+
+- name: Get current optional client scopes
+  shell: >
+    {{ KEYCLOAK_EXEC_KCADM }} get
+    clients/{{ app_client_id_cmd.stdout | trim }}/optional-client-scopes
+    -r {{ KEYCLOAK_REALM }} --format json
+  register: opt_scopes
+  changed_when: false
+
+- name: Decide if RBAC scope already assigned
+  set_fact:
+    has_rbac_optional: >-
+      {{ (opt_scopes.stdout | from_json
+          | selectattr('id','equalto', scope_id_rbac) | list | length) > 0 }}
+
+- name: Ensure RBAC scope assigned as optional (only if missing)
+  when: not has_rbac_optional
+  shell: >
+    {{ KEYCLOAK_EXEC_KCADM }} update
+    clients/{{ app_client_id_cmd.stdout | trim }}/optional-client-scopes/{{ scope_id_rbac }}
+    -r {{ KEYCLOAK_REALM }}
+  register: add_opt
+  changed_when: true
+  failed_when: add_opt.rc != 0