From e1b2fd53948a649fb4a4c20ad0109752da8a10bf Mon Sep 17 00:00:00 2001
From: Kevin
Date: Thu, 20 Feb 2025 18:29:16 +0100
Subject: [PATCH] =?UTF-8?q?Ajout=20de=20la=20configuration=20du=20client?=
 =?UTF-8?q?=20Keycloak=20et=20du=20scope=20profile=20dans=20les=20playbook?=
 =?UTF-8?q?s=20Ansible,=20incluant=20l'installation=20de=20packages=20supp?=
 =?UTF-8?q?l=C3=A9mentaires=20pour=20Docker.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ansible/playbooks/1_docker.yml | 11 +++++
 ansible/playbooks/3_keycloak.yml | 73 ++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)

diff --git a/ansible/playbooks/1_docker.yml b/ansible/playbooks/1_docker.yml
index 3e5c204..537b303 100644
--- a/ansible/playbooks/1_docker.yml
+++ b/ansible/playbooks/1_docker.yml
@@ -9,6 +9,8 @@
     git_dest: "/opt/Neah-Enkun"
     git_branch: "master"
     traefik_service_name: "traefik"
+    packages:
+      - jq
     docker_packages:
       - apt-transport-https
       - ca-certificates
@@ -33,6 +35,15 @@
         delay: 5
 
   tasks:
+    - name: Installation de packages supplémentaires
+      apt:
+        name: "{{ packages }}"
+        state: present
+      register: pkg_status
+      until: pkg_status is success
+      retries: 3
+      delay: 5
+
     - name: Installer les dépendances pour Docker
       apt:
         name: "{{ docker_packages }}"
diff --git a/ansible/playbooks/3_keycloak.yml b/ansible/playbooks/3_keycloak.yml
index ff83427..5d3eecc 100644
--- a/ansible/playbooks/3_keycloak.yml
+++ b/ansible/playbooks/3_keycloak.yml
@@ -33,6 +33,16 @@
       - account/view-profile
     student_permissions:
       - master-realm/view-users
+    keycloak_client:
+      client_id: "front"
+      client_secret: "Klsbm7hzyXscypXU0wUPPVBrttFPt6Pn"
+      root_url: "http://neah.local/"
+      redirect_uris:
+        - "http://neah.local/*"
+        - "http://localhost:3000/*"
+      web_origins:
+        - "http://neah.local"
+        - "http://localhost:3000"
 
   tasks:
     - name: Lancer le service Keycloak
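Review bot: `client_secret: "Klsbm7hzyXscypXU0wUPPVBrttFPt6Pn"` in the 3_keycloak.yml hunk commits what looks like a real Keycloak client secret in plaintext, so it is now part of the repository history and will appear wherever this var is rendered or logged. Keep the key but source the value from outside the playbook, e.g. `client_secret: "{{ lookup('env', 'KEYCLOAK_CLIENT_SECRET') }}"` or an Ansible Vault-encrypted vars file, and treat the committed value as exposed. The `http://` `root_url`/`web_origins` and the wildcard `redirect_uris` read as local-development settings; if this playbook also targets other environments, a comment above `keycloak_client:` stating that assumption would help, since wildcard redirect URIs widen where authorization responses may be sent.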
@@ -130,6 +140,69 @@
           debug:
             msg: "Erreur lors de l'attribution des permissions aux rôles"
 
+    - name: Configurer le client front
+      block:
+        - name: Créer le client
+          shell: >
+            docker exec {{ keycloak_container }} {{ keycloak_bin }} create clients -r {{ keycloak_realm }}
+            -s clientId={{ keycloak_client.client_id }}
+            -s secret={{ keycloak_client.client_secret }}
+            -s protocol=openid-connect
+            -s publicClient=false
+            -s authorizationServicesEnabled=true
+            -s serviceAccountsEnabled=true
+            -s standardFlowEnabled=true
+            -s implicitFlowEnabled=true
+            -s directAccessGrantsEnabled=true
+            -s rootUrl={{ keycloak_client.root_url }}
+            -s baseUrl={{ keycloak_client.root_url }}
+            -s 'redirectUris=["{{ keycloak_client.redirect_uris | join('","') }}"]'
+            -s 'webOrigins=["{{ keycloak_client.web_origins | join('","') }}"]'
+          register: create_client
+          until: create_client is success
+          retries: 3
+          delay: 5
+      when: check_config.rc != 0
+      rescue:
+        - name: Gérer les erreurs de création du client
+          debug:
+            msg: "Erreur lors de la création du client front"
+
+    - name: Configurer le Client Scope Profile
+      block:
+        - name: Récupérer l'ID du scope profile
+          shell: |
+            ID=$(docker exec {{ keycloak_container }} {{ keycloak_bin }} get client-scopes -r {{ keycloak_realm }} --fields id,name --format json | jq -r '.[] | select(.name=="profile") | .id')
+            echo $ID
+          register: profile_scope_id
+          until: profile_scope_id.stdout != ""
+          retries: 3
+          delay: 5
+
+        - name: Ajouter le Mapper realm roles au scope profile
+          shell: >
+            docker exec {{ keycloak_container }} {{ keycloak_bin }} create client-scopes/{{ profile_scope_id.stdout | trim }}/protocol-mappers/models
+            -r {{ keycloak_realm }}
+            -s name="realm roles"
+            -s protocol="openid-connect"
+            -s protocolMapper="oidc-usermodel-realm-role-mapper"
+            -s 'config."id.token.claim"=true'
+            -s 'config."access.token.claim"=true'
+            -s 'config."userinfo.token.claim"=true'
+            -s 'config."claim.name"="realm_roles"'
+            -s 'config."introspection.token.claim"=true'
+            -s 'config."multivalued"=true'
+          register: create_mapper
+          until: create_mapper is success
+          retries: 3
+          delay: 5
+          when: profile_scope_id.stdout != ""
+      when: check_config.rc != 0
+      rescue:
+        - name: Gérer les erreurs de configuration du mapper
+          debug:
+            msg: "Erreur lors de la configuration du mapper realm roles"
+
     - name: Supprimer l'administrateur temporaire
       block:
         - name: Récupérer les informations
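Review bot: The `Créer le client` task passes `keycloak_client.client_secret` on the `docker exec` command line with no `no_log: true`, so the secret ends up in Ansible's task output and logs and is visible in the process list while the command runs; add `no_log: true` beside `register: create_client`. The same command sets `implicitFlowEnabled=true` and `directAccessGrantsEnabled=true`, the two grant types that current OAuth guidance discourages for new clients, and also turns on `authorizationServicesEnabled` and `serviceAccountsEnabled`; unless the front end relies on them, `-s implicitFlowEnabled=false` and `-s directAccessGrantsEnabled=false` would be the safer default, and the other two deserve a comment explaining why they are needed. Jinja values are interpolated into both `shell:` commands unquoted, so a value containing shell metacharacters would break or alter the command; applying `| quote` to each interpolated var (e.g. `{{ keycloak_client.client_secret | quote }}`) avoids that. Both new `rescue:` blocks only `debug:` a message, so a failed client or mapper creation leaves the play green and `Supprimer l'administrateur temporaire` still runs; this matches the existing rescue pattern at the top of the hunk, but a comment noting that the failure is deliberately non-fatal (or a `fail:` task) would make the intent explicit. The `tasks:` list these entries belong to starts before the hunk.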