New iam client registration (#11)

* Implemented new IAM client registration * Implemented new iam-client policy * Implemented new iam-client policy * Implemented new iam-client policy * Implemented new iam-client policy * Fixed the grafana_port variable check * New IAM client registration * Removed whitespace --------- Co-authored-by: Gioacchino Vino <[email protected]>
DODAS-TS · Mar 6, 2024 · 4eee16d · 4eee16d
1 parent 7173205
commit 4eee16d
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 48 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -10,6 +10,8 @@ monitoring_iam_groups: "beta_testers" # group1 group2
 monitoring_iam_admin_groups: "" # group1 group2
 monitoring_server_ip: "" # 192.168.1.42
 monitoring_dns_name: ""
+monitoring_iam_client_id: ""
+monitoring_iam_token: ""
 
 service_grafana: yes
 service_grafana_port: 3000

diff --git a/tasks/grafana.yml b/tasks/grafana.yml
@@ -32,59 +32,25 @@
     dest: /usr/local/share/dodasts/monitoring
     directory_mode: 0755
 
-
-- name: check if the oidc client file already exists
-  stat:
-    path: "/usr/local/share/dodasts/monitoring/.client-iam.json"
-  register: oidc_config
-
-
-- block:
-  - name: Retrieve registration endpoint from OpenID configuration
-    uri:
-      url: "{{ monitoring_iam_url }}/.well-known/openid-configuration"
-      method: GET
-      return_content: yes
-    register: openid_config
-
-  - name: Set registration endpoint variable
-    set_fact:
-      registration_endpoint: "{{ openid_config.json.registration_endpoint }}"
-
-  - name: Register iam client
-    uri:
-      url: "{{ registration_endpoint }}"
-      validate_certs: "no"
-      method: POST
-      status_code: 201
-      headers:
-         Content-Type: "application/json"
-      body:
-        redirect_uris:
-          - "https://{{ monitoring_dns_name }}:{{ service_grafana_port }}/login/generic_oauth"
-        client_name: "oc-client"
-        token_endpoint_auth_method: client_secret_basic
-        scope: openid email profile
-        grant_types:
-          - authorization_code
-        response_types:
-          - code
-      body_format: json
-      return_content: yes
-    register: iam_response
-
-  - name: Save client info
-    copy:
-      content: "{{ iam_response.json }}"
-      dest: "/usr/local/share/dodasts/monitoring/.client-iam.json"
-  when: not oidc_config.stat.exists|bool
-
+# ---------- IAM Client retrieving, updating and local saving ----------
+- name: Check vars before interacting with the IAM issuer
+  ansible.builtin.assert:
+    that:
+      - monitoring_iam_url        | length > 0
+      - monitoring_iam_client_id  | length > 0
+      - monitoring_iam_token      | length > 0
+      - monitoring_dns_name       | length > 0
+      - service_grafana_port      is defined
+    fail_msg: Not defined variable among monitoring_iam_url, monitoring_iam_client_id, monitoring_iam_token, monitoring_dns_name and service_grafana_port.
+
+- name: Collect, Update and store locally the IAM Client info
+  ansible.builtin.include_tasks: iam-client.yml
+# ----------------------------------------------------------------------
 
 - name: Retrieve client info
   set_fact:
     iam_response: "{{ lookup('file', '/usr/local/share/dodasts/monitoring/.client-iam.json') }}"
 
-
 - name: Create grafana config
   template:
     src: grafana.ini.j2

diff --git a/tasks/iam-client.yml b/tasks/iam-client.yml
@@ -0,0 +1,50 @@
+---
+- name: Define the new redirect_uri variable
+  ansible.builtin.set_fact:
+    mon_iam_redirect_uri: "https://{{ monitoring_dns_name }}:{{ service_grafana_port }}/login/generic_oauth"
+
+- name: Retrieve registration endpoint from OpenID configuration
+  ansible.builtin.uri:
+    url: "{{ monitoring_iam_url }}/.well-known/openid-configuration"
+    method: GET
+    return_content: yes
+  register: openid_config
+
+- name: Set registration endpoint variable
+  ansible.builtin.set_fact:
+    registration_endpoint: "{{ openid_config.json.registration_endpoint }}"
+
+- name: Retrieve the IAM client info
+  ansible.builtin.uri:
+    url: "{{ registration_endpoint }}/{{ monitoring_iam_client_id }}"
+    method: GET
+    status_code: 200
+    headers:
+      Accept: "application/json"
+      Authorization: "Bearer {{ monitoring_iam_token }}"
+    return_content: true
+  register: iam_client_get_response
+
+- name: Modify client JSON
+  ansible.builtin.set_fact:
+    modified_client_info: "{{ iam_client_get_response.json | combine({'redirect_uris': iam_client_get_response.json.redirect_uris + [mon_iam_redirect_uri]}) }}"
+
+- name: Update client
+  ansible.builtin.uri:
+    url: "{{ registration_endpoint }}/{{ monitoring_iam_client_id }}"
+    validate_certs: "no"
+    method: PUT
+    status_code: 200
+    headers:
+      Authorization: "Bearer {{ monitoring_iam_token }}"
+      Content-Type: application/json
+    body_format: json
+    body: "{{ modified_client_info }}"
+    return_content: true
+  register: iam_response
+
+- name: Save client info
+  ansible.builtin.copy:
+    content: "{{ modified_client_info }}"
+    dest: /usr/local/share/dodasts/monitoring/.client-iam.json
+    mode: "0644"