Merge pull request freeipa#1105 from t-woerner/new_idp_module

New idp management module

README-idp.md

@@ -0,0 +1,192 @@
+Idp module
+============
+
+Description
+-----------
+
+The idp module allows to ensure presence and absence of idps.
+
+Features
+--------
+
+* Idp management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaidp module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.13
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure keycloak idp my-keycloak-idp is present:
+
+```yaml
+---
+- name: Playbook to manage IPA idp.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure keycloak idp my-keycloak-idp is present
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name: my-keycloak-idp
+      provider: keycloak
+      organization: main
+      base_url: keycloak.idm.example.com:8443/auth
+      client_id: my-client-id
+```
+
+
+Example playbook to make sure keycloak idp my-keycloak-idp is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA idp.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure keycloak idp my-keycloak-idp is absent
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name: my-keycloak-idp
+      delete_continue: true
+      state: absent
+```
+
+
+Example playbook to make sure github idp my-github-idp is present:
+
+```yaml
+---
+- name: Playbook to manage IPA idp.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure github idp my-github-idp is present
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name: my-github-idp
+      provider: github
+      client_id: my-github-client-id
+```
+
+
+Example playbook to make sure google idp my-google-idp is present using provider defaults without specifying provider:
+
+```yaml
+---
+- name: Playbook to manage IPA idp.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name: my-google-idp
+      auth_uri: https://accounts.google.com/o/oauth2/auth
+      dev_auth_uri: https://oauth2.googleapis.com/device/code
+      token_uri: https://oauth2.googleapis.com/token
+      keys_uri: https://www.googleapis.com/oauth2/v3/certs
+      userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
+      client_id: my-google-client-id
+      scope: "openid email"
+      idp_user_id: email
+```
+
+
+Example playbook to make sure google idp my-google-idp is present using provider:
+
+```yaml
+---
+- name: Playbook to manage IPA idp.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure google idp my-google-idp is present using provider
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name: my-google-idp
+      provider: google
+      client_id: my-google-client-id
+```
+
+
+Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:
+
+```yaml
+---
+- name: Playbook to manage IPA idp.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - my-keycloak-idp
+      - my-github-idp
+      - my-google-idp
+      delete_continue: true
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | false
+`name` \| `cn` | The list of idp name strings. | yes
+auth_uri \| ipaidpauthendpoint | OAuth 2.0 authorization endpoint string. | no
+dev_auth_uri \| ipaidpdevauthendpoint | Device authorization endpoint string. | no
+token_uri \| ipaidptokenendpoint | Token endpoint string. | no
+userinfo_uri \| ipaidpuserinfoendpoint | User information endpoint string. | no
+keys_uri \| ipaidpkeysendpoint | JWKS endpoint string. | no
+issuer_url \| ipaidpissuerurl | The Identity Provider OIDC URL string. | no
+client_id \| ipaidpclientid | OAuth 2.0 client identifier string. | no
+secret \| ipaidpclientsecret | OAuth 2.0 client secret string. | no
+scope \| ipaidpscope | OAuth 2.0 scope string. Multiple scopes separated by space. | no
+idp_user_id \| ipaidpsub | Attribute string for user identity in OAuth 2.0 userinfo. | no
+provider \| ipaidpprovider | Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] | no
+organization \| ipaidporg | Organization ID string or Realm name for IdP provider templates. | no
+base_url \| ipaidpbaseurl | Base URL string for IdP provider templates. | no
+rename \| new_name | New name for the Identity Provider server object. Only with `state: renamed`. | no
+delete_continue \| continue | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, `renamed`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README.md

@@ -32,6 +32,7 @@ Features
 * Modules for hostgroup management
 * Modules for idoverridegroup management
 * Modules for idoverrideuser management
+* Modules for idp management
 * Modules for idrange management
 * Modules for idview management
 * Modules for location management
@@ -445,6 +446,7 @@ Modules in plugin/modules
 * [ipahostgroup](README-hostgroup.md)
 * [idoverridegroup](README-idoverridegroup.md)
 * [idoverrideuser](README-idoverrideuser.md)
+* [idp](README-idp.md)
 * [idrange](README-idrange.md)
 * [idview](README-idview.md)
 * [ipalocation](README-location.md)

playbooks/idp/idp-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Idp absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure github idp my-github-idp is absent
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name: my-github-idp
+      state: absent

playbooks/idp/idp-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Idp present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure github idp my-github-idp is present
+    ipaidp:
+      ipaadmin_password: SomeADMINpassword
+      name: my-github-idp
+      provider: github
+      client_id: my-github-client-id

plugins/module_utils/ansible_freeipa_module.py

@@ -30,7 +30,7 @@
            "kinit_password", "kinit_keytab", "run", "DN", "VERSION",
            "paths", "tasks", "get_credentials_if_valid", "Encoding",
            "DNSName", "getargspec", "certificate_loader",
-           "write_certificate_list", "boolean"]
+           "write_certificate_list", "boolean", "template_str"]
 
 import os
 # ansible-freeipa requires locale to be C, IPA requires utf-8.
@@ -90,6 +90,7 @@ def getargspec(func):
     except ImportError:
         from ipapython.ipautil import kinit_password, kinit_keytab
     from ipapython.ipautil import run
+    from ipapython.ipautil import template_str
     from ipapython.dn import DN
     from ipapython.version import VERSION
     from ipaplatform.paths import paths