LDAP-Gruppe active per cron setzen/entfernen

webserver/docker_keycloak/tasks/main.yml

@@ -13,6 +13,7 @@
   with_items:
     - /srv/keycloak/
     - /srv/keycloak/db/
+    - /srv/keycloak/sync-group-active/
     - /srv/keycloak/themes/
     - /srv/keycloak/themes/keycloak/
     - /srv/keycloak/themes/keycloak/account/
@@ -26,6 +27,8 @@
     dest: "/srv/keycloak/{{ item }}"
   with_items:
     - docker-compose.yml
+    - sync-group-active/Dockerfile
+    - sync-group-active/main.py
     - themes/keycloak/account/account.ftl
     - themes/keycloak/login/register.ftl
     - welcome-content/index.html

webserver/docker_keycloak/templates/docker-compose.yml

@@ -49,6 +49,20 @@ services:
       - default      
 
 
+  sync-group-active:
+
+    build: 
+      context: /srv/keycloak/sync-group-active/
+      dockerfile: /srv/keycloak/sync-group-active/Dockerfile
+    restart: always
+    depends_on:
+      - app
+    volumes:
+      - /srv/keycloak/sync-group-active/:/usr/src/app/
+    networks:
+      - default      
+
+
 networks:
   mail:
     external: true    

webserver/docker_keycloak/templates/sync-group-active/Dockerfile

+
+FROM python:3.9-alpine3.13
+
+RUN pip install python-keycloak
+
+WORKDIR /usr/src/app
+
+CMD [ "python", "/usr/src/app/main.py" ]
+

webserver/docker_keycloak/templates/sync-group-active/main.py

+# Automatische Verwaltung der /active -Gruppe, damit diese auch im LDAP korrekt zugewiesen wird. 
+# Die Gruppe wird für legacy-Anwendungen benötigt, die lediglich auf dem LDAP basieren.
+# Python API: https://pypi.org/project/python-keycloak/
+
+import logging 
+
+from datetime import datetime, timezone
+from time import sleep
+from threading import Timer
+from keycloak import KeycloakAdmin
+
+# Debug flag
+DEBUG = False
+
+llevel = logging.INFO
+if DEBUG:
+  llevel = logging.DEBUG
+
+logging.basicConfig(format='%(asctime)s [%(levelname)s] %(message)s', datefmt='%Y-%m-%d %H:%M:%S %Z', level=llevel)
+
+# Sleep time for loops 
+LOOP_START_SECONDS = 60
+LOOP_SLEEP_SECONDS = 4*60*60
+
+if DEBUG:
+  LOOP_START_SECONDS = 20
+  LOOP_SLEEP_SECONDS = 30
+
+# Keycloak Setup 
+KEYCLOAK_URL = "https://keycloak.warpzone.ms/auth/"
+KEYCLOAK_REALM = "master"
+KEYCLOAK_ADMIN_USER = "keycloakadmin"
+KEYCLOAK_ADMIN_PASS = "{{ keycloak_admin_pass }}"
+
+
+def main_loop():
+
+  while(True):
+
+    keycloak_admin = KeycloakAdmin(server_url=KEYCLOAK_URL, username=KEYCLOAK_ADMIN_USER, password=KEYCLOAK_ADMIN_PASS, realm_name=KEYCLOAK_REALM, verify=True)
+
+    logging.info("START: connected to keycloak")
+
+    group_active = keycloak_admin.get_group_by_path(path='/active', search_in_subgroups=False)
+
+    logging.debug("Group /active: %s" % group_active)
+
+
+    # Abfrage der aktiven Benutzer mit verifizierter E-Mail Adresse
+    # Wenn diese noch nicht die Rolle /active haben wird diese zugewiesen
+
+    users_active = keycloak_admin.get_users({ 'enabled': True, 'emailVerified': True })
+
+    for user in users_active:
+      logging.debug("User active %s" %  user['username'])
+      if user['username'] == KEYCLOAK_ADMIN_USER:
+        continue
+      groups = keycloak_admin.get_user_groups(user['id'])
+      logging.debug(groups)
+      has_group = False
+      for group in groups:
+        if group['id'] == group_active['id']:
+          has_group = True
+      logging.debug("has_group = %s" % has_group)
+      if has_group == False:
+        logging.info('User: %s => Add group active'  % user['username'])
+        keycloak_admin.group_user_add(user['id'], group_active['id'])
+
+
+    # Abfrage der inaktiven Benutzer und entfernen der Gruppe /active falls diese noch zugewiesen ist
+
+    users_inactive = keycloak_admin.get_users({ 'enabled': False })
+
+    for user in users_inactive:
+      logging.debug("User inactive %s" %  user['username'])
+      if user['username'] == KEYCLOAK_ADMIN_USER:
+        continue
+      groups = keycloak_admin.get_user_groups(user['id'])
+      logging.debug(groups)
+      for group in groups:
+        if group['id'] == group_active['id']:
+          logging.info('User: %s => Remove group active'  % user['username'])
+          keycloak_admin.group_user_remove(user['id'], group_active['id'])
+
+    logging.info("DONE (loop)")
+
+    # sleep and repeat 
+    sleep(LOOP_SLEEP_SECONDS)
+
+
+logging.info("START (pre-loop)")
+
+t = Timer(LOOP_START_SECONDS, main_loop)
+t.start()
+t.join()
+
+logging.info("DONE (final)")
+
+
+