1
0
Fork 0
selfhostblocks/keycloak-cli-config/configcreator.nix

211 lines
5.7 KiB
Nix
Raw Normal View History

{ stdenv
, pkgs
, lib
}:
{ realm
, domain
, roles ? {}
, clients ? {}
, users ? {}
2023-02-12 06:28:00 +01:00
, groups ? []
}:
with builtins;
with (pkgs.lib.attrsets);
let
mkRole = k: v:
let
iscomposite = (length v) > 0;
in {
name = k;
2023-02-12 06:28:00 +01:00
composite = if iscomposite then true else false;
} // optionalAttrs iscomposite {
composites = {
realm = v;
};
};
mkClientRole =
let
2023-02-12 06:28:00 +01:00
roles = config: config.roles or [];
c = v:
{
name = v;
2023-02-12 06:28:00 +01:00
clientRole = true;
};
in k: config: map c (roles config);
2023-02-12 06:28:00 +01:00
mkGroup = name: {
inherit name;
path = "/${name}";
attributes = {};
realmRoles = [];
clientRoles = {};
subGroups = [];
};
mkClient = k: config:
let
url = "https://${k}.${domain}";
in
{
clientId = k;
rootUrl = url;
clientAuthenticatorType = "client-secret";
2023-02-12 06:28:00 +01:00
redirectUris = ["${url}/oauth2/callback"];
webOrigins = [url];
2023-02-12 06:28:00 +01:00
authorizationServicesEnabled = true;
serviceAccountsEnabled = true;
protocol = "openid-connect";
2023-02-12 06:28:00 +01:00
publicClient = false;
protocolMappers = [
{
name = "Client ID";
protocol = "openid-connect";
protocolMapper = "oidc-usersessionmodel-note-mapper";
consentRequired = false;
config = {
"user.session.note" = "clientId";
"id.token.claim" = "true";
"access.token.claim" = "true";
"claim.name" = "clientId";
"jsonType.label" = "String";
};
}
{
name = "Client Host";
protocol = "openid-connect";
protocolMapper = "oidc-usersessionmodel-note-mapper";
consentRequired = false;
config = {
"user.session.note" = "clientHost";
"id.token.claim" = "true";
"access.token.claim" = "true";
"claim.name" = "clientHost";
"jsonType.label" = "String";
};
}
{
name = "Client IP Address";
protocol = "openid-connect";
protocolMapper = "oidc-usersessionmodel-note-mapper";
consentRequired = false;
config = {
"user.session.note" = "clientAddress";
"id.token.claim" = "true";
"access.token.claim" = "true";
"claim.name" = "clientAddress";
"jsonType.label" = "String";
};
}
{
name = "Audience";
protocol = "openid-connect";
protocolMapper = "oidc-audience-mapper";
config = {
"included.client.audience" = k;
"id.token.claim" = "false";
"access.token.claim" = "true";
"included.custom.audience" = k;
};
}
{
name = "Group";
protocol = "openid-connect";
protocolMapper = "oidc-group-membership-mapper";
config = {
"full.path" = "true";
"id.token.claim" = "true";
"access.token.claim" = "true";
"claim.name" = "groups";
"userinfo.token.claim" = "true";
};
}
];
authorizationSettings = {
policyEnforcementMode = "ENFORCING";
resources =
let
mkResource = name: uris: {
inherit name;
type = "urn:${k}:resources:${name}";
ownerManagedAccess = false;
inherit uris;
};
in
mapAttrsToList mkResource (config.resourcesUris or {});
policies =
let
mkPolicyRole = role: {
id = role;
required = true;
};
mkPolicy = name: roles: {
name = "${concatStringsSep "," roles} has access";
type = "role";
logic = "POSITIVE";
decisionStrategy = "UNANIMOUS";
config = {
roles = toJSON (map mkPolicyRole roles);
};
};
mkPermission = name: roles: resources: {
name = "${concatStringsSep "," roles} has access to ${concatStringsSep "," resources}";
type = "resource";
logic = "POSITIVE";
decisionStrategy = "UNANIMOUS";
config = {
resources = toJSON resources;
applyPolicies = toJSON (map (r: "${concatStringsSep "," roles} has access") roles);
};
};
in
(mapAttrsToList (name: {roles, ...}: mkPolicy name roles) (config.access or {}))
++ (mapAttrsToList (name: {roles, resources}: mkPermission name roles resources) (config.access or {}));
};
};
mkUser = k: config:
{
username = k;
2023-02-12 06:28:00 +01:00
enabled = true;
emailVerified = true;
2023-02-12 06:28:00 +01:00
inherit (config) email firstName lastName;
} // optionalAttrs (config ? "groups") {
inherit (config) groups;
} // optionalAttrs (config ? "roles") {
realmRoles = config.roles;
} // optionalAttrs (config ? "initialPassword") {
2022-10-19 09:29:14 +02:00
credentials = [
{
type = "password";
userLabel = "initial";
value = "$(keycloak.users.${k}.password)";
}
];
};
in
{
inherit realm;
id = realm;
2023-02-12 06:28:00 +01:00
enabled = true;
clients = mapAttrsToList mkClient clients;
roles = {
realm = mapAttrsToList mkRole roles;
client = mapAttrs mkClientRole clients;
};
2023-02-12 06:28:00 +01:00
groups = map mkGroup groups;
users = mapAttrsToList mkUser users;
}