feat: opencloud group provisioning via oidc

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>

roles/keycloak/tasks/provisioning.yml

@@ -163,6 +163,7 @@
     direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(false) }}"
     protocol: openid-connect
     default_client_scopes: "{{ item.default_client_scopes | default(['openid', 'email', 'profile']) }}"
+    protocol_mappers: "{{ item.protocol_mappers | default(omit) }}"
     state: present
     validate_certs: false
   loop: "{{ keycloak_oidc_clients }}"

roles/opencloud/defaults/main.yml

@@ -64,6 +64,17 @@ opencloud_ldap_group_schema_groupname: "cn"
 opencloud_ldap_group_schema_member: "member"
 opencloud_ldap_write_enabled: false
 
+# Role assignment via OIDC (set opencloud_role_assignment_driver to "oidc" to enable)
+opencloud_role_assignment_driver: "default"
+opencloud_role_assignment_oidc_claim: "groups"
+opencloud_role_mapping: []
+# Example mapping LDAP groups to OpenCloud roles:
+# opencloud_role_mapping:
+#   - role_name: admin
+#     claim_value: admins
+#   - role_name: user
+#     claim_value: users
+
 # Draw.io integration (set opencloud_drawio_url to enable)
 opencloud_drawio_url: ""
 opencloud_drawio_theme: "minimal"

roles/opencloud/tasks/main.yml

@@ -34,6 +34,16 @@
   when: opencloud_csp_extra_connect_src | length > 0 or opencloud_csp_extra_frame_src | length > 0
   notify: restart opencloud
 
+- name: Create proxy role assignment config
+  template:
+    src: proxy.yaml.j2
+    dest: "{{ opencloud_docker_volume_dir }}/config/proxy.yaml"
+    owner: "1000"
+    group: "1000"
+    mode: '0644'
+  when: opencloud_role_assignment_driver == "oidc" and opencloud_role_mapping | length > 0
+  notify: restart opencloud
+
 - name: Create draw.io extension apps directory
   file:
     path: "{{ opencloud_docker_volume_dir }}/data/web/assets/apps/draw-io"

roles/opencloud/templates/docker-compose.yml.j2

@@ -35,6 +35,12 @@ services:
       PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/opencloud/csp-override.yaml"
 {% endif %}
       IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
+{% if opencloud_role_assignment_driver == "oidc" %}
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "{{ opencloud_role_assignment_oidc_claim }}"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+{% endif %}
 {% if opencloud_oidc_issuer %}
       OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
       OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"

roles/opencloud/templates/proxy.yaml.j2

@@ -0,0 +1,9 @@
+role_assignment:
+  driver: oidc
+  oidc_role_mapper:
+    role_claim: {{ opencloud_role_assignment_oidc_claim }}
+    role_mapping:
+{% for mapping in opencloud_role_mapping %}
+      - role_name: {{ mapping.role_name }}
+        claim_value: "{{ mapping.claim_value }}"
+{% endfor %}