community.general/tests/integration/targets/keycloak_group_rolemapping/tasks/main.yml

# Copyright (c) 2023, Alexander Groß (@agross)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

- name: Create realm
  community.general.keycloak_realm:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    id: "{{ realm }}"
    realm: "{{ realm }}"
    state: present

- name: Create realm roles
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    name: "{{ item }}"
    state: present
  loop:
    - "{{ role_1 }}"
    - "{{ role_2 }}"

- name: Create group
  community.general.keycloak_group:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    name: "{{ group }}"
    state: present

- name: Map realm roles to group
  community.general.keycloak_realm_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    group_name: "{{ group }}"
    roles:
      - name: "{{ role_1 }}"
      - name: "{{ role_2 }}"
    state: present
  register: result

- name: Assert realm roles are assigned to group
  ansible.builtin.assert:
    that:
      - result is changed
      - result.end_state | count == 2

- name: Map realm roles to group again (idempotency)
  community.general.keycloak_realm_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    group_name: "{{ group }}"
    roles:
      - name: "{{ role_1 }}"
      - name: "{{ role_2 }}"
    state: present
  register: result

- name: Assert realm roles stay assigned to group
  ansible.builtin.assert:
    that:
      - result is not changed

- name: Unmap realm role 1 from group
  community.general.keycloak_realm_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    group_name: "{{ group }}"
    roles:
      - name: "{{ role_1 }}"
    state: absent
  register: result

- name: Assert realm role 1 is unassigned from group
  ansible.builtin.assert:
    that:
      - result is changed
      - result.end_state | count == 1
      - result.end_state[0] == role_2

- name: Unmap realm role 1 from group again (idempotency)
  community.general.keycloak_realm_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    group_name: "{{ group }}"
    roles:
      - name: "{{ role_1 }}"
    state: absent
  register: result

- name: Assert realm role 1 stays unassigned from group
  ansible.builtin.assert:
    that:
      - result is not changed

- name: Unmap realm role 2 from group
  community.general.keycloak_realm_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    group_name: "{{ group }}"
    roles:
      - name: "{{ role_2 }}"
    state: absent
  register: result

- name: Assert no realm roles are assigned to group
  ansible.builtin.assert:
    that:
      - result is changed
      - result.end_state | count == 0

- name: Unmap realm role 2 from group again (idempotency)
  community.general.keycloak_realm_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"

    realm: "{{ realm }}"
    group_name: "{{ group }}"
    roles:
      - name: "{{ role_2 }}"
    state: absent
  register: result

- name: Assert no realm roles are assigned to group
  ansible.builtin.assert:
    that:
      - result is not changed
      - result.end_state | count == 0
[PR #7663/f7bc6964 backport][stable-8] Add keycloak_realm_rolemapping module to map realm roles to groups (#7785) Add keycloak_realm_rolemapping module to map realm roles to groups (#7663) * Add keycloak_realm_rolemapping module to map realm roles to groups * Whitespace * Description in plain English * Casing * Update error reporting as per #7645 * Add agross as maintainer of keycloak_realm_rolemapping module * cid and client_id are not used here * Credit other authors * mhuysamen submitted #7645 * Gaetan2907 authored keycloak_client_rolemapping.py which I took as a basis * Add integration tests * With Keycloak 23 realmRoles are only returned if assigned * Remove debug statement * Add test verifying that unmap works when no realm roles are assigned * Add license to readme * Change version number this module was added * Document which versions of the docker images have been tested * Downgrade version_added Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit f7bc6964be2d052278bf291f689dc2b85c609013) Co-authored-by: Alexander Groß <agross@therightstuff.de> 2023-12-28 18:28:03 +01:00			`# Copyright (c) 2023, Alexander Groß (@agross)`
			`# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)`
			`# SPDX-License-Identifier: GPL-3.0-or-later`

			`- name: Create realm`
			`community.general.keycloak_realm:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`id: "{{ realm }}"`
			`realm: "{{ realm }}"`
			`state: present`

			`- name: Create realm roles`
			`community.general.keycloak_role:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`name: "{{ item }}"`
			`state: present`
			`loop:`
			`- "{{ role_1 }}"`
			`- "{{ role_2 }}"`

			`- name: Create group`
			`community.general.keycloak_group:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`name: "{{ group }}"`
			`state: present`

			`- name: Map realm roles to group`
			`community.general.keycloak_realm_rolemapping:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`group_name: "{{ group }}"`
			`roles:`
			`- name: "{{ role_1 }}"`
			`- name: "{{ role_2 }}"`
			`state: present`
			`register: result`

			`- name: Assert realm roles are assigned to group`
			`ansible.builtin.assert:`
			`that:`
			`- result is changed`
			`- result.end_state \| count == 2`

			`- name: Map realm roles to group again (idempotency)`
			`community.general.keycloak_realm_rolemapping:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`group_name: "{{ group }}"`
			`roles:`
			`- name: "{{ role_1 }}"`
			`- name: "{{ role_2 }}"`
			`state: present`
			`register: result`

			`- name: Assert realm roles stay assigned to group`
			`ansible.builtin.assert:`
			`that:`
			`- result is not changed`

			`- name: Unmap realm role 1 from group`
			`community.general.keycloak_realm_rolemapping:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`group_name: "{{ group }}"`
			`roles:`
			`- name: "{{ role_1 }}"`
			`state: absent`
			`register: result`

			`- name: Assert realm role 1 is unassigned from group`
			`ansible.builtin.assert:`
			`that:`
			`- result is changed`
			`- result.end_state \| count == 1`
			`- result.end_state[0] == role_2`

			`- name: Unmap realm role 1 from group again (idempotency)`
			`community.general.keycloak_realm_rolemapping:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`group_name: "{{ group }}"`
			`roles:`
			`- name: "{{ role_1 }}"`
			`state: absent`
			`register: result`

			`- name: Assert realm role 1 stays unassigned from group`
			`ansible.builtin.assert:`
			`that:`
			`- result is not changed`

			`- name: Unmap realm role 2 from group`
			`community.general.keycloak_realm_rolemapping:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`group_name: "{{ group }}"`
			`roles:`
			`- name: "{{ role_2 }}"`
			`state: absent`
			`register: result`

			`- name: Assert no realm roles are assigned to group`
			`ansible.builtin.assert:`
			`that:`
			`- result is changed`
			`- result.end_state \| count == 0`

			`- name: Unmap realm role 2 from group again (idempotency)`
			`community.general.keycloak_realm_rolemapping:`
			`auth_keycloak_url: "{{ url }}"`
			`auth_realm: "{{ admin_realm }}"`
			`auth_username: "{{ admin_user }}"`
			`auth_password: "{{ admin_password }}"`

			`realm: "{{ realm }}"`
			`group_name: "{{ group }}"`
			`roles:`
			`- name: "{{ role_2 }}"`
			`state: absent`
			`register: result`

			`- name: Assert no realm roles are assigned to group`
			`ansible.builtin.assert:`
			`that:`
			`- result is not changed`
			`- result.end_state \| count == 0`