Fixes #1226 - keycloak_client detects changes on check_mode but not in run mode (#7881)

* Fix warning integrated

* Update Keycloak version intergrated test

* Exclude metadata from diff test

* Sanity

* Add fragments

* typo

* Add test

* Update changelogs/fragments/7881-fix-keycloak-client-ckeckmode.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Remove docker compose

* Update changelogs/fragments/7881-fix-keycloak-client-ckeckmode.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Andre Desrosiers <andre.desrosiers@ssss.gouv.qc.ca>
Co-authored-by: Felix Fontein <felix@fontein.de>

changelogs/fragments/7881-fix-keycloak-client-ckeckmode.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - keycloak_client - fixes issue when metadata is provided in desired state when task is in check mode (https://github.com/ansible-collections/community.general/issues/1226, https://github.com/ansible-collections/community.general/pull/7881).

plugins/modules/keycloak_client.py

@@ -717,13 +717,14 @@ end_state:
 '''
 
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
-    keycloak_argument_spec, get_token, KeycloakError
+    keycloak_argument_spec, get_token, KeycloakError, is_struct_included
 from ansible.module_utils.basic import AnsibleModule
 import copy
 
 
 PROTOCOL_OPENID_CONNECT = 'openid-connect'
 PROTOCOL_SAML = 'saml'
+CLIENT_META_DATA = ['authorizationServicesEnabled']
 
 
 def normalise_cr(clientrep, remove_ids=False):
@@ -946,7 +947,7 @@ def main():
                 if module._diff:
                     result['diff'] = dict(before=sanitize_cr(before_norm),
                                           after=sanitize_cr(desired_norm))
-                result['changed'] = (before_norm != desired_norm)
+                result['changed'] = not is_struct_included(desired_norm, before_norm, CLIENT_META_DATA)
 
                 module.exit_json(**result)
 

tests/integration/targets/keycloak_client/README.md

@@ -4,14 +4,16 @@ GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://w
 SPDX-License-Identifier: GPL-3.0-or-later
 -->
 
-The integration test can be performed as follows:
+# Running keycloak_client module integration test
 
-```
+To run Keycloak client module's integration test, start a keycloak server using Docker:
-# 1. Start docker-compose:
-docker-compose -f tests/integration/targets/keycloak_client/docker-compose.yml stop
-docker-compose -f tests/integration/targets/keycloak_client/docker-compose.yml rm -f -v
-docker-compose -f tests/integration/targets/keycloak_client/docker-compose.yml up -d
 
-# 2. Run the integration tests:
+    docker run -d --rm --name mykeycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:latest start-dev --http-relative-path /auth
-ansible-test integration keycloak_client --allow-unsupported -v
+
-```
+Run the integration tests:
+
+    ansible-test integration -v keycloak_client --allow-unsupported --docker fedora35 --docker-network host
+
+Cleanup:
+
+    docker stop mykeycloak

tests/integration/targets/keycloak_client/docker-compose.yml

@@ -1,31 +0,0 @@
----
-# Copyright (c) Ansible Project
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-version: '3.4'
-
-services:
-  postgres:
-    image: postgres:9.6
-    restart: always
-    environment:
-      POSTGRES_USER: postgres
-      POSTGRES_DB: postgres
-      POSTGRES_PASSWORD: postgres
-
-  keycloak:
-    image: jboss/keycloak:12.0.4
-    ports:
-      - 8080:8080
-
-    environment:
-      DB_VENDOR: postgres
-      DB_ADDR: postgres
-      DB_DATABASE: postgres
-      DB_USER: postgres
-      DB_SCHEMA: public
-      DB_PASSWORD: postgres
-
-      KEYCLOAK_USER: admin
-      KEYCLOAK_PASSWORD: password

tests/integration/targets/keycloak_client/tasks/main.yml

@@ -2,58 +2,78 @@
 # Copyright (c) Ansible Project
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
+- name: Wait for Keycloak
+  uri:
+    url: "{{ url }}/admin/"
+    status_code: 200
+    validate_certs: no
+  register: result
+  until: result.status == 200
+  retries: 10
+  delay: 10
 
 - name: Delete realm
-  community.general.keycloak_realm: "{{ auth_args | combine(call_args) }}"
+  community.general.keycloak_realm:
-  vars:
+    auth_keycloak_url: "{{ url }}"
-    call_args:
+    auth_realm: "{{ admin_realm }}"
-      id: "{{ realm }}"
+    auth_username: "{{ admin_user }}"
-      realm: "{{ realm }}"
+    auth_password: "{{ admin_password }}"
-      state: absent
+    id: "{{ realm }}"
+    realm: "{{ realm }}"
+    state: absent
 
 - name: Create realm
-  community.general.keycloak_realm: "{{ auth_args | combine(call_args) }}"
+  community.general.keycloak_realm:
-  vars:
+    auth_keycloak_url: "{{ url }}"
-    call_args:
+    auth_realm: "{{ admin_realm }}"
-      id: "{{ realm }}"
+    auth_username: "{{ admin_user }}"
-      realm: "{{ realm }}"
+    auth_password: "{{ admin_password }}"
-      state: present
+    id: "{{ realm }}"
+    realm: "{{ realm }}"
+    state: present
 
 - name: Desire client
-  community.general.keycloak_client: "{{ auth_args | combine(call_args) }}"
+  community.general.keycloak_client:
-  vars:
+    auth_keycloak_url: "{{ url }}"
-    call_args:
+    auth_realm: "{{ admin_realm }}"
-      realm: "{{ realm }}"
+    auth_username: "{{ admin_user }}"
-      client_id: "{{ client_id }}"
+    auth_password: "{{ admin_password }}"
-      state: present
+    realm: "{{ realm }}"
-      redirect_uris: '{{redirect_uris1}}'
+    client_id: "{{ client_id }}"
-      attributes: '{{client_attributes1}}'
+    state: present
-      protocol_mappers: '{{protocol_mappers1}}'
+    redirect_uris: '{{redirect_uris1}}'
+    attributes: '{{client_attributes1}}'
+    protocol_mappers: '{{protocol_mappers1}}'
   register: desire_client_not_present
 
 - name: Desire client again with same props
-  community.general.keycloak_client: "{{ auth_args | combine(call_args) }}"
+  community.general.keycloak_client:
-  vars:
+    auth_keycloak_url: "{{ url }}"
-    call_args:
+    auth_realm: "{{ admin_realm }}"
-      realm: "{{ realm }}"
+    auth_username: "{{ admin_user }}"
-      client_id: "{{ client_id }}"
+    auth_password: "{{ admin_password }}"
-      state: present
+    realm: "{{ realm }}"
-      redirect_uris: '{{redirect_uris1}}'
+    client_id: "{{ client_id }}"
-      attributes: '{{client_attributes1}}'
+    state: present
-      protocol_mappers: '{{protocol_mappers1}}'
+    redirect_uris: '{{redirect_uris1}}'
+    attributes: '{{client_attributes1}}'
+    protocol_mappers: '{{protocol_mappers1}}'
   register: desire_client_when_present_and_same
 
 - name: Check client again with same props
-  community.general.keycloak_client: "{{ auth_args | combine(call_args) }}"
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    state: present
+    redirect_uris: '{{redirect_uris1}}'
+    attributes: '{{client_attributes1}}'
+    protocol_mappers: '{{protocol_mappers1}}'
+    authorization_services_enabled: False
   check_mode: true
-  vars:
-    call_args:
-      realm: "{{ realm }}"
-      client_id: "{{ client_id }}"
-      state: present
-      redirect_uris: '{{redirect_uris1}}'
-      attributes: '{{client_attributes1}}'
-      protocol_mappers: '{{protocol_mappers1}}'
   register: check_client_when_present_and_same
 
 - name: Assert changes not detected in last two tasks (desire when same, and check)
@@ -61,3 +81,25 @@
     that:
       - desire_client_when_present_and_same is not changed
       - check_client_when_present_and_same is not changed
+
+- name: Check client again with changed props
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    state: present
+    redirect_uris: '{{redirect_uris1}}'
+    attributes: '{{client_attributes1}}'
+    protocol_mappers: '{{protocol_mappers1}}'
+    authorization_services_enabled: False
+    service_accounts_enabled: True
+  check_mode: true
+  register: check_client_when_present_and_changed
+
+- name: Assert changes detected in last tasks
+  assert:
+    that:
+      - check_client_when_present_and_changed is changed

tests/integration/targets/keycloak_client/vars/main.yml

@@ -24,7 +24,7 @@ redirect_uris1:
   - "http://example.b.com/"
   - "http://example.a.com/"
 
-client_attributes1: {"backchannel.logout.session.required": true, "backchannel.logout.revoke.offline.tokens": false}
+client_attributes1: {"backchannel.logout.session.required": true, "backchannel.logout.revoke.offline.tokens": false, "client.secret.creation.time": 0}
 
 protocol_mappers1:
   - name: 'email'