diff --git a/changelogs/fragments/5619-keycloak-improvements.yml b/changelogs/fragments/5619-keycloak-improvements.yml new file mode 100644 index 0000000000..2e5a739dad --- /dev/null +++ b/changelogs/fragments/5619-keycloak-improvements.yml @@ -0,0 +1,3 @@ +bugfixes: + - "keycloak_client_rolemapping - remove only listed mappings with ``state=absent`` (https://github.com/ansible-collections/community.general/pull/5619)." + - "keycloak_client_rolemapping - calculate ``proposed`` and ``after`` return values properly (https://github.com/ansible-collections/community.general/pull/5619)." diff --git a/plugins/module_utils/identity/keycloak/keycloak.py b/plugins/module_utils/identity/keycloak/keycloak.py index 87b2120318..09b22b7561 100644 --- a/plugins/module_utils/identity/keycloak/keycloak.py +++ b/plugins/module_utils/identity/keycloak/keycloak.py @@ -608,7 +608,7 @@ class KeycloakAPI(object): """ available_rolemappings_url = URL_CLIENT_GROUP_ROLEMAPPINGS.format(url=self.baseurl, realm=realm, id=gid, client=cid) try: - open_url(available_rolemappings_url, method="DELETE", http_agent=self.http_agent, headers=self.restheaders, + open_url(available_rolemappings_url, method="DELETE", http_agent=self.http_agent, headers=self.restheaders, data=json.dumps(role_rep), validate_certs=self.validate_certs, timeout=self.connection_timeout) except Exception as e: self.module.fail_json(msg="Could not delete available rolemappings for client %s in group %s, realm %s: %s" diff --git a/plugins/modules/keycloak_client_rolemapping.py b/plugins/modules/keycloak_client_rolemapping.py index 4f1f9b0d0f..f0da97ef59 100644 --- a/plugins/modules/keycloak_client_rolemapping.py +++ b/plugins/modules/keycloak_client_rolemapping.py @@ -295,7 +295,7 @@ def main(): assigned_roles_before = kc.get_client_group_composite_rolemappings(gid, cid, realm=realm) result['existing'] = assigned_roles_before - result['proposed'] = roles + result['proposed'] = list(assigned_roles_before) if assigned_roles_before else [] update_roles = [] for role_index, role in enumerate(roles, start=0): @@ -307,6 +307,7 @@ def main(): 'id': role['id'], 'name': role['name'], }) + result['proposed'].append(available_role) # Fetch roles to remove if state absent else: for assigned_role in assigned_roles_before: @@ -315,13 +316,15 @@ def main(): 'id': role['id'], 'name': role['name'], }) + if assigned_role in result['proposed']: # Handle double removal + result['proposed'].remove(assigned_role) if len(update_roles): if state == 'present': # Assign roles result['changed'] = True if module._diff: - result['diff'] = dict(before=assigned_roles_before, after=update_roles) + result['diff'] = dict(before=assigned_roles_before, after=result['proposed']) if module.check_mode: module.exit_json(**result) kc.add_group_rolemapping(gid, cid, update_roles, realm=realm) @@ -333,7 +336,7 @@ def main(): # Remove mapping of role result['changed'] = True if module._diff: - result['diff'] = dict(before=assigned_roles_before, after=update_roles) + result['diff'] = dict(before=assigned_roles_before, after=result['proposed']) if module.check_mode: module.exit_json(**result) kc.delete_group_rolemapping(gid, cid, update_roles, realm=realm) @@ -344,7 +347,7 @@ def main(): # Do nothing else: result['changed'] = False - result['msg'] = 'Nothing to do, roles %s are correctly mapped with group %s.' % (roles, group_name) + result['msg'] = 'Nothing to do, roles %s are %s with group %s.' % (roles, 'mapped' if state == 'present' else 'not mapped', group_name) module.exit_json(**result)