community.general/tests/integration/targets/keycloak_user_rolemapping/tasks/main.yml

# Copyright (c) 2022, Dušan Marković (@bratwurzt)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

- name: Create realm
  community.general.keycloak_realm:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    id: "{{ realm }}"
    realm: "{{ realm }}"
    state: present

- name: Create client
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    service_accounts_enabled: true
    state: present
  register: client

- name: Create new realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ description_1 }}"
    state: present

- name: Map a realm role to client service account
  vars:
    - roles: [ {'name': '{{ role }}'} ]
  community.general.keycloak_user_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    service_account_user_client_id: "{{ client_id }}"
    roles: "{{ roles }}"
    state: present
  register: result

- name: Assert realm role is assigned
  assert:
    that:
      - result is changed
      - result.end_state | selectattr("clientRole", "eq", false) | selectattr("name", "eq", "{{role}}") | list | count > 0

- name: Unmap a realm role from client service account
  vars:
    - roles: [ {'name': '{{ role }}'} ]
  community.general.keycloak_user_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    service_account_user_client_id: "{{ client_id }}"
    roles: "{{ roles }}"
    state: absent
  register: result

- name: Assert realm role is unassigned
  assert:
    that:
      - result is changed
      - (result.end_state | length) == (result.existing | length) - 1
      - result.existing | selectattr("clientRole", "eq", false) | selectattr("name", "eq", "{{role}}") | list | count > 0
      - result.end_state | selectattr("clientRole", "eq", false) | selectattr("name", "eq", "{{role}}") | list | count == 0

- name: Delete existing realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    state: absent

- name: Create new client role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    name: "{{ role }}"
    description: "{{ description_1 }}"
    state: present

- name: Map a client role to client service account
  vars:
    - roles: [ {'name': '{{ role }}'} ]
  community.general.keycloak_user_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    service_account_user_client_id: "{{ client_id }}"
    roles: "{{ roles }}"
    state: present
  register: result

- name: Assert client role is assigned
  assert:
    that:
      - result is changed
      - result.end_state | selectattr("clientRole", "eq", true) | selectattr("name", "eq", "{{role}}") | list | count > 0

- name: Unmap a client role from client service account
  vars:
    - roles: [ {'name': '{{ role }}'} ]
  community.general.keycloak_user_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    service_account_user_client_id: "{{ client_id }}"
    roles: "{{ roles }}"
    state: absent
  register: result

- name: Assert client role is unassigned
  assert:
    that:
      - result is changed
      - result.end_state == []
      - result.existing | selectattr("clientRole", "eq", true) | selectattr("name", "eq", "{{role}}") | list | count > 0