[PR #11471/34938ca1 backport][stable-12] keycloak_user_rolemapping: handle None response for client role lookup (#11522)

keycloak_user_rolemapping: handle None response for client role lookup (#11471)

* fix(keycloak_user_rolemapping): handle None response for client role lookup

When adding a client role to a user who has no existing roles for that
client, get_client_user_rolemapping_by_id() returns None. The existing
code indexed directly into the result causing a TypeError. Add the same
None check that already existed for realm roles since PR #11256.

Fixes #10960

* fix(tests): use dict format for task vars in keycloak_user_rolemapping tests

Task-level vars requires a YAML mapping, not a sequence. The leading
dash (- roles:) produced a list instead of a dict, which ansible-core
2.20 rejects with "Vars in a Task must be specified as a dictionary".

* Update changelogs/fragments/keycloak-user-rolemapping-client-none-check.yml



---------


(cherry picked from commit 34938ca1ef)

Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>

plugins/modules/keycloak_user_rolemapping.py

@@ -356,9 +356,9 @@ def main():
                     if role_rep is not None:
                         role["name"] = role_rep["name"]
                 else:
-                    role["name"] = kc.get_client_user_rolemapping_by_id(
-                        uid=uid, cid=cid, rid=role.get("id"), realm=realm
-                    )["name"]
+                    role_rep = kc.get_client_user_rolemapping_by_id(uid=uid, cid=cid, rid=role.get("id"), realm=realm)
+                    if role_rep is not None:
+                        role["name"] = role_rep["name"]
                 if role.get("name") is None:
                     module.fail_json(
                         msg=f"Could not fetch role {role.get('id')} for client_id {client_id} or realm {realm}"