[PR #11585/25b5655b backport][stable-12] keycloak_authentication_v2: verify providerIds (fix 11583) (#11619)

keycloak_authentication_v2: verify providerIds (fix 11583) (#11585)

* 11583 verify providerIds in keycloak_authentication_v2

* 11583 code cleanup

---------


(cherry picked from commit 25b5655be7)

Co-authored-by: thomasbargetz <thomas.bargetz@gmail.com>
Co-authored-by: Thomas Bargetz <thomas.bargetz@rise-world.com>

plugins/module_utils/identity/keycloak/keycloak.py

@@ -103,6 +103,7 @@ URL_REALM_GROUP_ROLEMAPPINGS = "{url}/admin/realms/{realm}/groups/{group}/role-m
 
 URL_CLIENTSECRET = "{url}/admin/realms/{realm}/clients/{id}/client-secret"
 
+URL_AUTHENTICATION_AUTHENTICATOR_PROVIDERS = "{url}/admin/realms/{realm}/authentication/authenticator-providers"
 URL_AUTHENTICATION_FLOWS = "{url}/admin/realms/{realm}/authentication/flows"
 URL_AUTHENTICATION_FLOW = "{url}/admin/realms/{realm}/authentication/flows/{id}"
 URL_AUTHENTICATION_FLOW_COPY = "{url}/admin/realms/{realm}/authentication/flows/{copyfrom}/copy"
@@ -2253,6 +2254,19 @@ class KeycloakAPI:
         except Exception as e:
             self.fail_request(e, msg=f"Unable to delete role {name} for client {clientid} in realm {realm}: {e}")
 
+    def get_authenticator_providers(self, realm: str = "master"):
+        """
+        Get all available authenticator providers of the realm.
+        :param realm: Realm.
+        :return: List of authenticator provider representations.
+        """
+        try:
+            return self._request_and_deserialize(
+                URL_AUTHENTICATION_AUTHENTICATOR_PROVIDERS.format(url=self.baseurl, realm=realm), method="GET"
+            )
+        except Exception as e:
+            self.fail_request(e, msg=f"Unable get authenticator providers in realm {realm}: {e}")
+
     def get_authentication_flow_by_alias(self, alias, realm: str = "master"):
         """
         Get an authentication flow by its alias

plugins/modules/keycloak_authentication_v2.py

@@ -810,6 +810,35 @@ def create_authentication_execution_spec_options(depth: int) -> dict[str, t.Any]
     return options
 
 
+def validate_executions(kc: KeycloakAPI, realm: str, executions: dict) -> None:
+    valid_providers = kc.get_authenticator_providers(realm)
+    valid_provider_ids = {provider["id"] for provider in valid_providers}
+
+    invalid_provider_ids = validate_executions_rec(valid_provider_ids, executions)
+    if len(invalid_provider_ids) > 0:
+        invalid_provider_ids_str = ", ".join(f"'{item}'" for item in invalid_provider_ids)
+        raise ValueError(
+            f"The following execution providerIds are unknown and therefore invalid: {invalid_provider_ids_str}"
+        )
+
+
+def validate_executions_rec(valid_provider_ids: set, executions: dict) -> list:
+    invalid_provider_ids = []
+    for execution in executions:
+        provider_id = execution["providerId"]
+        sub_flow = execution["subFlow"]
+        if provider_id is not None:
+            if provider_id not in valid_provider_ids:
+                invalid_provider_ids.append(provider_id)
+
+        if sub_flow is not None:
+            invalid_provider_ids.extend(
+                validate_executions_rec(valid_provider_ids, execution["authenticationExecutions"])
+            )
+
+    return invalid_provider_ids
+
+
 def main() -> None:
     """Module entry point."""
     argument_spec = keycloak_argument_spec()
@@ -869,6 +898,14 @@ def main() -> None:
         existing_auth_diff_repr = existing_auth_to_diff_repr(kc, realm, existing_auth)
 
     try:
+        try:
+            validate_executions(kc, realm, desired_auth["authenticationExecutions"])
+        except ValueError as e:
+            module.fail_json(
+                msg=f"Validation of executions failed: {e}",
+                exception=traceback.format_exc(),
+            )
+
         if not existing_auth:
             if state == "absent":
                 # The flow does not exist and is not required; nothing to do.