* fix(keycloak_user_rolemapping): handle None response for client role lookup
When adding a client role to a user who has no existing roles for that
client, get_client_user_rolemapping_by_id() returns None. The existing
code indexed directly into the result causing a TypeError. Add the same
None check that already existed for realm roles since PR #11256.
Fixes#10960
* fix(tests): use dict format for task vars in keycloak_user_rolemapping tests
Task-level vars requires a YAML mapping, not a sequence. The leading
dash (- roles:) produced a list instead of a dict, which ansible-core
2.20 rejects with "Vars in a Task must be specified as a dictionary".
* Update changelogs/fragments/keycloak-user-rolemapping-client-none-check.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* feat(keycloak_realm_key): add support for auto-generated key providers
Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:
- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys
New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)
New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)
Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated
Fixes: #11459
* fix: address sanity test failures
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
* feat(keycloak_realm_key): extend support for all Keycloak key providers
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)
Changes:
- Add provider-specific elliptic curve config key mapping
(ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers
This completes full coverage of all Keycloak key provider types.
* style: apply ruff formatting
* feat(keycloak_realm_key): add java-keystore provider and update_password
Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.
Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
passwords when updating (enables idempotent playbooks)
The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.
Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.
Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.
* address PR review feedback
- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)
* address review feedback from russoz and felixfontein
- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead
* address round 2 review feedback
- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params
* ModuleHelper: ensure compatibility with `ModuleTestCase`.
This change allows to configure the `module_fails_on_exception` decorator by passing a tuple of exception types that should not be handled by the decorator itself. In the context of `ModuleTestCase`, use `(AnsibleExitJson, AnsibleFailJson)` to let them pass through the decorator without modification.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Another approach allowing user-defined exception types to pass through the decorator. When the decorator should have no arguments at all, we must hard code the name of the attribute that is looked up on self.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Approach that removes decorator parametrization and relies on an object/class variable named `unhandled_exceptions`.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* context manager implemented that allows to pass through some exception types
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Update changelogs/fragments/11488-mh-ensure-compatibiliy-with-module-tests.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Exception placeholder added
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
---------
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Updated get_group_by_name with a query based lookup for improved speed
* Add changelog fragment for keycloak group search optimization
* Address review feedback: update changelog text and reformat code with ruff
* improved changelog fragment
* Update changelogs/fragments/11503-keycloak-group-search-optimization.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix(maven_artifact): resolve SNAPSHOT to latest using snapshot metadata block
Prefer the <snapshot> block (timestamp + buildNumber) from maven-metadata.xml
which always points to the latest build, instead of scanning <snapshotVersions>
and returning on the first match. Repositories like GitHub Packages keep all
historical entries in <snapshotVersions> (oldest first), causing the module to
resolve to the oldest snapshot instead of the latest.
Fixes#5117Fixes#11489
* fix(maven_artifact): address review feedback
- Check both timestamp and buildNumber before using snapshot block,
preventing IndexError when buildNumber is missing
- Remove unreliable snapshotVersions scanning fallback; use literal
-SNAPSHOT version for non-unique snapshot repos instead
- Add tests for incomplete snapshot block and non-SNAPSHOT versions
* fix(maven_artifact): restore snapshotVersions scanning with last-match
Restore <snapshotVersions> scanning as primary resolution (needed for
per-extension accuracy per MNG-5459), but collect the last match instead
of returning on the first. Fall back to <snapshot> block when no
<snapshotVersions> match is found, then to literal -SNAPSHOT version.
* docs: update changelog fragment to match final implementation
* fix(maven_artifact): use updated timestamp for snapshot resolution
Use the <updated> attribute to select the newest snapshotVersion entry
instead of relying on list order. This works independently of how the
repository manager sorts entries in maven-metadata.xml.
Also fix test docstring and update changelog fragment per reviewer
feedback.
* test(maven_artifact): shuffle entries to verify updated timestamp sorting
Reorder snapshotVersion entries so the newest JAR is in the middle,
not at the end. This ensures the test actually validates that resolution
uses the <updated> timestamp rather than relying on list position.
* fix(keycloak_realm_key): handle missing config fields for default keys
Keycloak API may not return 'active', 'enabled', or 'algorithm' fields
in the config response for default/auto-generated realm keys. This caused
a KeyError when the module tried to compare these fields during state
detection.
Use .get() with the expected value as default to handle missing fields
gracefully, treating them as unchanged if not present in the API response.
Fixes: #11459
* add PR link to changelog entry per review feedback
* feat(keycloak_client): add valid_post_logout_redirect_uris and backchannel_logout_url
Add two new convenience parameters that map to client attributes:
- valid_post_logout_redirect_uris: sets post.logout.redirect.uris
attribute (list items joined with ##)
- backchannel_logout_url: sets backchannel.logout.url attribute
These fields are not top-level in the Keycloak REST API but are stored
as client attributes. The new parameters provide a user-friendly
interface without requiring users to know the internal attribute names
and ##-separator format.
Fixes#6812, fixes#4892
* consolidate changelog and add PR link per review feedback
* fix(keycloak): URL-encode query params for usernames with special chars
get_user_by_username() concatenates the username directly into the URL
query string. When the username contains a +, it is interpreted as a
space by the server, returning no match and causing a TypeError.
Use urllib.parse.quote() (already imported) for the username parameter.
Also replace three fragile .replace(' ', '%20') calls in the authz
search methods with proper quote() calls.
Fixes#10305
* Update changelogs/fragments/keycloak-url-encode-query-params.yml
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---------
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* 11453 remove id's as change from diff for protocol mappers
* Update changelogs/fragments/11453-keycloak-client-protocol-mapper-ids.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix gem module compatibility with ruby-4-rubygems
rubygem's `query` command has recently been removed, see ruby/rubygems#9083.
address this by using the `list` command instead.
resolves#11397
* add changelog
* Adjust changelog fragment.
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding 'project' parameter support for the Scaleway SG module.
* Adding changelog fragment.
* Fixing documentation, organization is deprecated (although still available).
* Updating docs to show both org and project ID options.
* Incrementing version.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Moving deprecated example to the end.
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding 'project' parameter to Scaleway IP module.
* Adding changelog fragment.
* Incrementing version.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Updating docs to show both org and project ID options.
* Moving deprecated example to the end.
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* nsupdate: support server FQDN
Right now, the server has to be specified as an IPv4/IPv6 address. This
adds support for specifing the server as a FQDN as well.
* nsupdate: support GSS-TSIG/Kerberos
Add support for GSS-TSIG (Kerberos) keys to nsupdate. This makes life
easier when working with Windows DNS servers or Bind in a Kerberos
environment.
Inspiration taken from here:
https://github.com/rthalley/dnspython/pull/530#issuecomment-1363265732Closes: #5730
* nsupdate: introduce query helper function
This simplifies the code by moving the protocol checks, etc, into a
single place.
* nsupdate: try all server IP addresses
Change resolve_server() to generate a list of IPv[46] addresses, then
try all of them in a round-robin fashion in query().
* nsupdate: some more cleanups
As suggested in the PR review.
* nsupdate: apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* feat(wsl): add option for wsl_shell_type, protect wsl arguments if SSH shell is Powershell
* docs(wsl): add changelog fragment
* docs(wsl): fix changelog fragment syntax, add issue link
Co-authored-by: Felix Fontein <felix@fontein.de>
* feat(wsl): improve new option documentation
Co-authored-by: Felix Fontein <felix@fontein.de>
* refactor(wsl): put integrasion test flag into a variable for convenience
* feat(wsl): rename option to wsl_remote_ssh_shell_type
* feat(wsl): escape "%" if shell is cmd, raise AnsibleError if powershell
* test(wsl): fix unit tests for wsl
- remove redundant check - moved to a separate function
- fix check for cmd escaping of "%"
- fix formatting / whitespace
* test(wsl): fix expected error message
* test(wsl): fix test - position of stop-parsing token changed
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* move imports from functions to the top of the file
* add changelog frag
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* support diff mode for netcup-dns module
* Fix issue with yaml encoding after testing
* Add changelog fragment
* Fixed: proper and robust yaml import
* Remove need for yaml import
* Show whole zone in diff for context
* Update changelogs/fragments/11376-netcup-dns-diff-mode.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/netcup_dns.py
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update get_manager_attributes method to support systems with multiple managers present
Fixes https://github.com/ansible-collections/community.general/issues/11294
* Add changelog fragment
Pre-define reponse for get_manager_attributes method
* Update changelogs/fragments/11301-idrac-info-multi-manager.yml
Update per suggestion!
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/idrac_redfish_info.py
Remove extra manager quantity check
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding scw_profile parameter to Scaleway module utilities.
* Setting param name to profile for consistency and adding scw_profile as an alias.
* Adding changelog fragment.
* Forgot to import 'os' library.
* Type in variable type for Scaleway profile.
* Also forgot to include the yaml library, code taking from plugins/inventory/scaleway.py.
* Adding default 'profile' value of empty string and changing check to a length check.
* Treated wrong variable, checking XDG_CONFIG_HOME is a string.
* Explicitly setting default of environment path vars to empty strings instead of None.
* Letting ruff reformat the dict for 'profile'.
* Changes from code review.
* Fixing ruff formatting issue with error message.
* Properly catching PyYAML import issues.
* Adding PyYAML requirement when 'profile' is used.
* Ruff wants an extra line after the PyYAML import code.
* Fixing PyYAML dependency code as per review.
* Removing extraneous var declaration.
* Moving SCW_CONFIG loading to a function.
* Fixing type errors with os.getenv calls.
* Cannot send None to os.path.exists() or open().
* Oops, inversed logic!
* Setting os.getenv() default to empty string so it is never None.
Co-authored-by: Felix Fontein <felix@fontein.de>
* None check no longer needed as scw_config_path is never None.
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding support for the Scaleway SCW_PROFILE environment variable.
* Adding changelog fragment.
* Adding documentation for the environment variable.
* Adding SCW_PROFILE as a proper environment variable via the DOCUMENTATION block.
* Updating changelog fragment.
* fix: listen_ports_facts return no facts when using with podman
* Update changelogs/fragments/listen-ports-facts-return-no-facts.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* add missing validations-parameters as config options and add documentation for them; fixes https://github.com/ansible-collections/community.general/issues/9048
* fix parameter names
* extend unit tests
* support for camel casing for new validations and add changelog fragment
* Fix fragment format
* add 'version_added' documentation
* Update changelogs/fragments/11285-extended-keycloak-user-profile-validations.yml
mention fixed issue in fragment
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix ruff formatting
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* add monit version to successful exit
* install the standard monit - if 5.34, then bail out
* add 3sec wait after service restart
- that restart happens exactly before the task receiving the SIGTERM, so maybe, just maybe, it just needs time to get ready for the party
* wait for monit initialisation after restart
* monit tests: check service-specific status in readiness wait
The wait task was checking 'monit status' (general), but the actual
failing command is 'monit status -B httpd_echo' (service-specific).
This causes a race where general status succeeds but service queries
fail. Update to check the exact command format that will be used.
* monit tests: remove 5.34.x version restriction
The version restriction was based on incorrect diagnosis. The actual
issue was the readiness check validating general status instead of
service-specific queries. Now that we check the correct command
format, the tests should work across all monit versions.
* monit tests: add stabilization delay after readiness check
After the readiness check succeeds, add a 1-second pause before
running actual tests. Monit 5.34.x and 5.35 appear to have a
concurrency issue where rapid successive 'monit status -B' calls
can cause hangs even though the first call succeeds.
* monit tests: add retry logic for state changes to handle monit daemon hangs
Monit daemon has an intermittent concurrency bug across versions 5.27-5.35
where 'monit status -B' commands can hang (receiving SIGTERM) even after
the daemon has successfully responded to previous queries. This appears
to be a monit daemon issue, not a timing problem.
Add retry logic with 2-second delays to the state change task to work
around these intermittent hangs. Skip retries if the failure is not
SIGTERM (rc=-15) to avoid masking real errors.
* monit tests: capture and display monit.log for debugging
Add tasks in the always block to capture and display the monit log file.
This will help diagnose the intermittent hanging issues by showing what
monit daemon was doing when 'monit status -B' commands hang.
* monit tests: enable verbose logging (-v flag)
Modify the monit systemd service to start with -v flag for verbose
logging. This should provide more detailed information in the monit
log about what's happening when status commands hang.
* monit: add 0.5s delay after state change command
After extensive testing and analysis with verbose logging enabled, identified
that monit's HTTP interface can become temporarily unresponsive immediately
after processing state change commands (stop, start, restart, etc.).
This manifests as intermittent SIGTERM (rc=-15) failures when the module
calls 'monit status -B <service>' to verify the state change. The issue
affects all monit versions tested (5.27-5.35) and is intermittent, suggesting
a race condition or brief lock in monit's HTTP request handling.
Verbose logging confirmed:
- State change commands complete successfully
- HTTP server reports as 'started'
- But subsequent status checks can hang without any log entry
Adding a 0.5 second sleep after sending state change commands gives the
monit daemon time to fully process the command and become responsive again
before the first status verification check.
This complements the existing readiness check after daemon restart and
the retry logic for SIGTERM failures in the tests.
* tests(monit): remove workarounds after module race condition fix
After 10+ successful CI runs with no SIGTERM failures, removing test-level
workarounds that are now redundant due to the 0.5s delay fix in the module:
- Remove 1-second stabilization pause after daemon restart
The module's built-in 0.5s delay after state changes makes this unnecessary
- Remove retry logic for SIGTERM failures in state change tests
The race condition is now prevented at the module level
- Remove verbose logging setup and log capture
Verbose mode didn't log HTTP requests, so it didn't help diagnose the issue
and adds unnecessary overhead
Kept the readiness check with retries after daemon restart - still needed
to validate daemon is responsive after service restart (different scenario
than the state change race condition).
* restore tasks/main.yml
* monit tests: reduce readiness check retries from 60 to 10
After successful CI runs, observed that monit daemon becomes responsive
within 1-2 seconds after restart. The readiness check typically passes
on the first attempt.
Reducing from 60 retries (30s timeout) to 10 retries (5s timeout) is
more appropriate and allows tests to fail faster if something is
genuinely broken.
* add changelog frag
* Update changelogs/fragments/11255-monit-integrationtests.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
