keycloak_user_rolemapping: handle None response for client role lookup (#11471)
* fix(keycloak_user_rolemapping): handle None response for client role lookup
When adding a client role to a user who has no existing roles for that
client, get_client_user_rolemapping_by_id() returns None. The existing
code indexed directly into the result causing a TypeError. Add the same
None check that already existed for realm roles since PR #11256.
Fixes#10960
* fix(tests): use dict format for task vars in keycloak_user_rolemapping tests
Task-level vars requires a YAML mapping, not a sequence. The leading
dash (- roles:) produced a list instead of a dict, which ansible-core
2.20 rejects with "Vars in a Task must be specified as a dictionary".
* Update changelogs/fragments/keycloak-user-rolemapping-client-none-check.yml
---------
(cherry picked from commit 34938ca1ef)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_realm_key: add full support for all Keycloak key providers (#11468)
* feat(keycloak_realm_key): add support for auto-generated key providers
Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:
- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys
New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)
New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)
Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated
Fixes: #11459
* fix: address sanity test failures
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
* feat(keycloak_realm_key): extend support for all Keycloak key providers
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)
Changes:
- Add provider-specific elliptic curve config key mapping
(ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers
This completes full coverage of all Keycloak key provider types.
* style: apply ruff formatting
* feat(keycloak_realm_key): add java-keystore provider and update_password
Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.
Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
passwords when updating (enables idempotent playbooks)
The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.
Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.
Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.
* address PR review feedback
- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)
* address review feedback from russoz and felixfontein
- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead
* address round 2 review feedback
- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params
(cherry picked from commit 80d21f2a0d)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
keycloak_realm_localization: new module - realm localization control (#10841)
* add support for management of keycloak localizations
* unit test for keycloak localization support
* keycloak_realm_localization botmeta record
* rev: improvements after code review
(cherry picked from commit 986118c0af)
Co-authored-by: Jakub Danek <danekja@users.noreply.github.com>
seport: Add support for dccp and sctp protocols (#11486)
Support for dccp and sctp protocols were added to SELinux userspace
python libraries in 3.0 version release in November 2019.
(cherry picked from commit c05c31334b)
Co-authored-by: Petr Lautrbach <lautrbach@redhat.com>
maven_artifact: resolve SNAPSHOT to latest using snapshot metadata block (#11501)
* fix(maven_artifact): resolve SNAPSHOT to latest using snapshot metadata block
Prefer the <snapshot> block (timestamp + buildNumber) from maven-metadata.xml
which always points to the latest build, instead of scanning <snapshotVersions>
and returning on the first match. Repositories like GitHub Packages keep all
historical entries in <snapshotVersions> (oldest first), causing the module to
resolve to the oldest snapshot instead of the latest.
Fixes#5117Fixes#11489
* fix(maven_artifact): address review feedback
- Check both timestamp and buildNumber before using snapshot block,
preventing IndexError when buildNumber is missing
- Remove unreliable snapshotVersions scanning fallback; use literal
-SNAPSHOT version for non-unique snapshot repos instead
- Add tests for incomplete snapshot block and non-SNAPSHOT versions
* fix(maven_artifact): restore snapshotVersions scanning with last-match
Restore <snapshotVersions> scanning as primary resolution (needed for
per-extension accuracy per MNG-5459), but collect the last match instead
of returning on the first. Fall back to <snapshot> block when no
<snapshotVersions> match is found, then to literal -SNAPSHOT version.
* docs: update changelog fragment to match final implementation
* fix(maven_artifact): use updated timestamp for snapshot resolution
Use the <updated> attribute to select the newest snapshotVersion entry
instead of relying on list order. This works independently of how the
repository manager sorts entries in maven-metadata.xml.
Also fix test docstring and update changelog fragment per reviewer
feedback.
* test(maven_artifact): shuffle entries to verify updated timestamp sorting
Reorder snapshotVersion entries so the newest JAR is in the middle,
not at the end. This ensures the test actually validates that resolution
uses the <updated> timestamp rather than relying on list position.
(cherry picked from commit ed7ccbe3d4)
Co-authored-by: Adam R. <ariwk@protonmail.com>
keycloak_identity_provider: add claims example for oidc-advanced-group-idp-mapper (#11500)
Add claims example for oidc-advanced-group-idp-mapper
For me it wasn't clear how to create claims using oidc-advanced-group-idp-mapper, perhaps other people can benefit from the following example.
(cherry picked from commit c9313af971)
Co-authored-by: David Filipe <68902816+daveopz@users.noreply.github.com>
python_requirements_info: use importlib.metadata when available (#11495)
Use importlib.metadata when available.
(cherry picked from commit 88adca3fb4)
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_client: add valid_post_logout_redirect_uris and backchannel_logout_url (#11473)
* feat(keycloak_client): add valid_post_logout_redirect_uris and backchannel_logout_url
Add two new convenience parameters that map to client attributes:
- valid_post_logout_redirect_uris: sets post.logout.redirect.uris
attribute (list items joined with ##)
- backchannel_logout_url: sets backchannel.logout.url attribute
These fields are not top-level in the Keycloak REST API but are stored
as client attributes. The new parameters provide a user-friendly
interface without requiring users to know the internal attribute names
and ##-separator format.
Fixes#6812, fixes#4892
* consolidate changelog and add PR link per review feedback
(cherry picked from commit df6d6269a6)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
community.general.copr: clarify includepkgs/excludepkgs (#11464)
At first glance, includepkgs seems to be something that would install
the package name from the given copr repo. This isn't helped by the
example that says "Install caddy" which very much looks like it is
installing the package from the repo. Not only did I, a human,
hallucinate this behaviour, so did a large search engine's AI
responses to related queries.
In fact these are labels to vary what packages DNF sees. Clarify this
by using wording and examples closer to the upstream documentation [1]
[1] https://dnf.readthedocs.io/en/latest/conf_ref.html
(cherry picked from commit 8b0ce3e28f)
Co-authored-by: Ian Wienand <ian@wienand.org>
keycloak_realm_key: handle missing config fields for default keys (#11470)
* fix(keycloak_realm_key): handle missing config fields for default keys
Keycloak API may not return 'active', 'enabled', or 'algorithm' fields
in the config response for default/auto-generated realm keys. This caused
a KeyError when the module tried to compare these fields during state
detection.
Use .get() with the expected value as default to handle missing fields
gracefully, treating them as unchanged if not present in the API response.
Fixes: #11459
* add PR link to changelog entry per review feedback
(cherry picked from commit 106817316d)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
keycloak_client: remove id's as change from diff for protocol mappers (#11454)
* 11453 remove id's as change from diff for protocol mappers
* Update changelogs/fragments/11453-keycloak-client-protocol-mapper-ids.yml
---------
(cherry picked from commit b236772e57)
Co-authored-by: Simon Moosbrugger <707958+simonmoosbrugger@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
fix gem module compatibility with ruby-4-rubygems (#11442)
* fix gem module compatibility with ruby-4-rubygems
rubygem's `query` command has recently been removed, see ruby/rubygems#9083.
address this by using the `list` command instead.
resolves#11397
* add changelog
* Adjust changelog fragment.
---------
(cherry picked from commit 72220a2b15)
Co-authored-by: glaszig <mail+github@glasz.org>
Co-authored-by: Felix Fontein <felix@fontein.de>
Logstash plugin version fix (#11440)
* logstash_plugin: fix argument order when using version parameter
* logstash_plugin: add integration tests
* logstash_plugin: add changelog fragment
(cherry picked from commit 53e1e86bcc)
Co-authored-by: Nicolas Boutet <amd3002@gmail.com>
Adding 'project' parameter to Scaleway IP module. (#11368)
* Adding 'project' parameter to Scaleway IP module.
* Adding changelog fragment.
* Incrementing version.
* Updating docs to show both org and project ID options.
* Moving deprecated example to the end.
---------
(cherry picked from commit aada864718)
Co-authored-by: Greg Harvey <greg.harvey@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Adding 'project' parameter support for the Scaleway SG module. (#11366)
* Adding 'project' parameter support for the Scaleway SG module.
* Adding changelog fragment.
* Fixing documentation, organization is deprecated (although still available).
* Updating docs to show both org and project ID options.
* Incrementing version.
* Moving deprecated example to the end.
---------
(cherry picked from commit c0df366471)
Co-authored-by: Greg Harvey <greg.harvey@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
nsupdate: add server FQDN and GSS-TSIG support (#11425)
* nsupdate: support server FQDN
Right now, the server has to be specified as an IPv4/IPv6 address. This
adds support for specifing the server as a FQDN as well.
* nsupdate: support GSS-TSIG/Kerberos
Add support for GSS-TSIG (Kerberos) keys to nsupdate. This makes life
easier when working with Windows DNS servers or Bind in a Kerberos
environment.
Inspiration taken from here:
https://github.com/rthalley/dnspython/pull/530#issuecomment-1363265732Closes: #5730
* nsupdate: introduce query helper function
This simplifies the code by moving the protocol checks, etc, into a
single place.
* nsupdate: try all server IP addresses
Change resolve_server() to generate a list of IPv[46] addresses, then
try all of them in a round-robin fashion in query().
* nsupdate: some more cleanups
As suggested in the PR review.
* nsupdate: apply suggestions from code review
---------
(cherry picked from commit 9fcd9338b1)
Co-authored-by: David Härdeman <david@hardeman.nu>
Co-authored-by: Felix Fontein <felix@fontein.de>
move imports from functions to the top of the file (#11396)
* move imports from functions to the top of the file
* add changelog frag
* Apply suggestions from code review
---------
(cherry picked from commit c8356981bb)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Support diff mode for netcup-dns module (#11376)
* support diff mode for netcup-dns module
* Fix issue with yaml encoding after testing
* Add changelog fragment
* Fixed: proper and robust yaml import
* Remove need for yaml import
* Show whole zone in diff for context
* Update changelogs/fragments/11376-netcup-dns-diff-mode.yml
* Update plugins/modules/netcup_dns.py
---------
(cherry picked from commit 75234597bc)
Co-authored-by: mqus <8398165+mqus@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
cloudflare_dns: also allow 128 as a value for flag (#11377)
* Also allow 128 as a value for flag.
* Forgot to add changelog fragment.
(cherry picked from commit c00fb4fb5c)
Co-authored-by: Felix Fontein <felix@fontein.de>
Add support for multiple managers to get_manager_attributes command in idrac_redfish_info module (#11301)
* Update get_manager_attributes method to support systems with multiple managers present
Fixes https://github.com/ansible-collections/community.general/issues/11294
* Add changelog fragment
Pre-define reponse for get_manager_attributes method
* Update changelogs/fragments/11301-idrac-info-multi-manager.yml
Update per suggestion!
* Update plugins/modules/idrac_redfish_info.py
Remove extra manager quantity check
---------
(cherry picked from commit 13035e2a2c)
Co-authored-by: Scott Seekamp <13857911+sseekamp@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
fix: listen_ports_facts return no facts when using with podman (#11332)
* fix: listen_ports_facts return no facts when using with podman
* Update changelogs/fragments/listen-ports-facts-return-no-facts.yml
---------
(cherry picked from commit 280d269d78)
Co-authored-by: Daniel Gonçalves <dangoncalves@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
add sssd_info module (#11120)
* add sssd_info module
* fix f-stings and remove support python2
* fix imports custom lib
* fix whitespace and add missing_required_lib
* fix str and add version
* try add mock test
* fix module and mock tests check
* fix required in main module
* fix spaces
* fix linters
* add final newline
* fix version of module
* fix description and error handling
* swap literal to dict
* fix str
* remove comment in methods
* remove _get in methods
* fix name method in test
* add botmeta
* fix description of server_type
* fix name of maintainer
* remove choices
* fix author
* fix type hint
* fix result
* fix spaces
* fix choices and empty returns
* fix mypy test result
* fix result
* run andebox yaml-doc
* remake simple try/exc for result
* fix tests
* add any type for testing mypy
* ruff formated
* fix docs
* remove unittest.main
* rename acc on git for official name
---------
(cherry picked from commit 61b559c4fd)
Co-authored-by: Aleksandr Gabidullin <101321307+a-gabidullin@users.noreply.github.com>
Co-authored-by: Александр Габидуллин <agabidullin@astralinux.ru>
Add support for missing validations in keycloak_userprofile (#11285)
* add missing validations-parameters as config options and add documentation for them; fixes https://github.com/ansible-collections/community.general/issues/9048
* fix parameter names
* extend unit tests
* support for camel casing for new validations and add changelog fragment
* Fix fragment format
* add 'version_added' documentation
* Update changelogs/fragments/11285-extended-keycloak-user-profile-validations.yml
mention fixed issue in fragment
* fix ruff formatting
---------
(cherry picked from commit a55884c921)
Co-authored-by: nwintering <33374766+nwintering@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Fix typo in auth_username in examples (#11295)
(cherry picked from commit a5aec7d61a)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
keycloak_authentication_required_actions: fix examples (#11284)
The correct parameter name is "required_actions" (plural).
(cherry picked from commit df34945991)
Co-authored-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>
use FQCN for extending docs with files and url (#11277)
* use FQCN for extending docs with files and url
* remove typo
(cherry picked from commit 1b15e595e0)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
