Add a module to set the keycloak client scope type (#6322)

The module keycloak_clientscope_type allows to set the client scope types (optional/default) either on realm or client level.
2025-07-08 14:20:04 -07:00 · 2023-04-22 22:55:46 +02:00 · 2023-04-22 22:55:46 +02:00 · 1f2c7b1731
commit 1f2c7b1731
parent f4dd4d5ace
7 changed files with 629 additions and 0 deletions
--- a/tests/integration/targets/keycloak_clientscope_type/README.md
+++ b/tests/integration/targets/keycloak_clientscope_type/README.md
@ -0,0 +1,16 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
+The integration test can be performed as follows:
+
+```
+# 1. Start docker-compose:
+docker-compose -f tests/integration/targets/keycloak_clientscope_type/docker-compose.yml down
+docker-compose -f tests/integration/targets/keycloak_clientscope_type/docker-compose.yml up -d
+
+# 2. Run the integration tests:
+ansible-test integration keycloak_clientscope_type --allow-unsupported -v
+```
--- a/tests/integration/targets/keycloak_clientscope_type/docker-compose.yml
+++ b/tests/integration/targets/keycloak_clientscope_type/docker-compose.yml
@ -0,0 +1,16 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: '3.4'
+
+services:
+  keycloak:
+    image: quay.io/keycloak/keycloak:21.0.2
+    ports:
+      - 8080:8080
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: password
+    command: start-dev
--- a/tests/integration/targets/keycloak_clientscope_type/tasks/main.yml
+++ b/tests/integration/targets/keycloak_clientscope_type/tasks/main.yml
@ -0,0 +1,164 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+# Fixtures
+- name: Create keycloak realm
+  community.general.keycloak_realm:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    id: ""
+    state: present
+    enabled: true
+
+- name: Create keycloak client
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    state: present
+    enabled: true
+
+- name: Create a scope1 client scope
+  community.general.keycloak_clientscope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    name: scope1
+    description: "test 1"
+    protocol: openid-connect
+
+- name: Create a scope2 client scope
+  community.general.keycloak_clientscope:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    name: scope2
+    description: "test 2"
+    protocol: openid-connect
+
+### Tests
+### Realm
+- name: adjust client-scope types in realm
+  community.general.keycloak_clientscope_type:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    default_clientscopes: ['scope1', 'scope2']
+    optional_clientscopes: []
+  register: result
+
+- name: Assert that client scope types are set
+  assert:
+    that:
+      - result is changed
+      - result.end_state != {}
+      - '"scope1" in result.end_state.default_clientscopes'
+      - '"scope2" in result.end_state.default_clientscopes'
+      - result.end_state.default_clientscopes|length == 2
+      - result.end_state.optional_clientscopes|length == 0
+
+- name: adjust client-scope types in realm again
+  community.general.keycloak_clientscope_type:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    default_clientscopes: ['scope1', 'scope2']
+    optional_clientscopes: []
+  register: result
+  failed_when: result is changed
+
+- name: adjust client-scope types in realm move scope 2 to optional
+  community.general.keycloak_clientscope_type:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    default_clientscopes: ['scope1']
+    optional_clientscopes: ['scope2']
+  register: result
+
+- name: Assert that client scope types are set
+  assert:
+    that:
+      - result is changed
+      - result.end_state != {}
+      - '"scope1" in result.end_state.default_clientscopes'
+      - '"scope2" in result.end_state.optional_clientscopes'
+      - result.end_state.default_clientscopes|length == 1
+      - result.end_state.optional_clientscopes|length == 1
+
+### Client
+- name: adjust client-scope types in client
+  community.general.keycloak_clientscope_type:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    default_clientscopes: ['scope1', 'scope2']
+    optional_clientscopes: []
+  register: result
+
+- name: Assert that client scope types are set
+  assert:
+    that:
+      - result is changed
+      - result.end_state != {}
+      - '"scope1" in result.end_state.default_clientscopes'
+      - '"scope2" in result.end_state.default_clientscopes'
+      - result.end_state.default_clientscopes|length == 2
+      - result.end_state.optional_clientscopes|length == 0
+
+- name: adjust client-scope types in client again
+  community.general.keycloak_clientscope_type:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    default_clientscopes: ['scope1', 'scope2']
+    optional_clientscopes: []
+  register: result
+  failed_when: result is changed
+
+- name: adjust client-scope types in client move scope 2 to optional
+  community.general.keycloak_clientscope_type:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: "{{ client_id }}"
+    default_clientscopes: ['scope1']
+    optional_clientscopes: ['scope2']
+  register: result
+
+- name: Assert that client scope types are set
+  assert:
+    that:
+      - result is changed
+      - result.end_state != {}
+      - '"scope1" in result.end_state.default_clientscopes'
+      - '"scope2" in result.end_state.optional_clientscopes'
+      - result.end_state.default_clientscopes|length == 1
+      - result.end_state.optional_clientscopes|length == 1
--- a/tests/integration/targets/keycloak_clientscope_type/vars/main.yml
+++ b/tests/integration/targets/keycloak_clientscope_type/vars/main.yml
@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+url: http://localhost:8080
+admin_realm: master
+admin_user: admin
+admin_password: password
+realm: clientscope-type-realm
+client_id: clientscope-type-client