Bugfix keycloak client do not report changes when there is none (#3610)

* KeycloakClientDiffBugs - Introduce test that passes. * KeycloakClientDiffBugs - Add test to show that checking of redirect_uri's fails. * KeycloakClientDiffBugs - (Fix1) Update so that checking of `redirectUris` no longer shows a change. * KeycloakClientDiffBugs - Add test to show that checking of attributes's fails (sorting issue) * KeycloakClientDiffBugs - (Fix2) Update so that checking of `attributes` no longer shows a change. * KeycloakClientDiffBugs - Add test to show that checking of protocol_mappers's fail * KeycloakClientDiffBugs - (Fix3) Update so that checking of `protocol_mappers` no longer shows a change when there is none. * Introduce code fragment. * Update the changelog to be based on the PR instead of the issue. * Fix the readme * Fix yaml indentation. * Fix pep8 * Update changelogs/fragments/3610-fix-keycloak-client-diff-bugs-when-sorting.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update changelogs/fragments/3610-fix-keycloak-client-diff-bugs-when-sorting.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/identity/keycloak/keycloak_client.py Co-authored-by: Felix Fontein <felix@fontein.de> * Remove need for .copy() after making normalise_cr not mutate the dict. Co-authored-by: Pierre Dumuid <pierre@knowyourdata.com.au> Co-authored-by: Felix Fontein <felix@fontein.de>
2025-05-25 10:29:09 -07:00 · 2021-10-30 16:48:31 +10:30 · 2021-10-30 16:48:31 +10:30 · ca5a2b291a
commit ca5a2b291a
parent 38e0d97c8b
6 changed files with 191 additions and 4 deletions
--- a/plugins/modules/identity/keycloak/keycloak_client.py
+++ b/plugins/modules/identity/keycloak/keycloak_client.py
@ -685,6 +685,36 @@ from ansible_collections.community.general.plugins.module_utils.identity.keycloa
 from ansible.module_utils.basic import AnsibleModule


+def normalise_cr(clientrep, remove_ids=False):
+    """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the
+    the change detection is more effective.
+
+    :param clientrep: the clientrep dict to be sanitized
+    :param remove_ids: If set to true, then the unique ID's of objects is removed to make the diff and checks for changed
+                       not alert when the ID's of objects are not usually known, (e.g. for protocol_mappers)
+    :return: normalised clientrep dict
+    """
+    # Avoid the dict passed in to be modified
+    clientrep = clientrep.copy()
+
+    if 'attributes' in clientrep:
+        clientrep['attributes'] = list(sorted(clientrep['attributes']))
+
+    if 'redirectUris' in clientrep:
+        clientrep['redirectUris'] = list(sorted(clientrep['redirectUris']))
+
+    if 'protocolMappers' in clientrep:
+        clientrep['protocolMappers'] = sorted(clientrep['protocolMappers'], key=lambda x: (x.get('name'), x.get('protocol'), x.get('protocolMapper')))
+        for mapper in clientrep['protocolMappers']:
+            if remove_ids:
+                mapper.pop('id', None)
+
+            # Set to a default value.
+            mapper['consentRequired'] = mapper.get('consentRequired', False)
+
+    return clientrep
+
+
 def sanitize_cr(clientrep):
    """ Removes probably sensitive details from a client representation.

@ -697,7 +727,7 @@ def sanitize_cr(clientrep):
    if 'attributes' in result:
        if 'saml.signing.private.key' in result['attributes']:
            result['attributes']['saml.signing.private.key'] = 'no_log'
-    return result
+    return normalise_cr(result)


 def main():
@ -865,10 +895,12 @@ def main():

            if module.check_mode:
                # We can only compare the current client with the proposed updates we have
+                before_norm = normalise_cr(before_client, remove_ids=True)
+                desired_norm = normalise_cr(desired_client, remove_ids=True)
                if module._diff:
-                    result['diff'] = dict(before=sanitize_cr(before_client),
-                                          after=sanitize_cr(desired_client))
-                result['changed'] = (before_client != desired_client)
+                    result['diff'] = dict(before=sanitize_cr(before_norm),
+                                          after=sanitize_cr(desired_norm))
+                result['changed'] = (before_norm != desired_norm)

                module.exit_json(**result)