Fix keycloak_client_rolemapping role removal and diff (#5619)

* Keycloak: Fix client rolemapping removal

Keycloak's delete_group_rolemapping API wrapper didn't pass data about
the roles to remove to keycloak, resulting in removal of all roles.

Follow the intended behaviour and delete only the roles listed in the
module invocation.

Signed-off-by: Florian Achleitner <flo@fopen.at>

* Keycloak: Fix client_rolemapping diff

The module's diff output wrongly showed the changed roles list as
'after' state. This is obviously wrong for role removal and also
wrong for role addition, if there are other roles assigned.

Use the result of the API query for 'end_state' for 'diff' as well.

Signed-off-by: Florian Achleitner <flo@fopen.at>

* Keycloak: Calculate client_rolemapping proposed state properly

Signed-off-by: Florian Achleitner <flo@fopen.at>

* Add changelog fragment

Signed-off-by: Florian Achleitner <flo@fopen.at>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>

* Fix for python2 unit test

Signed-off-by: Florian Achleitner <flo@fopen.at>
Co-authored-by: Felix Fontein <felix@fontein.de>

plugins/module_utils/identity/keycloak/keycloak.py

@@ -608,7 +608,7 @@ class KeycloakAPI(object):
         """
         available_rolemappings_url = URL_CLIENT_GROUP_ROLEMAPPINGS.format(url=self.baseurl, realm=realm, id=gid, client=cid)
         try:
-            open_url(available_rolemappings_url, method="DELETE", http_agent=self.http_agent, headers=self.restheaders,
+            open_url(available_rolemappings_url, method="DELETE", http_agent=self.http_agent, headers=self.restheaders, data=json.dumps(role_rep),
                      validate_certs=self.validate_certs, timeout=self.connection_timeout)
         except Exception as e:
             self.module.fail_json(msg="Could not delete available rolemappings for client %s in group %s, realm %s: %s"