---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

- name: Reset public login in master admin-cli (if potentially previous test failed)
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    auth_client_id: "admin-cli"
    auth_client_secret: "{{ client_secret }}"
    client_id: "admin-cli"
    secret: "{{ client_secret }}"
    public_client: true
    state: present

- name: Create realm
  community.general.keycloak_realm:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    id: "{{ realm }}"
    realm: "{{ realm }}"
    state: present

- name: Create client
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    client_id: "{{ client_id }}"
    state: present
  register: client

- name: Create new realm role with username/password authentication
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result

- name: Debug
  debug:
    var: result

- name: Remove created realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    state: absent
  register: result

- name: Debug
  debug:
    var: result

- name: Get Keycloak token
  ansible.builtin.uri:
    url: "{{ url }}/realms/{{ admin_realm }}/protocol/openid-connect/token"
    method: POST
    return_content: true
    status_code: 200
    body_format: form-urlencoded
    body:
      grant_type: "password"
      client_id: "admin-cli"
      username: "{{ admin_user }}"
      password: "{{ admin_password }}"
  register: token_response

- name: Extract tokens
  ansible.builtin.set_fact:
    access_token: "{{ token_response.json | json_query('access_token') }}"
    refresh_token: "{{ token_response.json | json_query('refresh_token') }}"

- name: Create new realm role with provided token authentication
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    token: "{{ access_token }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result

- name: Debug
  debug:
    var: result

- name: Remove created realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    state: absent
  register: result

- name: Debug
  debug:
    var: result

- name: Create new realm role with invalid auth token and valid refresh token
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    token: "invalidtoken!!!"
    refresh_token: "{{ refresh_token }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result

- name: Debug
  debug:
    var: result

- name: Remove created realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    state: absent
  register: result

- name: Debug
  debug:
    var: result

- name: Create new realm role with invalid auth token and valid username/password
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    token: "invalidtoken!!!"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result

- name: Debug
  debug:
    var: result

- name: Remove created realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    state: absent
  register: result

- name: Debug
  debug:
    var: result

- name: Create new realm role with invalid auth token, invalid refresh token, and valid username/password
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    token: "invalidtoken!!!"
    refresh_token: "invalidrefreshtoken!!!"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result

- name: Debug
  debug:
    var: result

- name: Remove created realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    state: absent
  register: result

- name: Debug
  debug:
    var: result

- name: PREPARE - Temporarily disable public login in master admin-cli
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    auth_client_id: "admin-cli"
    auth_client_secret: "{{ client_secret }}"
    client_id: "admin-cli"
    secret: "{{ client_secret }}"
    public_client: false
    service_accounts_enabled: true
    client_authenticator_type: "client-secret"
    state: present

- name: PREPARE - Get admin role id
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    auth_client_id: "admin-cli"
    auth_client_secret: "{{ client_secret }}"
    name: "admin"
  register: admin_role

- name: PREPARE - Assign admin role to admin-cli in master
  community.general.keycloak_user_rolemapping:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    auth_client_id: "admin-cli"
    auth_client_secret: "{{ client_secret }}"
    realm: "master"
    roles:
      - name: "admin"
    service_account_user_client_id: "admin-cli"

- name: Create new realm role with valid client_id and client_secret
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_client_id: "admin-cli"
    auth_client_secret: "{{ client_secret }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result

- name: Debug
  debug:
    var: result

- name: Reset temporarily disabled public login in master admin-cli
  community.general.keycloak_client:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    auth_client_id: "admin-cli"
    auth_client_secret: "{{ client_secret }}"
    client_id: "admin-cli"
    secret: "{{ client_secret }}"
    public_client: true
    state: present

- name: Remove created realm role
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "{{ admin_password }}"
    realm: "{{ realm }}"
    name: "{{ role }}"
    state: absent
  register: result

- name: Debug
  debug:
    var: result

### Unhappy path tests

- name: Fail to create new realm role with invalid username/password
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "invalid_password"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result
  failed_when: >
    ("HTTP Error 401: Unauthorized" not in result.msg)

- name: Fail to create new realm role with invalid auth token
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    token: "invalidtoken!!!"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result
  failed_when: >
    ("HTTP Error 401: Unauthorized" not in result.msg)

- name: Fail to create new realm role with invalid auth and refresh tokens, and invalid username/password
  community.general.keycloak_role:
    auth_keycloak_url: "{{ url }}"
    auth_realm: "{{ admin_realm }}"
    auth_username: "{{ admin_user }}"
    auth_password: "invalid_password"
    token: "invalidtoken!!!"
    refresh_token: "invalidtoken!!!"
    realm: "{{ realm }}"
    name: "{{ role }}"
    description: "{{ keycloak_role_description }}"
    state: present
  register: result
  failed_when: >
    ("HTTP Error 401: Unauthorized" not in result.msg)