From 5cd400b053d8a2a973fa5703f41df7f7dcbffdb0 Mon Sep 17 00:00:00 2001
From: Helmut Wolf <helmut.wolf@world-direct.at>
Date: Tue, 6 May 2025 15:16:50 +0200
Subject: [PATCH] feat: introduce `checksum` for keycloak_quarkus_providers
 (#279)

---
 molecule/quarkus/converge.yml            | 3 +++
 roles/keycloak_quarkus/README.md         | 4 ++++
 roles/keycloak_quarkus/tasks/install.yml | 2 ++
 3 files changed, 9 insertions(+)

diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index cb3b9f8..a836d1a 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -36,6 +36,9 @@
             value: 10
       - id: spid-saml
         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+      - id: spid-saml-w-checksum
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+        checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
       - id: keycloak-kerberos-federation
         maven:
           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 7f93a9f..b5e7686 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -228,6 +228,10 @@ keycloak_quarkus_providers:
     properties:                             # optional, list of key-values
       - key: default-connection-pool-size
         value: 10
+    checksum: sha256:D98291AC[...]B6DC7B97  # optional, checksum used to verify integrity:
+                                            #  for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>;
+                                            #  for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum>
+                                            #  for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default
 ```
 
 the definition above will generate the following build command:
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
index c664d05..4719b64 100644
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -215,6 +215,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
+    checksum: "{{ item.checksum | default(omit) }}"
   become: true
   loop: "{{ keycloak_quarkus_providers }}"
   when: item.url is defined and item.url | length > 0
@@ -244,6 +245,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
+    checksum: "{{ item.checksum | default(omit) }}"
   become: true
   loop: "{{ keycloak_quarkus_providers }}"
   when: item.maven is defined