From 658637dc700f6e795074a22071fa7a40ef7f11fb Mon Sep 17 00:00:00 2001
From: Victor Gaudard
Date: Sat, 19 Oct 2024 16:03:49 -0400
Subject: [PATCH] =?UTF-8?q?keycloak=5Fgroup:=20fix=20subgroup=20creation?= =?UTF-8?q?=20in=20Keycloak=20=E2=89=A523=20(#8979)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* keycloak_group: fix subgroup creation in Keycloak ≥23
* Add changelog fragment
* Include issue and pull request in changelog fragment
Co-authored-by: Felix Fontein
* Use new way to get subgroups when getting a subgroup chain
* Fix indent
---------
Co-authored-by: Felix Fontein
---
.../8979-keycloak_group-fix-subgroups.yml | 2 ++
.../identity/keycloak/keycloak.py | 21 +++++++++++++++++--
2 files changed, 21 insertions(+), 2 deletions(-)
create mode 100644 changelogs/fragments/8979-keycloak_group-fix-subgroups.yml
diff --git a/changelogs/fragments/8979-keycloak_group-fix-subgroups.yml b/changelogs/fragments/8979-keycloak_group-fix-subgroups.yml
new file mode 100644
index 0000000000..c64a09add6
--- /dev/null
+++ b/changelogs/fragments/8979-keycloak_group-fix-subgroups.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - keycloak_group - fix crash caused in subgroup creation. The crash was caused by a missing or empty ``subGroups`` property in Keycloak ≥23 (https://github.com/ansible-collections/community.general/issues/8788, https://github.com/ansible-collections/community.general/pull/8979).
diff --git a/plugins/module_utils/identity/keycloak/keycloak.py b/plugins/module_utils/identity/keycloak/keycloak.py
index 128b0fee13..15603331b0 100644
--- a/plugins/module_utils/identity/keycloak/keycloak.py
+++ b/plugins/module_utils/identity/keycloak/keycloak.py
@@ -1499,6 +1499,23 @@ class KeycloakAPI(object): self.module.fail_json(msg="Could not fetch group %s in realm %s: %s" % (gid, realm, str(e))) + def get_subgroups(self, parent, realm="master"): + if 'subGroupCount' in parent: + # Since version 23, when GETting a group Keycloak does not + # return subGroups but only a subGroupCount. + # Children must be fetched in a second request. + if parent['subGroupCount'] == 0: + group_children = [] + else: + group_children_url = URL_GROUP_CHILDREN.format(url=self.baseurl, realm=realm, groupid=parent['id']) + group_children = json.loads(to_native(open_url(group_children_url, method="GET", http_agent=self.http_agent, headers=self.restheaders, + timeout=self.connection_timeout, + validate_certs=self.validate_certs).read())) + subgroups = group_children + else: + subgroups = parent['subGroups'] + return subgroups + def get_group_by_name(self, name, realm="master", parents=None): """ Fetch a keycloak group within a realm based on its name. @@ -1519,7 +1536,7 @@ class KeycloakAPI(object): if not parent: return None - all_groups = parent['subGroups'] + all_groups = self.get_subgroups(parent, realm) else: all_groups = self.get_groups(realm=realm) @@ -1568,7 +1585,7 @@ class KeycloakAPI(object): return None for p in name_chain[1:]: - for sg in tmp['subGroups']: + for sg in self.get_subgroups(tmp): pv, is_id = self._get_normed_group_parent(p) if is_id:
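Review bot: The children request in the new `get_subgroups` (the `open_url(...)`/`json.loads(...)` call in the inner `else` branch) has no error handling, while the fetch that ends just above it in this hunk reports failures through `self.module.fail_json`; an HTTP error, timeout or non-JSON body would surface as an unhandled traceback rather than a module failure. Wrapping the call as in the fence below keeps the two fetches consistent. The outer `else` branch still indexes `parent['subGroups']` directly, so a group representation carrying neither key raises `KeyError`; whether `parent.get('subGroups', [])` is acceptable there depends on what older Keycloak versions return, which the hunk does not show. The method also lacks a docstring saying that it returns the list of child group representations and issues a second request on Keycloak ≥23, and it is worth confirming that the endpoint behind `URL_GROUP_CHILDREN` (defined outside the hunk) returns every child rather than a first page.

```python
    def get_subgroups(self, parent, realm="master"):
        # … unchanged: subGroupCount check and the zero-children shortcut …
                group_children_url = URL_GROUP_CHILDREN.format(url=self.baseurl, realm=realm, groupid=parent['id'])
                try:
                    group_children = json.loads(to_native(open_url(group_children_url, method="GET", http_agent=self.http_agent,
                                                                   headers=self.restheaders,
                                                                   timeout=self.connection_timeout,
                                                                   validate_certs=self.validate_certs).read()))
                except Exception as e:
                    self.module.fail_json(msg="Could not fetch subgroups of group %s in realm %s: %s"
                                              % (parent['id'], realm, str(e)))
        # … unchanged: subgroups assignment, subGroups fallback and return …
```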
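Review bot: `self.get_subgroups(tmp)` in the third hunk is called without a realm, so the helper falls back to its default `realm="master"`, whereas the other new call site in this patch passes `realm` through. On Keycloak ≥23 the children request for `tmp['id']` would then be sent to the master realm even when the chain is being resolved in a different realm, so the lookup would fail or be answered from the wrong realm. Assuming the enclosing function takes a `realm` parameter (its signature is outside the hunk), the line should read `for sg in self.get_subgroups(tmp, realm):`. The loop body continues past the end of the hunk.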