ansible-collections · felixfontein · Jun 18, 2023 · Jun 18, 2023
diff --git a/changelogs/fragments/6687-support-subgroups-for-keycloak-client-rolemapping.yml b/changelogs/fragments/6687-support-subgroups-for-keycloak-client-rolemapping.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - keycloak_client_rolemapping - adds support for subgroups with additional parameter ``parents`` (https://github.com/ansible-collections/community.general/pull/6687).
diff --git a/plugins/modules/keycloak_client_rolemapping.py b/plugins/modules/keycloak_client_rolemapping.py
@@ -63,6 +63,33 @@
             - Name of the group to be mapped.
             - This parameter is required (can be replaced by gid for less API call).
 
+    parents:
+        version_added: "7.1.0"
+        type: list
+        description:
+            - List of parent groups for the group to handle sorted top to bottom.
+            - >-
+              Set this if your group is a subgroup and you do not provide the GID in O(gid).
+        elements: dict
+        suboptions:
+          id:
+            type: str
+            description:
+              - Identify parent by ID.
+              - Needs less API calls than using O(parents[].name).
+              - A deep parent chain can be started at any point when first given parent is given as ID.
+              - Note that in principle both ID and name can be specified at the same time
+                but current implementation only always use just one of them, with ID
+                being preferred.
+          name:
+            type: str
+            description:
+              - Identify parent by name.
+              - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
+              - When giving a parent chain with only names it must be complete up to the top.
+              - Note that in principle both ID and name can be specified at the same time
+                but current implementation only always use just one of them, with ID
+                being preferred.
     gid:
         type: str
         description:
@@ -144,6 +171,24 @@
         id: role_id2
   delegate_to: localhost
 
+- name: Map a client role to a subgroup, authentication with token
+  community.general.keycloak_client_rolemapping:
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    token: TOKEN
+    state: present
+    client_id: client1
+    group_name: subgroup1
+    parents:
+      - name: parent-group
+    roles:
+      - name: role_name1
+        id: role_id1
+      - name: role_name2
+        id: role_id2
+  delegate_to: localhost
+
 - name: Unmap client role from a group
   community.general.keycloak_client_rolemapping:
     realm: MyCustomRealm
@@ -230,6 +275,13 @@ def main():
         realm=dict(default='master'),
         gid=dict(type='str'),
         group_name=dict(type='str'),
+        parents=dict(
+            type='list', elements='dict',
+            options=dict(
+                id=dict(type='str'),
+                name=dict(type='str')
+            ),
+        ),
         cid=dict(type='str'),
         client_id=dict(type='str'),
         roles=dict(type='list', elements='dict', options=roles_spec),
@@ -259,6 +311,7 @@ def main():
     gid = module.params.get('gid')
     group_name = module.params.get('group_name')
     roles = module.params.get('roles')
+    parents = module.params.get('parents')
 
     # Check the parameters
     if cid is None and client_id is None:
@@ -268,7 +321,7 @@ def main():
 
     # Get the potential missing parameters
     if gid is None:
-        group_rep = kc.get_group_by_name(group_name, realm=realm)
+        group_rep = kc.get_group_by_name(group_name, realm=realm, parents=parents)
         if group_rep is not None:
             gid = group_rep['id']
         else:

diff --git a/tests/unit/plugins/modules/test_keycloak_client_rolemapping.py b/tests/unit/plugins/modules/test_keycloak_client_rolemapping.py
@@ -120,6 +120,11 @@ def test_map_clientrole_to_group_with_name(self):
             'state': 'present',
             'client_id': 'test_client',
             'group_name': 'test_group',
+            'parents': [
+                {
+                    'name': 'parent_group'
+                }
+            ],
             'roles': [
                 {
                     'name': 'test_role1',
@@ -139,7 +144,7 @@ def test_map_clientrole_to_group_with_name(self):
             "clientRoles": "{}",
             "id": "92f2400e-0ecb-4185-8950-12dcef616c2b",
             "name": "test_group",
-            "path": "/test_group",
+            "path": "/parent_group/test_group",
             "realmRoles": "[]",
             "subGroups": "[]"
         }]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- keycloak_client_rolemapping - adds support for subgroups with additional parameter ``parents`` (https://github.com/ansible-collections/community.general/pull/6687).