Bugfix/keycloak userfed idempotency #5732
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
December 22, 2022 21:16
... federation read call not finding already existing federations properly because of bad parametrisation
... new integration test for module idempotency bugfix
ansibullbot
added
WIP
Docs Build 📝Thank you for contribution!✨ The docsite for this PR is available for download as an artifact from this run: File changes:
Click to see the diff comparison.NOTE: only file modifications are shown here. New and deleted files are excluded. diff --git a/home/runner/work/community.general/community.general/docsbuild/base/collections/community/general/htpasswd_module.html b/home/runner/work/community.general/community.general/docsbuild/head/collections/community/general/htpasswd_module.html
index 9870ce5..13f1d52 100644
--- a/home/runner/work/community.general/community.general/docsbuild/base/collections/community/general/htpasswd_module.html
+++ b/home/runner/work/community.general/community.general/docsbuild/head/collections/community/general/htpasswd_module.html
@@ -205,8 +205,9 @@ see <a class="reference internal" href="#ansible-collections-community-general-h
<div class="ansibleOptionAnchor" id="parameter-crypt_scheme"></div><p class="ansible-option-title" id="ansible-collections-community-general-htpasswd-module-parameter-crypt-scheme"><strong>crypt_scheme</strong></p>
<a class="ansibleOptionLink" href="#parameter-crypt_scheme" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
-<td><div class="ansible-option-cell"><p>Encryption scheme to be used. As well as the four choices listed here, you can also use any other hash supported by passlib, such as md5_crypt and sha256_crypt, which are linux passwd hashes. If you do so the password file will not be compatible with Apache or Nginx</p>
-<p>Some of the available choices might be: <code class="docutils literal notranslate"><span class="pre">apr_md5_crypt</span></code>, <code class="docutils literal notranslate"><span class="pre">des_crypt</span></code>, <code class="docutils literal notranslate"><span class="pre">ldap_sha1</span></code>, <code class="docutils literal notranslate"><span class="pre">plaintext</span></code></p>
+<td><div class="ansible-option-cell"><p>Encryption scheme to be used. As well as the four choices listed here, you can also use any other hash supported by passlib, such as <code class="docutils literal notranslate"><span class="pre">portable_apache22</span></code> and <code class="docutils literal notranslate"><span class="pre">host_apache24</span></code>; or <code class="docutils literal notranslate"><span class="pre">md5_crypt</span></code> and <code class="docutils literal notranslate"><span class="pre">sha256_crypt</span></code>, which are Linux passwd hashes. Only some schemes in addition to the four choices below will be compatible with Apache or Nginx, and supported schemes depend on passlib version and its dependencies.</p>
+<p>See <a class="reference external" href="https://passlib.readthedocs.io/en/stable/lib/passlib.apache.html#passlib.apache.HtpasswdFile">https://passlib.readthedocs.io/en/stable/lib/passlib.apache.html#passlib.apache.HtpasswdFile</a> parameter <code class="docutils literal notranslate"><span class="pre">default_scheme</span></code>.</p>
+<p>Some of the available choices might be: <code class="docutils literal notranslate"><span class="pre">apr_md5_crypt</span></code>, <code class="docutils literal notranslate"><span class="pre">des_crypt</span></code>, <code class="docutils literal notranslate"><span class="pre">ldap_sha1</span></code>, <code class="docutils literal notranslate"><span class="pre">plaintext</span></code>.</p>
<p class="ansible-option-line"><span class="ansible-option-default-bold">Default:</span> <code class="ansible-option-default docutils literal notranslate"><span class="pre">"apr_md5_crypt"</span></code></p>
</div></td>
</tr>
diff --git a/home/runner/work/community.general/community.general/docsbuild/base/collections/community/general/keycloak_user_federation_module.html b/home/runner/work/community.general/community.general/docsbuild/head/collections/community/general/keycloak_user_federation_module.html
index eaac1fd..af7b84f 100644
--- a/home/runner/work/community.general/community.general/docsbuild/base/collections/community/general/keycloak_user_federation_module.html
+++ b/home/runner/work/community.general/community.general/docsbuild/head/collections/community/general/keycloak_user_federation_module.html
@@ -156,7 +156,7 @@
<h2><a class="toc-backref" href="#id1">Synopsis</a><a class="headerlink" href="#synopsis" title="Permalink to this heading"></a></h2>
<ul class="simple">
<li><p>This module allows you to add, remove or modify Keycloak user federations via the Keycloak REST API. It requires access to the REST API via OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.</p></li>
-<li><p>The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at <a class="reference external" href="https://www.keycloak.org/docs-api/15.0/rest-api/index.html">https://www.keycloak.org/docs-api/15.0/rest-api/index.html</a>.</p></li>
+<li><p>The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at <a class="reference external" href="https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html">https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html</a>.</p></li>
</ul>
</section>
<section id="parameters">
diff --git a/home/runner/work/community.general/community.general/docsbuild/base/collections/community/general/proxmox_module.html b/home/runner/work/community.general/community.general/docsbuild/head/collections/community/general/proxmox_module.html
index db18ad4..1d63982 100644
--- a/home/runner/work/community.general/community.general/docsbuild/base/collections/community/general/proxmox_module.html
+++ b/home/runner/work/community.general/community.general/docsbuild/head/collections/community/general/proxmox_module.html
@@ -486,6 +486,16 @@ see <a class="reference internal" href="#ansible-collections-community-general-p
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-tags"></div><p class="ansible-option-title" id="ansible-collections-community-general-proxmox-module-parameter-tags"><strong>tags</strong></p>
+<a class="ansibleOptionLink" href="#parameter-tags" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
+<p><span class="ansible-option-versionadded">added in community.general 6.2.0</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>List of tags to apply to the container.</p>
+<p>Tags must start with <code class="docutils literal notranslate"><span class="pre">[a-z0-9_]</span></code> followed by zero or more of the following characters <code class="docutils literal notranslate"><span class="pre">[a-z0-9_-+.]</span></code>.</p>
+<p>Tags are only available in Proxmox 7+.</p>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-timeout"></div><p class="ansible-option-title" id="ansible-collections-community-general-proxmox-module-parameter-timeout"><strong>timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
@@ -493,7 +503,7 @@ see <a class="reference internal" href="#ansible-collections-community-general-p
<p class="ansible-option-line"><span class="ansible-option-default-bold">Default:</span> <code class="ansible-option-default docutils literal notranslate"><span class="pre">30</span></code></p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-unprivileged"></div><p class="ansible-option-title" id="ansible-collections-community-general-proxmox-module-parameter-unprivileged"><strong>unprivileged</strong></p>
<a class="ansibleOptionLink" href="#parameter-unprivileged" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
@@ -506,7 +516,7 @@ see <a class="reference internal" href="#ansible-collections-community-general-p
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div><p class="ansible-option-title" id="ansible-collections-community-general-proxmox-module-parameter-validate-certs"><strong>validate_certs</strong></p>
<a class="ansibleOptionLink" href="#parameter-validate_certs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
@@ -519,7 +529,7 @@ see <a class="reference internal" href="#ansible-collections-community-general-p
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-vmid"></div><p class="ansible-option-title" id="ansible-collections-community-general-proxmox-module-parameter-vmid"><strong>vmid</strong></p>
<a class="ansibleOptionLink" href="#parameter-vmid" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
|
There was a problem hiding this comment.
Thanks for your contribution! Could you please add a changelog fragment? Thanks.
felixfontein
added
check-before-release
|
@morco please note that this cannot be merged without a changelog fragment. Thanks. |
|
Okay, added the changelog fragment now. |
russoz
approved these changes
Jan 7, 2023
|
Same from my POV. If nobody objects in the next two weeks, I'll merge this. |
Backport to stable-5: 💚 backport PR created✅ Backport PR branch: Backported as #5873 🤖 @patchback |
felixfontein
removed
the
check-before-release
patchback bot
pushed a commit
that referenced
this pull request
Jan 22, 2023
* fix(modules/keycloak_user_federation): fixes ... ... federation read call not finding already existing federations properly because of bad parametrisation * fix(modules/keycloak_user_federation): added ... ... new integration test for module idempotency bugfix * added changelog fragment for pr Co-authored-by: Mirko Wilhelmi <Mirko.Wilhelmi@sma.de> (cherry picked from commit 0ca41de)
Backport to stable-6: 💚 backport PR created✅ Backport PR branch: Backported as #5874 🤖 @patchback |
patchback bot
pushed a commit
that referenced
this pull request
Jan 22, 2023
* fix(modules/keycloak_user_federation): fixes ... ... federation read call not finding already existing federations properly because of bad parametrisation * fix(modules/keycloak_user_federation): added ... ... new integration test for module idempotency bugfix * added changelog fragment for pr Co-authored-by: Mirko Wilhelmi <Mirko.Wilhelmi@sma.de> (cherry picked from commit 0ca41de)
felixfontein
pushed a commit
that referenced
this pull request
Jan 22, 2023
…tency (#5873) Bugfix/keycloak userfed idempotency (#5732) * fix(modules/keycloak_user_federation): fixes ... ... federation read call not finding already existing federations properly because of bad parametrisation * fix(modules/keycloak_user_federation): added ... ... new integration test for module idempotency bugfix * added changelog fragment for pr Co-authored-by: Mirko Wilhelmi <Mirko.Wilhelmi@sma.de> (cherry picked from commit 0ca41de) Co-authored-by: morco <thegreatwiper@web.de>
felixfontein
pushed a commit
that referenced
this pull request
Jan 22, 2023
…tency (#5874) Bugfix/keycloak userfed idempotency (#5732) * fix(modules/keycloak_user_federation): fixes ... ... federation read call not finding already existing federations properly because of bad parametrisation * fix(modules/keycloak_user_federation): added ... ... new integration test for module idempotency bugfix * added changelog fragment for pr Co-authored-by: Mirko Wilhelmi <Mirko.Wilhelmi@sma.de> (cherry picked from commit 0ca41de) Co-authored-by: morco <thegreatwiper@web.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Current version of
keycloak_user_federationhas some idempotency problems in some situations where an already existing user federation is not correctly recognized (detected) which then leads to the module falsely creating a new federationagain and again on each consequent playbook run.
One contributing factor seems to be the optional query param
parent=<realm-name>which is momentarely always set when checking the server for existing user federations. This param seems to be buggy in upstream keycloak rest api working sometimes as expected while other times not (when parent realm is for examplemaster).Although this is fundamentally an upstream issue fpr keycloak rest api I would still argue that there is something which can and should be done inside this ansible module. As the parent realm (name) is already part of the url-path specifying them again as query param seems superfluous. So simply not setting them as query param seems to have no disadvantadges while insulating against these kind of api flukes.
Fixes #4664: at least for some cases
Fixes #5286: not totally sure here but this might be related to issue above
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
plugins/modules/keycloak_user_federation.py
ADDITIONAL INFORMATION
Tested with recent keycloak (api) version:
20.0.2.