keycloak_group: fix subgroup creation in Keycloak ≥23

vgaudard commented 1 month ago

SUMMARY

In Keycloak versions 23 and later, GroupRepresentation.subGroups has been replaced by GroupRepresentation.subGroupCount and another endpoint to get subgroups. This caused community.general.keycloak_group to fail when creating a group with a parent. We now execute this second request if needed.

Fixes ansible-collections/community.general#8788

See https://www.keycloak.org/docs/latest/upgrading/#grouprepresentation-changes

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

keycloak_group

ADDITIONAL INFORMATION

Related issue : ansible-collections/community.general#8788

Tested on Keycloak versions (Docker images) :

17.0.0
21.1.2
22.0.5
23.0.4
23.0.7
24.0.5
25.0.6

ansibullbot commented 1 month ago

cc @eikef @mattock @ndclt @thomasbach-dev click here for bot help

vgaudard commented 1 month ago

I wasn't able to run tests locally (either before or after my changes). Because they're marked unsupported, I assumed this is expected.

Console output of test execution

``` $ ansible-test integration keycloak_group --docker -v Configured locale: C.UTF-8 Falling back to tests in "tests/integration/targets/" because "roles/test/" was not found. WARNING: Excluding target tests marked "unsupported" which require --allow-unsupported or prefixing with "unsupported/": keycloak_group WARNING: All targets skipped. $ ansible-test integration keycloak_group --docker -v --allow-unsupported Configured locale: C.UTF-8 Falling back to tests in "tests/integration/targets/" because "roles/test/" was not found. Run command: docker -v Detected "docker" container runtime version: Docker version 26.1.4, build 5650f9b Run command: docker info --format '{{ json . }}' Run command: docker version --format '{{ json . }}' Container runtime: docker client=26.1.4 server=26.1.4 cgroup=v1 DD+WSL2 Run command: docker image inspect quay.io/ansible/ansible-test-utility-container:2.0.0 Run command: docker run --volume /sys/fs/cgroup:/probe:ro --name ansible-test-probe-yPUyPpLc --rm quay.io/ansible/ansible-test-utility-container:2.0.0 sh -c 'audit-status && cat /proc ... Container host audit status: EPERM (-1) Container host max open files: 1048576 Container loginuid: 4294967295 (not set) Assuming Docker is available on localhost. Run command with data: docker run --tmpfs /tmp:exec --tmpfs /run:exec --tmpfs /run/lock --volume /var/run/docker.sock:/var/run/docker.sock --cgroupns host --tmpfs /sys/fs/cgroup --vol ... ERROR: Host DockerConfig(python=NativePythonConfig(version='3.12', path='/usr/bin/python3.12'), name='default', image='quay.io/ansible/default-test-container:8.12.0', memory=None, privileged=False, seccomp='default', cgroup=CGroupVersion.V1_V2, audit=AuditMode.REQUIRED) job failed: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/ansible_test/_internal/provisioning.py", line 200, in dispatch_jobs thread.wait_for_result() File "/usr/lib/python3/dist-packages/ansible_test/_internal/thread.py", line 44, in wait_for_result raise exception[1].with_traceback(exception[2]) File "/usr/lib/python3/dist-packages/ansible_test/_internal/thread.py", line 34, in run self._result.put((self.action(), None)) ^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/provisioning.py", line 134, in provision profile.provision() File "/usr/lib/python3/dist-packages/ansible_test/_internal/host_profiles.py", line 456, in provision container = run_support_container( ^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/containers.py", line 135, in run_support_container current_container_id = get_docker_container_id() ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/thread.py", line 59, in wrapper return func(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/util.py", line 151, in cache_func value = storage[None] = func() ^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/docker_util.py", line 599, in get_docker_container_id mounts = MountEntry.loads(mountinfo_path.read_text()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/cgroup.py", line 107, in loads return tuple(cls.parse(line) for line in value.splitlines()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/cgroup.py", line 107, in return tuple(cls.parse(line) for line in value.splitlines()) ^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ansible_test/_internal/cgroup.py", line 86, in parse assert separator == '-' ^^^^^^^^^^^^^^^^ AssertionError: FATAL: Host job(s) failed. See previous error(s) for details. ```

vgaudard commented 1 month ago

@UKFr-DIZ This is a fix for issue #8788 .

@vvanouytsel This PR might fix issue #8366 , could you confirm that the issue happened with Keycloak version 23? Details : I suspect this was caused by Keycloak returning a subGroupCount > 0 and subGroups == [] after creating the subgroup. This caused after_group to be set to None, and so the module failed when formatting the result message.

felixfontein commented 1 month ago

If nobody objects, I'll merge this in a week.

CC @fgruenbauer who lately worked a lot on keycloak_* modules.

vgaudard commented 1 month ago

Thank you both for your help.

You might want give it a try to andebox by yours truly:

I did, but I can't setup vagrant on my work computer, so I returned to classic ansible-test and fidgeting with dependencies.

I was able to run the tests before and after my changes, and both passed.

I ran the tests again but on Keycloak 25, and... they failed. I forgot to change another method where we want subgroups of a group (get_subgroup_by_chain), which caused sub-sub-groups to fail. It should be OK now.