From 4dd17692252f79b854c89a54f20d1000df39f0c2 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 28 Nov 2025 20:34:02 +0100
Subject: [PATCH] web-app-keycloak: sync Google reCAPTCHA config from realm dictionary

This adds update/06_recaptcha.yml to update the registration reCAPTCHA authenticator from KEYCLOAK_DICTIONARY_REALM and wires it into the main Keycloak task flow.

Ref: https://chatgpt.com/share/6929f91c-cc98-800f-9562-1c6ea802d72d
---
 roles/web-app-keycloak/tasks/main.yml | 5 ++
 .../tasks/update/06_recaptcha.yml | 50 +++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 roles/web-app-keycloak/tasks/update/06_recaptcha.yml

diff --git a/roles/web-app-keycloak/tasks/main.yml b/roles/web-app-keycloak/tasks/main.yml
index 57b9ecb1..326b6a6b 100644
--- a/roles/web-app-keycloak/tasks/main.yml
+++ b/roles/web-app-keycloak/tasks/main.yml
@@ -31,3 +31,8 @@
 - name: "Load LDAP Update routines for '{{ application_id }}'"
   include_tasks: update/05_ldap.yml
   when: KEYCLOAK_LDAP_ENABLED | bool
+
+- name: "Load reCAPTCHA Update routines for '{{ application_id }}'"
+  include_tasks: update/06_recaptcha.yml
+  when: applications | get_app_conf(application_id, 'features.recaptcha', False)
+
diff --git a/roles/web-app-keycloak/tasks/update/06_recaptcha.yml b/roles/web-app-keycloak/tasks/update/06_recaptcha.yml
new file mode 100644
index 00000000..7e8ed784
--- /dev/null
+++ b/roles/web-app-keycloak/tasks/update/06_recaptcha.yml
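Review bot: The new `when:` on the reCAPTCHA include does not coerce the feature flag with `| bool`, unlike the LDAP include two lines above (`when: KEYCLOAK_LDAP_ENABLED | bool`); if `get_app_conf` ever hands back the configured value as a string (for example `"false"` from a templated config), Jinja treats the non-empty string as truthy and the include runs anyway. Match the sibling task: `when: applications | get_app_conf(application_id, 'features.recaptcha', False) | bool`. The hunk also appends a trailing blank line at end of file, which yamllint's default `empty-lines` rule is likely to flag.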
@@ -0,0 +1,50 @@
+- name: "Extract Google reCAPTCHA config from realm dictionary"
+  set_fact:
+    kc_recaptcha_cfg: >-
+      {{
+        KEYCLOAK_DICTIONARY_REALM.authenticatorConfig
+        | selectattr('alias','equalto','Google reCaptcha')
+        | map(attribute='config')
+        | first | default({}, true)
+      }}
+
+- name: "Sanity check: reCAPTCHA config exists in dictionary"
+  assert:
+    that:
+      - kc_recaptcha_cfg | length > 0
+    fail_msg: "Google reCAPTCHA config not found in KEYCLOAK_DICTIONARY_REALM.authenticatorConfig."
+  when: MODE_ASSERT | bool
+
+- name: "Fetch executions of 'registration form' flow"
+  shell: >
+    {{ KEYCLOAK_EXEC_KCADM }} get
+    "authentication/flows/registration%20form/executions"
+    -r {{ KEYCLOAK_REALM }} --format json
+  register: kc_reg_exec
+  changed_when: false
+
+- name: "Extract reCAPTCHA authenticator config id"
+  set_fact:
+    kc_recaptcha_cfg_id: >-
+      {{
+        kc_reg_exec.stdout | from_json
+        | selectattr('providerId','equalto','registration-recaptcha-action')
+        | map(attribute='authenticationConfig')
+        | first | default('')
+      }}
+
+- name: "Update Google reCAPTCHA authenticator config from dictionary"
+  when: kc_recaptcha_cfg_id | length > 0
+  shell: |
+    cat <<'JSON' | {{ KEYCLOAK_EXEC_KCADM }} update authentication/config/{{ kc_recaptcha_cfg_id }} -r {{ KEYCLOAK_REALM }} -f -
+    {{
+      {
+        'alias': 'Google reCaptcha',
+        'config': kc_recaptcha_cfg
+      } | to_json
+    }}
+    JSON
+  register: kc_recaptcha_update
+  changed_when: kc_recaptcha_update.rc == 0
+  failed_when: kc_recaptcha_update.rc != 0
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
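Review bot: The update task at the bottom of the hunk is guarded only by `kc_recaptcha_cfg_id | length > 0`, while the assert that checks `kc_recaptcha_cfg` is skipped unless `MODE_ASSERT` is set, so in a non-assert run with a missing or empty dictionary entry the `default({}, true)` value is pushed as `'config': {}` and overwrites whatever site key and secret are currently stored on the server. Guard the destructive call on both facts: `when: kc_recaptcha_cfg_id | length > 0 and kc_recaptcha_cfg | length > 0`. The config id parsed from kcadm's JSON is interpolated unquoted into the shell line, `authentication/config/{{ kc_recaptcha_cfg_id }}`; it is expected to be a UUID, but a server-derived value that reaches `shell:` should go through `| quote`, as should `{{ KEYCLOAK_REALM | quote }}`. `no_log` is applied only to the update, yet the first `set_fact` loads the same config — presumably carrying the reCAPTCHA secret, given that the commit masks it with `MASK_CREDENTIALS_IN_LOGS` — into a fact that verbose runs print, so add the same `no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"` to that task. `changed_when: kc_recaptcha_update.rc == 0` reports a change on every successful run, so the task is never idempotent; comparing the fetched `authenticationConfig` against `kc_recaptcha_cfg` before updating would fix that.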