From b5d8ac54627386e24cbd683e4bb9f00b59e57712 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 11 Aug 2025 02:21:02 +0200
Subject: [PATCH] Reactivated keycloak docker and webserver tasks and implemented correct logic for element and synapse redirect handling
---
 .../filter_plugins/redirect_uris.py | 19 +++++++++++++++-
 roles/web-app-keycloak/tasks/main.yml | 12 +++++-----
 .../filter_plugins/test_redirect_uris.py | 22 +++++++++++++++++++
 3 files changed, 46 insertions(+), 7 deletions(-)
diff --git a/roles/web-app-keycloak/filter_plugins/redirect_uris.py b/roles/web-app-keycloak/filter_plugins/redirect_uris.py
index 6b189a50..756545e6 100644
--- a/roles/web-app-keycloak/filter_plugins/redirect_uris.py
+++ b/roles/web-app-keycloak/filter_plugins/redirect_uris.py
@@ -29,6 +29,23 @@ def _stable_dedup(items: Sequence[str]) -> list[str]:
 out.append(x)
 return out
+def _iter_domains(v) -> Iterable[str]:
+ """Yield domains from str | list/tuple[str] | dict[*, str|list|tuple]."""
+ if v is None:
+ return
+ if isinstance(v, str):
+ yield v
+ elif isinstance(v, dict):
+ for val in v.values():
+ yield from _iter_domains(val)
+ elif isinstance(v, (list, tuple)):
+ for val in v:
+ yield from _iter_domains(val)
+ else:
+ raise AnsibleFilterError(
+ "redirect_uris: domain_value must be str, list/tuple[str], or dict mapping to those"
+ )
+
 def redirect_uris(domains: dict,
 applications: dict,
 web_protocol: str = "https",
@@ -60,7 +77,7 @@ def redirect_uris(domains: dict,
 continue
 # Normalize to iterable of domains
- doms = [domain_value] if isinstance(domain_value, str) else list(domain_value or [])
+ doms = list(_iter_domains(domain_value))
 for d in doms:
 # Use get_url() to produce "://"
diff --git a/roles/web-app-keycloak/tasks/main.yml b/roles/web-app-keycloak/tasks/main.yml
index 8f3effcb..efdcfbfb 100644
--- a/roles/web-app-keycloak/tasks/main.yml
+++ b/roles/web-app-keycloak/tasks/main.yml
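Review bot: In `_iter_domains` (redirect_uris.py), the `str` branch yields whatever string it is given, so an empty or whitespace-only value nested in a domain mapping would pass through to URL construction and could end up in the client's redirect URI list; a guard such as `if not v.strip(): raise AnsibleFilterError("redirect_uris: empty domain value")` before `yield v` would catch that at template time. The return annotation uses `Iterable`, but the only typing name visible in this hunk's context is `Sequence`, so check that the import line outside the hunk provides `Iterable`. The `else` branch message would also be easier to act on if it reported the offending type, e.g. by appending `f" (got {type(v).__name__})"`.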
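Review bot: In `redirect_uris`, `doms = list(_iter_domains(domain_value))` now turns every string nested anywhere under an application's domain entry into a redirect URI, and the test added in this commit expects each one as a `/*` wildcard. For an OIDC client this broadens the accepted callback targets to hosts that may never handle a login callback, so each of them becomes part of the client's trust boundary; if only some keys of the mapping are real callback hosts, selecting those explicitly would keep the allow-list minimal. The comment above the line could state the consequence, e.g. `# Flatten str / list / nested dict into a list of domains; every entry becomes an allowed redirect host`. The loop body of `redirect_uris` continues outside this hunk.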
@@ -1,10 +1,10 @@
 ---
-#- name: "create import files for {{application_id}}"
-# include_tasks: 01_import.yml
-#
-#- name: "load docker, db and proxy for {{application_id}}"
-# include_role:
-# name: cmp-db-docker-proxy
+- name: "create import files for {{application_id}}"
+ include_tasks: 01_import.yml
+
+- name: "load docker, db and proxy for {{application_id}}"
+ include_role:
+ name: cmp-db-docker-proxy
 - name: "Apply client redirects without realm import"
 include_tasks: 02_update_client_redirects.yml
diff --git a/tests/unit/roles/web-app-keycloak/filter_plugins/test_redirect_uris.py b/tests/unit/roles/web-app-keycloak/filter_plugins/test_redirect_uris.py
index 5f59b451..d085a80f 100644
--- a/tests/unit/roles/web-app-keycloak/filter_plugins/test_redirect_uris.py
+++ b/tests/unit/roles/web-app-keycloak/filter_plugins/test_redirect_uris.py
@@ -154,6 +154,28 @@ class RedirectUrisTest(unittest.TestCase):
 result = self.plugin.redirect_uris(domains, applications)
 self.assertEqual(result, [])
+ def test_domain_value_dict_is_flattened_in_order(self):
+ # Dict with mixed value types and a duplicate to verify stable dedup
+ domains = {
+ "app1": {
+ "primary": "a.example.org",
+ "alt": ["b.example.org", "b.example.org"],
+ "nested": {"x": "c.example.org", "y": ["d.example.org"]},
+ }
+ }
+ applications = {"app1": {"features": {"oauth2": True}}}
+
+ result = self.plugin.redirect_uris(domains, applications)
+
+ self.assertEqual(
+ result,
+ [
+ "https://a.example.org/*",
+ "https://b.example.org/*", # duplicate trimmed
+ "https://c.example.org/*",
+ "https://d.example.org/*",
+ ],
+ )
 if __name__ == "__main__":
 unittest.main()
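Review bot: `test_domain_value_dict_is_flattened_in_order` exercises only the accepting path of the new flattening; the rejecting branch for a non-string leaf and the `None` short-circuit added in the same commit have no test. Because the result feeds the Keycloak client's redirect allow-list, it is worth pinning both: one case with `domains = {"app1": {"primary": 123}}` wrapped in `self.assertRaises(...)` for the filter error, and one with `{"app1": {"primary": None}}` that presumably should return `[]`, to be confirmed against the rest of `redirect_uris`. The enclosing class `RedirectUrisTest` starts outside this hunk.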