Add declarative UserProfileProvider update routine and improve component providerId safety check

Implements automated merging of kc.user.profile.config using the generic _update.yml handler. Fixes missing safety guard for components without a 'name' attribute and aligns providerId validation logic. Reference: https://chatgpt.com/share/692b3337-a224-800f-8617-32f47a5af1df
2025-11-30 08:06:47 +00:00 · 2025-11-29 18:54:17 +01:00
parent 86760a4be7
commit ece4f493d3
3 changed files with 52 additions and 8 deletions
--- a/roles/web-app-keycloak/tasks/main.yml
+++ b/roles/web-app-keycloak/tasks/main.yml
@@ -37,3 +37,5 @@
  include_tasks: update/06_recaptcha.yml
  when: KEYCLOAK_RECAPTCHA_ENABLED | bool

+- name: "Load UserProfile (declarative) Update routines for '{{ application_id }}'"
+  include_tasks: update/07_userprofile.yml
--- a/roles/web-app-keycloak/tasks/update/07_userprofile.yml
+++ b/roles/web-app-keycloak/tasks/update/07_userprofile.yml
@@ -0,0 +1,43 @@
+---
+# Update the Declarative User Profile provider using the configuration
+# from KEYCLOAK_DICTIONARY_REALM.components (same pattern as LDAP).
+
+- name: "Extract UserProfileProvider component from realm dictionary"
+  set_fact:
+    kc_userprofile_tpl: >-
+      {{
+        KEYCLOAK_DICTIONARY_REALM.components['org.keycloak.userprofile.UserProfileProvider']
+        | list | first | default({})
+      }}
+
+- name: "Sanity check: UserProfileProvider exists in dictionary"
+  assert:
+    that:
+      - kc_userprofile_tpl | length > 0
+    fail_msg: "UserProfileProvider component not found in KEYCLOAK_DICTIONARY_REALM."
+  when: MODE_ASSERT | bool
+
+- name: "Resolve UserProfileProvider component ID"
+  shell: >
+    {{ KEYCLOAK_EXEC_KCADM }} get components
+    -r {{ KEYCLOAK_REALM }} --format json
+    | jq -r '
+        map(
+          select(
+            .providerType == "org.keycloak.userprofile.UserProfileProvider"
+            and .providerId  == "declarative-user-profile"
+          )
+        )
+        | .[0].id // ""
+      '
+  register: kc_userprofile_id
+  changed_when: false
+
+- name: "Update UserProfileProvider component (merge kc.user.profile.config)"
+  vars:
+    kc_object_kind:  "component"
+    kc_lookup_field: "id"
+    kc_lookup_value: "{{ kc_userprofile_id.stdout | trim }}"
+    kc_desired:      "{{ kc_userprofile_tpl }}"
+    kc_merge_path:   "config"
+  include_tasks: _update.yml
--- a/roles/web-app-keycloak/tasks/update/_update.yml
+++ b/roles/web-app-keycloak/tasks/update/_update.yml
@@ -89,16 +89,15 @@
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

 - name: "Safety check: providerId must match when updating a component"
-  when:
-    - kc_object_kind == 'component'
-    - (kc_desired.providerId is defined)
-    - MODE_ASSERT | bool
  assert:
    that:
-      - cur_obj.providerId == kc_desired.providerId
-    fail_msg: >
-      Refusing to update component '{{ cur_obj.name }}' (providerId={{ cur_obj.providerId }})
-      because desired providerId={{ kc_desired.providerId }}. Check your lookup/ID.
+      - (cur_obj.providerId | default('') ) == (kc_desired.providerId | default('') )
+    fail_msg: >-
+      Refusing to update component '{{ kc_obj_id | default("<unknown>") }}'
+      because providerId mismatch:
+      current='{{ cur_obj.providerId | default("<undefined>") }}'
+      desired='{{ kc_desired.providerId | default("<undefined>") }}'.
+  when: MODE_ASSERT | default(true) | bool

 - name: Prepare merge payload (subpath)
  when: kc_merge_path is defined and (kc_merge_path | length) > 0