- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
  uri:
    url: "{{ keycloak_server_host_url }}/realms/master"
    method: GET
    status_code: 200
    validate_certs: false
  register: keycloak_check
  retries: 30
  delay: 5
  until: keycloak_check.status == 200

# Configure Credentials
- name: Ensure Keycloak CLI credentials are configured
  shell: |
    {{ keycloak_kcadm_path }} config credentials \
      --server {{ keycloak_server_internal_url }} \
      --realm master \
      --user {{ keycloak_administrator_username }} \
      --password {{ keycloak_administrator_password }}

# LDAP Source
- name: Get ID of LDAP storage provider
  shell: |
    {{ keycloak_kcadm_path }} get components \
      -r {{ keycloak_realm }} \
      --query 'providerId=ldap' \
      --fields id,name \
      --format json
  register: ldap_components

- name: Extract LDAP component ID
  set_fact:
    ldap_component_id: "{{ (ldap_components.stdout | from_json)[0].id }}"

- name: Ensure {{ ldap.attributes.ssh_public_key }} LDAP Mapper exists
  shell: |
    docker exec -i keycloak_application bash -c '
      /opt/keycloak/bin/kcadm.sh get components -r {{ keycloak_realm }} \
      | grep -q "\"name\" : \"{{ ldap.attributes.ssh_public_key }}\"" \
      || printf "%s\n" "{
        \"name\": \"{{ ldap.attributes.ssh_public_key }}\",
        \"parentId\": \"{{ ldap_component_id }}\",
        \"providerId\": \"user-attribute-ldap-mapper\",
        \"providerType\": \"org.keycloak.storage.ldap.mappers.LDAPStorageMapper\",
        \"config\": {
          \"user.model.attribute\": [\"{{ ldap.attributes.ssh_public_key }}\"],
          \"ldap.attribute\": [\"{{ ldap.attributes.ssh_public_key }}\"],
          \"read.only\": [\"false\"],
          \"write.only\": [\"true\"],
          \"always.read.value.from.ldap\": [\"false\"],
          \"multivalued\": [\"true\"]
        }
      }" | /opt/keycloak/bin/kcadm.sh create components -r {{ keycloak_realm }} -f -'
  register: mapper_create
  changed_when: mapper_create.rc == 0 and mapper_create.stdout != ""

# GUI

- name: Enable user profile in realm
  shell: >
    {{ keycloak_kcadm_path }} update realms/{{ keycloak_realm }}
    -s 'attributes.userProfileEnabled=true'

- name: Re-authenticate to Keycloak after enabling user profile
  shell: |
    {{ keycloak_kcadm_path }} config credentials \
      --server {{ keycloak_server_internal_url }} \
      --realm master \
      --user {{ keycloak_administrator_username }} \
      --password {{ keycloak_administrator_password }}

- name: Render user-profile JSON for SSH key
  template:
    src:  import/user-profile.json.j2
    dest: "{{ import_directory_host }}/user-profile.json"
    mode: '0644'
  notify: docker compose up

- name: Apply SSH Public Key to user-profile via kcadm
  shell: |
    docker exec -i {{ container_name }} \
      /opt/keycloak/bin/kcadm.sh update realms/{{ keycloak_realm }} -f {{ import_directory_docker }}user-profile.json