computer-playbook/roles/web-app-keycloak/tasks/04_ssh_public_key.yml

# Configure Credentials
- name: Ensure Keycloak CLI credentials are configured
  shell: |
    {{ KEYCLOAK_KCADM_PATH }} config credentials \
      --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
      --realm master \
      --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
      --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}

# LDAP Source
- name: Get ID of LDAP storage provider
  shell: |
    {{ KEYCLOAK_KCADM_PATH }} get components \
      -r {{ KEYCLOAK_REALM }} \
      --query 'providerId=ldap' \
      --fields id,name \
      --format json
  register: ldap_components

- name: Extract LDAP component ID
  set_fact:
    ldap_component_id: "{{ (ldap_components.stdout | from_json)[0].id }}"

- name: Ensure {{ ldap.user.attributes.ssh_public_key }} LDAP Mapper exists
  shell: |
    docker exec -i keycloak_application bash -c '
      /opt/keycloak/bin/kcadm.sh get components -r {{ KEYCLOAK_REALM }} \
      | grep -q "\"name\" : \"{{ ldap.user.attributes.ssh_public_key }}\"" \
      || printf "%s\n" "{
        \"name\": \"{{ ldap.user.attributes.ssh_public_key }}\",
        \"parentId\": \"{{ ldap_component_id }}\",
        \"providerId\": \"user-attribute-ldap-mapper\",
        \"providerType\": \"org.keycloak.storage.ldap.mappers.LDAPStorageMapper\",
        \"config\": {
          \"user.model.attribute\": [\"{{ ldap.user.attributes.ssh_public_key }}\"],
          \"ldap.attribute\": [\"{{ ldap.user.attributes.ssh_public_key }}\"],
          \"read.only\": [\"false\"],
          \"write.only\": [\"true\"],
          \"always.read.value.from.ldap\": [\"false\"],
          \"multivalued\": [\"true\"]
        }
      }" | /opt/keycloak/bin/kcadm.sh create components -r {{ KEYCLOAK_REALM }} -f -'
  register: mapper_create
  changed_when: mapper_create.rc == 0 and mapper_create.stdout != ""

# GUI

- name: Enable user profile in realm
  shell: >
    {{ KEYCLOAK_KCADM_PATH }} update realms/{{ KEYCLOAK_REALM }}
    -s 'attributes.userProfileEnabled=true'

- name: Re-authenticate to Keycloak after enabling user profile
  shell: |
    {{ KEYCLOAK_KCADM_PATH }} config credentials \
      --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
      --realm master \
      --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
      --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}

- name: Render user-profile JSON for SSH key
  template:
    src:  import/user-profile.json.j2
    dest: "{{ keycloak_host_import_directory }}/user-profile.json"
    mode: '0644'
  notify: docker compose up

- name: Apply SSH Public Key to user-profile via kcadm
  shell: |
    docker exec -i {{ KEYCLOAK_CONTAINER }} \
      /opt/keycloak/bin/kcadm.sh update realms/{{ KEYCLOAK_REALM }} -f {{ KEYCLOAK_DOCKER_IMPORT_DIR }}user-profile.json