computer-playbook/roles/web-app-keycloak/tasks/update/06_recaptcha.yml
Kevin Veen-Birkenbach 4dd1769225 web-app-keycloak: sync Google reCAPTCHA config from realm dictionary
This adds update/06_recaptcha.yml to update the registration reCAPTCHA authenticator
from KEYCLOAK_DICTIONARY_REALM and wires it into the main Keycloak task flow.

Ref: https://chatgpt.com/share/6929f91c-cc98-800f-9562-1c6ea802d72d
2025-11-28 20:34:02 +01:00


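# Pick the 'Google reCaptcha' authenticator config out of the realm dictionary.
# Falls back to an empty dict when no entry carries that alias, so the sanity
# check that follows can report the gap instead of a template error.
# no_log mirrors the update task at the end of this file: the config presumably
# carries the reCAPTCHA secret, and set_fact results are printed in verbose
# runs and by result-recording callbacks.
- name: "Extract Google reCAPTCHA config from realm dictionary"
  ansible.builtin.set_fact:
    kc_recaptcha_cfg: >-
      {{
        KEYCLOAK_DICTIONARY_REALM.authenticatorConfig
        | selectattr('alias', 'equalto', 'Google reCaptcha')
        | map(attribute='config')
        | first | default({}, true)
      }}
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"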
# Fail early when the realm dictionary holds no reCAPTCHA entry, i.e. the
# extracted config is empty. Evaluated only when MODE_ASSERT is truthy.
- name: "Sanity check: reCAPTCHA config exists in dictionary"
  when: MODE_ASSERT | bool
  ansible.builtin.assert:
    that:
      - (kc_recaptcha_cfg | length) > 0
    fail_msg: "Google reCAPTCHA config not found in KEYCLOAK_DICTIONARY_REALM.authenticatorConfig."
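# Read-only query: list the executions of the 'registration form' flow as JSON
# so the reCAPTCHA execution can be located in the next task.
# The realm name is passed through `quote` so a value containing whitespace or
# shell metacharacters stays a single argument instead of being re-parsed by
# the shell. KEYCLOAK_EXEC_KCADM is left unquoted because it is presumably a
# multi-word command prefix -- confirm against where it is defined.
- name: "Fetch executions of 'registration form' flow"
  ansible.builtin.shell: >-
    {{ KEYCLOAK_EXEC_KCADM }} get
    "authentication/flows/registration%20form/executions"
    -r {{ KEYCLOAK_REALM | quote }} --format json
  register: kc_reg_exec
  # A GET never modifies the realm, so never report "changed".
  changed_when: false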
# Parse the kcadm output and take the authenticationConfig id of the first
# execution whose providerId is 'registration-recaptcha-action'.
# Resolves to an empty string when no such execution is found; the update
# task is skipped in that case.
- name: "Extract reCAPTCHA authenticator config id"
  ansible.builtin.set_fact:
    kc_recaptcha_cfg_id: >-
      {{
        (kc_reg_exec.stdout | from_json)
        | selectattr('providerId', 'equalto', 'registration-recaptcha-action')
        | map(attribute='authenticationConfig')
        | first
        | default('')
      }}
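# Push the dictionary's reCAPTCHA config into the existing authenticator
# config object. Skipped when no config id was found on the registration flow.
#
# The JSON payload is handed to kcadm through the module's `stdin` parameter
# rather than an inline heredoc: a heredoc is part of the script text that the
# shell module passes as an `sh -c` argument, which places the payload
# (presumably including the reCAPTCHA secret) in the process list of the
# target host while the task runs.
# The template is kept on one line ending in `| to_json }}` so Ansible keeps
# the rendered value as a string instead of converting it back to a dict.
# The config id and realm name go through `quote` so each stays one argument.
- name: "Update Google reCAPTCHA authenticator config from dictionary"
  when: kc_recaptcha_cfg_id | length > 0
  ansible.builtin.shell:
    cmd: >-
      {{ KEYCLOAK_EXEC_KCADM }} update
      authentication/config/{{ kc_recaptcha_cfg_id | quote }}
      -r {{ KEYCLOAK_REALM | quote }} -f -
    stdin: "{{ {'alias': 'Google reCaptcha', 'config': kc_recaptcha_cfg} | to_json }}"
  register: kc_recaptcha_update
  # NOTE(review): every successful run reports "changed"; the current config
  # is not compared with the desired one, so this task is not idempotent.
  changed_when: kc_recaptcha_update.rc == 0
  failed_when: kc_recaptcha_update.rc != 0
  # Keeps the payload out of task output and logs when masking is enabled.
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"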