---
- name: Generate keycloak auth token
  uri:
    url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
    method: POST
    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
    validate_certs: no
  register: keycloak_auth_response
  until: keycloak_auth_response.status == 200
  retries: 5
  delay: 2

- name: "Determine if realm exists"
  uri:
    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
    method: GET
    status_code:
      - 200
      - 404
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
  register: keycloak_realm_exists

- name: Create Realm
  uri:
    url: "{{ keycloak_url }}/auth/admin/realms"
    method: POST
    body: "{{ lookup('template','realm.json.j2') }}"
    validate_certs: no
    body_format: json
    headers:
      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
    status_code: 201
  when: keycloak_realm_exists.status == 404

- name: Create user federation
  community.general.keycloak_user_federation:
    auth_keycloak_url: "{{ keycloak_url }}/auth"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ item.realm }}"
    name: "{{ item.name }}"
    state: present
    provider_id: "{{ item.provider_id }}"
    provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" 
    config: "{{ item.config }}"
    mappers: "{{ item.mappers | default(omit) }}"
  register: create_user_federation_result
  loop: "{{ keycloak_user_federation | flatten }}"
  when: keycloak_user_federation is defined

- name: Create or update a Keycloak client
  community.general.keycloak_client:
    auth_client_id: "{{ keycloak_auth_client }}"
    auth_keycloak_url: "{{ keycloak_url }}/auth"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ item.realm }}"
    default_roles: "{{ item.roles | default(omit) }}"
    client_id: "{{ item.client_id | default(omit) }}"
    id: "{{ item.id | default(omit) }}"
    name: "{{ item.name | default(omit) }}"
    description: "{{ item.description | default(omit) }}"
    root_url: "{{ item.root_url | default('') }}"
    admin_url: "{{ item.admin_url | default('') }}"
    base_url: "{{ item.base_url | default('') }}"
    enabled: "{{ item.enabled | default(True) }}"
    redirect_uris: "{{ item.redirect_uris | default(omit) }}"
    web_origins: "{{ item.web_origins | default('+') }}"
    bearer_only: "{{ item.bearer_only | default(omit) }}"
    standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}"
    implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}"
    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(omit) }}"
    service_accounts_enabled: "{{ item.service_accounts_enabled | default(omit) }}"
    public_client: "{{ item.public_client | default(False) }}"
    protocol: "{{ item.protocol | default(omit) }}"
    state: present
  register: create_client_result
  loop: "{{ keycloak_clients | flatten }}"
  when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)

- name: Create client roles
  include_tasks: manage_client_roles.yml
  when: keycloak_rhsso_enable
  loop: "{{ keycloak_clients | flatten }}"
  loop_control:
    loop_var: client

- name: Create client users
  include_tasks: manage_client_users.yml
  loop: "{{ keycloak_clients | flatten }}"
  loop_control:
    loop_var: client
  when: "'users' in keycloak_clients"