Fix/workflow failure

.env

@@ -1,3 +1,3 @@
 # Used in docker-compose
 # shellcheck disable=SC2034
-KEYCLOAK_VERSION=26.0.5
+KEYCLOAK_VERSION=26.1.0

.github/workflows/ci.yaml

@@ -47,6 +47,8 @@ jobs:
             KEYCLOAK_CLIENT_VERSION: 25.0.1
           - KEYCLOAK_VERSION: 26.0.5
             KEYCLOAK_CLIENT_VERSION: 26.0.2
+          - KEYCLOAK_VERSION: 26.1.0
+            KEYCLOAK_CLIENT_VERSION: 26.0.4
     steps:
       - uses: actions/[email protected]
         with:
@@ -251,7 +253,7 @@ jobs:
         run: ./mvnw ${MAVEN_CLI_OPTS} -Dkeycloak.version=${{ matrix.env.KEYCLOAK_VERSION }} -Dkeycloak.client.version=${{ matrix.env.KEYCLOAK_CLIENT_VERSION }} -Dkeycloak.dockerTagSuffix="-legacy" ${ADJUSTED_RESTEASY_VERSION} clean verify ${COMPATIBILITY_PROFILE}
 
   lint-other-files:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     timeout-minutes: 10
     steps:
       - uses: actions/[email protected]

CHANGELOG.md

@@ -6,8 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
 
+### Fixed
+-  Fix Service Account User always triggers UPDATE USER event [#878](https://github.com/adorsys/keycloak-config-cli/issues/878)
 ### Added
 - Publish charts with github pages [#941](https://github.com/adorsys/keycloak-config-cli/issues/941)
+- Support for Keycloak 26.1
 
 ### Fixed
 -  Fix Initial Credentials Causes Update [819](https://github.com/adorsys/keycloak-config-cli/issues/819)

Dockerfile

@@ -2,12 +2,12 @@
 ARG BUILDER_IMAGE=eclipse-temurin:21-jdk
 ARG RUNTIME_IMAGE=eclipse-temurin:21-jre
 
 FROM ${BUILDER_IMAGE} AS BUILDER
 
 WORKDIR /app/
 
-ARG KEYCLOAK_VERSION=26.0.5
-ARG KEYCLOAK_CLIENT_VERSION=26.0.2
+ARG KEYCLOAK_VERSION=26.1.0
+ARG KEYCLOAK_CLIENT_VERSION=26.0.4
 ARG MAVEN_CLI_OPTS="-ntp -B"
 
 COPY .mvn .mvn
@@ -29,7 +29,7 @@
 ENV JAVA_OPTS="" KEYCLOAK_SSL_VERIFY=true IMPORT_FILES_LOCATIONS=file:/config/*
 
 # $0 represents the first CLI arg which is not inside $@
 ENTRYPOINT exec java $JAVA_OPTS -jar /app/keycloak-config-cli.jar $0 $@
 
 COPY --from=BUILDER /app/target/keycloak-config-cli.jar /app/keycloak-config-cli.jar
 

pom.xml

@@ -1043,8 +1043,8 @@ import org.keycloak.representations.userprofile.config.UPConfig;</token>
                 </property>
             </activation>
             <properties>
-                <keycloak.version>26.0.5</keycloak.version>
-                <keycloak.client.version>26.0.2</keycloak.client.version>
+                <keycloak.version>26.1.0</keycloak.version>
+                <keycloak.client.version>26.0.4</keycloak.client.version>
             </properties>
         </profile>
         <!-- Configure the JBoss GA Maven repository -->

src/main/java/de/adorsys/keycloak/config/repository/RealmRepository.java

@@ -23,13 +23,16 @@
 import de.adorsys.keycloak.config.exception.KeycloakRepositoryException;
 import de.adorsys.keycloak.config.provider.KeycloakProvider;
 import de.adorsys.keycloak.config.util.ResponseUtil;
+import org.apache.commons.lang3.ObjectUtils;
 import org.keycloak.admin.client.Keycloak;
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.RealmsResource;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
+import java.util.HashMap;
+
 import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.WebApplicationException;
 
@@ -57,7 +60,10 @@ public RealmResource getResource(String realmName) {
     }
 
     public RealmRepresentation get(String realmName) {
-        return getResource(realmName).toRepresentation();
+        final var realm = getResource(realmName).toRepresentation();
+        realm.setAttributes(ObjectUtils.firstNonNull(realm.getAttributes(), new HashMap<>()));
+        realm.setEventsEnabled(ObjectUtils.firstNonNull(realm.isEventsEnabled(), false));
+        return realm;
     }
 
     public void create(RealmRepresentation realm) {

src/main/java/de/adorsys/keycloak/config/repository/UserRepository.java

@@ -56,6 +56,13 @@ public Optional<UserRepresentation> search(String realmName, String username) {
             user = Optional.of(foundUsers.get(0));
         }
 
+        // Retrieve the service account client id if it exists
+        user.ifPresent(u -> {
+            UserResource userResource = usersResource.get(u.getId());
+            UserRepresentation userRepresentation = userResource.toRepresentation();
+            u.setServiceAccountClientId(userRepresentation.getServiceAccountClientId());
+        });
+
         return user;
     }
 

src/main/java/de/adorsys/keycloak/config/service/UserImportService.java

@@ -45,7 +45,7 @@
 public class UserImportService {
     private static final Logger logger = LoggerFactory.getLogger(UserImportService.class);
 
-    private static final String[] IGNORED_PROPERTIES_FOR_UPDATE = {"realmRoles", "clientRoles"};
+    private static final String[] IGNORED_PROPERTIES_FOR_UPDATE = {"realmRoles", "clientRoles", "serviceAccountClientId", "attributes"};
     private static final String USER_LABEL_FOR_INITIAL_CREDENTIAL = "initial";
 
     private final RealmRepository realmRepository;
@@ -159,6 +159,9 @@ private void updateUser(UserRepresentation existingUser) {
                 patchedUser.setCredentials(userCredentials.isEmpty() ? null : userCredentials);
             }
 
+            logger.debug("Existing user: {}", existingUser);
+            logger.debug("Patched user: {}", patchedUser);
+
             if (!CloneUtil.deepEquals(existingUser, patchedUser, "access")) {
                 logger.debug("Update user '{}' in realm '{}'", userToImport.getUsername(), realmName);
                 userRepository.updateUser(realmName, patchedUser);

src/main/java/de/adorsys/keycloak/config/service/checksum/ChecksumService.java

@@ -54,6 +54,7 @@ public void doImport(RealmImport realmImport) {
         RealmRepresentation existingRealm = realmRepository.get(realmImport.getRealm());
         Map<String, String> customAttributes = existingRealm.getAttributes();
 
+
         String importChecksum = realmImport.getChecksum();
         String attributeKey = getCustomAttributeKey(realmImport);
         customAttributes.put(attributeKey, importChecksum);
@@ -69,6 +70,7 @@ public boolean hasToBeUpdated(RealmImport realmImport) {
         }
         Map<String, String> customAttributes = existingRealm.getAttributes();
 
+
         String readChecksum = customAttributes.get(getCustomAttributeKey(realmImport));
         if (readChecksum == null) {
             return true;

src/main/java/de/adorsys/keycloak/config/util/CloneUtil.java

@@ -108,6 +108,16 @@ public static <S, T> boolean deepEquals(S origin, T other, String... ignoredProp
         logger.trace("objects.deepEquals: ret: {} | origin: {} | other: {} | ignoredProperties: {}",
                 ret, originJsonNode, otherJsonNode, ignoredProperties
         );
+        if (!ret) {
+            logger.debug("Differences detected between origin and other:");
+            originJsonNode.fieldNames().forEachRemaining(fieldName -> {
+                JsonNode originValue = originJsonNode.get(fieldName);
+                JsonNode otherValue = otherJsonNode.get(fieldName);
+                if (!Objects.equals(originValue, otherValue)) {
+                    logger.debug("Field '{}' is different: origin = {}, other = {}", fieldName, originValue, otherValue);
+                }
+            });
+        }
 
         return ret;
     }

src/test/java/de/adorsys/keycloak/config/AbstractImportIT.java

@@ -61,6 +61,7 @@ abstract public class AbstractImportIT extends AbstractImportTest {
                 .withEnv("KEYCLOAK_ADMIN", "admin")
                 .withEnv("KEYCLOAK_ADMIN_PASSWORD", "admin123")
                 .withEnv("QUARKUS_PROFILE", "dev")
+                .withEnv("QUARKUS_HTTP_ACCESS_LOG_ENABLED", "true")
                 .withEnv("KC_LOG_LEVEL", KEYCLOAK_LOG_LEVEL)
                 .withExtraHost("host.docker.internal", "host-gateway")
                 .waitingFor(Wait.forHttp("/"))

src/test/java/de/adorsys/keycloak/config/service/ImportAuthenticationFlowsIT.java

@@ -761,12 +761,17 @@ void shouldUpdateMultipleExecutionsWithSameAuthenticator() throws IOException {
 
         List<AuthenticatorConfigRepresentation> authConfig;
         authConfig = getAuthenticatorConfig(realm, "id1");
-        assertThat(authConfig, hasSize(2));
-        assertThat(authConfig.get(0).getAlias(), is("id1"));
-        assertThat(authConfig.get(0).getConfig(), hasEntry(is("defaultProvider"), is("id1")));
-        assertThat(authConfig.get(1).getAlias(), is("id1"));
-        assertThat(authConfig.get(1).getConfig(), hasEntry(is("defaultProvider"), is("id1")));
-
+        if (VersionUtil.lt(KEYCLOAK_VERSION, "26.1")) {
+            assertThat(authConfig, hasSize(2));
+            assertThat(authConfig.get(0).getAlias(), is("id1"));
+            assertThat(authConfig.get(0).getConfig(), hasEntry(is("defaultProvider"), is("id1")));
+            assertThat(authConfig.get(1).getAlias(), is("id1"));
+            assertThat(authConfig.get(1).getConfig(), hasEntry(is("defaultProvider"), is("id1")));
+        } else {
+            assertThat(authConfig, hasSize(1));
+            assertThat(authConfig.get(0).getAlias(), is("id1"));
+            assertThat(authConfig.get(0).getConfig(), hasEntry(is("defaultProvider"), is("id1")));
+        }
         authConfig = getAuthenticatorConfig(realm, "id2");
         assertThat(authConfig, hasSize(1));
         assertThat(authConfig.get(0).getAlias(), is("id2"));
@@ -792,12 +797,17 @@ void shouldUpdateMultipleExecutionsWithSameAuthenticatorWithConfig() throws IOEx
 
         List<AuthenticatorConfigRepresentation> authConfig;
         authConfig = getAuthenticatorConfig(realm, "id1");
-        assertThat(authConfig, hasSize(2));
-        assertThat(authConfig.get(0).getAlias(), is("id1"));
-        assertThat(authConfig.get(0).getConfig(), hasEntry(is("defaultProvider"), is("id2")));
-        assertThat(authConfig.get(1).getAlias(), is("id1"));
-        assertThat(authConfig.get(1).getConfig(), hasEntry(is("defaultProvider"), is("id2")));
-
+        if (VersionUtil.lt(KEYCLOAK_VERSION, "26.1")) {
+            assertThat(authConfig, hasSize(2));
+            assertThat(authConfig.get(0).getAlias(), is("id1"));
+            assertThat(authConfig.get(0).getConfig(), hasEntry(is("defaultProvider"), is("id2")));
+            assertThat(authConfig.get(1).getAlias(), is("id1"));
+            assertThat(authConfig.get(1).getConfig(), hasEntry(is("defaultProvider"), is("id2")));
+        } else {
+            assertThat(authConfig, hasSize(1));
+            assertThat(authConfig.get(0).getAlias(), is("id1"));
+            assertThat(authConfig.get(0).getConfig(), hasEntry(is("defaultProvider"), is("id2")));
+        }
         authConfig = getAuthenticatorConfig(realm, "id2");
         assertThat(authConfig, hasSize(1));
         assertThat(authConfig.get(0).getAlias(), is("id2"));

src/test/java/de/adorsys/keycloak/config/service/ImportClientsIT.java

@@ -1991,7 +1991,11 @@ void shouldRemoveAuthzPoliciesForRealmManagement() throws IOException {
         assertThat(client.getAuthenticationFlowBindingOverrides(), anEmptyMap());
         assertThat(client.isFullScopeAllowed(), is(false));
         assertThat(client.getNodeReRegistrationTimeout(), is(0));
-        assertThat(client.getDefaultClientScopes(), containsInAnyOrder("web-origins", "profile", "roles", "email"));
+        if (VersionUtil.lt(KEYCLOAK_VERSION, "26.1")) {
+            assertThat(client.getDefaultClientScopes(), containsInAnyOrder("web-origins", "profile", "roles", "email"));
+        } else {
+            assertThat(client.getDefaultClientScopes(), containsInAnyOrder("web-origins", "profile", "roles", "email", "service_account"));
+        }
         assertThat(client.getOptionalClientScopes(), containsInAnyOrder("address", "phone", "offline_access", "microprofile-jwt"));
 
         if (VersionUtil.lt(KEYCLOAK_VERSION, "26")) {

src/test/java/de/adorsys/keycloak/config/service/ImportUsersIT.java

@@ -526,6 +526,39 @@ void shouldNotUpdateUserWhenOnlyInitialPasswordChanges() throws IOException {
         assertThat(token.getToken(), notNullValue());
     }
 
+    @Test
+    @Order(16)
+    void shouldNotTriggerUpdateUserEventForServiceAccountUserWithoutChanges() throws IOException {
+        doImport("60.1_update_realm_add_clientl_with_service_account.json");
+
+        // Re-import the same configuration to check if UPDATE USER event is not triggered
+        doImport("60.2_update_realm_add_clientl_with_service_account.json");
+
+        RealmRepresentation realm = keycloakProvider.getInstance().realm(REALM_NAME).toRepresentation();
+        assertThat(realm.getRealm(), is(REALM_NAME));
+        assertThat(realm.isEnabled(), is(true));
+        assertThat(realm.isRegistrationAllowed(), is(true));
+        assertThat(realm.isRegistrationEmailAsUsername(), is(true));
+
+        final ClientRepresentation client = keycloakRepository.getClient(REALM_NAME, "technical-client");
+        assertThat(client.getClientId(), is("technical-client"));
+
+        UserRepresentation user = keycloakProvider.getInstance().realm(REALM_NAME)
+                .clients()
+                .get(client.getId())
+                .getServiceAccountUser();
+        assertThat(user.getUsername(), is("service-account-technical-client"));
+
+        List<String> clientLevelRoles = keycloakRepository.getServiceAccountUserClientLevelRoles(
+                REALM_NAME, client.getClientId(), "moped-client");
+        assertThat(clientLevelRoles, containsInAnyOrder("test_client_role", "other_test_client_role"));
+
+        List<String> keycloakNativeClientLevelRoles = keycloakRepository.getServiceAccountUserClientLevelRoles(
+                REALM_NAME, client.getClientId(), "realm-management");
+        assertThat(keycloakNativeClientLevelRoles, contains("view-realm"));
+
+    }
+
     @Test
     @Order(50)
     void shouldUpdateUserWithEmailAsRegistration() throws IOException {