Fix Initial Credentials Causes Update

CHANGELOG.md

@@ -5,6 +5,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Fixed
+-  Fix Initial Credentials Causes Update [819](https://github.com/adorsys/keycloak-config-cli/issues/819)
 
 ## Fixed
 - otpPolicyAlgorithm ignored during import [#847](https://github.com/adorsys/keycloak-config-cli/issues/847)

src/main/java/de/adorsys/keycloak/config/service/UserImportService.java

@@ -156,7 +156,7 @@ private void updateUser(UserRepresentation existingUser) {
                                 credentialRepresentation.getUserLabel(), USER_LABEL_FOR_INITIAL_CREDENTIAL
                         ))
                         .toList();
-                patchedUser.setCredentials(userCredentials);
+                patchedUser.setCredentials(userCredentials.isEmpty() ? null : userCredentials);
             }
 
             if (!CloneUtil.deepEquals(existingUser, patchedUser, "access")) {

src/main/java/de/adorsys/keycloak/config/util/CloneUtil.java

@@ -100,6 +100,10 @@ public static <S, T> boolean deepEquals(S origin, T other, String... ignoredProp
         removeIgnoredProperties(originJsonNode, ignoredProperties);
         removeIgnoredProperties(otherJsonNode, ignoredProperties);
 
+
+        handleEmptyCredentials(originJsonNode);
+        handleEmptyCredentials(otherJsonNode);
+
         boolean ret = Objects.equals(originJsonNode, otherJsonNode);
         logger.trace("objects.deepEquals: ret: {} | origin: {} | other: {} | ignoredProperties: {}",
                 ret, originJsonNode, otherJsonNode, ignoredProperties
@@ -108,6 +112,12 @@ public static <S, T> boolean deepEquals(S origin, T other, String... ignoredProp
         return ret;
     }
 
+    private static void handleEmptyCredentials(JsonNode jsonNode) {
+        if (jsonNode.has("credentials") && jsonNode.get("credentials").isEmpty()) {
+            ((ObjectNode) jsonNode).remove("credentials");
+        }
+    }
+
     private static void removeIgnoredProperties(JsonNode jsonNode, String[] ignoredProperties) {
         ((ObjectNode) jsonNode).remove(Arrays.asList(ignoredProperties));
     }

src/test/java/de/adorsys/keycloak/config/service/ImportUsersIT.java

@@ -494,6 +494,38 @@ void shouldUpdateRealmUpdateUserRemoveSubGroup() throws IOException {
         assertThat(group2.getName(), is("subgroup2"));
     }
 
+    @Test
+    @Order(15)
+    void shouldNotUpdateUserWhenOnlyInitialPasswordChanges() throws IOException {
+        doImport("15.0_update_realm_change_clientusers_password.json");
+
+        UserRepresentation userBefore = keycloakRepository.getUser(REALM_NAME, "myinitialclientuser");
+        String modifiedAtBefore = null;
+        if (userBefore.getAttributes() != null && userBefore.getAttributes().containsKey("modifiedAt")) {
+            modifiedAtBefore = userBefore.getAttributes().get("modifiedAt").get(0);
+        }
+
+        doImport("15.1_update_realm_change_clientusers_password.json");
+
+        UserRepresentation userAfter = keycloakRepository.getUser(REALM_NAME, "myinitialclientuser");
+        String modifiedAtAfter = null;
+        if (userAfter.getAttributes() != null && userAfter.getAttributes().containsKey("modifiedAt")) {
+            modifiedAtAfter = userAfter.getAttributes().get("modifiedAt").get(0);
+        }
+
+        assertThat(modifiedAtAfter, is(modifiedAtBefore));
+
+        AccessTokenResponse token = keycloakAuthentication.login(
+                REALM_NAME,
+                "moped-client",
+                "my-special-client-secret",
+                "myinitialclientuser",
+                "initialchangedclientuser123"
+        );
+
+        assertThat(token.getToken(), notNullValue());
+    }
+
     @Test
     @Order(50)
     void shouldUpdateUserWithEmailAsRegistration() throws IOException {

src/test/resources/import-files/users/15.0_update_realm_change_clientusers_password.json

@@ -0,0 +1,40 @@
+{
+  "enabled": true,
+  "realm": "realmWithUsers",
+  "users": [
+    {
+      "username": "myinitialclientuser",
+      "email": "[email protected]",
+      "enabled": true,
+      "firstName": "My clientuser's firstname",
+      "lastName": "My clientuser's lastname",
+      "attributes": {
+        "modifiedAt": ["2023-01-01T00:00:00Z"]
+      },
+      "credentials": [
+        {
+          "type": "password",
+          "userLabel": "initial",
+          "value": "initialchangedclientuser123"
+        }
+      ]
+    }
+  ],
+  "clients": [
+    {
+      "clientId": "moped-client",
+      "name": "moped-client",
+      "description": "Moped-Client",
+      "enabled": true,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "my-special-client-secret",
+      "directAccessGrantsEnabled": true,
+      "redirectUris": [
+        "*"
+      ],
+      "webOrigins": [
+        "*"
+      ]
+    }
+  ]
+}

src/test/resources/import-files/users/15.1_update_realm_change_clientusers_password.json

@@ -0,0 +1,40 @@
+{
+  "enabled": true,
+  "realm": "realmWithUsers",
+  "users": [
+    {
+      "username": "myinitialclientuser",
+      "email": "[email protected]",
+      "enabled": true,
+      "firstName": "My clientuser's firstname",
+      "lastName": "My clientuser's lastname",
+      "attributes": {
+        "modifiedAt": ["2023-01-01T00:00:00Z"]
+      },
+      "credentials": [
+        {
+          "type": "password",
+          "userLabel": "initial",
+          "value": "newInitialPassword123"
+        }
+      ]
+    }
+  ],
+  "clients": [
+    {
+      "clientId": "moped-client",
+      "name": "moped-client",
+      "description": "Moped-Client",
+      "enabled": true,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "my-special-client-secret",
+      "directAccessGrantsEnabled": true,
+      "redirectUris": [
+        "*"
+      ],
+      "webOrigins": [
+        "*"
+      ]
+    }
+  ]
+}