From 9f22d7ec6e243640758ded1d81f84cd8acc0b178 Mon Sep 17 00:00:00 2001
From: Michal Krawczyk <michal@corraldata.com>
Date: Mon, 3 Nov 2025 11:05:45 +0100
Subject: [PATCH 1/2] Add remove_realm_level_role_name! action on a GroupClient

---
 lib/keycloak-admin/client/group_client.rb | 17 ++++++
 spec/client/group_client_spec.rb          | 70 +++++++++++++++++++++++
 2 files changed, 87 insertions(+)

diff --git a/lib/keycloak-admin/client/group_client.rb b/lib/keycloak-admin/client/group_client.rb
index d632eda..dbc6fca 100644
--- a/lib/keycloak-admin/client/group_client.rb
+++ b/lib/keycloak-admin/client/group_client.rb
@@ -108,6 +108,23 @@ def add_realm_level_role_name!(group_id, role_name)
       role_representation
     end
 
+    # Remove a realm-level role from a group by the role name
+    def remove_realm_level_role_name!(group_id, role_name)
+      role_representation = RoleClient.new(@configuration, @realm_client).get(role_name)
+      url = "#{groups_url(group_id)}/role-mappings/realm"
+      execute_http do
+        RestClient::Request.execute(
+          @configuration.rest_client_options.merge(
+            url:,
+            method: :delete,
+            payload: create_payload([role_representation]),
+            headers: headers
+          )
+        )
+      end
+      true
+    end
+
     def groups_url(id=nil)
       if id
         "#{@realm_client.realm_admin_url}/groups/#{id}"
diff --git a/spec/client/group_client_spec.rb b/spec/client/group_client_spec.rb
index 2d1fb0e..6d35c75 100644
--- a/spec/client/group_client_spec.rb
+++ b/spec/client/group_client_spec.rb
@@ -255,4 +255,74 @@
       expect { @group_client.delete("test_group_id") }.to raise_error("error")
     end
   end
+
+  describe '#get_realm_level_roles' do
+    let(:realm_name) { 'valid-realm' }
+    before(:each) do
+      @group_client = KeycloakAdmin.realm(realm_name).groups
+      stub_token_client
+      allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"id":"role-id","name":"role-name"}]'
+    end
+
+    it 'gets all realm-level roles for a group' do
+      roles = @group_client.get_realm_level_roles('test-group-id')
+      expect(roles.length).to eq 1
+      expect(roles[0].id).to eq 'role-id'
+      expect(roles[0].name).to eq 'role-name'
+    end
+  end
+
+  describe '#add_realm_level_role_name!' do
+    let(:realm_name) { 'valid-realm' }
+
+    before(:each) do
+      @group_client = KeycloakAdmin.realm(realm_name).groups
+
+      stub_token_client
+      allow_any_instance_of(RestClient::Resource).to receive(:post).and_return ''
+    end
+
+    it 'adds a realm-level role to a group' do
+      role_representation = double
+      allow(role_representation).to receive(:name).and_return 'test-role-name'
+
+      role_client = double
+      allow(role_client).to receive(:get).with('test-role-name').and_return role_representation
+      allow(KeycloakAdmin::RoleClient).to receive(:new).and_return role_client
+
+      result = @group_client.add_realm_level_role_name!('test-group-id', 'test-role-name')
+      expect(result).to eq role_representation
+    end
+  end
+
+  describe '#remove_realm_level_role_name!' do
+    let(:realm_name) { 'valid-realm' }
+
+    before(:each) do
+      @group_client = KeycloakAdmin.realm(realm_name).groups
+
+      stub_token_client
+      allow(RestClient::Request).to receive(:execute).and_return ''
+    end
+
+    it 'deletes a realm-level role from a group' do
+      role_representation = double
+      allow(role_representation).to receive(:name).and_return 'test-role-name'
+
+      role_client = double
+      allow(role_client).to receive(:get).with('test-role-name').and_return role_representation
+      allow(KeycloakAdmin::RoleClient).to receive(:new).and_return role_client
+
+      result = @group_client.remove_realm_level_role_name!('test-group-id', 'test-role-name')
+      expect(result).to be(true)
+      expect(RestClient::Request).to have_received(:execute).with(
+        hash_including(
+          url: "http://auth.service.io/auth/admin/realms/valid-realm/groups/test-group-id/role-mappings/realm",
+          method: :delete,
+          payload: @group_client.send(:create_payload, [role_representation]),
+          headers: @group_client.send(:headers)
+        )
+      )
+    end
+  end
 end

From d14837d910433a7f8a800dd3527b93551acd9535 Mon Sep 17 00:00:00 2001
From: Michal Krawczyk <michal@corraldata.com>
Date: Mon, 3 Nov 2025 12:41:53 +0100
Subject: [PATCH 2/2] Update the latest setup-ruby GH actions

---
 .github/workflows/ci.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f26779..f5a49a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -70,10 +70,7 @@ jobs:
 
     - uses: actions/checkout@v4
     - name: Set up Ruby
-    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
-    # change this to (see https://github.com/ruby/setup-ruby#versioning):
-    # uses: ruby/setup-ruby@v1
-      uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically