Merge pull request #4 from mrparkers/master

rebase
embracesbs · Jun 10, 2020 · a83b13b · a83b13b
2 parents 138a7f1 + 766d7b6
commit a83b13b
Show file tree

Hide file tree

Showing 50 changed files with 3,472 additions and 468 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,21 +1,30 @@
-version: 2
+version: 2.1
 workflows:
-  version: 2
   test:
     jobs:
-      - test-7.0.1
-      - test-8.0.1
+      - test:
+          matrix:
+            parameters:
+              keycloak-version:
+                - '10.0.1'
+                - '9.0.3'
+                - '8.0.2'
+                - '7.0.1'
+                - '6.0.1'
+                - '5.0.0'
+                - '4.8.3.Final'
   release:
     jobs:
-      - test-8.0.1:
+      - test:
+          keycloak-version: '8.0.1'
           filters:
             tags:
               only: /\d+\.\d+\.\d+(-rc.\d+)?/
             branches:
               ignore: /.*/
       - build-and-release:
           requires:
-            - test-8.0.1
+            - test
           filters:
             tags:
               only: /\d+\.\d+\.\d+(-rc.\d+)?/
@@ -26,31 +35,30 @@ defaults:
   go_image: &go_image
     - image: circleci/golang:1.13.5
 
-  test_env: &test_env
-    GO111MODULE: "on"
-    KEYCLOAK_CLIENT_ID: "terraform"
-    KEYCLOAK_CLIENT_SECRET: "884e0f95-0f42-4a63-9b1f-94274655669e"
-    KEYCLOAK_CLIENT_TIMEOUT: "5"
-    KEYCLOAK_URL: "http://localhost:8080"
-    KEYCLOAK_REALM: "master"
-    KEYCLOAK_TEST_PASSWORD_GRANT: "true"
-
-  keycloak_env: &keycloak_env
-    command: ["-b", "0.0.0.0", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
-    environment:
-      DB_VENDOR: H2
-      KEYCLOAK_LOGLEVEL: DEBUG
-      KEYCLOAK_USER: keycloak
-      KEYCLOAK_PASSWORD: password
+jobs:
+  test:
+    parameters:
+      keycloak-version:
+        type: string
+    docker:
+      - <<: *go_image
+      - image: jboss/keycloak:<< parameters.keycloak-version >>
+        command: ["-b", "0.0.0.0", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
+        environment:
+          DB_VENDOR: H2
+          KEYCLOAK_LOGLEVEL: DEBUG
+          KEYCLOAK_USER: keycloak
+          KEYCLOAK_PASSWORD: password
 
-  testacc_job: &testacc_job
     working_directory: /go/src/github.com/mrparkers/terraform-provider-keycloak
     steps:
       - checkout
       - restore_cache:
           keys:
             - go-cache-{{ checksum "go.sum" }}
       - run: go mod download
+      - run: go get github.com/jstemmer/go-junit-report
+      - run: mkdir $TEST_RESULTS
       - save_cache:
           key: go-cache-{{ checksum "go.sum" }}
           paths:
@@ -59,29 +67,20 @@ defaults:
           command: |
             ./scripts/wait-for-local-keycloak.sh
             ./scripts/create-terraform-client.sh
-            make testacc
-
-jobs:
-  test-7.0.1:
-    docker:
-      - <<: *go_image
-      - image: jboss/keycloak:7.0.1
-        <<: *keycloak_env
-    <<: *testacc_job
-    environment:
-      <<: *test_env
-      KEYCLOAK_VERSION: "7.0.1"
-
-
-  test-8.0.1:
-    docker:
-      - <<: *go_image
-      - image: jboss/keycloak:8.0.1
-        <<: *keycloak_env
-    <<: *testacc_job
+            trap "go-junit-report <${TEST_RESULTS}/go-test.out > ${TEST_RESULTS}/go-test-report.xml" EXIT
+            make testacc | tee ${TEST_RESULTS}/go-test.out
+      - store_test_results:
+          path: /tmp/test-results
     environment:
-      <<: *test_env
-      KEYCLOAK_VERSION: "8.0.1"
+      GO111MODULE: "on"
+      KEYCLOAK_CLIENT_ID: "terraform"
+      KEYCLOAK_CLIENT_SECRET: "884e0f95-0f42-4a63-9b1f-94274655669e"
+      KEYCLOAK_CLIENT_TIMEOUT: "5"
+      KEYCLOAK_URL: "http://localhost:8080"
+      KEYCLOAK_REALM: "master"
+      KEYCLOAK_TEST_PASSWORD_GRANT: "true"
+      KEYCLOAK_VERSION: "<< parameters.keycloak-version >>"
+      TEST_RESULTS: /tmp/test-results
 
 
   build-and-release:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,27 @@
+## 1.19.0 (June 5, 2020)
+
+FEATURES:
+
+- new resource: `keycloak_openid_user_client_role_protocol_mapper` ([#299](https://github.com/mrparkers/terraform-provider-keycloak/pull/299))
+- new resource: `keycloak_openid_user_session_note_protocol_mapper` ([#309](https://github.com/mrparkers/terraform-provider-keycloak/pull/309))
+
+IMPROVEMENTS:
+
+- add `login_theme` attribute to `keycloak_openid_client` resource ([#278](https://github.com/mrparkers/terraform-provider-keycloak/pull/278))
+- add `aggregate_attributes` attribute to `keycloak_openid_user_attribute_protocol_mapper` resource ([#272](https://github.com/mrparkers/terraform-provider-keycloak/pull/272))
+- add `user_managed_access` attribute to `keycloak_realm` resource ([#275](https://github.com/mrparkers/terraform-provider-keycloak/pull/275))
+- support deployed JavaScript policies for `keycloak_openid_client_js_policy` resource ([#275](https://github.com/mrparkers/terraform-provider-keycloak/pull/275))
+- add `internal_id` computed attribute to `keycloak_realm` resource and data source ([#270](https://github.com/mrparkers/terraform-provider-keycloak/pull/270))
+- surface Keycloak API errors to users during `terraform plan` and `terraform apply` ([#304](https://github.com/mrparkers/terraform-provider-keycloak/pull/304))
+- add `kerberos` configuration for `keycloak_ldap_user_federation` resource ([#290](https://github.com/mrparkers/terraform-provider-keycloak/pull/290))
+- test all major versions of Keycloak in CI ([#294](https://github.com/mrparkers/terraform-provider-keycloak/pull/294))
+- add import support for `keycloak_generic_client_role_mapper` resource ([#310](https://github.com/mrparkers/terraform-provider-keycloak/pull/310))
+- use terraform-plugin-sdk user agent string in http client ([#311](https://github.com/mrparkers/terraform-provider-keycloak/pull/311))
+
+BUG FIXES:
+
+- fix: mark `group_id` attribute as required for `keycloak_group_roles` resource ([#292](https://github.com/mrparkers/terraform-provider-keycloak/pull/292))
+
 ## 1.18.0 (April 17, 2020)
 
 FEATURES:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -25,7 +25,7 @@ services:
     environment:
     - KEYCLOAK_USER=keycloak
     - KEYCLOAK_PASSWORD=password
-    - KEYCLOAK_LOGLEVEL=DEBUG
+    - KEYCLOAK_LOGLEVEL=INFO
     - DB_VENDOR=POSTGRES
     - DB_ADDR=postgres
     - DB_PORT=5432

diff --git a/docs/resources/keycloak_generic_client_role_mapper.md b/docs/resources/keycloak_generic_client_role_mapper.md
@@ -0,0 +1,161 @@
+# keycloak_generic_client_role_mapper
+
+Allow for creating and managing a client's scope mappings within Keycloak.
+
+By default, all the user role mappings of the user are added as claims within
+the token or assertion. When `full_scope_allowed` is set to `false` for a
+client, role scope mapping allows you to limit the roles that get declared
+inside an access token for a client.
+
+### Example Usage (Realm Role to Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "client"
+  name      = "client"
+
+  enabled = true
+
+  access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "realm_role" {
+  realm_id    = keycloak_realm.realm.id
+  name        = "my-realm-role"
+  description = "My Realm Role"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_role_mapper" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = keycloak_openid_client.client.id
+  role_id   = keycloak_role.realm_role.id
+}
+```
+
+### Example Usage (Client Role to Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client" "client_a" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "client-a"
+  name      = "client-a"
+
+  enabled = true
+
+  access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role_a" {
+  realm_id    = keycloak_realm.realm.id
+  client_id   = keycloak_openid_client.client_a.id
+  name        = "my-client-role"
+  description = "My Client Role"
+}
+
+resource "keycloak_openid_client" "client_b" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "client-b"
+  name      = "client-b"
+
+  enabled = true
+
+  access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role_b" {
+  realm_id    = keycloak_realm.realm.id
+  client_id   = keycloak_openid_client.client_b.id
+  name        = "my-client-role"
+  description = "My Client Role"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = keycloak_client.client_b.id
+  role_id   = keycloak_role.client_role_a.id
+}
+```
+
+### Example Usage (Realm Role to Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+  realm_id  = keycloak_realm.realm.id
+  name      = "my-client-scope"
+}
+
+resource "keycloak_role" "realm_role" {
+  realm_id    = keycloak_realm.realm.id
+  name        = "my-realm-role"
+  description = "My Realm Role"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_role_mapper" {
+  realm_id        = keycloak_realm.realm.id
+  client_scope_id = keycloak_openid_client_scope.client_scope.id
+  role_id         = keycloak_role.realm_role.id
+}
+```
+
+### Example Usage (Client Role to Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "client"
+  name      = "client"
+
+  enabled = true
+
+  access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role" {
+  realm_id    = keycloak_realm.realm.id
+  client_id   = keycloak_openid_client.client.id
+  name        = "my-client-role"
+  description = "My Client Role"
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+  realm_id  = keycloak_realm.realm.id
+  name      = "my-client-scope"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" {
+  realm_id        = keycloak_realm.realm.id
+  client_scope_id = keycloak_client_scope.client_scope.id
+  role_id         = keycloak_role.client_role.id
+}
+```
+
+### Argument Reference
+
+The following arugments are supported:
+
+- `realm_id` - (Required) The realm this role mapper exists within
+- `client_id` - (Optional) The ID of the client this role mapper is added to
+- `client_scope_id` - (Optional) The ID of the client scope this role mapper is added to
+- `role_id` - (Required) The ID of the role to be added to this role mapper
+
diff --git a/docs/resources/keycloak_ldap_user_federation.md b/docs/resources/keycloak_ldap_user_federation.md
@@ -35,6 +35,12 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" {
 
 	connection_timeout      = "5s"
 	read_timeout            = "10s"
+
+    kerberos {
+        kerberos_realm = "FOO.LOCAL"
+        server_principal = "HTTP/host.foo.com@FOO.LOCAL"
+        keytab = "/etc/host.keytab"
+    }
 }
 ```
 
@@ -74,6 +80,11 @@ The following arguments are supported:
 - `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
 - `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
 - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+- `kerberos` - (Optional) A block containing the kerberos settings.
+  - `kerberos_realm` - (Required) The name of the kerberos realm, e.g. FOO.LOCAL.
+  - `server_principal` - (Required) The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
+  - `key_tab` - (Required) Path to the kerberos keytab file on the server with credentials of the service principal.
+  - `use_kerberos_for_password_authentication` - (Optional) Use kerberos login module instead of ldap service api. Defaults to `false`.
 
 ### Import