update keycloak_openid_client_authorization_permission to handle both…

… scope and resource permission types (#220)
mrparkers · Feb 25, 2020 · 3ac4399 · 3ac4399
1 parent 0eae43e
commit 3ac4399
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 19 deletions.
diff --git a/example/main.tf b/example/main.tf
@@ -606,6 +606,10 @@ resource "keycloak_openid_client_authorization_permission" "resource" {
   resources = [
     "${keycloak_openid_client_authorization_resource.resource.id}",
   ]
+
+  scopes = [
+    "${keycloak_openid_client_authorization_scope.resource.id}"
+  ]
 }
 
 resource "keycloak_openid_client_authorization_resource" "resource" {

diff --git a/keycloak/openid_client_authorization_permission.go b/keycloak/openid_client_authorization_permission.go
@@ -14,6 +14,7 @@ type OpenidClientAuthorizationPermission struct {
 	DecisionStrategy string   `json:"decisionStrategy"`
 	Policies         []string `json:"policies"`
 	Resources        []string `json:"resources"`
+	Scopes           []string `json:"scopes"`
 	Type             string   `json:"type"`
 }
 
@@ -26,8 +27,9 @@ func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(rea
 
 	policies := []OpenidClientAuthorizationPolicy{}
 	resources := []OpenidClientAuthorizationResource{}
+	scopes := []OpenidClientAuthorizationScope{}
 
-	err := keycloakClient.get(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/resource/%s", realm, resourceServerId, id), &permission, nil)
+	err := keycloakClient.get(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s", realm, resourceServerId, id), &permission, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -42,6 +44,11 @@ func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(rea
 		return nil, err
 	}
 
+	err = keycloakClient.get(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s/scopes", realm, resourceServerId, id), &scopes, nil)
+	if err != nil {
+		return nil, err
+	}
+
 	for _, policy := range policies {
 		permission.Policies = append(permission.Policies, policy.Id)
 	}
@@ -50,11 +57,15 @@ func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(rea
 		permission.Resources = append(permission.Resources, resource.Id)
 	}
 
+	for _, resource := range scopes {
+		permission.Scopes = append(permission.Scopes, resource.Id)
+	}
+
 	return &permission, nil
 }
 
 func (keycloakClient *KeycloakClient) NewOpenidClientAuthorizationPermission(permission *OpenidClientAuthorizationPermission) error {
-	body, _, err := keycloakClient.post(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission", permission.RealmId, permission.ResourceServerId), permission)
+	body, _, err := keycloakClient.post(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s", permission.RealmId, permission.ResourceServerId, permission.Type), permission)
 	if err != nil {
 		return err
 	}
@@ -66,7 +77,7 @@ func (keycloakClient *KeycloakClient) NewOpenidClientAuthorizationPermission(per
 }
 
 func (keycloakClient *KeycloakClient) UpdateOpenidClientAuthorizationPermission(permission *OpenidClientAuthorizationPermission) error {
-	err := keycloakClient.put(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/resource/%s", permission.RealmId, permission.ResourceServerId, permission.Id), permission)
+	err := keycloakClient.put(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s/%s", permission.RealmId, permission.ResourceServerId, permission.Type, permission.Id), permission)
 	if err != nil {
 		return err
 	}

diff --git a/provider/resource_keycloak_openid_client_authorization_permission.go b/provider/resource_keycloak_openid_client_authorization_permission.go
@@ -2,10 +2,11 @@ package provider
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 	"github.com/mrparkers/terraform-provider-keycloak/keycloak"
-	"strings"
 )
 
 var (
@@ -57,6 +58,11 @@ func resourceKeycloakOpenidClientAuthorizationPermission() *schema.Resource {
 				Elem:     &schema.Schema{Type: schema.TypeString},
 				Optional: true,
 			},
+			"scopes": {
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Optional: true,
+			},
 			"type": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -70,6 +76,7 @@ func resourceKeycloakOpenidClientAuthorizationPermission() *schema.Resource {
 func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *keycloak.OpenidClientAuthorizationPermission {
 	var policies []string
 	var resources []string
+	var scopes []string
 	if v, ok := data.GetOk("resources"); ok {
 		for _, resource := range v.(*schema.Set).List() {
 			resources = append(resources, resource.(string))
@@ -80,6 +87,12 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *
 			policies = append(policies, policy.(string))
 		}
 	}
+	if v, ok := data.GetOk("scopes"); ok {
+		for _, scope := range v.(*schema.Set).List() {
+			scopes = append(scopes, scope.(string))
+		}
+	}
+
 	permission := keycloak.OpenidClientAuthorizationPermission{
 		Id:               data.Id(),
 		ResourceServerId: data.Get("resource_server_id").(string),
@@ -89,6 +102,7 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *
 		DecisionStrategy: data.Get("decision_strategy").(string),
 		Type:             data.Get("type").(string),
 		Policies:         policies,
+		Scopes:           scopes,
 		Resources:        resources,
 	}
 	return &permission
@@ -103,6 +117,7 @@ func setOpenidClientAuthorizationPermissionData(data *schema.ResourceData, permi
 	data.Set("decision_strategy", permission.DecisionStrategy)
 	data.Set("type", permission.Type)
 	data.Set("policies", permission.Policies)
+	data.Set("scopes", permission.Scopes)
 	data.Set("resources", permission.Resources)
 }
 

diff --git a/provider/resource_keycloak_openid_client_authorization_permission_test.go b/provider/resource_keycloak_openid_client_authorization_permission_test.go
@@ -2,26 +2,28 @@ package provider
 
 import (
 	"fmt"
+	"testing"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
 	"github.com/mrparkers/terraform-provider-keycloak/keycloak"
-	"testing"
 )
 
 func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) {
 	realmName := "terraform-" + acctest.RandString(10)
 	clientId := "terraform-" + acctest.RandString(10)
 	resourceName := "terraform-" + acctest.RandString(10)
 	permissionName := "terraform-" + acctest.RandString(10)
+	scopeName := "terraform-" + acctest.RandString(10)
 
 	resource.Test(t, resource.TestCase{
 		Providers:    testAccProviders,
 		PreCheck:     func() { testAccPreCheck(t) },
 		CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(),
 		Steps: []resource.TestStep{
 			{
-				Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName),
+				Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName, scopeName),
 				Check:  testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
 			},
 		},
@@ -35,14 +37,15 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy
 	clientId := "terraform-" + acctest.RandString(10)
 	resourceName := "terraform-" + acctest.RandString(10)
 	permissionName := "terraform-" + acctest.RandString(10)
+	scopeName := "terraform-" + acctest.RandString(10)
 
 	resource.Test(t, resource.TestCase{
 		Providers:    testAccProviders,
 		PreCheck:     func() { testAccPreCheck(t) },
 		CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(),
 		Steps: []resource.TestStep{
 			{
-				Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName),
+				Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName, scopeName),
 				Check:  testAccCheckKeycloakOpenidClientAuthorizationPermissionFetch("keycloak_openid_client_authorization_permission.test", authorizationPermission),
 			},
 			{
@@ -54,7 +57,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy
 						t.Fatal(err)
 					}
 				},
-				Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName),
+				Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName, scopeName),
 				Check:  testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
 			},
 		},
@@ -67,21 +70,22 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateRealm(t *test
 	clientId := "terraform-" + acctest.RandString(10)
 	resourceName := "terraform-" + acctest.RandString(10)
 	permissionName := "terraform-" + acctest.RandString(10)
+	scopeName := "terraform-" + acctest.RandString(10)
 
 	resource.Test(t, resource.TestCase{
 		Providers:    testAccProviders,
 		PreCheck:     func() { testAccPreCheck(t) },
 		CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(),
 		Steps: []resource.TestStep{
 			{
-				Config: testKeycloakOpenidClientAuthorizationPermission_basic(firstRealm, clientId, resourceName, permissionName),
+				Config: testKeycloakOpenidClientAuthorizationPermission_basic(firstRealm, clientId, resourceName, permissionName, scopeName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
 					resource.TestCheckResourceAttr("keycloak_openid_client_authorization_permission.test", "realm_id", firstRealm),
 				),
 			},
 			{
-				Config: testKeycloakOpenidClientAuthorizationPermission_basic(secondRealm, clientId, resourceName, permissionName),
+				Config: testKeycloakOpenidClientAuthorizationPermission_basic(secondRealm, clientId, resourceName, permissionName, scopeName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
 					resource.TestCheckResourceAttr("keycloak_openid_client_authorization_permission.test", "realm_id", secondRealm),
@@ -94,6 +98,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateRealm(t *test
 func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateAll(t *testing.T) {
 	realmName := "terraform-" + acctest.RandString(10)
 	clientId := "terraform-" + acctest.RandString(10)
+	scopeName := "terraform-" + acctest.RandString(10)
 
 	firstAuthrorizationPermission := &keycloak.OpenidClientAuthorizationPermission{
 		RealmId:     realmName,
@@ -113,11 +118,11 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateAll(t *testin
 		CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(),
 		Steps: []resource.TestStep{
 			{
-				Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, firstAuthrorizationPermission, acctest.RandString(10)),
+				Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, firstAuthrorizationPermission, acctest.RandString(10), scopeName),
 				Check:  testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
 			},
 			{
-				Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, secondAuthrorizationPermission, acctest.RandString(10)),
+				Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, secondAuthrorizationPermission, acctest.RandString(10), scopeName),
 				Check:  testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
 			},
 		},
@@ -193,7 +198,7 @@ func getKeycloakOpenidClientAuthorizationPermissionFromState(s *terraform.State,
 	return authorizationPermission, nil
 }
 
-func testKeycloakOpenidClientAuthorizationPermission_basic(realm, clientId, resourceName, permissionName string) string {
+func testKeycloakOpenidClientAuthorizationPermission_basic(realm, clientId, resourceName, permissionName, scopeName string) string {
 	return fmt.Sprintf(`
 resource keycloak_realm test {
 	realm = "%s"
@@ -225,17 +230,24 @@ resource keycloak_openid_client_authorization_resource test {
   ]
 }
 
+resource keycloak_openid_client_authorization_scope test {
+  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+  name               = "%s"
+  realm_id           = "${keycloak_realm.test.id}"
+}
+
 resource keycloak_openid_client_authorization_permission test {
 	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
 	realm_id           = "${keycloak_realm.test.id}"
 	name               = "%s"
 	policies           = ["${data.keycloak_openid_client_authorization_policy.default.id}"]
-   resources          = ["${keycloak_openid_client_authorization_resource.test.id}"]
+	resources          = ["${keycloak_openid_client_authorization_resource.test.id}"]
+
 }
-	`, realm, clientId, resourceName, permissionName)
+	`, realm, clientId, resourceName, scopeName, permissionName)
 }
 
-func testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId string, authorizationPermission *keycloak.OpenidClientAuthorizationPermission, resourceName string) string {
+func testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId string, authorizationPermission *keycloak.OpenidClientAuthorizationPermission, resourceName, scopeName string) string {
 	return fmt.Sprintf(`
 resource keycloak_realm test {
 	realm = "%s"
@@ -260,20 +272,27 @@ data keycloak_openid_client_authorization_policy default {
 resource keycloak_openid_client_authorization_resource resource {
   resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
   name               = "%s"
-  realm_id           = "${keycloak_realm.test.id}"
+	realm_id           = "${keycloak_realm.test.id}"
 
   uris = [
     "/endpoint/*"
   ]
 }
 
+resource keycloak_openid_client_authorization_scope test {
+  resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
+  name               = "%s"
+  realm_id           = "${keycloak_realm.test.id}"
+}
+
 resource keycloak_openid_client_authorization_permission test {
 	resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
 	realm_id           = "${keycloak_realm.test.id}"
 	name               = "%s"
 	policies           = ["${data.keycloak_openid_client_authorization_policy.default.id}"]
    resources          = ["${keycloak_openid_client_authorization_resource.resource.id}"]
-   description        = "%s"
+	 description        = "%s"
+	scopes = ["${keycloak_openid_client_authorization_scope.test.id}"]
 }
-	`, authorizationPermission.RealmId, clientId, resourceName, authorizationPermission.Name, authorizationPermission.Description)
+	`, authorizationPermission.RealmId, clientId, resourceName, scopeName, authorizationPermission.Name, authorizationPermission.Description)
 }