Add resource_type on keycloak_openid_client_authorization_permission #702

Merged
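--- a/docs/resources/openid_client_authorization_permission.md
+++ b/docs/resources/openid_client_authorization_permission.md
@@ -0,0 +1,84 @@
+# keycloak_openid_client_authorization_permission
+
+Allows you to manage openid Client Authorization Permissions.
+
+### Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+realm = "my-realm"
+enabled = true
+}
+
+resource keycloak_openid_client test {
+client_id = "client_id"
+realm_id = keycloak_realm.realm.id
+access_type = "CONFIDENTIAL"
+service_accounts_enabled = true
+authorization {
+policy_enforcement_mode = "ENFORCING"
+}
+}
+
+data keycloak_openid_client_authorization_policy default {
+realm_id = keycloak_realm.realm.id
+resource_server_id = keycloak_openid_client.test.resource_server_id
+name = "default"
+}
+
+resource keycloak_openid_client_authorization_resource test {
+resource_server_id = keycloak_openid_client.test.resource_server_id
+name = "resource_name"
+realm_id = keycloak_realm.realm.id
+
+uris = [
+"/endpoint/*"
+]
+}
+
+resource keycloak_openid_client_authorization_scope test {
+resource_server_id = keycloak_openid_client.test.resource_server_id
+name = "scope_name"
+realm_id = keycloak_realm.realm.id
+}
+
+resource keycloak_openid_client_authorization_permission test {
+resource_server_id = keycloak_openid_client.test.resource_server_id
+realm_id = keycloak_realm.realm.id
+name = "permission_name"
+policies = [data.keycloak_openid_client_authorization_policy.default.id]
+resources = [keycloak_openid_client_authorization_resource.test.id]
+
+}
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm this group exists in.
+- `resource_server_id` - (Required) The ID of the resource server.
+- `name` - (Required) The name of the permission.
+- `description` - (Optional) A description for the authorization permission.
+- `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`.
+- `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission.
+- `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resource_type`.
+- `resource_type` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`.
+- `scopes` - (Optional) A list of scope IDs that this permission must be applied to.
+- `type` - (Optional) The type of permission, can be one of `resource` or `scope`.
+
+### Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+- `id` - Permission ID representing the permission.
+
+## Import
+
+Client authorization permissions can be imported using the format: `{{realmId}}/{{resourceServerId}}/{{permissionId}}`.
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_client_authorization_permission.test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9
+```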
1 change: 0 additions & 1 deletion docs/resources/openid_client_client_policy.md
Expand Up @@ -10,7 +10,6 @@ This resource can be used to create client policy.

In this example, we'll create a new OpenID client, then enabled permissions for the client. A client without permissions disabled cannot be assigned by a client policy. We'll use the `keycloak_openid_client_client_policy` resource to create a new client policy, which could be applied to many clients, for a realm and a resource_server_id.


```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
1 change: 1 addition & 0 deletions keycloak/openid_client_authorization_permission.go
Expand Up @@ -17,6 +17,7 @@ type OpenidClientAuthorizationPermission struct {
Resources []string `json:"resources"`
Scopes []string `json:"scopes"`
Type string `json:"type"`
ResourceType string `json:"resourceType,omitempty"`
}

func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(ctx context.Context, realm, resourceServerId, id string) (*OpenidClientAuthorizationPermission, error) {
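Review bot: The new `ResourceType` field is tagged `omitempty`, so an update that removes `resource_type` from the configuration sends no `resourceType` key at all; if Keycloak keeps the previously stored value when the key is absent, the permission silently stays type-wide while Terraform state shows it cleared, and the next plan will not notice because the read path only copies back what the server returns. That behaviour is not visible from this hunk (the update request is built elsewhere), so it should be confirmed against the server; if the value is retained, drop the tag, `ResourceType string `json:"resourceType"``, so an explicit empty value is sent. A field comment would also help readers, e.g. `// ResourceType, when set, applies the permission to every resource of that type rather than to the resources listed in Resources.`. The struct definition begins before this hunk.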
Expand Up @@ -3,9 +3,10 @@ package provider
import (
"context"
"fmt"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"strings"

"github.com/hashicorp/terraform-plugin-sdk/v2/diag"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/mrparkers/terraform-provider-keycloak/keycloak"
Expand Down Expand Up @@ -55,9 +56,15 @@ func resourceKeycloakOpenidClientAuthorizationPermission() *schema.Resource {
Optional: true,
},
"resources": {
Type: schema.TypeSet,
Elem: &schema.Schema{Type: schema.TypeString},
Optional: true,
Type: schema.TypeSet,
Elem: &schema.Schema{Type: schema.TypeString},
Optional: true,
ConflictsWith: []string{"resource_type"},
},
"resource_type": {
Type: schema.TypeString,
Optional: true,
ConflictsWith: []string{"resources"},
},
"scopes": {
Type: schema.TypeSet,
Expand Down Expand Up @@ -105,6 +112,7 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *
Policies: policies,
Scopes: scopes,
Resources: resources,
ResourceType: data.Get("resource_type").(string),
}
return &permission
}
Expand All @@ -120,6 +128,7 @@ func setOpenidClientAuthorizationPermissionData(data *schema.ResourceData, permi
data.Set("policies", permission.Policies)
data.Set("scopes", permission.Scopes)
data.Set("resources", permission.Resources)
data.Set("resource_type", permission.ResourceType)
}

func resourceKeycloakOpenidClientAuthorizationPermissionCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
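Review bot: In the import block the moved `diag` import now sits in a group of its own, separated by a blank line from the other `terraform-plugin-sdk/v2` imports; goimports would keep it together with `helper/schema` and `helper/validation` in one third-party group, so the blank line after the `diag` line should go. Separately, the new `resource_type` schema entry in `resourceKeycloakOpenidClientAuthorizationPermission` accepts an empty string, which the `omitempty` tag on the model then drops from the request, leaving the user with a value that neither conflicts with `resources` nor does anything; since `validation` is already imported, `ValidateFunc: validation.StringIsNotEmpty,` next to `ConflictsWith` would reject that at plan time. The enclosing functions in each hunk start and end outside the hunk.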
Expand Up @@ -30,6 +30,27 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) {
})
}

func TestAccKeycloakOpenidClientAuthorizationPermission_resourceType(t *testing.T) {
t.Parallel()
clientId := acctest.RandomWithPrefix("tf-acc")
resourceName := acctest.RandomWithPrefix("tf-acc")
resourceType := acctest.RandomWithPrefix("tf-acc")
permissionName := acctest.RandomWithPrefix("tf-acc")
scopeName := acctest.RandomWithPrefix("tf-acc")

resource.Test(t, resource.TestCase{
ProviderFactories: testAccProviderFactories,
PreCheck: func() { testAccPreCheck(t) },
CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(),
Steps: []resource.TestStep{
{
Config: testKeycloakOpenidClientAuthorizationPermission_resourceType(clientId, resourceName, resourceType, permissionName, scopeName),
Check: testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"),
},
},
})
}

func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy(t *testing.T) {
t.Parallel()
var authorizationPermission = &keycloak.OpenidClientAuthorizationPermission{}
Expand Down Expand Up @@ -178,25 +199,25 @@ resource keycloak_openid_client test {
}

data keycloak_openid_client_authorization_policy default {
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "default"
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "default"
}

resource keycloak_openid_client_authorization_resource test {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id

uris = [
"/endpoint/*"
]
uris = [
"/endpoint/*"
]
}

resource keycloak_openid_client_authorization_scope test {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id
}

resource keycloak_openid_client_authorization_permission test {
Expand All @@ -210,6 +231,57 @@ resource keycloak_openid_client_authorization_permission test {
`, testAccRealm.Realm, clientId, resourceName, scopeName, permissionName)
}

func testKeycloakOpenidClientAuthorizationPermission_resourceType(clientId, resourceName, resourceType, permissionName, scopeName string) string {
return fmt.Sprintf(`
data "keycloak_realm" "realm" {
realm = "%s"
}

resource keycloak_openid_client test {
client_id = "%s"
realm_id = data.keycloak_realm.realm.id
access_type = "CONFIDENTIAL"
service_accounts_enabled = true
authorization {
policy_enforcement_mode = "ENFORCING"
}
}

data keycloak_openid_client_authorization_policy default {
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "default"
}

resource keycloak_openid_client_authorization_resource test {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id

type = "%s"

uris = [
"/endpoint/*"
]
}

resource keycloak_openid_client_authorization_scope test {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id
}

resource keycloak_openid_client_authorization_permission test {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
realm_id = data.keycloak_realm.realm.id
name = "%s"
policies = ["${data.keycloak_openid_client_authorization_policy.default.id}"]
resource_type = "%s"

}
`, testAccRealm.Realm, clientId, resourceName, resourceType, scopeName, permissionName, resourceType)
}

func testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId string, authorizationPermission *keycloak.OpenidClientAuthorizationPermission, resourceName, scopeName string) string {
return fmt.Sprintf(`
data "keycloak_realm" "realm" {
Expand All @@ -227,34 +299,34 @@ resource keycloak_openid_client test {
}

data keycloak_openid_client_authorization_policy default {
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "default"
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "default"
}

resource keycloak_openid_client_authorization_resource resource {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id

uris = [
"/endpoint/*"
]
uris = [
"/endpoint/*"
]
}

resource keycloak_openid_client_authorization_scope test {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
name = "%s"
realm_id = data.keycloak_realm.realm.id
}

resource keycloak_openid_client_authorization_permission test {
resource_server_id = "${keycloak_openid_client.test.resource_server_id}"
realm_id = data.keycloak_realm.realm.id
name = "%s"
policies = ["${data.keycloak_openid_client_authorization_policy.default.id}"]
resources = ["${keycloak_openid_client_authorization_resource.resource.id}"]
description = "%s"
resources = ["${keycloak_openid_client_authorization_resource.resource.id}"]
description = "%s"
scopes = ["${keycloak_openid_client_authorization_scope.test.id}"]
}
`, testAccRealm.Realm, clientId, resourceName, scopeName, authorizationPermission.Name, authorizationPermission.Description)
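Review bot: `TestAccKeycloakOpenidClientAuthorizationPermission_resourceType` (first hunk of this file) only checks that the permission exists; nothing asserts that `resource_type` round-tripped through the API, so a regression that drops the field on create or on read would still pass. Wrap the existing check in `resource.ComposeTestCheckFunc(` and add `resource.TestCheckResourceAttr("keycloak_openid_client_authorization_permission.test", "resource_type", resourceType),` so the value read back from Keycloak is compared with the one sent. The config built by `testKeycloakOpenidClientAuthorizationPermission_resourceType` also declares a `keycloak_openid_client_authorization_scope` that the permission never references, so the `scopeName` parameter and that block appear to be dead and could be dropped. The remaining hunks in this file only re-indent existing config templates.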