Merge branch 'master' into mrparkersGH-424-Fix-local-development-envi…

…ronment

.circleci/config.yml

@@ -6,13 +6,13 @@ workflows:
           matrix:
             parameters:
               keycloak-version:
-                - '11.0.1'
+                - '12.0.1'
+                - '11.0.3'
                 - '10.0.2'
-                - '9.0.3'
 
 defaults:
   go_image: &go_image
-    - image: circleci/golang:1.13.5
+    - image: circleci/golang:1.15.5
 
 jobs:
   test:
@@ -22,10 +22,10 @@ jobs:
     docker:
       - <<: *go_image
       - image: jboss/keycloak:<< parameters.keycloak-version >>
-        command: ["-b", "0.0.0.0", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
+        command: ["-b", "0.0.0.0", "-Dkeycloak.profile.feature.upload_scripts=enabled", "-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled", "-Dkeycloak.profile.feature.token_exchange=enabled"]
         environment:
           DB_VENDOR: H2
-          KEYCLOAK_LOGLEVEL: DEBUG
+          KEYCLOAK_LOGLEVEL: INFO
           KEYCLOAK_USER: keycloak
           KEYCLOAK_PASSWORD: password
 
@@ -74,4 +74,4 @@ jobs:
       TEST_RESULTS: /tmp/test-results
       CHECKPOINT_DISABLE: "1"
       TF_ACC_TERRAFORM_PATH: "/usr/local/bin/terraform"
-      TF_VERSION: "0.13.0"
+      TF_VERSION: "0.13.5"

CHANGELOG.md

@@ -1,3 +1,27 @@
+## v2.1.0 (January 10, 2021)
+
+FEATURES:
+
+- new resource: `keycloak_openid_client_permissions` ([#364](https://github.com/mrparkers/terraform-provider-keycloak/pull/364))
+- new resource: `keycloak_users_permissions` ([#400](https://github.com/mrparkers/terraform-provider-keycloak/pull/400))
+- new resource: `keycloak_openid_client_script_protocol_mapper` ([#453](https://github.com/mrparkers/terraform-provider-keycloak/pull/453))
+
+IMPROVEMENTS:
+
+- add `authorization.decision_strategy` attribute to `keycloak_openid_client` resource ([#392](https://github.com/mrparkers/terraform-provider-keycloak/pull/392))
+- support `IMPORT` mode for `keycloak_ldap_group_mapper` resource ([#397](https://github.com/mrparkers/terraform-provider-keycloak/pull/397))
+- add client session length attributes to `keycloak_openid_client` resource ([#415](https://github.com/mrparkers/terraform-provider-keycloak/pull/415))
+- update to go 1.5 ([#445](https://github.com/mrparkers/terraform-provider-keycloak/pull/360))
+- add `groups_path` attribute to `keycloak_ldap_group_mapper` resource ([#436](https://github.com/mrparkers/terraform-provider-keycloak/pull/436))
+- add `authentication_flow_binding_overrides` attribute to `keycloak_saml_client` resource ([#448](https://github.com/mrparkers/terraform-provider-keycloak/pull/448))
+
+BUG FIXES:
+
+- fix inconsistent plan when enabling service account in `keycloak_openid_client` resource ([#437](https://github.com/mrparkers/terraform-provider-keycloak/pull/437))
+- fix import for `keycloak_openid_client_service_account_realm_role` resource ([#441](https://github.com/mrparkers/terraform-provider-keycloak/pull/441))
+- remove unneeded validation checks for registration attributes for `keycloak_realm` resource ([#438](https://github.com/mrparkers/terraform-provider-keycloak/pull/438))
+- allow commas in `config` attribute for `keycloak_custom_user_federation` resource ([#455](https://github.com/mrparkers/terraform-provider-keycloak/pull/455))
+
 ## v2.0.0 (September 20, 2020)
 
 BREAKING CHANGES:

README.md

@@ -37,9 +37,9 @@ This provider will officially support the latest three major versions of Keycloa
 
 The following versions are used when running acceptance tests in CI:
 
-- 11.0.1 (latest)
+- 12.0.1 (latest)
+- 11.0.3
 - 10.0.2
-- 9.0.3
 
 ## Releases
 
@@ -59,7 +59,7 @@ build you can use the `linux_amd64` build as long as `libc6-compat` is installed
 
 ## Development
 
-This project requires Go 1.13 and Terraform 0.13.
+This project requires Go 1.15 and Terraform 0.13.
 This project uses [Go Modules](https://github.com/golang/go/wiki/Modules) for dependency management, which allows this project to exist outside of an existing GOPATH.
 
 After cloning the repository, you can build the project by running `make build`.

custom-user-federation-example/build.gradle

@@ -1,6 +1,6 @@
 buildscript {
 	ext.kotlinVersion = '1.3.31'
-	ext.keycloakVersion = '7.0.0'
+	ext.keycloakVersion = '12.0.1'
 	ext.shadowJarVersion = '4.0.2'
 
     repositories {

custom-user-federation-example/src/main/kotlin/com/github/mrparkers/keycloak/CustomIdentityProviderFactory.kt

@@ -1,6 +1,5 @@
 package com.github.mrparkers.keycloak
 
-
 import org.keycloak.broker.oidc.OIDCIdentityProviderConfig
 import org.keycloak.broker.provider.AbstractIdentityProviderFactory
 import org.keycloak.models.IdentityProviderModel
@@ -43,4 +42,8 @@ class CustomIdentityProviderFactory : AbstractIdentityProviderFactory<CustomIden
 		}
 		return config.config
 	}
+
+	override fun createConfig(): IdentityProviderModel {
+		return IdentityProviderModel()
+	}
 }

docker-compose.yml

@@ -17,7 +17,7 @@ services:
     ports:
     - 8389:389
   keycloak:
-    image:  jboss/keycloak:10.0.2
+    image:  jboss/keycloak:12.0.1
     command: -b 0.0.0.0 -Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled
     depends_on:
     - postgres

docs-old/resources/keycloak_ldap_group_mapper.md

@@ -70,6 +70,7 @@ The following arguments are supported:
 - `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
 - `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
 - `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+- `groups_path` - (Optional) Keycloak group path the LDAP groups are added to. For example if value '/Applications/App1' is used, then LDAP groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'. The configured group path must already exists in the Keycloak when creating this mapper. The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level.
 
 ### Import
 

docs/resources/ldap_group_mapper.md

@@ -71,6 +71,7 @@ resource "keycloak_ldap_group_mapper" "ldap_group_mapper" {
 - `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
 - `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
 - `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+- `groups_path` - (Optional) Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
 
 ## Import
 

docs/resources/openid_script_protocol_mapper.md

@@ -0,0 +1,93 @@
+---
+page_title: "keycloak_openid_script_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_script\_protocol\_mapper Resource
+
+Allows for creating and managing script protocol mappers within Keycloak.
+
+Script protocol mappers evaluate a JavaScript function to produce a token claim based on context information.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "client"
+
+  name    = "client"
+  enabled = true
+
+  access_type         = "CONFIDENTIAL"
+  valid_redirect_uris = [
+    "http://localhost:8080/openid-callback"
+  ]
+}
+
+resource "keycloak_openid_script_protocol_mapper" "script_mapper" {
+  realm_id    = keycloak_realm.realm.id
+  client_id   = keycloak_openid_client.openid_client.id
+  name        = "script-mapper"
+
+  claim_name      = "foo"
+  script          = "exports = 'foo';"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+  realm_id = keycloak_realm.realm.id
+  name     = "client-scope"
+}
+
+resource "keycloak_openid_script_protocol_mapper" "script_mapper" {
+  realm_id        = keycloak_realm.realm.id
+  client_scope_id = keycloak_openid_client_scope.client_scope.id
+  name            = "script-mapper"
+
+  claim_name      = "foo"
+  script          = "exports = 'foo';"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `script` - (Required) JavaScript code to compute the claim value.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.
+- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_script_protocol_mapper.script_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_script_protocol_mapper.script_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```

docs/resources/saml_client.md

@@ -62,6 +62,9 @@ resource "keycloak_saml_client" "saml_client" {
 - `logout_service_post_binding_url` - (Optional) SAML POST Binding URL for the client's single logout service.
 - `logout_service_redirect_binding_url` - (Optional) SAML Redirect Binding URL for the client's single logout service.
 - `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token
+- `authentication_flow_binding_overrides` - (Optional) Override realm authentication flow bindings
+    - `browser_id` - (Optional) Browser flow id, (flow needs to exist)
+    - `direct_grant_id` - (Optional) Direct grant flow id (flow needs to exist)
 
 ## Import
 

docs/resources/users_permission.md

@@ -0,0 +1,144 @@
+---
+page_title: "keycloak_users_permissions Resource"
+---
+
+# keycloak_users_permissions
+
+Allows you to manage fine-grained permissions for all users in a realm: https://www.keycloak.org/docs/latest/server_admin/#_users-permissions
+
+This is part of a preview Keycloak feature: `admin_fine_grained_authz` (see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions).
+This feature can be enabled with the Keycloak option `-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled`. See the
+example [`docker-compose.yml`](https://github.com/mrparkers/terraform-provider-keycloak/blob/898094df6b3e01c3404981ce7ca268142d6ff0e5/docker-compose.yml#L21) file for an example.
+
+When enabling fine-grained permissions for users, Keycloak does several things automatically:
+1. Enable Authorization on built-in `realm-management` client (if not already enabled).
+1. Create a resource representing the users permissions.
+1. Create scopes `view`, `manage`, `map-roles`, `manage-group-membership`, `impersonate`, and `user-impersonated`.
+1. Create all scope based permission for the scopes and users resources.
+
+~> This resource should only be created once per realm.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm  = "my-realm"
+}
+
+data "keycloak_openid_client" "realm_management" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "realm-management"
+}
+
+// enable permissions for realm-management client
+resource "keycloak_openid_client_permissions" "realm_management_permission" {
+  realm_id   = keycloak_realm.realm.id
+  client_id  = data.keycloak_openid_client.realm_management.id
+  enabled    = true
+}
+
+// creating a user to use with the keycloak_openid_client_user_policy resource
+resource "keycloak_user" "test" {
+  realm_id = keycloak_realm.realm.id
+  username = "test-user"
+
+  email      = "test-user@fakedomain.com"
+  first_name = "Testy"
+  last_name  = "Tester"
+}
+
+resource "keycloak_openid_client_user_policy" "test" {
+  realm_id           = keycloak_realm.realm.id
+  resource_server_id = "${data.keycloak_openid_client.realm_management.id}"
+  name               = "client_user_policy_test"
+
+  users             = [keycloak_user.test.id]
+  logic             = "POSITIVE"
+  decision_strategy = "UNANIMOUS"
+
+  depends_on = [
+    keycloak_openid_client_permissions.realm-management_permission,
+  ]
+}
+
+resource "keycloak_users_permissions" "users_permissions" {
+  realm_id = keycloak_realm.realm.id
+
+  view_scope {
+    policies          = [
+      keycloak_openid_client_user_policy.test.id
+    ]
+    description       = "description"
+    decision_strategy = "UNANIMOUS"
+  }
+
+  manage_scope {
+    policies          = [
+      keycloak_openid_client_user_policy.test.id
+    ]
+    description       = "description"
+    decision_strategy = "UNANIMOUS"
+  }
+
+  map_roles_scope {
+    policies          = [
+      keycloak_openid_client_user_policy.test.id
+    ]
+    description       = "description"
+    decision_strategy = "UNANIMOUS"
+  }
+
+  manage_group_membership_scope {
+    policies          = [
+      keycloak_openid_client_user_policy.test.id
+    ]
+    description       = "description"
+    decision_strategy = "UNANIMOUS"
+  }
+
+  impersonate_scope {
+    policies          = [
+      keycloak_openid_client_user_policy.test.id
+    ]
+    description       = "description"
+    decision_strategy = "UNANIMOUS"
+  }
+
+  user_impersonated_scope {
+    policies          = [
+      keycloak_openid_client_user_policy.test.id
+    ]
+    description       = "description"
+    decision_strategy = "UNANIMOUS"
+  }
+}
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm in which to manage fine-grained user permissions.
+
+Each of the scopes that can be managed are defined below:
+
+- `view_scope` - (Optional) When specified, set the scope based view permission.
+- `manage_scope` - (Optional) When specified, set the scope based manage permission.
+- `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission.
+- `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission.
+- `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission.
+- `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission.
+
+The configuration block for each of these scopes supports the following arguments:
+
+- `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID.
+- `description` - (Optional) Description of the permission.
+- `decision_strategy` - (Optional) Decision strategy of the permission.
+
+### Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+- `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`.
+- `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed.
+