From a8f94b3c9ab1660f37dccba2b530c8f039997f87 Mon Sep 17 00:00:00 2001
From: Yoel Spotts
Date: Wed, 12 Feb 2020 13:29:43 -0500
Subject: [PATCH 1/4] handle both scope and resource permission types
---
 .../openid_client_authorization_permission.go | 17 ++++++++++++++---
 ...ak_openid_client_authorization_permission.go | 13 +++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/keycloak/openid_client_authorization_permission.go b/keycloak/openid_client_authorization_permission.go
index f8403b008..a74bf6f8a 100644
--- a/keycloak/openid_client_authorization_permission.go
+++ b/keycloak/openid_client_authorization_permission.go
@@ -14,6 +14,7 @@ type OpenidClientAuthorizationPermission struct {
 DecisionStrategy string `json:"decisionStrategy"`
 Policies []string `json:"policies"`
 Resources []string `json:"resources"`
+ Scopes []string `json:"scopes"`
 Type string `json:"type"`
 }
@@ -26,8 +27,9 @@ func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(rea
 policies := []OpenidClientAuthorizationPolicy{}
 resources := []OpenidClientAuthorizationResource{}
+ scopes := []OpenidClientAuthorizationScope{}
- err := keycloakClient.get(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/resource/%s", realm, resourceServerId, id), &permission, nil)
+ err := keycloakClient.get(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s", realm, resourceServerId, id), &permission, nil)
 if err != nil {
 return nil, err
 }
@@ -42,6 +44,11 @@ func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(rea
 return nil, err
 }
+ err = keycloakClient.get(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s/scopes", realm, resourceServerId, id), &scopes, nil)
+ if err != nil {
+ return nil, err
+ }
+
 for _, policy := range policies {
 permission.Policies = append(permission.Policies, policy.Id)
 }
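Review bot: The read path in GetOpenidClientAuthorizationPermission drops the type segment (`/permission/{id}`) while the POST and PUT changed later in this same patch build `/permission/{type}` and `/permission/{type}/{id}` from `permission.Type`, so every later update silently depends on this GET populating `Type` from the Keycloak response; the hunk does not show whether the response always carries it. Making that dependency explicit avoids a confusing `/permission//{id}` request later: `if permission.Type == "" { return nil, fmt.Errorf("permission %s: response did not include a type", id) }` right after the decode. A one-line comment on the `Type` field saying it is used as an admin-API path segment would document the same contract. The function's body continues beyond the hunk.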
@@ -50,11 +57,15 @@ func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationPermission(rea
 permission.Resources = append(permission.Resources, resource.Id)
 }
+ for _, resource := range scopes {
+ permission.Scopes = append(permission.Scopes, resource.Id)
+ }
+
 return &permission, nil
 }
 func (keycloakClient *KeycloakClient) NewOpenidClientAuthorizationPermission(permission *OpenidClientAuthorizationPermission) error {
- body, _, err := keycloakClient.post(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission", permission.RealmId, permission.ResourceServerId), permission)
+ body, _, err := keycloakClient.post(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s", permission.RealmId, permission.ResourceServerId, permission.Type), permission)
 if err != nil {
 return err
 }
@@ -66,7 +77,7 @@ func (keycloakClient *KeycloakClient) NewOpenidClientAuthorizationPermission(per
 }
 func (keycloakClient *KeycloakClient) UpdateOpenidClientAuthorizationPermission(permission *OpenidClientAuthorizationPermission) error {
- err := keycloakClient.put(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/resource/%s", permission.RealmId, permission.ResourceServerId, permission.Id), permission)
+ err := keycloakClient.put(fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/permission/%s/%s", permission.RealmId, permission.ResourceServerId, permission.Type, permission.Id), permission)
 if err != nil {
 return err
 }
diff --git a/provider/resource_keycloak_openid_client_authorization_permission.go b/provider/resource_keycloak_openid_client_authorization_permission.go
index 1d19b6432..0ce890f00 100644
--- a/provider/resource_keycloak_openid_client_authorization_permission.go
+++ b/provider/resource_keycloak_openid_client_authorization_permission.go
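Review bot: `permission.Type` is interpolated unescaped into the admin-API path in NewOpenidClientAuthorizationPermission (and in the PUT hunk below), yet `type` is `Optional` in the provider schema and nothing in this patch validates it, so an empty value posts to `/permission/` and a value containing `/` or `..` changes which admin endpoint the request reaches. The only types this series uses are `resource` and `scope`, so reject anything else before building the URL: `if permission.Type != "resource" && permission.Type != "scope" { return fmt.Errorf("unsupported permission type %q", permission.Type) }`. As a point of style, the new loop names its element `resource` while iterating scopes; `for _, scope := range scopes { permission.Scopes = append(permission.Scopes, scope.Id) }` reads as intended. NewOpenidClientAuthorizationPermission continues past the hunk.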
@@ -57,6 +57,11 @@ func resourceKeycloakOpenidClientAuthorizationPermission() *schema.Resource {
 Elem: &schema.Schema{Type: schema.TypeString},
 Optional: true,
 },
+ "scopes": {
+ Type: schema.TypeSet,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Optional: true,
+ },
 "type": {
 Type: schema.TypeString,
 Optional: true,
@@ -70,6 +75,7 @@ func resourceKeycloakOpenidClientAuthorizationPermission() *schema.Resource {
 func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *keycloak.OpenidClientAuthorizationPermission {
 var policies []string
 var resources []string
+ var scopes []string
 if v, ok := data.GetOk("resources"); ok {
 for _, resource := range v.(*schema.Set).List() {
 resources = append(resources, resource.(string))
@@ -80,6 +86,11 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *
 policies = append(policies, policy.(string))
 }
 }
+ if v, ok := data.GetOk("scopes"); ok {
+ for _, scope := range v.(*schema.Set).List() {
+ scopes = append(scopes, scope.(string))
+ }
+ }
 permission := keycloak.OpenidClientAuthorizationPermission{
 Id: data.Id(),
 ResourceServerId: data.Get("resource_server_id").(string),
@@ -89,6 +100,7 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) *
 DecisionStrategy: data.Get("decision_strategy").(string),
 Type: data.Get("type").(string),
 Policies: policies,
+ Scopes: scopes,
 Resources: resources,
 }
 return &permission
@@ -103,6 +115,7 @@ func setOpenidClientAuthorizationPermissionData(data *schema.ResourceData, permi
 data.Set("decision_strategy", permission.DecisionStrategy)
 data.Set("type", permission.Type)
 data.Set("policies", permission.Policies)
+ data.Set("scopes", permission.Scopes)
 data.Set("resources", permission.Resources)
 }
From 5698072b1e892df465990fce9ad8a86d0ee31b41 Mon Sep 17 00:00:00 2001
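Review bot: The `type` attribute right below the new `scopes` block is now used as a URL path segment by the client layer in this patch, but the schema shows it as a free-form `Optional` string with no constraint visible in the hunk, so a typo or an unexpected value is only discovered as an opaque Keycloak error after the request is sent. The file already imports `helper/validation`, so restricting it at plan time is one line: `ValidateFunc: validation.StringInSlice([]string{"resource", "scope"}, false),`. The `type` block is cut off at the hunk edge, so it may already carry a validator or default further down; if it does, disregard this.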
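Review bot: `data.GetOk("scopes")` reports `ok == false` for an empty set as well as an unset one, so when a user removes the last scope from config the request carries a nil `Scopes`, which `encoding/json` marshals as `"scopes": null` rather than `[]`; whether Keycloak treats `null` as "detach all scopes" or "leave unchanged" is not visible here and should be confirmed, otherwise the removal never lands and every subsequent plan shows drift. If it does not clear, initialise with `var scopes = []string{}` so an empty set is sent explicitly. The same question already applies to `resources` and `policies`, which this hunk merely mirrors, so a short comment recording the confirmed Keycloak behaviour above these three loops would save the next maintainer the investigation.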
From: Aria Date: Tue, 18 Feb 2020 14:46:54 -0500 Subject: [PATCH 2/4] working on tests for scopes --- makefile | 2 +- ..._openid_client_authorization_permission.go | 9 +++++++- ...id_client_authorization_permission_test.go | 21 ++++++++++++------- 3 files changed, 23 insertions(+), 9 deletions(-) diff --git a/makefile b/makefile index aa01f57f7..fe0e6eda5 100644 --- a/makefile +++ b/makefile @@ -22,7 +22,7 @@ fmt: gofmt -w -s $(GOFMT_FILES) test: fmtcheck vet - go test $(TEST) + go test $(TEST) -v -run TestAccKeycloakOpenidClientAuthorizationPermission* testacc: fmtcheck vet TF_ACC=1 go test -timeout 20m $(TEST) -v $(TESTARGS) diff --git a/provider/resource_keycloak_openid_client_authorization_permission.go b/provider/resource_keycloak_openid_client_authorization_permission.go index 0ce890f00..ecc5845b8 100644 --- a/provider/resource_keycloak_openid_client_authorization_permission.go +++ b/provider/resource_keycloak_openid_client_authorization_permission.go @@ -1,11 +1,13 @@ package provider import ( + "encoding/json" "fmt" + "strings" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/helper/validation" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "strings" ) var ( @@ -87,10 +89,15 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) * } } if v, ok := data.GetOk("scopes"); ok { + fmt.Println("im a cowowowowowowoowow i can do this") for _, scope := range v.(*schema.Set).List() { scopes = append(scopes, scope.(string)) } } + + da, _ := json.Marshal(scopes) + fmt.Println(string(da), "im hererhe", string(data.Id())) + permission := keycloak.OpenidClientAuthorizationPermission{ Id: data.Id(), ResourceServerId: data.Get("resource_server_id").(string), diff --git a/provider/resource_keycloak_openid_client_authorization_permission_test.go b/provider/resource_keycloak_openid_client_authorization_permission_test.go index 721a61784..8b7e8a356 100644 
--- a/provider/resource_keycloak_openid_client_authorization_permission_test.go +++ b/provider/resource_keycloak_openid_client_authorization_permission_test.go @@ -2,11 +2,12 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "testing" ) func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) { @@ -31,10 +32,10 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) { func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy(t *testing.T) { var authorizationPermission = &keycloak.OpenidClientAuthorizationPermission{} - realmName := "terraform-" + acctest.RandString(10) - clientId := "terraform-" + acctest.RandString(10) - resourceName := "terraform-" + acctest.RandString(10) - permissionName := "terraform-" + acctest.RandString(10) + realmName := "terraform-cow-" + acctest.RandString(10) + clientId := "terraform-cow-" + acctest.RandString(10) + resourceName := "terraform-cow-" + acctest.RandString(10) + permissionName := "terraform-cow-" + acctest.RandString(10) resource.Test(t, resource.TestCase{ Providers: testAccProviders, @@ -190,6 +191,9 @@ func getKeycloakOpenidClientAuthorizationPermissionFromState(s *terraform.State, return nil, fmt.Errorf("error getting authorization permission config with id %s: %s", id, err) } + // fmap, _ := json.Marshal(authorizationPermission) + // fmt.Println(string(fmap)) + return authorizationPermission, nil } 
@@ -230,7 +234,9 @@ resource keycloak_openid_client_authorization_permission test { realm_id = "${keycloak_realm.test.id}" name = "%s" policies = ["${data.keycloak_openid_client_authorization_policy.default.id}"] - resources = ["${keycloak_openid_client_authorization_resource.test.id}"] + resources = ["${keycloak_openid_client_authorization_resource.test.id}"] + scopes = ["ff251544-cdbf-4ba4-b473-fca63e54e95d"] + } `, realm, clientId, resourceName, permissionName) } @@ -260,7 +266,8 @@ data keycloak_openid_client_authorization_policy default { resource keycloak_openid_client_authorization_resource resource { resource_server_id = "${keycloak_openid_client.test.resource_server_id}" name = "%s" - realm_id = "${keycloak_realm.test.id}" + realm_id = "${keycloak_realm.test.id}" + scopes = ["email", "admin"] uris = [ "/endpoint/*" From 4c438fa009427f39a32542b80ccf839351705e8d Mon Sep 17 00:00:00 2001 From: Aria Date: Wed, 19 Feb 2020 15:04:06 -0500 Subject: [PATCH 3/4] added tests for scope permissions --- makefile | 2 +- ..._openid_client_authorization_permission.go | 5 -- ...id_client_authorization_permission_test.go | 54 +++++++++++-------- 3 files changed, 34 insertions(+), 27 deletions(-) diff --git a/makefile b/makefile index fe0e6eda5..aa01f57f7 100644 --- a/makefile +++ b/makefile @@ -22,7 +22,7 @@ fmt: gofmt -w -s $(GOFMT_FILES) test: fmtcheck vet - go test $(TEST) -v -run TestAccKeycloakOpenidClientAuthorizationPermission* + go test $(TEST) testacc: fmtcheck vet TF_ACC=1 go test -timeout 20m $(TEST) -v $(TESTARGS) diff --git a/provider/resource_keycloak_openid_client_authorization_permission.go b/provider/resource_keycloak_openid_client_authorization_permission.go index ecc5845b8..2fc16aa54 100644 --- a/provider/resource_keycloak_openid_client_authorization_permission.go +++ b/provider/resource_keycloak_openid_client_authorization_permission.go @@ -1,7 +1,6 @@ package provider import ( - "encoding/json" "fmt" "strings" 
@@ -89,15 +88,11 @@ func getOpenidClientAuthorizationPermissionFromData(data *schema.ResourceData) * } } if v, ok := data.GetOk("scopes"); ok { - fmt.Println("im a cowowowowowowoowow i can do this") for _, scope := range v.(*schema.Set).List() { scopes = append(scopes, scope.(string)) } } - da, _ := json.Marshal(scopes) - fmt.Println(string(da), "im hererhe", string(data.Id())) - permission := keycloak.OpenidClientAuthorizationPermission{ Id: data.Id(), ResourceServerId: data.Get("resource_server_id").(string), diff --git a/provider/resource_keycloak_openid_client_authorization_permission_test.go b/provider/resource_keycloak_openid_client_authorization_permission_test.go index 8b7e8a356..3e7ef4da0 100644 --- a/provider/resource_keycloak_openid_client_authorization_permission_test.go +++ b/provider/resource_keycloak_openid_client_authorization_permission_test.go @@ -15,6 +15,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) { clientId := "terraform-" + acctest.RandString(10) resourceName := "terraform-" + acctest.RandString(10) permissionName := "terraform-" + acctest.RandString(10) + scopeName := "terraform-" + acctest.RandString(10) resource.Test(t, resource.TestCase{ Providers: testAccProviders, @@ -22,7 +23,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) { CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(), Steps: []resource.TestStep{ { - Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName), + Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName, scopeName), Check: testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"), }, }, 
@@ -32,10 +33,11 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basic(t *testing.T) { func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy(t *testing.T) { var authorizationPermission = &keycloak.OpenidClientAuthorizationPermission{} - realmName := "terraform-cow-" + acctest.RandString(10) - clientId := "terraform-cow-" + acctest.RandString(10) - resourceName := "terraform-cow-" + acctest.RandString(10) - permissionName := "terraform-cow-" + acctest.RandString(10) + realmName := "terraform-" + acctest.RandString(10) + clientId := "terraform-" + acctest.RandString(10) + resourceName := "terraform-" + acctest.RandString(10) + permissionName := "terraform-" + acctest.RandString(10) + scopeName := "terraform-" + acctest.RandString(10) resource.Test(t, resource.TestCase{ Providers: testAccProviders, @@ -43,7 +45,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(), Steps: []resource.TestStep{ { - Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName), + Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName, scopeName), Check: testAccCheckKeycloakOpenidClientAuthorizationPermissionFetch("keycloak_openid_client_authorization_permission.test", authorizationPermission), }, { @@ -55,7 +57,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_createAfterManualDestroy t.Fatal(err) } }, - Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName), + Config: testKeycloakOpenidClientAuthorizationPermission_basic(realmName, clientId, resourceName, permissionName, scopeName), Check: testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"), }, }, 
@@ -68,6 +70,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateRealm(t *test clientId := "terraform-" + acctest.RandString(10) resourceName := "terraform-" + acctest.RandString(10) permissionName := "terraform-" + acctest.RandString(10) + scopeName := "terraform-" + acctest.RandString(10) resource.Test(t, resource.TestCase{ Providers: testAccProviders, @@ -75,14 +78,14 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateRealm(t *test CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(), Steps: []resource.TestStep{ { - Config: testKeycloakOpenidClientAuthorizationPermission_basic(firstRealm, clientId, resourceName, permissionName), + Config: testKeycloakOpenidClientAuthorizationPermission_basic(firstRealm, clientId, resourceName, permissionName, scopeName), Check: resource.ComposeTestCheckFunc( testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"), resource.TestCheckResourceAttr("keycloak_openid_client_authorization_permission.test", "realm_id", firstRealm), ), }, { - Config: testKeycloakOpenidClientAuthorizationPermission_basic(secondRealm, clientId, resourceName, permissionName), + Config: testKeycloakOpenidClientAuthorizationPermission_basic(secondRealm, clientId, resourceName, permissionName, scopeName), Check: resource.ComposeTestCheckFunc( testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"), resource.TestCheckResourceAttr("keycloak_openid_client_authorization_permission.test", "realm_id", secondRealm), 
@@ -95,6 +98,7 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateRealm(t *test func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateAll(t *testing.T) { realmName := "terraform-" + acctest.RandString(10) clientId := "terraform-" + acctest.RandString(10) + scopeName := "terraform-" + acctest.RandString(10) firstAuthrorizationPermission := &keycloak.OpenidClientAuthorizationPermission{ RealmId: realmName, @@ -114,11 +118,11 @@ func TestAccKeycloakOpenidClientAuthorizationPermission_basicUpdateAll(t *testin CheckDestroy: testAccCheckKeycloakOpenidClientAuthorizationPermissionDestroy(), Steps: []resource.TestStep{ { - Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, firstAuthrorizationPermission, acctest.RandString(10)), + Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, firstAuthrorizationPermission, acctest.RandString(10), scopeName), Check: testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"), }, { - Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, secondAuthrorizationPermission, acctest.RandString(10)), + Config: testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId, secondAuthrorizationPermission, acctest.RandString(10), scopeName), Check: testAccCheckKeycloakOpenidClientAuthorizationPermissionExists("keycloak_openid_client_authorization_permission.test"), }, }, 
@@ -191,13 +195,10 @@ func getKeycloakOpenidClientAuthorizationPermissionFromState(s *terraform.State, return nil, fmt.Errorf("error getting authorization permission config with id %s: %s", id, err) } - // fmap, _ := json.Marshal(authorizationPermission) - // fmt.Println(string(fmap)) - return authorizationPermission, nil } -func testKeycloakOpenidClientAuthorizationPermission_basic(realm, clientId, resourceName, permissionName string) string { +func testKeycloakOpenidClientAuthorizationPermission_basic(realm, clientId, resourceName, permissionName, scopeName string) string { return fmt.Sprintf(` resource keycloak_realm test { realm = "%s" @@ -229,19 +230,24 @@ resource keycloak_openid_client_authorization_resource test { ] } +resource keycloak_openid_client_authorization_scope test { + resource_server_id = "${keycloak_openid_client.test.resource_server_id}" + name = "%s" + realm_id = "${keycloak_realm.test.id}" +} + resource keycloak_openid_client_authorization_permission test { resource_server_id = "${keycloak_openid_client.test.resource_server_id}" realm_id = "${keycloak_realm.test.id}" name = "%s" policies = ["${data.keycloak_openid_client_authorization_policy.default.id}"] resources = ["${keycloak_openid_client_authorization_resource.test.id}"] - scopes = ["ff251544-cdbf-4ba4-b473-fca63e54e95d"] } - `, realm, clientId, resourceName, permissionName) + `, realm, clientId, resourceName, scopeName, permissionName) } -func testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId string, authorizationPermission *keycloak.OpenidClientAuthorizationPermission, resourceName string) string { +func testKeycloakOpenidClientAuthorizationPermission_basicFromInterface(clientId string, authorizationPermission *keycloak.OpenidClientAuthorizationPermission, resourceName, scopeName string) string { return fmt.Sprintf(` resource keycloak_realm test { realm = "%s" 
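Review bot: The `_basic` fixture now creates `keycloak_openid_client_authorization_scope.test` but nothing references it — the permission's `scopes` line was removed from this config in the same hunk — so the basic, createAfterManualDestroy and basicUpdateRealm tests do not exercise the new attribute at all, and as far as these hunks show no test in the series sets `type = "scope"`, leaving the `/permission/scope` create and update paths added in patch 1 uncovered. Either reference the scope, `scopes = ["${keycloak_openid_client_authorization_scope.test.id}"]`, or drop the unused resource; a dedicated scope-type permission test (a permission with `type = "scope"` and only `scopes` set) would be the real coverage for the client change.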
@@ -267,20 +273,26 @@ resource keycloak_openid_client_authorization_resource resource { resource_server_id = "${keycloak_openid_client.test.resource_server_id}" name = "%s" realm_id = "${keycloak_realm.test.id}" - scopes = ["email", "admin"] uris = [ "/endpoint/*" ] } +resource keycloak_openid_client_authorization_scope test { + resource_server_id = "${keycloak_openid_client.test.resource_server_id}" + name = "%s" + realm_id = "${keycloak_realm.test.id}" +} + resource keycloak_openid_client_authorization_permission test { resource_server_id = "${keycloak_openid_client.test.resource_server_id}" realm_id = "${keycloak_realm.test.id}" name = "%s" policies = ["${data.keycloak_openid_client_authorization_policy.default.id}"] resources = ["${keycloak_openid_client_authorization_resource.resource.id}"] - description = "%s" + description = "%s" + scopes = ["${keycloak_openid_client_authorization_scope.test.id}"] } - `, authorizationPermission.RealmId, clientId, resourceName, authorizationPermission.Name, authorizationPermission.Description) + `, authorizationPermission.RealmId, clientId, resourceName, scopeName, authorizationPermission.Name, authorizationPermission.Description) } From e8ceb9e0e4573c63204c6bab67a9014fd82927af Mon Sep 17 00:00:00 2001 From: Aria Date: Wed, 19 Feb 2020 15:14:08 -0500 Subject: [PATCH 4/4] added example to main.tf for keycloak_openid_client_authorization_permission scopes --- example/main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/example/main.tf b/example/main.tf index 0284e68b4..d9848e3a2 100644 --- a/example/main.tf +++ b/example/main.tf @@ -606,6 +606,10 @@ resource "keycloak_openid_client_authorization_permission" "resource" { resources = [ "${keycloak_openid_client_authorization_resource.resource.id}", ] + + scopes = [ + "${keycloak_openid_client_authorization_scope.resource.id}" + ] } resource "keycloak_openid_client_authorization_resource" "resource" {
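Review bot: `_basicFromInterface` now sets `scopes`, but the only check run against it in basicUpdateAll is the Exists helper, so a read that comes back with an empty scope list (or the `null`-vs-`[]` drift case) would still pass. Add a read-back assertion to those steps, e.g. `resource.TestCheckResourceAttr("keycloak_openid_client_authorization_permission.test", "scopes.#", "1")`, composed with the Exists check. The `description = "%s"` line changes only in indentation; leaving whitespace-only churn out keeps the test diff focused on the new attribute.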