-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added user attributes, client auth resources, service account roles #104
Conversation
…rm-provider-keycloak into client-resources
@mrparkers
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contributions!
I'm okay with the addition of all of these resources and data sources in one PR, but I'm a little uneasy about also upgrading Keycloak to 6.0.1 in the same PR. Would you be okay with opening a smaller PR that only contains the changes needed for the 6.0.1 upgrade? I can merge that one first, and you can rebase this PR with master to continue with these changes.
Also, since this is the first time data sources will be supported (thank you for this by the way), we may need to make some significant changes to the file names. The convention for all of the other Terraform providers I've seen prefixes all resources with resource_
and all data sources with data_
. I'm not sure why I didn't do this from the start 😢. Would you be okay with opening a separate PR that contains only those changes, as well as the new data sources? I'm afraid this PR will be massive if we make all of the file name changes here.
keycloak/group.go
Outdated
} | ||
|
||
func (keycloakClient *KeycloakClient) ListGroupsWithName(realmId, name string) ([]*Group, error) { | ||
var groups []*Group | ||
|
||
err := keycloakClient.get(fmt.Sprintf("/realms/%s/groups?search=%s", realmId, url.QueryEscape(name)), &groups) | ||
err := keycloakClient.get(fmt.Sprintf("/realms/%s/groups?search=%s", realmId, url.QueryEscape(name)), &groups, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you added the params
argument to the get
method, would you mind updating this line to use that argument for the search
param here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
keycloak/openid_client.go
Outdated
|
||
err := keycloakClient.get(fmt.Sprintf("/realms/%s/clients?clientId=%s", realmId, clientId), &clients) | ||
err := keycloakClient.get(fmt.Sprintf("/realms/%s/clients?clientId=%s", realmId, clientId), &clients, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you update this line to use the new params
argument for the clientId
param?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
keycloak/user.go
Outdated
} | ||
|
||
func (keycloakClient *KeycloakClient) GetUserByUsername(realmId, username string) (*User, error) { | ||
var users []*User | ||
|
||
err := keycloakClient.get(fmt.Sprintf("/realms/%s/users?username=%s", realmId, url.QueryEscape(username)), &users) | ||
err := keycloakClient.get(fmt.Sprintf("/realms/%s/users?username=%s", realmId, url.QueryEscape(username)), &users, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you update this line to use the new params
argument for the username
param?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
) | ||
|
||
func dataSourceKeycloakOpenidClient() *schema.Resource { | ||
return &schema.Resource{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could the schema for the openid_client
resource be re-used here instead of defining it again?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume the answer is no since the data
attributes will almost all be Computed
, but I want to hear your thoughts on this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, now the only difference is that data source attributes are computed, but usually data source scheme has bigger differences. I would like to leave it as it is
type OpenidClientAuthorizationSettings struct { | ||
PolicyEnforcementMode string `json:"policyEnforcementMode,omitempty"` | ||
AllowRemoteResourceManagement bool `json:"allowRemoteResourceManagement,omitempty"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these new structs and methods can probably be moved to their own files, unless there is a specific reason you wanted them here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@@ -129,6 +129,10 @@ func TestAccKeycloakOpenidClient_updateInPlace(t *testing.T) { | |||
directAccessGrantsEnabled := randomBool() | |||
serviceAccountsEnabled := randomBool() | |||
|
|||
if !standardFlowEnabled { | |||
implicitFlowEnabled = !standardFlowEnabled | |||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the reason for this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least standard or implicit flow should be enabled to set valid redirect URI
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that new behavior with version 5.0.0 or 6.0.0 of Keycloak. I realize that there is no point in setting valid redirect uris without either of these two flows enabled, but I don't believe Keycloak 4.8.3 requires it.
I'm fine with keeping this change, I was just curious what the context was.
provider/keycloak_openid_client.go
Outdated
serviceAccountUserId = serviceAccountUser.Id | ||
} | ||
|
||
setOpenidClientData(data, client, serviceAccountUserId) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This block of code (lines 301 - 311) seems to be repeated multiple times. Could you update the setOpenidClientData
to do this instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
keycloak/openid_client.go
Outdated
ContainerId: clientId, | ||
ServiceAccountUserId: serviceAccountUserId, | ||
}) | ||
err := keycloakClient.get(fmt.Sprintf("/realms/%s/users/%s/role-mappings/clients/%s", realm, serviceAccountUserId, clientId), &serviceAccountRoles, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand what's going on here. It looks like you're initializing the serviceAccountRoles
slice with a single element, but then it's immediately being overwritten by this line. Is there a reason for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
keycloak/openid_client.go
Outdated
|
||
func (keycloakClient *KeycloakClient) DeleteOpenidClientServiceAccountRole(realm, serviceAccountUserId, clientId, roleId string) error { | ||
serviceAccountRoles := []OpenidClientServiceAccountRole{} | ||
serviceAccountRoles = append(serviceAccountRoles, OpenidClientServiceAccountRole{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment as above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
keycloak/openid_client.go
Outdated
} | ||
serviceAccountRole.Id = role.Id | ||
serviceAccountRoles := []OpenidClientServiceAccountRole{} | ||
serviceAccountRoles = append(serviceAccountRoles, *serviceAccountRole) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you need to use append
here? I think you could just initialize the slice with the single element instead of making it empty and adding to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
…r-keycloak into client-resources
…rm-provider-keycloak into client-resources
…rm-provider-keycloak into client-resources
@mrparkers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks for the continued contributions!
No description provided.