Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add client auth policies #246

Merged
merged 28 commits into from
Mar 10, 2020
Merged

Conversation

chopshop1
Copy link

moved @yspotts pr #221

@@ -64,16 +64,20 @@ jobs:
docker:
- <<: *go_image
- image: jboss/keycloak:7.0.1
command: ["-b", "0.0.0.0", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can add this snippet to the keycloak_env anchor so it can be reused in the other test job

@@ -0,0 +1,174 @@
resource keycloak_realm test {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think most of these examples are going to conflict with the pre-existing main.tf file in the example folder. Could you rename the resources in this file so they don't conflict with main.tf? It's okay to hardcode any strings you want here, these files really just serve as an example of how to use the provider.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are also free to reuse the resources that have already been created in main.tf, meaning that you can just leave them in that file and use variable interpolation to depend on them (like you are on line 12).

@@ -280,6 +281,7 @@ func (keycloakClient *KeycloakClient) sendRequest(request *http.Request) ([]byte
}

if response.StatusCode >= 400 {
fmt.Println(string(body), "Error with the response")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're already printing the body on line 280, is there a reason this is needed?

In case you weren't aware, you can set the environment variable TF_LOG to DEBUG to enable debug logging which should print out a bunch of http request/response information.

resource.Test(t, resource.TestCase{
Providers: testAccProviders,
PreCheck: func() { testAccPreCheck(t) },
// CheckDestroy: testResourceKeycloakOpenidClientAuthorizationAggregatePolicyDestroy(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a reason this is commented out?

})
}

func testResourceKeycloakOpenidClientAuthorizationAggregatePolicy_basic(realm, clientId string) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: could you move this function to the bottom of this file?

})
}

func testResourceKeycloakOpenidClientAuthorizationGroupPolicy_basic(realm, clientId string) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: can you move this to the bottom of the file?

})
}

func testResourceKeycloakOpenidClientAuthorizationJSPolicy_basic(realm, clientId string) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: can you move this to the bottom of the file?

Type: schema.TypeString,
Optional: true,
},
"role": {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see in the GUI that this policy supports realm roles and client roles, which is this attribute supposed to represent? And it looks like I can add more than one role to the policy, is there a reason you specified MinItems to be 1?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just checked the Chrome network inspector when creating a role policy, and I see that while bifurcated in the UI, the API call combines all the roles into one object:
image

Note the request above had one realm role and one client role.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the reason for min items equaling 1 is because a role policy essentially does nothing if there are no roles specified.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Ryan!
@mrparkers I can remove the MinItems if you'd like.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad, I misread MinItems to be MaxItems. Thanks for the clarification on the roles.

})
}

func testResourceKeycloakOpenidClientAuthorizationTimePolicy_basic(realm, policyName, clientId string) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: can you move this to the bottom of the file?

})
}

func testResourceKeycloakOpenidClientAuthorizationUserPolicy_basic(realm, clientId string) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: can you move this to the bottom of the file?

@chopshop1
Copy link
Author

@mrparkers I made the requested changes! Could you please take another look.

@mrparkers
Copy link
Contributor

The changes you made so far look good, although there are still 5 other comments I left that I didn't see changes for.

I think GitHub collapses comments when there are too many, I had to click "Load More" on the part of the page that says "5 hidden conversations"

@chopshop1
Copy link
Author

Woops! Just made the last 5 changes. Let me know what you think.
@mrparkers

"fmt"
)

func logicKeyValidation(val interface{}, key string) (warns []string, errs []error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this! Although I probably should have let you know about the validation package which gives you the StringInSlice function that could have made this implementation easier. Take a look at this example: https://github.com/mrparkers/terraform-provider-keycloak/blob/f4770b0a3726a82d0fd0176cba328b4b2dda1389/provider/resource_keycloak_ldap_user_federation.go#L65

Could you change this to use this function?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh cool! Just replaced that with the validation package. 👍

@mrparkers
Copy link
Contributor

I left another comment that might be hard to see since it's in the collapsed conversation: #246 (comment)

Copy link
Contributor

@mrparkers mrparkers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making the changes I suggested, LGTM

@mrparkers mrparkers merged commit c78a9c3 into keycloak:master Mar 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants