diff --git a/docs/resources/openid_default_client_scope.md b/docs/resources/openid_default_client_scope.md new file mode 100644 index 000000000..b631cbc6b --- /dev/null +++ b/docs/resources/openid_default_client_scope.md @@ -0,0 +1,35 @@ +--- +page_title: "keycloak_openid_default_client_scope Resource" +--- + +# keycloak\_openid\_default\_client\_scope Resource + +Manages a **realm-wide default client scope** in Keycloak. When a default client scope is assigned at the realm level, it is automatically applied to all new clients in the realm that use the OpenID Connect protocol. The protocol mappers defined within the scope are included by default in the claims for all clients, regardless of the provided OAuth2.0 `scope` parameter. + +> **Note:** Using `keycloak_openid_default_client_scope` will conflict with `keycloak_realm.default_default_client_scopes`. + +Unlike the list-based resource (`keycloak_openid_client_default_scopes`), this resource is **not** authoritative for realm-wide default client scopes. Instead, it allows you to add or manage a single client scope without modifying other default client scopes already present in the realm. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_openid_client_scope" "openid_client_scope" { + realm_id = keycloak_realm.realm.id + name = "groups" +} + +resource "keycloak_openid_default_client_scope" "openid_default_client_scope" { + realm_id = keycloak_realm.realm.id + client_scope_id = keycloak_openid_client_scope.client_scope.id +} +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this client scope belongs to. +- `client_scope_id` - (Required) The client scope to manage. diff --git a/docs/resources/openid_optional_client_scope.md b/docs/resources/openid_optional_client_scope.md new file mode 100644 index 000000000..4a48ab97e --- /dev/null +++ b/docs/resources/openid_optional_client_scope.md @@ -0,0 +1,35 @@ +--- +page_title: "keycloak_openid_optional_client_scope Resource" +--- + +# keycloak\_openid\_optional\_client\_scope Resource + +Manages a **realm-wide optional client scope** in Keycloak. When an optional client scope is assigned at the realm level, it automatically applies to all new clients in the realm that use the OpenID Connect protocol. The protocol mappers defined within the scope become available to build claims for any client that requests them by including the OAuth2.0 `scope` parameter. + +> **Note:** Using `keycloak_openid_optional_client_scope` will conflict with `keycloak_realm.default_optional_client_scopes`. + +Unlike the list-based resource (`keycloak_openid_client_optional_scopes`), this resource is **not** authoritative for realm-wide optional client scopes. Instead, it allows you to add or manage a single client scope without modifying other optional client scopes already present in the realm. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_openid_client_scope" "openid_client_scope" { + realm_id = keycloak_realm.realm.id + name = "groups" +} + +resource "keycloak_openid_optional_client_scope" "openid_optional_client_scope" { + realm_id = keycloak_realm.realm.id + client_scope_id = keycloak_openid_client_scope.client_scope.id +} +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this client scope belongs to. +- `client_scope_id` - (Required) The client scope to manage. diff --git a/keycloak/openid_default_client_scope.go b/keycloak/openid_default_client_scope.go new file mode 100644 index 000000000..956b92eb4 --- /dev/null +++ b/keycloak/openid_default_client_scope.go @@ -0,0 +1,31 @@ +package keycloak + +import ( + "context" + "fmt" +) + +func (keycloakClient *KeycloakClient) GetOpenidRealmDefaultClientScope(ctx context.Context, realmId, clientScopeId string) (*OpenidClientScope, error) { + var clientScopes []OpenidClientScope + + err := keycloakClient.get(ctx, fmt.Sprintf("/realms/%s/default-default-client-scopes", realmId), &clientScopes, nil) + if err != nil { + return nil, err + } + + for _, clientScope := range clientScopes { + if clientScope.Id == clientScopeId { + return &clientScope, nil + } + } + + return nil, err +} + +func (keycloakClient *KeycloakClient) PutOpenidRealmDefaultClientScope(ctx context.Context, realmId, clientScopeId string) error { + return keycloakClient.put(ctx, fmt.Sprintf("/realms/%s/default-default-client-scopes/%s", realmId, clientScopeId), nil) +} + +func (keycloakClient *KeycloakClient) DeleteOpenidRealmDefaultClientScope(ctx context.Context, realmId, clientScopeId string) error { + return keycloakClient.delete(ctx, fmt.Sprintf("/realms/%s/default-default-client-scopes/%s", realmId, clientScopeId), nil) +} diff --git a/keycloak/openid_optional_client_scope.go b/keycloak/openid_optional_client_scope.go new file mode 100644 index 000000000..07786b433 --- /dev/null +++ b/keycloak/openid_optional_client_scope.go @@ -0,0 +1,31 @@ +package keycloak + +import ( + "context" + "fmt" +) + +func (keycloakClient *KeycloakClient) GetOpenidRealmOptionalClientScope(ctx context.Context, realmId, clientScopeId string) (*OpenidClientScope, error) { + var clientScopes []OpenidClientScope + + err := keycloakClient.get(ctx, fmt.Sprintf("/realms/%s/default-optional-client-scopes", realmId), &clientScopes, nil) + if err != nil { + return nil, err + } + + for _, clientScope := range clientScopes { + if clientScope.Id == clientScopeId { + return &clientScope, nil + } + } + + return nil, err +} + +func (keycloakClient *KeycloakClient) PutOpenidRealmOptionalClientScope(ctx context.Context, realmId, clientScopeId string) error { + return keycloakClient.put(ctx, fmt.Sprintf("/realms/%s/default-optional-client-scopes/%s", realmId, clientScopeId), nil) +} + +func (keycloakClient *KeycloakClient) DeleteOpenidRealmOptionalClientScope(ctx context.Context, realmId, clientScopeId string) error { + return keycloakClient.delete(ctx, fmt.Sprintf("/realms/%s/default-optional-client-scopes/%s", realmId, clientScopeId), nil) +} diff --git a/provider/provider.go b/provider/provider.go index a30091284..01656580d 100644 --- a/provider/provider.go +++ b/provider/provider.go @@ -49,6 +49,8 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider { "keycloak_user_roles": resourceKeycloakUserRoles(), "keycloak_openid_client": resourceKeycloakOpenidClient(), "keycloak_openid_client_scope": resourceKeycloakOpenidClientScope(), + "keycloak_openid_default_client_scope": resourceKeycloakOpenidDefaultClientScope(), + "keycloak_openid_optional_client_scope": resourceKeycloakOpenidOptionalClientScope(), "keycloak_ldap_user_federation": resourceKeycloakLdapUserFederation(), "keycloak_ldap_user_attribute_mapper": resourceKeycloakLdapUserAttributeMapper(), "keycloak_ldap_group_mapper": resourceKeycloakLdapGroupMapper(), diff --git a/provider/resource_keycloak_openid_client_scope.go b/provider/resource_keycloak_openid_client_scope.go index 77e626a92..846765854 100644 --- a/provider/resource_keycloak_openid_client_scope.go +++ b/provider/resource_keycloak_openid_client_scope.go @@ -3,11 +3,12 @@ package provider import ( "context" "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/keycloak/terraform-provider-keycloak/keycloak/types" "strconv" "strings" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/keycloak/terraform-provider-keycloak/keycloak/types" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/keycloak/terraform-provider-keycloak/keycloak" ) diff --git a/provider/resource_keycloak_openid_default_client_scope.go b/provider/resource_keycloak_openid_default_client_scope.go new file mode 100644 index 000000000..a8c33820e --- /dev/null +++ b/provider/resource_keycloak_openid_default_client_scope.go @@ -0,0 +1,81 @@ +package provider + +import ( + "context" + "fmt" + "strings" + + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/keycloak/terraform-provider-keycloak/keycloak" +) + +func resourceKeycloakOpenidDefaultClientScope() *schema.Resource { + return &schema.Resource{ + CreateContext: resourceKeycloakOpenidDefaultClientScopeCreate, + ReadContext: resourceKeycloakOpenidDefaultClientScopesRead, + DeleteContext: resourceKeycloakOpenidDefaultClientScopeDelete, + Importer: &schema.ResourceImporter{ + StateContext: resourceKeycloakOpenidDefaultClientScopeImport, + }, + + Schema: map[string]*schema.Schema{ + "realm_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "client_scope_id": { + Type: schema.TypeString, + Required: true, + }, + }, + } +} + +func resourceKeycloakOpenidDefaultClientScopeCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + clientScopeId := data.Get("client_scope_id").(string) + + return diag.FromErr(keycloakClient.PutOpenidRealmDefaultClientScope(ctx, realmId, clientScopeId)) +} + +func resourceKeycloakOpenidDefaultClientScopesRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + clientScopeId := data.Get("client_scope_id").(string) + + clientScope, err := keycloakClient.GetOpenidRealmDefaultClientScope(ctx, realmId, clientScopeId) + if err != nil { + return handleNotFoundError(ctx, err, data) + } + + data.Set("client_scope_id", clientScope.Id) + data.Set("client_scope_name", clientScope.Name) + + return nil +} + +func resourceKeycloakOpenidDefaultClientScopeDelete(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + clientScopeId := data.Get("client_scope_id").(string) + + return diag.FromErr(keycloakClient.DeleteOpenidRealmDefaultClientScope(ctx, realmId, clientScopeId)) +} + +func resourceKeycloakOpenidDefaultClientScopeImport(_ context.Context, d *schema.ResourceData, _ interface{}) ([]*schema.ResourceData, error) { + parts := strings.Split(d.Id(), "/") + if len(parts) != 2 { + return nil, fmt.Errorf("Invalid import. Supported import formats: {{realmId}}/{{openidClientScopeId}}") + } + + d.Set("realm_id", parts[0]) + d.SetId(parts[1]) + + return []*schema.ResourceData{d}, nil +} diff --git a/provider/resource_keycloak_openid_default_client_scope_test.go b/provider/resource_keycloak_openid_default_client_scope_test.go new file mode 100644 index 000000000..d57ffaa2b --- /dev/null +++ b/provider/resource_keycloak_openid_default_client_scope_test.go @@ -0,0 +1,91 @@ +package provider + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccKeycloakDataSourceOpenidDefaultClientScope_basic(t *testing.T) { + t.Parallel() + clientId := acctest.RandomWithPrefix("tf-acc") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Steps: []resource.TestStep{ + { + Config: testAccKeycloakOpenidDefaultClientScope_basic(clientId), + Check: testAccCheckKeycloakOpenidClientHasDefaultScope("keycloak_openid_default_client_scope"), + }, + }, + }) +} + +func testAccCheckKeycloakOpenidClientHasDefaultScope(resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("resource not found: %s", resourceName) + } + + realm := rs.Primary.Attributes["realm_id"] + clientScopeId := rs.Primary.Attributes["client_scope_id"] + + var client string + if strings.HasPrefix(resourceName, "keycloak_openid_client.") { + client = rs.Primary.Attributes["client_id"] + } else { + client = rs.Primary.ID + } + + keycloakDefaultClientScopes, err := keycloakClient.GetOpenidClientDefaultScopes(testCtx, realm, client) + + if err != nil { + return err + } + + var found = false + for _, keycloakDefaultScope := range keycloakDefaultClientScopes { + if keycloakDefaultScope.Id == clientScopeId { + found = true + + break + } + } + + if !found { + return fmt.Errorf("default scope %s is not assigned to client", clientScopeId) + } + + return nil + } +} + +func testAccKeycloakOpenidDefaultClientScope_basic(clientId string) string { + return fmt.Sprintf(` +resource "keycloak_realm" "realm" { + realm = "%s" + enabled = true +} + +resource "keycloak_openid_client_scope" "openid_client_scope" { + realm_id = keycloak_realm.realm.id + name = "groups" +} + +resource "keycloak_openid_default_client_scope" "openid_default_client_scope" { + realm_id = keycloak_realm.realm.id + client_scope_id = keycloak_openid_client_scope.client_scope.id +} + +resource "keycloak_openid_client" "openid_client" { + realm_id = keycloak_realm.realm.id + client_id = "%s" +} +`, testAccRealm.Realm, clientId) +} diff --git a/provider/resource_keycloak_openid_optional_client_scope.go b/provider/resource_keycloak_openid_optional_client_scope.go new file mode 100644 index 000000000..62c9385b7 --- /dev/null +++ b/provider/resource_keycloak_openid_optional_client_scope.go @@ -0,0 +1,81 @@ +package provider + +import ( + "context" + "fmt" + "strings" + + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/keycloak/terraform-provider-keycloak/keycloak" +) + +func resourceKeycloakOpenidOptionalClientScope() *schema.Resource { + return &schema.Resource{ + CreateContext: resourceKeycloakOpenidOptionalClientScopeCreate, + ReadContext: resourceKeycloakOpenidOptionalClientScopesRead, + DeleteContext: resourceKeycloakOpenidOptionalClientScopeDelete, + Importer: &schema.ResourceImporter{ + StateContext: resourceKeycloakOpenidOptionalClientScopeImport, + }, + + Schema: map[string]*schema.Schema{ + "realm_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "client_scope_id": { + Type: schema.TypeString, + Required: true, + }, + }, + } +} + +func resourceKeycloakOpenidOptionalClientScopeCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + clientScopeId := data.Get("client_scope_id").(string) + + return diag.FromErr(keycloakClient.PutOpenidRealmOptionalClientScope(ctx, realmId, clientScopeId)) +} + +func resourceKeycloakOpenidOptionalClientScopesRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + clientScopeId := data.Get("client_scope_id").(string) + + clientScope, err := keycloakClient.GetOpenidRealmOptionalClientScope(ctx, realmId, clientScopeId) + if err != nil { + return handleNotFoundError(ctx, err, data) + } + + data.Set("client_scope_id", clientScope.Id) + data.Set("client_scope_name", clientScope.Name) + + return nil +} + +func resourceKeycloakOpenidOptionalClientScopeDelete(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + clientScopeId := data.Get("client_scope_id").(string) + + return diag.FromErr(keycloakClient.DeleteOpenidRealmOptionalClientScope(ctx, realmId, clientScopeId)) +} + +func resourceKeycloakOpenidOptionalClientScopeImport(_ context.Context, d *schema.ResourceData, _ interface{}) ([]*schema.ResourceData, error) { + parts := strings.Split(d.Id(), "/") + if len(parts) != 2 { + return nil, fmt.Errorf("Invalid import. Supported import formats: {{realmId}}/{{openidClientScopeId}}") + } + + d.Set("realm_id", parts[0]) + d.SetId(parts[1]) + + return []*schema.ResourceData{d}, nil +} diff --git a/provider/resource_keycloak_openid_optional_client_scope_test.go b/provider/resource_keycloak_openid_optional_client_scope_test.go new file mode 100644 index 000000000..22e8b304c --- /dev/null +++ b/provider/resource_keycloak_openid_optional_client_scope_test.go @@ -0,0 +1,91 @@ +package provider + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccKeycloakDataSourceOpenidOptionalClientScope_basic(t *testing.T) { + t.Parallel() + clientId := acctest.RandomWithPrefix("tf-acc") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Steps: []resource.TestStep{ + { + Config: testAccKeycloakOpenidOptionalClientScope_basic(clientId), + Check: testAccCheckKeycloakOpenidClientHasOptionalScope("keycloak_openid_optional_client_scope"), + }, + }, + }) +} + +func testAccCheckKeycloakOpenidClientHasOptionalScope(resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("resource not found: %s", resourceName) + } + + realm := rs.Primary.Attributes["realm_id"] + clientScopeId := rs.Primary.Attributes["client_scope_id"] + + var client string + if strings.HasPrefix(resourceName, "keycloak_openid_client.") { + client = rs.Primary.Attributes["client_id"] + } else { + client = rs.Primary.ID + } + + keycloakOptionalClientScopes, err := keycloakClient.GetOpenidClientOptionalScopes(testCtx, realm, client) + + if err != nil { + return err + } + + var found = false + for _, keycloakOptionalScope := range keycloakOptionalClientScopes { + if keycloakOptionalScope.Id == clientScopeId { + found = true + + break + } + } + + if !found { + return fmt.Errorf("default scope %s is not assigned to client", clientScopeId) + } + + return nil + } +} + +func testAccKeycloakOpenidOptionalClientScope_basic(clientId string) string { + return fmt.Sprintf(` +resource "keycloak_realm" "realm" { + realm = "%s" + enabled = true +} + +resource "keycloak_openid_client_scope" "openid_client_scope" { + realm_id = keycloak_realm.realm.id + name = "groups" +} + +resource "keycloak_openid_default_client_scope" "openid_default_client_scope" { + realm_id = keycloak_realm.realm.id + client_scope_id = keycloak_openid_client_scope.client_scope.id +} + +resource "keycloak_openid_client" "openid_client" { + realm_id = keycloak_realm.realm.id + client_id = "%s" +} +`, testAccRealm.Realm, clientId) +}