fixes #965 by loading the authorization settings
missedone committed Jun 1, 2024
1 parent 3f6b75b commit 2ad9361
Showing 2 changed files with 74 additions and 0 deletions.
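--- a/provider/resource_keycloak_openid_client.go
+++ b/provider/resource_keycloak_openid_client.go
@@ -502,6 +502,15 @@ func setOpenidClientData(ctx context.Context, keycloakClient *keycloak.KeycloakC
 data.Set("access_type", "CONFIDENTIAL")
 }
 
+if client.AuthorizationSettings != nil {
+authorizationSettings := make(map[string]any)
+authorizationSettings["policy_enforcement_mode"] = client.AuthorizationSettings.PolicyEnforcementMode
+authorizationSettings["decision_strategy"] = client.AuthorizationSettings.DecisionStrategy
+authorizationSettings["allow_remote_resource_management"] = client.AuthorizationSettings.AllowRemoteResourceManagement
+authorizationSettings["keep_defaults"] = client.AuthorizationSettings.KeepDefaults
+data.Set("authorization", []interface{}{authorizationSettings})
+}
+
 if (keycloak.OpenidAuthenticationFlowBindingOverrides{}) == client.AuthenticationFlowBindingOverrides {
 data.Set("authentication_flow_binding_overrides", nil)
 } else {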
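Review bot: The added `if client.AuthorizationSettings != nil` block has no else branch, so when Keycloak returns the client without authorization settings, the `authorization` attribute already in state is left untouched. If authorization services were switched off outside Terraform, a plan would then show no drift on the policy enforcement settings. The `authentication_flow_binding_overrides` code directly below clears its attribute in the empty case, and the same here would be `} else { data.Set("authorization", nil) }`. `keep_defaults` is also copied from the client struct; if that field is not filled in from the API response (not visible on this page), every read would reset it to false, so that is worth confirming. setOpenidClientData starts and ends outside this hunk.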
65 changes: 65 additions & 0 deletions provider/resource_keycloak_openid_client_test.go
@@ -61,6 +61,23 @@ func TestAccKeycloakOpenidClient_basic_with_consent(t *testing.T) {
})
}

func TestAccKeycloakOpenidClient_basic_with_authorization(t *testing.T) {
t.Parallel()
clientId := acctest.RandomWithPrefix("tf-acc")

resource.Test(t, resource.TestCase{
ProviderFactories: testAccProviderFactories,
PreCheck: func() { testAccPreCheck(t) },
CheckDestroy: testAccCheckKeycloakOpenidClientDestroy(),
Steps: []resource.TestStep{
{
Config: testKeycloakOpenidClient_basic_with_authorization(clientId),
Check: testAccCheckKeycloakOpenidClientExistsWithCorrectAuthorizationSettings("keycloak_openid_client.client"),
},
},
})
}

func TestAccKeycloakOpenidClient_createAfterManualDestroy(t *testing.T) {
t.Parallel()
var client = &keycloak.OpenidClient{}
@@ -814,6 +831,29 @@ func testAccCheckKeycloakOpenidClientExistsWithCorrectConsentSettings(resourceNa
}
}

func testAccCheckKeycloakOpenidClientExistsWithCorrectAuthorizationSettings(resourceName string) resource.TestCheckFunc {
return func(s *terraform.State) error {
client, err := getOpenidClientFromState(s, resourceName)
if err != nil {
return err
}

if client.AuthorizationSettings == nil {
return fmt.Errorf("expected openid client to have authorization settings")
}

if client.AuthorizationSettings.DecisionStrategy != "AFFIRMATIVE" {
return fmt.Errorf("expected openid client to have decision_strategy %v, but got %v", "AFFIRMATIVE", client.AuthorizationSettings.DecisionStrategy)
}

if client.AuthorizationSettings.PolicyEnforcementMode != "ENFORCING" {
return fmt.Errorf("expected openid client to have policy_enforcement_mode %v, but got %v", "ENFORCING", client.AuthorizationSettings.PolicyEnforcementMode)
}

return nil
}
}

func testAccCheckKeycloakOpenidClientHasBackchannelSettings(resourceName, backchannelLogoutUrl string, backchannelLogoutSessionRequired, backchannelLogoutRevokeOfflineSessions bool) resource.TestCheckFunc {
return func(s *terraform.State) error {
client, err := getOpenidClientFromState(s, resourceName)
@@ -1284,6 +1324,31 @@ resource "keycloak_openid_client" "client" {
`, testAccRealm.Realm, clientId)
}

func testKeycloakOpenidClient_basic_with_authorization(clientId string) string {
return fmt.Sprintf(`
data "keycloak_realm" "realm" {
realm = "%s"
}
resource "keycloak_openid_client" "client" {
client_id = "%s"
realm_id = data.keycloak_realm.realm.id
access_type = "CONFIDENTIAL"
client_authenticator_type = "client-secret"
standard_flow_enabled = false
implicit_flow_enabled = false
direct_access_grants_enabled = false
service_accounts_enabled = true
authorization {
policy_enforcement_mode = "ENFORCING"
decision_strategy = "AFFIRMATIVE"
allow_remote_resource_management = "true"
}
}
`, testAccRealm.Realm, clientId)
}

func testKeycloakOpenidClient_AccessToken_basic(clientId, accessTokenLifespan string) string {
return fmt.Sprintf(`
data "keycloak_realm" "realm" {
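Review bot: The check in `testAccCheckKeycloakOpenidClientExistsWithCorrectAuthorizationSettings` reads the client back from Keycloak through `getOpenidClientFromState`, so it verifies what the create call sent rather than the read path into Terraform state that this commit changes. As written, the test would presumably pass without the fix in setOpenidClientData. A second step in `TestAccKeycloakOpenidClient_basic_with_authorization` with `ImportState: true` and `ImportStateVerify: true` (plus the resource name and whatever import ID handling the file's other tests use) would exercise the new code; `keep_defaults` may need listing in `ImportStateVerifyIgnore` if the API does not return it. The check also never asserts `AllowRemoteResourceManagement`, although the config sets `allow_remote_resource_management`.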
