From 359135abb311e16306ee457edc3530410ee0d180 Mon Sep 17 00:00:00 2001 From: Daniel Hoeggerl Date: Tue, 19 Oct 2021 13:32:37 +0200 Subject: [PATCH 1/4] feat: fine grained permissions for groups --- keycloak/groups_permissions.go | 39 ++++ provider/provider.go | 1 + .../resource_keycloak_groups_permissions.go | 187 ++++++++++++++++++ 3 files changed, 227 insertions(+) create mode 100644 keycloak/groups_permissions.go create mode 100644 provider/resource_keycloak_groups_permissions.go diff --git a/keycloak/groups_permissions.go b/keycloak/groups_permissions.go new file mode 100644 index 000000000..8c60420e7 --- /dev/null +++ b/keycloak/groups_permissions.go @@ -0,0 +1,39 @@ +package keycloak + +import ( + "fmt" +) + +type GroupsPermissionsInput struct { + Enabled bool `json:"enabled"` +} + +type GroupsPermissions struct { + RealmId string `json:"-"` + GroupId string `json:"-"` + Enabled bool `json:"enabled"` + Resource string `json:"resource"` + ScopePermissions map[string]interface{} `json:"scopePermissions"` +} + +func (keycloakClient *KeycloakClient) EnableGroupsPermissions(realmId, groupId string) error { + return keycloakClient.put(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), GroupsPermissionsInput{Enabled: true}) +} + +func (keycloakClient *KeycloakClient) DisableGroupsPermissions(realmId, groupId string) error { + return keycloakClient.put(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), GroupsPermissionsInput{Enabled: false}) +} + +func (keycloakClient *KeycloakClient) GetGroupsPermissions(realmId, groupId string) (*GroupsPermissions, error) { + var openidClientPermissions GroupsPermissions + + err := keycloakClient.get(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), &openidClientPermissions, nil) + if err != nil { + return nil, err + } + + openidClientPermissions.RealmId = realmId + openidClientPermissions.GroupId = groupId + + return &openidClientPermissions, nil +} diff --git a/provider/provider.go b/provider/provider.go index 726393ee4..2d106e9cb 100644 --- a/provider/provider.go +++ b/provider/provider.go @@ -109,6 +109,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider { "keycloak_openid_client_permissions": resourceKeycloakOpenidClientPermissions(), "keycloak_users_permissions": resourceKeycloakUsersPermissions(), "keycloak_user_groups": resourceKeycloakUserGroups(), + "keycloak_groups_permissions": resourceKeycloakGroupsPermissions(), }, Schema: map[string]*schema.Schema{ "client_id": { diff --git a/provider/resource_keycloak_groups_permissions.go b/provider/resource_keycloak_groups_permissions.go new file mode 100644 index 000000000..74c1bf9b0 --- /dev/null +++ b/provider/resource_keycloak_groups_permissions.go @@ -0,0 +1,187 @@ +package provider + +import ( + "fmt" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/mrparkers/terraform-provider-keycloak/keycloak" + "strings" +) + +func resourceKeycloakGroupsPermissions() *schema.Resource { + return &schema.Resource{ + Create: resourceKeycloakGroupsPermissionsCreate, + Read: resourceKeycloakGroupsPermissionsRead, + Delete: resourceKeycloakGroupsPermissionsDelete, + Update: resourceKeycloakGroupsPermissionsUpdate, + Importer: &schema.ResourceImporter{ + State: resourceKeycloakGroupsPermissionsImport, + }, + Schema: map[string]*schema.Schema{ + "realm_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "enabled": { + Type: schema.TypeBool, + Computed: true, + }, + "group_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "authorization_resource_server_id": { + Type: schema.TypeString, + Computed: true, + Description: "Resource server id representing the realm management client on which this permission is managed", + }, + "view_scope": scopePermissionsSchema(), + "manage_scope": scopePermissionsSchema(), + "view_members_scope": scopePermissionsSchema(), + "manage_members_scope": scopePermissionsSchema(), + "manage_membership_scope": scopePermissionsSchema(), + }, + } +} + +func groupPermissionsId(realmId, groupId string) string { + return fmt.Sprintf("%s/%s", realmId, groupId) +} + +func resourceKeycloakGroupsPermissionsCreate(data *schema.ResourceData, meta interface{}) error { + return resourceKeycloakGroupsPermissionsUpdate(data, meta) +} + +func resourceKeycloakGroupsPermissionsUpdate(data *schema.ResourceData, meta interface{}) error { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + groupId := data.Get("group_id").(string) + + // the existence of this resource implies that it is enabled. + err := keycloakClient.EnableGroupsPermissions(realmId, groupId) + if err != nil { + return err + } + + // setting scope permissions requires us to fetch the users permissions details, as well as the realm management client + groupPermissions, err := keycloakClient.GetGroupsPermissions(realmId, groupId) + if err != nil { + return err + } + + realmManagementClient, err := keycloakClient.GetOpenidClientByClientId(realmId, "realm-management") + if err != nil { + return err + } + + if viewScope, ok := data.GetOk("view_scope"); ok { + err := setOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["view"].(string), viewScope.(*schema.Set)) + if err != nil { + return err + } + } + if manageScope, ok := data.GetOk("manage_scope"); ok { + err := setOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage"].(string), manageScope.(*schema.Set)) + if err != nil { + return err + } + } + if viewMembersScope, ok := data.GetOk("view_members_scope"); ok { + err := setOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["view-members"].(string), viewMembersScope.(*schema.Set)) + if err != nil { + return err + } + } + if manageMembersScope, ok := data.GetOk("manage_members_scope"); ok { + err := setOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage-members"].(string), manageMembersScope.(*schema.Set)) + if err != nil { + return err + } + } + if manageMembershipScope, ok := data.GetOk("manage_membership_scope"); ok { + err := setOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage-membership"].(string), manageMembershipScope.(*schema.Set)) + if err != nil { + return err + } + } + + return resourceKeycloakGroupsPermissionsRead(data, meta) +} + +func resourceKeycloakGroupsPermissionsRead(data *schema.ResourceData, meta interface{}) error { + keycloakClient := meta.(*keycloak.KeycloakClient) + realmId := data.Get("realm_id").(string) + groupId := data.Get("group_id").(string) + + realmManagementClient, err := keycloakClient.GetOpenidClientByClientId(realmId, "realm-management") + if err != nil { + return err + } + + groupPermissions, err := keycloakClient.GetGroupsPermissions(realmId, groupId) + if err != nil { + return handleNotFoundError(err, data) + } + + data.SetId(groupPermissions.RealmId) + data.Set("realm_id", groupPermissions.RealmId) + data.Set("group_id", groupPermissions.GroupId) + data.Set("enabled", groupPermissions.Enabled) + data.Set("authorization_resource_server_id", realmManagementClient.Id) + + if viewScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["view"].(string)); err == nil && viewScope != nil { + data.Set("view_scope", []interface{}{viewScope}) + } else if err != nil { + return err + } + + if manageScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage"].(string)); err == nil && manageScope != nil { + data.Set("manage_scope", []interface{}{manageScope}) + } else if err != nil { + return err + } + + if viewMembersScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["view-members"].(string)); err == nil && viewMembersScope != nil { + data.Set("map_roles_scope", []interface{}{viewMembersScope}) + } else if err != nil { + return err + } + + if manageMembersScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage-members"].(string)); err == nil && manageMembersScope != nil { + data.Set("manage_group_membership_scope", []interface{}{manageMembersScope}) + } else if err != nil { + return err + } + + if manageMembershipScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage-membership"].(string)); err == nil && manageMembershipScope != nil { + data.Set("impersonate_scope", []interface{}{manageMembershipScope}) + } else if err != nil { + return err + } + + return nil +} + +func resourceKeycloakGroupsPermissionsDelete(data *schema.ResourceData, meta interface{}) error { + keycloakClient := meta.(*keycloak.KeycloakClient) + + realmId := data.Get("realm_id").(string) + groupId := data.Get("group_id").(string) + + return keycloakClient.DisableGroupsPermissions(realmId, groupId) +} + +func resourceKeycloakGroupsPermissionsImport(d *schema.ResourceData, _ interface{}) ([]*schema.ResourceData, error) { + parts := strings.Split(d.Id(), "/") + if len(parts) != 2 { + return nil, fmt.Errorf("Invalid import. Supported import formats: {{realmId}}/{{groupId}}") + } + d.Set("realm_id", parts[0]) + d.Set("group_id", parts[1]) + + d.SetId(groupPermissionsId(parts[0], parts[1])) + + return []*schema.ResourceData{d}, nil +} From 024b8a7687e1df3efcd661d29c5fd3b380dec41b Mon Sep 17 00:00:00 2001 From: Daniel Hoeggerl Date: Tue, 19 Oct 2021 17:05:03 +0200 Subject: [PATCH 2/4] feat: add basic test case --- keycloak/groups_permissions.go | 10 +- .../resource_keycloak_groups_permissions.go | 11 +- ...source_keycloak_groups_permissions_test.go | 160 ++++++++++++++++++ 3 files changed, 171 insertions(+), 10 deletions(-) create mode 100644 provider/resource_keycloak_groups_permissions_test.go diff --git a/keycloak/groups_permissions.go b/keycloak/groups_permissions.go index 8c60420e7..7065ec31d 100644 --- a/keycloak/groups_permissions.go +++ b/keycloak/groups_permissions.go @@ -25,15 +25,15 @@ func (keycloakClient *KeycloakClient) DisableGroupsPermissions(realmId, groupId } func (keycloakClient *KeycloakClient) GetGroupsPermissions(realmId, groupId string) (*GroupsPermissions, error) { - var openidClientPermissions GroupsPermissions + var groupPermissions GroupsPermissions - err := keycloakClient.get(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), &openidClientPermissions, nil) + err := keycloakClient.get(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), &groupPermissions, nil) if err != nil { return nil, err } - openidClientPermissions.RealmId = realmId - openidClientPermissions.GroupId = groupId + groupPermissions.RealmId = realmId + groupPermissions.GroupId = groupId - return &openidClientPermissions, nil + return &groupPermissions, nil } diff --git a/provider/resource_keycloak_groups_permissions.go b/provider/resource_keycloak_groups_permissions.go index 74c1bf9b0..a99a678b0 100644 --- a/provider/resource_keycloak_groups_permissions.go +++ b/provider/resource_keycloak_groups_permissions.go @@ -2,9 +2,10 @@ package provider import ( "fmt" + "strings" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "strings" ) func resourceKeycloakGroupsPermissions() *schema.Resource { @@ -125,7 +126,7 @@ func resourceKeycloakGroupsPermissionsRead(data *schema.ResourceData, meta inter return handleNotFoundError(err, data) } - data.SetId(groupPermissions.RealmId) + data.SetId(groupPermissionsId(groupPermissions.RealmId, groupPermissions.GroupId)) data.Set("realm_id", groupPermissions.RealmId) data.Set("group_id", groupPermissions.GroupId) data.Set("enabled", groupPermissions.Enabled) @@ -144,19 +145,19 @@ func resourceKeycloakGroupsPermissionsRead(data *schema.ResourceData, meta inter } if viewMembersScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["view-members"].(string)); err == nil && viewMembersScope != nil { - data.Set("map_roles_scope", []interface{}{viewMembersScope}) + data.Set("view_members_scope", []interface{}{viewMembersScope}) } else if err != nil { return err } if manageMembersScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage-members"].(string)); err == nil && manageMembersScope != nil { - data.Set("manage_group_membership_scope", []interface{}{manageMembersScope}) + data.Set("manage_members_scope", []interface{}{manageMembersScope}) } else if err != nil { return err } if manageMembershipScope, err := getOpenidClientScopePermissionPolicy(keycloakClient, realmId, realmManagementClient.Id, groupPermissions.ScopePermissions["manage-membership"].(string)); err == nil && manageMembershipScope != nil { - data.Set("impersonate_scope", []interface{}{manageMembershipScope}) + data.Set("manage_membership_scope", []interface{}{manageMembershipScope}) } else if err != nil { return err } diff --git a/provider/resource_keycloak_groups_permissions_test.go b/provider/resource_keycloak_groups_permissions_test.go new file mode 100644 index 000000000..6843a4a0a --- /dev/null +++ b/provider/resource_keycloak_groups_permissions_test.go @@ -0,0 +1,160 @@ +package provider + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/mrparkers/terraform-provider-keycloak/keycloak" +) + +func TestAccKeycloakGroupPermission_basic(t *testing.T) { + groupName := acctest.RandomWithPrefix("tf-acc") + + resource.Test(t, resource.TestCase{ + ProviderFactories: testAccProviderFactories, + PreCheck: func() { testAccPreCheck(t) }, + Steps: []resource.TestStep{ + { + Config: testKeycloakGroupPermission_basic(groupName), + Check: testAccCheckKeycloakGroupPermissionExists("keycloak_groups_permissions.test"), + }, + { + ResourceName: "keycloak_groups_permissions.test", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccCheckKeycloakGroupPermissionExists(resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + permissions, err := getGroupPermissionsFromState(s, resourceName) + if err != nil { + return err + } + rs, ok := s.RootModule().Resources[resourceName] + + if !ok { + return fmt.Errorf("resource not found: %s", resourceName) + } + authorizationResourceServerId := rs.Primary.Attributes["authorization_resource_server_id"] + + var realmManagementId string + clients, _ := keycloakClient.GetOpenidClients(permissions.RealmId, false) + for _, client := range clients { + if client.ClientId == "realm-management" { + realmManagementId = client.Id + break + } + } + + if authorizationResourceServerId != realmManagementId { + return fmt.Errorf("computed authorizationResourceServerId %s was not equal to %s (the id of the realm-management client)", authorizationResourceServerId, realmManagementId) + } + // manage_members_scope + manageMembersScopePolicyId := rs.Primary.Attributes["manage_members_scope.0.policies.0"] + manageMembersScopeDescription := rs.Primary.Attributes["manage_members_scope.0.description"] + manageMembersScopeDecisionStrategy := rs.Primary.Attributes["manage_members_scope.0.decision_strategy"] + + authzClientManageMembersScope, err := keycloakClient.GetOpenidClientAuthorizationPermission(permissions.RealmId, realmManagementId, permissions.ScopePermissions["manage-members"].(string)) + if err != nil { + return err + } + policyId := authzClientManageMembersScope.Policies[0] + + if manageMembersScopePolicyId != policyId { + return fmt.Errorf("computed manageMembersScopePolicyId %s was not equal to policyId %s", manageMembersScopePolicyId, policyId) + } + + if authzClientManageMembersScope.Description != manageMembersScopeDescription { + return fmt.Errorf("DecisionStrategy %s was not equal to %s", authzClientManageMembersScope.DecisionStrategy, manageMembersScopeDescription) + } + + if authzClientManageMembersScope.DecisionStrategy != manageMembersScopeDecisionStrategy { + return fmt.Errorf("DecisionStrategy %s was not equal to %s", authzClientManageMembersScope.DecisionStrategy, manageMembersScopeDecisionStrategy) + } + + manageMembershipScope := rs.Primary.Attributes["manage_membership_scope"] + + if manageMembershipScope != "" { + return fmt.Errorf("manage_membership_scope found") + } + + return nil + } +} + +func getGroupPermissionsFromState(s *terraform.State, resourceName string) (*keycloak.GroupsPermissions, error) { + keycloakClient := testAccProvider.Meta().(*keycloak.KeycloakClient) + + rs, ok := s.RootModule().Resources[resourceName] + if !ok { + return nil, fmt.Errorf("resource not found: %s", resourceName) + } + + realmId := rs.Primary.Attributes["realm_id"] + groupId := rs.Primary.Attributes["group_id"] + + permissions, err := keycloakClient.GetGroupsPermissions(realmId, groupId) + if err != nil { + return nil, fmt.Errorf("error getting group permissions with realm id %s and group id %s : %s", realmId, groupId, err) + } + + return permissions, nil +} + +func testKeycloakGroupPermission_basic(groupName string) string { + return fmt.Sprintf(` +data "keycloak_realm" "realm" { + realm = "%s" +} + +data "keycloak_openid_client" "realm_management" { + realm_id = data.keycloak_realm.realm.id + client_id = "realm-management" +} + +resource "keycloak_openid_client_permissions" "realm-management_permission" { + realm_id = data.keycloak_realm.realm.id + client_id = data.keycloak_openid_client.realm_management.id +} + +resource "keycloak_group" "group" { + realm_id = data.keycloak_realm.realm.id + name = "%s" +} + +resource "keycloak_openid_client_group_policy" "test" { + realm_id = data.keycloak_realm.realm.id + resource_server_id = data.keycloak_openid_client.realm_management.id + name = "client_group_policy_test" + groups { + id = keycloak_group.group.id + path = keycloak_group.group.path + extend_children = false + } + logic = "POSITIVE" + decision_strategy = "UNANIMOUS" + depends_on = [ + keycloak_openid_client_permissions.realm-management_permission, + ] +} + +resource "keycloak_groups_permissions" "test" { + realm_id = data.keycloak_realm.realm.id + group_id = keycloak_group.group.id + manage_members_scope { + policies = [ + keycloak_openid_client_group_policy.test.id + ] + description = "mangage_members_scope" + decision_strategy = "UNANIMOUS" + } + +} + `, testAccRealm.Realm, groupName) +} From 2b62b3609ef44f4d0b73a18468c65c51dbbd1bb3 Mon Sep 17 00:00:00 2001 From: Daniel Hoeggerl Date: Wed, 20 Oct 2021 09:44:39 +0200 Subject: [PATCH 3/4] feat: add documentation --- docs/resources/groups_permissions.md | 99 ++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 docs/resources/groups_permissions.md diff --git a/docs/resources/groups_permissions.md b/docs/resources/groups_permissions.md new file mode 100644 index 000000000..ee49eb4ab --- /dev/null +++ b/docs/resources/groups_permissions.md @@ -0,0 +1,99 @@ +--- +page_title: "keycloak_groups_permissions Resource" +--- + +# keycloak_groups_permissions + +Allows you to manage all group Scope Based Permissions https://www.keycloak.org/docs/latest/server_admin/#group. + +This is part of a preview Keycloak feature: `admin_fine_grained_authz` (see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions). +This feature can be enabled with the Keycloak option `-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled`. See the +example [`docker-compose.yml`](https://github.com/mrparkers/terraform-provider-keycloak/blob/898094df6b3e01c3404981ce7ca268142d6ff0e5/docker-compose.yml#L21) file for an example. + +When enabling Roles Permissions, Keycloak does several things automatically: +1. Enable Authorization on built-in `realm-management` client (if not already enabled). +1. Create a resource representing the role permissions. +1. Create scopes `view`, `manage`, `view-members`, `manage-members`, `manage-membership`. +1. Create all scope based permission for the scopes and role resource + + +### Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my_realm" +} + +data "keycloak_openid_client" "realm_management" { + realm_id = keycloak_realm.realm.id + client_id = "realm-management" +} + +resource "keycloak_openid_client_permissions" "realm-management_permission" { + realm_id = keycloak_realm.realm.id + client_id = data.keycloak_openid_client.realm_management.id +} + +resource "keycloak_group" "group" { + realm_id = keycloak_realm.realm.id + name = "%s" +} + +resource "keycloak_openid_client_group_policy" "test" { + realm_id = keycloak_realm.realm.id + resource_server_id = data.keycloak_openid_client.realm_management.id + name = "client_group_policy_test" + groups { + id = keycloak_group.group.id + path = keycloak_group.group.path + extend_children = false + } + logic = "POSITIVE" + decision_strategy = "UNANIMOUS" + depends_on = [ + keycloak_openid_client_permissions.realm-management_permission, + ] +} + +resource "keycloak_groups_permissions" "test" { + realm_id = keycloak_realm.realm.id + group_id = keycloak_group.group.id + manage_members_scope { + policies = [ + keycloak_openid_client_group_policy.test.id + ] + description = "mangage_members_scope" + decision_strategy = "UNANIMOUS" + } + +} +``` + +### Argument Reference + +The following arguments are supported: + +- `realm_id` - (Required) The realm in which to manage fine-grained role permissions. +- `group_id` - (Required) The id of the group. + + +Each of the scopes that can be managed are defined below: + +- `view_scope` - (Optional) Policies that decide if the admin can view information about the group. +- `manage_scope` - (Optional) Policies that decide if the admin can manage the configuration of the group. +- `view_members_scope` - (Optional) Policies that decide if the admin can view the user details of members of the group. +- `manage_members_scope` - (Optional) Policies that decide if the admin can manage the users that belong to this group. +- `manage_membership_scope` - (Optional) Policies that decide if an admin can change the membership of the group. Add or remove members from the group. + +The configuration block for each of these scopes supports the following arguments: + +- `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. +- `description` - (Optional) Description of the permission. +- `decision_strategy` - (Optional) Decision strategy of the permission. + +### Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +- `enabled` - When true, this indicates that fine-grained role permissions are enabled. This will always be `true`. +- `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed. From 3ef2a684d8c9a34ea94f619041478878cc757174 Mon Sep 17 00:00:00 2001 From: Daniel Hoeggerl Date: Wed, 27 Oct 2021 10:07:41 +0200 Subject: [PATCH 4/4] chore: rename groups -> group --- ...ps_permissions.md => group_permissions.md} | 6 ++-- ...ps_permissions.go => group_permissions.go} | 16 ++++----- provider/provider.go | 2 +- ...=> resource_keycloak_group_permissions.go} | 34 +++++++++---------- ...source_keycloak_group_permissions_test.go} | 10 +++--- 5 files changed, 34 insertions(+), 34 deletions(-) rename docs/resources/{groups_permissions.md => group_permissions.md} (96%) rename keycloak/{groups_permissions.go => group_permissions.go} (59%) rename provider/{resource_keycloak_groups_permissions.go => resource_keycloak_group_permissions.go} (82%) rename provider/{resource_keycloak_groups_permissions_test.go => resource_keycloak_group_permissions_test.go} (95%) diff --git a/docs/resources/groups_permissions.md b/docs/resources/group_permissions.md similarity index 96% rename from docs/resources/groups_permissions.md rename to docs/resources/group_permissions.md index ee49eb4ab..1ced4818e 100644 --- a/docs/resources/groups_permissions.md +++ b/docs/resources/group_permissions.md @@ -1,8 +1,8 @@ --- -page_title: "keycloak_groups_permissions Resource" +page_title: "keycloak_group_permissions Resource" --- -# keycloak_groups_permissions +# keycloak_group_permissions Allows you to manage all group Scope Based Permissions https://www.keycloak.org/docs/latest/server_admin/#group. @@ -55,7 +55,7 @@ resource "keycloak_openid_client_group_policy" "test" { ] } -resource "keycloak_groups_permissions" "test" { +resource "keycloak_group_permissions" "test" { realm_id = keycloak_realm.realm.id group_id = keycloak_group.group.id manage_members_scope { diff --git a/keycloak/groups_permissions.go b/keycloak/group_permissions.go similarity index 59% rename from keycloak/groups_permissions.go rename to keycloak/group_permissions.go index 7065ec31d..313afb4c7 100644 --- a/keycloak/groups_permissions.go +++ b/keycloak/group_permissions.go @@ -4,11 +4,11 @@ import ( "fmt" ) -type GroupsPermissionsInput struct { +type GroupPermissionsInput struct { Enabled bool `json:"enabled"` } -type GroupsPermissions struct { +type GroupPermissions struct { RealmId string `json:"-"` GroupId string `json:"-"` Enabled bool `json:"enabled"` @@ -16,16 +16,16 @@ type GroupsPermissions struct { ScopePermissions map[string]interface{} `json:"scopePermissions"` } -func (keycloakClient *KeycloakClient) EnableGroupsPermissions(realmId, groupId string) error { - return keycloakClient.put(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), GroupsPermissionsInput{Enabled: true}) +func (keycloakClient *KeycloakClient) EnableGroupPermissions(realmId, groupId string) error { + return keycloakClient.put(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), GroupPermissionsInput{Enabled: true}) } -func (keycloakClient *KeycloakClient) DisableGroupsPermissions(realmId, groupId string) error { - return keycloakClient.put(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), GroupsPermissionsInput{Enabled: false}) +func (keycloakClient *KeycloakClient) DisableGroupPermissions(realmId, groupId string) error { + return keycloakClient.put(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), GroupPermissionsInput{Enabled: false}) } -func (keycloakClient *KeycloakClient) GetGroupsPermissions(realmId, groupId string) (*GroupsPermissions, error) { - var groupPermissions GroupsPermissions +func (keycloakClient *KeycloakClient) GetGroupPermissions(realmId, groupId string) (*GroupPermissions, error) { + var groupPermissions GroupPermissions err := keycloakClient.get(fmt.Sprintf("/realms/%s/groups/%s/management/permissions", realmId, groupId), &groupPermissions, nil) if err != nil { diff --git a/provider/provider.go b/provider/provider.go index 2d106e9cb..fd34b43a1 100644 --- a/provider/provider.go +++ b/provider/provider.go @@ -109,7 +109,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider { "keycloak_openid_client_permissions": resourceKeycloakOpenidClientPermissions(), "keycloak_users_permissions": resourceKeycloakUsersPermissions(), "keycloak_user_groups": resourceKeycloakUserGroups(), - "keycloak_groups_permissions": resourceKeycloakGroupsPermissions(), + "keycloak_group_permissions": resourceKeycloakGroupPermissions(), }, Schema: map[string]*schema.Schema{ "client_id": { diff --git a/provider/resource_keycloak_groups_permissions.go b/provider/resource_keycloak_group_permissions.go similarity index 82% rename from provider/resource_keycloak_groups_permissions.go rename to provider/resource_keycloak_group_permissions.go index a99a678b0..ef0cb729e 100644 --- a/provider/resource_keycloak_groups_permissions.go +++ b/provider/resource_keycloak_group_permissions.go @@ -8,14 +8,14 @@ import ( "github.com/mrparkers/terraform-provider-keycloak/keycloak" ) -func resourceKeycloakGroupsPermissions() *schema.Resource { +func resourceKeycloakGroupPermissions() *schema.Resource { return &schema.Resource{ - Create: resourceKeycloakGroupsPermissionsCreate, - Read: resourceKeycloakGroupsPermissionsRead, - Delete: resourceKeycloakGroupsPermissionsDelete, - Update: resourceKeycloakGroupsPermissionsUpdate, + Create: resourceKeycloakGroupPermissionsCreate, + Read: resourceKeycloakGroupPermissionsRead, + Delete: resourceKeycloakGroupPermissionsDelete, + Update: resourceKeycloakGroupPermissionsUpdate, Importer: &schema.ResourceImporter{ - State: resourceKeycloakGroupsPermissionsImport, + State: resourceKeycloakGroupPermissionsImport, }, Schema: map[string]*schema.Schema{ "realm_id": { @@ -50,24 +50,24 @@ func groupPermissionsId(realmId, groupId string) string { return fmt.Sprintf("%s/%s", realmId, groupId) } -func resourceKeycloakGroupsPermissionsCreate(data *schema.ResourceData, meta interface{}) error { - return resourceKeycloakGroupsPermissionsUpdate(data, meta) +func resourceKeycloakGroupPermissionsCreate(data *schema.ResourceData, meta interface{}) error { + return resourceKeycloakGroupPermissionsUpdate(data, meta) } -func resourceKeycloakGroupsPermissionsUpdate(data *schema.ResourceData, meta interface{}) error { +func resourceKeycloakGroupPermissionsUpdate(data *schema.ResourceData, meta interface{}) error { keycloakClient := meta.(*keycloak.KeycloakClient) realmId := data.Get("realm_id").(string) groupId := data.Get("group_id").(string) // the existence of this resource implies that it is enabled. - err := keycloakClient.EnableGroupsPermissions(realmId, groupId) + err := keycloakClient.EnableGroupPermissions(realmId, groupId) if err != nil { return err } // setting scope permissions requires us to fetch the users permissions details, as well as the realm management client - groupPermissions, err := keycloakClient.GetGroupsPermissions(realmId, groupId) + groupPermissions, err := keycloakClient.GetGroupPermissions(realmId, groupId) if err != nil { return err } @@ -108,10 +108,10 @@ func resourceKeycloakGroupsPermissionsUpdate(data *schema.ResourceData, meta int } } - return resourceKeycloakGroupsPermissionsRead(data, meta) + return resourceKeycloakGroupPermissionsRead(data, meta) } -func resourceKeycloakGroupsPermissionsRead(data *schema.ResourceData, meta interface{}) error { +func resourceKeycloakGroupPermissionsRead(data *schema.ResourceData, meta interface{}) error { keycloakClient := meta.(*keycloak.KeycloakClient) realmId := data.Get("realm_id").(string) groupId := data.Get("group_id").(string) @@ -121,7 +121,7 @@ func resourceKeycloakGroupsPermissionsRead(data *schema.ResourceData, meta inter return err } - groupPermissions, err := keycloakClient.GetGroupsPermissions(realmId, groupId) + groupPermissions, err := keycloakClient.GetGroupPermissions(realmId, groupId) if err != nil { return handleNotFoundError(err, data) } @@ -165,16 +165,16 @@ func resourceKeycloakGroupsPermissionsRead(data *schema.ResourceData, meta inter return nil } -func resourceKeycloakGroupsPermissionsDelete(data *schema.ResourceData, meta interface{}) error { +func resourceKeycloakGroupPermissionsDelete(data *schema.ResourceData, meta interface{}) error { keycloakClient := meta.(*keycloak.KeycloakClient) realmId := data.Get("realm_id").(string) groupId := data.Get("group_id").(string) - return keycloakClient.DisableGroupsPermissions(realmId, groupId) + return keycloakClient.DisableGroupPermissions(realmId, groupId) } -func resourceKeycloakGroupsPermissionsImport(d *schema.ResourceData, _ interface{}) ([]*schema.ResourceData, error) { +func resourceKeycloakGroupPermissionsImport(d *schema.ResourceData, _ interface{}) ([]*schema.ResourceData, error) { parts := strings.Split(d.Id(), "/") if len(parts) != 2 { return nil, fmt.Errorf("Invalid import. Supported import formats: {{realmId}}/{{groupId}}") diff --git a/provider/resource_keycloak_groups_permissions_test.go b/provider/resource_keycloak_group_permissions_test.go similarity index 95% rename from provider/resource_keycloak_groups_permissions_test.go rename to provider/resource_keycloak_group_permissions_test.go index 6843a4a0a..60e3e3ef6 100644 --- a/provider/resource_keycloak_groups_permissions_test.go +++ b/provider/resource_keycloak_group_permissions_test.go @@ -19,10 +19,10 @@ func TestAccKeycloakGroupPermission_basic(t *testing.T) { Steps: []resource.TestStep{ { Config: testKeycloakGroupPermission_basic(groupName), - Check: testAccCheckKeycloakGroupPermissionExists("keycloak_groups_permissions.test"), + Check: testAccCheckKeycloakGroupPermissionExists("keycloak_group_permissions.test"), }, { - ResourceName: "keycloak_groups_permissions.test", + ResourceName: "keycloak_group_permissions.test", ImportState: true, ImportStateVerify: true, }, @@ -88,7 +88,7 @@ func testAccCheckKeycloakGroupPermissionExists(resourceName string) resource.Tes } } -func getGroupPermissionsFromState(s *terraform.State, resourceName string) (*keycloak.GroupsPermissions, error) { +func getGroupPermissionsFromState(s *terraform.State, resourceName string) (*keycloak.GroupPermissions, error) { keycloakClient := testAccProvider.Meta().(*keycloak.KeycloakClient) rs, ok := s.RootModule().Resources[resourceName] @@ -99,7 +99,7 @@ func getGroupPermissionsFromState(s *terraform.State, resourceName string) (*key realmId := rs.Primary.Attributes["realm_id"] groupId := rs.Primary.Attributes["group_id"] - permissions, err := keycloakClient.GetGroupsPermissions(realmId, groupId) + permissions, err := keycloakClient.GetGroupPermissions(realmId, groupId) if err != nil { return nil, fmt.Errorf("error getting group permissions with realm id %s and group id %s : %s", realmId, groupId, err) } @@ -144,7 +144,7 @@ resource "keycloak_openid_client_group_policy" "test" { ] } -resource "keycloak_groups_permissions" "test" { +resource "keycloak_group_permissions" "test" { realm_id = data.keycloak_realm.realm.id group_id = keycloak_group.group.id manage_members_scope {