Add client auth policies #246
Conversation
merge master
… scope and resource permission types (keycloak#220)
.circleci/config.yml
Outdated
| @@ -64,16 +64,20 @@ jobs: | |||
| docker: | |||
| - <<: *go_image | |||
| - image: jboss/keycloak:7.0.1 | |||
| command: ["-b", "0.0.0.0", "-Dkeycloak.profile.feature.upload_scripts=enabled"] | |||
There was a problem hiding this comment.
You can add this snippet to the keycloak_env anchor so it can be reused in the other test job
| @@ -0,0 +1,174 @@ | |||
| resource keycloak_realm test { | |||
There was a problem hiding this comment.
I think most of these examples are going to conflict with the pre-existing main.tf file in the example folder. Could you rename the resources in this file so they don't conflict with main.tf? It's okay to hardcode any strings you want here, these files really just serve as an example of how to use the provider.
There was a problem hiding this comment.
You are also free to reuse the resources that have already been created in main.tf, meaning that you can just leave them in that file and use variable interpolation to depend on them (like you are on line 12).
keycloak/keycloak_client.go
Outdated
| @@ -280,6 +281,7 @@ func (keycloakClient *KeycloakClient) sendRequest(request *http.Request) ([]byte | |||
| } | |||
|
|
|||
| if response.StatusCode >= 400 { | |||
| fmt.Println(string(body), "Error with the response") | |||
There was a problem hiding this comment.
We're already printing the body on line 280, is there a reason this is needed?
In case you weren't aware, you can set the environment variable TF_LOG to DEBUG to enable debug logging which should print out a bunch of http request/response information.
| resource.Test(t, resource.TestCase{ | ||
| Providers: testAccProviders, | ||
| PreCheck: func() { testAccPreCheck(t) }, | ||
| // CheckDestroy: testResourceKeycloakOpenidClientAuthorizationAggregatePolicyDestroy(), |
There was a problem hiding this comment.
is there a reason this is commented out?
| }) | ||
| } | ||
|
|
||
| func testResourceKeycloakOpenidClientAuthorizationAggregatePolicy_basic(realm, clientId string) string { |
There was a problem hiding this comment.
nitpick: could you move this function to the bottom of this file?
| }) | ||
| } | ||
|
|
||
| func testResourceKeycloakOpenidClientAuthorizationGroupPolicy_basic(realm, clientId string) string { |
There was a problem hiding this comment.
nitpick: can you move this to the bottom of the file?
| }) | ||
| } | ||
|
|
||
| func testResourceKeycloakOpenidClientAuthorizationJSPolicy_basic(realm, clientId string) string { |
There was a problem hiding this comment.
nitpick: can you move this to the bottom of the file?
| Type: schema.TypeString, | ||
| Optional: true, | ||
| }, | ||
| "role": { |
There was a problem hiding this comment.
I can see in the GUI that this policy supports realm roles and client roles, which is this attribute supposed to represent? And it looks like I can add more than one role to the policy, is there a reason you specified MinItems to be 1?
There was a problem hiding this comment.
I just checked the Chrome network inspector when creating a role policy, and I see that while bifurcated in the UI, the API call combines all the roles into one object:
Note the request above had one realm role and one client role.
There was a problem hiding this comment.
I think the reason for min items equaling 1 is because a role policy essentially does nothing if there are no roles specified.
There was a problem hiding this comment.
Thanks Ryan!
@mrparkers I can remove the MinItems if you'd like.
There was a problem hiding this comment.
My bad, I misread MinItems to be MaxItems. Thanks for the clarification on the roles.
| }) | ||
| } | ||
|
|
||
| func testResourceKeycloakOpenidClientAuthorizationTimePolicy_basic(realm, policyName, clientId string) string { |
There was a problem hiding this comment.
nitpick: can you move this to the bottom of the file?
| }) | ||
| } | ||
|
|
||
| func testResourceKeycloakOpenidClientAuthorizationUserPolicy_basic(realm, clientId string) string { |
There was a problem hiding this comment.
nitpick: can you move this to the bottom of the file?
…rization_user_policy_test to fix tests
|
@mrparkers I made the requested changes! Could you please take another look. |
|
The changes you made so far look good, although there are still 5 other comments I left that I didn't see changes for. I think GitHub collapses comments when there are too many, I had to click "Load More" on the part of the page that says "5 hidden conversations" |
|
Woops! Just made the last 5 changes. Let me know what you think. |
provider/validation_helpers.go
Outdated
| "fmt" | ||
| ) | ||
|
|
||
| func logicKeyValidation(val interface{}, key string) (warns []string, errs []error) { |
There was a problem hiding this comment.
Thanks for adding this! Although I probably should have let you know about the validation package which gives you the StringInSlice function that could have made this implementation easier. Take a look at this example: /~https://github.com/mrparkers/terraform-provider-keycloak/blob/f4770b0a3726a82d0fd0176cba328b4b2dda1389/provider/resource_keycloak_ldap_user_federation.go#L65
Could you change this to use this function?
There was a problem hiding this comment.
Oh cool! Just replaced that with the validation package. 👍
|
I left another comment that might be hard to see since it's in the collapsed conversation: #246 (comment) |
moved @yspotts pr #221