feat: add keycloak_openid_client_authorization_client_scope_policy resource (#1128)

Signed-off-by: Tadas Sutkaitis <[email protected]>

Author: fitbeard

docs/resources/openid_client_authorization_client_scope_policy.md

@@ -0,0 +1,105 @@
+---
+page_title: "keycloak_openid_client_authorization_client_scope_policy Resource"
+---
+
+# keycloak\_openid\_client\_authorization\_client\_scope\_policy Resource
+
+Allows you to manage openid Client Authorization Client Scope type Policies.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client" "test" {
+  client_id                = "client_id"
+  realm_id                 = keycloak_realm.realm.id
+  access_type              = "CONFIDENTIAL"
+  service_accounts_enabled = true
+  authorization {
+    policy_enforcement_mode = "ENFORCING"
+  }
+}
+
+resource "keycloak_openid_client_scope" "test1" {
+    realm_id    = keycloak_realm.realm.id
+    name        = "test1"
+    description = "test1"
+}
+
+resource "keycloak_openid_client_scope" "test2" {
+    realm_id    = keycloak_realm.realm.id
+    name        = "test2"
+    description = "test2"
+}
+
+resource "keycloak_openid_client_authorization_client_scope_policy" "test" {
+    resource_server_id = keycloak_openid_client.test.resource_server_id
+    realm_id           = keycloak_realm.realm.id
+    name               = "test_policy_single"
+    description        = "test"
+    decision_strategy  = "AFFIRMATIVE"
+    logic              = "POSITIVE"
+
+    scope {
+      id       = keycloak_openid_client_scope.test1.id
+      required = false
+    }
+}
+
+resource "keycloak_openid_client_authorization_client_scope_policy" "test_multiple" {
+    resource_server_id = keycloak_openid_client.test.resource_server_id
+    realm_id           = keycloak_realm.realm.id
+    name               = "test_policy_multiple"
+    description        = "test"
+    decision_strategy  = "AFFIRMATIVE"
+    logic              = "POSITIVE"
+
+    scope {
+      id       = keycloak_openid_client_scope.test1.id
+      required = false
+    }
+
+    scope {
+      id       = keycloak_openid_client_scope.test2.id
+      required = true
+    }
+}
+
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm this group exists in.
+- `resource_server_id` - (Required) The ID of the resource server.
+- `name` - (Required) The name of the policy.
+- `description` - (Optional) A description for the authorization policy.
+- `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`.
+- `logic` - (Optional) The logic, can be one of `POSITIVE` or `NEGATIVE`. Defaults to `POSITIVE`.
+- `scope` - An client scope to add [client scope](#scope-arguments). At least one should be defined.
+
+### Scope Arguments
+
+- `id` - (Required) Id of client scope.
+- `required` - (Optional) When `true`, then this client scope will be set as required. Defaults to `false`.
+
+### Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+- `id` - Policy ID representing the policy.
+
+## Import
+
+Client authorization policies can be imported using the format: `{{realmId}}/{{resourceServerId}}/{{policyId}}`.
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_client_authorization_client_scope_policy.test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9
+```

keycloak/openid_client_authorization_client_scope_policy.go

@@ -0,0 +1,63 @@
+package keycloak
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+)
+
+type OpenidClientAuthorizationClientScopePolicy struct {
+	Id               string                                 `json:"id,omitempty"`
+	RealmId          string                                 `json:"-"`
+	ResourceServerId string                                 `json:"-"`
+	Name             string                                 `json:"name"`
+	DecisionStrategy string                                 `json:"decisionStrategy"`
+	Logic            string                                 `json:"logic"`
+	Type             string                                 `json:"type"`
+	Scope            []OpenidClientAuthorizationClientScope `json:"clientScopes"`
+	Description      string                                 `json:"description"`
+}
+
+type OpenidClientAuthorizationClientScope struct {
+	Id       string `json:"id,omitempty"`
+	Required bool   `json:"required,omitempty"`
+}
+
+func (keycloakClient *KeycloakClient) NewOpenidClientAuthorizationClientScopePolicy(ctx context.Context, policy *OpenidClientAuthorizationClientScopePolicy) error {
+	body, _, err := keycloakClient.post(ctx, fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/policy/client-scope", policy.RealmId, policy.ResourceServerId), policy)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(body, &policy)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (keycloakClient *KeycloakClient) UpdateOpenidClientAuthorizationClientScopePolicy(ctx context.Context, policy *OpenidClientAuthorizationClientScopePolicy) error {
+	err := keycloakClient.put(ctx, fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/policy/client-scope/%s", policy.RealmId, policy.ResourceServerId, policy.Id), policy)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (keycloakClient *KeycloakClient) DeleteOpenidClientAuthorizationClientScopePolicy(ctx context.Context, realmId, resourceServerId, policyId string) error {
+	return keycloakClient.delete(ctx, fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/policy/client-scope/%s", realmId, resourceServerId, policyId), nil)
+}
+
+func (keycloakClient *KeycloakClient) GetOpenidClientAuthorizationClientScopePolicy(ctx context.Context, realmId, resourceServerId, policyId string) (*OpenidClientAuthorizationClientScopePolicy, error) {
+
+	policy := OpenidClientAuthorizationClientScopePolicy{
+		Id:               policyId,
+		ResourceServerId: resourceServerId,
+		RealmId:          realmId,
+	}
+	err := keycloakClient.get(ctx, fmt.Sprintf("/realms/%s/clients/%s/authz/resource-server/policy/client-scope/%s", realmId, resourceServerId, policyId), &policy, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return &policy, nil
+}

provider/provider.go

@@ -105,6 +105,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 			"keycloak_openid_client_time_policy":                         resourceKeycloakOpenidClientAuthorizationTimePolicy(),
 			"keycloak_openid_client_user_policy":                         resourceKeycloakOpenidClientAuthorizationUserPolicy(),
 			"keycloak_openid_client_client_policy":                       resourceKeycloakOpenidClientAuthorizationClientPolicy(),
+			"keycloak_openid_client_authorization_client_scope_policy":   resourceKeycloakOpenidClientAuthorizationClientScopePolicy(),
 			"keycloak_openid_client_authorization_scope":                 resourceKeycloakOpenidClientAuthorizationScope(),
 			"keycloak_openid_client_authorization_permission":            resourceKeycloakOpenidClientAuthorizationPermission(),
 			"keycloak_openid_client_service_account_role":                resourceKeycloakOpenidClientServiceAccountRole(),

provider/resource_keycloak_openid_client_authorization_client_scope_policy.go

@@ -0,0 +1,190 @@
+package provider
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/keycloak/terraform-provider-keycloak/keycloak"
+)
+
+func resourceKeycloakOpenidClientAuthorizationClientScopePolicy() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceKeycloakOpenidClientAuthorizationClientScopePolicyCreate,
+		ReadContext:   resourceKeycloakOpenidClientAuthorizationClientScopePolicyRead,
+		DeleteContext: resourceKeycloakOpenidClientAuthorizationClientScopePolicyDelete,
+		UpdateContext: resourceKeycloakOpenidClientAuthorizationClientScopePolicyUpdate,
+		Importer: &schema.ResourceImporter{
+			StateContext: genericResourcePolicyImport,
+		},
+		Schema: map[string]*schema.Schema{
+			"resource_server_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"realm_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"decision_strategy": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice(keycloakOpenidClientResourcePermissionDecisionStrategies, false),
+				Default:      "UNANIMOUS",
+			},
+			"logic": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice(keycloakPolicyLogicTypes, false),
+				Default:      "POSITIVE",
+			},
+			"description": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"scope": {
+				Type:     schema.TypeSet,
+				Required: true,
+				MinItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"required": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func getOpenidClientAuthorizationClientScopePolicyResourceFromData(data *schema.ResourceData) *keycloak.OpenidClientAuthorizationClientScopePolicy {
+	var clientScopes []keycloak.OpenidClientAuthorizationClientScope
+
+	if v, ok := data.Get("scope").(*schema.Set); ok {
+		for _, clientScope := range v.List() { // Use List() for TypeSet
+			clientScopeMap := clientScope.(map[string]interface{})
+			clientScopes = append(clientScopes, keycloak.OpenidClientAuthorizationClientScope{
+				Id:       clientScopeMap["id"].(string),
+				Required: clientScopeMap["required"].(bool),
+			})
+		}
+	}
+
+	resource := keycloak.OpenidClientAuthorizationClientScopePolicy{
+		Id:               data.Id(),
+		ResourceServerId: data.Get("resource_server_id").(string),
+		RealmId:          data.Get("realm_id").(string),
+		DecisionStrategy: data.Get("decision_strategy").(string),
+		Logic:            data.Get("logic").(string),
+		Name:             data.Get("name").(string),
+		Type:             "client-scope",
+		Scope:            clientScopes,
+		Description:      data.Get("description").(string),
+	}
+
+	return &resource
+}
+
+func setOpenidClientAuthorizationClientScopePolicyResourceData(ctx context.Context, keycloakClient *keycloak.KeycloakClient, policy *keycloak.OpenidClientAuthorizationClientScopePolicy, data *schema.ResourceData) error {
+	data.SetId(policy.Id)
+
+	data.Set("resource_server_id", policy.ResourceServerId)
+	data.Set("realm_id", policy.RealmId)
+	data.Set("name", policy.Name)
+	data.Set("decision_strategy", policy.DecisionStrategy)
+	data.Set("logic", policy.Logic)
+	data.Set("description", policy.Description)
+
+	// Convert scope slice to a set for consistent Terraform state
+	clientScopesSet := make([]interface{}, len(policy.Scope))
+	for i, g := range policy.Scope {
+		clientScopesSet[i] = map[string]interface{}{
+			"id":       g.Id,
+			"required": g.Required,
+		}
+	}
+
+	if err := data.Set("scope", clientScopesSet); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func resourceKeycloakOpenidClientAuthorizationClientScopePolicyCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	resource := getOpenidClientAuthorizationClientScopePolicyResourceFromData(data)
+
+	err := keycloakClient.NewOpenidClientAuthorizationClientScopePolicy(ctx, resource)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = setOpenidClientAuthorizationClientScopePolicyResourceData(ctx, keycloakClient, resource, data)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return resourceKeycloakOpenidClientAuthorizationClientScopePolicyRead(ctx, data, meta)
+}
+
+func resourceKeycloakOpenidClientAuthorizationClientScopePolicyRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	realmId := data.Get("realm_id").(string)
+	resourceServerId := data.Get("resource_server_id").(string)
+	id := data.Id()
+
+	resource, err := keycloakClient.GetOpenidClientAuthorizationClientScopePolicy(ctx, realmId, resourceServerId, id)
+	if err != nil {
+		return handleNotFoundError(ctx, err, data)
+	}
+
+	err = setOpenidClientAuthorizationClientScopePolicyResourceData(ctx, keycloakClient, resource, data)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceKeycloakOpenidClientAuthorizationClientScopePolicyUpdate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	resource := getOpenidClientAuthorizationClientScopePolicyResourceFromData(data)
+
+	err := keycloakClient.UpdateOpenidClientAuthorizationClientScopePolicy(ctx, resource)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = setOpenidClientAuthorizationClientScopePolicyResourceData(ctx, keycloakClient, resource, data)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceKeycloakOpenidClientAuthorizationClientScopePolicyDelete(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	realmId := data.Get("realm_id").(string)
+	resourceServerId := data.Get("resource_server_id").(string)
+	id := data.Id()
+
+	return diag.FromErr(keycloakClient.DeleteOpenidClientAuthorizationClientScopePolicy(ctx, realmId, resourceServerId, id))
+}