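// Copyright 2018 The Terraformer Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package keycloak

import (
	"github.com/GoogleCloudPlatform/terraformer/terraformutils"
	"github.com/mrparkers/terraform-provider-keycloak/keycloak"
)

// openIDProtocolMapperResourceSuffixes maps the protocol mapper type string
// reported by Keycloak (the ProtocolMapper field) to the middle part of the
// Terraform resource type that manages it, i.e.
// "keycloak_openid_<suffix>_protocol_mapper". A mapper type that is not in
// this table produces no resource.
//
// "oidc-hardcoded-role-mapper" only works with client roles.
//
// Not supported for the moment (the suffix they would get is in parentheses):
// oidc-address-mapper (address), oidc-role-name-mapper (role_name),
// oidc-sha256-pairwise-sub-mapper (pairwise_subject_identifier),
// oidc-allowed-origins-mapper (allowed_web_origins),
// oidc-audience-resolve-mapper (audience_resolve).
var openIDProtocolMapperResourceSuffixes = map[string]string{
	"oidc-audience-mapper":              "audience",
	"oidc-full-name-mapper":             "full_name",
	"oidc-group-membership-mapper":      "group_membership",
	"oidc-hardcoded-claim-mapper":       "hardcoded_claim",
	"oidc-hardcoded-group-mapper":       "hardcoded_group",
	"oidc-hardcoded-role-mapper":        "hardcoded_role",
	"oidc-usermodel-attribute-mapper":   "user_attribute",
	"oidc-usermodel-property-mapper":    "user_property",
	"oidc-usermodel-realm-role-mapper":  "user_realm_role",
	"oidc-usermodel-client-role-mapper": "user_client_role",
	"oidc-usersessionmodel-note-mapper": "user_session_note",
}

// createOpenIDClientResources builds one keycloak_openid_client resource per
// OpenID client in openIDClients. The Terraform resource name is derived from
// the normalized realm ID and client ID; the Keycloak internal ID is used as
// the resource ID and realm_id is the only attribute set. Nil entries are
// skipped. The "web_origins" entry is presumably the allow-empty-values list
// of terraformutils.NewResource — confirm against that signature.
func (g RealmGenerator) createOpenIDClientResources(openIDClients []*keycloak.OpenidClient) []terraformutils.Resource {
	var resources []terraformutils.Resource
	for _, openIDClient := range openIDClients {
		if openIDClient == nil {
			continue
		}
		resources = append(resources, terraformutils.NewResource(
			openIDClient.Id,
			"openid_client_"+normalizeResourceName(openIDClient.RealmId)+"_"+normalizeResourceName(openIDClient.ClientId),
			"keycloak_openid_client",
			"keycloak",
			map[string]string{
				"realm_id": openIDClient.RealmId,
			},
			[]string{"web_origins"},
			map[string]interface{}{},
		))
	}
	return resources
}

// createServiceAccountClientRolesResources builds one
// keycloak_openid_client_service_account_role resource for every pairing of a
// client role in clientRoles with a service-account user that holds it.
//
// usersInRole lists, per role, the users that hold that role; only entries
// whose Role.Id matches the current role are considered, and entries with a
// nil or empty Users list are skipped. A user is treated as a service-account
// user only if mapServiceAccountIds has a non-nil entry for its ID; that entry
// is expected to carry a "ClientId" key (used in the resource name).
// mapClientIDs is indexed by role.ClientId and its value is used, normalized,
// in the resource name — presumably the human-readable client ID; verify
// against the caller.
//
// The resource ID is "<realmID>/<userID>/<clientID>/<roleName>".
func (g RealmGenerator) createServiceAccountClientRolesResources(realmID string, clientRoles []*keycloak.Role, usersInRole []keycloak.UsersInRole, mapServiceAccountIds map[string]map[string]string, mapClientIDs map[string]string) []terraformutils.Resource {
	var resources []terraformutils.Resource
	for _, role := range clientRoles {
		if role == nil {
			continue
		}
		for _, users := range usersInRole {
			if role.Id != users.Role.Id {
				continue
			}
			// Users is a pointer to a slice; guard the nil pointer before
			// dereferencing it, not only the empty case.
			if users.Users == nil || len(*users.Users) == 0 {
				continue
			}
			for _, user := range *users.Users {
				// Only roles mapped to a ServiceAccountUser (present in
				// mapServiceAccountIds) are emitted; plain users are skipped.
				serviceAccount := mapServiceAccountIds[user.Id]
				if serviceAccount == nil {
					continue
				}
				resources = append(resources, terraformutils.NewResource(
					realmID+"/"+user.Id+"/"+role.ClientId+"/"+role.Name,
					"openid_client_service_account_role_"+normalizeResourceName(realmID)+"_"+normalizeResourceName(serviceAccount["ClientId"])+"_"+normalizeResourceName(mapClientIDs[role.ClientId])+"_"+normalizeResourceName(role.Name),
					"keycloak_openid_client_service_account_role",
					"keycloak",
					map[string]string{
						"realm_id":                realmID,
						"service_account_user_id": user.Id,
						"client_id":               role.ClientId,
						"role":                    role.Name,
					},
					[]string{},
					map[string]interface{}{},
				))
			}
		}
	}

	return resources
}

// createOpenIDGenericProtocolMapperResource builds a
// keycloak_openid_<protocolMapperType>_protocol_mapper resource.
//
// protocolMapperID becomes the resource ID; the Terraform resource name is
// built from protocolMapperType and the normalized realmID, clientName and
// protocolMapperName. realmID and clientID are set as the realm_id and
// client_id attributes.
//
// NOTE(review): createOpenIDProtocolMapperResources passes
// openidClient.ClientId as clientID and its own clientID argument as
// clientName — confirm which of the two is the client's internal ID that the
// provider expects in client_id.
func (g RealmGenerator) createOpenIDGenericProtocolMapperResource(protocolMapperType, protocolMapperID, protocolMapperName, realmID, clientID, clientName string) terraformutils.Resource {
	return terraformutils.NewResource(
		protocolMapperID,
		"openid_"+protocolMapperType+"_protocol_mapper_"+normalizeResourceName(realmID)+"_"+normalizeResourceName(clientName)+"_"+normalizeResourceName(protocolMapperName),
		"keycloak_openid_"+protocolMapperType+"_protocol_mapper",
		"keycloak",
		map[string]string{
			"realm_id":  realmID,
			"client_id": clientID,
		},
		[]string{},
		map[string]interface{}{},
	)
}

// createOpenIDProtocolMapperResources builds one protocol mapper resource for
// each mapper attached to openidClient whose type is listed in
// openIDProtocolMapperResourceSuffixes. Mappers of any other type (including
// the ones marked "not supported for the moment" there) are skipped. A nil
// openidClient yields no resources. clientID is forwarded as the clientName
// used in the generated resource names.
func (g RealmGenerator) createOpenIDProtocolMapperResources(clientID string, openidClient *keycloak.OpenidClientWithGenericClientProtocolMappers) []terraformutils.Resource {
	if openidClient == nil {
		return nil
	}
	var resources []terraformutils.Resource
	for _, protocolMapper := range openidClient.ProtocolMappers {
		suffix, supported := openIDProtocolMapperResourceSuffixes[protocolMapper.ProtocolMapper]
		if !supported {
			continue
		}
		resources = append(resources, g.createOpenIDGenericProtocolMapperResource(
			suffix,
			protocolMapper.Id,
			protocolMapper.Name,
			openidClient.RealmId,
			openidClient.ClientId,
			clientID,
		))
	}
	return resources
}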