Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Add resource keycloak_user_roles #315

Merged
merged 4 commits into from
Jun 28, 2020

Conversation

elmarx
Copy link
Contributor

@elmarx elmarx commented Jun 9, 2020

Hey,

I know there are already two open PRs to add user-role-support, but they both look stale and not ready…

This one is done, it's based heavily upon the keycloak_group_roles, although in some details the implementation differs, since the group-endpoint returns mapped roles, but the user-endpoint not.

On the other hand, explicitly querying the user's role-mapping endpoints returns full roles (opposed to role-names), thus the implementation is simpler, once the role-mapping endpoint has been queried.

I also tested the resource manually, so as far as I know it's done/it works, but I'm looking forward to your feedback.

@elmarx elmarx changed the title Add resource user role Add resource keycloak_user_role Jun 9, 2020
@elmarx elmarx changed the title Add resource keycloak_user_role Add resource keycloak_user_roles Jun 9, 2020
@n0rig
Copy link

n0rig commented Jun 15, 2020

This looks great; this is something I was trying to solve. Can we get more eyes on this?

if role.ClientRole {
roles[role.ClientId] = append(roles[role.ClientId], role)
} else {
roles["realm"] = append(roles["realm"], role)
Copy link
Contributor

@tomrutsaert tomrutsaert Jun 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see you use "realm" as a keyword in the map of roles. But what if there is a client called "realm"?
Is there a reason for not using the UserRoleMapping struct instead of this map of roles?
I see you moved this method from resource_keycloak_group_roles, so probably that is the way it used there as well...., But the same remark still applies

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct, I moved this function to reuse it. And I reused this "pattern" with 'realm' as a special-keywork for clients without challenging it.
But looking at the code, using a dedicated struct might simplify the handling/code, and would avoid the edge-case with clients named "realm".

I will look into this and see if I can change this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah feel free to blame me for this one. Using a dedicated struct is probably better, but I won't force you to fix this since it was my decision to do this in the first place.

Required: true,
ForceNew: true,
},
"role_ids": {
Copy link
Contributor

@tomrutsaert tomrutsaert Jun 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I understand correctly that "role_ids" contains both realm role ids and client role ids?
(I guess as they are uuids they can never a duplicate id between client role ids and realm role ids?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. That's once again adopted from keycloak_group_roles.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, Keycloak doesn't actually care if its a realm or client role, so in this sense, the provider doesn't either. So if you have multiple keycloak_role resources, you can add each keycloak_role.*.id to this set without having to worry about whether the roles are attached to realms or clients.

@mrparkers
Copy link
Contributor

I think this can be merged as-is, but I'll give you the opportunity to make the improvement that @tomrutsaert suggested if you're interested. If not, we can merge this as-is.

Thanks for the PR!

@elmarx
Copy link
Contributor Author

elmarx commented Jun 17, 2020

Thanks for your feedback!

Well I played around with the code, and yes, using a dedicated struct is much cleaner and should be simple. I will update this PR in the next few days :)

@elmarx elmarx force-pushed the add-resource-user-role branch from ca3cfa4 to a38e451 Compare June 26, 2020 09:08
@elmarx elmarx force-pushed the add-resource-user-role branch from a38e451 to 4f2c456 Compare June 26, 2020 09:23
@elmarx
Copy link
Contributor Author

elmarx commented Jun 26, 2020

OK, PR has been updated.

Short summary of changes:

The map is gone and I replaced it with a dedicated structure roleMapping, which is similar to Keycloak's UserRoleMapping, but not the same (the map for client-roles uses the uuid instead of the clientid which keycloak uses).
Thus keycloak UserRoleMapping needs to be transformed into the internal roleMapping.

This of course means the previous "diff-function" removeDuplicationRoles from resource_keycloak_group_roles can't be reused, so there's calculateRoleMappingUpdates to figure out the updates.

Copy link
Contributor

@mrparkers mrparkers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

your new implementation for this is great! thanks for your work on this.

I'm going to update the group roles implementation to match yours.

thank you for the PR!

@mrparkers mrparkers merged commit 31d39ea into keycloak:master Jun 28, 2020
@elmarx
Copy link
Contributor Author

elmarx commented Jun 29, 2020

Awesome, thanks for merging and thanks for adding documentation ;)

@elmarx elmarx deleted the add-resource-user-role branch June 29, 2020 07:55
@ryanmac8
Copy link

ryanmac8 commented Jul 6, 2020

Any idea when the documentation will be updated? Would like to try this out but don't know what variables the resource requires.

@elmarx
Copy link
Contributor Author

elmarx commented Jul 6, 2020

mrparkers already updated the documentation: https://github.com/mrparkers/terraform-provider-keycloak/blob/master/docs/resources/keycloak_user_roles.md

But please be aware that since the merge of this PR no version has been released, yet. So you need to compile the provider on your own.

@ryanmac8
Copy link

ryanmac8 commented Jul 8, 2020

Ah ok. Thanks! I was reading the documentation from https://mrparkers.github.io/terraform-provider-keycloak and couldn't find it. I did end up compelling and testing it out. Works perfectly! :D

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants