Add support for sub mapper (#1323)

Signed-off-by: Eunseok Kang <[email protected]>

Author: ethan-k

docs/resources/openid_sub_protocol_mapper.md

@@ -0,0 +1,82 @@
+---
+page_title: "keycloak_openid_sub_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_sub\_protocol\_mapper Resource
+
+Allows for creating and managing sub protocol mappers within Keycloak.
+
+Sub protocol mappers add the Subject (sub) claim to tokens. The sub claim contains the user ID and is a standard claim in OpenID Connect tokens.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "client"
+
+  name    = "client"
+  enabled = true
+
+  access_type         = "CONFIDENTIAL"
+  valid_redirect_uris = [
+    "http://localhost:8080/openid-callback"
+  ]
+}
+
+resource "keycloak_openid_sub_protocol_mapper" "sub_mapper" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = keycloak_openid_client.openid_client.id
+  name      = "sub-mapper"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+  realm_id = keycloak_realm.realm.id
+  name     = "client-scope"
+}
+
+resource "keycloak_openid_sub_protocol_mapper" "sub_mapper" {
+  realm_id        = keycloak_realm.realm.id
+  client_scope_id = keycloak_openid_client_scope.client_scope.id
+  name            = "sub-mapper"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `add_to_access_token` - (Optional) Indicates if the sub claim should be added to the access token. Defaults to `true`.
+- `add_to_token_introspection` - (Optional) Indicates if the sub claim should be added to the token introspection response. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_sub_protocol_mapper.sub_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_sub_protocol_mapper.sub_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```

keycloak/openid_sub_protocol_mapper.go

@@ -0,0 +1,107 @@
+package keycloak
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+)
+
+type OpenIdSubProtocolMapper struct {
+	Id            string
+	Name          string
+	RealmId       string
+	ClientId      string
+	ClientScopeId string
+
+	AddToAccessToken        bool
+	AddToTokenIntrospection bool
+}
+
+func (mapper *OpenIdSubProtocolMapper) convertToGenericProtocolMapper() *protocolMapper {
+	return &protocolMapper{
+		Id:             mapper.Id,
+		Name:           mapper.Name,
+		Protocol:       "openid-connect",
+		ProtocolMapper: "oidc-sub-mapper",
+		Config: map[string]string{
+			addToAccessTokenField:        strconv.FormatBool(mapper.AddToAccessToken),
+			addToTokenIntrospectionField: strconv.FormatBool(mapper.AddToTokenIntrospection),
+		},
+	}
+}
+
+func (protocolMapper *protocolMapper) convertToOpenIdSubProtocolMapper(realmId, clientId, clientScopeId string) (*OpenIdSubProtocolMapper, error) {
+	addToAccessToken, err := parseBoolAndTreatEmptyStringAsFalse(protocolMapper.Config[addToAccessTokenField])
+	if err != nil {
+		return nil, err
+	}
+
+	addToTokenIntrospection, err := parseBoolAndTreatEmptyStringAsFalse(protocolMapper.Config[addToTokenIntrospectionField])
+	if err != nil {
+		return nil, err
+	}
+
+	return &OpenIdSubProtocolMapper{
+		Id:            protocolMapper.Id,
+		Name:          protocolMapper.Name,
+		RealmId:       realmId,
+		ClientId:      clientId,
+		ClientScopeId: clientScopeId,
+
+		AddToAccessToken:        addToAccessToken,
+		AddToTokenIntrospection: addToTokenIntrospection,
+	}, nil
+}
+
+func (keycloakClient *KeycloakClient) GetOpenIdSubProtocolMapper(ctx context.Context, realmId, clientId, clientScopeId, mapperId string) (*OpenIdSubProtocolMapper, error) {
+	var protoMapper *protocolMapper
+
+	err := keycloakClient.get(ctx, individualProtocolMapperPath(realmId, clientId, clientScopeId, mapperId), &protoMapper, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return protoMapper.convertToOpenIdSubProtocolMapper(realmId, clientId, clientScopeId)
+}
+
+func (keycloakClient *KeycloakClient) DeleteOpenIdSubProtocolMapper(ctx context.Context, realmId, clientId, clientScopeId, mapperId string) error {
+	return keycloakClient.delete(ctx, individualProtocolMapperPath(realmId, clientId, clientScopeId, mapperId), nil)
+}
+
+func (keycloakClient *KeycloakClient) NewOpenIdSubProtocolMapper(ctx context.Context, mapper *OpenIdSubProtocolMapper) error {
+	path := protocolMapperPath(mapper.RealmId, mapper.ClientId, mapper.ClientScopeId)
+
+	_, location, err := keycloakClient.post(ctx, path, mapper.convertToGenericProtocolMapper())
+	if err != nil {
+		return err
+	}
+
+	mapper.Id = getIdFromLocationHeader(location)
+
+	return nil
+}
+
+func (keycloakClient *KeycloakClient) UpdateOpenIdSubProtocolMapper(ctx context.Context, mapper *OpenIdSubProtocolMapper) error {
+	path := individualProtocolMapperPath(mapper.RealmId, mapper.ClientId, mapper.ClientScopeId, mapper.Id)
+
+	return keycloakClient.put(ctx, path, mapper.convertToGenericProtocolMapper())
+}
+
+func (keycloakClient *KeycloakClient) ValidateOpenIdSubProtocolMapper(ctx context.Context, mapper *OpenIdSubProtocolMapper) error {
+	if mapper.ClientId == "" && mapper.ClientScopeId == "" {
+		return fmt.Errorf("validation error: one of ClientId or ClientScopeId must be set")
+	}
+
+	protocolMappers, err := keycloakClient.listGenericProtocolMappers(ctx, mapper.RealmId, mapper.ClientId, mapper.ClientScopeId)
+	if err != nil {
+		return err
+	}
+
+	for _, protocolMapper := range protocolMappers {
+		if protocolMapper.Name == mapper.Name && protocolMapper.Id != mapper.Id {
+			return fmt.Errorf("validation error: a protocol mapper with name %s already exists for this client", mapper.Name)
+		}
+	}
+
+	return nil
+}

provider/provider.go

@@ -72,6 +72,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 			"keycloak_openid_user_property_protocol_mapper":              resourceKeycloakOpenIdUserPropertyProtocolMapper(),
 			"keycloak_openid_group_membership_protocol_mapper":           resourceKeycloakOpenIdGroupMembershipProtocolMapper(),
 			"keycloak_openid_full_name_protocol_mapper":                  resourceKeycloakOpenIdFullNameProtocolMapper(),
+			"keycloak_openid_sub_protocol_mapper":                        resourceKeycloakOpenIdSubProtocolMapper(),
 			"keycloak_openid_hardcoded_claim_protocol_mapper":            resourceKeycloakOpenIdHardcodedClaimProtocolMapper(),
 			"keycloak_openid_audience_protocol_mapper":                   resourceKeycloakOpenIdAudienceProtocolMapper(),
 			"keycloak_openid_audience_resolve_protocol_mapper":           resourceKeycloakOpenIdAudienceResolveProtocolMapper(),

provider/resource_keycloak_openid_sub_protocol_mapper.go

@@ -0,0 +1,156 @@
+package provider
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/keycloak/terraform-provider-keycloak/keycloak"
+)
+
+func resourceKeycloakOpenIdSubProtocolMapper() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceKeycloakOpenIdSubProtocolMapperCreate,
+		ReadContext:   resourceKeycloakOpenIdSubProtocolMapperRead,
+		UpdateContext: resourceKeycloakOpenIdSubProtocolMapperUpdate,
+		DeleteContext: resourceKeycloakOpenIdSubProtocolMapperDelete,
+		Importer: &schema.ResourceImporter{
+			// import a mapper tied to a client:
+			// {{realmId}}/client/{{clientId}}/{{protocolMapperId}}
+			// or a client scope:
+			// {{realmId}}/client-scope/{{clientScopeId}}/{{protocolMapperId}}
+			StateContext: genericProtocolMapperImport,
+		},
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "A human-friendly name that will appear in the Keycloak console.",
+			},
+			"realm_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The realm id where the associated client or client scope exists.",
+			},
+			"client_id": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ForceNew:      true,
+				Description:   "The mapper's associated client. Cannot be used at the same time as client_scope_id.",
+				ConflictsWith: []string{"client_scope_id"},
+			},
+			"client_scope_id": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ForceNew:      true,
+				Description:   "The mapper's associated client scope. Cannot be used at the same time as client_id.",
+				ConflictsWith: []string{"client_id"},
+			},
+			"add_to_access_token": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     true,
+				Description: "Indicates if the attribute should be a claim in the access token.",
+			},
+			"add_to_token_introspection": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     true,
+				Description: "Indicates if the attribute should be a claim in the token introspection response body.",
+			},
+		},
+	}
+}
+
+func mapFromDataToOpenIdSubProtocolMapper(data *schema.ResourceData) *keycloak.OpenIdSubProtocolMapper {
+	return &keycloak.OpenIdSubProtocolMapper{
+		Id:                      data.Id(),
+		Name:                    data.Get("name").(string),
+		RealmId:                 data.Get("realm_id").(string),
+		ClientId:                data.Get("client_id").(string),
+		ClientScopeId:           data.Get("client_scope_id").(string),
+		AddToAccessToken:        data.Get("add_to_access_token").(bool),
+		AddToTokenIntrospection: data.Get("add_to_token_introspection").(bool),
+	}
+}
+
+func mapFromOpenIdSubMapperToData(mapper *keycloak.OpenIdSubProtocolMapper, data *schema.ResourceData) {
+	data.SetId(mapper.Id)
+	data.Set("name", mapper.Name)
+	data.Set("realm_id", mapper.RealmId)
+
+	if mapper.ClientId != "" {
+		data.Set("client_id", mapper.ClientId)
+	} else {
+		data.Set("client_scope_id", mapper.ClientScopeId)
+	}
+
+	data.Set("add_to_access_token", mapper.AddToAccessToken)
+	data.Set("add_to_token_introspection", mapper.AddToTokenIntrospection)
+}
+
+func resourceKeycloakOpenIdSubProtocolMapperCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	openIdSubMapper := mapFromDataToOpenIdSubProtocolMapper(data)
+
+	err := keycloakClient.ValidateOpenIdSubProtocolMapper(ctx, openIdSubMapper)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = keycloakClient.NewOpenIdSubProtocolMapper(ctx, openIdSubMapper)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	mapFromOpenIdSubMapperToData(openIdSubMapper, data)
+
+	return resourceKeycloakOpenIdSubProtocolMapperRead(ctx, data, meta)
+}
+
+func resourceKeycloakOpenIdSubProtocolMapperRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+	realmId := data.Get("realm_id").(string)
+	clientId := data.Get("client_id").(string)
+	clientScopeId := data.Get("client_scope_id").(string)
+
+	openIdSubMapper, err := keycloakClient.GetOpenIdSubProtocolMapper(ctx, realmId, clientId, clientScopeId, data.Id())
+	if err != nil {
+		return handleNotFoundError(ctx, err, data)
+	}
+
+	mapFromOpenIdSubMapperToData(openIdSubMapper, data)
+
+	return nil
+}
+
+func resourceKeycloakOpenIdSubProtocolMapperUpdate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	openIdSubMapper := mapFromDataToOpenIdSubProtocolMapper(data)
+
+	err := keycloakClient.ValidateOpenIdSubProtocolMapper(ctx, openIdSubMapper)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = keycloakClient.UpdateOpenIdSubProtocolMapper(ctx, openIdSubMapper)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return resourceKeycloakOpenIdSubProtocolMapperRead(ctx, data, meta)
+}
+
+func resourceKeycloakOpenIdSubProtocolMapperDelete(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	realmId := data.Get("realm_id").(string)
+	clientId := data.Get("client_id").(string)
+	clientScopeId := data.Get("client_scope_id").(string)
+
+	return diag.FromErr(keycloakClient.DeleteOpenIdSubProtocolMapper(ctx, realmId, clientId, clientScopeId, data.Id()))
+}