fix: support additional default client scopes

christianwoehrle · christianwoehrle · commit 2049f86eae11 · 2024-06-28T11:43:41.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.20.13 as builder
+FROM golang:1.21.11 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
diff --git a/README.md b/README.md
@@ -16,6 +16,10 @@ A basic configuration for the keycloakcontroller consists of
   
 * optional secret credential-keycloak-client-secret-seed in namespace des controllers
   * SECRET_SEED if the secret for each client should be created via a sha code of (secret-seed + client-name). This is sometimes necessary if a controller should be running in twho separate k8s clusters.
+* optional defaultClientScope for public KeycloakClients. For KeycloakClients, the defaultClientScopes are configured in the KeycloakClient CustomResource.
+If a certain defaultClientScope is needed in every KeycloakClient, e.g. the Scope "Nonce" for alle the public KeycloakClients, then this can be configured with the environment Variable ADDITIONAL_DEFAULT_CLIENT_SCOPE and in the case the value "Nonce".
+
+
 
 
 
diff --git a/controllers/keycloakclient_reconciler.go b/controllers/keycloakclient_reconciler.go
@@ -3,11 +3,13 @@ package controllers
 import (
 	"bytes"
 	"fmt"
+	"os"
 
 	kc "github.com/movewp3/keycloakclient-controller/api/v1alpha1"
 	"github.com/movewp3/keycloakclient-controller/pkg/common"
 	"github.com/movewp3/keycloakclient-controller/pkg/model"
 	"github.com/movewp3/keycloakclient-controller/pkg/util"
+	"k8s.io/utils/strings/slices"
 )
 
 const (
@@ -169,8 +171,36 @@ func (i *DedicatedKeycloakClientReconciler) ReconcileScopeMappings(state *common
 	}
 }
 
+func getAdditionalDefaultClientScope() string {
+	additionalDefaultClientScope, found := os.LookupEnv("ADDITIONAL_DEFAULT_CLIENT_SCOPE")
+	if !found {
+		return ""
+	}
+	return additionalDefaultClientScope
+}
+
 func (i *DedicatedKeycloakClientReconciler) ReconcileClientScopes(state *common.ClientState, cr *kc.KeycloakClient, desired *common.DesiredClusterState) {
-	defaultClientScopes := model.FilterClientScopesByNames(state.AvailableClientScopes, cr.Spec.Client.DefaultClientScopes)
+
+	logKcc.Info(fmt.Sprintf("ReconcileClientScopes %s", cr.Spec.Client.Name))
+
+	oldClientScopes := []string{}
+	//addedDefaultClientScope := false
+
+	additionalDefaultClientScopes := cr.Spec.Client.DefaultClientScopes
+	if getAdditionalDefaultClientScope() != "" && !slices.Contains(cr.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope()) && cr.Spec.Client.PublicClient {
+		logKcc.Info(fmt.Sprintf("Add default client scope %v",
+			getAdditionalDefaultClientScope()))
+
+		oldClientScopes = cr.Spec.Client.DefaultClientScopes
+		//addedDefaultClientScope = true
+		additionalDefaultClientScopes = append(cr.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope())
+
+		defer func() {
+			cr.Spec.Client.DefaultClientScopes = oldClientScopes
+		}()
+	}
+
+	defaultClientScopes := model.FilterClientScopesByNames(state.AvailableClientScopes, additionalDefaultClientScopes)
 
 	defaultClientScopesNew, _ := model.ClientScopeDifferenceIntersection(defaultClientScopes, state.DefaultClientScopes)
 	for _, clientScope := range defaultClientScopesNew {
@@ -449,6 +479,7 @@ func (i *DedicatedKeycloakClientReconciler) getDeletedClientClientScopeMappingsS
 }
 
 func (i *DedicatedKeycloakClientReconciler) getCreatedClientDefaultClientScopeState(state *common.ClientState, cr *kc.KeycloakClient, clientScope *kc.KeycloakClientScope) common.ClusterAction {
+
 	return common.UpdateClientDefaultClientScopeAction{
 		ClientScope: clientScope,
 		Ref:         cr,
diff --git a/pkg/common/cluster_actions.go b/pkg/common/cluster_actions.go
@@ -3,6 +3,8 @@ package common
 import (
 	"context"
 	"fmt"
+	"os"
+	"slices"
 
 	"github.com/movewp3/keycloakclient-controller/api/v1alpha1"
 	"github.com/movewp3/keycloakclient-controller/pkg/util"
@@ -133,11 +135,38 @@ func (i *ClusterActionRunner) CreateRealm(obj *v1alpha1.KeycloakRealm) error {
 	return err
 }
 
+func getAdditionalDefaultClientScope() string {
+
+	additionalDefaultClientScope, found := os.LookupEnv("ADDITIONAL_DEFAULT_CLIENT_SCOPE")
+	if !found {
+		return ""
+	}
+	return additionalDefaultClientScope
+}
+
 func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm string) error {
+
 	if i.keycloakClient == nil {
 		return errors.Errorf("cannot perform client create when client is nil")
 	}
 
+	oldClientScopes := []string{}
+	addedDefaultClientScope := false
+
+	if getAdditionalDefaultClientScope() != "" && !slices.Contains(obj.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope()) && obj.Spec.Client.PublicClient {
+		log.Info(fmt.Sprintf("Add default client scope %v",
+			getAdditionalDefaultClientScope()))
+
+		oldClientScopes = obj.Spec.Client.DefaultClientScopes
+		addedDefaultClientScope = true
+		obj.Spec.Client.DefaultClientScopes = append(obj.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope())
+
+		defer func() {
+			obj.Spec.Client.DefaultClientScopes = oldClientScopes
+		}()
+
+	}
+
 	uid, err := i.keycloakClient.CreateClient(obj.Spec.Client, realm)
 
 	if err == nil {
@@ -153,6 +182,11 @@ func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm s
 			log.Info(fmt.Sprintf("Removed secret (generated from secretSeed) from keycloak client %v",
 				obj.Name))
 		}
+		if addedDefaultClientScope {
+			obj.Spec.Client.DefaultClientScopes = oldClientScopes
+			log.Info(fmt.Sprintf("Removed additional client scope (%s) from keycloak client %v",
+				getAdditionalDefaultClientScope(), obj.Name))
+		}
 
 		return i.client.Update(i.context, obj)
 	}
@@ -182,6 +216,7 @@ func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm s
 	}
 
 	return err
+
 }
 
 func (i *ClusterActionRunner) UpdateClient(obj *v1alpha1.KeycloakClient, realm string) error {
