Merge pull request #10 from movewp3/fix/SupportMultipleAdditionalDefaultClientSCopes

r3kzi · web-flow · commit 5c0901388155 · 2024-07-02T11:29:16.000+02:00
feat: [PACLOUD-386] Support Multiple Additional Default Client Scopes
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.21.11 as builder
+FROM golang:1.21.11 AS builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
diff --git a/README.md b/README.md
@@ -16,8 +16,8 @@ A basic configuration for the keycloakcontroller consists of
   
 * optional secret credential-keycloak-client-secret-seed in namespace des controllers
   * SECRET_SEED if the secret for each client should be created via a sha code of (secret-seed + client-name). This is sometimes necessary if a controller should be running in twho separate k8s clusters.
-* optional defaultClientScope for public KeycloakClients. For KeycloakClients, the defaultClientScopes are usually configured in the KeycloakClient CustomResource.
-If a certain defaultClientScope is needed in every KeycloakClient, e.g. the Scope "Nonce" for all the public KeycloakClients after the Keycloak25 Update, then this can be configured with the environment Variable ADDITIONAL_DEFAULT_CLIENT_SCOPE and in the case the value "Nonce" (without changing all the KeycloakClient CustomResources)
+* optional defaultClientScopes for public KeycloakClients. For KeycloakClients, the defaultClientScopes are usually configured in the KeycloakClient CustomResource.
+If a certain defaultClientScope is needed in every KeycloakClient, e.g. the Scopes "Nonce" and "basic" for all the public KeycloakClients after the Keycloak25 Update, then this can be configured with the environment Variable ADDITIONAL_DEFAULT_CLIENT_SCOPES and in the case the value "Nonce,basic" (without changing all the KeycloakClient CustomResources)
 
 
 
diff --git a/pkg/common/cluster_actions.go b/pkg/common/cluster_actions.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"slices"
+	"strings"
 
 	"github.com/movewp3/keycloakclient-controller/api/v1alpha1"
 	"github.com/movewp3/keycloakclient-controller/pkg/util"
@@ -135,13 +136,13 @@ func (i *ClusterActionRunner) CreateRealm(obj *v1alpha1.KeycloakRealm) error {
 	return err
 }
 
-func getAdditionalDefaultClientScope() string {
-
-	additionalDefaultClientScope, found := os.LookupEnv("ADDITIONAL_DEFAULT_CLIENT_SCOPE")
+func getAdditionalDefaultClientScopes() []string {
+	additionalDefaultClientScopes, found := os.LookupEnv("ADDITIONAL_DEFAULT_CLIENT_SCOPES")
 	if !found {
-		return ""
+		return []string{}
 	}
-	return additionalDefaultClientScope
+
+	return strings.Split(additionalDefaultClientScopes, ",")
 }
 
 func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm string) error {
@@ -150,22 +151,25 @@ func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm s
 		return errors.Errorf("cannot perform client create when client is nil")
 	}
 
-	oldClientScopes := []string{}
+	oldClientScopes := obj.Spec.Client.DefaultClientScopes
 	addedDefaultClientScope := false
 
-	if getAdditionalDefaultClientScope() != "" && !slices.Contains(obj.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope()) && obj.Spec.Client.PublicClient {
-		log.Info(fmt.Sprintf("Add default client scope %v",
-			getAdditionalDefaultClientScope()))
-
-		oldClientScopes = obj.Spec.Client.DefaultClientScopes
-		addedDefaultClientScope = true
-		obj.Spec.Client.DefaultClientScopes = append(obj.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope())
-
+	additionalDefaultClientScopes := obj.Spec.Client.DefaultClientScopes
+	if obj.Spec.Client.PublicClient {
+		for _, scope := range getAdditionalDefaultClientScopes() {
+			if !slices.Contains(obj.Spec.Client.DefaultClientScopes, scope) {
+				addedDefaultClientScope = true
+				log.Info(fmt.Sprintf("Add default client scope %v",
+					getAdditionalDefaultClientScopes()))
+				additionalDefaultClientScopes = append(additionalDefaultClientScopes, scope)
+			}
+		}
 		defer func() {
 			obj.Spec.Client.DefaultClientScopes = oldClientScopes
 		}()
 
 	}
+	obj.Spec.Client.DefaultClientScopes = additionalDefaultClientScopes
 
 	uid, err := i.keycloakClient.CreateClient(obj.Spec.Client, realm)
 
@@ -184,8 +188,8 @@ func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm s
 		}
 		if addedDefaultClientScope {
 			obj.Spec.Client.DefaultClientScopes = oldClientScopes
-			log.Info(fmt.Sprintf("Removed additional client scope (%s) from keycloak client %v",
-				getAdditionalDefaultClientScope(), obj.Name))
+			log.Info(fmt.Sprintf("Removed additional client scope from keycloak client %v",
+				obj.Name))
 		}
 
 		return i.client.Update(i.context, obj)
@@ -211,6 +215,23 @@ func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm s
 
 		if err == nil {
 			obj.Spec.Client.ID = uid
+			//  keycloak CR is updated here with uid
+			log.Info(fmt.Sprintf("Update K8S Keycloakclient %v",
+				obj.Name))
+
+			// if secret was generated via seed secret, then dont store it
+			sha, errsha := util.GetClientShaCode(obj.Spec.Client.ClientID)
+			if errsha == nil && sha == obj.Spec.Client.Secret {
+				obj.Spec.Client.Secret = ""
+				log.Info(fmt.Sprintf("Removed secret (generated from secretSeed) from keycloak client %v",
+					obj.Name))
+			}
+			if addedDefaultClientScope {
+				obj.Spec.Client.DefaultClientScopes = oldClientScopes
+				log.Info(fmt.Sprintf("Removed additional client scope from keycloak client %v",
+					obj.Name))
+			}
+
 			return i.client.Update(i.context, obj)
 		}
 	}
