Merge pull request #9 from movewp3/fix/SupportAdditionalDefaultClientSCopes

r3kzi · web-flow · commit ca2070943be8 · 2024-06-28T13:27:05.000+02:00
fix: support additional default client scopes
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -12,7 +12,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - name: Run tests
         run: | 
           make test
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -8,7 +8,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.21
       id: go
     - name: checkout project
       uses: actions/checkout@v3
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -8,7 +8,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: 1.21
       id: go
     - name: Check out code into the Go module directory
       uses: actions/checkout@v3
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.20.13 as builder
+FROM golang:1.21.11 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
diff --git a/README.md b/README.md
@@ -16,6 +16,10 @@ A basic configuration for the keycloakcontroller consists of
   
 * optional secret credential-keycloak-client-secret-seed in namespace des controllers
   * SECRET_SEED if the secret for each client should be created via a sha code of (secret-seed + client-name). This is sometimes necessary if a controller should be running in twho separate k8s clusters.
+* optional defaultClientScope for public KeycloakClients. For KeycloakClients, the defaultClientScopes are usually configured in the KeycloakClient CustomResource.
+If a certain defaultClientScope is needed in every KeycloakClient, e.g. the Scope "Nonce" for all the public KeycloakClients after the Keycloak25 Update, then this can be configured with the environment Variable ADDITIONAL_DEFAULT_CLIENT_SCOPE and in the case the value "Nonce" (without changing all the KeycloakClient CustomResources)
+
+
 
 
 
diff --git a/controllers/keycloakclient_reconciler.go b/controllers/keycloakclient_reconciler.go
@@ -3,11 +3,13 @@ package controllers
 import (
 	"bytes"
 	"fmt"
+	"os"
 
 	kc "github.com/movewp3/keycloakclient-controller/api/v1alpha1"
 	"github.com/movewp3/keycloakclient-controller/pkg/common"
 	"github.com/movewp3/keycloakclient-controller/pkg/model"
 	"github.com/movewp3/keycloakclient-controller/pkg/util"
+	"k8s.io/utils/strings/slices"
 )
 
 const (
@@ -169,8 +171,36 @@ func (i *DedicatedKeycloakClientReconciler) ReconcileScopeMappings(state *common
 	}
 }
 
+func getAdditionalDefaultClientScope() string {
+	additionalDefaultClientScope, found := os.LookupEnv("ADDITIONAL_DEFAULT_CLIENT_SCOPE")
+	if !found {
+		return ""
+	}
+	return additionalDefaultClientScope
+}
+
 func (i *DedicatedKeycloakClientReconciler) ReconcileClientScopes(state *common.ClientState, cr *kc.KeycloakClient, desired *common.DesiredClusterState) {
-	defaultClientScopes := model.FilterClientScopesByNames(state.AvailableClientScopes, cr.Spec.Client.DefaultClientScopes)
+
+	logKcc.Info(fmt.Sprintf("ReconcileClientScopes %s", cr.Spec.Client.Name))
+
+	oldClientScopes := []string{}
+	//addedDefaultClientScope := false
+
+	additionalDefaultClientScopes := cr.Spec.Client.DefaultClientScopes
+	if getAdditionalDefaultClientScope() != "" && !slices.Contains(cr.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope()) && cr.Spec.Client.PublicClient {
+		logKcc.Info(fmt.Sprintf("Add default client scope %v",
+			getAdditionalDefaultClientScope()))
+
+		oldClientScopes = cr.Spec.Client.DefaultClientScopes
+		//addedDefaultClientScope = true
+		additionalDefaultClientScopes = append(cr.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope())
+
+		defer func() {
+			cr.Spec.Client.DefaultClientScopes = oldClientScopes
+		}()
+	}
+
+	defaultClientScopes := model.FilterClientScopesByNames(state.AvailableClientScopes, additionalDefaultClientScopes)
 
 	defaultClientScopesNew, _ := model.ClientScopeDifferenceIntersection(defaultClientScopes, state.DefaultClientScopes)
 	for _, clientScope := range defaultClientScopesNew {
@@ -449,6 +479,7 @@ func (i *DedicatedKeycloakClientReconciler) getDeletedClientClientScopeMappingsS
 }
 
 func (i *DedicatedKeycloakClientReconciler) getCreatedClientDefaultClientScopeState(state *common.ClientState, cr *kc.KeycloakClient, clientScope *kc.KeycloakClientScope) common.ClusterAction {
+
 	return common.UpdateClientDefaultClientScopeAction{
 		ClientScope: clientScope,
 		Ref:         cr,
diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.28.3
 	k8s.io/apimachinery v0.28.3
 	k8s.io/client-go v0.28.3
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 	sigs.k8s.io/controller-runtime v0.15.3
 )
 
@@ -68,7 +69,6 @@ require (
 	k8s.io/component-base v0.28.3 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
diff --git a/pkg/common/cluster_actions.go b/pkg/common/cluster_actions.go
@@ -3,6 +3,8 @@ package common
 import (
 	"context"
 	"fmt"
+	"os"
+	"slices"
 
 	"github.com/movewp3/keycloakclient-controller/api/v1alpha1"
 	"github.com/movewp3/keycloakclient-controller/pkg/util"
@@ -133,11 +135,38 @@ func (i *ClusterActionRunner) CreateRealm(obj *v1alpha1.KeycloakRealm) error {
 	return err
 }
 
+func getAdditionalDefaultClientScope() string {
+
+	additionalDefaultClientScope, found := os.LookupEnv("ADDITIONAL_DEFAULT_CLIENT_SCOPE")
+	if !found {
+		return ""
+	}
+	return additionalDefaultClientScope
+}
+
 func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm string) error {
+
 	if i.keycloakClient == nil {
 		return errors.Errorf("cannot perform client create when client is nil")
 	}
 
+	oldClientScopes := []string{}
+	addedDefaultClientScope := false
+
+	if getAdditionalDefaultClientScope() != "" && !slices.Contains(obj.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope()) && obj.Spec.Client.PublicClient {
+		log.Info(fmt.Sprintf("Add default client scope %v",
+			getAdditionalDefaultClientScope()))
+
+		oldClientScopes = obj.Spec.Client.DefaultClientScopes
+		addedDefaultClientScope = true
+		obj.Spec.Client.DefaultClientScopes = append(obj.Spec.Client.DefaultClientScopes, getAdditionalDefaultClientScope())
+
+		defer func() {
+			obj.Spec.Client.DefaultClientScopes = oldClientScopes
+		}()
+
+	}
+
 	uid, err := i.keycloakClient.CreateClient(obj.Spec.Client, realm)
 
 	if err == nil {
@@ -153,6 +182,11 @@ func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm s
 			log.Info(fmt.Sprintf("Removed secret (generated from secretSeed) from keycloak client %v",
 				obj.Name))
 		}
+		if addedDefaultClientScope {
+			obj.Spec.Client.DefaultClientScopes = oldClientScopes
+			log.Info(fmt.Sprintf("Removed additional client scope (%s) from keycloak client %v",
+				getAdditionalDefaultClientScope(), obj.Name))
+		}
 
 		return i.client.Update(i.context, obj)
 	}
@@ -182,6 +216,7 @@ func (i *ClusterActionRunner) CreateClient(obj *v1alpha1.KeycloakClient, realm s
 	}
 
 	return err
+
 }
 
 func (i *ClusterActionRunner) UpdateClient(obj *v1alpha1.KeycloakClient, realm string) error {
