fix: Client creation fails due to admin fine grained permissions (#180)

- Added a new method to check if the ADMIN_FINE_GRAINED_AUTHZ feature flag
is enabled in Keycloak.
- Added condition to not process admin fine grained permissions
  if ADMIN_FINE_GRAINED_AUTHZ is not enabled.
- Prevents client creation failures when the feature flag is disabled in Keycloak server.

Author: zmotso

.mockery.yaml

@@ -5,6 +5,8 @@ mockname: "Mock{{.InterfaceName}}"
 outpkg: "mocks"
 filename: "{{.InterfaceName | lower}}_mock.go"
 issue-845-fix: True
+resolve-type-alias: False
+disable-version-string: True
 packages:
   github.com/epam/edp-keycloak-operator/pkg/client/keycloak:
     interfaces:

api/v1/keycloakclient_types.go

@@ -132,6 +132,7 @@ type KeycloakClientSpec struct {
 	AuthorizationServicesEnabled bool `json:"authorizationServicesEnabled,omitempty"`
 
 	// AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for a client.
+	// Feature flag ADMIN_FINE_GRAINED_AUTHZ should be enabled in Keycloak server.
 	// +optional
 	AdminFineGrainedPermissionsEnabled bool `json:"adminFineGrainedPermissionsEnabled,omitempty"`
 

config/crd/bases/v1.edp.epam.com_keycloakclients.yaml

@@ -45,8 +45,9 @@ spec:
             description: KeycloakClientSpec defines the desired state of KeycloakClient.
             properties:
               adminFineGrainedPermissionsEnabled:
-                description: AdminFineGrainedPermissionsEnabled enable/disable fine-grained
-                  admin permissions for a client.
+                description: |-
+                  AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for a client.
+                  Feature flag ADMIN_FINE_GRAINED_AUTHZ should be enabled in Keycloak server.
                 type: boolean
               adminUrl:
                 description: |-

deploy-templates/crds/v1.edp.epam.com_keycloakclients.yaml

@@ -45,8 +45,9 @@ spec:
             description: KeycloakClientSpec defines the desired state of KeycloakClient.
             properties:
               adminFineGrainedPermissionsEnabled:
-                description: AdminFineGrainedPermissionsEnabled enable/disable fine-grained
-                  admin permissions for a client.
+                description: |-
+                  AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for a client.
+                  Feature flag ADMIN_FINE_GRAINED_AUTHZ should be enabled in Keycloak server.
                 type: boolean
               adminUrl:
                 description: |-

docs/api.md

@@ -1966,7 +1966,8 @@ KeycloakClientSpec defines the desired state of KeycloakClient.
         <td><b>adminFineGrainedPermissionsEnabled</b></td>
         <td>boolean</td>
         <td>
-          AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for a client.<br/>
+          AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for a client.
+Feature flag ADMIN_FINE_GRAINED_AUTHZ should be enabled in Keycloak server.<br/>
         </td>
         <td>false</td>
       </tr><tr>

internal/controller/keycloakclient/chain/put_client_admin_fine_grained_perms.go

@@ -26,6 +26,18 @@ func NewPutAdminFineGrainedPermissions(keycloakApiClient keycloak.Client) *PutAd
 }
 
 func (el *PutAdminFineGrainedPermissions) Serve(ctx context.Context, keycloakClient *keycloakApi.KeycloakClient, realmName string) error {
+	featureFlagEnabled, err := el.keycloakApiClient.FeatureFlagEnabled(ctx, adapter.FeatureFlagAdminFineGrainedAuthz)
+	if err != nil {
+		return fmt.Errorf("failed to check feature flag ADMIN_FINE_GRAINED_AUTHZ: %w", err)
+	}
+
+	if !featureFlagEnabled {
+		log := ctrl.LoggerFrom(ctx)
+		log.Info("Feature flag is not enabled, skipping admin fine grained permissions", "featureFlag", adapter.FeatureFlagAdminFineGrainedAuthz)
+
+		return nil
+	}
+
 	clientID, err := el.keycloakApiClient.GetClientID(keycloakClient.Spec.ClientId, realmName)
 	if err != nil {
 		return fmt.Errorf("failed to get client id: %w", err)

internal/controller/keycloakclient/chain/put_client_admin_fine_grained_perms_test.go

@@ -2,6 +2,7 @@ package chain
 
 import (
 	"context"
+	"fmt"
 	"testing"
 
 	"github.com/Nerzal/gocloak/v12"
@@ -67,6 +68,10 @@ func TestPutAdminFineGrainedPermissions_Serve(t *testing.T) {
 					"map-role": "321",
 				}
 
+				m.On("FeatureFlagEnabled", ctrl.LoggerInto(context.Background(), logr.Discard()), "ADMIN_FINE_GRAINED_AUTHZ").
+					Return(true, nil).
+					Once()
+
 				m.On("GetClientID", "test-client-id", "realm").
 					Return("123", nil).
 					Once()
@@ -102,6 +107,90 @@ func TestPutAdminFineGrainedPermissions_Serve(t *testing.T) {
 			},
 			wantErr: require.NoError,
 		},
+		{
+			name: "with feature flag disabled",
+			client: func(t *testing.T) client.Client {
+				s := runtime.NewScheme()
+				require.NoError(t, keycloakApi.AddToScheme(s))
+				require.NoError(t, corev1.AddToScheme(s))
+
+				return fake.NewClientBuilder().WithScheme(s).WithObjects(
+					&keycloakApi.KeycloakClient{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "test-client",
+							Namespace: "default",
+						},
+						Spec: keycloakApi.KeycloakClientSpec{
+							ClientId:                           "test-client-id",
+							AdminFineGrainedPermissionsEnabled: true,
+							Permission: &keycloakApi.AdminFineGrainedPermission{
+								ScopePermissions: []keycloakApi.ScopePermissions{
+									{
+										Name:     "map-role",
+										Policies: []string{"scope permission"},
+									},
+								},
+							},
+						},
+					}).Build()
+			},
+			keycloakClient: client.ObjectKey{
+				Name:      "test-client",
+				Namespace: "default",
+			},
+			keycloakApiClient: func(t *testing.T) *mocks.MockClient {
+				m := mocks.NewMockClient(t)
+
+				m.On("FeatureFlagEnabled", ctrl.LoggerInto(context.Background(), logr.Discard()), "ADMIN_FINE_GRAINED_AUTHZ").
+					Return(false, nil).
+					Once()
+
+				return m
+			},
+			wantErr: require.NoError,
+		},
+		{
+			name: "with feature flag check error",
+			client: func(t *testing.T) client.Client {
+				s := runtime.NewScheme()
+				require.NoError(t, keycloakApi.AddToScheme(s))
+				require.NoError(t, corev1.AddToScheme(s))
+
+				return fake.NewClientBuilder().WithScheme(s).WithObjects(
+					&keycloakApi.KeycloakClient{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "test-client",
+							Namespace: "default",
+						},
+						Spec: keycloakApi.KeycloakClientSpec{
+							ClientId:                           "test-client-id",
+							AdminFineGrainedPermissionsEnabled: true,
+							Permission: &keycloakApi.AdminFineGrainedPermission{
+								ScopePermissions: []keycloakApi.ScopePermissions{
+									{
+										Name:     "map-role",
+										Policies: []string{"scope permission"},
+									},
+								},
+							},
+						},
+					}).Build()
+			},
+			keycloakClient: client.ObjectKey{
+				Name:      "test-client",
+				Namespace: "default",
+			},
+			keycloakApiClient: func(t *testing.T) *mocks.MockClient {
+				m := mocks.NewMockClient(t)
+
+				m.On("FeatureFlagEnabled", ctrl.LoggerInto(context.Background(), logr.Discard()), "ADMIN_FINE_GRAINED_AUTHZ").
+					Return(false, fmt.Errorf("feature flag check failed")).
+					Once()
+
+				return m
+			},
+			wantErr: require.Error,
+		},
 	}
 
 	for _, tt := range tests {

internal/controller/keycloakclient/keycloakclient_controller_integration_test.go

@@ -22,6 +22,29 @@ import (
 
 var _ = Describe("KeycloakClient controller", Ordered, func() {
 	It("Should create KeycloakClient with secret reference", func() {
+		By("Checking feature flag ADMIN_FINE_GRAINED_AUTHZ")
+		By("Creating a KeycloakClient to check feature flag")
+		keycloakApiClient, err := controllerHelper.CreateKeycloakClientFromRealmRef(
+			ctx,
+			&keycloakApi.KeycloakClient{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-keycloak-client-to-check-feature-flag",
+					Namespace: ns,
+				},
+				Spec: keycloakApi.KeycloakClientSpec{
+					RealmRef: common.RealmRef{
+						Name: KeycloakRealmCR,
+						Kind: keycloakApi.KeycloakRealmKind,
+					},
+				},
+			},
+		)
+		Expect(err).ShouldNot(HaveOccurred())
+
+		featureFlagEnabled, err := keycloakApiClient.FeatureFlagEnabled(ctx, "ADMIN_FINE_GRAINED_AUTHZ")
+		Expect(err).ShouldNot(HaveOccurred())
+		Expect(featureFlagEnabled).Should(BeTrue(), "Feature flag ADMIN_FINE_GRAINED_AUTHZ should be enabled")
+
 		By("Creating a client secret")
 		clientSecret := &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
@@ -66,7 +89,7 @@ var _ = Describe("KeycloakClient controller", Ordered, func() {
 					Browser:     "browser",
 					DirectGrant: "direct grant",
 				},
-				//AdminFineGrainedPermissionsEnabled: true,
+				AdminFineGrainedPermissionsEnabled: true,
 			},
 		}
 

internal/controller/keycloakclient/suite_test.go

@@ -32,12 +32,13 @@ import (
 )
 
 var (
-	cfg         *rest.Config
-	k8sClient   client.Client
-	testEnv     *envtest.Environment
-	ctx         context.Context
-	cancel      context.CancelFunc
-	keycloakURL string
+	cfg              *rest.Config
+	k8sClient        client.Client
+	testEnv          *envtest.Environment
+	ctx              context.Context
+	cancel           context.CancelFunc
+	keycloakURL      string
+	controllerHelper *helper.Helper
 )
 
 const (
@@ -94,17 +95,17 @@ var _ = BeforeSuite(func() {
 	})
 	Expect(err).ToNot(HaveOccurred())
 
-	h := helper.MakeHelper(k8sManager.GetClient(), k8sManager.GetScheme(), "default")
+	controllerHelper = helper.MakeHelper(k8sManager.GetClient(), k8sManager.GetScheme(), "default")
 
-	err = keycloak.NewReconcileKeycloak(k8sManager.GetClient(), k8sManager.GetScheme(), h).
+	err = keycloak.NewReconcileKeycloak(k8sManager.GetClient(), k8sManager.GetScheme(), controllerHelper).
 		SetupWithManager(k8sManager, 0)
 	Expect(err).ToNot(HaveOccurred())
 
-	err = keycloakrealm.NewReconcileKeycloakRealm(k8sManager.GetClient(), k8sManager.GetScheme(), h).
+	err = keycloakrealm.NewReconcileKeycloakRealm(k8sManager.GetClient(), k8sManager.GetScheme(), controllerHelper).
 		SetupWithManager(k8sManager, 0)
 	Expect(err).ToNot(HaveOccurred())
 
-	err = NewReconcileKeycloakClient(k8sManager.GetClient(), h).
+	err = NewReconcileKeycloakClient(k8sManager.GetClient(), controllerHelper).
 		SetupWithManager(k8sManager, 0)
 	Expect(err).ToNot(HaveOccurred())
 

pkg/client/keycloak/adapter/gocloak_adapter.go

@@ -69,6 +69,7 @@ const (
 	getChildGroups                  = "/admin/realms/{realm}/groups/{groupID}/children"
 	getGroup                        = "/admin/realms/{realm}/groups/{groupID}"
 	clientManagementPermissions     = "/admin/realms/{realm}/clients/{id}/management/permissions"
+	serverInfo                      = "/admin/serverinfo"
 	logClientDTO                    = "client dto"
 )