feat: Add childRequirement for KeycloakAuthFlow (#82)

zmotso · zmotso · commit 5e27be86b9be · 2024-08-07T11:33:34.000+03:00
diff --git a/api/v1/keycloakauthflow_types.go b/api/v1/keycloakauthflow_types.go
@@ -45,6 +45,10 @@ type KeycloakAuthFlowSpec struct {
 	// ChildType is type for auth flow if it has a parent, available options: basic-flow, form-flow
 	// +optional
 	ChildType string `json:"childType,omitempty"`
+
+	// ChildRequirement is requirement for child execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.
+	// +optional
+	ChildRequirement string `json:"childRequirement,omitempty"`
 }
 
 // AuthenticationExecution defines keycloak authentication execution.
diff --git a/config/crd/bases/v1.edp.epam.com_keycloakauthflows.yaml b/config/crd/bases/v1.edp.epam.com_keycloakauthflows.yaml
@@ -91,6 +91,10 @@ spec:
               builtIn:
                 description: BuiltIn is true if this is built-in auth flow.
                 type: boolean
+              childRequirement:
+                description: 'ChildRequirement is requirement for child execution.
+                  Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.'
+                type: string
               childType:
                 description: 'ChildType is type for auth flow if it has a parent,
                   available options: basic-flow, form-flow'
diff --git a/controllers/keycloakauthflow/keycloakauthflow_controller.go b/controllers/keycloakauthflow/keycloakauthflow_controller.go
@@ -198,6 +198,7 @@ func authFlowSpecToAdapterAuthFlow(spec *keycloakApi.KeycloakAuthFlowSpec) *adap
 		AuthenticationExecutions: make([]adapter.AuthenticationExecution, 0, len(spec.AuthenticationExecutions)),
 		ParentName:               spec.ParentName,
 		ChildType:                spec.ChildType,
+		ChildRequirement:         spec.ChildRequirement,
 	}
 
 	for _, ae := range spec.AuthenticationExecutions {
diff --git a/controllers/keycloakauthflow/keycloakrauthflow_controller_integration_test.go b/controllers/keycloakauthflow/keycloakrauthflow_controller_integration_test.go
@@ -125,4 +125,56 @@ var _ = Describe("KeycloakAuthFlow controller", Ordered, func() {
 			g.Expect(createdAuthFlow.Status.Value).Should(ContainSubstring("unable to sync auth flow"))
 		}).WithTimeout(time.Second * 10).WithPolling(time.Second).Should(Succeed())
 	})
+	It("Should create child KeycloakAuthFlow", func() {
+		By("Creating a parent KeycloakAuthFlow")
+		parentAuthFlow := &keycloakApi.KeycloakAuthFlow{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-auth-flow-parent",
+				Namespace: ns,
+			},
+			Spec: keycloakApi.KeycloakAuthFlowSpec{
+				RealmRef: common.RealmRef{
+					Kind: keycloakApi.KeycloakRealmKind,
+					Name: KeycloakRealmCR,
+				},
+				Alias:       "test-auth-flow-parent",
+				Description: "test-auth-flow-parent",
+				ProviderID:  "basic-flow",
+				TopLevel:    true,
+			},
+		}
+		Expect(k8sClient.Create(ctx, parentAuthFlow)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			createdParentAuthFlow := &keycloakApi.KeycloakAuthFlow{}
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: createdParentAuthFlow.Name, Namespace: ns}, createdParentAuthFlow)
+			g.Expect(err).ShouldNot(HaveOccurred())
+			g.Expect(createdParentAuthFlow.Status.Value).Should(Equal(helper.StatusOK))
+		}).WithTimeout(time.Second * 20).WithPolling(time.Second).Should(Succeed())
+		By("Creating a child KeycloakAuthFlow")
+		childAuthFlow := &keycloakApi.KeycloakAuthFlow{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-auth-flow-child",
+				Namespace: ns,
+			},
+			Spec: keycloakApi.KeycloakAuthFlowSpec{
+				RealmRef: common.RealmRef{
+					Kind: keycloakApi.KeycloakRealmKind,
+					Name: KeycloakRealmCR,
+				},
+				Alias:            "test-auth-flow-child",
+				Description:      "test-auth-flow-child",
+				ProviderID:       "basic-flow",
+				ParentName:       parentAuthFlow.Name,
+				ChildType:        "basic-flow",
+				ChildRequirement: "REQUIRED",
+			},
+		}
+		Expect(k8sClient.Create(ctx, childAuthFlow)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			createdChildAuthFlow := &keycloakApi.KeycloakAuthFlow{}
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: createdChildAuthFlow.Name, Namespace: ns}, createdChildAuthFlow)
+			g.Expect(err).ShouldNot(HaveOccurred())
+			g.Expect(createdChildAuthFlow.Status.Value).Should(Equal(helper.StatusOK))
+		}).WithTimeout(time.Second * 20).WithPolling(time.Second).Should(Succeed())
+	})
 })
diff --git a/deploy-templates/crds/v1.edp.epam.com_keycloakauthflows.yaml b/deploy-templates/crds/v1.edp.epam.com_keycloakauthflows.yaml
@@ -91,6 +91,10 @@ spec:
               builtIn:
                 description: BuiltIn is true if this is built-in auth flow.
                 type: boolean
+              childRequirement:
+                description: 'ChildRequirement is requirement for child execution.
+                  Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.'
+                type: string
               childType:
                 description: 'ChildType is type for auth flow if it has a parent,
                   available options: basic-flow, form-flow'
diff --git a/docs/api.md b/docs/api.md
@@ -890,6 +890,13 @@ KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.
           AuthenticationExecutions is list of authentication executions for this auth flow.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>childRequirement</b></td>
+        <td>string</td>
+        <td>
+          ChildRequirement is requirement for child execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>childType</b></td>
         <td>string</td>
diff --git a/pkg/client/keycloak/adapter/gocloak_adapter_auth_flow.go b/pkg/client/keycloak/adapter/gocloak_adapter_auth_flow.go
@@ -13,6 +13,8 @@ import (
 	"github.com/pkg/errors"
 )
 
+var errAuthFlowNotFound = NotFoundError("auth flow not found")
+
 type KeycloakAuthFlow struct {
 	ID                       string                    `json:"id,omitempty"`
 	Alias                    string                    `json:"alias"`
@@ -22,6 +24,7 @@ type KeycloakAuthFlow struct {
 	BuiltIn                  bool                      `json:"builtIn"`
 	ParentName               string                    `json:"-"`
 	ChildType                string                    `json:"-"`
+	ChildRequirement         string                    `json:"-"`
 	AuthenticationExecutions []AuthenticationExecution `json:"-"`
 }
 
@@ -172,6 +175,20 @@ func (a GoCloakAdapter) syncBaseAuthFlow(realmName string, flow *KeycloakAuthFlo
 
 		authFlowID = id
 	} else {
+		if flow.ParentName != "" && flow.ChildRequirement != "" {
+			exec, err := a.getFlowExecution(realmName, flow)
+			if err != nil {
+				return "", err
+			}
+
+			// We cant set child flow requirement during creation, so we need to update it.
+			exec.Requirement = flow.ChildRequirement
+
+			if err := a.updateFlowExecution(realmName, flow.ParentName, exec); err != nil {
+				return "", err
+			}
+		}
+
 		if err := a.clearFlowExecutions(realmName, flow.Alias); err != nil {
 			return "", errors.Wrap(err, "unable to clear flow executions")
 		}
@@ -269,7 +286,7 @@ func (a GoCloakAdapter) getFlowExecutionID(realmName string, flow *KeycloakAuthF
 		}
 	}
 
-	return "", NotFoundError("auth flow not found")
+	return "", errAuthFlowNotFound
 }
 
 func (a GoCloakAdapter) getAuthFlowID(realmName string, flow *KeycloakAuthFlow) (string, error) {
@@ -285,7 +302,7 @@ func (a GoCloakAdapter) getAuthFlowID(realmName string, flow *KeycloakAuthFlow)
 			}
 		}
 
-		return "", NotFoundError("auth flow not found")
+		return "", errAuthFlowNotFound
 	}
 
 	flows, err := a.getRealmAuthFlows(realmName)
@@ -299,7 +316,22 @@ func (a GoCloakAdapter) getAuthFlowID(realmName string, flow *KeycloakAuthFlow)
 		}
 	}
 
-	return "", NotFoundError("auth flow not found")
+	return "", errAuthFlowNotFound
+}
+
+func (a GoCloakAdapter) getFlowExecution(realmName string, flow *KeycloakAuthFlow) (*FlowExecution, error) {
+	execs, err := a.getFlowExecutions(realmName, flow.ParentName)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get auth flow executions: %w", err)
+	}
+
+	for i := range execs {
+		if execs[i].DisplayName == flow.Alias {
+			return &execs[i], nil
+		}
+	}
+
+	return nil, errAuthFlowNotFound
 }
 
 func (a GoCloakAdapter) getRealmAuthFlows(realmName string) ([]KeycloakAuthFlow, error) {
diff --git a/pkg/client/keycloak/adapter/gocloak_adapter_auth_flow_test.go b/pkg/client/keycloak/adapter/gocloak_adapter_auth_flow_test.go
@@ -233,7 +233,7 @@ func (e *ExecFlowTestSuite) TestGetAuthFlowID() {
 	id, err := e.adapter.getAuthFlowID(e.realmName, &flow)
 
 	assert.NoError(e.T(), err)
-	assert.Equal(e.T(), id, flowID)
+	assert.Equal(e.T(), flowID, id)
 }
 
 func (e *ExecFlowTestSuite) TestSetRealmBrowserFlow() {

Original file line number	Diff line number	Diff line change
`@@ -198,6 +198,7 @@ func authFlowSpecToAdapterAuthFlow(spec keycloakApi.KeycloakAuthFlowSpec) adap`
`198`	`198`	`AuthenticationExecutions: make([]adapter.AuthenticationExecution, 0, len(spec.AuthenticationExecutions)),`
`199`	`199`	`ParentName: spec.ParentName,`
`200`	`200`	`ChildType: spec.ChildType,`
	`201`	`+ ChildRequirement: spec.ChildRequirement,`
`201`	`202`	`}`
`202`	`203`
`203`	`204`	`for _, ae := range spec.AuthenticationExecutions {`
Original file line number	Diff line number	Diff line change
`@@ -233,7 +233,7 @@ func (e *ExecFlowTestSuite) TestGetAuthFlowID() {`
`233`	`233`	`id, err := e.adapter.getAuthFlowID(e.realmName, &flow)`
`234`	`234`
`235`	`235`	`assert.NoError(e.T(), err)`
`236`		`- assert.Equal(e.T(), id, flowID)`
	`236`	`+ assert.Equal(e.T(), flowID, id)`
`237`	`237`	`}`
`238`	`238`
`239`	`239`	`func (e *ExecFlowTestSuite) TestSetRealmBrowserFlow() {`