feat: Add ability to add Permissions to KeycloakRealmIdentityProvider

Signed-off-by: Douglass Kirkley <doug.kirkley@gmail.com>

Author: dougkirkley

api/v1/keycloakrealmidentityprovider_types.go

@@ -59,6 +59,17 @@ type KeycloakRealmIdentityProviderSpec struct {
 	// +nullable
 	// +optional
 	Mappers []IdentityProviderMapper `json:"mappers,omitempty"`
+
+	// AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for an identity provider.
+	// Feature flag admin-fine-grained-authz:v1 should be enabled in Keycloak server.
+	// Important: FGAP:V1 Keycloak feature remains in preview and may be deprecated and removed in a future releases.
+	// +optional
+	AdminFineGrainedPermissionsEnabled bool `json:"adminFineGrainedPermissionsEnabled,omitempty"`
+
+	// Permission is a identity provider permissions configuration
+	// +nullable
+	// +optional
+	Permission *AdminFineGrainedPermission `json:"permission,omitempty"`
 }
 
 type IdentityProviderMapper struct {

api/v1/zz_generated.deepcopy.go

@@ -308,7 +308,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = keycloakrealmidentityprovider.NewReconcile(mgr.GetClient(), h, secretref.NewSecretRef(mgr.GetClient())).
+	if err = keycloakrealmidentityprovider.NewReconcile(mgr.GetClient(), h).
 		SetupWithManager(mgr, successReconcileTimeoutValue); err != nil {
 		setupLog.Error(err, "unable to create keycloak-realm-identity-provider controller")
 		os.Exit(1)

cmd/main.go

@@ -50,6 +50,12 @@ spec:
                 description: AddReadTokenRoleOnCreate is a flag to add read token
                   role on create.
                 type: boolean
+              adminFineGrainedPermissionsEnabled:
+                description: |-
+                  AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for an identity provider.
+                  Feature flag admin-fine-grained-authz:v1 should be enabled in Keycloak server.
+                  Important: FGAP:V1 Keycloak feature remains in preview and may be deprecated and removed in a future releases.
+                type: boolean
               alias:
                 description: Alias is a alias of identity provider.
                 type: string
@@ -102,6 +108,26 @@ spec:
                   type: object
                 nullable: true
                 type: array
+              permission:
+                description: Permission is a identity provider permissions configuration
+                nullable: true
+                properties:
+                  scopePermissions:
+                    description: ScopePermissions mapping of scope and the policies
+                      attached
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        policies:
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
               providerId:
                 description: ProviderID is a provider ID of identity provider.
                 type: string

config/crd/bases/v1.edp.epam.com_keycloakrealmidentityproviders.yaml

@@ -50,6 +50,12 @@ spec:
                 description: AddReadTokenRoleOnCreate is a flag to add read token
                   role on create.
                 type: boolean
+              adminFineGrainedPermissionsEnabled:
+                description: |-
+                  AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for an identity provider.
+                  Feature flag admin-fine-grained-authz:v1 should be enabled in Keycloak server.
+                  Important: FGAP:V1 Keycloak feature remains in preview and may be deprecated and removed in a future releases.
+                type: boolean
               alias:
                 description: Alias is a alias of identity provider.
                 type: string
@@ -102,6 +108,26 @@ spec:
                   type: object
                 nullable: true
                 type: array
+              permission:
+                description: Permission is a identity provider permissions configuration
+                nullable: true
+                properties:
+                  scopePermissions:
+                    description: ScopePermissions mapping of scope and the policies
+                      attached
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        policies:
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
               providerId:
                 description: ProviderID is a provider ID of identity provider.
                 type: string

deploy-templates/crds/v1.edp.epam.com_keycloakrealmidentityproviders.yaml

@@ -4342,6 +4342,15 @@ Any value can be a reference to k8s secret, in this case value should be in form
           AddReadTokenRoleOnCreate is a flag to add read token role on create.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>adminFineGrainedPermissionsEnabled</b></td>
+        <td>boolean</td>
+        <td>
+          AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for an identity provider.
+Feature flag admin-fine-grained-authz:v1 should be enabled in Keycloak server.
+Important: FGAP:V1 Keycloak feature remains in preview and may be deprecated and removed in a future releases.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>authenticateByDefault</b></td>
         <td>boolean</td>
@@ -4377,6 +4386,13 @@ Any value can be a reference to k8s secret, in this case value should be in form
           Mappers is a list of identity provider mappers.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#keycloakrealmidentityproviderspecpermission">permission</a></b></td>
+        <td>object</td>
+        <td>
+          Permission is a identity provider permissions configuration<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>storeToken</b></td>
         <td>boolean</td>
@@ -4480,6 +4496,67 @@ RealmRef is reference to Realm custom resource.
 </table>
 
 
+### KeycloakRealmIdentityProvider.spec.permission
+<sup><sup>[↩ Parent](#keycloakrealmidentityproviderspec)</sup></sup>
+
+
+
+Permission is a identity provider permissions configuration
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b><a href="#keycloakrealmidentityproviderspecpermissionscopepermissionsindex">scopePermissions</a></b></td>
+        <td>[]object</td>
+        <td>
+          ScopePermissions mapping of scope and the policies attached<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
+### KeycloakRealmIdentityProvider.spec.permission.scopePermissions[index]
+<sup><sup>[↩ Parent](#keycloakrealmidentityproviderspecpermission)</sup></sup>
+
+
+
+
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>name</b></td>
+        <td>string</td>
+        <td>
+          <br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>policies</b></td>
+        <td>[]string</td>
+        <td>
+          <br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### KeycloakRealmIdentityProvider.status
 <sup><sup>[↩ Parent](#keycloakrealmidentityprovider)</sup></sup>
 

docs/api.md

@@ -0,0 +1,69 @@
+package chain
+
+import (
+	"context"
+	"fmt"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	keycloakApi "github.com/epam/edp-keycloak-operator/api/v1"
+	"github.com/epam/edp-keycloak-operator/pkg/client/keycloak"
+	"github.com/epam/edp-keycloak-operator/pkg/secretref"
+)
+
+type ClientHandler interface {
+	Serve(
+		ctx context.Context,
+		keycloakRealmIDP *keycloakApi.KeycloakRealmIdentityProvider,
+		realmName string,
+	) error
+}
+
+type Chain struct {
+	handlers []ClientHandler
+}
+
+func (ch *Chain) Use(handlers ...ClientHandler) {
+	ch.handlers = append(ch.handlers, handlers...)
+}
+
+func (ch *Chain) Serve(
+	ctx context.Context,
+	keycloakRealmIDP *keycloakApi.KeycloakRealmIdentityProvider,
+	realmName string,
+) error {
+	log := ctrl.LoggerFrom(ctx)
+
+	log.Info("Starting KeycloakIDP chain")
+
+	for i := 0; i < len(ch.handlers); i++ {
+		h := ch.handlers[i]
+
+		err := h.Serve(ctx, keycloakRealmIDP, realmName)
+		if err != nil {
+			log.Info("KeycloakIDP chain finished with error")
+
+			return fmt.Errorf("failed to serve handler: %w", err)
+		}
+	}
+
+	log.Info("Handling of KeycloakIDP has been finished")
+
+	return nil
+}
+
+func MakeChain(
+	keycloakApiClient keycloak.Client,
+	k8sClient client.Client,
+) *Chain {
+	c := &Chain{}
+
+	c.Use(
+		NewPutIDP(keycloakApiClient, k8sClient, secretref.NewSecretRef(k8sClient)),
+		NewPutIDPMappers(keycloakApiClient, k8sClient, secretref.NewSecretRef(k8sClient)),
+		NewPutAdminFineGrainedPermissions(keycloakApiClient),
+	)
+
+	return c
+}