adds attribute signature_algorithm to resource keycloak_saml_client (#…

…345) Co-authored-by: Hannes Nagel <[email protected]> Co-authored-by: Michael Parker <[email protected]>
keycloak · Jul 17, 2020 · 4d39dbf · 4d39dbf
1 parent 10a1c2d
commit 4d39dbf
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 1 deletion.
diff --git a/docs/resources/keycloak_saml_client.md b/docs/resources/keycloak_saml_client.md
@@ -46,6 +46,7 @@ The following arguments are supported:
 - `front_channel_logout` - (Optional) When `true`, this client will require a browser redirect in order to perform a logout.
 - `name_id_format` - (Optional) Sets the Name ID format for the subject.
 - `force_name_id_format` - (Optional) Ignore requested NameID subject format and use the one defined in `name_id_format` instead.
+- `signature_algorithm` - (Optional) The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA512", or "DSA_SHA1".
 - `root_url` - (Optional) When specified, this value is prepended to all relative URLs.
 - `valid_redirect_uris` - (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
 - `base_url` - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client.

diff --git a/keycloak/saml_client.go b/keycloak/saml_client.go
@@ -13,6 +13,7 @@ type SamlClientAttributes struct {
 	ForcePostBinding        *string `json:"saml.force.post.binding"`
 	ForceNameIdFormat       *string `json:"saml_force_name_id_format"`
 	// attributes above are actually booleans, but the Keycloak API expects strings
+	SignatureAlgorithm              string  `json:"saml.signature.algorithm"`
 	NameIdFormat                    string  `json:"saml_name_id_format"`
 	SigningCertificate              *string `json:"saml.signing.certificate,omitempty"`
 	SigningPrivateKey               *string `json:"saml.signing.private.key"`

diff --git a/provider/resource_keycloak_saml_client.go b/provider/resource_keycloak_saml_client.go
@@ -11,7 +11,8 @@ import (
 )
 
 var (
-	keycloakSamlClientNameIdFormats = []string{"username", "email", "transient", "persistent"}
+	keycloakSamlClientNameIdFormats       = []string{"username", "email", "transient", "persistent"}
+	keycloakSamlClientSignatureAlgorithms = []string{"RSA_SHA1", "RSA_SHA256", "RSA_SHA512", "DSA_SHA1"}
 )
 
 func resourceKeycloakSamlClient() *schema.Resource {
@@ -87,6 +88,11 @@ func resourceKeycloakSamlClient() *schema.Resource {
 				Optional: true,
 				Computed: true,
 			},
+			"signature_algorithm": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice(keycloakSamlClientSignatureAlgorithms, false),
+			},
 			"name_id_format": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -195,6 +201,7 @@ func mapToSamlClientFromData(data *schema.ResourceData) *keycloak.SamlClient {
 	}
 
 	samlAttributes := &keycloak.SamlClientAttributes{
+		SignatureAlgorithm:              data.Get("signature_algorithm").(string),
 		NameIdFormat:                    data.Get("name_id_format").(string),
 		IDPInitiatedSSOURLName:          data.Get("idp_initiated_sso_url_name").(string),
 		IDPInitiatedSSORelayState:       data.Get("idp_initiated_sso_relay_state").(string),
@@ -360,6 +367,7 @@ func mapToDataFromSamlClient(data *schema.ResourceData, client *keycloak.SamlCli
 	data.Set("valid_redirect_uris", client.ValidRedirectUris)
 	data.Set("base_url", client.BaseUrl)
 	data.Set("master_saml_processing_url", client.MasterSamlProcessingUrl)
+	data.Set("signature_algorithm", client.Attributes.SignatureAlgorithm)
 	data.Set("name_id_format", client.Attributes.NameIdFormat)
 	data.Set("idp_initiated_sso_url_name", client.Attributes.IDPInitiatedSSOURLName)
 	data.Set("idp_initiated_sso_relay_state", client.Attributes.IDPInitiatedSSORelayState)

diff --git a/provider/resource_keycloak_saml_client_test.go b/provider/resource_keycloak_saml_client_test.go
@@ -162,6 +162,7 @@ func TestAccKeycloakSamlClient_updateInPlace(t *testing.T) {
 			ClientSignatureRequired:         &clientSignatureRequired,
 			ForcePostBinding:                randomBoolAsStringPointer(),
 			ForceNameIdFormat:               randomBoolAsStringPointer(),
+			SignatureAlgorithm:              randomStringInSlice(keycloakSamlClientSignatureAlgorithms),
 			NameIdFormat:                    randomStringInSlice(keycloakSamlClientNameIdFormats),
 			EncryptionCertificate:           &encryptionCertificateBefore,
 			SigningCertificate:              &signingCertificateBefore,
@@ -200,6 +201,7 @@ func TestAccKeycloakSamlClient_updateInPlace(t *testing.T) {
 			ClientSignatureRequired:         &clientSignatureRequired,
 			ForcePostBinding:                randomBoolAsStringPointer(),
 			ForceNameIdFormat:               randomBoolAsStringPointer(),
+			SignatureAlgorithm:              randomStringInSlice(keycloakSamlClientSignatureAlgorithms),
 			NameIdFormat:                    randomStringInSlice(keycloakSamlClientNameIdFormats),
 			EncryptionCertificate:           &encryptionCertificateAfter,
 			SigningCertificate:              &signingCertificateAfter,
@@ -559,6 +561,7 @@ resource "keycloak_saml_client" "saml_client" {
 	force_name_id_format       = %s
 
 	front_channel_logout       = %t
+	signature_algorithm        = "%s"
 	name_id_format             = "%s"
 	root_url                   = "%s"
 	valid_redirect_uris        = %s
@@ -590,6 +593,7 @@ resource "keycloak_saml_client" "saml_client" {
 		*client.Attributes.ForcePostBinding,
 		*client.Attributes.ForceNameIdFormat,
 		client.FrontChannelLogout,
+		client.Attributes.SignatureAlgorithm,
 		client.Attributes.NameIdFormat,
 		client.RootUrl,
 		arrayOfStringsForTerraformResource(client.ValidRedirectUris),