3 # ============LICENSE_START===============================================
4 # Copyright (C) 2023 Nordix Foundation. All rights reserved.
5 # ========================================================================
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
17 # ============LICENSE_END=================================================
20 # Script intended to be sourced by other scripts; it adds helper functions for the Keycloak REST API
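# Base URL of the Keycloak instance every helper function below talks to.
# It is a fixed local address; change this line to point at another instance.
KC_URL=http://localhost:8462
# Quote the expansion (the original left $KC_URL outside the quotes, SC2086)
# and use printf so the message is printed verbatim regardless of echo flags.
printf 'Keycloak url: %s\n' "$KC_URL"
printf '%s\n' "Get admin token"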
28 while [ "${#ADMIN_TOKEN}" -lt 20 ]; do
29 ADMIN_TOKEN=$(curl -s -X POST --max-time 2 "$KC_URL/realms/master/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin" -d "password=admin" -d 'grant_type=password' -d "client_id=admin-cli" | jq -r '.access_token')
30 if [ "${#ADMIN_TOKEN}" -lt 20 ]; then
31 echo "Could not get admin token, retrying..."
32 echo "Retrieved token: $ADMIN_TOKEN"
35 echo "Admin token: ${ADMIN_TOKEN:0:10}..."
36 echo $ADMIN_TOKEN > .admin_token
37 __ADM_TOKEN_TS=$SECONDS
40 __check_admin_token() {
41 __diff=$(($SECONDS-$__ADM_TOKEN_TS))
42 if [ $__diff -gt 15 ]; then
# Log-indent filter: reads stdin and emits each line prefixed with one space,
# so command output nests under the surrounding status message.
indent1() { sed -e 's/^/ /'; }
# Second log-indent filter, same contract as indent1: every stdin line is
# written out with a leading space (the page shows a single space here).
indent2() { sed -e 's/^/ /'; }
53 echo "Decoding access_token"
54 echo $1 | jq -R 'split(".") | .[0,1] | @base64d | fromjson'
59 echo $1 | jq -r .access_token | jq -R 'split(".") | .[0,1] | @base64d | fromjson'
63 echo "Listing all realms"
67 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
68 "$KC_URL/admin/realms" | jq -r '.[].id' | indent2
73 echo "Attempt to delete realm: $realm"
77 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
78 "$KC_URL/admin/realms/$realm" | indent1
88 echo "Creating realms: $@"
89 while [ $# -gt 0 ]; do
90 echo " Attempt to create realm: $1"
92 cat > .jsonfile1 <<- "EOF"
94 "realm":"$__realm_name",
98 export __realm_name=$1
99 envsubst < .jsonfile1 > .jsonfile2
102 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
103 -H "Content-Type: application/json" \
105 "$KC_URL/admin/realms" | indent2
106 if [ $? -ne 0 ]; then
107 echo "Command failed"
118 echo "Attempt to create clients $@ for realm: $__realm"
120 cat > .jsonfile1 <<- "EOF"
122 "clientId":"$__client_name",
123 "publicClient": false,
124 "serviceAccountsEnabled": true,
125 "rootUrl":"https://example.com/example/",
126 "adminUrl":"https://example.com/example/"
129 while [ $# -gt 0 ]; do
130 echo " Creating client: $1"
132 export __client_name=$1
133 envsubst < .jsonfile1 > .jsonfile2
136 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
137 -H "Content-Type: application/json" \
139 "$KC_URL/admin/realms/$__realm/clients" | indent1
140 if [ $? -ne 0 ]; then
141 echo "Command failed"
150 __client_data=$(curl -s \
152 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
153 "$KC_URL/admin/realms/$1/clients?clientId=$2")
154 if [ $? -ne 0 ]; then
157 __client_id=$(echo $__client_data | jq -r '.[0].id')
162 generate_client_secrets() {
165 echo "Attempt to generate secret for clients $@ in realm $__realm"
166 while [ $# -gt 0 ]; do
168 __client_id=$(__get_client_id $__realm $1)
169 if [ $? -ne 0 ]; then
170 echo "Command failed"
173 echo " Client id for client $1 in realm $__realm: "$__client_id | indent1
174 echo " Creating secret"
175 __client_secret=$(curl -s \
177 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
178 "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
179 if [ $? -ne 0 ]; then
180 echo "Command failed"
183 __client_secret=$(curl -s \
185 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
186 "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
187 if [ $? -ne 0 ]; then
188 echo "Command failed"
191 __client_secret=$(echo $__client_secret | jq -r .value)
192 echo " Client secret for client $1 in realm $__realm: "$__client_secret | indent1
193 echo $__client_secret > ".sec_$__realm""_$1"
199 create_client_roles() {
200 # <realm-name> <client-name> [<role-name>]+
202 __client_id=$(__get_client_id $1 $2)
203 if [ $? -ne 0 ]; then
204 echo "Command failed"
209 while [ $# -gt 0 ]; do
211 cat > .jsonfile1 <<- "EOF"
217 envsubst < .jsonfile1 > .jsonfile2
220 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
221 -H "Content-Type: application/json" \
223 "$KC_URL/admin/realms/$__realm/clients/$__client_id/roles" | indent1
224 if [ $? -ne 0 ]; then
225 echo "Command failed"
232 __get_service_account_id() {
233 # <realm-name> <client-id>
234 __service_account_data=$(curl -s \
236 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
237 "$KC_URL/admin/realms/$1/clients/$2/service-account-user")
238 if [ $? -ne 0 ]; then
241 __service_account_id=$(echo $__service_account_data | jq -r '.id')
242 echo $__service_account_id
246 __get_client_available_role_id() {
247 # <realm-name> <service-account-id> <client-id> <client-role-name>
248 __client_role_data=$(curl -s \
250 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
251 "$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3/available")
252 if [ $? -ne 0 ]; then
255 #__client_role_id=$(echo $__client_role_data | jq -r '.id')
256 __client_role_id=$(echo $__client_role_data | jq -r '.[] | select(.name=="'$4'") | .id ')
257 echo $__client_role_id
261 __get_client_mapped_role_id() {
262 # <realm-name> <service-account-id> <client-id> <client-role-name>
263 __client_role_data=$(curl -s \
265 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
266 "$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3")
267 if [ $? -ne 0 ]; then
270 #__client_role_id=$(echo $__client_role_data | jq -r '.id')
271 __client_role_id=$(echo $__client_role_data | jq -r '.[] | select(.name=="'$4'") | .id ')
272 echo $__client_role_id
276 add_client_roles_mapping() {
277 # <realm-name> <client-name> [<role-name>]+
278 echo "Attempt to add roles ${@:3} to client $2 in realm $1"
282 __client_id=$(__get_client_id $__realm $__client)
283 if [ $? -ne 0 ]; then
284 echo "Command failed"
287 echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
288 __service_account_id=$(__get_service_account_id $__realm $__client_id)
289 if [ $? -ne 0 ]; then
290 echo "Command failed"
293 echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1
297 while [ $# -gt 0 ]; do
298 if [ $__cntr -eq 0 ]; then
299 echo "[" > .jsonfile2
301 __client_role_id=$(__get_client_available_role_id $__realm $__service_account_id $__client_id $1)
302 if [ $? -ne 0 ]; then
303 echo "Command failed"
307 __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}'
308 if [ $__cntr -gt 0 ]; then
309 echo "," >> .jsonfile2
311 echo $__role >> .jsonfile2
315 echo "]" >> .jsonfile2
316 echo " Adding roles $__all_roles to client $__client in realm $__realm"
320 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
321 -H "Content-Type: application/json" \
323 "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" | indent2
324 if [ $? -ne 0 ]; then
325 echo "Command failed"
333 remove_client_roles_mapping() {
334 # <realm-name> <client-name> [<role-name>]+
335 echo "Attempt to removed roles ${@:3} from client $2 in realm $1"
339 __client_id=$(__get_client_id $__realm $__client)
340 if [ $? -ne 0 ]; then
341 echo "Command failed"
344 echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
345 __service_account_id=$(__get_service_account_id $__realm $__client_id)
346 if [ $? -ne 0 ]; then
347 echo "Command failed"
350 echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1
354 while [ $# -gt 0 ]; do
355 if [ $__cntr -eq 0 ]; then
356 echo "[" > .jsonfile2
358 __client_role_id=$(__get_client_mapped_role_id $__realm $__service_account_id $__client_id $1)
359 if [ $? -ne 0 ]; then
360 echo "Command failed"
364 __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}'
365 if [ $__cntr -gt 0 ]; then
366 echo "," >> .jsonfile2
368 echo $__role >> .jsonfile2
372 echo "]" >> .jsonfile2
373 echo " Removing roles $__all_roles from client $__client in realm $__realm"
377 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
378 -H "Content-Type: application/json" \
380 "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" | indent2
381 if [ $? -ne 0 ]; then
382 echo "Command failed"
388 add_client_hardcoded-claim-mapper() {
389 # <realm-name> <client-name> <mapper-name> <claim-name> <claim-value>
393 export __mapper_name=$3
394 export __claim_name=$4
395 export __claim_value=$5
397 __client_id=$(__get_client_id $__realm $__client)
398 if [ $? -ne 0 ]; then
399 echo " Fatal error when getting client id, response: "$?
402 cat > .jsonfile1 <<- "EOF"
404 "name": "$__mapper_name",
405 "protocol": "openid-connect",
406 "protocolMapper": "oidc-hardcoded-claim-mapper",
407 "consentRequired": false,
409 "claim.value": "$__claim_value",
410 "userinfo.token.claim": "true",
411 "id.token.claim": "true",
412 "access.token.claim": "true",
413 "claim.name": "$__claim_name",
414 "access.tokenResponse.claim": "false"
418 envsubst < .jsonfile1 > .jsonfile2
421 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
422 -H "Content-Type: application/json" \
424 "$KC_URL/admin/realms/nonrtric-realm/clients/"$__client_id"/protocol-mappers/models" | indent2
425 if [ $? -ne 0 ]; then
426 echo "Command failed"
435 # args: <realm-name> <client-name>
440 __client_id=$(__get_client_id $__realm $__client)
441 if [ $? -ne 0 ]; then
442 echo " Fatal error when getting client id, response: "$?
446 __client_secret=$(curl -s -f \
448 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
449 "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
450 if [ $? -ne 0 ]; then
451 echo " Fatal error when getting client secret, response: "$?
455 __client_secret=$(echo $__client_secret | jq -r .value)
457 __TMP_TOKEN=$(curl -s -f -X POST $KC_URL/realms/$__realm/protocol/openid-connect/token \
458 -H Content-Type:application/x-www-form-urlencoded \
459 -d client_id="$__client" -d client_secret="$__client_secret" -d grant_type=client_credentials)
460 if [ $? -ne 0 ]; then
461 echo " Fatal error when getting client token, response: "$?
465 echo $__TMP_TOKEN| jq -r .access_token