3 # ============LICENSE_START===============================================
4 # Copyright (C) 2023 Nordix Foundation. All rights reserved.
5 # ========================================================================
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
17 # ============LICENSE_END=================================================
20 # Script intended to be sourced by other scripts to add functions for the Keycloak REST API
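# The cluster address and the Keycloak proxy NodePort are needed by every
# function below; stop sourcing early instead of issuing each later request
# against an empty host or port. `return` works when this file is sourced
# (its intended use); `exit` is the fallback when it is executed directly.
if [ -z "${KUBERNETESHOST:-}" ]; then
  echo "KUBERNETESHOST is not set" >&2
  return 1 2>/dev/null || exit 1
fi
echo "Cluster ip: $KUBERNETESHOST"
# NodePort of the port named "http" on service keycloak-proxy (namespace
# nonrtric). The requests below use it with no URL scheme, i.e. plain http.
KC_PROXY_PORT=$(kubectl get svc -n nonrtric keycloak-proxy --output jsonpath='{.spec.ports[?(@.name=="http")].nodePort}')
if [ -z "$KC_PROXY_PORT" ]; then
  echo "Could not read the keycloak-proxy NodePort via kubectl" >&2
  return 1 2>/dev/null || exit 1
fi
echo "Nodeport to keycloak proxy: $KC_PROXY_PORT"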
28 echo "Get admin token"
# Retry until the response yields something token-like (at least 20 chars).
# The loop's closing `done`, and any delay between attempts, are not visible
# in this excerpt.
30 while [ "${#ADMIN_TOKEN}" -lt 20 ]; do
# Password grant on the master realm through the proxy NodePort. The URL has
# no scheme, so curl talks plain http: the credentials sent here (the -d
# lines carrying them are not visible in this excerpt) and the returned admin
# bearer token travel in clear unless the proxy terminates TLS in front of
# this — confirm for the deployment.
31 ADMIN_TOKEN=$(curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/realms/master/protocol/openid-connect/token" \
33 -H "Content-Type: application/x-www-form-urlencoded" \
36 -d 'grant_type=password' \
37 -d "client_id=admin-cli" \
38 | jq -r '.access_token')
# On an error body jq prints `null` (or nothing for a non-JSON reply), which is
# shorter than 20 chars and triggers another attempt.
40 if [ "${#ADMIN_TOKEN}" -lt 20 ]; then
41 echo "Could not get admin token, retrying..."
# Echoes the raw value for diagnosis; the matching `fi` is not visible here.
42 echo "Retrieved token: $ADMIN_TOKEN"
# Only a 10-character prefix of the token is logged on success.
45 echo "Admin token: ${ADMIN_TOKEN:0:10}..."
# Live admin bearer token persisted for other scripts. The file is created in
# the current directory with the caller's umask, so it may be readable by
# other local users; create it under umask 077 (or chmod 600 it) where that
# matters.
46 echo $ADMIN_TOKEN > .admin_token
# Shell-uptime stamp; __check_admin_token compares it against $SECONDS.
47 __ADM_TOKEN_TS=$SECONDS
#######################################
# Age check for the cached admin token: compares the shell's $SECONDS with the
# stamp taken when the token was fetched (__ADM_TOKEN_TS). Only the 15 s
# threshold is visible here; what the then-branch does (presumably re-fetch
# the token) is not — confirm against the full file.
# Globals: __ADM_TOKEN_TS (read), __diff (written; not declared local)
#######################################
50 __check_admin_token() {
# Seconds elapsed since the admin token was obtained.
51 __diff=$(($SECONDS-$__ADM_TOKEN_TS))
52 if [ $__diff -gt 15 ]; then
# Filter: prefix every line read from stdin with one space.
indent1() {
  sed -e 's/\(.*\)/ \1/'
}
# Filter: prefix every line read from stdin with one space (same as indent1
# as shown on this page).
indent2() {
  sed -e 's/\(.*\)/ \1/'
}
# Fragment of a JWT-decoding helper (its function header is not in this
# excerpt): splits the token in $1 on '.', base64-decodes the header and
# payload segments and pretty-prints them as JSON.
# NOTE(review): JWT segments are base64url-encoded while jq's @base64d
# expects the standard alphabet, so segments containing '-' or '_' may fail
# to decode with some jq versions — verify with the jq in use.
63 echo "Decoding access_token"
64 echo $1 | jq -R 'split(".") | .[0,1] | @base64d | fromjson'
# Fragment of a second helper (header not visible): same decode, but $1 is the
# whole JSON token response and .access_token is extracted first.
69 echo $1 | jq -r .access_token | jq -R 'split(".") | .[0,1] | @base64d | fromjson'
# Fragment of a realm-listing helper (header not visible): prints the id of
# every realm, indented. curl runs without -f, so an auth failure returns a
# JSON object instead of an array and jq's `.[].id` errors out rather than
# the HTTP status being reported.
73 echo "Listing all realms"
76 curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms" \
77 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
78 | jq -r '.[].id' | indent2
# Fragment of a realm-deletion helper (header, the enclosing loop and the
# status test are not visible): $realm presumably comes from a loop over the
# arguments. curl runs without -f, so a non-2xx reply does not make the
# command fail and would be reported as OK.
83 echo "Attempt to delete realm: $realm"
86 curl -s -X DELETE "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$realm" \
87 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
91 echo "Command failed, delete_realms"
94 echo " OK, delete_realms"
# Fragment of create_realms (header, heredoc terminator, the curl body lines
# and the loop end are not visible). One realm is created per argument.
99 echo "Creating realms: $@"
100 while [ $# -gt 0 ]; do
101 echo " Attempt to create realm: $1"
# Template written with a quoted heredoc delimiter, so $__realm_name stays
# literal here and is substituted by envsubst below (which is why the
# variable is exported). .jsonfile1/.jsonfile2 are fixed names in the current
# directory, shared by the other functions in this file.
103 cat > .jsonfile1 <<- "EOF"
105 "realm":"$__realm_name",
109 export __realm_name=$1
110 envsubst < .jsonfile1 > .jsonfile2
# curl runs without -f, so a 4xx/5xx reply (e.g. a conflict for an existing
# realm) still exits 0; the status test below only catches transport-level
# failures.
111 curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms" \
112 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
113 -H "Content-Type: application/json" \
117 if [ $? -ne 0 ]; then
118 echo "Command failed, create_realms"
121 echo " OK, create_realms"
# Fragment of create_clients (header and the lines assigning __realm are not
# visible). One client is created per remaining argument.
129 echo "Attempt to create clients $@ for realm: $__realm"
# Template for a confidential client (publicClient=false) with a service
# account enabled, i.e. one that can use the client-credentials grant used
# further down in this file; rootUrl/adminUrl are example.com placeholders.
# $__client_name is filled in by envsubst on each iteration.
131 cat > .jsonfile1 <<- "EOF"
133 "clientId":"$__client_name",
134 "publicClient": false,
135 "serviceAccountsEnabled": true,
136 "rootUrl":"https://example.com/example/",
137 "adminUrl":"https://example.com/example/"
140 while [ $# -gt 0 ]; do
141 echo " Creating client: $1"
143 export __client_name=$1
144 envsubst < .jsonfile1 > .jsonfile2
# curl without -f: an HTTP error reply still exits 0 and is reported as OK.
146 curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients" \
147 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
148 -H "Content-Type: application/json" \
152 if [ $? -ne 0 ]; then
153 echo "Command failed, create_clients"
156 echo " OK, create_clients"
# Fragment of __get_client_id <realm-name> <client-name> (header and the
# error/return lines are not visible): resolves the internal client id by
# clientId lookup; the first match's id is presumably echoed by a line not
# shown here.
# NOTE(review): $1/$2 are interpolated unquoted into the URL, and curl runs
# without -f, so an HTTP error reply is not detected by the status test.
162 __client_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients?clientId=$2" \
163 -H "Authorization: Bearer ${ADMIN_TOKEN}" )
165 if [ $? -ne 0 ]; then
# First element of the returned array; an empty array (no match) yields "null".
168 __client_id=$(echo $__client_data | jq -r '.[0].id')
#######################################
# generate_client_secrets <realm-name> [<client-name>]+
# For each client: look up its id, POST a new client secret, GET it back,
# print it and write it to ".sec_<realm>_<client>" in the current directory.
# The lines assigning __realm from $1, the shifts, the error-branch ends and
# the loop/function ends are not visible in this excerpt. All variables are
# globals (no `local`).
#######################################
173 generate_client_secrets() {
176 echo "Attempt to generate secret for clients $@ in realm $__realm"
177 while [ $# -gt 0 ]; do
179 __client_id=$(__get_client_id $__realm $1)
# $? is the exit status of the __get_client_id command substitution.
180 if [ $? -ne 0 ]; then
181 echo "Command failed, generate_client_secrets, __get_client_id"
184 echo " Client id for client $1 in realm $__realm: "$__client_id | indent1
185 echo " Creating secret"
# POST presumably regenerates the secret, so any previously issued value stops
# working — confirm before running this against a client already in use.
187 __client_secret=$(curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \
188 -H "Authorization: Bearer ${ADMIN_TOKEN}" )
# curl runs without -f, so an HTTP error (e.g. 401/403) still exits 0 and is
# not caught here; only transport failures are. Compare the `-s -f` form used
# further down in this file.
190 if [ $? -ne 0 ]; then
191 echo "Command failed, generate_client_secrets, client_secret POST"
195 __client_secret=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \
196 -H "Authorization: Bearer ${ADMIN_TOKEN}" )
198 if [ $? -ne 0 ]; then
199 echo "Command failed, generate_client_secrets, client_secret GET"
203 __client_secret=$(echo $__client_secret | jq -r .value)
# The secret is printed in full to stdout (so it lands in any captured log) ...
204 echo " Client secret for client $1 in realm $__realm: "$__client_secret | indent1
# ... and stored in a dot-file created with the caller's umask; restrict the
# mode (umask 077 / chmod 600) if other local users share this host.
205 echo $__client_secret > ".sec_$__realm""_$1"
206 echo " OK, generate_client_secrets"
#######################################
# create_client_roles <realm-name> <client-name> [<role-name>]+
# Creates one client role per role name on the given client. The lines
# assigning __realm, the heredoc body/terminator, the shift and the
# loop/function ends are not visible in this excerpt.
#######################################
211 create_client_roles() {
212 # <realm-name> <client-name> [<role-name>]+
214 __client_id=$(__get_client_id $1 $2)
215 if [ $? -ne 0 ]; then
216 echo "Command failed, create_client_roles, __get_client_id"
221 while [ $# -gt 0 ]; do
# Role template (contents not visible) filled in by envsubst; .jsonfile1 and
# .jsonfile2 are fixed names in the current directory shared across functions.
223 cat > .jsonfile1 <<- "EOF"
229 envsubst < .jsonfile1 > .jsonfile2
# curl without -f: a 4xx/5xx reply (e.g. role already present) still exits 0.
231 curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/roles" \
232 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
233 -H "Content-Type: application/json" \
237 if [ $? -ne 0 ]; then
238 echo "Command failed, create_client_roles"
#######################################
# __get_service_account_id <realm-name> <client-id>
# Prints (stdout) the user id of the client's service-account user. The
# error branch and closing lines are not visible. curl runs without -f, so
# only transport failures reach the status test; on an HTTP error body jq
# may print "null" instead.
#######################################
245 __get_service_account_id() {
246 # <realm-name> <client-id>
248 __service_account_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients/$2/service-account-user" \
249 -H "Authorization: Bearer ${ADMIN_TOKEN}" )
251 if [ $? -ne 0 ]; then
255 __service_account_id=$(echo $__service_account_data | jq -r '.id')
256 echo $__service_account_id
#######################################
# __get_client_available_role_id <realm-name> <service-account-id> <client-id> <client-role-name>
# Prints (stdout) the id of the named client role among those not yet mapped
# to the service-account user. The error branch and closing lines are not
# visible. curl runs without -f, so an HTTP error reply is not detected here.
#######################################
260 __get_client_available_role_id() {
261 # <realm-name> <service-account-id> <client-id> <client-role-name>
263 __client_role_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/users/$2/role-mappings/clients/$3/available" \
264 -H "Authorization: Bearer ${ADMIN_TOKEN}" )
266 if [ $? -ne 0 ]; then
# The role name is spliced into the jq program text, so a name containing a
# double quote or jq syntax changes the filter; `jq -r --arg n "$4"
# '.[] | select(.name==$n) | .id'` keeps it as data. No match prints an empty
# line, which the callers then embed as "id":"".
269 __client_role_id=$(echo $__client_role_data | jq -r '.[] | select(.name=="'$4'") | .id ')
270 echo $__client_role_id
#######################################
# __get_client_mapped_role_id <realm-name> <service-account-id> <client-id> <client-role-name>
# Prints (stdout) the id of the named client role among those currently
# mapped to the service-account user. The error branch and closing lines are
# not visible. curl runs without -f, so an HTTP error reply is not detected.
#######################################
274 __get_client_mapped_role_id() {
275 # <realm-name> <service-account-id> <client-id> <client-role-name>
277 __client_role_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/users/$2/role-mappings/clients/$3" \
278 -H "Authorization: Bearer ${ADMIN_TOKEN}" )
280 if [ $? -ne 0 ]; then
# Same string-spliced jq filter as in __get_client_available_role_id; pass the
# name with `--arg` to keep it as data. No match prints an empty line.
283 __client_role_id=$(echo $__client_role_data | jq -r '.[] | select(.name=="'$4'") | .id ')
284 echo $__client_role_id
#######################################
# add_client_roles_mapping <realm-name> <client-name> [<role-name>]+
# Maps the given client roles onto the client's own service-account user.
# The lines assigning __realm/__client (presumably $1/$2 followed by shifts)
# and initialising __cntr/__all_roles, plus the shift and the loop/function
# ends, are not visible in this excerpt. All variables are globals (no
# `local`). `${@:3}` is a bash-only expansion.
#######################################
288 add_client_roles_mapping() {
289 # <realm-name> <client-name> [<role-name>]+
290 echo "Attempt to add roles ${@:3} to client $2 in realm $1"
294 __client_id=$(__get_client_id $__realm $__client)
295 if [ $? -ne 0 ]; then
296 echo "Command failed, add_client_roles_mapping, __get_client_id"
299 echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
300 __service_account_id=$(__get_service_account_id $__realm $__client_id)
301 if [ $? -ne 0 ]; then
302 echo "Command failed, add_client_roles_mapping, __get_service_account_id"
305 echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1
# Builds a JSON array of role representations in .jsonfile2 (a fixed name in
# the current directory) by string concatenation, one element per remaining
# argument; __cntr separates the first element from the rest.
311 while [ $# -gt 0 ]; do
312 if [ $__cntr -eq 0 ]; then
313 echo "[" > .jsonfile2
315 __client_role_id=$(__get_client_available_role_id $__realm $__service_account_id $__client_id $1)
316 if [ $? -ne 0 ]; then
317 echo "Command failed, add_client_roles_mapping, __get_client_available_role_id"
320 #echo "CLIENT ROLE ID $1 "$__client_role_id
321 #echo " Role id for role $1 and client $__client in realm $__realm: "$__client_role_id | indent1
# Hand-built JSON: a role name containing a double quote breaks it, and an
# empty lookup result above is silently written as "id":"". `jq -n --arg`
# would produce the element safely.
322 __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}'
323 if [ $__cntr -gt 0 ]; then
324 echo "," >> .jsonfile2
326 echo $__role >> .jsonfile2
331 echo "]" >> .jsonfile2
332 echo " Adding roles $__all_roles to client $__client in realm $__realm"
# curl without -f: an HTTP error reply still exits 0 and is reported as OK.
334 curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" \
335 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
336 -H "Content-Type: application/json" \
340 if [ $? -ne 0 ]; then
341 echo "Command failed, add_client_roles_mapping, adding roles"
344 echo " OK, add_client_roles_mapping"
#######################################
# remove_client_roles_mapping <realm-name> <client-name> [<role-name>]+
# Mirror of add_client_roles_mapping: removes the given client roles from the
# client's service-account user. The lines assigning __realm/__client and
# initialising __cntr/__all_roles, plus the shift and the loop/function ends,
# are not visible in this excerpt. All variables are globals (no `local`).
# (The first message below says "removed" where "remove" is meant; it is
# program output and left as is here.)
#######################################
349 remove_client_roles_mapping() {
350 # <realm-name> <client-name> [<role-name>]+
351 echo "Attempt to removed roles ${@:3} from client $2 in realm $1"
355 __client_id=$(__get_client_id $__realm $__client)
356 if [ $? -ne 0 ]; then
357 echo "Command failed, remove_client_roles_mapping, __get_client_id"
360 echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
361 __service_account_id=$(__get_service_account_id $__realm $__client_id)
362 if [ $? -ne 0 ]; then
363 echo "Command failed, remove_client_roles_mapping, __get_service_account_id"
366 echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1
# Builds the JSON array of role representations in .jsonfile2 by string
# concatenation, one element per remaining argument, using the ids of the
# roles currently mapped.
370 while [ $# -gt 0 ]; do
371 if [ $__cntr -eq 0 ]; then
372 echo "[" > .jsonfile2
374 __client_role_id=$(__get_client_mapped_role_id $__realm $__service_account_id $__client_id $1)
375 if [ $? -ne 0 ]; then
376 echo "Command failed, remove_client_roles_mapping, __get_client_mapped_role_id"
379 #echo "CLIENT ROLE ID $1 "$__client_role_id
380 #echo " Role id for role $1 and client $__client in realm $__realm: "$__client_role_id | indent1
# Hand-built JSON, same caveats as in add_client_roles_mapping (quotes in the
# name, empty id on a failed lookup).
381 __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}'
382 if [ $__cntr -gt 0 ]; then
383 echo "," >> .jsonfile2
385 echo $__role >> .jsonfile2
389 echo "]" >> .jsonfile2
390 echo " Removing roles $__all_roles from client $__client in realm $__realm"
# curl without -f: an HTTP error reply still exits 0 and is reported as OK.
392 curl -s -X DELETE "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" \
393 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
394 -H "Content-Type: application/json" \
398 if [ $? -ne 0 ]; then
399 echo "Command failed, remove_client_roles_mapping, delete"
402 echo " OK, remove client roles mapping"
#######################################
# add_client_hardcoded-claim-mapper <realm-name> <client-name> <mapper-name> <claim-name> <claim-value>
# Adds an oidc-hardcoded-claim-mapper to the client so that the tokens it
# issues carry <claim-name>=<claim-value> (id, access and userinfo tokens,
# per the *.token.claim flags in the template). The lines assigning
# __realm/__client and several closing lines are not visible in this excerpt.
# NOTE: a '-' in a function name is accepted by bash but is not POSIX sh.
#######################################
405 add_client_hardcoded-claim-mapper() {
406 # <realm-name> <client-name> <mapper-name> <claim-name> <claim-value>
# Exported so envsubst can fill the template below.
410 export __mapper_name=$3
411 export __claim_name=$4
412 export __claim_value=$5
414 __client_id=$(__get_client_id $__realm $__client)
415 if [ $? -ne 0 ]; then
# NOTE(review): $? here is the exit status of the `[ ... ]` test just
# evaluated (always 0), not the failed lookup; capture the status into a
# variable before testing it if it is to be printed.
416 echo " Fatal error when getting client id, response: "$?
# Mapper template (quoted heredoc delimiter, so the $__... references stay
# literal until envsubst runs).
419 cat > .jsonfile1 <<- "EOF"
421 "name": "$__mapper_name",
422 "protocol": "openid-connect",
423 "protocolMapper": "oidc-hardcoded-claim-mapper",
424 "consentRequired": false,
426 "claim.value": "$__claim_value",
427 "userinfo.token.claim": "true",
428 "id.token.claim": "true",
429 "access.token.claim": "true",
430 "claim.name": "$__claim_name",
431 "access.tokenResponse.claim": "false"
435 envsubst < .jsonfile1 > .jsonfile2
# NOTE(review): the realm in this URL is the literal nonrtric-realm although
# the client id above was resolved in $__realm; for any other realm the POST
# targets a client id that does not exist there. Presumably $__realm was
# intended — confirm. curl also runs without -f, so an HTTP error reply is
# reported as OK.
437 curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/nonrtric-realm/clients/"$__client_id"/protocol-mappers/models" \
438 -H "Authorization: Bearer ${ADMIN_TOKEN}" \
439 -H "Content-Type: application/json" \
443 if [ $? -ne 0 ]; then
444 echo "Command failed, add_client_hardcoded-claim-mapper"
449 echo " OK, add_client_hardcoded-claim-mapper"
# Fragment of a client-token helper (the function header and the error-branch
# closing lines are not visible): resolves the client id, reads the client's
# current secret with the admin token, then obtains an access token for the
# client with the client-credentials grant and prints it. __realm/__client
# are presumably set from $1/$2 on lines not shown here.
453 # args: <realm-name> <client-name>
458 __client_id=$(__get_client_id $__realm $__client)
459 if [ $? -ne 0 ]; then
# NOTE(review): $? here is the status of the `[ ... ]` test (always 0), not
# the failed lookup — the same applies to the two error messages below.
460 echo " Fatal error when getting client id, response: "$?
463 #echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
# Unlike the other functions in this file, -f is used here, so an HTTP error
# reply does make curl fail and reach the status test.
465 __client_secret=$(curl -s -f -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \
466 -H "Authorization: Bearer ${ADMIN_TOKEN}" )
468 if [ $? -ne 0 ]; then
469 echo " Fatal error when getting client secret, response: "$?
473 __client_secret=$(echo $__client_secret | jq -r .value)
# Client-credentials grant over plain http (no URL scheme). The client secret
# is passed on curl's command line, so it is visible to other local users in
# process listings for the duration of the call; feeding the body from stdin
# (`-d @-`) or a `-K` config file keeps it out of argv.
475 __TMP_TOKEN=$(curl -s -f -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/realms/$__realm/protocol/openid-connect/token" \
476 -H Content-Type:application/x-www-form-urlencoded \
477 -d client_id="$__client" -d client_secret="$__client_secret" -d grant_type=client_credentials)
479 if [ $? -ne 0 ]; then
480 echo " Fatal error when getting client token, response: "$?
# The access token is the function's output (stdout) for the caller to capture.
484 echo $__TMP_TOKEN| jq -r .access_token