# Script intended to be sourced by other script to add functions to the keycloak rest API
-echo "Cluster ip: $KHOST"
+echo "Cluster ip: $KUBERNETESHOST"
-echo "Keycloak nodeport: $KC_PORT"
-
-#KC_URL="http://$KHOST:$KC_PORT"
KC_URL=http://keycloak.nonrtric:8080
echo "Keycloak url: "$KC_URL
+KC_PROXY_PORT=$(kubectl get svc -n nonrtric keycloak-proxy --output jsonpath='{.spec.ports[?(@.name=="http")].nodePort}')
+echo "Nodeport to keycloak proxy: "$KC_PROXY_PORT
+
__get_admin_token() {
echo "Get admin token"
ADMIN_TOKEN=""
while [ "${#ADMIN_TOKEN}" -lt 20 ]; do
- ADMIN_TOKEN=$(curl --proxy localhost:31784 -s -X POST --max-time 2 "$KC_URL/realms/master/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin" -d "password=admin" -d 'grant_type=password' -d "client_id=admin-cli" | jq -r '.access_token')
+ ADMIN_TOKEN=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s -X POST --max-time 2 "$KC_URL/realms/master/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin" -d "password=admin" -d 'grant_type=password' -d "client_id=admin-cli" | jq -r '.access_token')
if [ "${#ADMIN_TOKEN}" -lt 20 ]; then
echo "Could not get admin token, retrying..."
echo "Retrieved token: $ADMIN_TOKEN"
decode_token() {
echo "Decoding access_token"
echo $1 | jq -R 'split(".") | .[0,1] | @base64d | fromjson'
- #echo $1 | jq -r .access_token | jq -R 'split(".") | .[1] | @base64d | fromjson'
}
decode_jwt() {
list_realms() {
echo "Listing all realms"
- curl --proxy localhost:31784 -s \
+ __check_admin_token
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X GET \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms" | jq -r '.[].id' | indent2
echo "$@"
for realm in "$@"; do
echo "Attempt to delete realm: $realm"
- curl --proxy localhost:31784 -s \
+ __check_admin_token
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X DELETE \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$realm" | indent1
echo "Creating realms: $@"
while [ $# -gt 0 ]; do
echo " Attempt to create realm: $1"
-
+ __check_admin_token
cat > .jsonfile1 <<- "EOF"
{
"realm":"$__realm_name",
EOF
export __realm_name=$1
envsubst < .jsonfile1 > .jsonfile2
- curl --proxy localhost:31784 -s \
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X POST \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
__realm=$1
shift
echo "Attempt to create clients $@ for realm: $__realm"
- __check_admin_token
cat > .jsonfile1 <<- "EOF"
{
EOF
while [ $# -gt 0 ]; do
echo " Creating client: $1"
+ __check_admin_token
export __client_name=$1
envsubst < .jsonfile1 > .jsonfile2
- curl --proxy localhost:31784 -s \
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X POST \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
}
__get_client_id() {
- __client_data=$(curl --proxy localhost:31784 -s \
+ __client_data=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X GET \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$1/clients?clientId=$2")
__realm=$1
shift
echo "Attempt to generate secret for clients $@ in realm $__realm"
- __check_admin_token
while [ $# -gt 0 ]; do
+ __check_admin_token
__client_id=$(__get_client_id $__realm $1)
if [ $? -ne 0 ]; then
echo "Command failed"
fi
echo " Client id for client $1 in realm $__realm: "$__client_id | indent1
echo " Creating secret"
- __client_secret=$(curl --proxy localhost:31784 -s \
+ __client_secret=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X POST \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
echo "Command failed"
exit 1
fi
- __client_secret=$(curl --proxy localhost:31784 -s \
+ __client_secret=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X GET \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
create_client_roles() {
# <realm-name> <client-name> [<role-name>]+
+ __check_admin_token
__client_id=$(__get_client_id $1 $2)
if [ $? -ne 0 ]; then
echo "Command failed"
EOF
export __role=$1
envsubst < .jsonfile1 > .jsonfile2
- curl --proxy localhost:31784 -s \
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X POST \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
__get_service_account_id() {
# <realm-name> <client-id>
- __service_account_data=$(curl --proxy localhost:31784 -s \
+ __service_account_data=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X GET \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$1/clients/$2/service-account-user")
return 0
}
-# curl --proxy localhost:31784 -s \
+# curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
# -X GET \
# -H "Authorization: Bearer ${ADMIN_TOKEN}" \
# "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id/available"
__get_client_available_role_id() {
# <realm-name> <service-account-id> <client-id> <client-role-name>
- __client_role_data=$(curl --proxy localhost:31784 -s \
+ __client_role_data=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X GET \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3/available")
__get_client_mapped_role_id() {
# <realm-name> <service-account-id> <client-id> <client-role-name>
- __client_role_data=$(curl --proxy localhost:31784 -s \
+ __client_role_data=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X GET \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3")
add_client_roles_mapping() {
# <realm-name> <client-name> [<role-name>]+
echo "Attempt to add roles ${@:3} to client $2 in realm $1"
+ __check_admin_token
__realm=$1
__client=$2
__client_id=$(__get_client_id $__realm $__client)
echo "]" >> .jsonfile2
echo " Adding roles $__all_roles to client $__client in realm $__realm"
- curl --proxy localhost:31784 -s \
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X POST \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
remove_client_roles_mapping() {
# <realm-name> <client-name> [<role-name>]+
echo "Attempt to removed roles ${@:3} from client $2 in realm $1"
+ __check_admin_token
__realm=$1
__client=$2
__client_id=$(__get_client_id $__realm $__client)
echo "]" >> .jsonfile2
echo " Removing roles $__all_roles from client $__client in realm $__realm"
- curl --proxy localhost:31784 -s \
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X DELETE \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
add_client_hardcoded-claim-mapper() {
# <realm-name> <client-name> <mapper-name> <claim-name> <claim-value>
+ __check_admin_token
__realm=$1
__client=$2
export __mapper_name=$3
export __claim_name=$4
export __claim_value=$5
-set -x
+
__client_id=$(__get_client_id $__realm $__client)
if [ $? -ne 0 ]; then
echo " Fatal error when getting client id, response: "$?
}
EOF
envsubst < .jsonfile1 > .jsonfile2
- curl --proxy localhost:31784 -s \
+ curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s \
-X POST \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
# Get a client token
# args: <realm-name> <client-name>
get_client_token() {
+ __check_admin_token
__realm=$1
__client=$2
__client_id=$(__get_client_id $__realm $__client)
fi
#echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
- __client_secret=$(curl --proxy localhost:31784 -s -f \
+ __client_secret=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -s -f \
-X GET \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
"$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
__client_secret=$(echo $__client_secret | jq -r .value)
- __TMP_TOKEN=$(curl --proxy localhost:31784 -f -s -X POST $KC_URL/realms/$__realm/protocol/openid-connect/token \
+ __TMP_TOKEN=$(curl --proxy $KUBERNETESHOST:$KC_PROXY_PORT -f -s -X POST $KC_URL/realms/$__realm/protocol/openid-connect/token \
-H Content-Type:application/x-www-form-urlencoded \
-d client_id="$__client" -d client_secret="$__client_secret" -d grant_type=client_credentials)
if [ $? -ne 0 ]; then
Code Review / nonrtric / plt / ranpm.git / blobdiff