NONRTRIC-924: RANPM - remove proxy
[nonrtric/plt/ranpm.git] / install / scripts / populate_keycloak.sh
index 230ac2f..eed5492 100755 (executable)
 
 # Script intended to be sourced by other script to add functions to the keycloak rest API
 
-echo "Cluster ip: $KHOST"
+echo "Cluster ip: $KUBERNETESHOST"
 
-echo "Keycloak nodeport: $KC_PORT"
-
-#KC_URL="http://$KHOST:$KC_PORT"
-KC_URL=http://keycloak.nonrtric:8080
-echo "Keycloak url: "$KC_URL
+KC_PROXY_PORT=$(kubectl get svc -n nonrtric keycloak-proxy --output jsonpath='{.spec.ports[?(@.name=="http")].nodePort}')
+echo "Nodeport to keycloak proxy: "$KC_PROXY_PORT
 
 __get_admin_token() {
     echo "Get admin token"
     ADMIN_TOKEN=""
     while [ "${#ADMIN_TOKEN}" -lt 20 ]; do
-        ADMIN_TOKEN=$(curl --proxy localhost:31784 -s -X POST --max-time 2     "$KC_URL/realms/master/protocol/openid-connect/token"     -H "Content-Type: application/x-www-form-urlencoded"     -d "username=admin" -d "password=admin" -d 'grant_type=password' -d "client_id=admin-cli"  |  jq -r '.access_token')
+        ADMIN_TOKEN=$(curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/realms/master/protocol/openid-connect/token" \
+            --max-time 2 \
+            -H "Content-Type: application/x-www-form-urlencoded" \
+            -d "username=admin" \
+            -d "password=admin" \
+            -d 'grant_type=password' \
+            -d "client_id=admin-cli" \
+            | jq -r '.access_token')
+
         if [ "${#ADMIN_TOKEN}" -lt 20 ]; then
             echo "Could not get admin token, retrying..."
             echo "Retrieved token: $ADMIN_TOKEN"
@@ -57,7 +62,6 @@ indent2() { sed 's/^/  /'; }
 decode_token() {
     echo "Decoding access_token"
     echo $1 | jq -R 'split(".") | .[0,1] | @base64d | fromjson'
-    #echo $1 | jq -r .access_token | jq -R 'split(".") | .[1] | @base64d | fromjson'
 }
 
 decode_jwt() {
@@ -67,24 +71,27 @@ decode_jwt() {
 
 list_realms() {
     echo "Listing all realms"
-    curl --proxy localhost:31784 -s \
-        -X GET \
+    __check_admin_token
+
+    curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms" \
         -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        "$KC_URL/admin/realms" | jq -r '.[].id' | indent2
+        | jq -r '.[].id' | indent2
 }
 delete_realms() {
     echo "$@"
     for realm in "$@"; do
         echo "Attempt to delete realm: $realm"
-        curl --proxy localhost:31784 -s \
-        -X DELETE \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        "$KC_URL/admin/realms/$realm" | indent1
+        __check_admin_token
+
+        curl -s -X DELETE "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$realm" \
+            -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+        | indent1
+
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, delete_realms"
             exit 1
         fi
-        echo " OK"
+        echo " OK, delete_realms"
     done
 }
 
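Review bot: The `if [ $? -ne 0 ]` on L70 tests the exit status of `indent1`, the last stage of the pipeline, not the rewritten curl on L66, and `curl -s` without `-f` exits 0 on an HTTP 4xx/5xx anyway, so a rejected delete still prints " OK, delete_realms". The same pattern is kept in the create_realms, create_clients, create_client_roles, add_client_roles_mapping, remove_client_roles_mapping and add_client_hardcoded-claim-mapper hunks. The smallest fix is to add `-f` to each curl and turn on `set -o pipefail` near the top of the file; alternatively capture the response first, `__out=$(curl -sf -X DELETE "...") || { echo "Command failed, delete_realms"; exit 1; }`, then `printf '%s\n' "$__out" | indent1`. `__check_admin_token`, called on L49 and L64, is defined outside this hunk, so whether it refreshes an expired token before these calls cannot be confirmed here.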
@@ -92,7 +99,7 @@ create_realms() {
     echo "Creating realms: $@"
     while [ $# -gt 0 ]; do
         echo " Attempt to create realm: $1"
-
+        __check_admin_token
 cat > .jsonfile1 <<- "EOF"
 {
 "realm":"$__realm_name",
@@ -101,17 +108,17 @@ cat > .jsonfile1 <<- "EOF"
 EOF
         export __realm_name=$1
         envsubst < .jsonfile1 > .jsonfile2
-        curl --proxy localhost:31784 -s \
-        -X POST \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        -H "Content-Type: application/json" \
-        -d @".jsonfile2" \
-        "$KC_URL/admin/realms" | indent2
+        curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms" \
+            -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d @".jsonfile2" \
+        | indent2
+
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, create_realms"
             exit 1
         fi
-        echo "  OK"
+        echo "  OK, create_realms"
         shift
     done
 }
@@ -120,7 +127,6 @@ create_clients() {
     __realm=$1
     shift
     echo "Attempt to create clients $@ for realm: $__realm"
-    __check_admin_token
 
 cat > .jsonfile1 <<- "EOF"
 {
@@ -133,28 +139,29 @@ cat > .jsonfile1 <<- "EOF"
 EOF
     while [ $# -gt 0 ]; do
         echo " Creating client: $1"
+        __check_admin_token
         export __client_name=$1
         envsubst < .jsonfile1 > .jsonfile2
-        curl --proxy localhost:31784 -s \
-        -X POST \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        -H "Content-Type: application/json" \
-        -d @".jsonfile2" \
-        "$KC_URL/admin/realms/$__realm/clients" | indent1
+
+        curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients" \
+            -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d @".jsonfile2" \
+        | indent1
+
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, create_clients"
             exit 1
         fi
-        echo " OK"
+        echo " OK, create_clients"
         shift
     done
 }
 
 __get_client_id() {
-    __client_data=$(curl --proxy localhost:31784 -s \
-        -X GET \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        "$KC_URL/admin/realms/$1/clients?clientId=$2")
+    __client_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients?clientId=$2" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" )
+
     if [ $? -ne 0 ]; then
         return 1
     fi
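Review bot: The curl on L159 has no `-f`, so when Keycloak answers 401 (expired admin token) or 404 the error JSON is captured into `__client_data` with exit status 0 and the `return 1` on L163 never fires; the caller then works with an empty or "null" client id. Since the command substitution does propagate curl's own status, `curl -s -f -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients?clientId=$2"` is enough here. The same applies to the helper lookups in __get_service_account_id, __get_client_available_role_id and __get_client_mapped_role_id in the later hunks. `__get_client_id` continues past the end of this hunk.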
@@ -167,44 +174,46 @@ generate_client_secrets() {
     __realm=$1
     shift
     echo "Attempt to generate secret for clients $@ in realm $__realm"
-    __check_admin_token
     while [ $# -gt 0 ]; do
+        __check_admin_token
         __client_id=$(__get_client_id $__realm $1)
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, generate_client_secrets, __get_client_id"
             exit 1
         fi
         echo " Client id for client $1 in realm $__realm: "$__client_id | indent1
         echo "  Creating secret"
-        __client_secret=$(curl --proxy localhost:31784 -s \
-                -X POST \
-                -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-                "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
+
+        __client_secret=$(curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \
+                -H "Authorization: Bearer ${ADMIN_TOKEN}" )
+
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, generate_client_secrets, client_secret POST"
             exit 1
         fi
-        __client_secret=$(curl --proxy localhost:31784 -s \
-                -X GET \
-                -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-                "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
+
+        __client_secret=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \
+                -H "Authorization: Bearer ${ADMIN_TOKEN}" )
+
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, generate_client_secrets, client_secret GET"
             exit 1
         fi
+
         __client_secret=$(echo $__client_secret | jq -r .value)
         echo "  Client secret for client $1 in realm $__realm: "$__client_secret | indent1
         echo $__client_secret > ".sec_$__realm""_$1"
-        echo "   OK"
+        echo "   OK, generate_client_secrets"
         shift
     done
 }
 
 create_client_roles() {
     # <realm-name> <client-name> [<role-name>]+
+    __check_admin_token
     __client_id=$(__get_client_id $1 $2)
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, create_client_roles, __get_client_id"
         exit 1
     fi
     __realm=$1
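Review bot: The newly generated client secret is written on L209 with `echo $__client_secret > ".sec_$__realm""_$1"` under the process's default umask, and L208 also prints its value to stdout, so it lands in any captured install log; this commit reworks the surrounding calls but leaves both as they were. I would create the file with restricted permissions, `( umask 077; printf '%s\n' "$__client_secret" > ".sec_${__realm}_$1" )`, and drop the secret value from the L208 message, reporting only that it was created. Note that `-f` is also missing from the POST/GET on L185 and L198, so an HTTP error body would be parsed by `jq -r .value` on L207 and stored as "null".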
@@ -218,14 +227,15 @@ cat > .jsonfile1 <<- "EOF"
 EOF
         export __role=$1
         envsubst < .jsonfile1 > .jsonfile2
-        curl --proxy localhost:31784 -s \
-        -X POST \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        -H "Content-Type: application/json" \
-        -d @".jsonfile2" \
-        "$KC_URL/admin/realms/$__realm/clients/$__client_id/roles" | indent1
+
+        curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/roles" \
+            -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d @".jsonfile2" \
+        | indent1
+
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, create_client_roles"
             exit 1
         fi
         shift
@@ -234,32 +244,28 @@ EOF
 
 __get_service_account_id() {
     # <realm-name> <client-id>
-    __service_account_data=$(curl --proxy localhost:31784 -s \
-        -X GET \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        "$KC_URL/admin/realms/$1/clients/$2/service-account-user")
+
+    __service_account_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients/$2/service-account-user" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" )
+
     if [ $? -ne 0 ]; then
         return 1
     fi
+
     __service_account_id=$(echo $__service_account_data |  jq -r '.id')
     echo $__service_account_id
     return 0
 }
 
-#     curl --proxy localhost:31784 -s \
-#     -X GET \
-#     -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-#     "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id/available"
 __get_client_available_role_id() {
     # <realm-name> <service-account-id> <client-id> <client-role-name>
-    __client_role_data=$(curl --proxy localhost:31784 -s \
-        -X GET \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        "$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3/available")
+
+    __client_role_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/users/$2/role-mappings/clients/$3/available" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" )
+
     if [ $? -ne 0 ]; then
         return 1
     fi
-    #__client_role_id=$(echo $__client_role_data |  jq -r '.id')
     __client_role_id=$(echo $__client_role_data | jq  -r '.[] | select(.name=="'$4'") | .id ')
     echo $__client_role_id
     return 0
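Review bot: On L288 the role name `$4` is spliced unquoted into the jq program, `select(.name=="'$4'")`, so a name containing a double quote, a backslash or whitespace breaks or rewrites the filter instead of being matched literally. Pass it as a jq variable: `__client_role_id=$(echo $__client_role_data | jq -r --arg n "$4" '.[] | select(.name==$n) | .id')`. The identical construction on L307 in __get_client_mapped_role_id needs the same change. The new curl on L281 (and L258) is again missing `-f`, so the `return 1` on L285 only covers transport failures, not HTTP errors.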
@@ -267,14 +273,13 @@ __get_client_available_role_id() {
 
 __get_client_mapped_role_id() {
     # <realm-name> <service-account-id> <client-id> <client-role-name>
-    __client_role_data=$(curl --proxy localhost:31784 -s \
-        -X GET \
-        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-        "$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3")
+
+    __client_role_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/users/$2/role-mappings/clients/$3" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" )
+
     if [ $? -ne 0 ]; then
         return 1
     fi
-    #__client_role_id=$(echo $__client_role_data |  jq -r '.id')
     __client_role_id=$(echo $__client_role_data | jq  -r '.[] | select(.name=="'$4'") | .id ')
     echo $__client_role_id
     return 0
@@ -283,30 +288,33 @@ __get_client_mapped_role_id() {
 add_client_roles_mapping()  {
     # <realm-name> <client-name> [<role-name>]+
     echo "Attempt to add roles ${@:3} to client $2 in realm $1"
+    __check_admin_token
     __realm=$1
     __client=$2
     __client_id=$(__get_client_id $__realm $__client)
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, add_client_roles_mapping, __get_client_id"
         exit 1
     fi
     echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
     __service_account_id=$(__get_service_account_id $__realm $__client_id)
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, add_client_roles_mapping, __get_service_account_id"
         exit 1
     fi
     echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1
     shift; shift
+
     __cntr=0
     __all_roles=$@
+
     while [ $# -gt 0 ]; do
         if [ $__cntr -eq 0 ]; then
             echo "[" > .jsonfile2
         fi
         __client_role_id=$(__get_client_available_role_id $__realm $__service_account_id $__client_id $1)
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, add_client_roles_mapping, __get_client_available_role_id"
             exit 1
         fi
         #echo "CLIENT ROLE ID $1 "$__client_role_id
@@ -319,20 +327,21 @@ add_client_roles_mapping()  {
         let __cntr=__cntr+1
         shift
     done
+
     echo "]" >> .jsonfile2
     echo "  Adding roles $__all_roles to client $__client in realm $__realm"
 
-    curl --proxy localhost:31784 -s \
-    -X POST \
-    -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-    -H "Content-Type: application/json" \
-    -d @".jsonfile2" \
-    "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" | indent2
+    curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @".jsonfile2" \
+    | indent2
+
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, add_client_roles_mapping, adding roles"
         exit 1
     fi
-    echo "  OK"
+    echo "  OK, add_client_roles_mapping"
 }
 
 
@@ -340,17 +349,18 @@ add_client_roles_mapping()  {
 remove_client_roles_mapping()  {
     # <realm-name> <client-name> [<role-name>]+
     echo "Attempt to removed roles ${@:3} from client $2 in realm $1"
+    __check_admin_token
     __realm=$1
     __client=$2
     __client_id=$(__get_client_id $__realm $__client)
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, remove_client_roles_mapping, __get_client_id"
         exit 1
     fi
     echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
     __service_account_id=$(__get_service_account_id $__realm $__client_id)
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, remove_client_roles_mapping, __get_service_account_id"
         exit 1
     fi
     echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1
@@ -363,7 +373,7 @@ remove_client_roles_mapping()  {
         fi
         __client_role_id=$(__get_client_mapped_role_id $__realm $__service_account_id $__client_id $1)
         if [ $? -ne 0 ]; then
-            echo "Command failed"
+            echo "Command failed, remove_client_roles_mapping, __get_client_mapped_role_id"
             exit 1
         fi
         #echo "CLIENT ROLE ID $1 "$__client_role_id
@@ -379,27 +389,28 @@ remove_client_roles_mapping()  {
     echo "]" >> .jsonfile2
     echo "  Removing roles $__all_roles from client $__client in realm $__realm"
 
-    curl --proxy localhost:31784 -s \
-    -X DELETE \
-    -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-    -H "Content-Type: application/json" \
-    -d @".jsonfile2" \
-    "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" | indent2
+    curl -s -X DELETE "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @".jsonfile2" \
+    | indent2
+
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, remove_client_roles_mapping, delete"
         exit 1
     fi
-    echo "  OK"
+    echo "  OK, remove client roles mapping"
 }
 
 add_client_hardcoded-claim-mapper() {
 # <realm-name> <client-name> <mapper-name> <claim-name> <claim-value>
+    __check_admin_token
     __realm=$1
     __client=$2
     export __mapper_name=$3
     export __claim_name=$4
     export __claim_value=$5
-set -x
+
     __client_id=$(__get_client_id $__realm $__client)
     if [ $? -ne 0 ]; then
         echo " Fatal error when getting client id, response: "$?
@@ -422,24 +433,26 @@ set -x
 }
 EOF
     envsubst < .jsonfile1 > .jsonfile2
-    curl --proxy localhost:31784 -s \
-    -X POST \
-    -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-    -H "Content-Type: application/json" \
-    -d @".jsonfile2" \
-    "$KC_URL/admin/realms/nonrtric-realm/clients/"$__client_id"/protocol-mappers/models" | indent2
+
+    curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/nonrtric-realm/clients/"$__client_id"/protocol-mappers/models" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @".jsonfile2" \
+    | indent2
+
     if [ $? -ne 0 ]; then
-        echo "Command failed"
+        echo "Command failed, add_client_hardcoded-claim-mapper"
         exit 1
     fi
     set +x
     cat .jsonfile2
-    echo "  OK"
+    echo "  OK, add_client_hardcoded-claim-mapper"
 }
 
 # Get a client token
 # args: <realm-name> <client-name>
 get_client_token() {
+    __check_admin_token
     __realm=$1
     __client=$2
     __client_id=$(__get_client_id $__realm $__client)
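Review bot: The rewritten URL on L456 hard-codes `nonrtric-realm`, while `__realm=$1` is set at the top of the function and `__client_id` on L442 was looked up in `$__realm`, so for any other realm the mapper is posted to the wrong realm (or to a client id that does not exist there); the old line had the same literal, so this is not introduced here, but the rewrite is the moment to fix it: `curl -s -f -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/protocol-mappers/models" \`. The `set +x` on L467 and the `cat .jsonfile2` on L468 are leftover debug statements now that `set -x` has been removed from this function. As in the other hunks, the `$?` on L462 reflects `indent2`, not curl.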
@@ -449,10 +462,9 @@ get_client_token() {
     fi
     #echo " Client id for client $__client in realm $__realm: "$__client_id | indent1
 
-    __client_secret=$(curl --proxy localhost:31784 -s -f \
-            -X GET \
-            -H "Authorization: Bearer ${ADMIN_TOKEN}" \
-            "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret")
+    __client_secret=$(curl -s -f -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" )
+
     if [ $? -ne 0 ]; then
         echo " Fatal error when getting client secret, response: "$?
         exit 1
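Review bot: The message on L492, `" Fatal error when getting client secret, response: "$?`, expands `$?` inside the `if` body, where it is the exit status of the `[` test and therefore always 0, so the curl status that triggered the branch is never shown. Since the curl on L488 correctly uses `-f`, the status is available and worth keeping: `__rc=$?` on the line after L489, then `if [ $__rc -ne 0 ]; then` and `echo " Fatal error when getting client secret, response: $__rc"`. get_client_token continues outside this hunk.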
@@ -460,9 +472,10 @@ get_client_token() {
 
     __client_secret=$(echo $__client_secret | jq -r .value)
 
-       __TMP_TOKEN=$(curl --proxy localhost:31784 -f -s -X POST $KC_URL/realms/$__realm/protocol/openid-connect/token   \
-                  -H Content-Type:application/x-www-form-urlencoded \
-                  -d client_id="$__client" -d client_secret="$__client_secret" -d grant_type=client_credentials)
+       __TMP_TOKEN=$(curl -s -f -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/realms/$__realm/protocol/openid-connect/token" \
+        -H Content-Type:application/x-www-form-urlencoded \
+        -d client_id="$__client" -d client_secret="$__client_secret" -d grant_type=client_credentials)
+
        if [ $? -ne 0 ]; then
                echo " Fatal error when getting client token, response: "$?
                exit 1