X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=install%2Fscripts%2Fpopulate_keycloak.sh;h=eed5492a0acd7b47798ce7c0c51957d098cfd961;hb=41a1c82b8b1b30644c85b90487f013ccc8ff7f92;hp=230ac2ff380b9b2350df83432a7a1412be663135;hpb=d806dbef4f43bb9c631c818e96c1a39e440c5e6c;p=nonrtric%2Fplt%2Franpm.git diff --git a/install/scripts/populate_keycloak.sh b/install/scripts/populate_keycloak.sh index 230ac2f..eed5492 100755 --- a/install/scripts/populate_keycloak.sh +++ b/install/scripts/populate_keycloak.sh @@ -19,19 +19,24 @@ # Script intended to be sourced by other script to add functions to the keycloak rest API -echo "Cluster ip: $KHOST" +echo "Cluster ip: $KUBERNETESHOST" -echo "Keycloak nodeport: $KC_PORT" - -#KC_URL="http://$KHOST:$KC_PORT" -KC_URL=http://keycloak.nonrtric:8080 -echo "Keycloak url: "$KC_URL +KC_PROXY_PORT=$(kubectl get svc -n nonrtric keycloak-proxy --output jsonpath='{.spec.ports[?(@.name=="http")].nodePort}') +echo "Nodeport to keycloak proxy: "$KC_PROXY_PORT __get_admin_token() { echo "Get admin token" ADMIN_TOKEN="" while [ "${#ADMIN_TOKEN}" -lt 20 ]; do - ADMIN_TOKEN=$(curl --proxy localhost:31784 -s -X POST --max-time 2 "$KC_URL/realms/master/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin" -d "password=admin" -d 'grant_type=password' -d "client_id=admin-cli" | jq -r '.access_token') + ADMIN_TOKEN=$(curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/realms/master/protocol/openid-connect/token" \ + --max-time 2 \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "username=admin" \ + -d "password=admin" \ + -d 'grant_type=password' \ + -d "client_id=admin-cli" \ + | jq -r '.access_token') + if [ "${#ADMIN_TOKEN}" -lt 20 ]; then echo "Could not get admin token, retrying..." echo "Retrieved token: $ADMIN_TOKEN" 
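Review bot: The new `KC_PROXY_PORT=$(kubectl get svc ...)` assignment is never checked, so if kubectl fails or the `http` port has no nodePort the variable is empty and every later request goes to `$KUBERNETESHOST:/...`, with only the retry loop's "Could not get admin token" as a symptom. Since this file is sourced, guard it right after the assignment with `[ -n "$KC_PROXY_PORT" ] || { echo "Could not resolve keycloak-proxy nodePort" >&2; return 1; }`. The rewritten token request also carries no scheme in its URL, so curl speaks plain HTTP to the NodePort and the admin password in the form body crosses the network unencrypted; if keycloak-proxy terminates TLS, spell out `https://` explicitly. Finally, `-s` without `-f` means a 4xx reply still exits 0 and `jq` prints `null`, so the `while` loop keeps retrying unless the part of it below this hunk caps the attempts; `__get_admin_token`'s body ends outside the hunk.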
@@ -57,7 +62,6 @@ indent2() { sed 's/^/ /'; } decode_token() { echo "Decoding access_token" echo $1 | jq -R 'split(".") | .[0,1] | @base64d | fromjson' - #echo $1 | jq -r .access_token | jq -R 'split(".") | .[1] | @base64d | fromjson' } decode_jwt() { @@ -67,24 +71,27 @@ decode_jwt() { list_realms() { echo "Listing all realms" - curl --proxy localhost:31784 -s \ - -X GET \ + __check_admin_token + + curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms" \ -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms" | jq -r '.[].id' | indent2 + | jq -r '.[].id' | indent2 } delete_realms() { echo "$@" for realm in "$@"; do echo "Attempt to delete realm: $realm" - curl --proxy localhost:31784 -s \ - -X DELETE \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$realm" | indent1 + __check_admin_token + + curl -s -X DELETE "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$realm" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + | indent1 + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, delete_realms" exit 1 fi - echo " OK" + echo " OK, delete_realms" done } @@ -92,7 +99,7 @@ create_realms() { echo "Creating realms: $@" while [ $# -gt 0 ]; do echo " Attempt to create realm: $1" - + __check_admin_token cat > .jsonfile1 <<- "EOF" { "realm":"$__realm_name", @@ -101,17 +108,17 @@ cat > .jsonfile1 <<- "EOF" EOF export __realm_name=$1 envsubst < .jsonfile1 > .jsonfile2 - curl --proxy localhost:31784 -s \ - -X POST \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @".jsonfile2" \ - "$KC_URL/admin/realms" | indent2 + curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + -H "Content-Type: application/json" \ + -d @".jsonfile2" \ + | indent2 + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, create_realms" exit 1 fi - echo " OK" + echo " OK, create_realms" shift done } 
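Review bot: In the rewritten delete_realms body, `if [ $? -ne 0 ]` follows `curl ... | indent1`, so it tests the exit status of `indent1` (sed) rather than curl, and because `-s` is used without `-f` curl returns 0 on 401/403/404 anyway — "Command failed, delete_realms" is effectively unreachable and an expired admin token still reports OK. Add `-f` to the new curl line and test the first pipeline stage, `if [ "${PIPESTATUS[0]}" -ne 0 ]; then`, or capture the body first and pipe it to `indent1` afterwards. The same pattern is kept in the new curl pipelines of create_realms (this hunk), create_clients, create_client_roles, add_client_roles_mapping, remove_client_roles_mapping and add_client_hardcoded-claim-mapper. `$realm` is also spliced raw into the URL path; it comes from the caller's arguments, so it is fine for fixed names, but a comment `# realm names are used unescaped in the URL path` would make the assumption visible.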
@@ -120,7 +127,6 @@ create_clients() { __realm=$1 shift echo "Attempt to create clients $@ for realm: $__realm" - __check_admin_token cat > .jsonfile1 <<- "EOF" { @@ -133,28 +139,29 @@ cat > .jsonfile1 <<- "EOF" EOF while [ $# -gt 0 ]; do echo " Creating client: $1" + __check_admin_token export __client_name=$1 envsubst < .jsonfile1 > .jsonfile2 - curl --proxy localhost:31784 -s \ - -X POST \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @".jsonfile2" \ - "$KC_URL/admin/realms/$__realm/clients" | indent1 + + curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + -H "Content-Type: application/json" \ + -d @".jsonfile2" \ + | indent1 + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, create_clients" exit 1 fi - echo " OK" + echo " OK, create_clients" shift done } __get_client_id() { - __client_data=$(curl --proxy localhost:31784 -s \ - -X GET \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$1/clients?clientId=$2") + __client_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients?clientId=$2" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" ) + if [ $? -ne 0 ]; then return 1 fi 
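Review bot: The rewritten `__get_client_id` request splices `$1` into the path and `$2` into the query string unescaped, so a client name containing `&`, `#`, `/` or a space silently changes the request; `curl -s -f -G --data-urlencode "clientId=$2" "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients"` encodes the value and, with `-f`, makes the `$?` check on the next line catch an HTTP error instead of passing an error body on to the caller. Without `-f` the only failures the following `if` can see are transport errors. `__get_client_id` continues past the end of the hunk.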
@@ -167,44 +174,46 @@ generate_client_secrets() { __realm=$1 shift echo "Attempt to generate secret for clients $@ in realm $__realm" - __check_admin_token while [ $# -gt 0 ]; do + __check_admin_token __client_id=$(__get_client_id $__realm $1) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, generate_client_secrets, __get_client_id" exit 1 fi echo " Client id for client $1 in realm $__realm: "$__client_id | indent1 echo " Creating secret" - __client_secret=$(curl --proxy localhost:31784 -s \ - -X POST \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret") + + __client_secret=$(curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" ) + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, generate_client_secrets, client_secret POST" exit 1 fi - __client_secret=$(curl --proxy localhost:31784 -s \ - -X GET \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret") + + __client_secret=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" ) + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, generate_client_secrets, client_secret GET" exit 1 fi + __client_secret=$(echo $__client_secret | jq -r .value) echo " Client secret for client $1 in realm $__realm: "$__client_secret | indent1 echo $__client_secret > ".sec_$__realm""_$1" - echo " OK" + echo " OK, generate_client_secrets" shift done } create_client_roles() { # []+ + __check_admin_token __client_id=$(__get_client_id $1 $2) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, create_client_roles, __get_client_id" exit 1 fi __realm=$1 
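Review bot: Neither rewritten client-secret request in generate_client_secrets uses `-f`, so a 401/403 error body is parsed by the `jq -r .value` line that follows, which prints `null`; that `null` is then echoed and written to `.sec_$__realm_$1` while the step reports "OK, generate_client_secrets". Add `-f` to both new curl lines (the POST and the GET) so the existing `$?` checks actually fire. The secret is also printed to stdout and written with the default umask to a dotfile in the current directory (pre-existing context lines); consider `( umask 077; printf '%s\n' "$__client_secret" > ".sec_$__realm""_$1" )` and dropping the echo of the value.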
@@ -218,14 +227,15 @@ cat > .jsonfile1 <<- "EOF" EOF export __role=$1 envsubst < .jsonfile1 > .jsonfile2 - curl --proxy localhost:31784 -s \ - -X POST \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @".jsonfile2" \ - "$KC_URL/admin/realms/$__realm/clients/$__client_id/roles" | indent1 + + curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/roles" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + -H "Content-Type: application/json" \ + -d @".jsonfile2" \ + | indent1 + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, create_client_roles" exit 1 fi shift 
@@ -234,32 +244,28 @@ EOF __get_service_account_id() { # - __service_account_data=$(curl --proxy localhost:31784 -s \ - -X GET \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$1/clients/$2/service-account-user") + + __service_account_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/clients/$2/service-account-user" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" ) + if [ $? -ne 0 ]; then return 1 fi + __service_account_id=$(echo $__service_account_data | jq -r '.id') echo $__service_account_id return 0 } -# curl --proxy localhost:31784 -s \ -# -X GET \ -# -H "Authorization: Bearer ${ADMIN_TOKEN}" \ -# "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id/available" __get_client_available_role_id() { # - __client_role_data=$(curl --proxy localhost:31784 -s \ - -X GET \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3/available") + + __client_role_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/users/$2/role-mappings/clients/$3/available" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" ) + if [ $? -ne 0 ]; then return 1 fi - #__client_role_id=$(echo $__client_role_data | jq -r '.id') __client_role_id=$(echo $__client_role_data | jq -r '.[] | select(.name=="'$4'") | .id ') echo $__client_role_id return 0 
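Review bot: The rewritten `__get_client_available_role_id` request (like `__get_service_account_id` above it and `__get_client_mapped_role_id` in the next hunk) hands an unchecked body to jq: without `-f` an HTTP error body reaches `jq -r '.[] | select(.name=="'$4'") | .id '`, which also splices `$4` into the jq program text, so a role name containing `"` breaks the filter. Add `-f` to the new curl line and pass the name as data rather than code: `jq -r --arg name "$4" '.[] | select(.name==$name) | .id'`. The unquoted `echo $__client_role_id` will also collapse a multi-line result onto one line if the filter matches more than one role; `printf '%s\n' "$__client_role_id"` preserves it.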
@@ -267,14 +273,13 @@ __get_client_available_role_id() { __get_client_mapped_role_id() { # - __client_role_data=$(curl --proxy localhost:31784 -s \ - -X GET \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$1/users/$2/role-mappings/clients/$3") + + __client_role_data=$(curl -s -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$1/users/$2/role-mappings/clients/$3" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" ) + if [ $? -ne 0 ]; then return 1 fi - #__client_role_id=$(echo $__client_role_data | jq -r '.id') __client_role_id=$(echo $__client_role_data | jq -r '.[] | select(.name=="'$4'") | .id ') echo $__client_role_id return 0 @@ -283,30 +288,33 @@ __get_client_mapped_role_id() { add_client_roles_mapping() { # []+ echo "Attempt to add roles ${@:3} to client $2 in realm $1" + __check_admin_token __realm=$1 __client=$2 __client_id=$(__get_client_id $__realm $__client) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, add_client_roles_mapping, __get_client_id" exit 1 fi echo " Client id for client $__client in realm $__realm: "$__client_id | indent1 __service_account_id=$(__get_service_account_id $__realm $__client_id) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, add_client_roles_mapping, __get_service_account_id" exit 1 fi echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1 shift; shift + __cntr=0 __all_roles=$@ + while [ $# -gt 0 ]; do if [ $__cntr -eq 0 ]; then echo "[" > .jsonfile2 fi __client_role_id=$(__get_client_available_role_id $__realm $__service_account_id $__client_id $1) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, add_client_roles_mapping, __get_client_available_role_id" exit 1 fi #echo "CLIENT ROLE ID $1 "$__client_role_id 
@@ -319,20 +327,21 @@ add_client_roles_mapping() { let __cntr=__cntr+1 shift done + echo "]" >> .jsonfile2 echo " Adding roles $__all_roles to client $__client in realm $__realm" - curl --proxy localhost:31784 -s \ - -X POST \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @".jsonfile2" \ - "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" | indent2 + curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + -H "Content-Type: application/json" \ + -d @".jsonfile2" \ + | indent2 + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, add_client_roles_mapping, adding roles" exit 1 fi - echo " OK" + echo " OK, add_client_roles_mapping" } @@ -340,17 +349,18 @@ add_client_roles_mapping() { remove_client_roles_mapping() { # []+ echo "Attempt to removed roles ${@:3} from client $2 in realm $1" + __check_admin_token __realm=$1 __client=$2 __client_id=$(__get_client_id $__realm $__client) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, remove_client_roles_mapping, __get_client_id" exit 1 fi echo " Client id for client $__client in realm $__realm: "$__client_id | indent1 __service_account_id=$(__get_service_account_id $__realm $__client_id) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, remove_client_roles_mapping, __get_service_account_id" exit 1 fi echo " Service account id for client $__client in realm $__realm: "$__service_account_id | indent1 @@ -363,7 +373,7 @@ remove_client_roles_mapping() { fi __client_role_id=$(__get_client_mapped_role_id $__realm $__service_account_id $__client_id $1) if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, remove_client_roles_mapping, __get_client_mapped_role_id" exit 1 fi #echo "CLIENT ROLE ID $1 "$__client_role_id 
@@ -379,27 +389,28 @@ remove_client_roles_mapping() { echo "]" >> .jsonfile2 echo " Removing roles $__all_roles from client $__client in realm $__realm" - curl --proxy localhost:31784 -s \ - -X DELETE \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @".jsonfile2" \ - "$KC_URL/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" | indent2 + curl -s -X DELETE "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/users/$__service_account_id/role-mappings/clients/$__client_id" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + -H "Content-Type: application/json" \ + -d @".jsonfile2" \ + | indent2 + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, remove_client_roles_mapping, delete" exit 1 fi - echo " OK" + echo " OK, remove client roles mapping" } add_client_hardcoded-claim-mapper() { # + __check_admin_token __realm=$1 __client=$2 export __mapper_name=$3 export __claim_name=$4 export __claim_value=$5 -set -x + __client_id=$(__get_client_id $__realm $__client) if [ $? -ne 0 ]; then echo " Fatal error when getting client id, response: "$? 
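Review bot: The new completion message `echo " OK, remove client roles mapping"` breaks the `OK, <function_name>` convention the commit applies everywhere else (compare `" OK, add_client_roles_mapping"` in the previous hunk); use `echo " OK, remove_client_roles_mapping"` so log lines can be grepped by function name. Removing `set -x` from add_client_hardcoded-claim-mapper is the right call, since tracing printed the bearer token from the curl header, but its counterpart `set +x` is still in place further down the function (next hunk).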
@@ -422,24 +433,26 @@ set -x } EOF envsubst < .jsonfile1 > .jsonfile2 - curl --proxy localhost:31784 -s \ - -X POST \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @".jsonfile2" \ - "$KC_URL/admin/realms/nonrtric-realm/clients/"$__client_id"/protocol-mappers/models" | indent2 + + curl -s -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/nonrtric-realm/clients/"$__client_id"/protocol-mappers/models" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + -H "Content-Type: application/json" \ + -d @".jsonfile2" \ + | indent2 + if [ $? -ne 0 ]; then - echo "Command failed" + echo "Command failed, add_client_hardcoded-claim-mapper" exit 1 fi set +x cat .jsonfile2 - echo " OK" + echo " OK, add_client_hardcoded-claim-mapper" } # Get a client token # args: get_client_token() { + __check_admin_token __realm=$1 __client=$2 __client_id=$(__get_client_id $__realm $__client) @@ -449,10 +462,9 @@ get_client_token() { fi #echo " Client id for client $__client in realm $__realm: "$__client_id | indent1 - __client_secret=$(curl --proxy localhost:31784 -s -f \ - -X GET \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ - "$KC_URL/admin/realms/$__realm/clients/$__client_id/client-secret") + __client_secret=$(curl -s -f -X GET "$KUBERNETESHOST:$KC_PROXY_PORT/admin/realms/$__realm/clients/$__client_id/client-secret" \ + -H "Authorization: Bearer ${ADMIN_TOKEN}" ) + if [ $? -ne 0 ]; then echo " Fatal error when getting client secret, response: "$? exit 1 
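Review bot: `set +x` on the context line after the `fi` in add_client_hardcoded-claim-mapper is now orphaned, because this commit removed the matching `set -x` at the top of the function; since this file is sourced, it unconditionally switches xtrace off in the calling shell. Delete that line, and consider the `cat .jsonfile2` next to it as well, which dumps the request body after every call and looks like a debugging leftover. In get_client_token (second hunk) `-f` is correctly used on the secret request, but the message `echo " Fatal error when getting client secret, response: "$?` prints the status of the preceding `[` test (always 0) rather than curl's; save it first with `__rc=$?` and print that.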
@@ -460,9 +472,10 @@ get_client_token() { __client_secret=$(echo $__client_secret | jq -r .value) - __TMP_TOKEN=$(curl --proxy localhost:31784 -f -s -X POST $KC_URL/realms/$__realm/protocol/openid-connect/token \ - -H Content-Type:application/x-www-form-urlencoded \ - -d client_id="$__client" -d client_secret="$__client_secret" -d grant_type=client_credentials) + __TMP_TOKEN=$(curl -s -f -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/realms/$__realm/protocol/openid-connect/token" \ + -H Content-Type:application/x-www-form-urlencoded \ + -d client_id="$__client" -d client_secret="$__client_secret" -d grant_type=client_credentials) + if [ $? -ne 0 ]; then echo " Fatal error when getting client token, response: "$? exit 1
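Review bot: The rewritten token request in get_client_token still passes the client secret on the curl command line, `-d client_secret="$__client_secret"`, where other local users can read it from the process list for the duration of the call on hosts without hidepid. Send the form body over stdin instead, e.g. `printf 'client_id=%s&client_secret=%s&grant_type=client_credentials' "$__client" "$__client_secret" | curl -s -f -X POST "$KUBERNETESHOST:$KC_PROXY_PORT/realms/$__realm/protocol/openid-connect/token" -H Content-Type:application/x-www-form-urlencoded -d @-`. The same argv exposure applies to `-d "password=admin"` in the first hunk, though that value is a fixed default here.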