keycloak-admin 0.1 → 0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 107fe1a9772c1ca9f9014e1e089d5eb4a9c66a6a
-  data.tar.gz: f4c5918e8e3f3654bb6f8e8f63d0480b2f7b5d98
+  metadata.gz: 530efac24194a86644d0924ffd5a0aa931c6928d
+  data.tar.gz: 9e42d8ceed9f876549dbd2cf2fd86c12ad01c500
 SHA512:
-  metadata.gz: c5be1ffcad5a514578de150dae7a6b55d1ca7af1466fe3f45ec007c17da164ea877b190357fa50227f1e68ac3861a3daea793389cd2044b31ef9c5c0f1e30aa9
-  data.tar.gz: 40932b69af9e0ba619a3d267cd50bbf0146f4a5573aee005e9d362c57e2536f39c4ba77320cbb0b0323cb37b9a07e1a347a05919da040cead84022368f1daf4c
+  metadata.gz: 6586f5fbd3b14cc579f8d77ff8cb8ee963eb013da1bd5d3807c6cfabe366b6b8340356c8d8cbc0207d4bf8eefaf8964a0717e0a25145d679b23d427f46641683
+  data.tar.gz: 4891b3ad7ffc41969c8e9a7b3624315f57edef8f9253dea0218c195c5a3eec1b019356ca2d75e0e1cc180ccb731f3ce7e47534335ea1ed915dcee63003604767

data/.gitignore

@@ -5,3 +5,4 @@ test/dummy/db/*.sqlite3
 test/dummy/db/*.sqlite3-journal
 test/dummy/log/*.log
 test/dummy/tmp/
+*.gem

data/Gemfile.lock

@@ -1,98 +1,13 @@
 PATH
   remote: .
   specs:
-    keycloak-admin (0.1)
+    keycloak-admin (0.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.1.4)
-      actionpack (= 5.1.4)
-      nio4r (~> 2.0)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.1.4)
-      actionpack (= 5.1.4)
-      actionview (= 5.1.4)
-      activejob (= 5.1.4)
-      mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 2.0)
-    actionpack (5.1.4)
-      actionview (= 5.1.4)
-      activesupport (= 5.1.4)
-      rack (~> 2.0)
-      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.4)
-      activesupport (= 5.1.4)
-      builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.4)
-      activesupport (= 5.1.4)
-      globalid (>= 0.3.6)
-    activemodel (5.1.4)
-      activesupport (= 5.1.4)
-    activerecord (5.1.4)
-      activemodel (= 5.1.4)
-      activesupport (= 5.1.4)
-      arel (~> 8.0)
-    activesupport (5.1.4)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-    arel (8.0.0)
-    builder (3.2.3)
     byebug (9.1.0)
-    concurrent-ruby (1.0.5)
-    crass (1.0.3)
     diff-lcs (1.3)
-    erubi (1.7.0)
-    globalid (0.4.1)
-      activesupport (>= 4.2.0)
-    i18n (0.9.1)
-      concurrent-ruby (~> 1.0)
-    loofah (2.1.1)
-      crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
-    mail (2.7.0)
-      mini_mime (>= 0.1.1)
-    method_source (0.9.0)
-    mini_mime (1.0.0)
-    mini_portile2 (2.3.0)
-    minitest (5.11.1)
-    nio4r (2.2.0)
-    nokogiri (1.8.1)
-      mini_portile2 (~> 2.3.0)
-    rack (2.0.3)
-    rack-test (0.8.2)
-      rack (>= 1.0, < 3)
-    rails (5.1.4)
-      actioncable (= 5.1.4)
-      actionmailer (= 5.1.4)
-      actionpack (= 5.1.4)
-      actionview (= 5.1.4)
-      activejob (= 5.1.4)
-      activemodel (= 5.1.4)
-      activerecord (= 5.1.4)
-      activesupport (= 5.1.4)
-      bundler (>= 1.3.0)
-      railties (= 5.1.4)
-      sprockets-rails (>= 2.0.0)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
-      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
-    railties (5.1.4)
-      actionpack (= 5.1.4)
-      activesupport (= 5.1.4)
-      method_source
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (12.3.0)
     rspec (3.7.0)
       rspec-core (~> 3.7.0)
       rspec-expectations (~> 3.7.0)
@@ -106,20 +21,6 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.7.0)
     rspec-support (3.7.0)
-    sprockets (3.7.1)
-      concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
-    sprockets-rails (3.2.1)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
-      sprockets (>= 3.0.0)
-    thor (0.20.0)
-    thread_safe (0.3.6)
-    tzinfo (1.2.4)
-      thread_safe (~> 0.1)
-    websocket-driver (0.6.5)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
 
 PLATFORMS
   ruby

data/README.md

@@ -9,23 +9,53 @@ _Warning: This beta gem is currently used for personal used. Most Keycloak Admin
 ## Install
 
 This gem *does not* require Rails.
+For example, using `bundle`, add this line to your Gemfile.
 
 ```ruby
-gem "keycloak-admin"
+gem "keycloak-admin", "0.2"
 ```
 
+## Login
+
+You can choose your login process between two different login methods: `username/password` and `Account Service`.
+
+### Login with username/password
+
+Using this login method requires to create a user (and her credentials).
+* In Keycloak 
+  * Make your client `confidential` or `public`
+  * Do not check `Service Accounts Enabled`
+* In this gem's configuration
+  * Set `use_service_account` to `false`
+  * Setup `username` and `password`
+  * Setup `client_secret` if your client is `confidential`
+
+### Login with an Account Service
+
+Using a service account to use the REST Admin API does not require to create a dedicated user (http://www.keycloak.org/docs/2.5/server_admin/topics/clients/oidc/service-accounts.html).
+
+* In Keycloak 
+  * Make your client `confidential`
+  * Check its toggle `Service Accounts Enabled`
+  * A Redirect URL is required, set it to `*`
+  * After saving this client, open the `Service Account Roles` and add relevant `realm-management.` client's roles. For instance: `view-users` if you want to search for users using this gem.
+* In this gem's configuration
+  * Set `use_service_account` to `true`
+  * Setup `client_secret`
+
 ## Configuration
 
 To configure this gem, call `KeycloakAdmin.configure`. 
 For instance, to configure this gem based on environment variables, write (and load if required) a `keycloak_admin.rb`:
 ```ruby
 KeycloakAdmin.configure do |config|
-  config.server_url       = ENV["KEYCLOAK_SERVER_URL"]
-  config.client_id        = ENV["KEYCLOAK_ADMIN_CLIENT_ID"]
-  config.user_realm_name  = ENV["KEYCLOAK_REALM_ID"]
-  config.username         = ENV["KEYCLOAK_ADMIN_USER"]
-  config.password         = ENV["KEYCLOAK_ADMIN_PASSWORD"]
-  config.logger           = Rails.logger
+  config.use_service_account = false
+  config.server_url          = ENV["KEYCLOAK_SERVER_URL"]
+  config.client_id           = ENV["KEYCLOAK_ADMIN_CLIENT_ID"]
+  config.client_realm_name   = ENV["KEYCLOAK_REALM_ID"]
+  config.username            = ENV["KEYCLOAK_ADMIN_USER"]
+  config.password            = ENV["KEYCLOAK_ADMIN_PASSWORD"]
+  config.logger              = Rails.logger
 end
 ```
 This example is autoloaded in a Rails environment.
@@ -37,10 +67,12 @@ All options have a default value. However, all of them can be changed in your in
 | Option | Default Value | Type | Required? | Description  | Example |
 | ---- | ----- | ------ | ----- | ------ | ----- |
 | `server_url` | `nil`| String | Required | The base url where your Keycloak server is located. This value can be retrieved in your Keycloak client configuration. | `auth:8080/auth` |
-| `user_realm_name` | `""`| String | Required | Name of the realm that contain the admin client and user. | `master` |
+| `client_realm_name` | `""`| String | Required | Name of the realm that contain the admin client. | `master` |
 | `client_id` | `admin-cli`| String | Required | Client that should be used to access admin capabilities. | `api-cli` |
-| `username` | `nil`| String | Required | Username that access to the Admin REST API | `mummy` |
-| `password` | `nil`| String | Required | Clear password that access to the Admin REST API | `bobby` |
+| `client_secret` | `nil`| String | Optional | If your client is `confidential`, this parameter must be specified. | `4e3c481c-f823-4a6a-b8a7-bf8c86e3eac3` |
+| `use_service_account` | `true` | Boolean | Required | `true` if the connection to the client uses a Service Account. `false` if the connetio nto the client uses a username/password credential | `false` | 
+| `username` | `nil`| String | Optional | Username that access to the Admin REST API. Recommended if `user_service_account` is set to `false`. | `mummy` |
+| `password` | `nil`| String | Optional | Clear password that access to the Admin REST API. Recommended if `user_service_account` is set to `false`. | `bobby` |
 | `logger` | `Logger.new(STDOUT)`| Logger | Optional | The logger used by `keycloak-admin` | `Rails.logger` | 
 
 
@@ -105,3 +137,7 @@ From the `keycloak-admin-api` directory:
   $ docker build . -t keycloak-admin:test
   $ docker run -v `pwd`:/usr/src/app/ keycloak-admin:test bundle exec rspec spec
 ```
+
+## Future work
+
+* Allow authentication using JWT assertions

data/keycloak-admin.gemspec

@@ -15,6 +15,6 @@ Gem::Specification.new do |spec|
   spec.files = `git ls-files -z`.split("\x0")
   spec.require_paths = ["lib"]
   
-  spec.add_development_dependency "rspec",   "3.7.0"
+  spec.add_development_dependency "rspec",  "3.7.0"
   spec.add_development_dependency "byebug", "9.1.0"
 end

data/lib/keycloak-admin.rb

@@ -31,12 +31,13 @@ module KeycloakAdmin
 
   def self.load_configuration
     configure do |config|
-      config.server_url      = nil
-      config.user_realm_name = ""
-      config.client_id       = "admin-cli"
-      config.logger          = ::Logger.new(STDOUT)
-      config.username        = nil
-      config.password        = nil
+      config.server_url          = nil
+      config.client_realm_name   = ""
+      config.client_id           = "admin-cli"
+      config.logger              = ::Logger.new(STDOUT)
+      config.use_service_account = true
+      config.username            = nil
+      config.password            = nil
     end
   end
 

data/lib/keycloak-admin/client/client.rb

@@ -10,7 +10,7 @@ module KeycloakAdmin
     end
 
     def token
-      @token ||= KeycloakAdmin.realm(@configuration.user_realm_name).token.get
+      @token ||= KeycloakAdmin.realm(@configuration.client_realm_name).token.get
     end
 
     def headers
@@ -21,9 +21,15 @@ module KeycloakAdmin
       }
     end
 
+    def execute_http
+      yield
+    rescue RestClient::ExceptionWithResponse => e
+      http_error(e.response)
+    end
+
     private
 
-    def error(response)
+    def http_error(response)
       raise "Keycloak: The request failed with response code #{response.code} and message: #{response.body}"
     end
   end

data/lib/keycloak-admin/client/token_client.rb

@@ -15,17 +15,10 @@ module KeycloakAdmin
     end
 
     def get
-      response = RestClient.post(token_url,
-        username: @configuration.username,
-        password: @configuration.password,
-        grant_type: "password",
-        client_id: @configuration.client_id
-      )
-      if response.code == 200
-        TokenRepresentation.from_json(response.body)
-      else
-        error(response)
+      response = execute_http do
+        RestClient.post(token_url, @configuration.body_for_token_retrieval, @configuration.headers_for_token_retrieval)
       end
+      TokenRepresentation.from_json(response.body)
     end
   end
 end

data/lib/keycloak-admin/client/user_client.rb

@@ -12,39 +12,35 @@ module KeycloakAdmin
     end
 
     def save(user_representation)
-      response = RestClient.post(users_url, user_representation.to_json, headers)
-      if response.code == 201
-        user_representation
-      else
-        error(response)
+      execute_http do
+        RestClient.post(users_url, user_representation.to_json, headers)
       end
+      user_representation
     end
 
     def search(query)
-      response = RestClient.get(users_url, headers.merge({params: { search: query }}))
-      if response.code == 200
-        JSON.parse(response).map { |user_as_hash| UserRepresentation.from_hash(user_as_hash) }
-      else
-        error(response)
+      response = execute_http do
+        RestClient.get(users_url, headers.merge({params: { search: query }}))
       end
+      JSON.parse(response).map { |user_as_hash| UserRepresentation.from_hash(user_as_hash) }
     end
 
     def delete(user_id)
-      response = RestClient.delete(users_url(user_id), headers)
-      response.code == 204 || error(response)
+      execute_http do
+        RestClient.delete(users_url(user_id), headers)
+      end
+      true
     end
 
     def update_password(user_id, new_password)
-      response = RestClient.put(reset_password_url(user_id), {
-        type: "password",
-        value: new_password,
-        temporary: false
-      }.to_json, headers)
-      if response.code == 204
-        user_id
-      else
-        error(response)
+      execute_http do
+        RestClient.put(reset_password_url(user_id), {
+          type: "password",
+          value: new_password,
+          temporary: false
+        }.to_json, headers)
       end
+      user_id
     end
 
     def users_url(id=nil)

data/lib/keycloak-admin/configuration.rb

@@ -1,5 +1,52 @@
+require "base64"
+
 module KeycloakAdmin
   class Configuration
-    attr_accessor :server_url, :client_id, :user_realm_name, :username, :password, :logger
+    attr_accessor :server_url, :client_id, :client_secret, :client_realm_name, :use_service_account, :username, :password, :logger
+
+    def body_for_token_retrieval
+      if use_service_account
+        body_for_service_account
+      else
+        body_for_username_and_password
+      end
+    end
+
+    def headers_for_token_retrieval
+      if use_service_account
+        headers_for_service_account
+      else
+        headers_for_username_and_password
+      end
+    end
+
+    private
+
+    def body_for_service_account
+      {
+        grant_type:    "client_credentials"
+      }
+    end
+
+    def body_for_username_and_password
+      {
+        username:      username,
+        password:      password,
+        grant_type:    "password",
+        client_id:     client_id,
+        client_secret: client_secret
+      }
+    end
+
+    def headers_for_service_account
+      id_and_secret = Base64::strict_encode64("#{client_id}:#{client_secret}")
+      {
+        Authorization: "Basic #{id_and_secret}"
+      }
+    end
+
+    def headers_for_username_and_password
+      {}
+    end
   end
-end
+end

data/lib/keycloak-admin/representation/token_representation.rb

@@ -1,14 +1,39 @@
 
 module KeycloakAdmin
   class TokenRepresentation < Representation
-    attr_accessor :access_token
+    attr_accessor :access_token,
+      :token_type,
+      :expires_in,
+      :refresh_token,
+      :refresh_expires_in,
+      :id_token,
+      :not_before_policy,
+      :session_state
 
-    def initialize(access_token)
-      @access_token = access_token
+    def initialize(access_token, token_type, expires_in, refresh_token, refresh_expires_in, id_token, not_before_policy, session_state)
+      @access_token       = access_token
+      @token_type         = token_type
+      @expires_in         = expires_in
+      @refresh_token      = refresh_token
+      @refresh_expires_in = refresh_expires_in
+      @id_token           = id_token
+      @not_before_policy  = not_before_policy
+      @session_state      = session_state
     end
 
     def self.from_hash(hash)
-      new(hash["access_token"])
+      new(
+        hash["access_token"],
+        hash["token_type"],
+        hash["expires_in"],
+        hash["refresh_token"],
+        hash["refresh_expires_in"],
+        hash["id_token"],
+        hash["not-before-policy"],
+        hash["session_state"],
+        )
     end
   end
 end
+
+

data/lib/keycloak-admin/version.rb

@@ -1,3 +1,3 @@
 module KeycloakAdmin
-  VERSION = "0.1"
+  VERSION = "0.2"
 end

data/spec/spec_helper.rb

@@ -4,11 +4,11 @@ require "byebug"
 
 def configure
   KeycloakAdmin.configure do |config|
-    config.server_url       = "http://auth.service.io/auth"
-    config.client_id        = "admin-cli"
-    config.user_realm_name  = "master2"
-    config.username         = "bobby"
-    config.password         = "coucou"
+    config.server_url          = "http://auth.service.io/auth"
+    config.client_id           = "admin-cli"
+    config.client_secret       = "aaaaaaaa"
+    config.client_realm_name   = "master2"
+    config.use_service_account = true
   end 
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: keycloak-admin
 version: !ruby/object:Gem::Version
-  version: '0.1'
+  version: '0.2'
 platform: ruby
 authors:
 - Lorent Lempereur