keycloak-admin 0.7.6 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4496dbc0b6fbd52610640546a149a2bc42cc7fb114acc210876c88c8b3626216
-  data.tar.gz: f9426c7701e10cac266df4a75a39fc20a717d3d31e92de88ca7bd3a6e2716a92
+  metadata.gz: 4e6887f2f57beb2339c74a7600a787b3f19cc5eaa171cbf43e94c1c899b75152
+  data.tar.gz: 10639852645add2d77c73719f5ab315ccb0bf9f5e34a4e716b72a919c087d5a5
 SHA512:
-  metadata.gz: 17ce324b2a3e555c756a095443902fbb616f88a91168b2f07245ca055c3714bd0aff0435afd1346b81fa456f60eaf5a07b3b1d4a01d66f0af3b3e39490d916f2
-  data.tar.gz: c7e81693e55556d5bb8f6fa4ead25a1172c9e5cb3f5e77a34ed420c92baa1b574a4b0746e5dfc314097a3a3f28c9d97e4f651444fee76a60dda89bda65e6a8ff
+  metadata.gz: ea1fded8289d7d3cd89d816cf0949eed2aa07f2cab0bf86afb2a56e26d60dc30d218ce40ef51a4091e3d9c27369c7e4c8316997aa2a5fbed129c457728056de4
+  data.tar.gz: 65301ff7dd19a5240bdd389f61e23615b8aeee911e08d833fac0c9102a27d5ed279c5bf7ba2adc7726fa12583c4b18ab2d297b38e17555beab1b47caa7b5fcdd

data/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.0] - 2021-08-03
+
+* Add `totp` on Users
+* Add `required_actions` on Users
+
+## [0.7.9] - 2020-10-22
+
+* Extend `search` function to use complex queries (thanks to @hobbypunk90)
+
+## [0.7.8] - 2020-10-15
+
+* Bug: `rest_client_options` default value does not match the documentation (was `nil` by default, should be `{}`)
+* Update documentation about client setup (based on Keycloak 11)
+
+## [0.7.7] - 2020-07-10
+
+* Fix: `Replace request method shorthand with .execute for proper RestClient option support` (thanks to @RomanHargrave)
+* When sending action emails, add lifespan as an optional parameter (thanks to @hobbypunk90)
+
 ## [0.7.6] - 2020-06-22
 
 Thanks to @hobbypunk90 
@@ -21,7 +40,7 @@ Thanks to @RomanHargrave
 
 ## [0.7.3] - 2019-07-11
 
-Thanks to @cederigo=
+Thanks to @cederigo:
 * For a given user, get her list of groups
 
 ## [0.7.2] - 2019-06-17

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    keycloak-admin (0.7.6)
+    keycloak-admin (1.0.0)
       http-cookie (~> 1.0, >= 1.0.3)
       rest-client (~> 2.0)
 
@@ -13,11 +13,11 @@ GEM
     domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
     http-accept (1.7.0)
-    http-cookie (1.0.3)
+    http-cookie (1.0.4)
       domain_name (~> 0.5)
     mime-types (3.3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2020.0512)
+    mime-types-data (3.2021.0704)
     netrc (0.11.0)
     rest-client (2.1.0)
       http-accept (>= 1.7.0, < 2.0)

data/README.md

@@ -12,37 +12,59 @@ This gem *does not* require Rails.
 For example, using `bundle`, add this line to your Gemfile.
 
 ```ruby
-gem "keycloak-admin", "0.7.6"
+gem "keycloak-admin", "1.0.0"
 ```
 
 ## Login
 
-You can choose your login process between two different login methods: `username/password` and `Account Service`.
-
-### Login with username/password
-
-Using this login method requires to create a user (and her credentials).
-* In Keycloak 
-  * Make your client `confidential` or `public`
-  * Do not check `Service Accounts Enabled`
-* In this gem's configuration
-  * Set `use_service_account` to `false`
-  * Setup `username` and `password`
-  * Setup `client_secret` if your client is `confidential`
-
-### Login with an Account Service
-
-Using a service account to use the REST Admin API does not require to create a dedicated user (http://www.keycloak.org/docs/2.5/server_admin/topics/clients/oidc/service-accounts.html).
-
-* In Keycloak 
-  * Make your client `confidential`
-  * Check its toggle `Service Accounts Enabled`
-  * Disable both `Standard Flow Enabled` and `Implicit Flow Enabled `
-  * Enable `Direct Access Grants Enabled`
-  * After saving this client, open the `Service Account Roles` and add relevant `realm-management.` client's roles. For instance: `view-users` if you want to search for users using this gem.
-* In this gem's configuration
+To login on Keycloak's Admin API, you first need to setup a client.
+
+Go to your realm administration page and open `Clients`. Then, click on the `Create` button.
+On the first screen, enter:
+* `Client ID`: _e.g. my-app-admin-client_ 
+* `Client Protocol`: select `openid-connect`
+* `Root URL`: let it blank
+
+The next screen must be configured depending on how you want to authenticate:
+* `username/password` with a user of the realm
+* `Direct Access Grants` with a service account
+
+### Login with username/password (realm user)
+
+* In Keycloak, during the client setup:
+  * `Access Type`: `public` or `confidential`
+  * `Service Accounts Enabled` (when `confidential`): `false`
+  * After saving your client, if you have chosen a `confidential` client, go to `Credentials` tab and copy the `Client Secret`
+
+* In Keycloak, create a dedicated user (and her credentials):
+  * Go to `Users`
+  * Click on the `Add user` button
+  * Setup her mandatory information, depending on your realm's configuration
+  * On the `Credentials` tab, create her a password (toggle off `Temporary`)
+
+* In this gem's configuration (see Section `Configuration`):
+  * Setup `username` and `password` according to your user's configuration
+  * Setup `client_id` with your `Client ID` (_e.g. my-app-admin-client_)
+  * If your client is `confidential`, copy its Client Secret to `client_secret` 
+
+### Login with `Direct Access Grants` (Service account)
+
+Using a service account to use the REST Admin API does not require to create a dedicated user (https://www.keycloak.org/docs/latest/server_admin/#_service_accounts).
+
+* In Keycloak, during the client setup:
+  * `Access Type`:  `confidential`
+  * `Service Accounts Enabled` (when `confidential`): `true`
+  * `Standard Flow Enabled`: `false`
+  * `Implicit Flow Enabled`: `false`
+  * `Direct Access Grants Enabled`: `true`
+  * After saving this client
+    * open the `Service Account Roles` and add relevant `realm-management.` client's roles. For instance: `view-users` if you want to search for users using this gem.
+    * open the `Credentials` tab and copy the `Client Secret`
+  
+* In this gem's configuration  (see Section `Configuration`):
   * Set `use_service_account` to `true`
-  * Setup `client_secret`
+  * Setup `client_id` with your `Client ID` (_e.g. my-app-admin-client_)
+  * Copy its Client Secret to `client_secret` 
 
 ## Configuration
 
@@ -69,7 +91,8 @@ All options have a default value. However, all of them can be changed in your in
 
 | Option | Default Value | Type | Required? | Description  | Example |
 | ---- | ----- | ------ | ----- | ------ | ----- |
-| `server_url` | `nil`| String | Required | The base url where your Keycloak server is located. This value can be retrieved in your Keycloak client configuration. | `server_domain` | `nil`| String | Required | Public domain that identify your authentication cookies. | `auth.service.io` |
+| `server_url` | `nil` | String | Required | The base url where your Keycloak server is located (a URL that starts with `http` and that ends with `/auth`). This value can be retrieved in your Keycloak client configuration. | `http://auth:8080/auth`
+| `server_domain` | `nil`| String | Required | Public domain that identify your authentication cookies. | `auth.service.io` |
 | `client_realm_name` | `""`| String | Required | Name of the realm that contains the admin client. | `master` |
 | `client_id` | `admin-cli`| String | Required | Client that should be used to access admin capabilities. | `api-cli` |
 | `client_secret` | `nil`| String | Optional | If your client is `confidential`, this parameter must be specified. | `4e3c481c-f823-4a6a-b8a7-bf8c86e3eac3` |
@@ -122,10 +145,18 @@ KeycloakAdmin.realm("a_realm").users.get(user_id)
 
 Returns an array of `KeycloakAdmin::UserRepresentation`.
 
+According to [the documentation](https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_users_resource):
+* When providing a `String` parameter, this produces an arbitrary search string
+* When providing a `Hash`, you can search for specific field (_e.g_ an email)
+
 ```ruby
 KeycloakAdmin.realm("a_realm").users.search("a_username_or_an_email")
 ```
 
+```ruby
+KeycloakAdmin.realm("a_realm").users.search({ email: "john@doe.com" })
+```
+
 ### List all users in a realm
 
 Returns an array of `KeycloakAdmin::UserRepresentation`.
@@ -343,8 +374,4 @@ From the `keycloak-admin-api` directory:
 ```
   $ docker build . -t keycloak-admin:test
   $ docker run -v `pwd`:/usr/src/app/ keycloak-admin:test bundle exec rspec spec
-```
-
-## Future work
-
-* Allow authentication using JWT assertions
+```

data/lib/keycloak-admin.rb

@@ -55,7 +55,7 @@ module KeycloakAdmin
       config.use_service_account = true
       config.username            = nil
       config.password            = nil
-      config.rest_client_options = nil
+      config.rest_client_options = {}
     end
   end
 

data/lib/keycloak-admin/client/configurable_token_client.rb

@@ -16,13 +16,18 @@ module KeycloakAdmin
 
     def exchange_with(user_access_token, token_lifespan_in_seconds)
       response = execute_http do
-        RestClient.post(token_url, {
-          tokenLifespanInSeconds: token_lifespan_in_seconds
-        }.to_json, {
-          Authorization: "Bearer #{user_access_token}",
-          content_type:  :json,
-          accept:        :json
-        })
+        RestClient::Request.execute(
+          @configuration.rest_client_options.merge(
+            method: :post,
+            url: token_url,
+            payload: { tokenLifespanInSeconds: token_lifespan_in_seconds }.to_json,
+            headers: {
+              Authorization: "Bearer #{user_access_token}",
+              content_type: :json,
+              accept: :json
+            }
+          )
+        )
       end
       TokenRepresentation.from_json(response.body)
     end

data/lib/keycloak-admin/client/user_client.rb

@@ -21,7 +21,14 @@ module KeycloakAdmin
     end
 
     def update(user_id, user_representation_body)
-      RestClient.put(users_url(user_id), user_representation_body.to_json, headers)
+      RestClient::Request.execute(
+        @configuration.rest_client_options.merge(
+          method: :put,
+          url: users_url(user_id),
+          payload: user_representation_body.to_json,
+          headers: headers
+        )
+      )
     end
 
     def get(user_id)
@@ -31,8 +38,22 @@ module KeycloakAdmin
       UserRepresentation.from_hash(JSON.parse(response))
     end
 
+    ##
+    # Query can be a string or a hash.
+    # * String: It's used as search query
+    # * Hash: Used for complex search queries.
+    #   For its documentation see: https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_users_resource
+    ##
     def search(query)
-      derived_headers = query ? headers.merge({params: { search: query }}) : headers
+      derived_headers = case query
+                        when String
+                          headers.merge({params: { search: query }})
+                        when Hash
+                          headers.merge({params: query })
+                        else
+                          headers
+                        end
+
       response = execute_http do
         RestClient::Resource.new(users_url, @configuration.rest_client_options).get(derived_headers)
       end
@@ -59,22 +80,26 @@ module KeycloakAdmin
 
     def update_password(user_id, new_password)
       execute_http do
-        RestClient.put(reset_password_url(user_id), {
-          type: "password",
-          value: new_password,
-          temporary: false
-        }.to_json, headers)
+        RestClient::Request.execute(
+          @configuration.rest_client_options.merge(
+            method: :put,
+            url: reset_password_url(user_id),
+            payload: { type: 'password', value: new_password, temporary: false }.to_json,
+            headers: headers
+          )
+        )
       end
       user_id
     end
 
-    def forgot_password(user_id)
-      execute_actions_email(user_id, ["UPDATE_PASSWORD"])
+    def forgot_password(user_id, lifespan=nil)
+      execute_actions_email(user_id, ["UPDATE_PASSWORD"], lifespan)
     end
 
-    def execute_actions_email(user_id, actions=[])
+    def execute_actions_email(user_id, actions=[], lifespan=nil)
       execute_http do
-        RestClient.put(execute_actions_email_url(user_id), actions.to_json, headers)
+        lifespan_param = lifespan.nil? ? "" : "lifespan=#{lifespan.seconds}"
+        RestClient.put("#{execute_actions_email_url(user_id)}?#{lifespan_param}", actions.to_json, headers)
       end
       user_id
     end
@@ -82,7 +107,14 @@ module KeycloakAdmin
     def impersonate(user_id)
       impersonation = get_redirect_impersonation(user_id)
       response = execute_http do
-        RestClient.post(impersonation.impersonation_url, impersonation.body.to_json, impersonation.headers)
+        RestClient::Request.execute(
+          @configuration.rest_client_options.merge(
+            method: :post,
+            url: impersonation.impersonation_url,
+            payload: impersonation.body.to_json,
+            headers: impersonation.headers
+          )
+        )
       end
       ImpersonationRepresentation.from_response(response, @configuration.server_domain)
     end
@@ -98,7 +130,14 @@ module KeycloakAdmin
       fed_id_rep.identity_provider = idp_id
 
       execute_http do
-        RestClient.post(federated_identity_url(user_id, idp_id), fed_id_rep.to_json, headers)
+        RestClient::Request.execute(
+          @configuration.rest_client_options.merge(
+            method: :post,
+            url: federated_identity_url(user_id, idp_id),
+            payload: fed_id_rep.to_json,
+            headers: headers
+          )
+        )
       end
     end
 

data/lib/keycloak-admin/representation/user_representation.rb

@@ -10,8 +10,10 @@ module KeycloakAdmin
       :email_verified,
       :first_name,
       :last_name,
+      :totp,
       :credentials,
-      :federated_identities
+      :federated_identities,
+      :required_actions
 
     def self.from_hash(hash)
       user                      = new
@@ -25,6 +27,8 @@ module KeycloakAdmin
       user.first_name           = hash["firstName"]
       user.last_name            = hash["lastName"]
       user.attributes           = hash["attributes"]
+      user.required_actions     = hash["requiredActions"] || []
+      user.totp                 = hash["totp"] || false
       user.credentials          = hash["credentials"]&.map{ |hash| CredentialRepresentation.from_hash(hash) } || []
       user.federated_identities = hash["federatedIdentities"]&.map { |hash| FederatedIdentityRepresentation.from_hash(hash) } || []
       user

data/lib/keycloak-admin/version.rb

@@ -1,3 +1,3 @@
 module KeycloakAdmin
-  VERSION = "0.7.6"
+  VERSION = "1.0.0"
 end

data/spec/client/user_client_spec.rb

@@ -158,7 +158,7 @@ RSpec.describe KeycloakAdmin::TokenClient do
       @user_client = KeycloakAdmin.realm(realm_name).users
 
       stub_token_client
-      allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '{"username":"test_username","createdTimestamp":1559347200}'
+      allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '{"username":"test_username","createdTimestamp":1559347200, "requiredActions":["CONFIGURE_TOTP"], "totp": true}'
     end
 
     it "parses the response" do
@@ -175,6 +175,8 @@ RSpec.describe KeycloakAdmin::TokenClient do
 
       user = @user_client.get('test_user_id')
       expect(user.username).to eq 'test_username'
+      expect(user.totp).to be true
+      expect(user.required_actions).to eq ["CONFIGURE_TOTP"]
     end
   end
 
@@ -192,12 +194,24 @@ RSpec.describe KeycloakAdmin::TokenClient do
       allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"username":"test_username","createdTimestamp":1559347200}]'
     end
 
-    it "finds a user" do
+    it "finds a user using a string" do
       users = @user_client.search("test_username")
       expect(users.length).to eq 1
       expect(users[0].username).to eq "test_username"
     end
 
+    it "finds a user using nil does not fail" do
+      users = @user_client.search(nil)
+      expect(users.length).to eq 1
+      expect(users[0].username).to eq "test_username"
+    end
+
+    it "finds a user using a hash" do
+      users = @user_client.search({ search: "test_username"})
+      expect(users.length).to eq 1
+      expect(users[0].username).to eq "test_username"
+    end
+
     it "passes rest client options" do
       rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options

data/spec/representation/user_representation_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe KeycloakAdmin::UserRepresentation do
     end
 
     it "can convert to json" do
-      expect(@user.to_json).to eq '{"id":null,"createdTimestamp":1559836000,"origin":null,"username":"test_username","email":null,"enabled":true,"emailVerified":null,"firstName":null,"lastName":null,"attributes":null,"credentials":[],"federatedIdentities":[]}'
+      expect(@user.to_json).to eq '{"id":null,"createdTimestamp":1559836000,"origin":null,"username":"test_username","email":null,"enabled":true,"emailVerified":null,"firstName":null,"lastName":null,"attributes":null,"requiredActions":[],"totp":false,"credentials":[],"federatedIdentities":[]}'
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keycloak-admin
 version: !ruby/object:Gem::Version
-  version: 0.7.6
+  version: 1.0.0
 platform: ruby
 authors:
 - Lorent Lempereur
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-22 00:00:00.000000000 Z
+date: 2021-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: http-cookie