keycloak-admin 1.1.1 → 1.1.3

data/lib/keycloak-admin/client/client_authz_resource_client.rb

@@ -0,0 +1,93 @@
+module KeycloakAdmin
+  class ClientAuthzResourceClient < Client
+    def initialize(configuration, realm_client, client_id)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      @realm_client = realm_client
+      @client_id = client_id
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzResourceRepresentation.from_hash(role_as_hash) }
+    end
+
+    def get(resource_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id, resource_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzResourceRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def update(resource_id, client_authz_resource_representation)
+      raise "scope[:name] is mandatory and the only necessary attribute to add scope to resource" if client_authz_resource_representation[:scopes] && client_authz_resource_representation[:scopes].any?{|a| !a[:name]}
+
+      existing_resource = get(resource_id)
+      new_resource = build(
+        client_authz_resource_representation[:name] || existing_resource.name,
+        client_authz_resource_representation[:type] || existing_resource.type,
+        (client_authz_resource_representation[:uris] || [] ) + existing_resource.uris,
+        client_authz_resource_representation[:owner_managed_access] || existing_resource.owner_managed_access,
+        client_authz_resource_representation[:display_name] || existing_resource.display_name,
+        (client_authz_resource_representation[:scopes] || []) + existing_resource.scopes.map{|s| {name: s.name}},
+        client_authz_resource_representation[:attributes] || existing_resource.attributes
+      )
+
+      execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id, resource_id), @configuration.rest_client_options).put(new_resource.to_json, headers)
+      end
+      get(resource_id)
+    end
+
+    def create!(name, type, uris, owner_managed_access, display_name, scopes, attributes = {})
+      save(build(name, type, uris, owner_managed_access, display_name, scopes, attributes))
+    end
+
+    def find_by(name, type, uris, owner, scope)
+      response = execute_http do
+        url = "#{authz_resources_url(@client_id)}?name=#{name}&type=#{type}&uris=#{uris}&owner=#{owner}&scope=#{scope}&deep=true&first=0&max=100"
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzResourceRepresentation.from_hash(role_as_hash) }
+    end
+
+    def save(client_authz_resource_representation)
+      response = execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id), @configuration.rest_client_options).post(client_authz_resource_representation.to_json, headers)
+      end
+      ClientAuthzResourceRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def delete(resource_id)
+      execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id, resource_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def authz_resources_url(client_id, id = nil)
+      if id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource"
+      end
+    end
+
+    private
+
+    def build(name, type, uris, owner_managed_access, display_name, scopes, attributes={})
+      resource                      = ClientAuthzResourceRepresentation.new
+      resource.name                 = name
+      resource.type                 = type
+      resource.uris                 = uris
+      resource.owner_managed_access = owner_managed_access
+      resource.display_name         = display_name
+      resource.scopes               = scopes
+      resource.attributes           = attributes || {}
+      resource
+    end
+
+  end
+end

data/lib/keycloak-admin/client/client_authz_scope_client.rb

@@ -0,0 +1,71 @@
+module KeycloakAdmin
+  class ClientAuthzScopeClient < Client
+    def initialize(configuration, realm_client, client_id, resource_id = nil)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      @realm_client = realm_client
+      @client_id = client_id
+      @resource_id = resource_id
+    end
+
+    def create!(name, display_name, icon_uri)
+      response = save(build(name, display_name, icon_uri))
+      ClientAuthzScopeRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id, @resource_id), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzScopeRepresentation.from_hash(role_as_hash) }
+    end
+
+    def delete(scope_id)
+      execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id, nil, scope_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def get(scope_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id, nil, scope_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzScopeRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def search(name)
+      url = "#{authz_scopes_url(@client_id)}?first=0&max=11&deep=false&name=#{name}"
+      response = execute_http do
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzScopeRepresentation.from_hash(role_as_hash) }
+    end
+
+    def authz_scopes_url(client_id, resource_id = nil, id = nil)
+      if resource_id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource/#{resource_id}/scopes"
+      elsif id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/scope/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/scope"
+      end
+    end
+
+    def save(scope_representation)
+      execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id), @configuration.rest_client_options).post(
+          create_payload(scope_representation), headers
+        )
+      end
+    end
+
+    def build(name, display_name, icon_uri)
+      scope              = ClientAuthzScopeRepresentation.new
+      scope.name         = name
+      scope.icon_uri     = icon_uri
+      scope.display_name = display_name
+      scope
+    end
+  end
+end

data/lib/keycloak-admin/client/group_client.rb

@@ -6,6 +6,21 @@ module KeycloakAdmin
       @realm_client = realm_client
     end
 
+    def get(group_id)
+      response = execute_http do
+        RestClient::Resource.new(groups_url(group_id), @configuration.rest_client_options).get(headers)
+      end
+      GroupRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def children(parent_id)
+      response = execute_http do
+        url = "#{groups_url(parent_id)}/children"
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |group_as_hash| GroupRepresentation.from_hash(group_as_hash) }
+    end
+
     def list
       search(nil)
     end
@@ -25,29 +40,39 @@ module KeycloakAdmin
       JSON.parse(response).map { |group_as_hash| GroupRepresentation.from_hash(group_as_hash) }
     end
 
-    def create!(name, path = nil)
-      response = save(build(name, path))
+    def create!(name, path = nil, attributes = {})
+      response = save(build(name, path, attributes))
       created_id(response)
     end
 
     def save(group_representation)
       execute_http do
-        RestClient::Resource.new(groups_url, @configuration.rest_client_options).post(
-          create_payload(group_representation), headers
-        )
+        payload = create_payload(group_representation)
+        if group_representation.id
+          RestClient::Resource.new(groups_url(group_representation.id), @configuration.rest_client_options).put(payload, headers)
+        else
+          RestClient::Resource.new(groups_url, @configuration.rest_client_options).post(payload, headers)
+        end
       end
     end
 
-    def create_subgroup!(parent_id, name)
+    def create_subgroup!(parent_id, name, attributes = {})
       url = "#{groups_url(parent_id)}/children"
       response = execute_http do
         RestClient::Resource.new(url, @configuration.rest_client_options).post(
-          create_payload(build(name, nil)), headers
+          create_payload(build(name, nil, attributes)), headers
         )
       end
       created_id(response)
     end
-    
+
+    def delete(group_id)
+      execute_http do
+        RestClient::Resource.new(groups_url(group_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
     def members(group_id, first=0, max=100)
       url = "#{groups_url(group_id)}/members"
       query = {first: first.try(:to_i), max: max.try(:to_i)}.compact
@@ -93,11 +118,14 @@ module KeycloakAdmin
 
     private
 
-    def build(name, path)
-      group      = GroupRepresentation.new
-      group.name = name
-      group.path = path
-      group
+    def build(name, path, attributes)
+      GroupRepresentation.from_hash(
+        {
+          "name" => name,
+          "path" => path,
+          "attributes" => attributes
+        }
+      )
     end
   end
 end

data/lib/keycloak-admin/client/realm_client.rb

@@ -99,6 +99,22 @@ module KeycloakAdmin
       UserResource.new(@configuration, self, user_id)
     end
 
+    def authz_scopes(client_id, resource_id = nil)
+      ClientAuthzScopeClient.new(@configuration, self, client_id, resource_id)
+    end
+
+    def authz_resources(client_id)
+      ClientAuthzResourceClient.new(@configuration, self, client_id)
+    end
+
+    def authz_permissions(client_id, type, resource_id = nil)
+      ClientAuthzPermissionClient.new(@configuration, self, client_id, type, resource_id)
+    end
+
+    def authz_policies(client_id, type)
+      ClientAuthzPolicyClient.new(@configuration, self, client_id, type)
+    end
+
     def name_defined?
       !@realm_name.nil?
     end

data/lib/keycloak-admin/client/role_client.rb

@@ -35,23 +35,25 @@ module KeycloakAdmin
 
     def save(role_representation)
       execute_http do
-        RestClient::Resource.new(roles_url, @configuration.rest_client_options).post(
-          create_payload(role_representation), headers
-        )
+        payload = create_payload(role_representation)
+        if role_representation.id
+          RestClient::Resource.new(role_id_url(role_representation.id), @configuration.rest_client_options).put(payload, headers)
+        else
+          RestClient::Resource.new(roles_url, @configuration.rest_client_options).post(payload, headers)
+        end
       end
     end
 
-    def roles_url(id=nil)
-      if id
-        "#{@realm_client.realm_admin_url}/roles/#{id}"
-      else
-        "#{@realm_client.realm_admin_url}/roles"
-      end
+    def roles_url
+      "#{@realm_client.realm_admin_url}/roles"
+    end
+
+    def role_id_url(id)
+      "#{@realm_client.realm_admin_url}/roles-by-id/#{id}"
     end
     
     def role_name_url(name)
       "#{@realm_client.realm_admin_url}/roles/#{name}"
     end
-    
   end
 end

data/lib/keycloak-admin/client/user_client.rb

@@ -20,6 +20,7 @@ module KeycloakAdmin
       user_representation
     end
 
+    # pay attention that, since Keycloak 24.0.4, partial updates of attributes are not authorized anymore
     def update(user_id, user_representation_body)
       raise ArgumentError.new("user_id must be defined") if user_id.nil?
       RestClient::Request.execute(

data/lib/keycloak-admin/representation/client_authz_permission_representation.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+
+## ### {"resources":["4f55e984-d1ec-405c-a25c-1387f88acd5c"],"policies":["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"],"name":"delme policy","description":"delme polidy ","decisionStrategy":"UNANIMOUS","resourceType":""}
+#
+module KeycloakAdmin
+  class ClientAuthzPermissionRepresentation < Representation
+    attr_accessor :id,
+                  :name,
+                  :description,
+                  :decision_strategy,
+                  :resource_type,
+                  :resources,
+                  :policies,
+                  :scopes,
+                  :logic,
+                  :type
+
+    def self.from_hash(hash)
+      resource                   = new
+      resource.id                = hash["id"]
+      resource.name              = hash["name"]
+      resource.description       = hash["description"]
+      resource.decision_strategy = hash["decisionStrategy"]
+      resource.resource_type     = hash["resourceType"]
+      resource.resources         = hash["resources"]
+      resource.policies          = hash["policies"]
+      resource.scopes            = hash["scopes"]
+      resource.logic             = hash["logic"]
+      resource.type              = hash["type"]
+      resource
+    end
+  end
+end

data/lib/keycloak-admin/representation/client_authz_policy_config_representation.rb

@@ -0,0 +1,15 @@
+module KeycloakAdmin
+  class ClientAuthzPolicyConfigRepresentation < Representation
+    attr_accessor :roles,
+                  :code
+
+    def self.from_hash(hash)
+      resource                      = new
+      resource.code                 = hash["code"]
+      resource.roles               = JSON.parse(hash["roles"] || '[]').map do |str|
+        RoleRepresentation.from_hash(str)
+      end
+      resource
+    end
+  end
+end

data/lib/keycloak-admin/representation/client_authz_policy_representation.rb

@@ -0,0 +1,27 @@
+module KeycloakAdmin
+  class ClientAuthzPolicyRepresentation < Representation
+    attr_accessor :id,
+                  :name,
+                  :description,
+                  :type,
+                  :logic,
+                  :decision_strategy,
+                  :config,
+                  :fetch_roles,
+                  :roles
+
+    def self.from_hash(hash)
+      resource                      = new
+      resource.id                   = hash["id"]
+      resource.name                 = hash["name"]
+      resource.description          = hash["description"]
+      resource.type                 = hash["type"]
+      resource.logic                = hash["logic"]
+      resource.decision_strategy    = hash["decisionStrategy"]
+      resource.roles                = hash["roles"]
+      resource.fetch_roles          = hash["fetchRoles"]
+      resource.config               = ClientAuthzPolicyConfigRepresentation.from_hash((hash["config"] || {}))
+      resource
+    end
+  end
+end

data/lib/keycloak-admin/representation/client_authz_resource_representation.rb

@@ -0,0 +1,26 @@
+module KeycloakAdmin
+
+  class ClientAuthzResourceRepresentation < Representation
+    attr_accessor :id,
+                  :name,
+                  :type,
+                  :uris,
+                  :owner_managed_access,
+                  :display_name,
+                  :attributes,
+                  :scopes
+
+    def self.from_hash(hash)
+      resource                      = new
+      resource.id                   = hash["_id"]
+      resource.type                 = hash["type"]
+      resource.name                 = hash["name"]
+      resource.owner_managed_access = hash["ownerManagedAccess"]
+      resource.uris                 = hash["uris"]
+      resource.display_name         = hash["displayName"]
+      resource.attributes           = hash.fetch("attributes", {}).map { |k, v| [k.to_sym, Array(v)] }.to_h
+      resource.scopes               = (hash["scopes"] || []).map { |scope_hash| ClientAuthzScopeRepresentation.from_hash(scope_hash) }
+      resource
+    end
+  end
+end

data/lib/keycloak-admin/representation/client_authz_scope_representation.rb

@@ -0,0 +1,17 @@
+module KeycloakAdmin
+  class ClientAuthzScopeRepresentation < Representation
+    attr_accessor :id,
+                  :name,
+                  :icon_uri,
+                  :display_name
+
+    def self.from_hash(hash)
+      scope                                      = new
+      scope.id                                   = hash["id"]
+      scope.name                                 = hash["name"]
+      scope.icon_uri                             = hash["iconUri"]
+      scope.display_name                         = hash["displayName"]
+      scope
+    end
+  end
+end

data/lib/keycloak-admin/representation/group_representation.rb

@@ -3,14 +3,18 @@ module KeycloakAdmin
     attr_accessor :id,
       :name,
       :path,
+      :attributes,
+      :sub_group_count,
       :sub_groups
 
     def self.from_hash(hash)
-      group            = new
-      group.id         = hash["id"]
-      group.name       = hash["name"]
-      group.path       = hash["path"]
-      group.sub_groups = hash.fetch("subGroups", []).map { |sub_group_hash| self.from_hash(sub_group_hash) }
+      group                 = new
+      group.id              = hash["id"]
+      group.name            = hash["name"]
+      group.path            = hash["path"]
+      group.attributes      = hash.fetch("attributes", {}).map { |k, v| [k.to_sym, Array(v)] }.to_h
+      group.sub_group_count = hash["subGroupCount"]
+      group.sub_groups      = hash.fetch("subGroups", []).map { |sub_group_hash| self.from_hash(sub_group_hash) }
       group
     end
   end

data/lib/keycloak-admin/version.rb

@@ -1,3 +1,3 @@
 module KeycloakAdmin
-  VERSION = "1.1.1"
+  VERSION = "1.1.3"
 end

data/lib/keycloak-admin.rb

@@ -14,6 +14,10 @@ require_relative "keycloak-admin/client/user_client"
 require_relative "keycloak-admin/client/identity_provider_client"
 require_relative "keycloak-admin/client/configurable_token_client"
 require_relative "keycloak-admin/client/attack_detection_client"
+require_relative "keycloak-admin/client/client_authz_scope_client"
+require_relative "keycloak-admin/client/client_authz_resource_client"
+require_relative "keycloak-admin/client/client_authz_policy_client"
+require_relative "keycloak-admin/client/client_authz_permission_client"
 require_relative "keycloak-admin/representation/camel_json"
 require_relative "keycloak-admin/representation/representation"
 require_relative "keycloak-admin/representation/protocol_mapper_representation"
@@ -31,6 +35,11 @@ require_relative "keycloak-admin/representation/identity_provider_mapper_represe
 require_relative "keycloak-admin/representation/identity_provider_representation"
 require_relative "keycloak-admin/representation/attack_detection_representation"
 require_relative "keycloak-admin/representation/session_representation"
+require_relative "keycloak-admin/representation/client_authz_scope_representation"
+require_relative "keycloak-admin/representation/client_authz_resource_representation"
+require_relative "keycloak-admin/representation/client_authz_policy_representation"
+require_relative "keycloak-admin/representation/client_authz_policy_config_representation"
+require_relative "keycloak-admin/representation/client_authz_permission_representation"
 require_relative "keycloak-admin/resource/base_role_containing_resource"
 require_relative "keycloak-admin/resource/group_resource"
 require_relative "keycloak-admin/resource/user_resource"