keycloak-admin 1.1.2 → 1.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 75a9e29c443612983e789a4d2d38d050908a0239fd4b74bca5f5d722234ef940
-  data.tar.gz: e0bf740884bb1da5bf3c63032f6349e46f98ce56f1b06f0ae62dcb96eb324bb7
+  metadata.gz: be47369f8365b8b32ff4ca3b09ebad45f5037212eca3022524b10ba17b0f64d6
+  data.tar.gz: 36a340f437ecb97ce5c415e752d5e1159ebbc5911d454f643985de541c6deaf3
 SHA512:
-  metadata.gz: 1cc1adf071a240af23ace33f0f48d3b4c9cee0868dc4e50acab30d900bc0575fd4784bd725869dff58e79c053e4b6505376569855fbdb647bf929b8d82190277
-  data.tar.gz: e34ae74e3096db9fa6ac6c92370eed71e23e25a4d896a98eed1afb68cfeb422d66ad99eb5d4a02460bd7fa3a6b57b2c6b351bfb42d4adb7fcdab70fc838f4825
+  metadata.gz: 6bd85e4709a0044168b7c3b3e9e2d89b1fab559070d4a318d65283db2046716439c4d1d0a534ba3cc9b1cbc89771626945877a76723bd03cc5f0e6dbebe6b266
+  data.tar.gz: e4b2286bac6d7e11192a1f3b6a569170849275bd3fa91aa104cdf521139a691396c8681a4152b5611e6a28e6c1457f60329b39ebca44cc4eb328f9ade9f7f605

data/.github/workflows/Dockerfile

@@ -0,0 +1,24 @@
+### Dockerfile for: tillawy/keycloak-github-actions
+##
+## To build & push
+# docker buildx build . --platform linux/amd64 -t tillawy/keycloak-github-actions:25.0.1
+# docker push tillawy/keycloak-github-actions:25.0.1
+#
+## To Run Locally
+# docker run \
+#        --rm \
+#        -p 8080:8080 \
+#        -e KEYCLOAK_ADMIN="admin" \
+#        -e KEYCLOAK_ADMIN_PASSWORD="admin" \
+#        -e KC_HOSTNAME="http://localhost:8080" \
+#        -e KC_HOSTNAME_ADMIN="http://localhost:8080" \
+#        -e KC_HTTP_ENABLED="true" \
+#        -e KC_DB="dev-file" \
+#        tillawy/keycloak-github-actions:25.0.1
+
+FROM quay.io/keycloak/keycloak:25.0.1
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+
+CMD ["start-dev", "--hostname=http://localhost:8080" , "--hostname-admin=http://localhost:8080" , "--http-enabled=true", "--verbose"]
+

data/.github/workflows/ci.yml

@@ -0,0 +1,83 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    services:
+      keycloak:
+        image: tillawy/keycloak-github-actions:25.0.1
+        ports:
+          - 8080:8080
+        options: '--health-cmd "exec 3<>/dev/tcp/localhost/8080" --health-interval 5s --health-timeout 5s --health-retries 10 --health-start-period 100s'
+        env:
+          KEYCLOAK_ADMIN: "admin"
+          KEYCLOAK_ADMIN_PASSWORD: "admin"
+          KC_HOSTNAME: "http://localhost:8080"
+          KC_HOSTNAME_ADMIN: "http://localhost:8080"
+          KC_HTTP_ENABLED: "true"
+          KC_DB: "dev-file"
+
+    strategy:
+      matrix:
+        ruby-version: ['3.2']
+
+    steps:
+    - name: create realm
+      run: |
+         TOKEN=$(curl --silent --location --request POST "http://localhost:8080/realms/master/protocol/openid-connect/token" \
+            --header 'Content-Type: application/x-www-form-urlencoded' \
+            --data-urlencode 'grant_type=password' \
+            --data-urlencode 'username=admin' \
+            --data-urlencode 'password=admin' \
+            --data-urlencode 'client_id=admin-cli' | jq -r '.access_token')
+          
+         curl --silent --show-error -L -X POST "http://localhost:8080/admin/realms" \
+            --header "Content-Type: application/json" \
+            --header "Authorization: Bearer ${TOKEN}" \
+            --data '{"realm":"dummy","enabled":true}'
+        
+         curl --silent --show-error --request POST 'http://localhost:8080/admin/realms/dummy/clients' \
+           --header 'Authorization: Bearer '$TOKEN \
+           --header 'Content-Type: application/json' \
+           --data-raw '{
+             "clientId":"dummy-client",
+             "enabled":true,
+             "consentRequired": false,
+             "attributes":{},
+             "serviceAccountsEnabled": true,
+             "protocol":"openid-connect",
+             "publicClient":false,
+             "authorizationServicesEnabled": true,
+             "clientAuthenticatorType":"client-secret",
+             "redirectUris":["http://localhost:8180/demo"]
+           }'
+
+    - uses: actions/checkout@v4
+    - name: Set up Ruby
+    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+    # change this to (see https://github.com/ruby/setup-ruby#versioning):
+    # uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rspec
+      env:
+        GITHUB_ACTIONS: true

data/CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.3] - 2024-07-12
+
+* Client Authorization management support (thanks to @tillawy)
+* GitHub-actions setup to execute `rspec` (thanks to @tillawy)
+
 ## [1.1.2] - 2024-05-22
 
 * Add group endpoints (get, children, delete), support for group attributes (thanks to @mkrawc)

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    keycloak-admin (1.1.2)
+    keycloak-admin (1.1.3)
       http-cookie (~> 1.0, >= 1.0.3)
       rest-client (~> 2.0)
 
@@ -12,11 +12,11 @@ GEM
     diff-lcs (1.5.1)
     domain_name (0.6.20240107)
     http-accept (1.7.0)
-    http-cookie (1.0.5)
+    http-cookie (1.0.6)
       domain_name (~> 0.5)
     mime-types (3.5.2)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.0507)
+    mime-types-data (3.2024.0702)
     netrc (0.11.0)
     rest-client (2.1.0)
       http-accept (>= 1.7.0, < 2.0)

data/README.md

@@ -12,7 +12,7 @@ This gem *does not* require Rails.
 For example, using `bundle`, add this line to your Gemfile.
 
 ```ruby
-gem "keycloak-admin", "1.1.2"
+gem "keycloak-admin", "1.1.3"
 ```
 
 ## Login
@@ -133,6 +133,7 @@ All options have a default value. However, all of them can be changed in your in
 * Link/Unlink users to federated identity provider brokers
 * Execute actions emails
 * Send forgot passsword mail
+* Client Authorization, create, update, get, delete Resource, Scope, Policy, Permission, Policy Enforcer
 
 ### Get an access token
 
@@ -472,6 +473,271 @@ Returns an array of `KeycloakAdmin::IdentityProviderRepresentation`.
 KeycloakAdmin.realm("a_realm").identity_providers.list
 ```
 
+### Manage [Client Authorization Resources & Scopes](https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_overview)
+
+In order to use authorization, you need to enable the client's `authorization_services_enabled` attribute.
+
+```ruby
+client_id = "dummy-client"
+client = KeycloakAdmin.realm("realm_a").clients.find_by_client_id(client_id)
+client.authorization_services_enabled = true
+KeycloakAdmin.realm("a_realm").clients.update(client)
+```
+
+### Create a scope
+
+Returns added `KeycloakAdmin::ClientAuthzScopeRepresentation`
+
+```ruby
+KeycloakAdmin.realm("a_realm").authz_scopes(client_id).create!("POST_1", "POST 1 scope description", "http://icon.url")
+````
+
+### Search for scope
+
+Returns array of `KeycloakAdmin::ClientAuthzScopeRepresentation`
+
+```ruby
+KeycloakAdmin.realm("a_realm").authz_scopes(client.id).search("POST")
+```
+
+### Get one scope by its id
+
+Returns `KeycloakAdmin::ClientAuthzScopeRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("a_realm").authz_scopes(client.id).get(scope_id)
+```
+
+### Delete one scope
+
+```ruby
+KeycloakAdmin.realm("a_realm").authz_scopes(client.id).delete(scope.id)
+```
+
+### Create a client authorization resource
+
+note: for scopes, use {name: scope.name} to reference the scope object
+
+Returns added `KeycloakAdmin::ClientAuthzResourceRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("realm_id")
+        .authz_resources(client.id)
+        .create!(
+                "Dummy Resource", 
+                "type", 
+                ["/resource_1/*", "/resource_1/"], 
+                true, 
+                "display_name", 
+                [ {name: scope_1.name} ], 
+                {"attribute": ["value_1", "value_2"]}
+        )
+```
+
+### Update a client authorization resource
+
+Returns updated `KeycloakAdmin::ClientAuthzResourceRepresentation`
+
+note: for scopes, use {name: scope.name} to reference the scope object
+
+```ruby 
+KeycloakAdmin.realm("realm_a")
+        .authz_resources(client.id)
+        .update(resource.id,
+                       {
+                         "name": "Dummy Resource",
+                         "type": "type",
+                         "owner_managed_access": true,
+                         "display_name": "display_name",
+                         "attributes": {"a":["b","c"]},
+                         "uris": [ "/resource_1/*" , "/resource_1/" ],
+                         "scopes":[
+                           {name: scope_1.name},
+                           {name: scope_2.name}
+                         ],
+                         "icon_uri": "https://icon.url"
+                       })
+```
+
+### Find client authorization resources by (name, type, uri, owner, scope)
+
+Returns array of `KeycloakAdmin::ClientAuthzResourceRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_resources(client.id).find_by("Dummy Resource", "", "", "", "")
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_resources(client.id).find_by("", "type", "", "", "")
+```
+
+### Get client authorization resource by its id
+
+Returns `KeycloakAdmin::ClientAuthzResourceRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_resources(client.id).get(resource.id)
+```
+
+### delete a client authorization resource
+
+```ruby
+KeycloakAdmin.realm("realm_a").authz_resources(client.id).delete(resource.id)
+```
+
+### Create a client authorization policy
+
+Note: for the moment only `role` policies are supported.
+
+Returns added `KeycloakAdmin::ClientAuthzPolicyRepresentation`
+
+```ruby 
+ KeycloakAdmin.realm("realm_a")
+        .authz_policies(client.id, 'role')
+        .create!("Policy 1", 
+                 "description", 
+                 "role", 
+                 "POSITIVE", 
+                 "UNANIMOUS", 
+                 true, 
+                 [{id: realm_role.id, required: true}]
+        )
+```
+
+### Find client authorization policies by (name, type)
+
+Returns array of `KeycloakAdmin::ClientAuthzPolicyRepresentation`
+
+```ruby
+KeycloakAdmin.realm("realm_a").authz_policies(client.id, 'role').find_by("Policy 1", "role") 
+```
+
+### Get client authorization policy by its id
+
+Returns `KeycloakAdmin::ClientAuthzPolicyRepresentation`
+
+```ruby
+KeycloakAdmin.realm("realm_a").authz_policies(client.id, 'role').get(policy.id) 
+```
+
+### Delete a client authorization policy
+
+```ruby
+KeycloakAdmin.realm("realm_a").authz_policies(client.id, 'role').delete(policy.id)
+```
+
+### Create a client authorization permission (Resource type)
+
+Returns added `KeycloakAdmin::ClientAuthzPermissionRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("realm_a")
+        .authz_permissions(client.id, :resource)
+        .create!("Dummy Resource Permission", 
+                 "resource description", 
+                 "UNANIMOUS", 
+                 "POSITIVE",
+                 [resource.id], 
+                 [policy.id],
+                 nil, 
+                 ""
+        )
+```
+
+### Create a client authorization permission (Scope type)
+
+Returns added `KeycloakAdmin::ClientAuthzPermissionRepresentation`
+
+```ruby
+KeycloakAdmin.realm("realm_a")
+        .authz_permissions(client.id, :scope)
+        .create!("Dummy Scope Permission", 
+                 "scope description", 
+                 "UNANIMOUS", 
+                 "POSITIVE", 
+                 [resource.id], 
+                 [policy.id], 
+                 [scope_1.id, scope_2.id], 
+                 ""
+        ) 
+```
+
+### List a resource authorization permissions (all: scope or resource)
+
+Return array of `KeycloakAdmin::ClientAuthzPermissionRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "", resource.id).list
+```
+
+### List a resource authorization permissions (by type: resource)
+
+Return array of `KeycloakAdmin::ClientAuthzPermissionRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, 'resource').list
+```
+### List a resource authorization permissions (by type: scope)
+
+Return array of `KeycloakAdmin::ClientAuthzPermissionRepresentation`
+
+```ruby 
+authz_permissions(client.id, 'scope').list.size
+```
+
+### Find client authorization permissions by (name, type, scope)
+
+Return array of `KeycloakAdmin::ClientAuthzPermissionRepresentation`
+
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "resource").find_by(resource_permission.name, nil)
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "resource").find_by(resource_permission.name, nil)
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "resource").find_by(resource_permission.name, resource.id)
+
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id)
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id, "POST_1")
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "resource").find_by(nil, resource.id)
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "scope").find_by(nil, resource.id)
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "scope").find_by(nil, resource.id, "POST_1")
+```
+or
+```ruby 
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, "scope").find_by(scope_permission.name, nil)
+```
+
+### Delete a client authorization permission, scope type
+
+```ruby
+KeycloakAdmin.realm("realm_a").authz_permissions(client.id, 'scope').delete(scope.id)
+```
+
+### Delete a client authorization permission, resource type
+
+```ruby
+ KeycloakAdmin.realm("realm_a").authz_permissions(client.id, 'resource').delete(resource_permission.id)
+```
+
 ## How to execute library tests
 
 From the `keycloak-admin-api` directory:

data/lib/keycloak-admin/client/client_authz_permission_client.rb

@@ -0,0 +1,81 @@
+module KeycloakAdmin
+  class ClientAuthzPermissionClient < Client
+    def initialize(configuration, realm_client, client_id, type, resource_id = nil)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      raise ArgumentError.new("bad permission type") if !resource_id && !%i[resource scope].include?(type.to_sym)
+
+      @realm_client = realm_client
+      @client_id = client_id
+      @type = type
+      @resource_id = resource_id
+    end
+
+    def delete(permission_id)
+      execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, nil, nil, permission_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def find_by(name, resource, scope = nil)
+      response = execute_http do
+        url = "#{authz_permission_url(@client_id)}?name=#{name}&resource=#{resource}&type=#{@type}&scope=#{scope}&deep=true&first=0&max=100"
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPermissionRepresentation.from_hash(role_as_hash) }
+    end
+
+    def create!(name, description, decision_strategy,logic = "POSITIVE", resources = [], policies = [], scopes = [], resource_type = nil)
+      response = save(build(name, description, decision_strategy, logic, resources, policies, scopes, resource_type))
+      ClientAuthzPermissionRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def save(permission_representation)
+      execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, nil, permission_representation.type), @configuration.rest_client_options).post(
+          create_payload(permission_representation), headers
+        )
+      end
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, @resource_id), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPermissionRepresentation.from_hash(role_as_hash) }
+    end
+
+    def get(permission_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, nil, @type, permission_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzPermissionRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def authz_permission_url(client_id, resource_id = nil, type = nil, id = nil)
+      if resource_id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource/#{resource_id}/permissions"
+      elsif id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/permission/#{type}/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/permission/#{type}"
+      end
+    end
+
+    def build(name, description, decision_strategy, logic, resources, policies, scopes, resource_type)
+      policy                   = ClientAuthzPermissionRepresentation.new
+      policy.name              = name
+      policy.description       = description
+      policy.type              = @type
+      policy.decision_strategy = decision_strategy
+      policy.resource_type     = resource_type
+      policy.resources         = resources
+      policy.policies          = policies
+      policy.scopes            = scopes
+      policy.logic             = logic
+      policy
+    end
+
+  end
+end

data/lib/keycloak-admin/client/client_authz_policy_client.rb

@@ -0,0 +1,76 @@
+module KeycloakAdmin
+  class ClientAuthzPolicyClient < Client
+    def initialize(configuration, realm_client, client_id, type)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      raise ArgumentError.new("type must be defined") unless type
+      raise ArgumentError.new("only 'role' policies supported") unless type.to_sym == :role
+
+      @realm_client = realm_client
+      @client_id = client_id
+      @type = type
+    end
+
+    def create!(name, description, type, logic, decision_strategy, fetch_roles, roles)
+      response = save(build(name, description, type, logic, decision_strategy, fetch_roles, roles))
+      ClientAuthzPolicyRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def save(policy_representation)
+      execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type), @configuration.rest_client_options).post(
+          create_payload(policy_representation), headers
+        )
+      end
+    end
+
+    def get(policy_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type, policy_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzPolicyRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def find_by(name, type)
+      response = execute_http do
+        url = "#{authz_policy_url(@client_id, @type)}?permission=false&name=#{name}&type=#{type}&first=0&max=11"
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPolicyRepresentation.from_hash(role_as_hash) }
+    end
+
+    def delete(policy_id)
+      execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type, policy_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPolicyRepresentation.from_hash(role_as_hash) }
+    end
+
+    def authz_policy_url(client_id, type, id = nil)
+      if id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/policy/#{type}/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/policy/#{type}?permission=false"
+      end
+    end
+
+    def build(name, description, type, logic, decision_strategy, fetch_roles, roles=[])
+      policy                   = ClientAuthzPolicyRepresentation.new
+      policy.name              = name
+      policy.description       = description
+      policy.type              = type
+      policy.logic             = logic
+      policy.decision_strategy = decision_strategy
+      policy.fetch_roles       = fetch_roles
+      policy.roles             = roles
+      policy
+    end
+  end
+end