def before_request():
if oidc.user_loggedin:
g.user = oidc.user_getfield('name')
g.role = "employee"
email = oidc.user_getfield('email')
groups = oidc.user_getfield('groups')
print('groups : ', app_config['KEYCLOAK_URL'])
keycloak_admin = KeycloakAdmin(server_url=app_config['KEYCLOAK_URL'],
username=app_config['USERNAME'],
password=app_config['PASSWORD'],
realm_name=app_config['REALM_NAME'],
verify=True)
users = keycloak_admin.get_users({})
#print(users)
for user in users:
print(user)
if (email.strip().lower() == user['email'].strip().lower()):
print(user['attributes']['emp_id'])
print(user['attributes']['role'][0])
g.role = user['attributes']['role'][0]
g.empId = user['attributes']['emp_id'][0]
else:
g.user = None
def _authentificate(self):
self.keycloak_admin = KeycloakAdmin(server_url=self.base_url,
username=self.username,
password=self.password,
verify=True)
self.keycloak_admin.realm_name = self.realm
def create_department_group(keycloak_admin: keycloak.KeycloakAdmin, department: Department, parent_id=None, path="/"):
with start_action(action_type="create_department_group", department=department.internal_name, path=path):
# Create or update group
keycloak_admin.create_group({"name": department.internal_name, "attributes": {"display_name": [department.name]}},
parent=parent_id, skip_exists=True)
# Extend path
path += department.internal_name
# Get group id
try:
created_group = keycloak_admin.get_group_by_path(path, search_in_subgroups=True)
except keycloak.KeycloakGetError as e:
log_message(message_type="get_group_failed", exception=e)
return
# Add slash to group path
path += "/"
# Create groups for sub departments
subgroup_names = []
for sub_department in department.children:
create_department_group(keycloak_admin, sub_department, parent_id=created_group["id"], path=path)
subgroup_names.append(sub_department.internal_name)
# Delete old subgroups
for old_group in created_group["subGroups"]:
if old_group["name"] not in subgroup_names:
keycloak_admin.delete_group(old_group["id"])
def create_emp_keycloak(employee):
headers = {'Content-type': 'application/json'}
print('config : ', app_config['CLIENT_SECRET'])
keycloak_admin = KeycloakAdmin(server_url=app_config['KEYCLOAK_URL'],
username=app_config['USERNAME'],
password=app_config['PASSWORD'],
realm_name=app_config['REALM_NAME'],
verify=True)
users = keycloak_admin.get_users({})
print(users[0]['attributes']['emp_id'])
# attrs = user_attributes(app_config['KEYCLOAK_URL'], app_config['REALM_NAME'], app_config['KEYCLOAK_URL'], token, "Jeyasri")
# print(attrs)
new_user = keycloak_admin.create_user({
"email":
employee[3],
"username":
employee[1],
"enabled":
True,
"firstName":
employee[1],
"lastName":
employee[2],
"credentials": [{
"value": "welcome123",
"type": "password",
}],
"attributes": {
"emp_id": employee[0]
}
})
def init():
keycloack = KeycloakAdmin(server_url='http://localhost:8080/auth/',
username='******',
password='******',
realm_name='master',
verify=True)
keycloack.realm_name = 'n5geh_devices'
keycloack.create_user({
"username":
'******',
"credentials": [{
"value": "password",
"type": "password",
}],
"enabled":
True,
"firstName":
'Device',
"lastName":
'Wizard'
})
user_id = keycloack.get_user_id("device_wizard")
client_id = keycloack.get_client_id("realm-management")
role = keycloack.get_client_role(client_id=client_id,
role_name="manage-users")
keycloack.assign_client_role(client_id=client_id,
user_id=user_id,
roles=[role])
def __init__(self):
keycloak_admin = KeycloakAdmin(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')),
username = os.getenv('KEYCLOAK_ADMIN_USER'),
password = os.getenv('KEYCLOAK_ADMIN_PASSWORD'),
realm_name = "master",
verify = True)
keycloak_admin.realm_name = os.getenv('CLIENT_RELM_NAME')
return keycloak_admin
def get_keycload_admin(self, realm=None):
ka = KeycloakAdmin(server_url=f"{self.kc_api}/auth/",
username=self.kc_admin,
password=self.kc_admin_pw,
realm_name=self.kc_realm,
verify=True)
ka.realm_name = self.user_realm
return ka
def create_client_and_get_client_secret():
# Create kong client on Keycloak
keycloak_admin = KeycloakAdmin(server_url=KEYCLOAK_URL,
username=KEYCLOAK_ADMIN_USER,
password=KEYCLOAK_ADMIN_PASSWORD,
verify=True)
try:
keycloak_admin.create_client({
"clientId":
CLIENT_NAME,
"name":
CLIENT_NAME,
"enabled":
True,
"redirectUris": ["/front/*", "/api/*", "/*", "*"],
})
client_uuid = keycloak_admin.get_client_id(CLIENT_NAME)
keycloak_admin.generate_client_secrets(client_uuid)
except KeycloakGetError as e:
if e.response_code == 409:
print("Keycloak Kong client already exists")
client_uuid = keycloak_admin.get_client_id(CLIENT_NAME)
return keycloak_admin.get_client_secrets(client_uuid)['value']
def get(self, request, *args, **kwargs):
keycloak_admin = KeycloakAdmin(
server_url=admin_config['KEYCLOAK_SERVER_URL'],
username=admin_config['KEYCLOAK_USERNAME'],
password=admin_config['KEYCLOAK_PASSWORD'],
realm_name=admin_config['KEYCLOAK_REALM'],
verify=True)
try:
applications = keycloak_admin.get_clients()
return response.Response(applications, status=status.HTTP_200_OK)
except KeycloakError as e:
print(e.__class__)
return keycloak_error_response(e)
def _get_service_oidc_payload(service_name, realm):
client_id = KEYCLOAK_KONG_CLIENT
client_secret = None
# must be the public url
KEYCLOAK_URL = f'{HOST}/keycloak/auth/realms'
OPENID_PATH = 'protocol/openid-connect'
try:
# https://bitbucket.org/agriness/python-keycloak
# find out client secret
# 1. connect to master realm
keycloak_admin = KeycloakAdmin(
server_url=KC_URL,
username=KC_ADMIN_USER,
password=KC_ADMIN_PASSWORD,
realm_name=KC_MASTER_REALM,
)
# 2. change to given realm
keycloak_admin.realm_name = realm
# 3. get kong client internal id
client_pk = keycloak_admin.get_client_id(client_id)
# 4. get its secrets
secret = keycloak_admin.get_client_secrets(client_pk)
client_secret = secret.get('value')
except KeycloakError as ke:
raise RuntimeError(f'Could not get info from keycloak {str(ke)}')
except Exception as e:
raise RuntimeError(
f'Unexpected error, do the realm and the client exist? {str(e)}')
# OIDC plugin settings (same for all endpoints)
return {
'name': KONG_OIDC_PLUGIN,
'config.client_id': client_id,
'config.client_secret': client_secret,
'config.cookie_domain': DOMAIN,
'config.email_key': 'email',
'config.scope': 'openid+profile+email+iss',
'config.user_info_cache_enabled': 'true',
'config.app_login_redirect_url': f'{HOST}/{realm}/{service_name}/',
'config.authorize_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/auth',
'config.service_logout_url':
f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/logout',
'config.token_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/token',
'config.user_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/userinfo',
}
def send(self, user_id_keycloak):
""" Ponovo posalji email verifikaciju.
user_id_keycloak -> send_verify_email
send_verify_email : realm_name -> izvrsna komanda slanje verifikacije
"""
keycloak_admin = KeycloakAdmin(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')),
username = os.getenv('KEYCLOAK_ADMIN_USER'),
password = os.getenv('KEYCLOAK_ADMIN_PASSWORD'),
realm_name = "master",
verify = True)
keycloak_admin.realm_name = os.getenv('CLIENT_RELM_NAME')
# user_id_keycloak dobijamo iz prethodne funkcije koju saljemo iz main fajla
keycloak_admin.send_verify_email(user_id=user_id_keycloak)
def __init__(self):
self.ClientId = "admin-cli"
self.Realm = "zdr"
self.Username = "******"
self.Password = "******"
self.FQDN = "auth.mydomain.dev"
self.keycloak_admin = KeycloakAdmin(server_url="https://" + self.FQDN +
"/auth/",
username=self.Username,
password=self.Password,
realm_name=self.Realm,
verify=True)
self.keycloak_users = self.keycloak_admin.get_users({})
self.client_id = self.keycloak_admin.get_client_id("crm")
def get_kc_cookies(username):
"""
Login as Keycloak Admin and Impersonate User
Keyword arguments:
username -- Username of account to generate secret for
"""
admin = KeycloakAdmin(
server_url="https://sso.csh.rit.edu/auth/",
username=app.config["KC_ADMIN_USER"],
password=app.config["KC_ADMIN_PW"],
realm_name="master",
verify=True,
)
conn = admin.connection
user = conn.raw_get(
"admin/realms/csh/users?first=0&max=20&search={}@csh.rit.edu".format(
username))
user_id = json.loads(user.text)[0]["id"]
imp = conn.raw_post(
"admin/realms/csh/users/{}/impersonation".format(user_id),
data=json.dumps({
"user": user_id,
"realm": "csh"
}),
)
return imp.cookies
def main():
args = args_parse()
ssl_verify = True
if args.disable_ssl_verify:
ssl_verify = False
server_url = args.server_url + '/auth/' # Full url to access api
fp = open(args.input_yaml, 'rt')
values = yaml.load(fp, Loader=yaml.FullLoader)
try:
session = KeycloakAdmin(server_url=server_url,
username=args.admin_user,
password=args.admin_password,
realm_name='master',
verify=ssl_verify)
for realm in values:
users = values[realm]['users']
for user in users:
password = user['password']
if is_password_empty(password):
password = generate_random_password(10)
r = create_user(session, realm, user['username'], user['email'], user['firstName'], user['lastName'],
password, user['temporary'])
print('*** User: %s, password: %s' % (user['username'], password))
# Assign role
assign_user_roles(session, realm, user['username'], user['roles'])
except:
formatted_lines = traceback.format_exc()
print(formatted_lines)
sys.exit(1)
sys.exit(r)
def __get_keycloak_admin(self, realm_name="master") -> KeycloakAdmin:
"""Private function to get a Keycloak administration object which points at a specific realm.
Uses a dict to store all instances of the Keycloak administration object as a cache. This
ensures that we use one and only one admin object per realm.
Args:
realm_name (string): name of the realm to associate the keycloak admin object
Returns:
The initialised Keycloak admin object
Raises:
keycloak.exceptions.KeycloakConnectionError: Failed to connect to keycloak (invalid url/server unavailable)
keycloak.exceptions.KeycloakAuthenticationError: Invalid user credentials
"""
if realm_name not in self.keycloak_admins:
# Can't log directly into a non-master realm, set the realm after logging in to the 'master' realm
# There's flipped logic for 'self.insecure' and 'verify', as 'verified connection == not insecure'
self.keycloak_admins[realm_name] = KeycloakAdmin(
server_url=self.server_url,
username=self.admin_username,
password=self.admin_password,
realm_name="master",
verify=(not self.insecure),
)
self.keycloak_admins[realm_name].realm_name = realm_name
return self.keycloak_admins[realm_name]
def main():
args = args_parse()
ssl_verify = True
if args.disable_ssl_verify:
ssl_verify = False
server_url = args.server_url + '/auth/' # Full url to access api
fp = open(args.input_yaml, 'rt')
values = yaml.load(fp, Loader=yaml.FullLoader)
try:
session = KeycloakAdmin(server_url=server_url,
username=args.admin_user,
password=args.admin_password,
realm_name='master',
verify=ssl_verify)
for realm in values:
users = values[realm]['users']
for user in users:
r = delete_user(session, realm, user['username'])
except:
formatted_lines = traceback.format_exc()
print(formatted_lines)
sys.exit(1)
sys.exit(r)
def get_admin_client(config: Config) -> KeycloakAdmin:
params = {
"server_url": config.users["provider"]["url"],
"realm_name": config.users["provider"]["realm_name"],
"client_secret_key": config.users["provider"]["client_secret_key"],
"verify": True,
}
return KeycloakAdmin(**params)
def main():
keycloak_admin = KeycloakAdmin(server_url='http://localhost:8080/auth/',
username='******',
password='******',
realm_name='master',
verify=True)
for user in convert_to_users(emails):
print(user)
create_user(keycloak_admin, user)
user_id = keycloak_admin.get_user_id(user.username)
print("User id: ", user_id)
reset_password(keycloak_admin, user, user_id)
assign_roles(keycloak_admin, user_id)
def get_instance(self) -> KeycloakAdmin:
return KeycloakAdmin(
server_url=settings.OIDC_RP_SERVER_URL,
realm_name=settings.OIDC_RP_REALM_NAME,
client_id=settings.OIDC_RP_CLIENT_ID,
client_secret_key=settings.OIDC_RP_CLIENT_SECRET,
verify=True,
auto_refresh_token=["get", "post", "put", "delete"],
)
def wrapper(*args, **kwargs):
nonlocal obj
try:
return obj(*args, **kwargs)
except KeycloakError:
# retry
logger.debug("got keycloak error, retry.")
self.keycloak_admin = KeycloakAdmin(*self._args, **self._kwargs)
obj = getattr(self.keycloak_admin, item)
return obj(*args, **kwargs)
def test_keycloak():
from keycloak import KeycloakOpenID
# Configure client
# keycloak_openid = KeycloakOpenID(server_url="http://127.0.0.1:8080/auth/",
# client_id="master-realm",
# realm_name="master",
# client_secret_key="c5c25fef-b247-4876-8f8e-c8b90780daee")
# # Get WellKnow
# config_well_know = keycloak_openid.well_know()
#
# # Get Token
# token = keycloak_openid.token("omar", "omar19")
# # token = keycloak_openid.token("user", "password", totp="012345")
# return token
#
# # Get Userinfo
# userinfo = keycloak_openid.userinfo(token['access_token'])
# return userinfo
from keycloak import KeycloakAdmin
# connect to keycloak server
admin = KeycloakAdmin(server_url='http://127.0.0.1:8080/auth/',
username='******',
password='******',
realm_name='master',
verify=True)
user_groups = admin.get_user_groups(user_id="9018d0fe-4dc6-41bf-ad9f-02fd5fe3cd1a")
# return user_groups
# Add user
# new_user = admin.create_user({"email": "*****@*****.**",
# "username": "******",
# "enabled": True,
# "firstName": "Example",
# "lastName": "Example"})
# return new_user
# Get User
user = admin.get_user("58b704de-f5e6-422b-aa59-bf36a45d62f5")
return user
def admin_api():
conf = app.config['keycloak']
keycloak_admin = KeycloakAdmin(server_url=conf['serverUrl'],
username=conf['username'],
password=conf['password'],
realm_name=conf['realm'],
client_id=conf['clientId'],
user_realm_name=conf['userRealm'],
verify=True)
return keycloak_admin
def create_keycloak_admin_client() -> KeycloakAdmin:
with start_action(action_type="create_keycloak_admin_client"):
return KeycloakAdmin(
server_url=settings.keycloak_url,
realm_name=settings.realm,
client_id=settings.client_id,
client_secret_key=settings.client_secret,
user_realm_name="master",
verify=True,
auto_refresh_token=['get', 'post', 'put', 'delete'])
def keycloak_api(self):
""" one limitation of this api endpoint is that you must first connect to the
master realm, then connect to the desired realm. To get the api for a different realm,
use self.get_keycloak_api
"""
server_url = f"{self.saml_endpoint}/"
realm = self.realms.get('master')
return KeycloakAdmin(server_url=server_url,
realm_name=realm,
username=self.username,
password=self.password)
def client():
# connect to master realm
try:
keycloak_admin = KeycloakAdmin(
server_url=KC_URL,
username=KC_ADMIN_USER,
password=KC_ADMIN_PASSWORD,
realm_name=KC_MASTER_REALM,
)
return keycloak_admin
except KeycloakError as ke:
raise RuntimeError(f'Could not get info from keycloak {str(ke)}')
def test_KeycloakAdmin_custom_header(self):
class FakeToken:
@staticmethod
def get(string_val):
return "faketoken"
fake_token = FakeToken()
with mock.patch.object(KeycloakOpenID, "__init__",
return_value=None) as mock_keycloak_open_id:
with mock.patch("keycloak.keycloak_openid.KeycloakOpenID.token",
return_value=fake_token):
with mock.patch(
"keycloak.connection.ConnectionManager.__init__",
return_value=None) as mock_connection_manager:
with mock.patch(
"keycloak.connection.ConnectionManager.__del__",
return_value=None
) as mock_connection_manager_delete:
server_url = "https://localhost/auth/"
username = "******"
password = "******"
realm_name = "master"
headers = {'Custom': 'test-custom-header'}
KeycloakAdmin(server_url=server_url,
username=username,
password=password,
realm_name=realm_name,
verify=False,
custom_headers=headers)
mock_keycloak_open_id.assert_called_with(
server_url=server_url,
realm_name=realm_name,
client_id='admin-cli',
client_secret_key=None,
verify=False,
custom_headers=headers)
expected_header = {
'Authorization': 'Bearer faketoken',
'Content-Type': 'application/json',
'Custom': 'test-custom-header'
}
mock_connection_manager.assert_called_with(
base_url=server_url,
headers=expected_header,
timeout=60,
verify=False)
mock_connection_manager_delete.assert_called_once_with(
)
class KeycloakHelper:
def __init__(self, base_url: str, realm: str, username: str, password: str):
self.base_url: str = base_url
self.realm: str = realm
self.username: str = username
self.password: str = password
self.keycloak_admin: Union[KeycloakAdmin, None] = None
self._authentificate()
self.user_endpoint = f"{self.base_url}/admin/realms/{self.realm}/users"
self.group_endpoint = f"{self.base_url}/admin/realms/{self.realm}/groups"
def _authentificate(self):
self.keycloak_admin = KeycloakAdmin(server_url=self.base_url,
username=self.username,
password=self.password,
verify=True)
self.keycloak_admin.realm_name = self.realm
@classmethod
def from_config(cls, config):
return cls(
base_url=config.KEYCLOAK_BASE_URL,
realm=config.KEYCLOAK_REALM,
username=config.KEYCLOAK_USERNAME,
password=config.KEYCLOAK_PASSWORD
)
def update_user_at_creation(self, user_id: str, first_name: str, last_name: str, attributes: dict) -> bool:
self._authentificate()
body = {
"firstName": first_name,
"lastName": last_name,
"attributes": attributes
}
current_app.logger.info(f"User id : {user_id}")
self.keycloak_admin.update_user(user_id=user_id, payload=body)
return True
def update_user_attributes(self, user_id: str, attributes: dict) -> bool:
self._authentificate()
body = {
"attributes": attributes
}
self.keycloak_admin.update_user(user_id=user_id, payload=body)
return True
def assign_to_group(self, user_id: str, group_name: str) -> bool:
self._authentificate()
current_app.logger.info(f"group_name {group_name}")
group_id = self.keycloak_admin.get_group_by_path(f"/{group_name}")["id"]
self.keycloak_admin.group_user_add(user_id=user_id, group_id=group_id)
return True
def resend(self, username):
"""
Uzmi Keycloak user id.
Parametri:
---------------
user_id_keycloak -> username : None -> bool(False) - ako nema username
user_id_keycloak -> username : bool(True), user_id - ima username
"""
keycloak_admin = KeycloakAdmin(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')),
username = os.getenv('KEYCLOAK_ADMIN_USER'),
password = os.getenv('KEYCLOAK_ADMIN_PASSWORD'),
realm_name = "master",
verify = True)
keycloak_admin.realm_name = os.getenv('CLIENT_RELM_NAME')
user_id_keycloak = keycloak_admin.get_user_id(self.username)
if user_id_keycloak == None:
return {"exist" : False}
else:
return {"exist" : True, "user_id_keycloak" : user_id_keycloak}
def init_kc_admin():
logging.info('Initializing keycloak admin client...')
try:
kc.admin = KeycloakAdmin(
server_url=KEYCLOAK_SERVER,
username=KEYCLOAK_USERNAME,
password=KEYCLOAK_PASSWORD,
realm_name='master',
verify=True,
auto_refresh_token=['get', 'put', 'post', 'delete'])
logging.info('Initialized keycloak admin client')
except:
logging.error('Failed initializing keycloak admin client')
def get_admin_client(self):
"""
Setup and return a keycloak admin client
The client will connect to the Keycloak server with the default admin credentials
and connects to the 'master' realm. The client uses the application realm for read/write
to the Keycloak server
:return: KeycloakAdmin
"""
user = "******"
passwd = get_api_password()
if not getattr(self, "_admin_client", None):
self._admin_client = KeycloakAdmin(
server_url=get_server_url(),
username=user,
password=passwd,
realm_name=get_auth_realm(),
user_realm_name='master',
verify=True)
return self._admin_client