示例#1
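def create_client_and_get_client_secret():
    """Create the Kong client in Keycloak and return its client secret.

    Connects as the Keycloak administrator (``KEYCLOAK_URL``,
    ``KEYCLOAK_ADMIN_USER``, ``KEYCLOAK_ADMIN_PASSWORD``), creates the client
    ``CLIENT_NAME`` and generates a fresh secret for it. If the client already
    exists (HTTP 409) the existing client and its current secret are reused.

    Returns:
        The ``value`` field of the client's secret representation.

    Raises:
        KeycloakGetError: any Keycloak error other than a 409 conflict is
            re-raised instead of being silently swallowed.
    """
    # Create kong client on Keycloak.  TLS verification stays enabled: the
    # admin credentials travel on this connection.
    keycloak_admin = KeycloakAdmin(server_url=KEYCLOAK_URL,
                                   username=KEYCLOAK_ADMIN_USER,
                                   password=KEYCLOAK_ADMIN_PASSWORD,
                                   verify=True)

    try:
        keycloak_admin.create_client({
            "clientId": CLIENT_NAME,
            "name": CLIENT_NAME,
            "enabled": True,
            # "*" accepts any redirect target; tighten to the real front/api
            # URLs before this client is used outside a local setup.
            "redirectUris": ["/front/*", "/api/*", "/*", "*"],
        })
    except KeycloakGetError as e:
        # Only "already exists" is recoverable; anything else is a real
        # failure and must not be hidden behind a secret lookup.
        if e.response_code != 409:
            raise
        print("Keycloak Kong client already exists")
        client_uuid = keycloak_admin.get_client_id(CLIENT_NAME)
    else:
        # Freshly created client: mint its secret before reading it back.
        client_uuid = keycloak_admin.get_client_id(CLIENT_NAME)
        keycloak_admin.generate_client_secrets(client_uuid)

    return keycloak_admin.get_client_secrets(client_uuid)['value']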
示例#2
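class KeycloakSession:
    """Admin-side helper for provisioning a Keycloak realm and its objects.

    The wrapped ``KeycloakAdmin`` client is configured against one realm at
    construction time.  Every method that targets another realm temporarily
    points ``keycloak_admin.realm_name`` at that realm and always restores it
    to ``'master'`` afterwards, even when the operation fails.

    Keycloak errors other than HTTP 409 (object already exists) are re-raised;
    a 409 is handled by updating the existing object instead.
    """

    def __init__(self, realm, server_url, user, pwd, ssl_verify):
        # ssl_verify is passed straight through as ``verify``; keep it enabled
        # outside local development, since admin credentials ride on this
        # connection.
        self.keycloak_admin = KeycloakAdmin(server_url=server_url,
                                            username=user,
                                            password=pwd,
                                            realm_name=realm,
                                            verify=ssl_verify)

    def _restore_realm(self):
        """Point the admin client back at the master realm."""
        self.keycloak_admin.realm_name = 'master'

    def create_realm(self, realm):
        """Create *realm* with fixed lifespans, updating it if it already exists.

        Returns:
            0 on success.

        Raises:
            KeycloakError: any error other than a 409 conflict.
        """
        # Lifespans are in seconds.  accessTokenLifespan of 86400 is a 24h
        # bearer token, which is long; worth tightening per deployment.
        payload = {
            "realm": realm,
            "enabled": True,
            "accessCodeLifespan": 7200,
            "accessCodeLifespanLogin": 1800,
            "accessCodeLifespanUserAction": 300,
            "accessTokenLifespan": 86400,
            "accessTokenLifespanForImplicitFlow": 900,
            "actionTokenGeneratedByAdminLifespan": 43200,
            "actionTokenGeneratedByUserLifespan": 300
        }
        try:
            self.keycloak_admin.create_realm(payload, skip_exists=False)
        except KeycloakError as e:
            if e.response_code != 409:
                raise
            print('Exists, updating %s' % realm)
            self.keycloak_admin.update_realm(realm, payload)

        return 0

    def create_role(self, realm, role):
        """Create realm role *role* in *realm* (no-op if it already exists).

        Returns:
            0 on success.
        """
        print('Creating role %s for realm %s' % (role, realm))
        self.keycloak_admin.realm_name = realm  # work around because otherwise role was getting created in master
        try:
            self.keycloak_admin.create_realm_role(
                {
                    'name': role,
                    'clientRole': False
                }, skip_exists=True)
        finally:
            self._restore_realm()
        return 0

    def create_client(self, realm, client, secret, sa_roles=None):
        """Create or update a confidential client in *realm*.

        Args:
            realm: realm the client belongs to.
            client: the Keycloak ``clientId``.
            secret: client secret to set on the client.
            sa_roles: realm role names to grant to the client's service
                account.  ``None`` or an empty list grants nothing.

        Raises:
            KeycloakError: any error other than a 409 conflict.
        """
        self.keycloak_admin.realm_name = realm  # work around because otherwise client was getting created in master
        # Flags worth reviewing per deployment: the wildcard redirect URI
        # accepts any redirect target, and directAccessGrantsEnabled turns on
        # the password grant for this client.
        payload = {
            "clientId": client,
            "secret": secret,
            "standardFlowEnabled": True,
            "serviceAccountsEnabled": True,
            "directAccessGrantsEnabled": True,
            "redirectUris": ['*'],
            "authorizationServicesEnabled": True
        }
        try:
            print('Creating client %s' % client)
            try:
                self.keycloak_admin.create_client(
                    payload, skip_exists=False)  # If exists, update. So don't skip
            except KeycloakError as e:
                if e.response_code != 409:
                    raise
                print('Exists, updating %s' % client)
                client_id = self.keycloak_admin.get_client_id(client)
                self.keycloak_admin.update_client(client_id, payload)

            # Nothing to grant: ``None`` is accepted as well as an empty list.
            if not sa_roles:
                return

            # Full role representations are needed for the role-mapping POST.
            roles = [self.keycloak_admin.get_realm_role(role)
                     for role in sa_roles]
            client_id = self.keycloak_admin.get_client_id(client)
            user = self.keycloak_admin.get_client_service_account_user(
                client_id)
            params_path = {
                "realm-name": self.keycloak_admin.realm_name,
                "id": user["id"]
            }
            self.keycloak_admin.raw_post(
                URL_ADMIN_USER_REALM_ROLES.format(**params_path),
                data=json.dumps(roles))
        finally:
            self._restore_realm()

    def create_user(self, realm, uname, email, fname, lname, password,
                    temp_flag):
        """Create a user in *realm* and set its password, or update it if it exists.

        When the user already exists (409) only the profile is updated; the
        password is left untouched.

        Args:
            temp_flag: passed as ``temporary`` to ``set_user_password`` so the
                user is forced to change the password on first login.

        Raises:
            KeycloakError: any error other than a 409 conflict.
        """
        self.keycloak_admin.realm_name = realm
        payload = {
            "username": uname,
            "email": email,
            "firstName": fname,
            "lastName": lname,
            "enabled": True
        }
        try:
            print('Creating user %s' % uname)
            try:
                self.keycloak_admin.create_user(
                    payload, False)  # If exists, update. So don't skip
                user_id = self.keycloak_admin.get_user_id(uname)
                self.keycloak_admin.set_user_password(user_id,
                                                      password,
                                                      temporary=temp_flag)
            except KeycloakError as e:
                if e.response_code != 409:
                    raise
                print('Exists, updating %s' % uname)
                user_id = self.keycloak_admin.get_user_id(uname)
                self.keycloak_admin.update_user(user_id, payload)
        finally:
            self._restore_realm()

    def assign_user_roles(self, realm, username, roles):
        """Grant the realm roles named in *roles* to *username* in *realm*."""
        self.keycloak_admin.realm_name = realm
        try:
            # Resolve names inside the try so a bad role name still restores
            # the realm pointer.
            roles = [self.keycloak_admin.get_realm_role(role)
                     for role in roles]
            print(f'''Get user id for {username}''')
            user_id = self.keycloak_admin.get_user_id(username)
            self.keycloak_admin.assign_realm_roles(user_id, roles)
        finally:
            self._restore_realm()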
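# Delete every Kong service listed in ``response`` (presumably a prior GET of
# /services — confirm against the code above) so they can be recreated.
for _id in [e["id"] for e in response.json()["data"]]:
    # Without a timeout this call blocks forever if Kong stops answering.
    requests.delete(f'http://{KONG_HOST_IP}:{KONG_PORT}/services/{_id}',
                    timeout=30)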

from keycloak import KeycloakAdmin

# Create kong client on Keycloak.  TLS verification is kept on: the admin
# credentials travel on this connection.
keycloak_admin = KeycloakAdmin(
    server_url=KEYCLOAK_URL,
    username=KEYCLOAK_ADMIN_USER,
    password=KEYCLOAK_ADMIN_PASSWORD,
    verify=True,
)

# The client's internal id is chosen up front so the secret can be fetched
# by id right after creation.
CLIENT_KONG_KEYCLOAK_ID = str(uuid.uuid4())
keycloak_admin.create_client(
    {
        "id": CLIENT_KONG_KEYCLOAK_ID,
        "clientId": CLIENT_ID,
        "name": CLIENT_ID,
        "enabled": True,
        # "*" accepts any redirect target; tighten to concrete URLs outside
        # a local setup.
        "redirectUris": ["/front/*", "/api/*", "/*", "*"],
    }
)

CLIENT_SECRET = keycloak_admin.get_client_secrets(CLIENT_KONG_KEYCLOAK_ID)["value"]

# NOTE(review): both endpoints are plain http; the introspection call carries
# CLIENT_SECRET and bearer tokens, so use https anywhere that is not localhost.
introspection_url = (
    f'http://{KEYCLOAK_HOST_IP}:{KEYCLOAK_PORT}'
    f'/auth/realms/{REALM_NAME}/protocol/openid-connect/token/introspect'
)
discovery_url = (
    f'http://{KEYCLOAK_HOST_IP}:{KEYCLOAK_PORT}'
    f'/auth/realms/{REALM_NAME}/.well-known/openid-configuration'
)

for service in services:
    data = service

    # Create Service
    response = requests.post(f'http://{KONG_HOST_IP}:{KONG_PORT}/services',