def create_client_and_get_client_secret():
# Create kong client on Keycloak
keycloak_admin = KeycloakAdmin(server_url=KEYCLOAK_URL,
username=KEYCLOAK_ADMIN_USER,
password=KEYCLOAK_ADMIN_PASSWORD,
verify=True)
try:
keycloak_admin.create_client({
"clientId":
CLIENT_NAME,
"name":
CLIENT_NAME,
"enabled":
True,
"redirectUris": ["/front/*", "/api/*", "/*", "*"],
})
client_uuid = keycloak_admin.get_client_id(CLIENT_NAME)
keycloak_admin.generate_client_secrets(client_uuid)
except KeycloakGetError as e:
if e.response_code == 409:
print("Keycloak Kong client already exists")
client_uuid = keycloak_admin.get_client_id(CLIENT_NAME)
return keycloak_admin.get_client_secrets(client_uuid)['value']
def init():
keycloack = KeycloakAdmin(server_url='http://localhost:8080/auth/',
username='******',
password='******',
realm_name='master',
verify=True)
keycloack.realm_name = 'n5geh_devices'
keycloack.create_user({
"username":
'******',
"credentials": [{
"value": "password",
"type": "password",
}],
"enabled":
True,
"firstName":
'Device',
"lastName":
'Wizard'
})
user_id = keycloack.get_user_id("device_wizard")
client_id = keycloack.get_client_id("realm-management")
role = keycloack.get_client_role(client_id=client_id,
role_name="manage-users")
keycloack.assign_client_role(client_id=client_id,
user_id=user_id,
roles=[role])
def _get_service_oidc_payload(service_name, realm):
client_id = KEYCLOAK_KONG_CLIENT
client_secret = None
# must be the public url
KEYCLOAK_URL = f'{HOST}/keycloak/auth/realms'
OPENID_PATH = 'protocol/openid-connect'
try:
# https://bitbucket.org/agriness/python-keycloak
# find out client secret
# 1. connect to master realm
keycloak_admin = KeycloakAdmin(
server_url=KC_URL,
username=KC_ADMIN_USER,
password=KC_ADMIN_PASSWORD,
realm_name=KC_MASTER_REALM,
)
# 2. change to given realm
keycloak_admin.realm_name = realm
# 3. get kong client internal id
client_pk = keycloak_admin.get_client_id(client_id)
# 4. get its secrets
secret = keycloak_admin.get_client_secrets(client_pk)
client_secret = secret.get('value')
except KeycloakError as ke:
raise RuntimeError(f'Could not get info from keycloak {str(ke)}')
except Exception as e:
raise RuntimeError(
f'Unexpected error, do the realm and the client exist? {str(e)}')
# OIDC plugin settings (same for all endpoints)
return {
'name': KONG_OIDC_PLUGIN,
'config.client_id': client_id,
'config.client_secret': client_secret,
'config.cookie_domain': DOMAIN,
'config.email_key': 'email',
'config.scope': 'openid+profile+email+iss',
'config.user_info_cache_enabled': 'true',
'config.app_login_redirect_url': f'{HOST}/{realm}/{service_name}/',
'config.authorize_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/auth',
'config.service_logout_url':
f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/logout',
'config.token_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/token',
'config.user_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/userinfo',
}
def main():
args = args_parse()
ssl_verify = True
if args.disable_ssl_verify:
ssl_verify = False
server_url = args.server_url + '/auth/' # Full url to access api
try:
keycloak_admin = KeycloakAdmin(server_url=server_url,
username=args.admin_user,
password=args.admin_password,
realm_name='master',
verify=ssl_verify)
keycloak_admin.realm_name = args.realm
client_id = keycloak_admin.get_client_id(args.client_name)
user = keycloak_admin.get_client_service_account_user(client_id)
keycloak_admin.logout(user['id'])
except:
formatted_lines = traceback.format_exc()
print(formatted_lines)
sys.exit(1)
sys.exit(0)
class KeycloakSession:
def __init__(self, realm, server_url, user, pwd, ssl_verify):
self.keycloak_admin = KeycloakAdmin(server_url=server_url,
username=user,
password=pwd,
realm_name=realm,
verify=ssl_verify)
def create_realm(self, realm):
payload = {
"realm": realm,
"enabled": True,
"accessCodeLifespan": 7200,
"accessCodeLifespanLogin": 1800,
"accessCodeLifespanUserAction": 300,
"accessTokenLifespan": 86400,
"accessTokenLifespanForImplicitFlow": 900,
"actionTokenGeneratedByAdminLifespan": 43200,
"actionTokenGeneratedByUserLifespan": 300
}
try:
self.keycloak_admin.create_realm(payload, skip_exists=False)
except KeycloakError as e:
if e.response_code == 409:
print('Exists, updating %s' % realm)
self.keycloak_admin.update_realm(realm, payload)
except:
raise
return 0
def create_role(self, realm, role):
print('Creating role %s for realm %s' % (role, realm))
self.keycloak_admin.realm_name = realm # work around because otherwise role was getting created in master
self.keycloak_admin.create_realm_role(
{
'name': role,
'clientRole': False
}, skip_exists=True)
self.keycloak_admin.realm_name = 'master' # restore
return 0
# sa_roles: service account roles
def create_client(self, realm, client, secret, sa_roles=None):
self.keycloak_admin.realm_name = realm # work around because otherwise client was getting created in master
payload = {
"clientId": client,
"secret": secret,
"standardFlowEnabled": True,
"serviceAccountsEnabled": True,
"directAccessGrantsEnabled": True,
"redirectUris": ['*'],
"authorizationServicesEnabled": True
}
try:
print('Creating client %s' % client)
self.keycloak_admin.create_client(
payload, skip_exists=False) # If exists, update. So don't skip
except KeycloakError as e:
if e.response_code == 409:
print('Exists, updating %s' % client)
client_id = self.keycloak_admin.get_client_id(client)
self.keycloak_admin.update_client(client_id, payload)
except:
self.keycloak_admin.realm_name = 'master' # restore
raise
if len(sa_roles) == 0: # Skip the below step
self.keycloak_admin.realm_name = 'master' # restore
return
try:
roles = [] # Get full role reprentation of all roles
for role in sa_roles:
role_rep = self.keycloak_admin.get_realm_role(role)
roles.append(role_rep)
client_id = self.keycloak_admin.get_client_id(client)
user = self.keycloak_admin.get_client_service_account_user(
client_id)
params_path = {
"realm-name": self.keycloak_admin.realm_name,
"id": user["id"]
}
self.keycloak_admin.raw_post(
URL_ADMIN_USER_REALM_ROLES.format(**params_path),
data=json.dumps(roles))
except:
self.keycloak_admin.realm_name = 'master' # restore
raise
self.keycloak_admin.realm_name = 'master' # restore
def create_user(self, realm, uname, email, fname, lname, password,
temp_flag):
self.keycloak_admin.realm_name = realm
payload = {
"username": uname,
"email": email,
"firstName": fname,
"lastName": lname,
"enabled": True
}
try:
print('Creating user %s' % uname)
self.keycloak_admin.create_user(
payload, False) # If exists, update. So don't skip
user_id = self.keycloak_admin.get_user_id(uname)
self.keycloak_admin.set_user_password(user_id,
password,
temporary=temp_flag)
except KeycloakError as e:
if e.response_code == 409:
print('Exists, updating %s' % uname)
user_id = self.keycloak_admin.get_user_id(uname)
self.keycloak_admin.update_user(user_id, payload)
except:
self.keycloak_admin.realm_name = 'master' # restore
raise
self.keycloak_admin.realm_name = 'master' # restore
def assign_user_roles(self, realm, username, roles):
self.keycloak_admin.realm_name = realm
roles = [self.keycloak_admin.get_realm_role(role) for role in roles]
try:
print(f'''Get user id for {username}''')
user_id = self.keycloak_admin.get_user_id(username)
self.keycloak_admin.assign_realm_roles(user_id, roles)
except:
self.keycloak_admin.realm_name = 'master' # restore
raise
self.keycloak_admin.realm_name = 'master' # restore
keycloack.create_user({
"username":
'******',
"credentials": [{
"value": "n5geh",
"type": "password",
}],
"enabled":
True,
"firstName":
'n5geh',
"lastName":
'n5geh'
})
user_id = keycloack.get_user_id("n5geh")
client_id = keycloack.get_client_id("realm-management")
role = keycloack.get_client_role(client_id=client_id,
role_name="manage-users")
keycloack.assign_client_role(client_id=client_id,
user_id=user_id,
roles=[role])
keycloack.realm_name = 'n5geh_devices'
# Create a new user for device wizard
user_id = keycloack.get_user_id("device_wizard")
if user_id is None:
keycloack.create_user({
"username":
'******',
"credentials": [{
"value": "password",
class KeycloakAdm(object):
def __init__(self):
self.ClientId = "admin-cli"
self.Realm = "zdr"
self.Username = "******"
self.Password = "******"
self.FQDN = "auth.mydomain.dev"
self.keycloak_admin = KeycloakAdmin(server_url="https://" + self.FQDN +
"/auth/",
username=self.Username,
password=self.Password,
realm_name=self.Realm,
verify=True)
self.keycloak_users = self.keycloak_admin.get_users({})
self.client_id = self.keycloak_admin.get_client_id("crm")
def __del__(self):
# Get users Returns a list of users, filtered according to query parameters
users = self.keycloak_admin.get_users({})
for user in users:
if user['username'] == self.Username:
my_sessions = self.keycloak_admin.get_sessions(user['id'])
for my_session in my_sessions:
ret = self.keycloak_admin.connection.raw_delete(
"admin/realms/" + self.Realm + "/sessions/" +
my_session['id'])
def GetLastUserSessionTime(self, user):
lastAccess = None
sessions = self.keycloak_admin.get_sessions(user['id'])
for sess in sessions:
sestime = int(sess['lastAccess'])
if lastAccess is not None:
if lastAccess < sestime:
lastAccess = sestime
else:
lastAccess = sestime
return lastAccess
def GetIdBySip(self, sip):
lastAccess = None
retId = None
for user in self.keycloak_users:
if 'attributes' in user:
attributes = user['attributes']
if 'sip' in attributes:
if str(attributes['sip'][0]) == str(sip):
if self.GetClientRoleOfUserByRoleName(
'dev', user['id']) == None:
sestime = self.GetLastUserSessionTime(user)
if lastAccess is not None:
if lastAccess < sestime:
lastAccess = sestime
retId = user['id']
else:
lastAccess = sestime
retId = user['id']
return retId
def GetNameBySip(self, sip):
lastAccess = None
ret = None
for user in self.keycloak_users:
if 'attributes' in user:
attributes = user['attributes']
if 'sip' in attributes:
if str(attributes['sip'][0]) == str(sip):
if self.GetClientRoleOfUserByRoleName(
'dev', user['id']) == None:
sestime = self.GetLastUserSessionTime(user)
if lastAccess is not None:
if lastAccess < sestime:
lastAccess = sestime
ret = user['username']
else:
lastAccess = sestime
ret = user['username']
return ret
def GetClientRoleOfUserByRoleName(self, roleName, userID):
rolesOfUser = self.keycloak_admin.get_client_roles_of_user(
user_id=userID, client_id=self.client_id)
#keycloak_admin.get_available_client_roles_of_user(user_id="user_id", client_id="client_id")
#print user['username'], user['id']
for role in rolesOfUser:
if roleName == role['name']: return role
return None
payload=json.dumps(['UPDATE_PASSWORD']))
# Send Verify Email
response = keycloak_admin.send_verify_email(user_id="user-id-keycloak")
# Get sessions associated with the user
sessions = keycloak_admin.get_sessions(user_id="user-id-keycloak")
# Get themes, social providers, auth providers, and event listeners available on this server
server_info = keycloak_admin.get_server_info()
# Get clients belonging to the realm Returns a list of clients belonging to the realm
clients = keycloak_admin.get_clients()
# Get client - id (not client-id) from client by name
client_id=keycloak_admin.get_client_id("my-client")
# Get representation of the client - id of client (not client-id)
client = keycloak_admin.get_client(client_id="client_id")
# Get all roles for the realm or client
realm_roles = keycloak_admin.get_realm_roles()
# Get all roles for the client
client_roles = keycloak_admin.get_client_roles(client_id="client_id")
# Get client role
role = keycloak_admin.get_client_role(client_id="client_id", role_name="role_name")
# Warning: Deprecated
# Get client role id from name