
keycloak_swh_setup: Assign swh.deposit.api role to hal user
Closed, Public

Authored by ardumont on Mar 5 2021, 2:51 PM.

Details

Summary

It's been pending work in my stash for a while.
It's working in my docker tryouts for D5137.
Might as well land it, one less thing to worry about.

Related to T2858

Test Plan

docker is happy

$ swh-doco-keycloak exec swh-deposit /bin/bash
+ cd /home/tony/work/inria/repo/swh/swh-environment/docker
+ docker-compose -f docker-compose.yml -f docker-compose.keycloak.yml -f docker-compose.override.yml exec swh-deposit /bin/bash
swh@7910820d6ef2:/$ pip install ipython
Collecting ipython
...
$ ipython
In [1]: from swh.auth.keycloak import KeycloakOpenIDConnect
...
In [19]: kc = KeycloakOpenIDConnect(server_url="http://keycloak:8080/keycloak/auth/", realm_name="SoftwareHeritage", client_id="swh-deposit")

In [20]: token = kc.login("hal", "test")

In [21]: decoded_token = kc.decode_token(token['access_token'])

In [22]: decoded_token["resource_access"]
Out[22]:
{'swh-deposit': {'roles': ['swh.deposit.api']},
 'account': {'roles': ['manage-account',
   'manage-account-links',
   'view-profile']}}

Diff Detail

Repository
rDENV Development environment
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

anlambert added a subscriber: anlambert.
anlambert added inline comments.
docker/services/keycloak/keycloak_swh_setup.py
32

While you are working on this file, could you rename that variable to user_role?

263–270

Use assign_client_role_to_user function instead as it is the same as assign_deposit_api_role_to_user.

This revision now requires changes to proceed. Mar 5 2021, 2:56 PM
docker/services/keycloak/keycloak_swh_setup.py
32

sure

263–270

d'oh

(yes)

Adapt according to review, and checks ok [1]

[1] checked by down --volumes, up -d stanza, logging in to the admin auth UI and checking that
the hal user has the swh.deposit.api role in its "role mapping" view (and it does)

with our brand new swh.auth (v0.2.0 ;)

In [19]: kc = KeycloakOpenIDConnect(server_url="http://keycloak:8080/keycloak/auth/", realm_name="SoftwareHeritage", client_id="swh-deposit")

In [20]: token = kc.login("hal", "test")

In [21]: decoded_token = kc.decode_token(token['access_token'])

In [22]: decoded_token["resource_access"]
Out[22]:
{'swh-deposit': {'roles': ['swh.deposit.api']},
 'account': {'roles': ['manage-account',
   'manage-account-links',
   'view-profile']}}
This revision is now accepted and ready to land. Mar 5 2021, 3:46 PM
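
The manual check from the test plan (decode the access token, read `resource_access`) can be written as an assertion that flags both missing and unexpected client roles. This is an added example, not part of the revision or of swh.auth: it works only on an already decoded claims dict, the names `audit_client_roles`, `HAL_CLAIMS` and `EXPECTED_HAL` are assumptions, and the sample claims are constructed from the `Out[22]` output above.

```python
from typing import Any, Dict, List, Mapping, Set, Tuple

RoleReport = Dict[str, List[str]]


def _client_roles(claims: Mapping[str, Any]) -> Dict[str, Set[str]]:
    """Extract {client_id: {roles}} from decoded claims, failing closed."""
    access = claims.get("resource_access")
    if not isinstance(access, Mapping):
        return {}
    roles: Dict[str, Set[str]] = {}
    for client, entry in access.items():
        listed = entry.get("roles") if isinstance(entry, Mapping) else None
        # Anything that is not a list of strings grants nothing.
        if isinstance(listed, list):
            roles[client] = {r for r in listed if isinstance(r, str)}
    return roles


def audit_client_roles(
    claims: Mapping[str, Any], expected: Mapping[str, List[str]]
) -> Tuple[RoleReport, RoleReport]:
    """Return (missing, unexpected) client roles, keyed by client id."""
    granted = _client_roles(claims)
    missing: RoleReport = {}
    unexpected: RoleReport = {}
    for client in sorted(set(granted) | set(expected)):
        want = set(expected.get(client, ()))
        have = granted.get(client, set())
        if want - have:
            missing[client] = sorted(want - have)
        if have - want:
            unexpected[client] = sorted(have - want)
    return missing, unexpected


# Constructed sample: the resource_access claim shown in Out[22].
_ACCOUNT = ["manage-account", "manage-account-links", "view-profile"]
HAL_CLAIMS = {
    "resource_access": {
        "swh-deposit": {"roles": ["swh.deposit.api"]},
        "account": {"roles": list(_ACCOUNT)},
    }
}
# Assumption: hal should hold exactly these client roles and nothing else.
EXPECTED_HAL = {"swh-deposit": ["swh.deposit.api"], "account": list(_ACCOUNT)}

if __name__ == "__main__":
    missing, unexpected = audit_client_roles(HAL_CLAIMS, EXPECTED_HAL)
    assert not missing and not unexpected, (missing, unexpected)
    print("hal role mapping matches the expected set")
```

Reporting unexpected roles as well as missing ones means a setup script that grants more than intended fails the check too.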