docker/services/keycloak/keycloak_swh_setup.py
def assign_client_role_to_user(keycloak_admin, client_name, client_role, username): | def assign_client_role_to_user(keycloak_admin, client_name, client_role, username): | ||||
client_id = keycloak_admin.get_client_id(client_name) | client_id = keycloak_admin.get_client_id(client_name) | ||||
user_role = keycloak_admin.get_client_role(client_id, client_role) | user_role = keycloak_admin.get_client_role(client_id, client_role) | ||||
user_id = keycloak_admin.get_user_id(username) | user_id = keycloak_admin.get_user_id(username) | ||||
keycloak_admin.assign_client_role(user_id, client_id, user_role) | keycloak_admin.assign_client_role(user_id, client_id, user_role) | ||||
def assign_realm_roles_to_user(keycloak_admin, realm_roles, username): | |||||
roles = [] | |||||
for realm_role in realm_roles: | |||||
roles.append(keycloak_admin.get_realm_role(realm_role)) | |||||
user_id = keycloak_admin.get_user_id(username) | |||||
# due to a design bug in python-keycloak API, client_id parameter must | |||||
# be provided while it is not used | |||||
keycloak_admin.assign_realm_roles(user_id, client_id="", roles=roles) | |||||
def assign_client_roles_to_user(keycloak_admin, client_name, client_roles, username): | def assign_client_roles_to_user(keycloak_admin, client_name, client_roles, username): | ||||
for client_role in client_roles: | for client_role in client_roles: | ||||
assign_client_role_to_user(keycloak_admin, client_name, client_role, username) | assign_client_role_to_user(keycloak_admin, client_name, client_role, username) | ||||
def create_user(keycloak_admin, user_data): | def create_user(keycloak_admin, user_data): | ||||
try: | try: | ||||
keycloak_admin.create_user(user_data) | keycloak_admin.create_user(user_data) | ||||
except Exception as e: | except Exception as e: | ||||
logger.warning(f"User already created: {e}, skipping.") | logger.warning(f"User already created: {e}, skipping.") | ||||
def create_client_roles(keycloak_admin, client_name, client_roles): | def create_client_roles(keycloak_admin, client_name, client_roles): | ||||
for client_role in client_roles: | for client_role in client_roles: | ||||
try: | try: | ||||
keycloak_admin.create_client_role( | keycloak_admin.create_client_role( | ||||
client_name, payload={"name": client_role} | client_name, payload={"name": client_role} | ||||
) | ) | ||||
except Exception as e: | except Exception as e: | ||||
logger.warning(f"User already created: {e}, skipping.") | logger.warning(f"Client role already created: {e}, skipping.") | ||||
def create_realm_roles(keycloak_admin, realm_roles): | |||||
for realm_role in realm_roles: | |||||
try: | |||||
keycloak_admin.create_realm_role(payload={"name": realm_role}) | |||||
except Exception as e: | |||||
logger.warning(f"Realm role already created: {e}, skipping.") | |||||
# login as admin in master realm | # login as admin in master realm | ||||
KEYCLOAK_ADMIN = KeycloakAdmin(SERVER_URL, ADMIN["username"], ADMIN["password"]) | KEYCLOAK_ADMIN = KeycloakAdmin(SERVER_URL, ADMIN["username"], ADMIN["password"]) | ||||
# update master realm clients base urls as we use a reverse proxy | # update master realm clients base urls as we use a reverse proxy | ||||
assign_client_base_url( | assign_client_base_url( | ||||
KEYCLOAK_ADMIN, "account", "/keycloak/auth/realms/master/account" | KEYCLOAK_ADMIN, "account", "/keycloak/auth/realms/master/account" | ||||
▲ Show 20 Lines • Show All 193 Lines • ▼ Show 20 Lines | for user_data in [ | ||||
"email": "test@swh.org", | "email": "test@swh.org", | ||||
"username": "test", | "username": "test", | ||||
"firstName": "Test", | "firstName": "Test", | ||||
"lastName": "aibot", | "lastName": "aibot", | ||||
"credentials": [{"value": "test", "type": "password", "temporary": False}], | "credentials": [{"value": "test", "type": "password", "temporary": False}], | ||||
"enabled": True, | "enabled": True, | ||||
"emailVerified": True, | "emailVerified": True, | ||||
}, | }, | ||||
{ | |||||
"email": "ambassador@swh.org", | |||||
"username": "ambassador", | |||||
"firstName": "ambassador", | |||||
"lastName": "ambassador", | |||||
"credentials": [ | |||||
{"value": "ambassador", "type": "password", "temporary": False} | |||||
], | |||||
"enabled": True, | |||||
"emailVerified": True, | |||||
}, | |||||
]: | ]: | ||||
create_user(KEYCLOAK_ADMIN, user_data) | create_user(KEYCLOAK_ADMIN, user_data) | ||||
assign_client_roles_to_user( | assign_client_roles_to_user( | ||||
KEYCLOAK_ADMIN, CLIENT_DEPOSIT_NAME, [DEPOSIT_API_ROLE_NAME], "test" | KEYCLOAK_ADMIN, CLIENT_DEPOSIT_NAME, [DEPOSIT_API_ROLE_NAME], "test" | ||||
) | ) | ||||
AMBASSADOR_ROLE_NAME = "swh.ambassador" | |||||
# create SoftwareHeritage realm roles | |||||
create_realm_roles( | |||||
KEYCLOAK_ADMIN, [AMBASSADOR_ROLE_NAME], | |||||
) | |||||
assign_realm_roles_to_user(KEYCLOAK_ADMIN, [AMBASSADOR_ROLE_NAME], "ambassador") |
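Review bot: In the new `create_realm_roles` (lines 36-41) the `except Exception` branch reports every failure as "Realm role already created", so an authentication or connection error on `create_realm_role` is logged as a harmless duplicate and the script only fails later, with a confusing message, when `get_realm_role` is called from `assign_realm_roles_to_user`; the same pattern already exists in `create_user` and `create_client_roles`, but the new function should not copy it. Catch the client library's own error type instead of `Exception` and treat only an HTTP 409 Conflict as "already exists", re-raising anything else, e.g. `if status != 409: raise` in the handler (hedged: check how the python-keycloak version in use exposes the status code). In `assign_realm_roles_to_user` (lines 13-15) the append loop reads better as `roles = [keycloak_admin.get_realm_role(r) for r in realm_roles]`. The comment on lines 17-18 about the unused `client_id` argument is a useful why-comment and should stay; consider adding the library version it was observed with so it can be removed once fixed.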