Changeset View
Changeset View
Standalone View
Standalone View
docker/services/keycloak/keycloak_swh_setup.py
| Show All 28 Lines | |||||
| def assign_client_role_to_user(keycloak_admin, client_name, client_role, username): | def assign_client_role_to_user(keycloak_admin, client_name, client_role, username): | ||||
| client_id = keycloak_admin.get_client_id(client_name) | client_id = keycloak_admin.get_client_id(client_name) | ||||
| user_role = keycloak_admin.get_client_role(client_id, client_role) | user_role = keycloak_admin.get_client_role(client_id, client_role) | ||||
| user_id = keycloak_admin.get_user_id(username) | user_id = keycloak_admin.get_user_id(username) | ||||
| keycloak_admin.assign_client_role(user_id, client_id, user_role) | keycloak_admin.assign_client_role(user_id, client_id, user_role) | ||||
| def assign_realm_roles_to_user(keycloak_admin, realm_roles, username): | |||||
| roles = [] | |||||
| for realm_role in realm_roles: | |||||
| roles.append(keycloak_admin.get_realm_role(realm_role)) | |||||
| user_id = keycloak_admin.get_user_id(username) | |||||
| # due to a design bug in python-keycloak API, client_id parameter must | |||||
| # be provided while it is not used | |||||
| keycloak_admin.assign_realm_roles(user_id, client_id="", roles=roles) | |||||
| def assign_client_roles_to_user(keycloak_admin, client_name, client_roles, username): | def assign_client_roles_to_user(keycloak_admin, client_name, client_roles, username): | ||||
| for client_role in client_roles: | for client_role in client_roles: | ||||
| assign_client_role_to_user(keycloak_admin, client_name, client_role, username) | assign_client_role_to_user(keycloak_admin, client_name, client_role, username) | ||||
| def create_user(keycloak_admin, user_data): | def create_user(keycloak_admin, user_data): | ||||
| try: | try: | ||||
| keycloak_admin.create_user(user_data) | keycloak_admin.create_user(user_data) | ||||
| except Exception as e: | except Exception as e: | ||||
| logger.warning(f"User already created: {e}, skipping.") | logger.warning(f"User already created: {e}, skipping.") | ||||
| def create_client_roles(keycloak_admin, client_name, client_roles): | def create_client_roles(keycloak_admin, client_name, client_roles): | ||||
| for client_role in client_roles: | for client_role in client_roles: | ||||
| try: | try: | ||||
| keycloak_admin.create_client_role( | keycloak_admin.create_client_role( | ||||
| client_name, payload={"name": client_role} | client_name, payload={"name": client_role} | ||||
| ) | ) | ||||
| except Exception as e: | except Exception as e: | ||||
| logger.warning(f"User already created: {e}, skipping.") | logger.warning(f"Client role already created: {e}, skipping.") | ||||
| def create_realm_roles(keycloak_admin, realm_roles): | |||||
| for realm_role in realm_roles: | |||||
| try: | |||||
| keycloak_admin.create_realm_role(payload={"name": realm_role}) | |||||
| except Exception as e: | |||||
| logger.warning(f"Realm role already created: {e}, skipping.") | |||||
| # login as admin in master realm | # login as admin in master realm | ||||
| KEYCLOAK_ADMIN = KeycloakAdmin(SERVER_URL, ADMIN["username"], ADMIN["password"]) | KEYCLOAK_ADMIN = KeycloakAdmin(SERVER_URL, ADMIN["username"], ADMIN["password"]) | ||||
| # update master realm clients base urls as we use a reverse proxy | # update master realm clients base urls as we use a reverse proxy | ||||
| assign_client_base_url( | assign_client_base_url( | ||||
| KEYCLOAK_ADMIN, "account", "/keycloak/auth/realms/master/account" | KEYCLOAK_ADMIN, "account", "/keycloak/auth/realms/master/account" | ||||
| ▲ Show 20 Lines • Show All 193 Lines • ▼ Show 20 Lines | for user_data in [ | ||||
| "email": "test@swh.org", | "email": "test@swh.org", | ||||
| "username": "test", | "username": "test", | ||||
| "firstName": "Test", | "firstName": "Test", | ||||
| "lastName": "aibot", | "lastName": "aibot", | ||||
| "credentials": [{"value": "test", "type": "password", "temporary": False}], | "credentials": [{"value": "test", "type": "password", "temporary": False}], | ||||
| "enabled": True, | "enabled": True, | ||||
| "emailVerified": True, | "emailVerified": True, | ||||
| }, | }, | ||||
| { | |||||
| "email": "ambassador@swh.org", | |||||
| "username": "ambassador", | |||||
| "firstName": "ambassador", | |||||
| "lastName": "ambassador", | |||||
| "credentials": [ | |||||
| {"value": "ambassador", "type": "password", "temporary": False} | |||||
| ], | |||||
| "enabled": True, | |||||
| "emailVerified": True, | |||||
| }, | |||||
| ]: | ]: | ||||
| create_user(KEYCLOAK_ADMIN, user_data) | create_user(KEYCLOAK_ADMIN, user_data) | ||||
| assign_client_roles_to_user( | assign_client_roles_to_user( | ||||
| KEYCLOAK_ADMIN, CLIENT_DEPOSIT_NAME, [DEPOSIT_API_ROLE_NAME], "test" | KEYCLOAK_ADMIN, CLIENT_DEPOSIT_NAME, [DEPOSIT_API_ROLE_NAME], "test" | ||||
| ) | ) | ||||
| AMBASSADOR_ROLE_NAME = "swh.ambassador" | |||||
| # create SoftwareHeritage realm roles | |||||
| create_realm_roles( | |||||
| KEYCLOAK_ADMIN, [AMBASSADOR_ROLE_NAME], | |||||
| ) | |||||
| assign_realm_roles_to_user(KEYCLOAK_ADMIN, [AMBASSADOR_ROLE_NAME], "ambassador") | |||||