91 lines
5.0 KiB
Plaintext
91 lines
5.0 KiB
Plaintext
connect_to_keycloak() {
|
|
{{ .Script }} config credentials --server http://0.0.0.0:8080/auth --realm master --user {{ .KeycloakAdminUserName }} --password {{ .KeycloakAdminPassword }}
|
|
}
|
|
|
|
create_identity_provider() {
|
|
{{ .Script }} get identity-provider/instances/{{ .ProviderId }} -r {{ .KeycloakRealm }}
|
|
if [ $? -eq 0 ]
|
|
then echo "Provider exists"
|
|
else {{ .Script }} create identity-provider/instances -r {{ .KeycloakRealm }} -s alias={{ .ProviderId }} -s providerId={{ .ProviderId }} -s enabled=true -s storeToken=true -s addReadTokenRoleOnCreate=true -s config.useJwksUrl=true -s config.clientId={{ .OAuthClientName}} -s config.clientSecret={{ .OauthSecret}} -s config.baseUrl={{ .OpenShiftApiUrl }} -s config.defaultScope=user:full
|
|
fi
|
|
}
|
|
|
|
default_to_openshift_login() {
|
|
EXECUTION_ID=$({{ .Script }} get authentication/flows/browser/executions -r {{ .KeycloakRealm }} -c | sed -e 's/.*\({[^}]\+"identity-provider-redirector"[^}]\+}\).*/\1/' -e 's/.*"id":"\([^"]\+\)".*/\1/')
|
|
ALIAS=$({{ .Script }} get authentication/flows/browser/executions -r {{ .KeycloakRealm }} -c | sed -e 's/.*\({[^}]\+"identity-provider-redirector"[^}]\+}\).*/\1/' | grep '"alias":"' | sed -e 's/.*"alias":"\([^"]\+\)".*/\1/')
|
|
if [ "${EXECUTION_ID}" == "" ]
|
|
then
|
|
echo "Could not find the identity provider redirector"
|
|
return 1
|
|
fi
|
|
if [ -z ${ALIAS} ];
|
|
then
|
|
echo '{"config":{"defaultProvider":"{{ .ProviderId }}"},"alias":"{{ .ProviderId }}"}' | {{ .Script }} create -r {{ .KeycloakRealm }} authentication/executions/${EXECUTION_ID}/config -f -
|
|
fi
|
|
}
|
|
|
|
enable_openshift_token-exchange() {
|
|
IDENTITY_PROVIDER_ID=$({{ .Script }} get -r {{ .KeycloakRealm }} identity-provider/instances/{{ .ProviderId }} | jq --raw-output '.internalId')
|
|
if [ "${IDENTITY_PROVIDER_ID}" == "" ]
|
|
then
|
|
echo "identity provider not found"
|
|
return 1
|
|
fi
|
|
echo '{"enabled": true}' | {{ .Script }} update -r {{ .KeycloakRealm }} identity-provider/instances/{{ .ProviderId }}/management/permissions -f -
|
|
if [ $? -ne 0 ]
|
|
then
|
|
echo "failed to enable permissions on identity provider"
|
|
return 1
|
|
fi
|
|
TOKEN_EXCHANGE_PERMISSIONS=$({{ .Script }} get -r {{ .KeycloakRealm }} identity-provider/instances/{{ .ProviderId }}/management/permissions)
|
|
if [ "${TOKEN_EXCHANGE_PERMISSIONS}" == "" ]
|
|
then
|
|
echo "token exchange permissions not found"
|
|
return 1
|
|
fi
|
|
TOKEN_EXCHANGE_RESOURCE=$(echo ${TOKEN_EXCHANGE_PERMISSIONS} | jq --raw-output '.resource | strings')
|
|
TOKEN_EXCHANGE_PERMISSION_ID=$(echo ${TOKEN_EXCHANGE_PERMISSIONS} | jq --raw-output '.scopePermissions["token-exchange"] | strings')
|
|
if [ "${TOKEN_EXCHANGE_RESOURCE}" == "" ] || [ "${TOKEN_EXCHANGE_PERMISSION_ID}" == "" ]
|
|
then
|
|
echo "token exchange permissions do not contain expected values"
|
|
return 1
|
|
fi
|
|
REALM_MGMT_CLIENT_ID=$({{ .Script }} get -r {{ .KeycloakRealm }} clients | jq --raw-output '.[] | select(.clientId == "realm-management") | .id | strings')
|
|
if [ "${REALM_MGMT_CLIENT_ID}" == "" ]
|
|
then
|
|
echo "Realm management client ID not found"
|
|
return 1
|
|
fi
|
|
EXISTING_POLICY=$({{ .Script }} get -r {{ .KeycloakRealm }} clients/${REALM_MGMT_CLIENT_ID}/authz/resource-server/policy/client -q 'name={{ .ProviderId }}' | jq --raw-output '.[0].id | strings')
|
|
if [ "${EXISTING_POLICY}" == "" ]
|
|
then
|
|
echo '{"type":"client","logic":"POSITIVE","decisionStrategy":"UNANIMOUS","name":"{{ .ProviderId }}","clients":["che-public"]}' | {{ .Script }} create -r {{ .KeycloakRealm }} clients/${REALM_MGMT_CLIENT_ID}/authz/resource-server/policy/client -f -
|
|
if [ $? -ne 0 ]
|
|
then
|
|
echo "Failed to create policy"
|
|
return 1
|
|
fi
|
|
fi
|
|
TOKEN_EXCHANGE_POLICY=$({{ .Script }} get -r {{ .KeycloakRealm }} clients/${REALM_MGMT_CLIENT_ID}/authz/resource-server/policy/client -q 'name={{ .ProviderId }}' | jq --raw-output '.[0].id | strings')
|
|
if [ "${TOKEN_EXCHANGE_POLICY}" == "" ]
|
|
then
|
|
echo "Token exchange policy not found"
|
|
return 1
|
|
fi
|
|
TOKEN_EXCHANGE_PERMISSION=$({{ .Script }} get -r {{ .KeycloakRealm }} clients/${REALM_MGMT_CLIENT_ID}/authz/resource-server/permission/scope/${TOKEN_EXCHANGE_PERMISSION_ID})
|
|
if [ "${TOKEN_EXCHANGE_PERMISSION}" == "" ]
|
|
then
|
|
echo "Token exchange permission not found"
|
|
return 1
|
|
fi
|
|
TOKEN_EXCHANGE_SCOPE=$({{ .Script }} get -r {{ .KeycloakRealm }} clients/${REALM_MGMT_CLIENT_ID}/authz/resource-server/resource/${TOKEN_EXCHANGE_RESOURCE}/scopes | jq --raw-output '.[] | select( .name == "token-exchange") | .id | strings')
|
|
if [ "${TOKEN_EXCHANGE_PERMISSION}" == "" ]
|
|
then
|
|
echo "Token exchange scope not found"
|
|
return 1
|
|
fi
|
|
echo ${TOKEN_EXCHANGE_PERMISSION} | jq --arg resource "${TOKEN_EXCHANGE_RESOURCE}" --arg scope "${TOKEN_EXCHANGE_SCOPE}" --arg policy "${TOKEN_EXCHANGE_POLICY}" '. + {resources:[$resource],scopes:[$scope],policies:[$policy]}' | {{ .Script }} update -r {{ .KeycloakRealm }} clients/${REALM_MGMT_CLIENT_ID}/authz/resource-server/permission/scope/${TOKEN_EXCHANGE_PERMISSION_ID} -f -
|
|
}
|
|
|
|
set -x
|
|
connect_to_keycloak && create_identity_provider && default_to_openshift_login && enable_openshift_token-exchange |