feat: allows retrieval of realm and client level roles for a user (#512)

Co-authored-by: Côme Mary-Vallée <[email protected]>
marcospereirampj · Apr 10, 2024 · 654cf88 · 654cf88
1 parent 5eb9c8d
commit 654cf88
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py
@@ -3111,6 +3111,20 @@ def delete_group_client_roles(self, group_id, client_id, roles):
         )
         return raise_error_from_response(data_raw, KeycloakDeleteError, expected_codes=[204])
 
+    def get_all_roles_of_user(self, user_id):
+        """Get all level roles for a user.
+
+        :param user_id: id of user
+        :type user_id: str
+        :return: Keycloak server response (array RoleRepresentation)
+        :rtype: list
+        """
+        params_path = {"realm-name": self.connection.realm_name, "id": user_id}
+        data_raw = self.connection.raw_get(
+            urls_patterns.URL_ADMIN_USER_ALL_ROLES.format(**params_path)
+        )
+        return raise_error_from_response(data_raw, KeycloakGetError)
+
     def get_client_roles_of_user(self, user_id, client_id):
         """Get all client roles for a user.
 

diff --git a/src/keycloak/urls_patterns.py b/src/keycloak/urls_patterns.py
@@ -51,6 +51,7 @@
 URL_ADMIN_SEND_VERIFY_EMAIL = "admin/realms/{realm-name}/users/{id}/send-verify-email"
 URL_ADMIN_RESET_PASSWORD = "admin/realms/{realm-name}/users/{id}/reset-password"
 URL_ADMIN_GET_SESSIONS = "admin/realms/{realm-name}/users/{id}/sessions"
+URL_ADMIN_USER_ALL_ROLES = "admin/realms/{realm-name}/users/{id}/role-mappings"
 URL_ADMIN_USER_CLIENT_ROLES = (
     "admin/realms/{realm-name}/users/{id}/role-mappings/clients/{client-id}"
 )

diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py
@@ -386,6 +386,39 @@ def test_users(admin: KeycloakAdmin, realm: str):
     assert err.match(USER_NOT_FOUND_REGEX)
 
 
+def test_users_roles(admin: KeycloakAdmin, realm: str):
+    """Test users roles.
+
+    :param admin: Keycloak Admin client
+    :type admin: KeycloakAdmin
+    :param realm: Keycloak realm
+    :type realm: str
+    """
+    user_id = admin.create_user(payload={"username": "test", "email": "[email protected]"})
+
+    # Test all level user roles
+    client_id = admin.create_client(payload={"name": "test-client", "clientId": "test-client"})
+    admin.create_client_role(client_role_id=client_id, payload={"name": "test-role"})
+    admin.assign_client_role(
+        client_id=client_id,
+        user_id=user_id,
+        roles=[admin.get_client_role(client_id=client_id, role_name="test-role")],
+    )
+    all_roles = admin.get_all_roles_of_user(user_id=user_id)
+    realm_roles = all_roles["realmMappings"]
+    assert len(realm_roles) == 1, realm_roles
+    client_roles = all_roles["clientMappings"]
+    assert len(client_roles) == 1, client_roles
+
+    # Test all level user roles fail
+    with pytest.raises(KeycloakGetError) as err:
+        admin.get_all_roles_of_user(user_id="non-existent-id")
+    err.match('404: b\'{"error":"User not found"}\'')
+
+    admin.delete_user(user_id)
+    admin.delete_client(client_id)
+
+
 def test_users_pagination(admin: KeycloakAdmin, realm: str):
     """Test user pagination.