From 4d269ba34c483778818a4ffc0b7bd90b60473a0f Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:38:12 +0100 Subject: [PATCH 01/10] feat: uma extra payload --- src/keycloak/keycloak_openid.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/keycloak/keycloak_openid.py b/src/keycloak/keycloak_openid.py index d2c3b3d..a40c55c 100644 --- a/src/keycloak/keycloak_openid.py +++ b/src/keycloak/keycloak_openid.py @@ -731,7 +731,7 @@ def get_permissions(self, token, method_token_info="introspect", **kwargs): return list(set(permissions)) - def uma_permissions(self, token, permissions=""): + def uma_permissions(self, token, permissions="", **extra_payload): """Get UMA permissions by user token with requested permissions. The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be @@ -743,6 +743,8 @@ def uma_permissions(self, token, permissions=""): :type token: str :param permissions: list of uma permissions list(resource:scope) requested by the user :type permissions: str + :param extra_payload: Additional payload data + :type extra_payload: dict :returns: Keycloak server response :rtype: dict """ @@ -754,6 +756,7 @@ def uma_permissions(self, token, permissions=""): "permission": permission, "response_mode": "permissions", "audience": self.client_id, + **extra_payload, } orig_bearer = self.connection.headers.get("Authorization") @@ -1394,7 +1397,7 @@ async def a_get_permissions(self, token, method_token_info="introspect", **kwarg return list(set(permissions)) - async def a_uma_permissions(self, token, permissions=""): + async def a_uma_permissions(self, token, permissions="", **extra_payload): """Get UMA permissions by user token with requested permissions asynchronously. The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be @@ -1406,6 +1409,8 @@ async def a_uma_permissions(self, token, permissions=""): :type token: str :param permissions: list of uma permissions list(resource:scope) requested by the user :type permissions: str + :param extra_payload: Additional payload data + :type extra_payload: dict :returns: Keycloak server response :rtype: dict """ @@ -1417,6 +1422,7 @@ async def a_uma_permissions(self, token, permissions=""): "permission": list(permission), # httpx does not handle `set` correctly "response_mode": "permissions", "audience": self.client_id, + **extra_payload, } orig_bearer = self.connection.headers.get("Authorization") From b9f8bd29d009495a082d99becf7a1f8ef699389d Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:39:12 +0100 Subject: [PATCH 02/10] fix: get group by path should not raise on 404 --- src/keycloak/keycloak_admin.py | 4 ++-- tests/test_keycloak_admin.py | 18 ++++++++++++------ 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py index eeeaea3..6b8234e 100644 --- a/src/keycloak/keycloak_admin.py +++ b/src/keycloak/keycloak_admin.py @@ -1149,7 +1149,7 @@ def get_group_by_path(self, path): data_raw = self.connection.raw_get( urls_patterns.URL_ADMIN_GROUP_BY_PATH.format(**params_path) ) - return raise_error_from_response(data_raw, KeycloakGetError) + return raise_error_from_response(data_raw, KeycloakGetError, [200, 404]) def create_group(self, payload, parent=None, skip_exists=False): """Create a group in the Realm. @@ -5460,7 +5460,7 @@ async def a_get_group_by_path(self, path): data_raw = await self.connection.a_raw_get( urls_patterns.URL_ADMIN_GROUP_BY_PATH.format(**params_path) ) - return raise_error_from_response(data_raw, KeycloakGetError) + return raise_error_from_response(data_raw, KeycloakGetError, [200, 404]) async def a_create_group(self, payload, parent=None, skip_exists=False): """Create a group in the Realm asynchronously. diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py index e33614b..3e1e98f 100644 --- a/tests/test_keycloak_admin.py +++ b/tests/test_keycloak_admin.py @@ -845,9 +845,12 @@ def test_groups(admin: KeycloakAdmin, user: str): assert res is not None, res assert res["id"] == subgroup_id_1, res - with pytest.raises(KeycloakGetError) as err: - admin.get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1/test") - assert err.match('404: b\'{"error":"Group path does not exist".*}\'') + res = admin.get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1/test") + assert res == { + "error": "Group path does not exist", + "error_description": "For more on this error consult the server log at the " + "debug level.", + }, res res = admin.get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1") assert res is not None, res @@ -3947,9 +3950,12 @@ async def test_a_groups(admin: KeycloakAdmin, user: str): assert res is not None, res assert res["id"] == subgroup_id_1, res - with pytest.raises(KeycloakGetError) as err: - await admin.a_get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1/test") - assert err.match('404: b\'{"error":"Group path does not exist".*}\'') + res = await admin.a_get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1/test") + assert res == { + "error": "Group path does not exist", + "error_description": "For more on this error consult the server log at the " + "debug level.", + }, res res = await admin.a_get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1") assert res is not None, res From a9c03a4bca4c1868e85a88f1504502b27b9867f0 Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:39:52 +0100 Subject: [PATCH 03/10] feat: user profile metadata parameter for get_user method --- src/keycloak/keycloak_admin.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py index 6b8234e..4d1cf56 100644 --- a/src/keycloak/keycloak_admin.py +++ b/src/keycloak/keycloak_admin.py @@ -619,7 +619,7 @@ def get_user_id(self, username): users = self.get_users(query={"username": lower_user_name, "max": 1, "exact": True}) return users[0]["id"] if len(users) == 1 else None - def get_user(self, user_id): + def get_user(self, user_id, user_profile_metadata=False): """Get representation of the user. UserRepresentation @@ -627,10 +627,15 @@ def get_user(self, user_id): :param user_id: User id :type user_id: str + :param user_profile_metadata: Whether to include user profile metadata in the response + :type user_profile_metadata: bool :return: UserRepresentation """ params_path = {"realm-name": self.connection.realm_name, "id": user_id} - data_raw = self.connection.raw_get(urls_patterns.URL_ADMIN_USER.format(**params_path)) + data_raw = self.connection.raw_get( + urls_patterns.URL_ADMIN_USER.format(**params_path), + userProfileMetadata=user_profile_metadata, + ) return raise_error_from_response(data_raw, KeycloakGetError) def get_user_groups(self, user_id, query=None, brief_representation=True): @@ -4922,7 +4927,7 @@ async def a_get_user_id(self, username): ) return users[0]["id"] if len(users) == 1 else None - async def a_get_user(self, user_id): + async def a_get_user(self, user_id, user_profile_metadata=False): """Get representation of the user asynchronously. UserRepresentation @@ -4930,11 +4935,14 @@ async def a_get_user(self, user_id): :param user_id: User id :type user_id: str + :param user_profile_metadata: whether to include user profile metadata in the response + :type user_profile_metadata: bool :return: UserRepresentation """ params_path = {"realm-name": self.connection.realm_name, "id": user_id} data_raw = await self.connection.a_raw_get( - urls_patterns.URL_ADMIN_USER.format(**params_path) + urls_patterns.URL_ADMIN_USER.format(**params_path), + userProfileMetadata=user_profile_metadata, ) return raise_error_from_response(data_raw, KeycloakGetError) From 5fa7ea160ebf58edd12de73d5d4738f399c80840 Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:41:03 +0100 Subject: [PATCH 04/10] feat: uma extra payload --- src/keycloak/keycloak_uma.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/keycloak/keycloak_uma.py b/src/keycloak/keycloak_uma.py index c64193f..1c00c0f 100644 --- a/src/keycloak/keycloak_uma.py +++ b/src/keycloak/keycloak_uma.py @@ -318,7 +318,7 @@ def permission_ticket_create(self, permissions: Iterable[UMAPermission]): ) return raise_error_from_response(data_raw, KeycloakPostError) - def permissions_check(self, token, permissions: Iterable[UMAPermission]): + def permissions_check(self, token, permissions: Iterable[UMAPermission], **extra_payload): """Check UMA permissions by user token with requested permissions. The token endpoint is used to check UMA permissions from Keycloak. It can only be @@ -330,6 +330,8 @@ def permissions_check(self, token, permissions: Iterable[UMAPermission]): :type token: str :param permissions: Iterable of uma permissions to validate the token against :type permissions: Iterable[UMAPermission] + :param extra_payload: extra payload data + :type extra_payload: dict :returns: Keycloak decision :rtype: boolean """ @@ -338,6 +340,7 @@ def permissions_check(self, token, permissions: Iterable[UMAPermission]): "permission": ",".join(str(permission) for permission in permissions), "response_mode": "decision", "audience": self.connection.client_id, + **extra_payload, } # Everyone always has the null set of permissions @@ -657,7 +660,9 @@ async def a_permission_ticket_create(self, permissions: Iterable[UMAPermission]) ) return raise_error_from_response(data_raw, KeycloakPostError) - async def a_permissions_check(self, token, permissions: Iterable[UMAPermission]): + async def a_permissions_check( + self, token, permissions: Iterable[UMAPermission], **extra_payload + ): """Check UMA permissions by user token with requested permissions asynchronously. The token endpoint is used to check UMA permissions from Keycloak. It can only be @@ -669,6 +674,8 @@ async def a_permissions_check(self, token, permissions: Iterable[UMAPermission]) :type token: str :param permissions: Iterable of uma permissions to validate the token against :type permissions: Iterable[UMAPermission] + :param extra_payload: extra payload data + :type extra_payload: dict :returns: Keycloak decision :rtype: boolean """ @@ -677,6 +684,7 @@ async def a_permissions_check(self, token, permissions: Iterable[UMAPermission]) "permission": ",".join(str(permission) for permission in permissions), "response_mode": "decision", "audience": self.connection.client_id, + **extra_payload, } # Everyone always has the null set of permissions From b37edc8ba9791d55bca09acaa463528b7a755073 Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:41:27 +0100 Subject: [PATCH 05/10] fix: check uma permissions with resource ID as well --- src/keycloak/keycloak_openid.py | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/keycloak/keycloak_openid.py b/src/keycloak/keycloak_openid.py index a40c55c..30670a4 100644 --- a/src/keycloak/keycloak_openid.py +++ b/src/keycloak/keycloak_openid.py @@ -803,13 +803,13 @@ def has_uma_access(self, token, permissions): raise for resource_struct in granted: - resource = resource_struct["rsname"] - scopes = resource_struct.get("scopes", None) - if not scopes: - needed.discard(resource) - continue - for scope in scopes: # pragma: no cover - needed.discard("{}#{}".format(resource, scope)) + for resource in (resource_struct["rsname"], resource_struct["rsid"]): + scopes = resource_struct.get("scopes", None) + if not scopes: + needed.discard(resource) + continue + for scope in scopes: # pragma: no cover + needed.discard("{}#{}".format(resource, scope)) return AuthStatus( is_logged_in=True, is_authorized=len(needed) == 0, missing_permissions=needed @@ -1469,13 +1469,13 @@ async def a_has_uma_access(self, token, permissions): raise for resource_struct in granted: - resource = resource_struct["rsname"] - scopes = resource_struct.get("scopes", None) - if not scopes: - needed.discard(resource) - continue - for scope in scopes: # pragma: no cover - needed.discard("{}#{}".format(resource, scope)) + for resource in (resource_struct["rsname"], resource_struct["rsid"]): + scopes = resource_struct.get("scopes", None) + if not scopes: + needed.discard(resource) + continue + for scope in scopes: # pragma: no cover + needed.discard("{}#{}".format(resource, scope)) return AuthStatus( is_logged_in=True, is_authorized=len(needed) == 0, missing_permissions=needed From 0fd1cd663aff473f65538bf129e090bfe9b77d72 Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:42:10 +0100 Subject: [PATCH 06/10] docs: fixed docs for get_client_role --- src/keycloak/keycloak_admin.py | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py index 4d1cf56..2f56655 100644 --- a/src/keycloak/keycloak_admin.py +++ b/src/keycloak/keycloak_admin.py @@ -2129,9 +2129,7 @@ def get_client_roles(self, client_id, brief_representation=True): return raise_error_from_response(data_raw, KeycloakGetError) def get_client_role(self, client_id, role_name): - """Get client role id by name. - - This is required for further actions with this role. + """Get client role by name. RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation @@ -2140,8 +2138,8 @@ def get_client_role(self, client_id, role_name): :type client_id: str :param role_name: role's name (not id!) :type role_name: str - :return: role_id - :rtype: str + :return: Role object + :rtype: dict """ params_path = { "realm-name": self.connection.realm_name, @@ -6453,19 +6451,14 @@ async def a_get_client_roles(self, client_id, brief_representation=True): return raise_error_from_response(data_raw, KeycloakGetError) async def a_get_client_role(self, client_id, role_name): - """Get client role id by name asynchronously. - - This is required for further actions with this role. - - RoleRepresentation - https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation + """Get client role by name asynchronously. :param client_id: id of client (not client-id) :type client_id: str :param role_name: role's name (not id!) :type role_name: str - :return: role_id - :rtype: str + :return: Role object + :rtype: dict """ params_path = { "realm-name": self.connection.realm_name, From c17f830f6fa76c5f47ee6440853f50909a8afd14 Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:42:35 +0100 Subject: [PATCH 07/10] feat: get_client_all_sessions now supports pagination --- src/keycloak/keycloak_admin.py | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py index 2f56655..b69f8df 100644 --- a/src/keycloak/keycloak_admin.py +++ b/src/keycloak/keycloak_admin.py @@ -3966,7 +3966,7 @@ def set_events(self, payload): ) return raise_error_from_response(data_raw, KeycloakPutError, expected_codes=[204]) - def get_client_all_sessions(self, client_id): + def get_client_all_sessions(self, client_id, query=None): """Get sessions associated with the client. UserSessionRepresentation @@ -3974,14 +3974,18 @@ def get_client_all_sessions(self, client_id): :param client_id: id of client :type client_id: str + :param query: Additional query parameters + :type query: dict :return: UserSessionRepresentation :rtype: list """ + query = query or {} params_path = {"realm-name": self.connection.realm_name, "id": client_id} - data_raw = self.connection.raw_get( - urls_patterns.URL_ADMIN_CLIENT_ALL_SESSIONS.format(**params_path) - ) - return raise_error_from_response(data_raw, KeycloakGetError) + url = urls_patterns.URL_ADMIN_CLIENT_ALL_SESSIONS.format(**params_path) + if "first" in query or "max" in query: + return self.__fetch_paginated(url, query) + + return self.__fetch_all(url, query) def get_client_sessions_stats(self): """Get current session count for all clients with active sessions. @@ -8300,7 +8304,7 @@ async def a_set_events(self, payload): ) return raise_error_from_response(data_raw, KeycloakPutError, expected_codes=[204]) - async def a_get_client_all_sessions(self, client_id): + async def a_get_client_all_sessions(self, client_id, query=None): """Get sessions associated with the client asynchronously. UserSessionRepresentation @@ -8308,14 +8312,18 @@ async def a_get_client_all_sessions(self, client_id): :param client_id: id of client :type client_id: str + :param query: Additional query parameters + :type query: dict :return: UserSessionRepresentation :rtype: list """ + query = query or {} params_path = {"realm-name": self.connection.realm_name, "id": client_id} - data_raw = await self.connection.a_raw_get( - urls_patterns.URL_ADMIN_CLIENT_ALL_SESSIONS.format(**params_path) - ) - return raise_error_from_response(data_raw, KeycloakGetError) + url = urls_patterns.URL_ADMIN_CLIENT_ALL_SESSIONS.format(**params_path) + if "first" in query or "max" in query: + return await self.a___fetch_paginated(url, query) + + return await self.a___fetch_all(url, query) async def a_get_client_sessions_stats(self): """Get current session count for all clients with active sessions asynchronously. From e5f3cb6bd12433b894d2dadc6b749caadae1df70 Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 13:42:46 +0100 Subject: [PATCH 08/10] chore: updated dependencies --- poetry.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/poetry.lock b/poetry.lock index 4099c2f..2b37d7f 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand. [[package]] name = "alabaster" @@ -1415,20 +1415,20 @@ dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments [[package]] name = "pytest-asyncio" -version = "0.24.0" +version = "0.25.0" description = "Pytest support for asyncio" optional = false -python-versions = ">=3.8" +python-versions = ">=3.9" files = [ - {file = "pytest_asyncio-0.24.0-py3-none-any.whl", hash = "sha256:a811296ed596b69bf0b6f3dc40f83bcaf341b155a269052d82efa2b25ac7037b"}, - {file = "pytest_asyncio-0.24.0.tar.gz", hash = "sha256:d081d828e576d85f875399194281e92bf8a68d60d72d1a2faf2feddb6c46b276"}, + {file = "pytest_asyncio-0.25.0-py3-none-any.whl", hash = "sha256:db5432d18eac6b7e28b46dcd9b69921b55c3b1086e85febfe04e70b18d9e81b3"}, + {file = "pytest_asyncio-0.25.0.tar.gz", hash = "sha256:8c0610303c9e0442a5db8604505fc0f545456ba1528824842b37b4a626cbf609"}, ] [package.dependencies] pytest = ">=8.2,<9" [package.extras] -docs = ["sphinx (>=5.3)", "sphinx-rtd-theme (>=1.0)"] +docs = ["sphinx (>=5.3)", "sphinx-rtd-theme (>=1)"] testing = ["coverage (>=6.2)", "hypothesis (>=5.7.1)"] [[package]] From 01e76946482a31a9bc00a2c58d143c8f1419f4b5 Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 16:10:41 +0100 Subject: [PATCH 09/10] test: simplify assertion for non-existent group path error --- tests/test_keycloak_admin.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py index 3e1e98f..68b2be1 100644 --- a/tests/test_keycloak_admin.py +++ b/tests/test_keycloak_admin.py @@ -3951,11 +3951,7 @@ async def test_a_groups(admin: KeycloakAdmin, user: str): assert res["id"] == subgroup_id_1, res res = await admin.a_get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1/test") - assert res == { - "error": "Group path does not exist", - "error_description": "For more on this error consult the server log at the " - "debug level.", - }, res + assert res["error"] == "Group path does not exist" res = await admin.a_get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1") assert res is not None, res From 3548e1e8ecbbe1cdda7895418fac205c1d6a509b Mon Sep 17 00:00:00 2001 From: Richard Nemeth Date: Sat, 14 Dec 2024 16:12:02 +0100 Subject: [PATCH 10/10] test: simplify assertion for non-existent group path error --- tests/test_keycloak_admin.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py index 68b2be1..04179a8 100644 --- a/tests/test_keycloak_admin.py +++ b/tests/test_keycloak_admin.py @@ -846,11 +846,7 @@ def test_groups(admin: KeycloakAdmin, user: str): assert res["id"] == subgroup_id_1, res res = admin.get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1/test") - assert res == { - "error": "Group path does not exist", - "error_description": "For more on this error consult the server log at the " - "debug level.", - }, res + assert res["error"] == "Group path does not exist" res = admin.get_group_by_path(path="/main-group/subgroup-2/subsubgroup-1") assert res is not None, res