Release (#29)

* Fix develop dockerfile * Change keycloak urls * Fix develop workflow tag * Fix production workflow * Change log message * Change config * Add health check * Fix health check * Add ready health endpoint * Fix issue * Change workflow filenames * Eoepca 910 um keycloak develop an identity api based on keycloak api (#17) * feat: policies endpoints added, not completely * feat: working on update policies * feat: all remaining added, still policy update not working, create and update scope based permission not working * feat: last resource permissions endpoints added and working * fix: changed pyyaml version from 5.4.1 to 5.3.1 * feat: endpoints changed * Update README * Update config * Update config * Update config * Api testing (#18) * feat: added client_id as param to enpoints and other fixes * added changes for permissions endpoints * Update ci * Update ci * Release v1.0.0 * Fix ci * Fix requirements * Fix ci * Upgrade flask version * Update requirements * feat: added error handling (#23) * feat: added validator of register and protect resource enpoint to test * feat: register and protect resources endpoint working * feat: added delete resources, policies and permissions * Update ci * Update ci * Fix ci * Add options method to endpoints * feat: added endpoint to create client, add resources and protect them if provided * Revert "Add options method to endpoints" This reverts commit 9d8c034. * fea: commit fixes * feat: more fixes, some endpoint were dounbled * fix: last fix * Update ci * fix: policies fix, response now return client id and resources created * feat: create client default to confidential and authorization enabled * Convert to FastAPI * Convert to FastAPI * changes to models * Remove file * Add error handling, pydantic models, files restructuring * Fix issues * Handle keycloak error message * added fildes to models and descriptions * Add authenticated field * Clean and reformat * Point to keycloak client 1.0.0 * Change logging * Fix readme * Clean * Change logging * Clean * merge to develop * added default resource to response list * Create default resource * Fix policies issue * Improvements * Change keycloak client to v1.0.0 * Clarify readme --------- Co-authored-by: flaviorosadme <82375986+flaviorosadme@users.noreply.github.com> Co-authored-by: flaviorosadme <flavio.rosa@deimos.com.pt>
EOEPCA · Nov 17, 2023 · e24b28d · e24b28d
1 parent 620a77b
commit e24b28d
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 40 deletions.
diff --git a/README.md b/README.md
@@ -80,7 +80,7 @@ cd um-identity-api
 
 3. Execute
 
-   3.1 Run with docker compose
+   3.1 Run with docker compose (Identity API + Keycloak + Postgres)
     ```sh
     docker compose up -d --build
     ```

diff --git a/app/routers/clients_resources.py b/app/routers/clients_resources.py
@@ -1,10 +1,12 @@
 from typing import List
 
-from fastapi import APIRouter
+from fastapi import APIRouter, HTTPException
 
 from app.keycloak_client import keycloak
+from app.log import logger
 from app.models.policies import PolicyType
 from app.models.resources import Resource
+from app.routers.resources import get_resources
 
 router = APIRouter(
     prefix="/{client_id}/resources",
@@ -16,40 +18,73 @@
 def register_resources(client_id: str, resources: List[Resource]):
     response_list = []
     for resource in resources:
-        resource_name = resource.name.replace(" ", "_")
-        res = {
-            "name": resource_name,
-            "uris": resource.uris,
-            "scopes": resource.scopes,
-        }
-        response_resource = keycloak.register_resource(res, client_id)
-        response_list.append(response_resource)
-        permissions = resource.permissions
-        policy_list = []
-        if permissions.role:
-            policy = {
-                "name": f'{resource_name}_role_policy',
-                "roles": [{"id": p} for p in permissions.role]
+        if resource.name.lower() == "default resource":
+            client_resources = get_resources(client_id)
+            default_resource = None
+            for client_resource in client_resources:
+                if client_resource["name"].lower() == "default resource":
+                    default_resource = client_resource
+            if default_resource:
+                # update default resource
+                default_resource["scopes"] = resource.scopes
+                update_resource(client_id=client_id, resource_id=default_resource['_id'], resource=default_resource)
+                response_list.append(default_resource)
+            else:
+                # create default resource
+                res = {
+                    "name": resource.name,
+                    "uris": resource.uris,
+                    "scopes": resource.scopes,
+                }
+                response_resource = keycloak.register_resource(res, client_id)
+                response_list.append(response_resource)
+            permission_payload = {
+                "type": "resource",
+                "name": f'{resource.name} Permission',
+                "decisionStrategy": "UNANIMOUS",
+                "resources": [
+                    resource.name
+                ],
+                "policies": ["Default Policy"]
             }
-            policy_response = keycloak.register_role_policy(policy, client_id)
-            policy_list.append(policy_response["name"])
-        if permissions.user:
-            policy = {
-                "name": f'{resource_name}_user_policy',
-                "users": permissions.user
+            keycloak.create_client_authz_resource_based_permission(client_id, permission_payload)
+        else:
+            res = {
+                "name": resource.name,
+                "uris": resource.uris,
+                "scopes": resource.scopes,
             }
-            policy_response = keycloak.register_user_policy(policy, client_id)
-            policy_list.append(policy_response["name"])
-        permission_payload = {
-            "type": "resource",
-            "name": f'{resource_name}_permission',
-            "decisionStrategy": resource.decisionStrategy,
-            "resources": [
-                resource_name
-            ],
-            "policies": policy_list
-        }
-        keycloak.create_client_authz_resource_based_permission(client_id, permission_payload)
+            response_resource = keycloak.register_resource(res, client_id)
+            response_list.append(response_resource)
+            permissions = resource.permissions
+            policy_list = []
+            if permissions.role:
+                policy = {
+                    "name": f'{resource.name} Role Policy',
+                    "roles": [{"id": p} for p in permissions.role]
+                }
+                policy_response = keycloak.register_role_policy(policy, client_id)
+                print(policy_response)
+                policy_list.append(policy_response["name"])
+            if permissions.user:
+                policy = {
+                    "name": f'{resource.name} User Policy',
+                    "users": permissions.user
+                }
+                policy_response = keycloak.register_user_policy(policy, client_id)
+                print(policy_response)
+                policy_list.append(policy_response["name"])
+            print(policy_list)
+            permission_payload = {
+                "type": "resource",
+                "name": f'{resource.name} Permission',
+                "decisionStrategy": resource.decisionStrategy,
+                "resources": [
+                    resource.name
+                ],
+                "policies": policy_list
+            }
+            keycloak.create_client_authz_resource_based_permission(client_id, permission_payload)
     return response_list
 
 
@@ -59,17 +94,17 @@ def delete_resource_and_policies(client_id: str, resource_name: str):
     client_policies = keycloak.get_client_authz_policies(client_id)
     for policy in client_policies:
         for policy_type in [e.value for e in PolicyType]:
-            if policy['name'] == f'{resource_name}_{policy_type}_policy':
+            if policy['name'].lower() == f'{resource_name} {policy_type} policy'.lower():
                 keycloak.delete_policy(policy['id'], client_id)
     # delete permissions
     permissions = keycloak.get_client_resource_permissions(client_id)
     for permission in permissions:
-        if permission['name'] == f'{resource_name}_permission':
+        if permission['name'].lower() == f'{resource_name} permission'.lower():
             keycloak.delete_resource_permissions(client_id, permission['id'])
     # delete resources
     resources = keycloak.get_resources(client_id)
     for resource in resources:
-        if resource['name'] == resource_name:
+        if resource['name'].lower() == resource_name.lower():
             return keycloak.delete_resource(resource['_id'], client_id)
 
 

diff --git a/app/routers/resources.py b/app/routers/resources.py
@@ -9,8 +9,8 @@
 
 
 @router.get("")
-def get_resources():
-    return keycloak.get_resources()
+def get_resources(client_id: str):
+    return keycloak.get_resources(client_id)
 
 
 @router.get("/resources/{resource_id}")

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -29,7 +29,8 @@ services:
         - KC_DB_PASSWORD=123456
         - KC_DB_USERNAME=keycloak
         - KC_DB_URL_PORT=5432
-      entrypoint: /opt/keycloak/bin/kc.sh start
+        - KC_FEATURES=account3,admin-fine-grained-authz,declarative-user-profile,recovery-codes,scripts
+      entrypoint: /opt/keycloak/bin/kc.sh start-dev
       restart: on-failure
   postgres:
     image: postgres:16.0