EOEPCA · daniel-pimenta-DME · Nov 9, 2023 · Jul 5, 2023 · Jul 5, 2023 · Jul 5, 2023
diff --git a/.github/workflows/docker-publish-develop.yml b/.github/workflows/docker-publish-develop.yml
@@ -36,9 +36,9 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
         with:
-          cosign-release: 'v1.13.1'
+          cosign-release: 'v2.1.1'
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
@@ -78,7 +78,6 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker
       # repository is public to avoid leaking data.  If you would like to publish
@@ -87,10 +86,12 @@ jobs:
       - name: Sign the published Docker image
         if: ${{ github.event_name != 'pull_request' }}
         env:
-          COSIGN_EXPERIMENTAL: "true"
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 
       - name: Log into registry ${{ env.DOCKER_REGISTRY }}
         uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9

diff --git a/.github/workflows/docker-publish-master.yml b/.github/workflows/docker-publish-master.yml
@@ -37,9 +37,9 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
         with:
-          cosign-release: 'v1.13.1'
+          cosign-release: 'v2.1.1'
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
@@ -87,10 +87,12 @@ jobs:
       - name: Sign the published Docker image
         if: ${{ github.event_name != 'pull_request' }}
         env:
-          COSIGN_EXPERIMENTAL: "true"
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 
       - name: Log into registry ${{ env.DOCKER_REGISTRY }}
         uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9

diff --git a/src/blueprints/resources.py b/src/blueprints/resources.py
@@ -39,7 +39,7 @@ def register_resource(client_id: str ):
 
 
     @resources.route("/<client_id>/register-resources", methods=["OPTIONS", "POST"])
-    def register_and_protect_resources(client_id: str ):
+    def register_and_protect_resources(client_id: str, payload=None ):
         """payload = [{
             "resource":{
                 "name": "resource1",
@@ -60,7 +60,8 @@ def register_and_protect_resources(client_id: str ):
             },
             "decisionStrategy": "UNANIMOUS"
         }]"""
-        payload = request.get_json()
+        if payload == None:
+            payload = request.get_json()
         policy_list = []
 
         response_list = []
@@ -142,7 +143,6 @@ def delete_resource_and_policies(client_id: str, resource_name: str):
                 return custom_error(error.error_message, error.response_code)
         except:
             return custom_error("Unknown server error", 500)
-
 
     @resources.route("/<client_id>/resources/<resource_id>", methods=["OPTIONS", "PUT"])
     def update_resource(client_id: str, resource_id: str):
@@ -164,6 +164,74 @@ def delete_resource(client_id: str, resource_id: str):
             return custom_error(error.error_message, error.response_code)
         except:
             return custom_error("Unknown server error", 500)
+
+    @resources.route("/create-client", methods=["POST"])
+    def create_client():
+        payload = request.get_json()
+        helper_text = """ The following fields are allowed:
+clientId*: String
+name: String
+description: String
+rootUrl: String
+adminUrl: String
+baseUrl: String
+surrogateAuthRequired: Boolean
+enabled: Boolean
+alwaysDisplayInConsole: Boolean
+clientAuthenticatorType: String
+secret: String
+registrationAccessToken: String
+defaultRoles: List of [string]
+redirectUris: List of [string]
+webOrigins: List of [string]
+notBefore: Integer
+bearerOnly: Boolean
+consentRequired: Boolean
+standardFlowEnabled: Boolean
+implicitFlowEnabled: Boolean
+directAccessGrantsEnabled: Boolean
+serviceAccountsEnabled: Boolean
+oauth2DeviceAuthorizationGrantEnabled: Boolean
+authorizationServicesEnabled: Boolean
+directGrantsOnly: Boolean
+publicClient: Boolean
+frontchannelLogout: Boolean
+protocol: String
+attributes: Map of [string]
+authenticationFlowBindingOverrides: Map of [string]
+fullScopeAllowed: Boolean
+nodeReRegistrationTimeout: Integer
+registeredNodes: Map of [integer]
+protocolMappers: List of ProtocolMapperRepresentation
+clientTemplate: String
+useTemplateConfig: Boolean
+useTemplateScope: Boolean
+useTemplateMappers: Boolean
+defaultClientScopes: List of [string]
+ClientScopes: List of [string]
+authorizationSettings: ResourceServerRepresentation
+access: Map of [boolean]
+origin: String
+resources: List of[Resource Representation]"""
+        if 'clientId' not in payload:
+            return custom_error("The field 'client_id' is mandatory", 400)
+        if 'redirectUris' not in payload:
+            payload['redirectUris'] = ['*']
+        if 'standardFlowEnabled' not in payload:
+            payload['standardFlowEnabled'] = True
+        if 'protocol' not in payload:
+            payload['protocol'] = 'openid-connect'
+        if 'resources' in payload:
+            resources = payload['resources']
+            del payload['resources']
+            keycloak_client.create_client(payload)
+            return register_and_protect_resources(payload['clientId'], resources)
+        try:
+            return keycloak_client.create_client(payload)
+        except KeycloakPostError as error:
+                return custom_error(error.error_message, error.response_code)
+        except:
+            return custom_error("Unknown server error", 500)
 
     def custom_error(message, status_code): 
         return message, status_code