Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
910 Commits
16 Branches
109 Tags
19 MiB
Tree: 032418de63
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '032418de63'
${ noResults }
python-keycloak/src/keycloak/keycloak_uma.py

795 lines
29 KiB
Raw Normal View History

feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
docs: Update all links (#546) Update all links to the Keycloak Admin REST API for the current version.
7 months ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
docs: Update all links (#546) Update all links to the Keycloak Admin REST API for the current version.
7 months ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
docs: Update all links (#546) Update all links to the Keycloak Admin REST API for the current version.
7 months ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add matchingUri support for listing resources with wildcards (#592) * feat: add matchingUri support for listing resources with wildcards * fix: change formatting
2 months ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add matchingUri support for listing resources with wildcards (#592) * feat: add matchingUri support for listing resources with wildcards * fix: change formatting
2 months ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add matchingUri support for listing resources with wildcards (#592) * feat: add matchingUri support for listing resources with wildcards * fix: change formatting
2 months ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
docs: Update all links (#546) Update all links to the Keycloak Admin REST API for the current version.
7 months ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
docs: Update all links (#546) Update all links to the Keycloak Admin REST API for the current version.
7 months ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
docs: Update all links (#546) Update all links to the Keycloak Admin REST API for the current version.
7 months ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
feat: add matchingUri support for listing resources with wildcards (#592) * feat: add matchingUri support for listing resources with wildcards * fix: change formatting
2 months ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
feat: add matchingUri support for listing resources with wildcards (#592) * feat: add matchingUri support for listing resources with wildcards * fix: change formatting
2 months ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
feat: add matchingUri support for listing resources with wildcards (#592) * feat: add matchingUri support for listing resources with wildcards * fix: change formatting
2 months ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
  1. # -*- coding: utf-8 -*-
  2. #
  3. # The MIT License (MIT)
  4. #
  5. # Copyright (C) 2017 Marcos Pereira <marcospereira.mpj@gmail.com>
  6. #
  7. # Permission is hereby granted, free of charge, to any person obtaining a copy of
  8. # this software and associated documentation files (the "Software"), to deal in
  9. # the Software without restriction, including without limitation the rights to
  10. # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
  11. # the Software, and to permit persons to whom the Software is furnished to do so,
  12. # subject to the following conditions:
  13. #
  14. # The above copyright notice and this permission notice shall be included in all
  15. # copies or substantial portions of the Software.
  16. #
  17. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18. # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
  19. # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
  20. # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
  21. # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  22. # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  24. """Keycloak UMA module.
  26. The module contains a UMA compatible client for keycloak:
  27. https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html
  28. """
  29. import json
  30. from typing import Iterable
  31. from urllib.parse import quote_plus
  33. from async_property import async_property
  35. from .connection import ConnectionManager
  36. from .exceptions import (
  37. KeycloakDeleteError,
  38. KeycloakGetError,
  39. KeycloakPostError,
  40. KeycloakPutError,
  41. raise_error_from_response,
  42. )
  43. from .openid_connection import KeycloakOpenIDConnection
  44. from .uma_permissions import UMAPermission
  45. from .urls_patterns import URL_UMA_WELL_KNOWN
  48. class KeycloakUMA:
  49. """Keycloak UMA client.
  51. :param connection: OpenID connection manager
  52. """
  54. def __init__(self, connection: KeycloakOpenIDConnection):
  55. """Init method.
  57. :param connection: OpenID connection manager
  58. :type connection: KeycloakOpenIDConnection
  59. """
  60. self.connection = connection
  61. self._well_known = None
  63. def _fetch_well_known(self):
  64. params_path = {"realm-name": self.connection.realm_name}
  65. data_raw = self.connection.raw_get(URL_UMA_WELL_KNOWN.format(**params_path))
  66. return raise_error_from_response(data_raw, KeycloakGetError)
  68. @staticmethod
  69. def format_url(url, **kwargs):
  70. """Substitute url path parameters.
  72. Given a parameterized url string, returns the string after url encoding and substituting
  73. the given params. For example,
  74. `format_url("https://myserver/{my_resource}/{id}", my_resource="hello world", id="myid")`
  75. would produce `https://myserver/hello+world/myid`.
  77. :param url: url string to format
  78. :type url: str
  79. :param kwargs: dict containing kwargs to substitute
  80. :type kwargs: dict
  81. :return: formatted string
  82. :rtype: str
  83. """
  84. return url.format(**{k: quote_plus(v) for k, v in kwargs.items()})
  86. @staticmethod
  87. async def a_format_url(url, **kwargs):
  88. """Substitute url path parameters.
  90. Given a parameterized url string, returns the string after url encoding and substituting
  91. the given params. For example,
  92. `format_url("https://myserver/{my_resource}/{id}", my_resource="hello world", id="myid")`
  93. would produce `https://myserver/hello+world/myid`.
  95. :param url: url string to format
  96. :type url: str
  97. :param kwargs: dict containing kwargs to substitute
  98. :type kwargs: dict
  99. :return: formatted string
  100. :rtype: str
  101. """
  102. return url.format(**{k: quote_plus(v) for k, v in kwargs.items()})
  104. @property
  105. def uma_well_known(self):
  106. """Get the well_known UMA2 config.
  108. :returns: It lists endpoints and other configuration options relevant
  109. :rtype: dict
  110. """
  111. # per instance cache
  112. if not self._well_known:
  113. self._well_known = self._fetch_well_known()
  114. return self._well_known
  116. @async_property
  117. async def a_uma_well_known(self):
  118. """Get the well_known UMA2 config async.
  120. :returns: It lists endpoints and other configuration options relevant
  121. :rtype: dict
  122. """
  123. if not self._well_known:
  124. self._well_known = await self.a__fetch_well_known()
  125. return self._well_known
  127. def resource_set_create(self, payload):
  128. """Create a resource set.
  130. Spec
  131. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1
  133. ResourceRepresentation
  134. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  136. :param payload: ResourceRepresentation
  137. :type payload: dict
  138. :return: ResourceRepresentation with the _id property assigned
  139. :rtype: dict
  140. """
  141. data_raw = self.connection.raw_post(
  142. self.uma_well_known["resource_registration_endpoint"], data=json.dumps(payload)
  143. )
  144. return raise_error_from_response(data_raw, KeycloakPostError, expected_codes=[201])
  146. def resource_set_update(self, resource_id, payload):
  147. """Update a resource set.
  149. Spec
  150. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set
  152. ResourceRepresentation
  153. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  155. :param resource_id: id of the resource
  156. :type resource_id: str
  157. :param payload: ResourceRepresentation
  158. :type payload: dict
  159. :return: Response dict (empty)
  160. :rtype: dict
  161. """
  162. url = self.format_url(
  163. self.uma_well_known["resource_registration_endpoint"] + "/{id}", id=resource_id
  164. )
  165. data_raw = self.connection.raw_put(url, data=json.dumps(payload))
  166. return raise_error_from_response(data_raw, KeycloakPutError, expected_codes=[204])
  168. def resource_set_read(self, resource_id):
  169. """Read a resource set.
  171. Spec
  172. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set
  174. ResourceRepresentation
  175. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  177. :param resource_id: id of the resource
  178. :type resource_id: str
  179. :return: ResourceRepresentation
  180. :rtype: dict
  181. """
  182. url = self.format_url(
  183. self.uma_well_known["resource_registration_endpoint"] + "/{id}", id=resource_id
  184. )
  185. data_raw = self.connection.raw_get(url)
  186. return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[200])
  188. def resource_set_delete(self, resource_id):
  189. """Delete a resource set.
  191. Spec
  192. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set
  194. :param resource_id: id of the resource
  195. :type resource_id: str
  196. :return: Response dict (empty)
  197. :rtype: dict
  198. """
  199. url = self.format_url(
  200. self.uma_well_known["resource_registration_endpoint"] + "/{id}", id=resource_id
  201. )
  202. data_raw = self.connection.raw_delete(url)
  203. return raise_error_from_response(data_raw, KeycloakDeleteError, expected_codes=[204])
  205. def resource_set_list_ids(
  206. self,
  207. name: str = "",
  208. exact_name: bool = False,
  209. uri: str = "",
  210. owner: str = "",
  211. resource_type: str = "",
  212. scope: str = "",
  213. matchingUri: bool = False,
  214. first: int = 0,
  215. maximum: int = -1,
  216. ):
  217. """Query for list of resource set ids.
  219. Spec
  220. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
  222. :param name: query resource name
  223. :type name: str
  224. :param exact_name: query exact match for resource name
  225. :type exact_name: bool
  226. :param uri: query resource uri
  227. :type uri: str
  228. :param owner: query resource owner
  229. :type owner: str
  230. :param resource_type: query resource type
  231. :type resource_type: str
  232. :param scope: query resource scope
  233. :type scope: str
  234. :param matchingUri: enable URI matching
  235. :type matchingUri: bool
  236. :param first: index of first matching resource to return
  237. :type first: int
  238. :param maximum: maximum number of resources to return (-1 for all)
  239. :type maximum: int
  240. :return: List of ids
  241. :rtype: List[str]
  242. """
  243. query = dict()
  244. if name:
  245. query["name"] = name
  246. if exact_name:
  247. query["exactName"] = "true"
  248. if uri:
  249. query["uri"] = uri
  250. if owner:
  251. query["owner"] = owner
  252. if resource_type:
  253. query["type"] = resource_type
  254. if scope:
  255. query["scope"] = scope
  256. if matchingUri:
  257. query["matchingUri"] = "true"
  258. if first > 0:
  259. query["first"] = first
  260. if maximum >= 0:
  261. query["max"] = maximum
  263. data_raw = self.connection.raw_get(
  264. self.uma_well_known["resource_registration_endpoint"], **query
  265. )
  266. return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[200])
  268. def resource_set_list(self):
  269. """List all resource sets.
  271. Spec
  272. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
  274. ResourceRepresentation
  275. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  277. :yields: Iterator over a list of ResourceRepresentations
  278. :rtype: Iterator[dict]
  279. """
  280. for resource_id in self.resource_set_list_ids():
  281. resource = self.resource_set_read(resource_id)
  282. yield resource
  284. def permission_ticket_create(self, permissions: Iterable[UMAPermission]):
  285. """Create a permission ticket.
  287. :param permissions: Iterable of uma permissions to validate the token against
  288. :type permissions: Iterable[UMAPermission]
  289. :returns: Keycloak decision
  290. :rtype: boolean
  291. :raises KeycloakPostError: In case permission resource not found
  292. """
  293. resources = dict()
  294. for permission in permissions:
  295. resource_id = getattr(permission, "resource_id", None)
  297. if resource_id is None:
  298. resource_ids = self.resource_set_list_ids(
  299. exact_name=True, name=permission.resource, first=0, maximum=1
  300. )
  302. if not resource_ids:
  303. raise KeycloakPostError("Invalid resource specified")
  305. setattr(permission, "resource_id", resource_ids[0])
  307. resources.setdefault(resource_id, set())
  308. if permission.scope:
  309. resources[resource_id].add(permission.scope)
  311. payload = [
  312. {"resource_id": resource_id, "resource_scopes": list(scopes)}
  313. for resource_id, scopes in resources.items()
  314. ]
  316. data_raw = self.connection.raw_post(
  317. self.uma_well_known["permission_endpoint"], data=json.dumps(payload)
  318. )
  319. return raise_error_from_response(data_raw, KeycloakPostError)
  321. def permissions_check(self, token, permissions: Iterable[UMAPermission]):
  322. """Check UMA permissions by user token with requested permissions.
  324. The token endpoint is used to check UMA permissions from Keycloak. It can only be
  325. invoked by confidential clients.
  327. https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api
  329. :param token: user token
  330. :type token: str
  331. :param permissions: Iterable of uma permissions to validate the token against
  332. :type permissions: Iterable[UMAPermission]
  333. :returns: Keycloak decision
  334. :rtype: boolean
  335. """
  336. payload = {
  337. "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  338. "permission": ",".join(str(permission) for permission in permissions),
  339. "response_mode": "decision",
  340. "audience": self.connection.client_id,
  341. }
  343. # Everyone always has the null set of permissions
  344. # However keycloak cannot evaluate the null set
  345. if len(payload["permission"]) == 0:
  346. return True
  348. connection = ConnectionManager(self.connection.base_url)
  349. connection.add_param_headers("Authorization", "Bearer " + token)
  350. connection.add_param_headers("Content-Type", "application/x-www-form-urlencoded")
  351. data_raw = connection.raw_post(self.uma_well_known["token_endpoint"], data=payload)
  352. try:
  353. data = raise_error_from_response(data_raw, KeycloakPostError)
  354. except KeycloakPostError:
  355. return False
  356. return data.get("result", False)
  358. def policy_resource_create(self, resource_id, payload):
  359. """Create permission policy for resource.
  361. Supports name, description, scopes, roles, groups, clients
  363. https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource
  365. :param resource_id: _id of resource
  366. :type resource_id: str
  367. :param payload: permission configuration
  368. :type payload: dict
  369. :return: PermissionRepresentation
  370. :rtype: dict
  371. """
  372. data_raw = self.connection.raw_post(
  373. self.uma_well_known["policy_endpoint"] + f"/{resource_id}", data=json.dumps(payload)
  374. )
  375. return raise_error_from_response(data_raw, KeycloakPostError)
  377. def policy_update(self, policy_id, payload):
  378. """Update permission policy.
  380. https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource
  381. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation
  383. :param policy_id: id of policy permission
  384. :type policy_id: str
  385. :param payload: policy permission configuration
  386. :type payload: dict
  387. :return: PermissionRepresentation
  388. :rtype: dict
  389. """
  390. data_raw = self.connection.raw_put(
  391. self.uma_well_known["policy_endpoint"] + f"/{policy_id}", data=json.dumps(payload)
  392. )
  393. return raise_error_from_response(data_raw, KeycloakPutError)
  395. def policy_delete(self, policy_id):
  396. """Delete permission policy.
  398. https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission
  399. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation
  401. :param policy_id: id of permission policy
  402. :type policy_id: str
  403. :return: PermissionRepresentation
  404. :rtype: dict
  405. """
  406. data_raw = self.connection.raw_delete(
  407. self.uma_well_known["policy_endpoint"] + f"/{policy_id}"
  408. )
  409. return raise_error_from_response(data_raw, KeycloakDeleteError)
  411. def policy_query(
  412. self,
  413. resource: str = "",
  414. name: str = "",
  415. scope: str = "",
  416. first: int = 0,
  417. maximum: int = -1,
  418. ):
  419. """Query permission policies.
  421. https://www.keycloak.org/docs/latest/authorization_services/#querying-permission
  423. :param resource: query resource id
  424. :type resource: str
  425. :param name: query resource name
  426. :type name: str
  427. :param scope: query resource scope
  428. :type scope: str
  429. :param first: index of first matching resource to return
  430. :type first: int
  431. :param maximum: maximum number of resources to return (-1 for all)
  432. :type maximum: int
  433. :return: List of ids
  434. :return: List of ids
  435. :rtype: List[str]
  436. """
  437. query = dict()
  438. if name:
  439. query["name"] = name
  440. if resource:
  441. query["resource"] = resource
  442. if scope:
  443. query["scope"] = scope
  444. if first > 0:
  445. query["first"] = first
  446. if maximum >= 0:
  447. query["max"] = maximum
  449. data_raw = self.connection.raw_get(self.uma_well_known["policy_endpoint"], **query)
  450. return raise_error_from_response(data_raw, KeycloakGetError)
  452. async def a__fetch_well_known(self):
  453. """Get the well_known UMA2 config async.
  455. :returns: It lists endpoints and other configuration options relevant
  456. :rtype: dict
  457. """
  458. params_path = {"realm-name": self.connection.realm_name}
  459. data_raw = await self.connection.a_raw_get(URL_UMA_WELL_KNOWN.format(**params_path))
  460. return raise_error_from_response(data_raw, KeycloakGetError)
  462. async def a_resource_set_create(self, payload):
  463. """Create a resource set asynchronously.
  465. Spec
  466. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1
  468. ResourceRepresentation
  469. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  471. :param payload: ResourceRepresentation
  472. :type payload: dict
  473. :return: ResourceRepresentation with the _id property assigned
  474. :rtype: dict
  475. """
  476. data_raw = await self.connection.a_raw_post(
  477. (await self.a_uma_well_known)["resource_registration_endpoint"],
  478. data=json.dumps(payload),
  479. )
  480. return raise_error_from_response(data_raw, KeycloakPostError, expected_codes=[201])
  482. async def a_resource_set_update(self, resource_id, payload):
  483. """Update a resource set asynchronously.
  485. Spec
  486. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set
  488. ResourceRepresentation
  489. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  491. :param resource_id: id of the resource
  492. :type resource_id: str
  493. :param payload: ResourceRepresentation
  494. :type payload: dict
  495. :return: Response dict (empty)
  496. :rtype: dict
  497. """
  498. url = self.format_url(
  499. (await self.a_uma_well_known)["resource_registration_endpoint"] + "/{id}",
  500. id=resource_id,
  501. )
  502. data_raw = await self.connection.a_raw_put(url, data=json.dumps(payload))
  503. return raise_error_from_response(data_raw, KeycloakPutError, expected_codes=[204])
  505. async def a_resource_set_read(self, resource_id):
  506. """Read a resource set asynchronously.
  508. Spec
  509. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set
  511. ResourceRepresentation
  512. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  514. :param resource_id: id of the resource
  515. :type resource_id: str
  516. :return: ResourceRepresentation
  517. :rtype: dict
  518. """
  519. url = self.format_url(
  520. (await self.a_uma_well_known)["resource_registration_endpoint"] + "/{id}",
  521. id=resource_id,
  522. )
  523. data_raw = await self.connection.a_raw_get(url)
  524. return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[200])
  526. async def a_resource_set_delete(self, resource_id):
  527. """Delete a resource set asynchronously.
  529. Spec
  530. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set
  532. :param resource_id: id of the resource
  533. :type resource_id: str
  534. :return: Response dict (empty)
  535. :rtype: dict
  536. """
  537. url = self.format_url(
  538. (await self.a_uma_well_known)["resource_registration_endpoint"] + "/{id}",
  539. id=resource_id,
  540. )
  541. data_raw = await self.connection.a_raw_delete(url)
  542. return raise_error_from_response(data_raw, KeycloakDeleteError, expected_codes=[204])
  544. async def a_resource_set_list_ids(
  545. self,
  546. name: str = "",
  547. exact_name: bool = False,
  548. uri: str = "",
  549. owner: str = "",
  550. resource_type: str = "",
  551. scope: str = "",
  552. matchingUri: bool = False,
  553. first: int = 0,
  554. maximum: int = -1,
  555. ):
  556. """Query for list of resource set ids asynchronously.
  558. Spec
  559. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
  561. :param name: query resource name
  562. :type name: str
  563. :param exact_name: query exact match for resource name
  564. :type exact_name: bool
  565. :param uri: query resource uri
  566. :type uri: str
  567. :param owner: query resource owner
  568. :type owner: str
  569. :param resource_type: query resource type
  570. :type resource_type: str
  571. :param scope: query resource scope
  572. :type scope: str
  573. :param first: index of first matching resource to return
  574. :param matchingUri: enable URI matching
  575. :type matchingUri: bool
  576. :type first: int
  577. :param maximum: maximum number of resources to return (-1 for all)
  578. :type maximum: int
  579. :return: List of ids
  580. :rtype: List[str]
  581. """
  582. query = dict()
  583. if name:
  584. query["name"] = name
  585. if exact_name:
  586. query["exactName"] = "true"
  587. if uri:
  588. query["uri"] = uri
  589. if owner:
  590. query["owner"] = owner
  591. if resource_type:
  592. query["type"] = resource_type
  593. if scope:
  594. query["scope"] = scope
  595. if matchingUri:
  596. query["matchingUri"] = "true"
  597. if first > 0:
  598. query["first"] = first
  599. if maximum >= 0:
  600. query["max"] = maximum
  602. data_raw = await self.connection.a_raw_get(
  603. (await self.a_uma_well_known)["resource_registration_endpoint"], **query
  604. )
  605. return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[200])
  607. async def a_resource_set_list(self):
  608. """List all resource sets asynchronously.
  610. Spec
  611. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
  613. ResourceRepresentation
  614. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
  616. :yields: Iterator over a list of ResourceRepresentations
  617. :rtype: Iterator[dict]
  618. """
  619. for resource_id in await self.a_resource_set_list_ids():
  620. resource = await self.a_resource_set_read(resource_id)
  621. yield resource
  623. async def a_permission_ticket_create(self, permissions: Iterable[UMAPermission]):
  624. """Create a permission ticket asynchronously.
  626. :param permissions: Iterable of uma permissions to validate the token against
  627. :type permissions: Iterable[UMAPermission]
  628. :returns: Keycloak decision
  629. :rtype: boolean
  630. :raises KeycloakPostError: In case permission resource not found
  631. """
  632. resources = dict()
  633. for permission in permissions:
  634. resource_id = getattr(permission, "resource_id", None)
  636. if resource_id is None:
  637. resource_ids = await self.a_resource_set_list_ids(
  638. exact_name=True, name=permission.resource, first=0, maximum=1
  639. )
  641. if not resource_ids:
  642. raise KeycloakPostError("Invalid resource specified")
  644. setattr(permission, "resource_id", resource_ids[0])
  646. resources.setdefault(resource_id, set())
  647. if permission.scope:
  648. resources[resource_id].add(permission.scope)
  650. payload = [
  651. {"resource_id": resource_id, "resource_scopes": list(scopes)}
  652. for resource_id, scopes in resources.items()
  653. ]
  655. data_raw = await self.connection.a_raw_post(
  656. (await self.a_uma_well_known)["permission_endpoint"], data=json.dumps(payload)
  657. )
  658. return raise_error_from_response(data_raw, KeycloakPostError)
  660. async def a_permissions_check(self, token, permissions: Iterable[UMAPermission]):
  661. """Check UMA permissions by user token with requested permissions asynchronously.
  663. The token endpoint is used to check UMA permissions from Keycloak. It can only be
  664. invoked by confidential clients.
  666. https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api
  668. :param token: user token
  669. :type token: str
  670. :param permissions: Iterable of uma permissions to validate the token against
  671. :type permissions: Iterable[UMAPermission]
  672. :returns: Keycloak decision
  673. :rtype: boolean
  674. """
  675. payload = {
  676. "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  677. "permission": ",".join(str(permission) for permission in permissions),
  678. "response_mode": "decision",
  679. "audience": self.connection.client_id,
  680. }
  682. # Everyone always has the null set of permissions
  683. # However keycloak cannot evaluate the null set
  684. if len(payload["permission"]) == 0:
  685. return True
  687. connection = ConnectionManager(self.connection.base_url)
  688. connection.add_param_headers("Authorization", "Bearer " + token)
  689. connection.add_param_headers("Content-Type", "application/x-www-form-urlencoded")
  690. data_raw = await connection.a_raw_post(
  691. (await self.a_uma_well_known)["token_endpoint"], data=payload
  692. )
  693. try:
  694. data = raise_error_from_response(data_raw, KeycloakPostError)
  695. except KeycloakPostError:
  696. return False
  697. return data.get("result", False)
  699. async def a_policy_resource_create(self, resource_id, payload):
  700. """Create permission policy for resource asynchronously.
  702. Supports name, description, scopes, roles, groups, clients
  704. https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource
  706. :param resource_id: _id of resource
  707. :type resource_id: str
  708. :param payload: permission configuration
  709. :type payload: dict
  710. :return: PermissionRepresentation
  711. :rtype: dict
  712. """
  713. data_raw = await self.connection.a_raw_post(
  714. (await self.a_uma_well_known)["policy_endpoint"] + f"/{resource_id}",
  715. data=json.dumps(payload),
  716. )
  717. return raise_error_from_response(data_raw, KeycloakPostError)
  719. async def a_policy_update(self, policy_id, payload):
  720. """Update permission policy asynchronously.
  722. https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource
  723. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation
  725. :param policy_id: id of policy permission
  726. :type policy_id: str
  727. :param payload: policy permission configuration
  728. :type payload: dict
  729. :return: PermissionRepresentation
  730. :rtype: dict
  731. """
  732. data_raw = await self.connection.a_raw_put(
  733. (await self.a_uma_well_known)["policy_endpoint"] + f"/{policy_id}",
  734. data=json.dumps(payload),
  735. )
  736. return raise_error_from_response(data_raw, KeycloakPutError)
  738. async def a_policy_delete(self, policy_id):
  739. """Delete permission policy asynchronously.
  741. https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission
  742. https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation
  744. :param policy_id: id of permission policy
  745. :type policy_id: str
  746. :return: PermissionRepresentation
  747. :rtype: dict
  748. """
  749. data_raw = await self.connection.a_raw_delete(
  750. (await self.a_uma_well_known)["policy_endpoint"] + f"/{policy_id}"
  751. )
  752. return raise_error_from_response(data_raw, KeycloakDeleteError)
  754. async def a_policy_query(
  755. self,
  756. resource: str = "",
  757. name: str = "",
  758. scope: str = "",
  759. first: int = 0,
  760. maximum: int = -1,
  761. ):
  762. """Query permission policies asynchronously.
  764. https://www.keycloak.org/docs/latest/authorization_services/#querying-permission
  766. :param resource: query resource id
  767. :type resource: str
  768. :param name: query resource name
  769. :type name: str
  770. :param scope: query resource scope
  771. :type scope: str
  772. :param first: index of first matching resource to return
  773. :type first: int
  774. :param maximum: maximum number of resources to return (-1 for all)
  775. :type maximum: int
  776. :return: List of ids
  777. :return: List of ids
  778. :rtype: List[str]
  779. """
  780. query = dict()
  781. if name:
  782. query["name"] = name
  783. if resource:
  784. query["resource"] = resource
  785. if scope:
  786. query["scope"] = scope
  787. if first > 0:
  788. query["first"] = first
  789. if maximum >= 0:
  790. query["max"] = maximum
  792. data_raw = await self.connection.a_raw_get(
  793. (await self.a_uma_well_known)["policy_endpoint"], **query
  794. )
  795. return raise_error_from_response(data_raw, KeycloakGetError)