feat: allows retrieval of realm and client level roles for a user (#512)

Co-authored-by: Côme Mary-Vallée <come.maryvallee@cdbdx.biz>
2 years ago · 654cf8848d
3 changed files with 48 additions and 0 deletions
--- a/src/keycloak/keycloak_admin.py
+++ b/src/keycloak/keycloak_admin.py
@ -3111,6 +3111,20 @@ class KeycloakAdmin:
        )
        return raise_error_from_response(data_raw, KeycloakDeleteError, expected_codes=[204])

+    def get_all_roles_of_user(self, user_id):
+        """Get all level roles for a user.
+
+        :param user_id: id of user
+        :type user_id: str
+        :return: Keycloak server response (array RoleRepresentation)
+        :rtype: list
+        """
+        params_path = {"realm-name": self.connection.realm_name, "id": user_id}
+        data_raw = self.connection.raw_get(
+            urls_patterns.URL_ADMIN_USER_ALL_ROLES.format(**params_path)
+        )
+        return raise_error_from_response(data_raw, KeycloakGetError)
+
    def get_client_roles_of_user(self, user_id, client_id):
        """Get all client roles for a user.

--- a/src/keycloak/urls_patterns.py
+++ b/src/keycloak/urls_patterns.py
@ -51,6 +51,7 @@ URL_ADMIN_SEND_UPDATE_ACCOUNT = "admin/realms/{realm-name}/users/{id}/execute-ac
 URL_ADMIN_SEND_VERIFY_EMAIL = "admin/realms/{realm-name}/users/{id}/send-verify-email"
 URL_ADMIN_RESET_PASSWORD = "admin/realms/{realm-name}/users/{id}/reset-password"
 URL_ADMIN_GET_SESSIONS = "admin/realms/{realm-name}/users/{id}/sessions"
+URL_ADMIN_USER_ALL_ROLES = "admin/realms/{realm-name}/users/{id}/role-mappings"
 URL_ADMIN_USER_CLIENT_ROLES = (
    "admin/realms/{realm-name}/users/{id}/role-mappings/clients/{client-id}"
 )
--- a/tests/test_keycloak_admin.py
+++ b/tests/test_keycloak_admin.py
@ -386,6 +386,39 @@ def test_users(admin: KeycloakAdmin, realm: str):
    assert err.match(USER_NOT_FOUND_REGEX)


+def test_users_roles(admin: KeycloakAdmin, realm: str):
+    """Test users roles.
+
+    :param admin: Keycloak Admin client
+    :type admin: KeycloakAdmin
+    :param realm: Keycloak realm
+    :type realm: str
+    """
+    user_id = admin.create_user(payload={"username": "test", "email": "test@test.test"})
+
+    # Test all level user roles
+    client_id = admin.create_client(payload={"name": "test-client", "clientId": "test-client"})
+    admin.create_client_role(client_role_id=client_id, payload={"name": "test-role"})
+    admin.assign_client_role(
+        client_id=client_id,
+        user_id=user_id,
+        roles=[admin.get_client_role(client_id=client_id, role_name="test-role")],
+    )
+    all_roles = admin.get_all_roles_of_user(user_id=user_id)
+    realm_roles = all_roles["realmMappings"]
+    assert len(realm_roles) == 1, realm_roles
+    client_roles = all_roles["clientMappings"]
+    assert len(client_roles) == 1, client_roles
+
+    # Test all level user roles fail
+    with pytest.raises(KeycloakGetError) as err:
+        admin.get_all_roles_of_user(user_id="non-existent-id")
+    err.match('404: b\'{"error":"User not found"}\'')
+
+    admin.delete_user(user_id)
+    admin.delete_client(client_id)
+
+
 def test_users_pagination(admin: KeycloakAdmin, realm: str):
    """Test user pagination.