From 74eaf4210efd2b532b306a8294396b9b3d7273b5 Mon Sep 17 00:00:00 2001
From: Frieder Schrempf
Date: Sat, 29 Oct 2022 22:30:49 +0200
Subject: [PATCH] feat: Implement admin method for creating scope-based permission

Implement the currently missing method create_client_authz_scope_based_permission().
---
 src/keycloak/keycloak_admin.py | 42 ++++++++++++++++++++++++++++++++++
 src/keycloak/urls_patterns.py | 3 +++
 2 files changed, 45 insertions(+)

diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py
index 994b97d..b936481 100644
--- a/src/keycloak/keycloak_admin.py
+++ b/src/keycloak/keycloak_admin.py
@@ -1426,6 +1426,48 @@ class KeycloakAdmin:
 data_raw, KeycloakPostError, expected_codes=[201], skip_exists=skip_exists
 )

+ def create_client_authz_scope_based_permission(self, client_id, payload, skip_exists=False):
+ """Create scope-based permission of client.
+
+ Payload example::
+
+ payload={
+ "type": "resource",
+ "logic": "POSITIVE",
+ "decisionStrategy": "UNANIMOUS",
+ "name": "Permission-Name",
+ "resources": [
+ resource_id
+ ],
+ "policies": [
+ policy_id
+ ],
+ "scopes": [
+ scope_id
+ ]
+
+ :param client_id: id in ClientRepresentation
+ https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
+ :type client_id: str
+ :param payload: PolicyRepresentation
+ https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_policyrepresentation
+ :type payload: dict
+ :param skip_exists: Skip creation in case the object already exists
+ :type skip_exists: bool
+ :return: Keycloak server response
+ :rtype: bytes
+
+ """
+ params_path = {"realm-name": self.realm_name, "id": client_id}
+
+ data_raw = self.raw_post(
+ urls_patterns.URL_ADMIN_CLIENT_AUTHZ_SCOPE_BASED_PERMISSION.format(**params_path),
+ data=json.dumps(payload),
+ )
+ return raise_error_from_response(
+ data_raw, KeycloakPostError, expected_codes=[201], skip_exists=skip_exists
+ )
+
 def get_client_authz_scopes(self, client_id):
 """Get scopes from client.
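Review bot: The payload example in the new docstring does not match the method: it shows `"type": "resource"` for a request sent to the scope permission URL, and the dict literal is never closed. It looks copied from the resource-based variant; the example should read `"type": "scope",` and end with `}`. It would also help to document that with `skip_exists=True` an already existing permission is presumably reported as success without being updated (the helper's handling is outside this hunk), so a caller cannot assume the submitted `policies` and `scopes` are the ones in force afterwards. The new method is complete in the hunk; the enclosing class continues outside it.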
diff --git a/src/keycloak/urls_patterns.py b/src/keycloak/urls_patterns.py
index b5f3277..987b26a 100644
--- a/src/keycloak/urls_patterns.py
+++ b/src/keycloak/urls_patterns.py
@@ -109,6 +109,9 @@ URL_ADMIN_CLIENT_AUTHZ_ROLE_BASED_POLICY = (
 URL_ADMIN_CLIENT_AUTHZ_RESOURCE_BASED_PERMISSION = (
 URL_ADMIN_CLIENT + "/authz/resource-server/permission/resource?max=-1"
 )
+URL_ADMIN_CLIENT_AUTHZ_SCOPE_BASED_PERMISSION = (
+ URL_ADMIN_CLIENT + "/authz/resource-server/permission/scope?max=-1"
+)
 URL_ADMIN_CLIENT_AUTHZ_POLICY_SCOPES = (
 URL_ADMIN_CLIENT + "/authz/resource-server/policy/{policy-id}/scopes"
 )
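Review bot: The new constant ends in `?max=-1`, which appears to be a paging parameter for listing results, while the only use added by this patch is the POST that creates a permission. If the query string is not needed for creation, define the pattern as `URL_ADMIN_CLIENT + "/authz/resource-server/permission/scope"` and let a listing call add `max` itself; a query string baked into the pattern also breaks any later caller that appends a path segment. If it is kept to mirror the resource-based constant above, a short comment such as `# max=-1 only matters for GET listings` would explain it.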