From 7dd46e1658d260c32a7df80a0373fe2fd0f832fd Mon Sep 17 00:00:00 2001
From: Hadeer Elsaeed <47625223+Hadeer-Elsaeed@users.noreply.github.com>
Date: Mon, 13 Nov 2023 14:59:10 +0300
Subject: [PATCH] chore: Feat/create permission for scopes (#400)

* feat(api): add api url

* feat(api): add create permission function

* feat(api): add testcases for create permission function

* fix: linting

* fix: linting

* feat(api): add testcases for create permission function

* feat(api): add testcases for create permission function

* feat(api): apply formating

* feat(api): fix testing

* feat(api): fix testing

* feat(api): fix testing for create client_authz_scope_permission

* feat(api): add scope id for get client_authz_scope_permission

* fix create_client_authz_scope_permission test case

* fix: create_client_authz_scope_permission test case

* fix: add id in create client authz scope permissions

* fix: linting

* fix: test case of create client authz scope permissions

* fix: test case of create client authz scope permissions

---------

Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
---
 src/keycloak/keycloak_admin.py | 30 ++++++++++++++++++++++++++++++
 src/keycloak/urls_patterns.py  |  1 +
 tests/test_keycloak_admin.py   | 25 +++++++++++++++++++++++++
 3 files changed, 56 insertions(+)

diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py
index adccddf..24ff6c3 100644
--- a/src/keycloak/keycloak_admin.py
+++ b/src/keycloak/keycloak_admin.py
@@ -4155,6 +4155,36 @@ class KeycloakAdmin:
         )
         return raise_error_from_response(data_raw, KeycloakGetError)
 
+    def create_client_authz_scope_permission(self, payload, client_id):
+        """Create permissions for a authz scope.
+
+        Payload example::
+
+            payload={
+                "name": "My Permission Name",
+                "type": "scope",
+                "logic": "POSITIVE",
+                "decisionStrategy": "UNANIMOUS",
+                "resources": [some_resource_id],
+                "scopes": [some_scope_id],
+                "policies": [some_policy_id],
+            }
+
+        :param payload: No Document
+        :type payload: dict
+        :param client_id: id in ClientRepresentation
+            https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
+        :type client_id: str
+        :return: Keycloak server response
+        :rtype: bytes
+        """
+        params_path = {"realm-name": self.realm_name, "id": client_id}
+        data_raw = self.raw_post(
+            urls_patterns.URL_ADMIN_ADD_CLIENT_AUTHZ_SCOPE_PERMISSION.format(**params_path),
+            data=json.dumps(payload),
+        )
+        return raise_error_from_response(data_raw, KeycloakPutError, expected_codes=[201])
+
     def update_client_authz_scope_permission(self, payload, client_id, scope_id):
         """Update permissions for a given scope.
 
diff --git a/src/keycloak/urls_patterns.py b/src/keycloak/urls_patterns.py
index a618260..e9a14f8 100644
--- a/src/keycloak/urls_patterns.py
+++ b/src/keycloak/urls_patterns.py
@@ -126,6 +126,7 @@ URL_ADMIN_CLIENT_AUTHZ_POLICY = URL_ADMIN_CLIENT_AUTHZ + "/policy/{policy-id}"
 URL_ADMIN_CLIENT_AUTHZ_POLICY_SCOPES = URL_ADMIN_CLIENT_AUTHZ_POLICY + "/scopes"
 URL_ADMIN_CLIENT_AUTHZ_POLICY_RESOURCES = URL_ADMIN_CLIENT_AUTHZ_POLICY + "/resources"
 URL_ADMIN_CLIENT_AUTHZ_SCOPE_PERMISSION = URL_ADMIN_CLIENT_AUTHZ + "/permission/scope/{scope-id}"
+URL_ADMIN_ADD_CLIENT_AUTHZ_SCOPE_PERMISSION = URL_ADMIN_CLIENT_AUTHZ + "/permission/scope?max=-1"
 URL_ADMIN_CLIENT_AUTHZ_CLIENT_POLICY = URL_ADMIN_CLIENT_AUTHZ + "/policy/client"
 
 URL_ADMIN_CLIENT_SERVICE_ACCOUNT_USER = URL_ADMIN_CLIENT + "/service-account-user"
diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py
index 104fc83..ba35ccc 100644
--- a/tests/test_keycloak_admin.py
+++ b/tests/test_keycloak_admin.py
@@ -1819,6 +1819,31 @@ def test_enable_token_exchange(admin: KeycloakAdmin, realm: str):
         scope_id=token_exchange_permission_id,
     )
 
+    # Create permissions on the target client to reference this policy
+    admin.create_client_authz_scope_permission(
+        payload={
+            "id": token_exchange_permission_id,
+            "name": "test-permission",
+            "type": "scope",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "resources": [token_exchange_resource_id],
+            "scopes": [token_exchange_scope_id],
+            "policies": [client_policy_id],
+        },
+        client_id=realm_management_id,
+    )
+    permission_name = admin.get_client_authz_scope_permission(
+        client_id=realm_management_id, scope_id=token_exchange_permission_id
+    )["name"]
+    assert permission_name == "test-permission"
+    with pytest.raises(KeycloakPostError) as err:
+        admin.create_client_authz_scope_permission(
+            payload={"name": "test-permission", "scopes": [token_exchange_scope_id]},
+            client_id="realm_management_id",
+        )
+    assert err.match('404: b\'{"errorMessage":"Could not find client"}\'')
+
 
 def test_email(admin: KeycloakAdmin, user: str):
     """Test email.