From a724051a27f09ef1951e7919a49e0fc3422324ec Mon Sep 17 00:00:00 2001 From: Hadeer Elsaeed <47625223+Hadeer-Elsaeed@users.noreply.github.com> Date: Mon, 13 Nov 2023 14:59:10 +0300 Subject: [PATCH] chore: Feat/create permission for scopes (#400) * feat(api): add api url * feat(api): add create permission function * feat(api): add testcases for create permission function * fix: linting * fix: linting * feat(api): add testcases for create permission function * feat(api): add testcases for create permission function * feat(api): apply formating * feat(api): fix testing * feat(api): fix testing * feat(api): fix testing for create client_authz_scope_permission * feat(api): add scope id for get client_authz_scope_permission * fix create_client_authz_scope_permission test case * fix: create_client_authz_scope_permission test case * fix: add id in create client authz scope permissions * fix: linting * fix: test case of create client authz scope permissions * fix: test case of create client authz scope permissions --------- Co-authored-by: Richard Nemeth --- src/keycloak/keycloak_admin.py | 30 ++++++++++++++++++++++++++++++ src/keycloak/urls_patterns.py | 1 + tests/test_keycloak_admin.py | 25 +++++++++++++++++++++++++ 3 files changed, 56 insertions(+) diff --git a/src/keycloak/keycloak_admin.py b/src/keycloak/keycloak_admin.py index 0c9359b..cb51b70 100644 --- a/src/keycloak/keycloak_admin.py +++ b/src/keycloak/keycloak_admin.py @@ -4330,6 +4330,36 @@ class KeycloakAdmin: ) return raise_error_from_response(data_raw, KeycloakGetError) + def create_client_authz_scope_permission(self, payload, client_id): + """Create permissions for a authz scope. + + Payload example:: + + payload={ + "name": "My Permission Name", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "resources": [some_resource_id], + "scopes": [some_scope_id], + "policies": [some_policy_id], + } + + :param payload: No Document + :type payload: dict + :param client_id: id in ClientRepresentation + https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation + :type client_id: str + :return: Keycloak server response + :rtype: bytes + """ + params_path = {"realm-name": self.realm_name, "id": client_id} + data_raw = self.raw_post( + urls_patterns.URL_ADMIN_ADD_CLIENT_AUTHZ_SCOPE_PERMISSION.format(**params_path), + data=json.dumps(payload), + ) + return raise_error_from_response(data_raw, KeycloakPutError, expected_codes=[201]) + def update_client_authz_scope_permission(self, payload, client_id, scope_id): """Update permissions for a given scope. diff --git a/src/keycloak/urls_patterns.py b/src/keycloak/urls_patterns.py index c44a937..817b69c 100644 --- a/src/keycloak/urls_patterns.py +++ b/src/keycloak/urls_patterns.py @@ -130,6 +130,7 @@ URL_ADMIN_CLIENT_AUTHZ_POLICY = URL_ADMIN_CLIENT_AUTHZ + "/policy/{policy-id}" URL_ADMIN_CLIENT_AUTHZ_POLICY_SCOPES = URL_ADMIN_CLIENT_AUTHZ_POLICY + "/scopes" URL_ADMIN_CLIENT_AUTHZ_POLICY_RESOURCES = URL_ADMIN_CLIENT_AUTHZ_POLICY + "/resources" URL_ADMIN_CLIENT_AUTHZ_SCOPE_PERMISSION = URL_ADMIN_CLIENT_AUTHZ + "/permission/scope/{scope-id}" +URL_ADMIN_ADD_CLIENT_AUTHZ_SCOPE_PERMISSION = URL_ADMIN_CLIENT_AUTHZ + "/permission/scope?max=-1" URL_ADMIN_CLIENT_AUTHZ_CLIENT_POLICY = URL_ADMIN_CLIENT_AUTHZ + "/policy/client" URL_ADMIN_CLIENT_SERVICE_ACCOUNT_USER = URL_ADMIN_CLIENT + "/service-account-user" diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py index 104fc83..ba35ccc 100644 --- a/tests/test_keycloak_admin.py +++ b/tests/test_keycloak_admin.py @@ -1819,6 +1819,31 @@ def test_enable_token_exchange(admin: KeycloakAdmin, realm: str): scope_id=token_exchange_permission_id, ) + # Create permissions on the target client to reference this policy + admin.create_client_authz_scope_permission( + payload={ + "id": token_exchange_permission_id, + "name": "test-permission", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "resources": [token_exchange_resource_id], + "scopes": [token_exchange_scope_id], + "policies": [client_policy_id], + }, + client_id=realm_management_id, + ) + permission_name = admin.get_client_authz_scope_permission( + client_id=realm_management_id, scope_id=token_exchange_permission_id + )["name"] + assert permission_name == "test-permission" + with pytest.raises(KeycloakPostError) as err: + admin.create_client_authz_scope_permission( + payload={"name": "test-permission", "scopes": [token_exchange_scope_id]}, + client_id="realm_management_id", + ) + assert err.match('404: b\'{"errorMessage":"Could not find client"}\'') + def test_email(admin: KeycloakAdmin, user: str): """Test email.