From 4da620bf7c7d7e540bdbb022685c7f8e9f16a659 Mon Sep 17 00:00:00 2001
From: Markus Spanier
Date: Sun, 4 Mar 2018 17:43:20 +0100
Subject: [PATCH 1/4] Add method to retrieve the client roles of a user
---
 keycloak/keycloak_admin.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/keycloak/keycloak_admin.py b/keycloak/keycloak_admin.py
index 17e2c12..a134b44 100644
--- a/keycloak/keycloak_admin.py
+++ b/keycloak/keycloak_admin.py
@@ -637,6 +637,18 @@ class KeycloakAdmin:
 data=json.dumps(payload))
 return raise_error_from_response(data_raw, KeycloakGetError, expected_code=204)
+ def get_client_roles_of_user(self, user_id, client_id):
+ """
+ Get all client roles for a user.
+
+ :param client_id: id of client (not client-id)
+ :param user_id: id of user
+ :return: Keycloak server response (array RoleRepresentation)
+ """
+ params_path = {"realm-name": self.realm_name, "id": user_id, "client-id": client_id}
+ data_raw = self.connection.raw_get(URL_ADMIN_USER_CLIENT_ROLES.format(**params_path))
+ return raise_error_from_response(data_raw, KeycloakGetError)
+
 def sync_users(self, storage_id, action):
 """
 Function to trigger user sync from provider
From 7f2579865384ebfe0587462223ca8095cdd5fb29 Mon Sep 17 00:00:00 2001
From: Markus Spanier
Date: Sun, 4 Mar 2018 17:44:32 +0100
Subject: [PATCH 2/4] Add method to delete client roles of a user
---
 keycloak/keycloak_admin.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/keycloak/keycloak_admin.py b/keycloak/keycloak_admin.py
index a134b44..37d5ab4 100644
--- a/keycloak/keycloak_admin.py
+++ b/keycloak/keycloak_admin.py
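Review bot: `user_id` and `client_id` are substituted into the admin URL by `.format(**params_path)` exactly as passed in, so a value containing `/`, `?` or `#` changes which admin endpoint the authenticated connection requests. Whether `raw_get` encodes the path is not visible in this patch; if it does not, quote each segment before formatting, e.g. `"id": quote(str(user_id), safe="")` and `"client-id": quote(str(client_id), safe="")` with `from urllib.parse import quote`. The same construction is repeated in `delete_client_roles_of_user` (patch 2) and `_get_client_roles_of_user` (patch 3). The docstring also lists `client_id` before `user_id`, the reverse of the signature.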
@@ -649,6 +649,22 @@ class KeycloakAdmin:
 data_raw = self.connection.raw_get(URL_ADMIN_USER_CLIENT_ROLES.format(**params_path))
 return raise_error_from_response(data_raw, KeycloakGetError)
+ def delete_client_roles_of_user(self, user_id, client_id, roles):
+ """
+ Delete client roles from a user.
+
+ :param client_id: id of client (not client-id)
+ :param user_id: id of user
+ :param client_id: id of client containing role,
+ :param roles: roles list or role to delete (use RoleRepresentation)
+ :return: Keycloak server response
+ """
+ payload = roles if isinstance(roles, list) else [roles]
+ params_path = {"realm-name": self.realm_name, "id": user_id, "client-id": client_id}
+ data_raw = self.connection.raw_delete(URL_ADMIN_USER_CLIENT_ROLES.format(**params_path),
+ data=json.dumps(payload))
+ return raise_error_from_response(data_raw, KeycloakGetError, expected_code=204)
+
 def sync_users(self, storage_id, action):
 """
 Function to trigger user sync from provider
From 562b884c606b827bd8b410d10d14440d0b4dccce Mon Sep 17 00:00:00 2001
From: Markus Spanier
Date: Sun, 4 Mar 2018 17:47:33 +0100
Subject: [PATCH 3/4] Add method to retrieve avaialbe and composite client roles of a user
---
 keycloak/keycloak_admin.py | 30 +++++++++++++++++++++++++++---
 keycloak/urls_patterns.py | 2 ++
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/keycloak/keycloak_admin.py b/keycloak/keycloak_admin.py
index 37d5ab4..bfedd86 100644
--- a/keycloak/keycloak_admin.py
+++ b/keycloak/keycloak_admin.py
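Review bot: `payload = roles if isinstance(roles, list) else [roles]` wraps anything that is not a `list`, so a tuple of roles is serialised as a nested array and `roles=None` is sent as `[null]`; for a call that revokes privileges the argument should be checked before the request goes out. A guard such as `if not roles: raise ValueError("roles must not be empty")` followed by `payload = list(roles) if isinstance(roles, (list, tuple)) else [roles]` makes a failed or empty revocation visible to the caller. The docstring documents `client_id` twice with different descriptions; keep the single line `:param client_id: id of client (not client-id)` and list `user_id` first to match the signature. Failures of this DELETE surface as `KeycloakGetError`, which matches the method above the hunk but deserves a `:raises KeycloakGetError:` line so callers know what to catch.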
@@ -22,8 +22,9 @@ from .urls_patterns import \
 URL_ADMIN_USERS_COUNT, URL_ADMIN_USER, URL_ADMIN_USER_CONSENTS, \
 URL_ADMIN_SEND_UPDATE_ACCOUNT, URL_ADMIN_RESET_PASSWORD, URL_ADMIN_SEND_VERIFY_EMAIL, URL_ADMIN_GET_SESSIONS, \
 URL_ADMIN_SERVER_INFO, URL_ADMIN_CLIENTS, URL_ADMIN_CLIENT, URL_ADMIN_CLIENT_ROLES, URL_ADMIN_REALM_ROLES, \
- URL_ADMIN_GROUP, URL_ADMIN_GROUPS, URL_ADMIN_GROUP_CHILD, URL_ADMIN_USER_GROUP,\
- URL_ADMIN_GROUP_PERMISSIONS, URL_ADMIN_USER_CLIENT_ROLES, URL_ADMIN_USER_STORAGE
+ URL_ADMIN_GROUP, URL_ADMIN_GROUPS, URL_ADMIN_GROUP_CHILD, URL_ADMIN_USER_GROUP, \
+ URL_ADMIN_GROUP_PERMISSIONS, URL_ADMIN_USER_CLIENT_ROLES, URL_ADMIN_USER_CLIENT_ROLES_AVAILABLE, \
+ URL_ADMIN_USER_CLIENT_ROLES_COMPOSITE, URL_ADMIN_USER_STORAGE
 from .keycloak_openid import KeycloakOpenID
@@ -645,8 +646,31 @@ class KeycloakAdmin:
 :param user_id: id of user
 :return: Keycloak server response (array RoleRepresentation)
 """
+ return self._get_client_roles_of_user(URL_ADMIN_USER_CLIENT_ROLES, user_id, client_id)
+
+ def get_available_client_roles_of_user(self, user_id, client_id):
+ """
+ Get available client role-mappings for a user.
+
+ :param client_id: id of client (not client-id)
+ :param user_id: id of user
+ :return: Keycloak server response (array RoleRepresentation)
+ """
+ return self._get_client_roles_of_user(URL_ADMIN_USER_CLIENT_ROLES_AVAILABLE, user_id, client_id)
+
+ def get_composite_client_roles_of_user(self, user_id, client_id):
+ """
+ Get composite client role-mappings for a user.
+
+ :param client_id: id of client (not client-id)
+ :param user_id: id of user
+ :return: Keycloak server response (array RoleRepresentation)
+ """
+ return self._get_client_roles_of_user(URL_ADMIN_USER_CLIENT_ROLES_COMPOSITE, user_id, client_id)
+
+ def _get_client_roles_of_user(self, client_level_role_mapping_url, user_id, client_id):
 params_path = {"realm-name": self.realm_name, "id": user_id, "client-id": client_id}
- data_raw = self.connection.raw_get(URL_ADMIN_USER_CLIENT_ROLES.format(**params_path))
+ data_raw = self.connection.raw_get(client_level_role_mapping_url.format(**params_path))
 return raise_error_from_response(data_raw, KeycloakGetError)
 def delete_client_roles_of_user(self, user_id, client_id, roles):
diff --git a/keycloak/urls_patterns.py b/keycloak/urls_patterns.py
index ce593da..11f2e00 100644
--- a/keycloak/urls_patterns.py
+++ b/keycloak/urls_patterns.py
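Review bot: The three public docstrings do not say how the returned sets differ, which matters when the result feeds an access review or an authorization check. As far as Keycloak's admin REST documentation describes them, the plain endpoint returns only roles mapped directly to the user, `/composite` returns the effective roles with composite roles expanded, and `/available` returns roles that can still be mapped. I would state that in each summary line, e.g. `Get effective client roles of a user (direct mappings plus roles inherited through composite roles).` and `Get client roles that are not yet mapped to the user and can be assigned.`, and give the new helper a one-line docstring such as `"""Fetch a client-level role-mapping list from the given URL template."""`. `get_client_roles_of_user` begins above the hunk, so only the tail of its docstring is visible here.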
@@ -34,6 +34,8 @@ URL_ADMIN_SEND_VERIFY_EMAIL = "admin/realms/{realm-name}/users/{id}/send-verify-
 URL_ADMIN_RESET_PASSWORD = "admin/realms/{realm-name}/users/{id}/reset-password"
 URL_ADMIN_GET_SESSIONS = "admin/realms/{realm-name}/users/{id}/sessions"
 URL_ADMIN_USER_CLIENT_ROLES = "admin/realms/{realm-name}/users/{id}/role-mappings/clients/{client-id}"
+URL_ADMIN_USER_CLIENT_ROLES_AVAILABLE = "admin/realms/{realm-name}/users/{id}/role-mappings/clients/{client-id}/available"
+URL_ADMIN_USER_CLIENT_ROLES_COMPOSITE = "admin/realms/{realm-name}/users/{id}/role-mappings/clients/{client-id}/composite"
 URL_ADMIN_USER_GROUP = "admin/realms/{realm-name}/users/{id}/groups/{group-id}"
 URL_ADMIN_SERVER_INFO = "admin/serverinfo"
From 511eb4aeb4a4f69ab714754f64e1757d5879ccfb Mon Sep 17 00:00:00 2001
From: Markus Spanier
Date: Sun, 4 Mar 2018 18:52:17 +0100
Subject: [PATCH 4/4] Add documentation how to retrieve and delete client roles from user
---
 README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/README.md b/README.md
index ec9b7cd..937e4cc 100644
--- a/README.md
+++ b/README.md
@@ -193,6 +193,19 @@ keycloak_admin.create_client_role(client_id, "test")
 # Assign client role to user. Note that BOTH role_name and role_id appear to be required.
 keycloak_admin.assign_client_role(client_id="client_id", user_id="user_id", role_id="role_id", role_name="test")
+# Retrieve client roles of a user.
+keycloak_admin.get_client_roles_of_user(user_id="user_id", client_id="client_id")
+
+# Retrieve available client roles of a user.
+keycloak_admin.get_available_client_roles_of_user(user_id="user_id", client_id="client_id")
+
+# Retrieve composite client roles of a user.
+keycloak_admin.get_composite_client_roles_of_user(user_id="user_id", client_id="client_id")
+
+# Delete client roles of a user.
+keycloak_admin.delete_client_roles_of_user(client_id="client_id", user_id="user_id", roles={"id": "role-id"})
+keycloak_admin.delete_client_roles_of_user(client_id="client_id", user_id="user_id", roles=[{"id": "role-id_1"}, {"id": "role-id_2"}])
+
 # Create new group
 group = keycloak_admin.create_group(name="Example Group")