@@ -11,3 +11,6 @@ | |
venv | ||
venv3 | ||
docs | ||
*.log | ||
*.db | ||
*.sqlite3 |
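--- /dev/null
+++ b/cloudman/auth.py
@@ -0,0 +1,18 @@
+import requests
+
+from django.core.cache import cache
+
+
+def get_metadata(metadata_endpoint):
+    op_metadata = cache.get('OIDC_OP_METADATA')
+    if not op_metadata:
+        response = requests.get(url=metadata_endpoint, verify=False)
+        response.raise_for_status()
+        op_metadata = response.json()
+        cache.set('OIDC_OP_METADATA', op_metadata)
+    return op_metadata
+
+
+def get_from_well_known(metadata_endpoint, attr):
+    metadata = get_metadata(metadata_endpoint)
+    return metadata.get(attr)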
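Review bot: `requests.get(url=metadata_endpoint, verify=False)` in `get_metadata` disables TLS certificate checking on the OIDC discovery fetch, so a network attacker can serve a forged discovery document and point logins at an `authorization_endpoint` they control — every value handed out by `get_from_well_known` inherits that trust. The call also has no timeout, so an unresponsive provider stalls the request thread indefinitely. Suggest `response = requests.get(url=metadata_endpoint, timeout=10)` and, if a private test CA is the reason for `verify=False`, pass the CA bundle via `verify=` from a setting instead of switching verification off. The document is also cached with `cache.set('OIDC_OP_METADATA', op_metadata)` and no explicit TTL, so a rotated provider endpoint is only picked up after the cache is cleared; an explicit timeout argument would make that behaviour deliberate.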
@@ -0,0 +1,62 @@ | ||
from cloudman.auth import get_from_well_known | ||
from django.contrib.auth.models import Group | ||
from django.db import transaction | ||
from mozilla_django_oidc import auth, utils, views | ||
|
||
|
||
def provider_logout(request): | ||
return get_from_well_known( | ||
utils.import_from_settings('OIDC_OP_METADATA_ENDPOINT'), | ||
'end_session_endpoint') | ||
|
||
|
||
class CMOIDCAuthenticationBackend(auth.OIDCAuthenticationBackend): | ||
|
||
def create_user(self, claims): | ||
user = super(CMOIDCAuthenticationBackend, self).create_user(claims) | ||
return self.update_user(user, claims) | ||
|
||
def update_user(self, user, claims): | ||
roles = claims.get('roles') | ||
user.first_name = claims.get('given_name', '') | ||
user.last_name = claims.get('family_name', '') | ||
user.is_staff = 'admin' in roles or 'superuser' in roles | ||
user.is_superuser = 'superuser' in roles | ||
user.save() | ||
self.update_groups(user, claims) | ||
|
||
return user | ||
|
||
def update_groups(self, user, claims): | ||
""" | ||
Transform roles obtained from keycloak into Django Groups and | ||
add them to the user. Note that any role not passed via keycloak | ||
will be removed from the user. | ||
""" | ||
with transaction.atomic(): | ||
user.groups.clear() | ||
for role in claims.get('roles'): | ||
group, _ = Group.objects.get_or_create(name=role) | ||
group.user_set.add(user) | ||
|
||
def get_userinfo(self, access_token, id_token, payload): | ||
""" | ||
Get user details from the access_token and id_token and return | ||
them in a dict. | ||
""" | ||
userinfo = super().get_userinfo(access_token, id_token, payload) | ||
accessinfo = self.verify_token(access_token, nonce=payload.get('nonce')) | ||
roles = accessinfo.get('realm_access', {}).get('roles', []) | ||
|
||
userinfo['roles'] = roles | ||
return userinfo | ||
|
||
|
||
class OIDCAuthenticationRequestView(views.OIDCAuthenticationRequestView): | ||
|
||
def __init__(self, *args, **kwargs): | ||
super(OIDCAuthenticationRequestView, self).__init__(*args, **kwargs) | ||
|
||
self.OIDC_OP_AUTH_ENDPOINT = get_from_well_known( | ||
utils.import_from_settings('OIDC_OP_METADATA_ENDPOINT'), | ||
'authorization_endpoint') |
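Review bot: `roles = claims.get('roles')` in `update_user` is used directly in `'admin' in roles`, and `update_groups` iterates `claims.get('roles')`, so a claims dict without a `roles` key raises `TypeError` instead of leaving the user unprivileged; `get_userinfo` always sets the key on the path through this backend, but both methods are public entry points inherited from the base backend and should default, e.g. `roles = claims.get('roles') or []` and `for role in claims.get('roles') or []:`. Note also that `is_superuser` is granted to any principal whose verified access token carries a realm role literally named `superuser`, and every realm role becomes a Django `Group` via `Group.objects.get_or_create(name=role)` — Keycloak's default realm roles would presumably show up as groups too, worth confirming — so a module comment stating that the realm role names `admin`/`superuser` are the privilege boundary would help whoever administers the realm. In `OIDCAuthenticationRequestView.__init__`, the base constructor likely reads `OIDC_OP_AUTHORIZATION_ENDPOINT` from settings before this override assigns `self.OIDC_OP_AUTH_ENDPOINT`, so that setting may still have to exist even though its value is discarded; confirm against the installed mozilla_django_oidc version.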
@@ -0,0 +1,39 @@ | ||
# https://stackoverflow.com/questions/60766292/how-to-get-keycloak-to-export-realm-users-and-then-exit | ||
# docker-exec-cmd.sh | ||
|
||
set -o errexit | ||
set -o errtrace | ||
set -o nounset | ||
set -o pipefail | ||
|
||
# If something goes wrong, this script does not run forever but times out | ||
TIMEOUT_SECONDS=300 | ||
# Logfile for the keycloak export instance | ||
LOGFILE=/tmp/standalone.sh.log | ||
# destionation export file | ||
JSON_EXPORT_FILE=/testdata/realm-export.json | ||
|
||
rm -f ${LOGFILE} ${JSON_EXPORT_FILE} | ||
|
||
# Start a new keycloak instance with exporting options enabled. | ||
# Use prot offset to prevent port conflicts with the "real" keycloak instance. | ||
timeout ${TIMEOUT_SECONDS}s \ | ||
/opt/jboss/keycloak/bin/standalone.sh \ | ||
-Dkeycloak.migration.action=export \ | ||
-Dkeycloak.migration.provider=singleFile \ | ||
-Dkeycloak.migration.realmName=master \ | ||
-Dkeycloak.migration.file=${JSON_EXPORT_FILE} \ | ||
-Dkeycloak.migration.usersExportStrategy=REALM_FILE \ | ||
-Djboss.socket.binding.port-offset=99 \ | ||
| tee -a ${LOGFILE} & | ||
|
||
# Grab the keycloak export instance process id | ||
PID="${!}" | ||
|
||
# Wait for the export to finish | ||
timeout ${TIMEOUT_SECONDS}s \ | ||
grep -m 1 "Export finished successfully" <(tail -f ${LOGFILE}) | ||
|
||
# Stop the keycloak export instance | ||
kill ${PID} | ||
|
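Review bot: `PID="${!}"` captures the PID of `tee`, the last stage of the backgrounded pipeline, not of `timeout`/`standalone.sh`, so `kill ${PID}` at the end stops the log writer and likely leaves the exporting Keycloak instance running until the 300 s `timeout` expires. Redirecting instead of piping makes `$!` the `timeout` process, which forwards the signal to the JVM: use `> "${LOGFILE}" 2>&1 &` in place of `| tee -a ${LOGFILE} &`; the `tail -f` progress check below keeps working. Separately, exporting the `master` realm with `usersExportStrategy=REALM_FILE` writes client secrets and user credential hashes into `/testdata/realm-export.json` on the bind-mounted host directory; if that file is meant to be committed as test data it must hold only throwaway credentials, otherwise the `.gitignore` should cover it.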
@@ -0,0 +1 @@ | ||
docker exec -it keycloak bash /testdata/keycloak-export-realm.sh |
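Review bot: `docker exec -it` requests a TTY, which fails with "the input device is not a TTY" when this one-liner runs from CI or any non-interactive shell. The export script reads nothing from stdin, so `docker exec keycloak bash /testdata/keycloak-export-realm.sh` is sufficient and works in both contexts.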
@@ -0,0 +1,2 @@ | ||
docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=testpassword -v `pwd`:/testdata/ -e JAVA_OPTS="-server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/testdata/realm-export.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING" jboss/keycloak:7.0.0 | ||
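Review bot: `-p 8080:8080` publishes the Keycloak admin console on every host interface with the fixed credentials `admin`/`testpassword` in the same command line, so anyone who can reach the host gets a realm admin that the application maps to `is_staff`/`is_superuser`; bind it to loopback with `-p 127.0.0.1:8080:8080` and pass the password via `-e KEYCLOAK_PASSWORD` from the environment or an `--env-file` rather than the literal. `-Dkeycloak.migration.strategy=OVERWRITE_EXISTING` also replaces the realm from `realm-export.json` on every start, so changes made through the console are lost on restart — presumably intended for a test fixture, but a leading comment saying so would prevent surprises. `jboss/keycloak:7.0.0` is a fixed old release; pinning is good, but the tag should be tracked against published Keycloak security advisories.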