mirror of
https://github.com/sartography/spiff-arena.git
synced 2025-01-13 02:54:27 +00:00
Hunter is me main (#1585)
* get token object for local development env * print just token to stdout in case we want to shell out to this script for some reason * migrated get_token bash script to python version w/ burnettk * ruff should ignore print statements in bin script w/ burnettk --------- Co-authored-by: unknown <hdl560@163.com> Co-authored-by: HunterIsMe <36193162+HunterIsMe@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> Co-authored-by: jasquat <jasquat@users.noreply.github.com>
This commit is contained in:
parent
a402bfc4fd
commit
c882a208fb
@ -1,83 +1,83 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env python
|
||||||
|
|
||||||
function error_handler() {
|
import base64
|
||||||
>&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
|
import json
|
||||||
exit "$2"
|
import os
|
||||||
}
|
import re
|
||||||
trap 'error_handler ${LINENO} $?' ERR
|
import sys
|
||||||
set -o errtrace -o errexit -o nounset -o pipefail
|
from typing import Any
|
||||||
|
|
||||||
# this tests we can get a token from a public client and exchange it with a confidential client
|
import requests
|
||||||
# so we can see what resources that user has access to
|
|
||||||
|
|
||||||
# originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c
|
|
||||||
# btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
|
|
||||||
# some UMA stuff at https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-obtaining-permission.adoc,
|
|
||||||
# though resource_set docs are elsewhere.
|
|
||||||
|
|
||||||
# ./bin/get_token # uses ciuser1 ciuser1
|
|
||||||
# ./bin/get_token ciadmin1 ciadmin1
|
|
||||||
# ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script
|
|
||||||
# ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models'
|
|
||||||
|
|
||||||
USERNAME=${1-admin}
|
|
||||||
PASSWORD=${2-admin}
|
|
||||||
REALM_NAME=${3-spiffworkflow}
|
|
||||||
|
|
||||||
if [[ -z "${BACKEND_BASE_URL:-}" ]]; then
|
|
||||||
BACKEND_BASE_URL=http://localhost:7000
|
|
||||||
fi
|
|
||||||
if [[ -z "${BACKEND_CLIENT_ID:-}" ]]; then
|
|
||||||
export BACKEND_CLIENT_ID=spiffworkflow-backend
|
|
||||||
fi
|
|
||||||
if [[ -z "${BACKEND_CLIENT_SECRET:-}" ]]; then
|
|
||||||
export BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q" # noqa: S105
|
|
||||||
fi
|
|
||||||
|
|
||||||
SECURE=false
|
|
||||||
|
|
||||||
BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64)
|
|
||||||
|
|
||||||
if [[ -z "${OPENID_TOKEN_URL:-}" ]]; then
|
|
||||||
if [[ -z "${KEYCLOAK_BASE_URL:-}" ]]; then
|
|
||||||
if grep -qE "spiffworkflow.org" <<<"$BACKEND_BASE_URL" ; then
|
|
||||||
env_domain=$(hot_sed -E 's/.*api\.(\w+\.spiffworkflow.org).*/\1/' <<<"${BACKEND_BASE_URL}")
|
|
||||||
KEYCLOAK_BASE_URL="https://keycloak.${env_domain}"
|
|
||||||
elif grep -qE "localhost:7000" <<<"$BACKEND_BASE_URL" ; then
|
|
||||||
KEYCLOAK_BASE_URL="http://localhost:7002"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
OPENID_TOKEN_URL=$KEYCLOAK_BASE_URL/realms/$REALM_NAME/protocol/openid-connect/token
|
|
||||||
fi
|
|
||||||
|
|
||||||
>&2 echo "Using OPENID_TOKEN_URL: $OPENID_TOKEN_URL"
|
|
||||||
>&2 echo "realm: $REALM_NAME"
|
|
||||||
>&2 echo "client-id: $BACKEND_CLIENT_ID"
|
|
||||||
>&2 echo "username: $USERNAME"
|
|
||||||
>&2 echo "password: $PASSWORD"
|
|
||||||
>&2 echo "secure: $SECURE"
|
|
||||||
|
|
||||||
|
|
||||||
if [[ $SECURE = 'y' ]]; then
|
def get_argv(index: int, default: Any = None) -> Any:
|
||||||
INSECURE=
|
try:
|
||||||
else
|
return sys.argv[index]
|
||||||
INSECURE=--insecure
|
except IndexError:
|
||||||
fi
|
return default
|
||||||
|
|
||||||
|
|
||||||
### Basic auth test with backend
|
username = get_argv(1, "admin")
|
||||||
result=$(curl -s -X POST "$OPENID_TOKEN_URL" "$INSECURE" \
|
password = get_argv(2, "admin")
|
||||||
-H "Content-Type: application/x-www-form-urlencoded" \
|
realm_name = get_argv(3, "spiffworkflow")
|
||||||
-H "Authorization: Basic $BACKEND_BASIC_AUTH" \
|
|
||||||
-d "username=$USERNAME" \
|
OPEN_ID_CODE = ":this_is_not_secure_do_not_use_in_production"
|
||||||
-d "password=$PASSWORD" \
|
|
||||||
-d 'grant_type=password' \
|
backend_base_url = os.getenv("BACKEND_BASE_URL", "http://localhost:7000")
|
||||||
-d "client_id=$BACKEND_CLIENT_ID" \
|
backend_client_id = os.getenv("BACKEND_CLIENT_ID", "spiffworkflow-backend")
|
||||||
-d "code=${USERNAME}:for-local-dev" \
|
backend_client_secret = os.getenv("BACKEND_CLIENT_secret", "JXeQExm0JhQPLumgHtIIqf52bDalHz0q")
|
||||||
)
|
|
||||||
backend_token=$(jq -r '.access_token' <<< "$result")
|
openid_token_url = os.getenv("OPENID_TOKEN_URL")
|
||||||
if [[ -z "$backend_token" || "$backend_token" == "null" ]]; then
|
keycloak_base_url = os.getenv("KEYCLOAK_BASE_URL")
|
||||||
>&2 echo "ERROR: Could not get the backend token. Received result: ${result}"
|
if openid_token_url is None:
|
||||||
exit 1
|
if keycloak_base_url is None:
|
||||||
fi
|
if "spiffworkflow.org" in backend_base_url:
|
||||||
echo "$backend_token"
|
pattern = r".*api\.(\w+\.spiffworkflow.org).*"
|
||||||
|
match = re.search(pattern, backend_base_url)
|
||||||
|
if match is None:
|
||||||
|
raise Exception("Could not determine openid url based on backend url")
|
||||||
|
env_domain = match.group(1)
|
||||||
|
keycloak_base_url = "https://keycloak.${env_domain}"
|
||||||
|
elif "localhost:7000" in backend_base_url:
|
||||||
|
keycloak_base_url = "http://localhost:7002"
|
||||||
|
openid_token_url = f"{keycloak_base_url}/realms/{realm_name}/protocol/openid-connect/token"
|
||||||
|
|
||||||
|
|
||||||
|
def get_auth_token_object() -> dict:
|
||||||
|
backend_basic_auth_string = f"{backend_client_id}:{backend_client_secret}"
|
||||||
|
backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")
|
||||||
|
backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)
|
||||||
|
headers = {
|
||||||
|
"Content-Type": "application/x-www-form-urlencoded",
|
||||||
|
"Authorization": f"Basic {backend_basic_auth.decode('utf-8')}",
|
||||||
|
}
|
||||||
|
data = {
|
||||||
|
"grant_type": "password",
|
||||||
|
"code": username + OPEN_ID_CODE,
|
||||||
|
"username": username,
|
||||||
|
"password": password,
|
||||||
|
"client_id": backend_client_id,
|
||||||
|
}
|
||||||
|
|
||||||
|
if openid_token_url is None:
|
||||||
|
raise Exception("Please specify the OPENID_TOKEN_URL")
|
||||||
|
|
||||||
|
response = requests.post(openid_token_url, data=data, headers=headers, timeout=15)
|
||||||
|
auth_token_object: dict = json.loads(response.text)
|
||||||
|
return auth_token_object
|
||||||
|
|
||||||
|
|
||||||
|
# ruff: noqa: T201
|
||||||
|
|
||||||
|
for token_identifier, token in get_auth_token_object().items():
|
||||||
|
# if the k is access_token, print just it to stdout
|
||||||
|
print(f"{token_identifier}:", file=sys.stderr)
|
||||||
|
if token_identifier == "access_token": # noqa: S105
|
||||||
|
# print token with no newline
|
||||||
|
print(token, end="")
|
||||||
|
# flush the buffer to stdout
|
||||||
|
sys.stdout.flush()
|
||||||
|
print("\n", file=sys.stderr)
|
||||||
|
else:
|
||||||
|
# print the rest of the key value pairs to stderr
|
||||||
|
print(f"{token}\n", file=sys.stderr)
|
||||||
|
Loading…
x
Reference in New Issue
Block a user