updated get_token to actually work

2023-01-11 10:47:35 -05:00 · 2023-01-11 10:47:35 -05:00 · 4f04ed7169
parent 77e4e017a3
commit 4f04ed7169
1 changed files with 66 additions and 48 deletions
--- a/bin/get_token
+++ b/bin/get_token
@ -11,8 +11,7 @@ set -o errtrace -o errexit -o nounset -o pipefail
 # so we can see what resources that user has access to

 # originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c
-# btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration
-# token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
+# btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
 # some UMA stuff at https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-obtaining-permission.adoc,
 # though resource_set docs are elsewhere.

@ -21,11 +20,13 @@ set -o errtrace -o errexit -o nounset -o pipefail
 # ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script
 # ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models'

-HOSTNAME=localhost:7002
+# KEYCLOAK_BASE_URL=http://localhost:7002
+KEYCLOAK_BASE_URL=https://keycloak.dev.spiffworkflow.org
+# BACKEND_BASE_URL=http://localhost:7000
+BACKEND_BASE_URL=https://api.dev.spiffworkflow.org
 REALM_NAME=spiffworkflow
-USERNAME=${1-ciuser1}
-PASSWORD=${2-ciuser1}
-URI_TO_TEST_AGAINST=${3-'%2Fprocess-models%2Fcategory_number_one%2Fprocess-model-with-repeating-form'}
+USERNAME=${1-fin}
+PASSWORD=${2-fin}

 FRONTEND_CLIENT_ID=spiffworkflow-frontend
 BACKEND_CLIENT_ID=spiffworkflow-backend
@ -33,7 +34,7 @@ BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"  # noqa: S105
 SECURE=false

 BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64)
-KEYCLOAK_URL=http://$HOSTNAME/realms/$REALM_NAME/protocol/openid-connect/token
+KEYCLOAK_URL=$KEYCLOAK_BASE_URL/realms/$REALM_NAME/protocol/openid-connect/token

 echo "Using Keycloak: $KEYCLOAK_URL"
 echo "realm: $REALM_NAME"
@ -49,55 +50,72 @@ else
 	INSECURE=--insecure
 fi

+
+### Basic auth test with backend
 result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
 -H "Content-Type: application/x-www-form-urlencoded" \
+ -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
 -d "username=$USERNAME" \
 -d "password=$PASSWORD" \
 -d 'grant_type=password' \
- -d "client_id=$FRONTEND_CLIENT_ID" \
-)
-frontend_token=$(jq -r '.access_token' <<< "$result")
-
-result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
- -H "Content-Type: application/x-www-form-urlencoded" \
- --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
 -d "client_id=$BACKEND_CLIENT_ID" \
- -d "subject_token=${frontend_token}" \
- -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
- -d "audience=${BACKEND_CLIENT_ID}" \
 )
 backend_token=$(jq -r '.access_token' <<< "$result")
+curl --fail -v "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token"

-if [[ "$backend_token" != 'null' ]]; then
-  echo "backend_token: $backend_token"

-  echo "Getting resource set"
-  # everything_resource_id='446bdcf4-a3bd-41c7-a0f8-67a225ba6b57'
-  resource_result=$(curl -s "http://${HOSTNAME}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${URI_TO_TEST_AGAINST}" -H "Authorization: Bearer $backend_token")
-  # resource_result=$(curl -s "http://${HOSTNAME}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=false&deep=true&max=-1&exactName=false&type=admin" -H "Authorization: Bearer $backend_token")
+### Get with frontend and exchange with backend - not configured to work in keycloak atm
+# result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
+#  -H "Content-Type: application/x-www-form-urlencoded" \
+#  -d "username=$USERNAME" \
+#  -d "password=$PASSWORD" \
+#  -d 'grant_type=password' \
+#  -d "client_id=$FRONTEND_CLIENT_ID" \
+# )
+# frontend_token=$(jq -r '.access_token' <<< "$result")
+#
+# result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
+#  -H "Content-Type: application/x-www-form-urlencoded" \
+#  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
+#  -d "client_id=$BACKEND_CLIENT_ID" \
+#  -d "subject_token=${frontend_token}" \
+#  -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
+#  -d "audience=${BACKEND_CLIENT_ID}" \
+# )
+# backend_token=$(jq -r '.access_token' <<< "$result")

-  resource_id_name_pairs=$(jq -r '.[] | "\(._id):\(.name)"' <<<"$resource_result" || echo '')
-  if [[ -z "$resource_id_name_pairs" || "$resource_id_name_pairs" == "null" ]]; then
-    >&2 echo "ERROR: Could not find the resource id from the result: ${resource_result}"
-    exit 1
-  fi
-  echo $resource_id_name_pairs
-
-  echo "Getting permissions"
-  for resource_id_name_pair in $resource_id_name_pairs ; do
-    resource_id=$(awk -F ':' '{print $1}' <<<"$resource_id_name_pair")
-    resource_name=$(awk -F ':' '{print $2}' <<<"$resource_id_name_pair")
-
-    echo "Checking $resource_name"
-    curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
-      -H "Content-Type: application/x-www-form-urlencoded" \
-      -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
-      -d "audience=${BACKEND_CLIENT_ID}" \
-      --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
-      -d "permission=${resource_id}" \
-      -d "subject_token=${backend_token}" \
-      | jq .
-  done
-else
-  echo "Failed auth result: $result"
-fi
+### Check fine grain permissions - does not work currently
+# URI_TO_TEST_AGAINST=${3-'%2Fprocess-models%2Fcategory_number_one%2Fprocess-model-with-repeating-form'}
+# if [[ "$backend_token" != 'null' ]]; then
+#   echo "backend_token: $backend_token"
+#
+#   echo "Getting resource set"
+#   # everything_resource_id='446bdcf4-a3bd-41c7-a0f8-67a225ba6b57'
+#   resource_result=$(curl -s "${BASE_URL}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${URI_TO_TEST_AGAINST}" -H "Authorization: Bearer $backend_token")
+#   # resource_result=$(curl -s "${BASE_URL}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=false&deep=true&max=-1&exactName=false&type=admin" -H "Authorization: Bearer $backend_token")
+#
+#   resource_id_name_pairs=$(jq -r '.[] | "\(._id):\(.name)"' <<<"$resource_result" || echo '')
+#   if [[ -z "$resource_id_name_pairs" || "$resource_id_name_pairs" == "null" ]]; then
+#     >&2 echo "ERROR: Could not find the resource id from the result: ${resource_result}"
+#     exit 1
+#   fi
+#   echo $resource_id_name_pairs
+#
+#   echo "Getting permissions"
+#   for resource_id_name_pair in $resource_id_name_pairs ; do
+#     resource_id=$(awk -F ':' '{print $1}' <<<"$resource_id_name_pair")
+#     resource_name=$(awk -F ':' '{print $2}' <<<"$resource_id_name_pair")
+#
+#     echo "Checking $resource_name"
+#     curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
+#       -H "Content-Type: application/x-www-form-urlencoded" \
+#       -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
+#       -d "audience=${BACKEND_CLIENT_ID}" \
+#       --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
+#       -d "permission=${resource_id}" \
+#       -d "subject_token=${backend_token}" \
+#       | jq .
+#   done
+# else
+#   echo "Failed auth result: $result"
+# fi