updated get_token to actually work

jasquat 2023-01-11 10:47:35 -05:00
parent bac203727e
commit 21d32f00be
1 changed files with 66 additions and 48 deletions


@ -11,8 +11,7 @@ set -o errtrace -o errexit -o nounset -o pipefail
# so we can see what resources that user has access to # so we can see what resources that user has access to
# originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c # originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c
# btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration # btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
# token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
# some UMA stuff at https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-obtaining-permission.adoc, # some UMA stuff at https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-obtaining-permission.adoc,
# though resource_set docs are elsewhere. # though resource_set docs are elsewhere.
@ -21,11 +20,13 @@ set -o errtrace -o errexit -o nounset -o pipefail
# ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script # ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script
# ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models' # ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models'
HOSTNAME=localhost:7002 # KEYCLOAK_BASE_URL=http://localhost:7002
KEYCLOAK_BASE_URL=https://keycloak.dev.spiffworkflow.org
# BACKEND_BASE_URL=http://localhost:7000
BACKEND_BASE_URL=https://api.dev.spiffworkflow.org
REALM_NAME=spiffworkflow REALM_NAME=spiffworkflow
USERNAME=${1-ciuser1} USERNAME=${1-fin}
PASSWORD=${2-ciuser1} PASSWORD=${2-fin}
URI_TO_TEST_AGAINST=${3-'%2Fprocess-models%2Fcategory_number_one%2Fprocess-model-with-repeating-form'}
FRONTEND_CLIENT_ID=spiffworkflow-frontend FRONTEND_CLIENT_ID=spiffworkflow-frontend
BACKEND_CLIENT_ID=spiffworkflow-backend BACKEND_CLIENT_ID=spiffworkflow-backend
@ -33,7 +34,7 @@ BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q" # noqa: S105
SECURE=false SECURE=false
BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64) BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64)
KEYCLOAK_URL=http://$HOSTNAME/realms/$REALM_NAME/protocol/openid-connect/token KEYCLOAK_URL=$KEYCLOAK_BASE_URL/realms/$REALM_NAME/protocol/openid-connect/token
echo "Using Keycloak: $KEYCLOAK_URL" echo "Using Keycloak: $KEYCLOAK_URL"
echo "realm: $REALM_NAME" echo "realm: $REALM_NAME"
@ -49,55 +50,72 @@ else
INSECURE=--insecure INSECURE=--insecure
fi fi
### Basic auth test with backend
result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \ result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
-H "Content-Type: application/x-www-form-urlencoded" \ -H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Basic $BACKEND_BASIC_AUTH" \
-d "username=$USERNAME" \ -d "username=$USERNAME" \
-d "password=$PASSWORD" \ -d "password=$PASSWORD" \
-d 'grant_type=password' \ -d 'grant_type=password' \
-d "client_id=$FRONTEND_CLIENT_ID" \
)
frontend_token=$(jq -r '.access_token' <<< "$result")
result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
-d "client_id=$BACKEND_CLIENT_ID" \ -d "client_id=$BACKEND_CLIENT_ID" \
-d "subject_token=${frontend_token}" \
-H "Authorization: Basic $BACKEND_BASIC_AUTH" \
-d "audience=${BACKEND_CLIENT_ID}" \
) )
backend_token=$(jq -r '.access_token' <<< "$result") backend_token=$(jq -r '.access_token' <<< "$result")
curl --fail -v "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token"
if [[ "$backend_token" != 'null' ]]; then
echo "backend_token: $backend_token"
echo "Getting resource set" ### Get with frontend and exchange with backend - not configured to work in keycloak atm
# everything_resource_id='446bdcf4-a3bd-41c7-a0f8-67a225ba6b57' # result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
resource_result=$(curl -s "http://${HOSTNAME}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${URI_TO_TEST_AGAINST}" -H "Authorization: Bearer $backend_token") # -H "Content-Type: application/x-www-form-urlencoded" \
# resource_result=$(curl -s "http://${HOSTNAME}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=false&deep=true&max=-1&exactName=false&type=admin" -H "Authorization: Bearer $backend_token") # -d "username=$USERNAME" \
# -d "password=$PASSWORD" \
# -d 'grant_type=password' \
# -d "client_id=$FRONTEND_CLIENT_ID" \
# )
# frontend_token=$(jq -r '.access_token' <<< "$result")
#
# result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
# -H "Content-Type: application/x-www-form-urlencoded" \
# --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
# -d "client_id=$BACKEND_CLIENT_ID" \
# -d "subject_token=${frontend_token}" \
# -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
# -d "audience=${BACKEND_CLIENT_ID}" \
# )
# backend_token=$(jq -r '.access_token' <<< "$result")
resource_id_name_pairs=$(jq -r '.[] | "\(._id):\(.name)"' <<<"$resource_result" || echo '') ### Check fine grain permissions - does not work currently
if [[ -z "$resource_id_name_pairs" || "$resource_id_name_pairs" == "null" ]]; then # URI_TO_TEST_AGAINST=${3-'%2Fprocess-models%2Fcategory_number_one%2Fprocess-model-with-repeating-form'}
>&2 echo "ERROR: Could not find the resource id from the result: ${resource_result}" # if [[ "$backend_token" != 'null' ]]; then
exit 1 # echo "backend_token: $backend_token"
fi #
echo $resource_id_name_pairs # echo "Getting resource set"
# # everything_resource_id='446bdcf4-a3bd-41c7-a0f8-67a225ba6b57'
echo "Getting permissions" # resource_result=$(curl -s "${BASE_URL}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${URI_TO_TEST_AGAINST}" -H "Authorization: Bearer $backend_token")
for resource_id_name_pair in $resource_id_name_pairs ; do # # resource_result=$(curl -s "${BASE_URL}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=false&deep=true&max=-1&exactName=false&type=admin" -H "Authorization: Bearer $backend_token")
resource_id=$(awk -F ':' '{print $1}' <<<"$resource_id_name_pair") #
resource_name=$(awk -F ':' '{print $2}' <<<"$resource_id_name_pair") # resource_id_name_pairs=$(jq -r '.[] | "\(._id):\(.name)"' <<<"$resource_result" || echo '')
# if [[ -z "$resource_id_name_pairs" || "$resource_id_name_pairs" == "null" ]]; then
echo "Checking $resource_name" # >&2 echo "ERROR: Could not find the resource id from the result: ${resource_result}"
curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \ # exit 1
-H "Content-Type: application/x-www-form-urlencoded" \ # fi
-H "Authorization: Basic $BACKEND_BASIC_AUTH" \ # echo $resource_id_name_pairs
-d "audience=${BACKEND_CLIENT_ID}" \ #
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ # echo "Getting permissions"
-d "permission=${resource_id}" \ # for resource_id_name_pair in $resource_id_name_pairs ; do
-d "subject_token=${backend_token}" \ # resource_id=$(awk -F ':' '{print $1}' <<<"$resource_id_name_pair")
| jq . # resource_name=$(awk -F ':' '{print $2}' <<<"$resource_id_name_pair")
done #
else # echo "Checking $resource_name"
echo "Failed auth result: $result" # curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
fi # -H "Content-Type: application/x-www-form-urlencoded" \
# -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
# -d "audience=${BACKEND_CLIENT_ID}" \
# --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
# -d "permission=${resource_id}" \
# -d "subject_token=${backend_token}" \
# | jq .
# done
# else
# echo "Failed auth result: $result"
# fi
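Review bot: The new backend probe `curl --fail -v "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token"` runs curl with `-v`, which echoes the outgoing request headers to stderr, so the bearer token ends up in terminal scrollback and in any CI log that captures this script. That line also now runs unguarded: the old side's `if [[ "$backend_token" != 'null' ]]` / `echo "Failed auth result: $result"` branch is commented out in this hunk, so a rejected Keycloak login surfaces as an opaque backend 401 instead of the Keycloak error body that `$result` holds. Suggest restoring the guard and dropping the verbose flag: `[[ "$backend_token" != 'null' ]] || { >&2 echo "Failed auth result: $result"; exit 1; }` followed by `curl --fail -sS "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token"`. Separately, `-d "username=$USERNAME"` and `-d "password=$PASSWORD"` are sent without URL-encoding, so a password containing `&`, `+` or `%` will be mangled; `--data-urlencode` (already used for `grant_type` in the commented block) is the form-safe choice for both fields.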