From df959ee17d39518dc8eb17d50a33e7a71a1848b3 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Sat, 3 Jan 2026 15:43:07 -0300 Subject: [PATCH] keycloak: enable fine-grained token exchange authz --- services/keycloak/deployment.yaml | 2 +- services/keycloak/kustomization.yaml | 1 + ...al-e2e-token-exchange-permissions-job.yaml | 235 ++++++++++++++++++ 3 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 services/keycloak/portal-e2e-token-exchange-permissions-job.yaml diff --git a/services/keycloak/deployment.yaml b/services/keycloak/deployment.yaml index e632d7d..48cf5e0 100644 --- a/services/keycloak/deployment.yaml +++ b/services/keycloak/deployment.yaml @@ -104,7 +104,7 @@ spec: - name: KC_HTTP_ENABLED value: "true" - name: KC_FEATURES - value: token-exchange + value: token-exchange,admin-fine-grained-authz - name: KC_HTTP_MANAGEMENT_PORT value: "9000" - name: KC_HTTP_MANAGEMENT_BIND_ADDRESS diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml index 80c504c..f3f91ab 100644 --- a/services/keycloak/kustomization.yaml +++ b/services/keycloak/kustomization.yaml @@ -9,6 +9,7 @@ resources: - realm-settings-job.yaml - portal-e2e-client-job.yaml - portal-e2e-target-client-job.yaml + - portal-e2e-token-exchange-permissions-job.yaml - ldap-federation-job.yaml - user-overrides-job.yaml - service.yaml diff --git a/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml new file mode 100644 index 0000000..2610f6d --- /dev/null +++ b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml @@ -0,0 +1,235 @@ +# services/keycloak/portal-e2e-token-exchange-permissions-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: keycloak-portal-e2e-token-exchange-permissions-1 + namespace: sso +spec: + backoffLimit: 0 + template: + spec: + restartPolicy: Never + containers: + - name: configure + image: python:3.11-alpine + env: + - name: KEYCLOAK_SERVER + value: http://keycloak.sso.svc.cluster.local + - name: KEYCLOAK_REALM + value: atlas + - name: KEYCLOAK_ADMIN_USER + valueFrom: + secretKeyRef: + name: keycloak-admin + key: username + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: keycloak-admin + key: password + - name: PORTAL_E2E_CLIENT_ID + value: test-portal-e2e + - name: TARGET_CLIENT_ID + value: bstein-dev-home + command: ["/bin/sh", "-c"] + args: + - | + set -euo pipefail + python - <<'PY' + import json + import os + import re + import urllib.parse + import urllib.error + import urllib.request + from typing import Any + + base_url = os.environ["KEYCLOAK_SERVER"].rstrip("/") + realm = os.environ["KEYCLOAK_REALM"] + admin_user = os.environ["KEYCLOAK_ADMIN_USER"] + admin_password = os.environ["KEYCLOAK_ADMIN_PASSWORD"] + e2e_client_id = os.environ["PORTAL_E2E_CLIENT_ID"] + target_client_id = os.environ["TARGET_CLIENT_ID"] + + uuid_re = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE) + + def is_uuid(value: str) -> bool: + return bool(uuid_re.match(value)) + + def http_json(method: str, url: str, token: str, payload: Any | None = None): + data = None + headers = {"Authorization": f"Bearer {token}"} + if payload is not None: + data = json.dumps(payload).encode() + headers["Content-Type"] = "application/json" + req = urllib.request.Request(url, data=data, headers=headers, method=method) + try: + with urllib.request.urlopen(req, timeout=30) as resp: + body = resp.read() + if not body: + return resp.status, None + return resp.status, json.loads(body.decode()) + except urllib.error.HTTPError as exc: + raw = exc.read() + if not raw: + return exc.code, None + try: + return exc.code, json.loads(raw.decode()) + except Exception: + return exc.code, {"raw": raw.decode(errors="replace")} + + def get_admin_token() -> str: + token_data = urllib.parse.urlencode( + { + "grant_type": "password", + "client_id": "admin-cli", + "username": admin_user, + "password": admin_password, + } + ).encode() + req = urllib.request.Request( + f"{base_url}/realms/master/protocol/openid-connect/token", + data=token_data, + headers={"Content-Type": "application/x-www-form-urlencoded"}, + method="POST", + ) + try: + with urllib.request.urlopen(req, timeout=15) as resp: + body = json.loads(resp.read().decode()) + except urllib.error.HTTPError as exc: + raw = exc.read().decode(errors="replace") + raise SystemExit(f"Token request failed: status={exc.code} body={raw}") + return body["access_token"] + + def find_client_uuid(token: str, client_id: str) -> str: + status, clients = http_json( + "GET", + f"{base_url}/admin/realms/{realm}/clients?clientId={urllib.parse.quote(client_id)}", + token, + ) + if status != 200 or not isinstance(clients, list) or not clients: + raise SystemExit(f"Unable to find client {client_id!r} (status={status})") + for item in clients: + if isinstance(item, dict) and item.get("clientId") == client_id and item.get("id"): + return item["id"] + raise SystemExit(f"Client {client_id!r} has no id") + + token = get_admin_token() + + rm_uuid = find_client_uuid(token, "realm-management") + e2e_uuid = find_client_uuid(token, e2e_client_id) + target_uuid = find_client_uuid(token, target_client_id) + + def enable_and_get_permissions(url: str) -> dict[str, Any]: + status, resp = http_json("PUT", url, token, {"enabled": True}) + if status not in (200, 204): + raise SystemExit(f"Failed enabling permissions at {url} (status={status}) resp={resp}") + status, perms = http_json("GET", url, token) + if status != 200 or not isinstance(perms, dict): + raise SystemExit(f"Failed reading permissions at {url} (status={status}) resp={perms}") + return perms + + users_perms = enable_and_get_permissions(f"{base_url}/admin/realms/{realm}/users-management-permissions") + users_scope_perms = users_perms.get("scopePermissions") or {} + if not isinstance(users_scope_perms, dict): + raise SystemExit("Users management permissions missing scopePermissions") + impersonate_perm_id = users_scope_perms.get("impersonate") or users_scope_perms.get("impersonation") + if not impersonate_perm_id: + keys = sorted(k for k in users_scope_perms.keys()) + raise SystemExit(f"Users permissions missing impersonate scope (have: {keys})") + + target_perms = enable_and_get_permissions( + f"{base_url}/admin/realms/{realm}/clients/{target_uuid}/management/permissions" + ) + target_scope_perms = target_perms.get("scopePermissions") or {} + if not isinstance(target_scope_perms, dict): + raise SystemExit("Target client permissions missing scopePermissions") + token_exchange_perm_id = target_scope_perms.get("token-exchange") + if not token_exchange_perm_id: + keys = sorted(k for k in target_scope_perms.keys()) + raise SystemExit(f"Target client permissions missing token-exchange scope (have: {keys})") + + policy_name = "test-portal-e2e-token-exchange" + status, policies = http_json( + "GET", + f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/authz/resource-server/policy/search?name={urllib.parse.quote(policy_name)}&fields=id,name,type,config", + token, + ) + policy = None + if status == 200 and isinstance(policies, list): + for item in policies: + if isinstance(item, dict) and item.get("name") == policy_name: + policy = item + break + + if policy is None: + create_rep: dict[str, Any] = { + "name": policy_name, + "type": "client", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": {"clients": json.dumps([e2e_uuid])}, + } + status, created = http_json( + "POST", + f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/authz/resource-server/policy", + token, + create_rep, + ) + if status != 201 or not isinstance(created, dict) or not created.get("id"): + raise SystemExit(f"Failed creating policy {policy_name!r} (status={status}) resp={created}") + policy = created + + policy_id = policy.get("id") + if not isinstance(policy_id, str) or not policy_id: + raise SystemExit(f"Policy {policy_name!r} missing id") + + def patch_permission(permission_id: str): + candidates = [ + f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/authz/resource-server/permission/scope/{permission_id}", + f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/authz/resource-server/permission/resource/{permission_id}", + f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/authz/resource-server/permission/{permission_id}", + ] + perm = None + url_used = None + for url in candidates: + st, body = http_json("GET", url, token) + if st == 200 and isinstance(body, dict): + perm = body + url_used = url + break + if perm is None or url_used is None: + raise SystemExit(f"Unable to fetch permission {permission_id} via expected endpoints") + + policies_field = perm.get("policies") + if isinstance(policies_field, list): + policies_list = [p for p in policies_field if isinstance(p, str)] + else: + policies_list = [] + + use_ids = any(is_uuid(p) for p in policies_list) + entry = policy_id if use_ids else policy_name + if entry in policies_list: + return + + policies_list.append(entry) + perm["policies"] = policies_list + st, body = http_json("PUT", url_used, token, perm) + if st in (200, 204): + return + + # Retry once with the other identifier form. + alt_entry = policy_name if entry == policy_id else policy_id + if alt_entry not in policies_list: + perm["policies"] = [p for p in policies_list if p != entry] + [alt_entry] + st2, body2 = http_json("PUT", url_used, token, perm) + if st2 in (200, 204): + return + raise SystemExit(f"Failed updating permission {permission_id} (status={st2}) resp={body2}") + raise SystemExit(f"Failed updating permission {permission_id} (status={st}) resp={body}") + + patch_permission(str(impersonate_perm_id)) + patch_permission(str(token_exchange_perm_id)) + + print("OK: configured token exchange permissions for portal E2E client") + PY