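#!/usr/bin/env bash
# Script de configuration Keycloak - Utilisateur de test
#
# Idempotent setup through the Keycloak Admin REST API: the realm, the
# application realm roles, a test user holding every role, and the
# "realm roles" protocol mapper on the application client. Each step is
# skipped when the object already exists, so the script can be re-run.
#
# Every setting keeps its original default but can be overridden from the
# environment, e.g. `ADMIN_PASSWORD=... KEYCLOAK_URL=... ./setup.sh`.
#
# Requires: bash 4.3+, curl >= 7.55 (`-H @file`), grep, cut, head, mktemp.
set -euo pipefail

KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8180}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-admin}"
REALM="${REALM:-lions-user-manager}"
TEST_USER="${TEST_USER:-test-user}"
TEST_PASSWORD="${TEST_PASSWORD:-test123}"
TEST_EMAIL="${TEST_EMAIL:-test@lions.dev}"
CLIENT_NAME="${CLIENT_NAME:-lions-user-manager-client}"

# Realm roles the application expects. Names are interpolated into URLs and
# JSON as-is, so they are assumed to be plain identifiers (no quotes, slashes
# or characters needing URL encoding) — the same assumption the original made.
ROLES=("admin" "user_manager" "user_viewer" "role_manager" "role_viewer" "auditor" "sync_manager")

# Private temp dir (mktemp -d → mode 0700) holding the admin password and the
# bearer-token header file. Secrets are fed to curl through files and stdin
# rather than argv, so they are not exposed to other local users via `ps`.
SECRETS_DIR=""
AUTH_HEADER_FILE=""
# Keycloak id of TEST_USER, filled by ensure_user and read by assign_roles.
USER_ID=""

#######################################
# Print an error to stderr and exit 1.
#######################################
die() {
  printf 'ERREUR: %s\n' "$*" >&2
  exit 1
}

cleanup() {
  if [[ -n "$SECRETS_DIR" ]]; then
    rm -rf -- "$SECRETS_DIR"
  fi
}
trap cleanup EXIT

#######################################
# Extract the first "<key>":"<value>" string value from JSON on stdin.
# Grep-based on purpose (no jq dependency); adequate for the flat responses
# consumed here. Prints nothing when the key is absent.
# Arguments: $1 - JSON key
#######################################
json_str() {
  local key=$1
  grep -o "\"${key}\":\"[^\"]*" | cut -d'"' -f4 | head -n 1 || true
}

#######################################
# Build the common curl argument list for an Admin API call into the
# caller's array (nameref).
# Arguments: $1 - name of the output array
#            $2 - HTTP method, $3 - path under /admin/realms, $4 - JSON body
#######################################
_kc_args() {
  local -n out=$1
  local method=$2 path=$3 body=${4-}
  out=(-s -S -X "$method" -H "@${AUTH_HEADER_FILE}" "${KEYCLOAK_URL}/admin/realms${path}")
  if [[ -n "$body" ]]; then
    # The JSON body is read from stdin (`@-`) so request bodies, which may
    # carry the test password, never appear on the command line.
    out+=(-H "Content-Type: application/json" --data-binary @-)
  fi
}

#######################################
# Admin API call; prints the response body. A transport failure propagates
# (set -e / pipefail) and aborts the script.
# Arguments: METHOD PATH [BODY]
#######################################
kc_api() {
  local -a args
  _kc_args args "$@"
  printf '%s' "${3-}" | curl "${args[@]}"
}

#######################################
# Admin API call; prints only the HTTP status code. Prints "000" when the
# server could not be reached — curl exits non-zero then, and the `|| true`
# keeps -e from aborting so the caller can report the code itself.
# Arguments: METHOD PATH [BODY]
#######################################
kc_status() {
  local -a args
  _kc_args args "$@"
  printf '%s' "${3-}" | curl "${args[@]}" -o /dev/null -w '%{http_code}' || true
}

#######################################
# 1. Authenticate against the master realm and write the bearer header file.
# Globals: SECRETS_DIR (read), AUTH_HEADER_FILE (written)
# Exits via die when no access token comes back.
#######################################
admin_login() {
  local pw_file="${SECRETS_DIR}/admin.pw" response token
  printf '%s' "$ADMIN_PASSWORD" > "$pw_file"
  # `password@file` makes curl read and URL-encode the file content, so the
  # password is neither on argv nor broken by form-special characters.
  response=$(curl -s -S -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "username=${ADMIN_USER}" \
    --data-urlencode "password@${pw_file}" \
    -d "grant_type=password" \
    -d "client_id=admin-cli") \
    || die "Impossible de joindre Keycloak sur ${KEYCLOAK_URL}"
  token=$(printf '%s' "$response" | json_str access_token)
  if [[ -z "$token" ]]; then
    printf 'Réponse: %s\n' "$response" >&2
    die "Impossible d'obtenir le token d'administration"
  fi
  AUTH_HEADER_FILE="${SECRETS_DIR}/auth.hdr"
  printf 'Authorization: Bearer %s\n' "$token" > "$AUTH_HEADER_FILE"
}

#######################################
# 2. Create the realm unless GET /admin/realms/{realm} answers 200.
#######################################
ensure_realm() {
  echo "2. Vérification du realm '${REALM}'..."
  if [[ "$(kc_status GET "/${REALM}")" == "200" ]]; then
    echo "✓ Realm existe déjà"
    return
  fi
  echo "Création du realm '${REALM}'..."
  local code
  code=$(kc_status POST "" "{\"realm\": \"${REALM}\", \"enabled\": true}")
  # Any 2xx is accepted so the check does not depend on the exact code.
  [[ "$code" == 2?? ]] || die "Création du realm échouée (HTTP ${code})"
  echo "✓ Realm créé"
}

#######################################
# 3. Create every role in ROLES that does not exist yet; each creation is
#    checked instead of being fired blindly.
#######################################
ensure_roles() {
  echo "3. Création des rôles realm..."
  local role code
  for role in "${ROLES[@]}"; do
    echo " - Vérification du rôle '${role}'..."
    if [[ "$(kc_status GET "/${REALM}/roles/${role}")" == "200" ]]; then
      echo " ✓ Rôle '${role}' existe déjà"
      continue
    fi
    code=$(kc_status POST "/${REALM}/roles" \
      "{\"name\": \"${role}\", \"description\": \"Rôle ${role} pour lions-user-manager\"}")
    [[ "$code" == 2?? ]] || die "Création du rôle '${role}' échouée (HTTP ${code})"
    echo " ✓ Rôle '${role}' créé"
  done
}

#######################################
# Print the id of TEST_USER, or nothing when no such user exists.
# The user search answers 200 with a (possibly empty) list, so existence is
# decided by the presence of an id in the body rather than by the status
# code; `exact=true` keeps the default substring search from matching some
# other user whose name merely contains TEST_USER.
#######################################
lookup_user_id() {
  kc_api GET "/${REALM}/users?username=${TEST_USER}&exact=true" | json_str id
}

#######################################
# 4. Create the test user (and set its password) unless it already exists.
# Globals: USER_ID (written)
#######################################
ensure_user() {
  echo "4. Création de l'utilisateur '${TEST_USER}'..."
  USER_ID=$(lookup_user_id)
  if [[ -n "$USER_ID" ]]; then
    echo " ✓ Utilisateur existe déjà (ID: ${USER_ID})"
    return
  fi
  local code
  code=$(kc_status POST "/${REALM}/users" "{
    \"username\": \"${TEST_USER}\",
    \"email\": \"${TEST_EMAIL}\",
    \"firstName\": \"Test\",
    \"lastName\": \"User\",
    \"enabled\": true,
    \"emailVerified\": true
  }")
  [[ "$code" == 2?? ]] || die "Création de l'utilisateur échouée (HTTP ${code})"
  # The create response body is not relied on for the id; look it up again.
  USER_ID=$(lookup_user_id)
  [[ -n "$USER_ID" ]] || die "Impossible de créer ou récupérer l'utilisateur"
  echo " ✓ Utilisateur créé (ID: ${USER_ID})"

  # Password is only (re)set for a freshly created user, as before.
  code=$(kc_status PUT "/${REALM}/users/${USER_ID}/reset-password" \
    "{\"type\": \"password\", \"value\": \"${TEST_PASSWORD}\", \"temporary\": false}")
  [[ "$code" == 2?? ]] || die "Définition du mot de passe échouée (HTTP ${code})"
  echo " ✓ Mot de passe défini"
}

#######################################
# 5. Map every role in ROLES onto USER_ID in one request.
# Globals: USER_ID, ROLES (read)
#######################################
assign_roles() {
  echo "5. Attribution des rôles à l'utilisateur..."
  local role rep body code
  local -a reps=()
  for role in "${ROLES[@]}"; do
    rep=$(kc_api GET "/${REALM}/roles/${role}")
    [[ -n "$rep" ]] || die "Représentation du rôle '${role}' introuvable"
    reps+=("$rep")
  done
  # Join the role representations into a JSON array; IFS is changed only
  # inside the subshell.
  body=$(IFS=,; printf '%s' "[${reps[*]}]")
  code=$(kc_status POST "/${REALM}/users/${USER_ID}/role-mappings/realm" "$body")
  [[ "$code" == 2?? ]] || die "Attribution des rôles échouée (HTTP ${code})"
  echo " ✓ Rôles assignés"
}

#######################################
# 6. On the application client, add the "realm roles" protocol mapper that
#    puts realm roles into the tokens, unless a mapper of that name exists.
#    A missing client is reported, not created (manual step, as before).
#######################################
ensure_role_mapper() {
  echo "6. Vérification du client '${CLIENT_NAME}'..."
  local client_id mappers code
  client_id=$(kc_api GET "/${REALM}/clients?clientId=${CLIENT_NAME}" | json_str id)
  if [[ -z "$client_id" ]]; then
    echo " ⚠ Client '${CLIENT_NAME}' non trouvé"
    echo " Veuillez créer le client manuellement dans Keycloak"
    return
  fi
  echo " ✓ Client trouvé (ID: ${client_id})"

  mappers=$(kc_api GET "/${REALM}/clients/${client_id}/protocol-mappers/models")
  if [[ "$mappers" == *'"name":"realm roles"'* ]]; then
    echo " ✓ Mapper existe déjà"
    return
  fi
  echo " Création du mapper 'realm roles'..."
  code=$(kc_status POST "/${REALM}/clients/${client_id}/protocol-mappers/models" '{
    "name": "realm roles",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-usermodel-realm-role-mapper",
    "config": {
      "claim.name": "realm_access.roles",
      "access.token.claim": "true",
      "id.token.claim": "true",
      "userinfo.token.claim": "true"
    }
  }')
  [[ "$code" == 2?? ]] || die "Création du mapper échouée (HTTP ${code})"
  echo " ✓ Mapper créé"
}

main() {
  echo "=========================================="
  echo "Configuration Keycloak - Utilisateur Test"
  echo "=========================================="
  echo ""

  SECRETS_DIR=$(mktemp -d) || die "mktemp a échoué"

  echo "1. Authentification admin..."
  admin_login
  echo "✓ Token obtenu"
  echo ""

  ensure_realm
  echo ""
  ensure_roles
  echo ""
  ensure_user
  echo ""
  assign_roles
  echo ""
  ensure_role_mapper
  echo ""

  echo "=========================================="
  echo "Configuration terminée !"
  echo "=========================================="
  echo ""
  echo "Informations de connexion:"
  echo " Username: ${TEST_USER}"
  echo " Password: ${TEST_PASSWORD}"
  echo " Email: ${TEST_EMAIL}"
  echo ""
  echo "Rôles assignés: ${ROLES[*]}"
  echo ""
}

main "$@"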