Merge pull request #5 from forths/master

新增获取角色下所有关联权限的功能

Author: gemfield

README.md

@@ -50,7 +50,7 @@ RBAC python implementation based on Keycloak
 
 * [x] 角色和权限关联
 * [x] 取消角色和权限关联
-* [ ] 获取角色的权限
+* [x] 获取角色的权限
 * [x] 获取权限关联的角色
 
 ## 用户和角色

demos/admindemo.py

@@ -4,13 +4,14 @@
 sys.path.append(pwd.replace('/demos', ''))
 from pyKeyCloakRBAC.pyrbac import PyRBACAdmin
 
-# 配置是否需要测试
-testdict = {'roletest': False, 'usertest': False, 'resourcetest': False,
-            'permissiontest': False, 'policytest': False, 'user_role': False,
+# 配置是否需要演示
+testdict = {'roletest': True, 'usertest': True, 'resourcetest': True,
+            'permissiontest': True, 'policytest': True, 'user_role': True,
             'role_permission': True}
 
 if __name__ == '__main__':
-    server_url = "http://xxxx:xxxx/auth/"
+    # keycloak实际地址
+    server_url = "http://host:port/auth/"
     # 管理员操作
     username = "realmadmin"
     password = "1111"
@@ -75,8 +76,8 @@
         new_info = {'emailVerified': True, 'attributes': {'count': ['999']}}
         print('\t', pa.update_user(uid, new_info))
         print('\t', pa.get_user(uid))
-        print('删除用户 {}'.format(username))
-        print('\t', pa.delete_user(uid))
+        # print('删除用户 {}'.format(username))
+        # print('\t', pa.delete_user(uid))
 
     # 操作用户和角色
     if testdict['user_role']:
@@ -109,5 +110,7 @@
         print("\t", pa.op_permission_with_role(resource_client, resource, rolename))
         print('获取权限{}关联的角色：'.format(resource))
         print('\t', pa.get_permission_roles(resource_client, resource))
-        print('角色{}取消权限{}: '.format(rolename, resource))
-        print("\t", pa.op_permission_with_role(resource_client, resource, rolename, op="delete"))
+        # print('角色{}取消权限{}: '.format(rolename, resource))
+        # print("\t", pa.op_permission_with_role(resource_client, resource, rolename, op="delete"))
+        print('获取角色{}的所有权限: '.format(rolename))
+        print("\t", pa.get_role_permissions(resource_client, rolename))

pyKeyCloakRBAC/pyrbac.py

@@ -64,25 +64,26 @@ def get_client_policies(self, client_id):
                        "cid": self.get_client_id(client_id)}
         data_raw = self.raw_get(url.format(**params_path))
         return raise_error_from_response(data_raw, KeycloakGetError)
-    
+
     def create_policy(self, client_id, policyname, rolename):
         try:
             rid = self.get_role_id(rolename)
             payload = {"type": "role", "logic": "POSITIVE",
-                    "decisionStrategy": "UNANIMOUS", "name": policyname, "roles": [{"id": rid}]}
+                       "decisionStrategy": "AFFIRMATIVE", "name": policyname, "roles": [{"id": rid}]}
             cid = self.get_client_id(client_id)
             url = "admin/realms/{realm-name}/clients/{cid}/authz/resource-server/policy/role"
             params_path = {"realm-name": self.realm_name, "cid": cid}
             data_raw = self.raw_post(url.format(**params_path),
-                                    data=json.dumps(payload))
+                                     data=json.dumps(payload))
             return raise_error_from_response(data_raw, KeycloakGetError)
         except Exception as e:
             return self.errormsg(str(e))
 
     def delete_policy(self, client_id, policyname):
         try:
             url = 'admin/realms/{realm-name}/clients/{cid}/authz/resource-server/policy/{pid}'
-            params_path = {"realm-name": self.realm_name, "cid": self.get_client_id(client_id), 'pid': self.get_policy_id(client_id, policyname)}
+            params_path = {"realm-name": self.realm_name, "cid": self.get_client_id(
+                client_id), 'pid': self.get_policy_id(client_id, policyname)}
             rawdata = self.raw_delete(url.format(**params_path))
             return raise_error_from_response(rawdata, KeycloakGetError)
         except Exception as e:
@@ -105,7 +106,7 @@ def create_client_permission(self, client_id, resource):
         try:
             cid = self.get_client_id(client_id)
             url = "admin/realms/{realm-name}/clients/{cid}/authz/resource-server/permission/resource"
-            payload = {"type": "resource", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
+            payload = {"type": "resource", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE",
                        "name": resource, "resources": [self.get_resource_id(client_id, resource)], "policies": []}
             params_path = {"realm-name": self.realm_name, "cid": cid}
             data_raw = self.raw_post(url.format(
@@ -120,7 +121,8 @@ def get_resources(self, client_id):
 
     def get_resource_id(self, client_id, resourcename):
         url = "admin/realms/{realm-name}/clients/{cid}/authz/resource-server/resource/search?name={rn}"
-        params_path = {'realm-name':self.realm_name, 'cid': self.get_client_id(client_id), 'rn': resourcename}
+        params_path = {'realm-name': self.realm_name,
+                       'cid': self.get_client_id(client_id), 'rn': resourcename}
         raw_data = self.raw_get(url.format(**params_path))
         if raw_data.status_code == 200:
             return raw_data.json()['_id']
@@ -134,20 +136,29 @@ def get_permissions(self, client_id, permission=None):
             params_path = {"realm-name": self.realm_name, "cid": cid}
         else:
             url = 'admin/realms/{realm-name}/clients/{cid}/authz/resource-server/policy/search?name={pname}'
-            params_path = {'realm-name': self.realm_name, 'cid': cid, 'pname':permission}
+            params_path = {'realm-name': self.realm_name,
+                           'cid': cid, 'pname': permission}
         raw_data = self.raw_get(url.format(**params_path))
         return raise_error_from_response(raw_data, KeycloakGetError)
 
+    def delete_permission(self, client_id, permission):
+        url = 'admin/realms/{realm-admin}/clients/{cid}/authz/resource-server/permission/{pid}'
+        params_path = {'realm-name': self.realm_name, 'cid': self.get_client_id(
+            client_id), 'pid': self.get_permissions(client_id, permission)['id']}
+        raw_data = self.raw_delete(url.format(**params_path))
+        return raise_error_from_response(raw_data, KeycloakGetError)
+
     # 角色和权限操作
     def op_permission_with_role(self, client_id, permission, role, op="assign"):
         url = 'admin/realms/{realm-name}/clients/{cid}/authz/resource-server/permission/resource/{pid}'
         perm = self.get_permissions(client_id, permission)
         src_roles = self.get_permission_roles(client_id, permission)
         src_role_ids = [rid['id'] for rid in src_roles]
         npoid = self.get_policy_id(client_id, role)
-        payload = {"id": perm['id'], "name": permission, "type": "resource", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS"}
+        payload = {"id": perm['id'], "name": permission, "type": "resource",
+                   "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE"}
         params_path = {'realm-name': self.realm_name,
-                        'pid': perm['id'], 'cid': self.get_client_id(client_id)}
+                       'pid': perm['id'], 'cid': self.get_client_id(client_id)}
         if op == "assign":
             if npoid in src_role_ids:
                 return {}
@@ -160,23 +171,33 @@ def op_permission_with_role(self, client_id, permission, role, op="assign"):
                 src_role_ids.remove(npoid)
         payload["resources"] = [self.get_resource_id(client_id, permission)]
         payload["policies"] = src_role_ids
-        data_raw = self.raw_put(url.format(**params_path), data=json.dumps(payload))
+        data_raw = self.raw_put(url.format(
+            **params_path), data=json.dumps(payload))
         return raise_error_from_response(data_raw, KeycloakGetError)
 
-#     def get_role_permissions(self, rolename):
-#         rid = self.get_role_id(rolename)
-#         if not rid:
-#             return self.errormsg("role {} not found".format(rolename))
-#         url = "admin/realms/{realm-name}/groups/{rid}/role-mappings/clients/{cid}"
-#         self.get_admin_cid()
-#         params_path = {"realm-name": self.realm_name,
-#                        "rid": rid, "cid": self.cid}
-#         data_raw = self.raw_get(url.format(**params_path))
-#         return raise_error_from_response(data_raw, KeycloakGetError, expected_code=200)
+    def get_role_permissions(self, client_id, rolename):
+        client_settings = self.get_client_authz_settings(
+            self.get_client_id(client_id)).json()
+        policies = client_settings.get("policies")
+        permissions = []
+        role = None
+        for rolep in policies:
+            if rolep['type'] == 'role' and not role:
+                if rolep['name'] == rolename:
+                    role = rolep
+            else:
+                if rolep['type'] == 'resource':
+                    rolepolicies = rolep['config'].get(
+                        'applyPolicies') if rolep['config'].get('applyPolicies') else []
+                    permissions.extend(
+                        [{'id': rolep['id'], 'name': rolep['name']}] if rolename in rolepolicies else [])
+        role['permissions'] = permissions
+        return role
 
     def get_permission_roles(self, client_id, permission):
         url = 'admin/realms/{realm-name}/clients/{cid}/authz/resource-server/policy/{pid}/associatedPolicies'
-        params_path = {'realm-name': self.realm_name, 'cid': self.get_client_id(client_id), 'pid': self.get_permissions(client_id, permission)['id']}
+        params_path = {'realm-name': self.realm_name, 'cid': self.get_client_id(
+            client_id), 'pid': self.get_permissions(client_id, permission)['id']}
         rawdata = self.raw_get(url.format(**params_path))
         return raise_error_from_response(rawdata, KeycloakGetError)