From 42a4fa05d6a8d452bd4b24769010902b5480f486 Mon Sep 17 00:00:00 2001
From: vcestone
Date: Thu, 18 Jun 2020 18:54:43 +0200
Subject: [PATCH] XQuery scripts to create d4science OIDC clients on keycloak

---
 src/xquery/create-client.xq | 33 ++++++++++++
 src/xquery/d4s-gateways.xqm | 10 ++++
 src/xquery/gateways.xq | 2 +
 src/xquery/keycloak-clients.xqm | 91 +++++++++++++++++++++++++++++++++
 4 files changed, 136 insertions(+)
 create mode 100644 src/xquery/create-client.xq
 create mode 100644 src/xquery/d4s-gateways.xqm
 create mode 100644 src/xquery/gateways.xq
 create mode 100644 src/xquery/keycloak-clients.xqm

diff --git a/src/xquery/create-client.xq b/src/xquery/create-client.xq
new file mode 100644
index 0000000..d866512
--- /dev/null
+++ b/src/xquery/create-client.xq
@@ -0,0 +1,33 @@
+
+import module namespace c = 'urn:nubisware:keycloak:clients' at 'keycloak-clients.xqm';
+import module namespace gw = 'urn:nubisware:d4science:gateways' at 'd4s-gateways.xqm';
+
+
+declare function local:build-clientId($gateway) {
+ replace($gateway, 'https://', '')
+};
+
+declare function local:build-client-def($gateway) {
+ let $clientId := local:build-clientId($gateway)
+ let $baseUrl := $gateway || '/'
+ let $redirectUri := $gateway || '/*'
+ let $login_theme := "d4science"
+ return map {
+ "clientId" : $clientId,
+ "baseUrl" : $baseUrl,
+ "redirectUri" : $redirectUri,
+ "login_theme" : $login_theme
+ }
+};
+
+let $dummy := ''
+
+(: delete all clients
+ gw:list() ! c:delete-client(local:build-clientId(.))
+:)
+
+(: add all clients
+ gw:list() ! c:create-client(local:build-client-def(.))
+:)
+
+return gw:list() ! c:create-client(local:build-client-def(.))
\ No newline at end of file
diff --git a/src/xquery/d4s-gateways.xqm b/src/xquery/d4s-gateways.xqm
new file mode 100644
index 0000000..3506702
--- /dev/null
+++ b/src/xquery/d4s-gateways.xqm
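Review bot: `local:build-client-def` registers `$gateway || '/*'` as the redirect URI for whatever string `gw:list()` scraped, while `local:build-clientId` only strips a literal `https://` prefix, so an `http://` href or one carrying a path, query or trailing slash lands unchanged in the clientId and in the redirect-URI wildcard that the OIDC client will trust. Validate the origin before building the definition, e.g. `if (not(matches($gateway, '^https://[^/?#]+$'))) then error(xs:QName('local:bad-gateway'), 'not an https origin: ' || $gateway) else ...`, so a malformed entry aborts the run instead of being registered. `let $dummy := ''` is unused and can be dropped. The commented-out "delete all clients" block removes every gateway client in one go when re-enabled; a comment such as `(: DESTRUCTIVE: deletes every client derived from gw:list() in the target realm :)` would make that consequence visible to the next maintainer.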
@@ -0,0 +1,10 @@
+module namespace gw = 'urn:nubisware:d4science:gateways';
+
+declare variable $gw:url := 'https://services.d4science.org/thematic-gateways';
+
+
+declare function gw:list() {
+ let $req :=
+ return http:send-request($req, $gw:url)//a[@class='entry-link']/@href/data() ! replace(., '/explore', '')
+};
+
diff --git a/src/xquery/gateways.xq b/src/xquery/gateways.xq
new file mode 100644
index 0000000..5f63503
--- /dev/null
+++ b/src/xquery/gateways.xq
@@ -0,0 +1,2 @@
+
+http:send-request()//a[@class='entry-link']/@href/data() ! replace(., '/explore', '')
\ No newline at end of file
diff --git a/src/xquery/keycloak-clients.xqm b/src/xquery/keycloak-clients.xqm
new file mode 100644
index 0000000..2c6ddb7
--- /dev/null
+++ b/src/xquery/keycloak-clients.xqm
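Review bot: `gw:list()` takes the href of every `a.entry-link` on the live page at `$gw:url` as the authoritative list of OIDC clients to create, without checking the response status or that each href is an https origin on an expected host; anyone who can place a link on that page, or an error or proxied response, then decides which redirect URIs create-client.xq registers in Keycloak. Fail on a non-200 response and filter the hrefs, e.g. `let $resp := http:send-request($req, $gw:url) return if ($resp[1]/@status != '200') then error(xs:QName('gw:fetch'), 'gateway list: HTTP ' || $resp[1]/@status) else $resp[2]//a[@class='entry-link']/@href/data()[starts-with(., 'https://')] ! replace(., '/explore$', '')`. The `replace(., '/explore', '')` pattern is unanchored and removes every `/explore` in the href rather than only the trailing segment, hence the `'/explore$'` above. The `http:request` element after `let $req :=` is not visible in this rendering (presumably stripped markup), so its method and headers could not be reviewed.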
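Review bot: This two-line script repeats the XPath and `replace` of `gw:list()` in d4s-gateways.xqm, so the two copies will drift and a fix to one (such as anchoring the `'/explore'` pattern) will not reach the other. Replace the body with `import module namespace gw = 'urn:nubisware:d4science:gateways' at 'd4s-gateways.xqm'; gw:list()`. The argument of `http:send-request()` is not visible in this rendering, presumably a stripped `http:request` element.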
@@ -0,0 +1,91 @@ +module namespace c = 'urn:nubisware:keycloak:clients'; + +declare variable $c:keycloak-url := 'http://localhost:8080'; +declare variable $c:token-url := '/auth/realms/master/protocol/openid-connect/token'; +declare variable $c:clients-url := '/auth/admin/realms/test/clients'; + + +declare function c:get-token() { + let $url := $c:keycloak-url || $c:token-url + + let $form-params := map { + 'grant_type': 'password', + 'client_id': 'admin-cli', + 'username': 'admin', + 'password': 'admin' + } + + let $body := substring(web:create-url('', $form-params), 2) + + let $http-req := + + + + + let $token := http:send-request($http-req, $url, $body)[2]//access__token/data() + return $token +}; + + +declare function c:create-client($params) { + let $client-def := ``[ + { + "clientId": "`{$params?clientId}`", + "baseUrl": "`{$params?baseUrl}`", + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "`{$params?redirectUri}`" + ], + "webOrigins": [ + "/*" + ], + "standardFlowEnabled": true, + "directAccessGrantsEnabled": true, + "publicClient": true, + "protocol": "openid-connect", + "attributes": { + "login_theme": "`{$params?login_theme}`" + }, + "fullScopeAllowed": true + } + ]`` + + let $token := c:get-token() + let $url := $c:keycloak-url || $c:clients-url + + let $http-req := + + + + + + let $resp := http:send-request($http-req, $url, $client-def) + + return $params?clientId || ' : ' || $resp[1]/@status/data() || ' ' || $resp[1]/@message/data() +}; + + +declare function c:delete-client($clientId) { + let $token := c:get-token() + let $url := $c:keycloak-url || $c:clients-url + + let $geturl := web:create-url($url, map { "clientId" : $clientId }) + let $http-req := + + + + + let $resp := http:send-request($http-req, $geturl) + let $id := $resp[2]/json/_[clientId=$clientId]/id/data() + + return if ($id) then + let $delurl := $url || '/' || $id + let $http-req := + + + + + let $resp := http:send-request($http-req, $delurl) + 
return $clientId || ' : ' || $resp[1]/@status/data() || ' ' || $resp[1]/@message/data() +}; \ No newline at end of file
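Review bot: `c:get-token` logs in to the master realm with `'username': 'admin', 'password': 'admin'` hard-coded in the module via the `admin-cli` password grant, so anyone with the repository holds a full-admin credential for the Keycloak instance, and every `c:create-client`/`c:delete-client` call runs with far more privilege than managing clients in the `test` realm needs. Read them from the environment, `'username': environment-variable('KEYCLOAK_ADMIN_USER'), 'password': environment-variable('KEYCLOAK_ADMIN_PASSWORD')`, prefer a realm-scoped service account with only `manage-clients`, and check `$resp[1]/@status` before returning `$token`, since a failed login currently yields an empty token that is silently sent on the next request. In the client definition, `"publicClient": true` together with `"directAccessGrantsEnabled": true` turns on the password grant for every gateway client, which browser redirect flows do not need and should default to `false`. The JSON is assembled by interpolating `$params?clientId`, `$params?baseUrl` and `$params?redirectUri` into a string template without escaping, so a quote in a scraped href breaks or alters the payload; building it as a `map{}` and serializing it with `json:serialize` would avoid that. The `http:request` elements after each `let $http-req :=` are not visible in this rendering, presumably stripped markup, so the Authorization and content-type headers they carry could not be reviewed.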