package keycloak import ( "context" "fmt" "net/http" "net/url" "time" oidc "github.com/coreos/go-oidc" "github.com/pkg/errors" "gopkg.in/h2non/gentleman.v2" "gopkg.in/h2non/gentleman.v2/plugin" "gopkg.in/h2non/gentleman.v2/plugins/query" "gopkg.in/h2non/gentleman.v2/plugins/timeout" ) // Config is the keycloak client http config. type Config struct { Addr string Timeout time.Duration } // Client is the keycloak client. type Client struct { url *url.URL httpClient *gentleman.Client } // New returns a keycloak client. func New(config Config) (*Client, error) { var u *url.URL { var err error u, err = url.Parse(config.Addr) if err != nil { return nil, errors.Wrap(err, "could not parse URL") } } var httpClient = gentleman.New() { httpClient = httpClient.URL(u.String()) httpClient = httpClient.Use(timeout.Request(config.Timeout)) } return &Client{ url: u, httpClient: httpClient, }, nil } // getToken returns a valid token from keycloak. func (c *Client) GetToken(realm string, username string, password string) (string, error) { var req *gentleman.Request { var authPath = fmt.Sprintf("/auth/realms/%s/protocol/openid-connect/token", realm) req = c.httpClient.Post() req = req.SetHeader("Content-Type", "application/x-www-form-urlencoded") req = req.Path(authPath) req = req.Type("urlencoded") req = req.BodyString(fmt.Sprintf("username=%s&password=%s&grant_type=password&client_id=admin-cli", username, password)) } var resp *gentleman.Response { var err error resp, err = req.Do() if err != nil { return "", errors.Wrap(err, "could not get token") } } defer resp.Close() var unmarshalledBody map[string]interface{} { var err error err = resp.JSON(&unmarshalledBody) if err != nil { return "", errors.Wrap(err, "could not unmarshal response") } } var accessToken interface{} { var ok bool accessToken, ok = unmarshalledBody["access_token"] if !ok { return "", fmt.Errorf("could not find access token in response body") } } fmt.Printf("%s", accessToken.(string)) fmt.Println() return accessToken.(string), nil } // verifyToken token verify a token. It returns an error it is malformed, expired,... func (c *Client) VerifyToken(realmName string, accessToken string) error { var oidcProvider *oidc.Provider { var err error var issuer = fmt.Sprintf("%s/auth/realms/%s", c.url.String(), realmName) oidcProvider, err = oidc.NewProvider(context.Background(), issuer) if err != nil { return errors.Wrap(err, "could not create oidc provider") } } var v = oidcProvider.Verifier(&oidc.Config{SkipClientIDCheck: true}) var err error _, err = v.Verify(context.Background(), accessToken) return err } // get is a HTTP get method. func (c *Client) get(accessToken string, data interface{}, plugins ...plugin.Plugin) error { var req = c.httpClient.Get() req = applyPlugins(req, accessToken, plugins...) var resp *gentleman.Response { var err error resp, err = req.Do() if err != nil { return errors.Wrap(err, "could not get response") } switch { case resp.StatusCode == http.StatusUnauthorized: return fmt.Errorf("unauthorized request: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 400: return fmt.Errorf("invalid status code: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 200: switch resp.Header.Get("Content-Type") { case "application/json": return resp.JSON(data) case "application/octet-stream": data = resp.Bytes() return nil default: return fmt.Errorf("unkown http content-type: %v", resp.Header.Get("Content-Type")) } default: return fmt.Errorf("unknown response status code: %v", resp.StatusCode) } } } func (c *Client) post(accessToken string, data interface{}, plugins ...plugin.Plugin) (string, error) { var req = c.httpClient.Post() req = applyPlugins(req, accessToken, plugins...) var resp *gentleman.Response { var err error resp, err = req.Do() if err != nil { return "", errors.Wrap(err, "could not get response") } switch { case resp.StatusCode == http.StatusUnauthorized: return "", fmt.Errorf("unauthorized request: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 400: return "", fmt.Errorf("invalid status code: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 200: var location = resp.Header.Get("Location") switch resp.Header.Get("Content-Type") { case "application/json": return location, resp.JSON(data) case "application/octet-stream": data = resp.Bytes() return location, nil default: return location, nil } default: return "", fmt.Errorf("unknown response status code: %v", resp.StatusCode) } } } func (c *Client) delete(accessToken string, plugins ...plugin.Plugin) error { var req = c.httpClient.Delete() req = applyPlugins(req, accessToken, plugins...) var resp *gentleman.Response { var err error resp, err = req.Do() if err != nil { return errors.Wrap(err, "could not get response") } switch { case resp.StatusCode == http.StatusUnauthorized: return fmt.Errorf("unauthorized request: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 400: return fmt.Errorf("invalid status code: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 200: return nil default: return fmt.Errorf("unknown response status code: %v", resp.StatusCode) } } } func (c *Client) put(accessToken string, plugins ...plugin.Plugin) error { var req = c.httpClient.Put() req = applyPlugins(req, accessToken, plugins...) var resp *gentleman.Response { var err error resp, err = req.Do() if err != nil { return errors.Wrap(err, "could not get response") } switch { case resp.StatusCode == http.StatusUnauthorized: return fmt.Errorf("unauthorized request: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 400: return fmt.Errorf("invalid status code: '%v': %v", resp.RawResponse.Status, string(resp.Bytes())) case resp.StatusCode >= 200: return nil default: return fmt.Errorf("unknown response status code: %v", resp.StatusCode) } } } // applyPlugins apply all the plugins to the request req. func applyPlugins(req *gentleman.Request, accessToken string, plugins ...plugin.Plugin) *gentleman.Request { var r = req.SetHeader("Authorization", fmt.Sprintf("Bearer %s", accessToken)) for _, p := range plugins { r = r.Use(p) } return r } // createQueryPlugins create query parameters with the key values paramKV. func createQueryPlugins(paramKV ...string) []plugin.Plugin { var plugins = []plugin.Plugin{} for i := 0; i < len(paramKV); i += 2 { var k = paramKV[i] var v = paramKV[i+1] plugins = append(plugins, query.Set(k, v)) } return plugins } func str(s string) *string { return &s }