keycloak group members causes LDAP query for each individual user - keycloak

I have a keycloak instance with a read only LDAP Federation. I add members to groups by searching for both GROUP_ID and USER_ID (which queries the LDAP server) and then using a 'PUT' to add the USER to the GROUP (I use python to parse the JSON):
GROUP_ID=$(curl -s -H "Authorization: bearer $ACCESS_TOKEN" \
https://${KEYCLOAK_SERVER}/auth/admin/realms/myrealm/groups|python -c '
import json,sys,os;keycloak_data=json.load(sys.stdin);
GROUP=os.environ["GROUP"]
for g in keycloak_data:
if g["name"]==GROUP:
print g["id"]
sys.exit()
')
USER_ID=$(curl -s -H "Authorization: bearer $ACCESS_TOKEN" \
https://${KEYCLOAK_SERVER}/auth/admin/realms/myrealm/users?username=$USER | python -c '
import json,sys,os;keycloak_data=json.load(sys.stdin)
USERID=os.environ["USER"]
for c in keycloak_data:
if c["attributes"]["LDAP_ID"][0]==USERID:
print c["id"]
sys.exit()
')
echo "Adding $USER to $GROUP GROUP_ID=$GROUP_ID USER_ID=$USER_ID"
curl -s -X PUT -H "Authorization: bearer $ACCESS_TOKEN" \
https://${KEYCLOAK_SERVER}/auth/admin/realms/myrealm/users/$USER_ID/groups/$GROUP_ID
Above works great. But when I want to get a list of the members in that group it queries LDAP for every user (which can take a long time if there are over 100 users in a group)
curl -s -H "Authorization: bearer $ACCESS_TOKEN" \
https://${KEYCLOAK_SERVER}/auth/admin/realms/myrealm/groups/$GROUP_ID/members
Any way to query the group membership without triggering an LDAP query for every member of the group? I have already tried changing the LDAP Cache settings under the LDAP Federation and doesn't seem to help.
I just want to know (quickly) which users are in a given keycloak group.

Related

GitHub Actions: Must have admin rights to trigger workflow_dispatch?

Using the github API I am trying to manually start a workflow using:
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: MY_TOKEN" \
https://api.github.com/repos/djpr-data/djprdashdata/actions/workflows/refresh-data.yaml/dispatches
but I keep getting an authentication error:
{
"message": "Must have admin rights to Repository.",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-workflow-dispatch-event"
}
This seems to be a similar issue to this question. But my PAT token has all admin and repo scopes selected. I also have my user account setup as admin for the repository and I have added a workflow dispatch to the workflow yaml file.
workflow_dispatch:
inputs:
tags:
description:
"run from cmdline"
I have been following the docs at https://docs.github.com/en/rest/actions/workflows#create-a-workflow-dispatch-event and have had no problems using the API to retrieve all previous workflow jobs. I have also tried the runs and jobs endpoints but get the same error. So I am now not sure what else I can do. Is there somewhere else I need to set permissions?
Thanks
This is a poor error message to tell you that your request is not formed correctly. If you want to pass a PAT as a header, you need to prefix it with token, as described in the docs:
-H "Authorization: token MY_TOKEN"
Once that's resolved, however, you'll also get an error because you don't pass the required ref payload. Assuming your default branch is main, here's a correct curl command:
> export MY_TOKEN=gha_abcdef
> curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token $MY_TOKEN" \
-d '{"ref": "main"}' \
https://api.github.com/repos/djpr-data/djprdashdata/actions/workflows/refresh-data.yaml/dispatches

Configuration of reCAPTCHA for Keycloak via CLI

Is there a way to configure reCAPTCHA via the CLI for a Keycloak standalone installation? To be more precise, is it possible to carry out all the steps described here in the Keycloak docs with the help of kcadm.sh?
You can achieve that by using Keycloak Admin REST API.
The first step is to get an admin token, so that one can call the Rest API:
curl -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
https://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token
You will get a json response with the admin token. Extract the access token from that response (lets called $ACCESS_TOKEN).
Now, we need to get the list of all executions linked to the registration flow:
curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/authentication/flows/registration/executions \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
From that json response, extract the id of the "providerId=registration-recaptcha-action". Lets call that id, $ID_RECAPTCHA.
Next make the reCaptcha required at the registration:
CAPTCHA_DATA='{"id":"$ID_RECAPTCHA","requirement":"REQUIRED","providerId":"registration-recaptcha-action"}'
curl -X PUT https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/authentication/flows/registration/executions \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"\
-d "$JSON_DATA"
Finally, to configure your own captcha:
CONFIG_DATA='{"config":{"site.key":"<YOUR SITE KEY>","secret":"<YOUR SECRET>","useRecaptchaNet":"<True or False>"},"alias":"<The CAPTCHA ALIAS>"}'
curl -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/authentication/executions/$ID_RECAPTCHA/config \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"\
Next, the best thing is to automatize this process with, for instance, some bash scripts.

Trying to create a usergroup in Jira Cloud with REST API

I have an upcoming tool migration where I can import assignees but not inactive ones - and there is no user group by default with only active users.
So I've exported all jira users and filtered based on active - so I have a nice list of all their usernames/emails. Now I want to use the REST API to create a usergroup from the list and add each user.
From the API documentation, it's pretty straightforward:
curl --request POST \
--url '/rest/api/3/group/user' \
--header 'Authorization: Bearer <access_token>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{
"accountId": "384093:32b4d9w0-f6a5-3535-11a3-9c8c88d10192"
}'
However, I'm not about to type in one by one the accountIds. How can I specify an excel list or how else can i achieve this?
Easier than I thought - Just made a bash script where accountId's is the variable to cycle through the addresses.

Google Cloud SQL import database programatically (without prompt)

I want to export a database and import the output into another database programatically. This is what I have so far:
gcloud sql export sql instance_name gs://bucketname/db.gz --database=db_name
gcloud sql databases create new_db --instance=instance_name
gcloud sql import sql instance_name gs://bucketname/db.gz --database=new_db
Created database [new_db].
instance: instance_name
Data from [gs://bucketname/db.gz]
will be imported to [instance_name].
Do you want to continue (Y/n)
As you can see the prompt is the issue.
How can I import it without being prompted? Is there another way to import an export?
You can use --quiet, -q parameter when running your gcloud command as shown below:
gcloud sql import sql instance_name gs://bucketname/db.gz --database=new_db -q
The gcloud Reference official documentation contains the following explanation about this parameter in case you want to take a look on it:
--quiet, -q
Disable all interactive prompts when running gcloud commands. If input
is required, defaults will be used, or an error will be raised.
Overrides the default core/disable_prompts property value for this
command invocation. Must be used at the beginning of commands. This is
equivalent to setting the environment variable
CLOUDSDK_CORE_DISABLE_PROMPTS to 1.
Additionally, you can perform the import/export tasks by using cURL API calls as an alternative option; In this way, you just need to send the authorized requests to the service.
*Importing:
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header 'Content-Type: application/json' \
--data '{"importContext":
{"fileType": "SQL",
"uri": "gs://[BUCKET_NAME]/[PATH_TO_DUMP_FILE]",
"database": "[DATABASE_NAME]" }}' \
-X POST \
https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/import
*Exporting:
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)" curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header 'Content-Type: application/json' \
--data '{"exportContext":
{"fileType": "SQL",
"uri": "gs://<BUCKET_NAME>/<PATH_TO_DUMP_FILE>",
"databases": ["<DATABASE_NAME1>", "<DATABASE_NAME2>"] }}' \
-X POST \
https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/export

Remove all members from a group in WSO2 IS using SCIM endpoints

I have created one group in WSO2 IS by using SCIM endpoint. Then i updated the group with some members. Now i want to remove all the members from the group, I have used the same update command to do this, But i couldn't remove all the members from the group. No errors are there.
I have used the following curl commands to do this.
Create Group :
curl -v -k --user admin:admin --data "{"displayName": "groupname"}" --header "Content-Type:application/json" https://example.com:9443/wso2/scim/Groups
Update group to add one member :
curl -v -k --user admin:admin -X PUT -d "{"displayName": 'groupname' ,"members":[{"value":"dfd437b5-2e52-4077-9c31-84bc2ea8c117","display":"hasinitg"}]}" --header "Content-Type:application/json" https://example.com:9443/wso2/scim/Groups/328b8e27-4869-45c5-9857-1afa9aaacf59
Update group to remove the existing member :
curl -v -k --user admin:admin -X PUT -d "{"displayName": 'groupname' }" --header "Content-Type:application/json" https://example.com:9443/wso2/scim/Groups/328b8e27-4869-45c5-9857-1afa9aaacf59
In the current implementation it doest support to remove all members. To get this done what you will have to do is. Delete the existing group and create it with the same name.