baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cf28e427c20b84924ab453c432bc10e8de332f4a
buun-stack/keycloak/scripts/add-minio-policy.ts
Masaki Yatsu ed1ba74797 feat: add keycloak and postgres
2025-08-15 11:21:54 +09:00

122 lines
3.9 KiB
TypeScript
Raw Blame History

import KcAdminClient from "@keycloak/keycloak-admin-client";
import invariant from "tiny-invariant";
const main = async () => {
const keycloakHost = process.env.KEYCLOAK_HOST;
invariant(keycloakHost, "KEYCLOAK_HOST environment variable is required.");
const adminUsername = process.env.KEYCLOAK_ADMIN_USER;
invariant(adminUsername, "KEYCLOAK_ADMIN_USER environment variable is required.");
const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD;
invariant(adminPassword, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
const realmName = process.env.KEYCLOAK_REALM;
invariant(realmName, "KEYCLOAK_REALM environment variable is required");
const minioClientId = process.env.MINIO_OIDC_CLIENT_ID;
invariant(minioClientId, "MINIO_OIDC_CLIENT_ID environment variable is required");
const policyValue = process.env.MINIO_POLICY || "readwrite";
console.log(`Setting minioPolicy attribute with value: ${policyValue}`);
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${keycloakHost}`,
realmName: "master",
});
try {
await kcAdminClient.auth({
username: adminUsername,
password: adminPassword,
grantType: "password",
clientId: "admin-cli",
});
console.log("Authentication successful.");
// Set realm to work with
kcAdminClient.setConfig({
realmName,
});
// Get current User Profile configuration
const userProfile = await kcAdminClient.users.getProfile();
// Check if minioPolicy attribute already exists
const existingAttribute = userProfile.attributes?.find(
(attr: any) => attr.name === "minioPolicy"
);
if (existingAttribute) {
console.log("minioPolicy attribute already exists in User Profile.");
} else {
// Add minioPolicy attribute to User Profile with proper permissions
if (!userProfile.attributes) {
userProfile.attributes = [];
}
userProfile.attributes.push({
name: "minioPolicy",
displayName: "MinIO Policy",
permissions: {
view: ["admin", "user"],
edit: ["admin"],
},
validations: {
options: { options: ["readwrite", "readonly", "writeonly"] },
},
});
// Update User Profile
await kcAdminClient.users.updateProfile(userProfile);
console.log(
"minioPolicy attribute added to User Profile successfully with admin edit permissions."
);
}
// Create protocol mapper for the minioPolicy attribute if it doesn't exist
const minioClient = await kcAdminClient.clients.find({ clientId: minioClientId });
if (minioClient.length === 0) {
console.error(`Client '${minioClientId}' not found.`);
// eslint-disable-next-line unicorn/no-process-exit
process.exit(1);
}
const clientId = minioClient[0].id;
invariant(clientId, "Client ID is required");
// Check if the mapper already exists
const mappers = await kcAdminClient.clients.listProtocolMappers({ id: clientId });
const existingMapper = mappers.find((mapper) => mapper.name === "MinIO Policy");
if (existingMapper) {
console.log("MinIO Policy mapper already exists.");
} else {
// Create the protocol mapper
await kcAdminClient.clients.addProtocolMapper(
{ id: clientId },
{
name: "MinIO Policy",
protocol: "openid-connect",
protocolMapper: "oidc-usermodel-attribute-mapper",
config: {
"userinfo.token.claim": "true",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "minioPolicy",
"jsonType.label": "String",
"user.attribute": "minioPolicy",
multivalued: "false",
},
}
);
console.log("MinIO Policy mapper created successfully.");
}
} catch (error) {
console.error("An error occurred:", error);
// eslint-disable-next-line unicorn/no-process-exit
process.exit(1);
}
};
main();
Reference in New Issue View Git Blame Copy Permalink