Applied changes based on suggestions

131e7d3f · Francisco Borges Aurindo Barros · 03c3e8ee · 131e7d3f · 131e7d3f · 131e7d3f
Commit 131e7d3f authored 3 years ago by Francisco Borges Aurindo Barros
--- a/scripts/addGroupToDrupalAdmins.sh
+++ b/scripts/addGroupToDrupalAdmins.sh
@@ -18,11 +18,12 @@ done
 [[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
 [[ -z "${GROUP_NAME}" ]] && usage
 [[ -z "${PROJECT}" ]] && usage
+export AUTHZ_OPERATOR_NAMESPACE="openshift-cern-authz-operator"

-export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
-export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
-export KC_CLIENT_ID=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
-export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
+export AUTHZAPI_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE} -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
+export KC_ISSUER_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE}  -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
+export KC_CLIENT_ID=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
+export KC_CLIENT_SECRET=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
 export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
 export AUTHZAPI_VERSION="api/v1.0"

@@ -39,6 +40,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
    exit 1
 fi

+# This CURL will make an API request to bound ${GROUP_NAME} to ${ROLE_ID} in ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-post_api_v1_0_Application__id__roles__roleid__groups__groupid_
 SUCCESS=$(curl --silent -X POST "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
    echo "Error binding group to admin role, error code: ${SUCCESS}"

--- a/scripts/recreateDrupalAdminRole.sh
+++ b/scripts/recreateDrupalAdminRole.sh
 #!/bin/bash

+# Whenever requested by user, this will generate a AdminRole in AuthzAPI
+
 usage() { echo "Usage: $0 [--project <PROJECT>]" 1>&2; exit 1;  }
 # Options
 ARGS=$(getopt -o 'p:' --long 'project:' -- "$@") || exit 1

--- a/scripts/removeGroupFromDrupalAdmins.sh
+++ b/scripts/removeGroupFromDrupalAdmins.sh
@@ -18,11 +18,12 @@ done
 [[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
 [[ -z "${GROUP_NAME}" ]] && usage
 [[ -z "${PROJECT}" ]] && usage
+export AUTHZ_OPERATOR_NAMESPACE="openshift-cern-authz-operator"

-export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
-export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
-export KC_CLIENT_ID=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
-export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
+export AUTHZAPI_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE} -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
+export KC_ISSUER_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE}  -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
+export KC_CLIENT_ID=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
+export KC_CLIENT_SECRET=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
 export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
 export AUTHZAPI_VERSION="api/v1.0"

@@ -39,6 +40,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
    exit 1
 fi

+# This CURL will make an API request to remove ${GROUP_NAME} of ${ROLE_ID} from ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-delete_api_v1_0_Application__id__roles__roleid__groups__groupid_
 SUCCESS=$(curl --silent -X DELETE "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
    echo "Error binding group to admin role, error code: ${SUCCESS}"