From 723d36abecb27c2cc09c50726b5d1e482dd117da Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Tue, 8 Feb 2022 11:17:29 +0100
Subject: [PATCH 1/8] Add/Remove Group from Admin scripts

---
 scripts/addGroupToDrupalAdmins.sh      | 44 ++++++++++++++++++++++++++
 scripts/removeGroupFromDrupalAdmins.sh | 44 ++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100755 scripts/addGroupToDrupalAdmins.sh
 create mode 100755 scripts/removeGroupFromDrupalAdmins.sh

diff --git a/scripts/addGroupToDrupalAdmins.sh b/scripts/addGroupToDrupalAdmins.sh
new file mode 100755
index 0000000..32033ef
--- /dev/null
+++ b/scripts/addGroupToDrupalAdmins.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+usage() { echo "Usage: $0 [--group-name <GROUP>]" 1>&2; exit 1; }
+# Options
+ARGS=$(getopt -o 'g:' --long 'group-name:' -- "$@") || exit 1
+eval "set -- $ARGS"
+
+while true; do
+  case "$1" in
+    (-g|--group-name)
+      GROUP_NAME="$2"; shift 2;;
+    (--) shift; break;;
+    (*) usage;;
+  esac
+done
+
+[[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
+[[ -z "${GROUP_NAME}" ]] && usage
+
+export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
+export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
+export KC_CLIENT_ID=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
+export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
+export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
+export AUTHZAPI_VERSION="api/v1.0"
+
+APPLICATION_ID=$(oc get applicationregistration -o json | jq -r '.items[0].status.id')
+# Retrieve list of Roles
+ROLE_LIST=$(curl --silent -X GET "${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Application/${APPLICATION_ID}/roles" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" )
+# Extract Administrator ID from roles
+ROLE_ID=$(echo $ROLE_LIST | jq -r '.data[] | select(.name=="administrator") | .id')
+
+GROUP_EXISTS=$(curl --silent -X GET "${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Group/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
+
+if [[ $GROUP_EXISTS != "200" ]]; then
+    echo "Error trying to find group in API, error code: ${GROUP_EXISTS}"
+    exit 1
+fi
+
+SUCCESS=$(curl --silent -X POST "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
+if [[ $SUCCESS != "200" ]]; then
+    echo "Error binding group to admin role, error code: ${SUCCESS}"
+    exit 1
+fi
+echo "Successfully binded ${GROUP_NAME} to applicationID ${APPLICATION_ID}"
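Review bot: The token request puts the Keycloak client secret on curl's command line (`-d "...client_secret=${KC_CLIENT_SECRET}..."`), where it is readable from the process list while the call runs, and `export` then passes both `KC_CLIENT_SECRET` and `BEARER_TOKEN` to every child process. Feed the form body on stdin instead, e.g. `curl -m 45 --silent --fail -XPOST "${KC_ISSUER_URL}/api-access/token" --data @- <<<"grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api"`, and assign these two variables without `export`. That form also quotes `${KC_ISSUER_URL}`, which is unquoted in the hunk. The bearer token has the same exposure in the `-H "Authorization: Bearer ${BEARER_TOKEN}"` arguments of the later calls. The same lines appear in scripts/removeGroupFromDrupalAdmins.sh in this patch.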
diff --git a/scripts/removeGroupFromDrupalAdmins.sh b/scripts/removeGroupFromDrupalAdmins.sh
new file mode 100755
index 0000000..5af745a
--- /dev/null
+++ b/scripts/removeGroupFromDrupalAdmins.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+usage() { echo "Usage: $0 [--group-name <GROUP>]" 1>&2; exit 1; }
+# Options
+ARGS=$(getopt -o 'g:' --long 'group-name:' -- "$@") || exit 1
+eval "set -- $ARGS"
+
+while true; do
+  case "$1" in
+    (-g|--group-name)
+      GROUP_NAME="$2"; shift 2;;
+    (--) shift; break;;
+    (*) usage;;
+  esac
+done
+
+[[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
+[[ -z "${GROUP_NAME}" ]] && usage
+
+export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
+export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
+export KC_CLIENT_ID=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
+export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
+export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
+export AUTHZAPI_VERSION="api/v1.0"
+
+APPLICATION_ID=$(oc get applicationregistration -o json | jq -r '.items[0].status.id')
+# Retrieve list of Roles
+ROLE_LIST=$(curl --silent -X GET "${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Application/${APPLICATION_ID}/roles" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" )
+# Extract Administrator ID from roles
+ROLE_ID=$(echo $ROLE_LIST | jq -r '.data[] | select(.name=="administrator") | .id')
+
+GROUP_EXISTS=$(curl --silent -X GET "${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Group/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
+
+if [[ $GROUP_EXISTS != "200" ]]; then
+    echo "Error trying to find group in API, error code: ${GROUP_EXISTS}"
+    exit 1
+fi
+
+SUCCESS=$(curl --silent -X DELETE "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
+if [[ $SUCCESS != "200" ]]; then
+    echo "Error binding group to admin role, error code: ${SUCCESS}"
+    exit 1
+fi
+echo "Successfully removed ${GROUP_NAME} to applicationID ${APPLICATION_ID}"
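Review bot: Nothing checks that `BEARER_TOKEN`, `APPLICATION_ID` and `ROLE_ID` were actually resolved before the `DELETE` is sent: `jq -r` prints the literal `null` for a missing field, and the role-list `curl` has no `--fail`, so an error body leaves `ROLE_ID` empty. The request then goes to a path such as `.../roles/null/groups/...` and the operator sees only a bare HTTP code. Add a guard after each lookup, e.g. `[[ -n "${ROLE_ID}" && "${ROLE_ID}" != "null" ]] || { echo "administrator role not found" >&2; exit 1; }`. `${GROUP_NAME}` is also placed in the URL path exactly as typed, so restrict it to the characters a group identifier may contain before using it. The add script earlier in this patch has the same gaps.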
-- 
GitLab


From 2e4ae9396365e59f62803938e1bf44cfe38a0042 Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Tue, 8 Feb 2022 11:39:33 +0100
Subject: [PATCH 2/8] Script to recreate AdminRole

---
 scripts/recreateDrupalAdminRole.sh | 41 ++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100755 scripts/recreateDrupalAdminRole.sh

diff --git a/scripts/recreateDrupalAdminRole.sh b/scripts/recreateDrupalAdminRole.sh
new file mode 100755
index 0000000..4bb7e67
--- /dev/null
+++ b/scripts/recreateDrupalAdminRole.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+usage() { echo "Usage: $0 [--project <PROJECT>]" 1>&2; exit 1;  }
+# Options
+ARGS=$(getopt -o 'p:' --long 'project:' -- "$@") || exit 1
+eval "set -- $ARGS"
+
+while true; do
+  case "$1" in
+    (-p|--projec)
+      PROJECT="$2"; shift 2;;
+    (--) shift; break;;
+    (*) usage;;
+  esac
+done
+
+[[ -z "${KUBECONFIG}"  ]] && echo "No cluster access!" && usage
+[[ -z "${PROJECT}"  ]] && usage
+
+ROLE_NAME="new-administrator"
+ADMIN='
+{
+    "apiVersion": "webservices.cern.ch/v1alpha1",
+    "kind": "BootstrapApplicationRole",
+    "metadata": {
+        "name": "'${ROLE_NAME}'",
+        "namespace": "'${PROJECT}'"
+     },
+    "spec": {
+         "applyToAllUsers": false,
+         "description": "Role for Administrators of the Drupal website",
+         "displayName": "Administrator",
+         "minLevelOfAssurance": 5,
+         "multifactorRequired": false,
+         "name": "administrator",
+         "required": false
+    }
+}
+'
+createRole=$(echo ${ADMIN} | oc apply -f -)
+echo $createRole
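Review bot: The manifest is assembled by splicing `${PROJECT}` into a JSON string, so a value containing a double quote changes the structure of the object handed to `oc apply` rather than only its namespace, and the unquoted `echo ${ADMIN}` additionally exposes the text to globbing. Build the document with `jq -n --arg`, which escapes both values; jq is already required by the other scripts in this series. Piping straight into `oc apply` also lets the script's exit status reflect whether the role was created, whereas the final `echo $createRole` always exits 0.

```shell
# … unchanged: option parsing and KUBECONFIG/PROJECT checks …
ROLE_NAME="new-administrator"
ADMIN=$(jq -n --arg name "${ROLE_NAME}" --arg namespace "${PROJECT}" '{
  apiVersion: "webservices.cern.ch/v1alpha1",
  kind: "BootstrapApplicationRole",
  metadata: {name: $name, namespace: $namespace},
  spec: {
    applyToAllUsers: false,
    description: "Role for Administrators of the Drupal website",
    displayName: "Administrator",
    minLevelOfAssurance: 5,
    multifactorRequired: false,
    name: "administrator",
    required: false
  }
}') || exit 1
printf '%s\n' "${ADMIN}" | oc apply -f -
```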
-- 
GitLab


From 03c3e8ee517877170e0568cfe88f9d21f45627f3 Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Tue, 8 Feb 2022 11:50:22 +0100
Subject: [PATCH 3/8] Require project field

---
 scripts/addGroupToDrupalAdmins.sh      | 9 ++++++---
 scripts/removeGroupFromDrupalAdmins.sh | 9 ++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/scripts/addGroupToDrupalAdmins.sh b/scripts/addGroupToDrupalAdmins.sh
index 32033ef..c2aa98d 100755
--- a/scripts/addGroupToDrupalAdmins.sh
+++ b/scripts/addGroupToDrupalAdmins.sh
@@ -1,13 +1,15 @@
 #!/bin/bash
-usage() { echo "Usage: $0 [--group-name <GROUP>]" 1>&2; exit 1; }
+usage() { echo "Usage: $0 [--group-name <GROUP> --project <PROJECT>]" 1>&2; exit 1; }
 # Options
-ARGS=$(getopt -o 'g:' --long 'group-name:' -- "$@") || exit 1
+ARGS=$(getopt -o 'g:p:' --long 'group-name:project:' -- "$@") || exit 1
 eval "set -- $ARGS"
 
 while true; do
   case "$1" in
     (-g|--group-name)
       GROUP_NAME="$2"; shift 2;;
+    (-p|--project)
+      PROJECT="$2"; shift 2;;
     (--) shift; break;;
     (*) usage;;
   esac
@@ -15,6 +17,7 @@ done
 
 [[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
 [[ -z "${GROUP_NAME}" ]] && usage
+[[ -z "${PROJECT}" ]] && usage
 
 export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
 export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
@@ -23,7 +26,7 @@ export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operato
 export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
 export AUTHZAPI_VERSION="api/v1.0"
 
-APPLICATION_ID=$(oc get applicationregistration -o json | jq -r '.items[0].status.id')
+APPLICATION_ID=$(oc get applicationregistration -n ${PROJECT} -o json | jq -r '.items[0].status.id')
 # Retrieve list of Roles
 ROLE_LIST=$(curl --silent -X GET "${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Application/${APPLICATION_ID}/roles" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" )
 # Extract Administrator ID from roles
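Review bot: `-n ${PROJECT}` is unquoted, so a project value containing spaces is split into extra `oc` arguments; write `oc get applicationregistration -n "${PROJECT}" -o json`. The lookup also takes `.items[0]` without checking how many ApplicationRegistration objects the namespace holds, so with more than one the admin-role change is applied to whichever is listed first. Consider failing unless exactly one item is returned. The identical line in scripts/removeGroupFromDrupalAdmins.sh needs the same change; both scripts continue outside these hunks.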
diff --git a/scripts/removeGroupFromDrupalAdmins.sh b/scripts/removeGroupFromDrupalAdmins.sh
index 5af745a..53a94c0 100755
--- a/scripts/removeGroupFromDrupalAdmins.sh
+++ b/scripts/removeGroupFromDrupalAdmins.sh
@@ -1,13 +1,15 @@
 #!/bin/bash
-usage() { echo "Usage: $0 [--group-name <GROUP>]" 1>&2; exit 1; }
+usage() { echo "Usage: $0 [--group-name <GROUP> --project <PROJECT>]" 1>&2; exit 1; }
 # Options
-ARGS=$(getopt -o 'g:' --long 'group-name:' -- "$@") || exit 1
+ARGS=$(getopt -o 'g:p:' --long 'group-name:project:' -- "$@") || exit 1
 eval "set -- $ARGS"
 
 while true; do
   case "$1" in
     (-g|--group-name)
       GROUP_NAME="$2"; shift 2;;
+    (-p|--project)
+      PROJECT="$2"; shift 2;;
     (--) shift; break;;
     (*) usage;;
   esac
@@ -15,6 +17,7 @@ done
 
 [[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
 [[ -z "${GROUP_NAME}" ]] && usage
+[[ -z "${PROJECT}" ]] && usage
 
 export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
 export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
@@ -23,7 +26,7 @@ export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operato
 export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
 export AUTHZAPI_VERSION="api/v1.0"
 
-APPLICATION_ID=$(oc get applicationregistration -o json | jq -r '.items[0].status.id')
+APPLICATION_ID=$(oc get applicationregistration -n ${PROJECT} -o json | jq -r '.items[0].status.id')
 # Retrieve list of Roles
 ROLE_LIST=$(curl --silent -X GET "${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Application/${APPLICATION_ID}/roles" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" )
 # Extract Administrator ID from roles
-- 
GitLab


From 131e7d3f0b937f47bd63718cf46392635759b595 Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Wed, 9 Feb 2022 18:14:59 +0100
Subject: [PATCH 4/8] Applied changes based on suggestions

---
 scripts/addGroupToDrupalAdmins.sh      | 10 ++++++----
 scripts/recreateDrupalAdminRole.sh     |  2 ++
 scripts/removeGroupFromDrupalAdmins.sh | 10 ++++++----
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/scripts/addGroupToDrupalAdmins.sh b/scripts/addGroupToDrupalAdmins.sh
index c2aa98d..6e8a6cb 100755
--- a/scripts/addGroupToDrupalAdmins.sh
+++ b/scripts/addGroupToDrupalAdmins.sh
@@ -18,11 +18,12 @@ done
 [[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
 [[ -z "${GROUP_NAME}" ]] && usage
 [[ -z "${PROJECT}" ]] && usage
+export AUTHZ_OPERATOR_NAMESPACE="openshift-cern-authz-operator"
 
-export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
-export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
-export KC_CLIENT_ID=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
-export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
+export AUTHZAPI_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE} -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
+export KC_ISSUER_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE}  -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
+export KC_CLIENT_ID=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
+export KC_CLIENT_SECRET=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
 export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
 export AUTHZAPI_VERSION="api/v1.0"
 
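Review bot: `export VAR=$(oc get ... | jq ...)` discards the exit status of the pipeline, so if `oc` cannot read `${AUTHZ_OPERATOR_NAMESPACE}` (expired login, missing RBAC) the URLs and Keycloak credentials come back empty or `null` and the script carries on to the API calls. Assign and check each one, e.g. `KC_CLIENT_ID=$(oc get secret -n "${AUTHZ_OPERATOR_NAMESPACE}" operator-keycloak-credentials -o json | jq -er '.data.CLIENT_ID' | base64 -d) || exit 1`, with `set -o pipefail` near the top so an `oc` failure is not hidden by the later stages. The namespace constant itself does not need `export` and its expansions should be quoted. The matching hunk in scripts/removeGroupFromDrupalAdmins.sh has the same pattern.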
@@ -39,6 +40,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
     exit 1
 fi
 
+# This CURL will make an API request to bound ${GROUP_NAME} to ${ROLE_ID} in ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-post_api_v1_0_Application__id__roles__roleid__groups__groupid_
 SUCCESS=$(curl --silent -X POST "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
     echo "Error binding group to admin role, error code: ${SUCCESS}"
diff --git a/scripts/recreateDrupalAdminRole.sh b/scripts/recreateDrupalAdminRole.sh
index 4bb7e67..8e93eee 100755
--- a/scripts/recreateDrupalAdminRole.sh
+++ b/scripts/recreateDrupalAdminRole.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# Whenever requested by user, this will generate a AdminRole in AuthzAPI
+
 usage() { echo "Usage: $0 [--project <PROJECT>]" 1>&2; exit 1;  }
 # Options
 ARGS=$(getopt -o 'p:' --long 'project:' -- "$@") || exit 1
diff --git a/scripts/removeGroupFromDrupalAdmins.sh b/scripts/removeGroupFromDrupalAdmins.sh
index 53a94c0..8656898 100755
--- a/scripts/removeGroupFromDrupalAdmins.sh
+++ b/scripts/removeGroupFromDrupalAdmins.sh
@@ -18,11 +18,12 @@ done
 [[ -z "${KUBECONFIG}" ]] && echo "No cluster access!" && usage
 [[ -z "${GROUP_NAME}" ]] && usage
 [[ -z "${PROJECT}" ]] && usage
+export AUTHZ_OPERATOR_NAMESPACE="openshift-cern-authz-operator"
 
-export AUTHZAPI_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
-export KC_ISSUER_URL=$(oc get deploy/authz-operator -n openshift-cern-authz-operator -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
-export KC_CLIENT_ID=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
-export KC_CLIENT_SECRET=$(oc get secret -n openshift-cern-authz-operator operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
+export AUTHZAPI_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE} -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "AUTHZAPI_URL") | .value')
+export KC_ISSUER_URL=$(oc get deploy/authz-operator -n ${AUTHZ_OPERATOR_NAMESPACE}  -o json | jq -r '.spec.template.spec.containers[0].env[] | select(.name == "KC_ISSUER_URL") | .value')
+export KC_CLIENT_ID=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_ID' | base64 -d)
+export KC_CLIENT_SECRET=$(oc get secret -n ${AUTHZ_OPERATOR_NAMESPACE} operator-keycloak-credentials -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
 export BEARER_TOKEN=$(curl -m 45 --silent --fail -XPOST ${KC_ISSUER_URL}/api-access/token -d "grant_type=client_credentials&client_id=${KC_CLIENT_ID}&client_secret=${KC_CLIENT_SECRET}&audience=authorization-service-api" | jq -r '.access_token')
 export AUTHZAPI_VERSION="api/v1.0"
 
@@ -39,6 +40,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
     exit 1
 fi
 
+# This CURL will make an API request to remove ${GROUP_NAME} of ${ROLE_ID} from ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-delete_api_v1_0_Application__id__roles__roleid__groups__groupid_
 SUCCESS=$(curl --silent -X DELETE "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
     echo "Error binding group to admin role, error code: ${SUCCESS}"
-- 
GitLab


From 190d507e0cb2b0d2b0bec7703aa0fc0499b80388 Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Wed, 16 Feb 2022 13:13:29 +0100
Subject: [PATCH 5/8] Fixed typo on scripts/recreateDrupalAdminRole.sh

---
 scripts/recreateDrupalAdminRole.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/recreateDrupalAdminRole.sh b/scripts/recreateDrupalAdminRole.sh
index 8e93eee..febf824 100755
--- a/scripts/recreateDrupalAdminRole.sh
+++ b/scripts/recreateDrupalAdminRole.sh
@@ -9,7 +9,7 @@ eval "set -- $ARGS"
 
 while true; do
   case "$1" in
-    (-p|--projec)
+    (-p|--project)
       PROJECT="$2"; shift 2;;
     (--) shift; break;;
     (*) usage;;
@@ -19,7 +19,7 @@ done
 [[ -z "${KUBECONFIG}"  ]] && echo "No cluster access!" && usage
 [[ -z "${PROJECT}"  ]] && usage
 
-ROLE_NAME="new-administrator"
+ROLE_NAME="recreated-administrator"
 ADMIN='
 {
     "apiVersion": "webservices.cern.ch/v1alpha1",
-- 
GitLab


From 69dad6a3d87b4326fb2e1708a3acba550591f62f Mon Sep 17 00:00:00 2001
From: Vineet Reddy Rajula <rajula.vineet.reddy@cern.ch>
Date: Wed, 16 Feb 2022 14:27:21 +0100
Subject: [PATCH 6/8] Apply 1 suggestion(s) to 1 file(s)

---
 scripts/removeGroupFromDrupalAdmins.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/removeGroupFromDrupalAdmins.sh b/scripts/removeGroupFromDrupalAdmins.sh
index 8656898..ec5c804 100755
--- a/scripts/removeGroupFromDrupalAdmins.sh
+++ b/scripts/removeGroupFromDrupalAdmins.sh
@@ -41,7 +41,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
 fi
 
 # This CURL will make an API request to remove ${GROUP_NAME} of ${ROLE_ID} from ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-delete_api_v1_0_Application__id__roles__roleid__groups__groupid_
-SUCCESS=$(curl --silent -X DELETE "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
+SUCCESS=$(curl --silent -X DELETE "https://${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
     echo "Error binding group to admin role, error code: ${SUCCESS}"
     exit 1
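Review bot: The new URL prefixes `https://` to `${AUTHZAPI_URL}`, while the role-list and group-exists calls earlier in this script use `"${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/..."` with no scheme, so one of the two forms is wrong. If the variable already carries a scheme this line becomes `https://https://...`; if it does not, the earlier calls let curl fall back to plain HTTP and send the bearer token unencrypted. The value is read from the operator deployment and is not visible here, so confirm which it is and use one form throughout; adding `--proto '=https'` to every curl call makes a cleartext fallback fail closed. The error text just below still says "binding" although this is the removal path. PATCH 8/8 makes the same URL change to the add script.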
-- 
GitLab


From d7496266ab2b5929abf36590e06a4529fac85787 Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Wed, 16 Feb 2022 14:32:13 +0100
Subject: [PATCH 7/8] Clarify comments

---
 scripts/addGroupToDrupalAdmins.sh      | 2 +-
 scripts/removeGroupFromDrupalAdmins.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/addGroupToDrupalAdmins.sh b/scripts/addGroupToDrupalAdmins.sh
index 6e8a6cb..689dda3 100755
--- a/scripts/addGroupToDrupalAdmins.sh
+++ b/scripts/addGroupToDrupalAdmins.sh
@@ -40,7 +40,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
     exit 1
 fi
 
-# This CURL will make an API request to bound ${GROUP_NAME} to ${ROLE_ID} in ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-post_api_v1_0_Application__id__roles__roleid__groups__groupid_
+# Add group ${GROUP_NAME} to ${ROLE_ID} (administrator) in ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-post_api_v1_0_Application__id__roles__roleid__groups__groupid_
 SUCCESS=$(curl --silent -X POST "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
     echo "Error binding group to admin role, error code: ${SUCCESS}"
diff --git a/scripts/removeGroupFromDrupalAdmins.sh b/scripts/removeGroupFromDrupalAdmins.sh
index ec5c804..5d70d49 100755
--- a/scripts/removeGroupFromDrupalAdmins.sh
+++ b/scripts/removeGroupFromDrupalAdmins.sh
@@ -40,7 +40,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
     exit 1
 fi
 
-# This CURL will make an API request to remove ${GROUP_NAME} of ${ROLE_ID} from ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-delete_api_v1_0_Application__id__roles__roleid__groups__groupid_
+# Remove ${GROUP_NAME} of ${ROLE_ID} (administrator) from ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-delete_api_v1_0_Application__id__roles__roleid__groups__groupid_
 SUCCESS=$(curl --silent -X DELETE "https://${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
     echo "Error binding group to admin role, error code: ${SUCCESS}"
-- 
GitLab


From a478e65421d2c3f36edc59065c9cc8b4ee7f86aa Mon Sep 17 00:00:00 2001
From: Vineet Reddy Rajula <rajula.vineet.reddy@cern.ch>
Date: Wed, 16 Feb 2022 14:33:11 +0100
Subject: [PATCH 8/8] Apply 1 suggestion(s) to 1 file(s)

---
 scripts/addGroupToDrupalAdmins.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/addGroupToDrupalAdmins.sh b/scripts/addGroupToDrupalAdmins.sh
index 689dda3..a64aa86 100755
--- a/scripts/addGroupToDrupalAdmins.sh
+++ b/scripts/addGroupToDrupalAdmins.sh
@@ -41,7 +41,7 @@ if [[ $GROUP_EXISTS != "200" ]]; then
 fi
 
 # Add group ${GROUP_NAME} to ${ROLE_ID} (administrator) in ${APPLICATION_ID}, as per https://authorization-service-api.web.cern.ch/swagger/index.html#operations-Application-post_api_v1_0_Application__id__roles__roleid__groups__groupid_
-SUCCESS=$(curl --silent -X POST "https://authorization-service-api.web.cern.ch/api/v1.0/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
+SUCCESS=$(curl --silent -X POST "https://${AUTHZAPI_URL}/${AUTHZAPI_VERSION}/Application/${APPLICATION_ID}/roles/${ROLE_ID}/groups/${GROUP_NAME}" -H  "accept: text/plain" -H  "Authorization: Bearer ${BEARER_TOKEN}" -d "" -o /dev/null -w "%{http_code}")
 if [[ $SUCCESS != "200" ]]; then
     echo "Error binding group to admin role, error code: ${SUCCESS}"
     exit 1
-- 
GitLab