Release

.github/workflows/docker-publish-develop.yml

@@ -14,11 +14,9 @@ on:
     branches: [ "develop" ]
 
 env:
-  # Use docker.io for Docker Hub if empty
-  REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
+  GITHUB_REGISTRY: ghcr.io
+  DOCKER_REGISTRY: docker.io
   IMAGE_NAME: ${{ github.repository }}
-
 jobs:
   build:
 
@@ -48,11 +46,11 @@ jobs:
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
+      - name: Log into registry ${{ env.GITHUB_REGISTRY }}
         if: github.event_name != 'pull_request'
         uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ env.GITHUB_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
@@ -62,7 +60,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=raw,value=develop
             type=ref,event=tag
@@ -81,35 +79,35 @@ jobs:
           cache-to: type=gha,mode=max
 
 
-#      # Sign the resulting Docker image digest except on PRs.
-#      # This will only write to the public Rekor transparency log when the Docker
-#      # repository is public to avoid leaking data.  If you would like to publish
-#      # transparency data even for private images, pass --force to cosign below.
-#      # https://github.com/sigstore/cosign
-#      - name: Sign the published Docker image
-#        if: ${{ github.event_name != 'pull_request' }}
-#        env:
-#          COSIGN_EXPERIMENTAL: "true"
-#        # This step uses the identity token to provision an ephemeral certificate
-#        # against the sigstore community Fulcio instance.
-#        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
-#
-#      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
-#        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
-#        with:
-#          username: ${{ secrets.DOCKER_USERNAME }}
-#          password: ${{ secrets.DOCKER_PASSWORD }}
-#
-#      - name: Extract metadata (tags, labels) for Docker
-#        id: docker_meta
-#        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
-#        with:
-#          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
-#
-#      - name: Build and push Docker image
-#        uses: docker/build-push-action@v2
-#        with:
-#          context: "{{defaultContext}}"
-#          push: true
-#          tags: ${{ steps.docker_meta.outputs.tags }}
-#          labels: ${{ steps.docker_meta.outputs.labels }}
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+
+      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: docker_meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: "{{defaultContext}}"
+          push: true
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}

.github/workflows/docker-publish-master.yml

@@ -14,9 +14,8 @@ on:
     branches: [ "master" ]
 
 env:
-  # Use docker.io for Docker Hub if empty
-  REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
+  GITHUB_REGISTRY: ghcr.io
+  DOCKER_REGISTRY: docker.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
@@ -48,11 +47,11 @@ jobs:
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
+      - name: Log into registry ${{ env.GITHUB_REGISTRY }}
         if: github.event_name != 'pull_request'
         uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ env.GITHUB_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
@@ -62,7 +61,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=raw,value=production
             type=ref,event=tag
@@ -80,34 +79,34 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-#      # Sign the resulting Docker image digest except on PRs.
-#      # This will only write to the public Rekor transparency log when the Docker
-#      # repository is public to avoid leaking data.  If you would like to publish
-#      # transparency data even for private images, pass --force to cosign below.
-#      # https://github.com/sigstore/cosign
-#      - name: Sign the published Docker image
-#        if: ${{ github.event_name != 'pull_request' }}
-#        env:
-#          COSIGN_EXPERIMENTAL: "true"
-#        # This step uses the identity token to provision an ephemeral certificate
-#        # against the sigstore community Fulcio instance.
-#        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
-#
-#      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
-#        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
-#        with:
-#          username: ${{ secrets.DOCKER_USERNAME }}
-#          password: ${{ secrets.DOCKER_PASSWORD }}
-#      - name: Extract metadata (tags, labels) for Docker
-#        id: docker_meta
-#        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
-#        with:
-#          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
-#
-#      - name: Build and push Docker image
-#        uses: docker/build-push-action@v2
-#        with:
-#          context: "{{defaultContext}}"
-#          push: true
-#          tags: ${{ steps.docker_meta.outputs.tags }}
-#          labels: ${{ steps.docker_meta.outputs.labels }}
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+
+      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: docker_meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: "{{defaultContext}}"
+          push: true
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}

src/blueprints/permissions.py

@@ -6,7 +6,7 @@ def construct_blueprint(keycloak_client):
     keycloak_client = keycloak_client
     permissions = Blueprint('permissions', __name__)
 
-    @permissions.route("/<client_id>/permissions", methods=["GET"])
+    @permissions.route("/<client_id>/permissions", methods=["OPTIONS", "GET"])
     def get_client_authz_permissions(client_id: str):
         try:
             response = keycloak_client.get_client_authz_permissions(client_id)
@@ -16,7 +16,7 @@ def get_client_authz_permissions(client_id: str):
         except:
             return custom_error("Unknown server error", 500)
 
-    @permissions.route("/<client_id>/permissions/management", methods=["GET"])
+    @permissions.route("/<client_id>/permissions/management", methods=["OPTIONS", "GET"])
     def get_client_management_permissions(client_id: str):
         try:
             response =  keycloak_client.get_client_management_permissions(client_id)
@@ -26,7 +26,7 @@ def get_client_management_permissions(client_id: str):
         except:
             return custom_error("Unknown server error", 500)
 
-    @permissions.route("/<client_id>/permissions/resources", methods=["GET"])
+    @permissions.route("/<client_id>/permissions/resources", methods=["OPTIONS", "GET"])
     def get_client_resource_permissions(client_id: str):
         try:
             response =  keycloak_client.get_client_resource_permissions(client_id)
@@ -36,16 +36,16 @@ def get_client_resource_permissions(client_id: str):
         except:
             return custom_error("Unknown server error", 500)
 
-    #@permissions.route("/client_authz_scope_permissions/<client_id>/<scope_id>", methods=["GET"])
+    #@permissions.route("/client_authz_scope_permissions/<client_id>/<scope_id>", methods=["OPTIONS", "GET"])
     #def get_client_authz_scope_permissions(client_id: str, scope_id: str):
     #    return keycloak_client.get_client_authz_scope_permissions(client_id, scope_id)
 
-    #@permissions.route("/client_authz_scope_permissions/<client_id>", methods=["POST"])
+    #@permissions.route("/client_authz_scope_permissions/<client_id>", methods=["OPTIONS", "POST"])
     #def create_client_authz_scope_based_permissions(client_id: str):
     #    payload = request.get_json()
     #    return keycloak_client.create_client_authz_scope_based_permission(client_id, payload)
 
-    @permissions.route("/<client_id>/permissions/resources", methods=["POST"])
+    @permissions.route("/<client_id>/permissions/resources", methods=["OPTIONS", "POST"])
     def create_client_authz_resource_based_permission(client_id: str):
         payload = request.get_json()
         try:
@@ -56,7 +56,7 @@ def create_client_authz_resource_based_permission(client_id: str):
         except:
             return custom_error("Unknown server error", 500)
 
-    @permissions.route("/<client_id>/permissions/management", methods=["PUT"])
+    @permissions.route("/<client_id>/permissions/management", methods=["OPTIONS", "PUT"])
     def update_client_management_permissions(client_id: str):
         payload = request.get_json()
         try:
@@ -67,7 +67,7 @@ def update_client_management_permissions(client_id: str):
         except:
             return custom_error("Unknown server error", 500)
 
-    @permissions.route("/<client_id>/permissions/resources/<permission_id>", methods=["PUT"])
+    @permissions.route("/<client_id>/permissions/resources/<permission_id>", methods=["OPTIONS", "PUT"])
     def update_client_authz_resource_permission(client_id: str, permission_id):
         payload = request.get_json()
         try:
@@ -78,7 +78,7 @@ def update_client_authz_resource_permission(client_id: str, permission_id):
         except:
             return custom_error("Unknown server error", 500)
 
-    #@permissions.route("/<client_id>/permissions/scopes/<scope_id>", methods=["PUT"])
+    #@permissions.route("/<client_id>/permissions/scopes/<scope_id>", methods=["OPTIONS", "PUT"])
     #def update_client_authz_scope_permissions(client_id: str, scope_id):
     #    payload = request.get_json()
     #    return keycloak_client.update_client_authz_scope_permission(client_id,  payload, scope_id)

src/blueprints/policies.py

@@ -7,7 +7,7 @@ def construct_blueprint(keycloak_client):
     policies = Blueprint('policies', __name__)
 
     # -------- Always returns empty -------
-    #@policies.route("/policies", methods=["GET"])
+    #@policies.route("/policies", methods=["OPTIONS", "GET"])
     #def get_policies():
     #    resource = request.args.get('resource', "")
     #    name = request.args.get('name', "")
@@ -17,7 +17,7 @@ def construct_blueprint(keycloak_client):
     #    return keycloak_client.get_policies(resource, name, scope, first, maximum)
     # --------------- GET -----------------
 
-    @policies.route("/<client_id>/policies", methods=["GET"])
+    @policies.route("/<client_id>/policies", methods=["OPTIONS", "GET"])
     def get_client_authz_policies(client_id: str):
         try:
             response = keycloak_client.get_client_authz_policies(client_id)
@@ -29,7 +29,7 @@ def get_client_authz_policies(client_id: str):
 
     # --------------- POST -----------------
 
-    @policies.route("/<client_id>/policies/client", methods=["POST"])
+    @policies.route("/<client_id>/policies/client", methods=["OPTIONS", "POST"])
     def create_client_policy(client_id: str):
         policy = request.get_json()
         try:
@@ -149,7 +149,7 @@ def create_user_policy(client_id: str):
 
     # --------------- UPDATE -----------------
 
-    @policies.route("/<client_id>/policies/<policy_id>", methods=["PUT"])
+    @policies.route("/<client_id>/policies/<policy_id>", methods=["OPTIONS", "PUT"])
     def update_policy(client_id: str, policy_id: str):
         policy = request.get_json()
         try:
@@ -162,7 +162,7 @@ def update_policy(client_id: str, policy_id: str):
 
     # --------------- DELETE -----------------
 
-    @policies.route("/<client_id>/policies/<policy_id>", methods=["DELETE"])
+    @policies.route("/<client_id>/policies/<policy_id>", methods=["OPTIONS", "DELETE"])
     def delete_policy(client_id: str ,policy_id: str):
         try:
             response =  keycloak_client.delete_policy(policy_id, client_id)
@@ -175,4 +175,4 @@ def delete_policy(client_id: str ,policy_id: str):
     def custom_error(message, status_code): 
         return message, status_code
 
-    return policies
+    return policies