From 620df7add4cd49351a922549db8b993a0926bda4 Mon Sep 17 00:00:00 2001
From: greg
Date: Mon, 5 May 2025 15:11:44 +0200
Subject: [PATCH] push script import/export clients

---
 README.md               | 18 +++++++--
 clients-export.json     |  5 +++
 compose.yml             | 50 +++++++++++++++++++++++++
 keycloak-adm-clients.sh | 81 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 151 insertions(+), 3 deletions(-)
 create mode 100644 clients-export.json
 create mode 100644 compose.yml
 create mode 100755 keycloak-adm-clients.sh

diff --git a/README.md b/README.md
index c9de5a6..bed0da0 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,14 @@ nano .env
 docker-compose up -d
 ```
 
+### EXPORTER LES CLIENTS DU REALM
+
+- Utiliser le script pour exporter les clients:
+```bash
+./keycloak-export-clients.sh
+export
+```
+
 ### IMPORTER DATABASE
 
 - Copier la database de keycloak-openldap:
@@ -31,9 +39,13 @@ cp /chemin/vers/l'ancienne/ldap_db/*.mdb ./keycloak/ldap_db
 
 > c'est là que sont les users
 
-### IMPORTER REALM (CLIENTS)
+### IMPORTER LES CLIENTS DU REALM
 
-> Cliquer sur le realm master, puis créer un realm et importer celui-ci d'un fichier d'export .json
+- Utiliser le script pour exporter les clients:
+```bash
+./keycloak-export-clients.sh
+import
+```
 
 ### IMPORTER USERS
 
@@ -41,5 +53,5 @@ cp /chemin/vers/l'ancienne/ldap_db/*.mdb ./keycloak/ldap_db
 
 ## BUGS
 
-- Clients secrets don't get exported (***********) -> maj (àregenérer)
+- Clients secrets don't get exported (***********) -> maj (script export à tester)
 - Users need get verified -> A faire manuellement sur chq user
diff --git a/clients-export.json b/clients-export.json
new file mode 100644
index 0000000..ce06e63
--- /dev/null
+++ b/clients-export.json
@@ -0,0 +1,5 @@
+[
+,
+,
+
+]
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..68b8e8f
--- /dev/null
+++ b/compose.yml
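Review bot: `clients-export.json` is the output file of `export_clients` in keycloak-adm-clients.sh, which writes each client's secret into it (`.secret = $secret`), so committing it after a successful run would put client secrets into the repository; keep it out of version control (add `clients-export.json` to `.gitignore`) rather than tracking it. As committed, the content `[ , , ]` is not valid JSON, which is consistent with `kcadm get` having produced no output so that the loop appended a bare `,` per client and `sed` stripped only the last one — the export has no check that `login` succeeded or that `$CLIENT_JSON` is non-empty before writing. The README's BUGS entry already says the export script is still to be tested, so this file appears to be an accidental artifact rather than intended content.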
@@ -0,0 +1,50 @@
+version: '3'
+
+services:
+  keycloak:
+    image: quay.io/keycloak/keycloak:23.0.3
+    container_name: keycloak
+    restart: always
+    command: start --proxy=edge
+#    command: start-dev # pour debug
+    ports:
+      - 8080:8080
+    depends_on:
+      - keycloak_db
+    env_file:
+      - .env
+    volumes:
+      - ./keycloak/datas:/opt/keycloak/data/h2
+    # volumes:
+    #   - ./keycloak/certs:/opt/jboss/keycloak/standalone/configuration/certs:ro
+    #   - ./keycloak/conf/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml:ro
+
+  keycloak_db:
+    image: postgres:13
+    container_name: keycloak-db
+    restart: always
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    ports:
+      - 5435:5432
+    env_file:
+      - .env
+
+  openldap:
+    image: osixia/openldap
+    container_name: keycloak-openldap
+    restart: always
+    volumes:
+      - ./keycloak/ldap_ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
+      - ./keycloak/ldap_db:/var/lib/ldap
+      - ./keycloak/ldap_conf:/etc/ldap/slapd.d
+    command: ["--copy-service"]
+    env_file:
+      - .env
+    tty: true
+    stdin_open: true
+    domainname: legaragenumerique.fr
+    hostname: "ldap"
+    ports:
+      - "389:389"
+      - "636:636"
\ No newline at end of file
diff --git a/keycloak-adm-clients.sh b/keycloak-adm-clients.sh
new file mode 100755
index 0000000..7487edc
--- /dev/null
+++ b/keycloak-adm-clients.sh
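Review bot: The `ports:` entries publish Keycloak (`- 8080:8080`), Postgres (`- 5435:5432`) and LDAP/LDAPS (`"389:389"`, `"636:636"`) on every host interface. Keycloak is started with `command: start --proxy=edge`, which makes it trust forwarded headers from a reverse proxy, so port 8080 should only be reachable by that proxy; bind it to loopback, e.g. `- 127.0.0.1:8080:8080`, and do the same for 5435 and 389/636 unless remote access to the database and directory is intended. The `keycloak` service reaches `keycloak_db` over the compose network, so the Postgres host mapping is likely not needed at all. `image: osixia/openldap` has no tag, so each pull may fetch a different image; pin it to a version like the other two services.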
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Configuration
+KEYCLOAK_CONTAINER="keycloak"
+KEYCLOAK_URL="http://localhost:8080"
+REALM="mon-realm"
+ADMIN_USER="admin"
+ADMIN_PASS="admin"
+CLIENT_IDS=("mon-client-1" "mon-client-2" "mon-client-3")
+# CLIENT_IDS=("adventure" "ai" "djangoquiz" "gitea" "glpi" "grafana" "leboard.legaragenumerique.fr" "netxcloud.legaragenumerique.fr" "odoo" "pdf" "penpot" "sshwifty" "synapse")
+EXPORT_FILE="clients-export.json"
+
+# Fonction pour exécuter kcadm dans le conteneur
+kcadm() {
+    docker exec -i "$KEYCLOAK_CONTAINER" /opt/keycloak/bin/kcadm.sh "$@"
+}
+
+# Authentification
+login() {
+    kcadm config credentials --server "$KEYCLOAK_URL" --realm master --user "$ADMIN_USER" --password "$ADMIN_PASS"
+}
+
+# Export des clients
+export_clients() {
+    echo "[" > "$EXPORT_FILE"
+    for CLIENT_ID in "${CLIENT_IDS[@]}"; do
+        echo "🔄 Export du client : $CLIENT_ID"
+        CLIENT_JSON=$(kcadm get clients -r "$REALM" -q clientId="$CLIENT_ID" | jq '.[0]')
+        CLIENT_UUID=$(echo "$CLIENT_JSON" | jq -r '.id')
+        CLIENT_SECRET=$(kcadm get clients/"$CLIENT_UUID"/client-secret -r "$REALM" | jq -r '.value')
+        CLIENT_JSON=$(echo "$CLIENT_JSON" | jq --arg secret "$CLIENT_SECRET" '.secret = $secret')
+        echo "$CLIENT_JSON," >> "$EXPORT_FILE"
+    done
+    sed -i '$ s/,$//' "$EXPORT_FILE"
+    echo "]" >> "$EXPORT_FILE"
+    echo "✅ Export terminé → $EXPORT_FILE"
+}
+
+# Import des clients
+import_clients() {
+    jq -c '.[]' "$EXPORT_FILE" | while read -r CLIENT_JSON; do
+        CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
+        echo "⬇️ Import du client : $CLIENT_ID"
+
+        # Nettoyage des champs non valides
+        CLEAN_JSON=$(echo "$CLIENT_JSON" | jq 'del(.id, .secret, .rootUrl, .baseUrl, .adminUrl, .attributes."client.secret.created.timestamp")')
+
+        # Création du client
+        kcadm create clients -r "$REALM" -f - <