This is an automated email from the ASF dual-hosted git repository.
vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new efa1084a4e0 Add `LIST` permission to admin role in Keycloak auth
manager (#57978)
efa1084a4e0 is described below
commit efa1084a4e0197c6a767b520df2d54136c955566
Author: Vincent <[email protected]>
AuthorDate: Thu Nov 6 11:33:23 2025 -0500
Add `LIST` permission to admin role in Keycloak auth manager (#57978)
---
.../airflow/providers/keycloak/auth_manager/cli/commands.py | 3 ++-
.../providers/keycloak/auth_manager/keycloak_auth_manager.py | 1 +
.../tests/unit/keycloak/auth_manager/cli/test_commands.py | 10 ++++++++--
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
index d19693b81cc..9ab2c9d8792 100644
---
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
+++
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
@@ -179,7 +179,8 @@ def _create_read_only_permission(client: KeycloakAdmin,
client_uuid: str):
def _create_admin_permission(client: KeycloakAdmin, client_uuid: str):
all_scopes = client.get_client_authz_scopes(client_uuid)
- scopes = [scope["id"] for scope in all_scopes if scope["name"] in
get_args(ExtendedResourceMethod)]
+ scope_names = get_args(ExtendedResourceMethod) + ("LIST",)
+ scopes = [scope["id"] for scope in all_scopes if scope["name"] in
scope_names]
payload = {
"name": "Admin",
"type": "scope",
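Review bot: The comprehension in `_create_admin_permission` silently skips any name in `scope_names` that `get_client_authz_scopes` does not return, so if the `LIST` scope is absent the Admin permission is still created, just without it, and nothing reports the gap. A client whose scopes were created by an older version of the CLI might be such a case, though that is not visible here. The result fails closed, but the policy in Keycloak then differs from what the code intends and is hard to diagnose. Consider computing `missing = set(scope_names) - {s["name"] for s in all_scopes}` after the lookup and warning or raising when it is non-empty, plus a short comment on why `LIST` is appended by hand rather than being part of `ExtendedResourceMethod`. The function body continues past the end of this hunk.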
diff --git
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
index 5d42c8bb160..e5a5eb35a72 100644
---
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
+++
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
@@ -112,6 +112,7 @@ class
KeycloakAuthManager(BaseAuthManager[KeycloakAuthManagerUser]):
def refresh_user(self, *, user: KeycloakAuthManagerUser) ->
KeycloakAuthManagerUser | None:
if self._token_expired(user.access_token):
+ log.debug("Refreshing the token")
client = self.get_keycloak_client()
tokens = client.refresh_token(user.refresh_token)
user.refresh_token = tokens["refresh_token"]
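Review bot: The new `log.debug("Refreshing the token")` in `refresh_user` names no subject, so refresh events from concurrent sessions cannot be told apart when investigating an authentication problem. A non-secret identifier would help, for example `log.debug("Refreshing the token for user %s", user.get_id())`, assuming the user model exposes `get_id()`. The access and refresh tokens themselves should stay out of the message. This line is also unrelated to the `LIST` permission change named in the commit title, and the method body continues outside the hunk.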
diff --git
a/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
b/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
index 4ead9a3ef68..f8767164f53 100644
--- a/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
+++ b/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
@@ -277,7 +277,13 @@ class TestCommands:
def test_create_permissions_admin(self):
client = Mock()
- scopes = [{"id": "1", "name": "GET"}, {"id": "2", "name": "MENU"},
{"id": "3", "name": "PUT"}]
+ scopes = [
+ {"id": "1", "name": "GET"},
+ {"id": "2", "name": "MENU"},
+ {"id": "3", "name": "PUT"},
+ {"id": "4", "name": "LIST"},
+ {"id": "5", "name": "DUMMY"},
+ ]
client.get_client_authz_scopes.return_value = scopes
@@ -291,7 +297,7 @@ class TestCommands:
"type": "scope",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
- "scopes": ["1", "2", "3"],
+ "scopes": ["1", "2", "3", "4"],
},
)