Metadata-Version: 2.4
Name: pas.plugins.kimug
Version: 1.5.0
Summary: A PAS plugin to set roles to imio keycloak users
Home-page: https://github.com/imio/pas.plugins.kimug
Author: iMio
Author-email: devops@imio.be
License: GPL version 2
Project-URL: PyPI, https://pypi.org/project/pas.plugins.kimug
Project-URL: Source, https://github.com/imio/pas.plugins.kimug
Project-URL: Tracker, https://github.com/imio/pas.plugins.kimug/issues
Keywords: Python Plone CMS
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Web Environment
Classifier: Framework :: Plone
Classifier: Framework :: Plone :: Addon
Classifier: Framework :: Plone :: 6.0
Classifier: Framework :: Plone :: 6.1
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Operating System :: OS Independent
Classifier: License :: OSI Approved :: GNU General Public License v2 (GPLv2)
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE.GPL
License-File: LICENSE.md
Requires-Dist: setuptools
Requires-Dist: Products.CMFPlone
Requires-Dist: plone.api
Requires-Dist: pas.plugins.oidc>=2.0.0b4
Requires-Dist: python-keycloak
Requires-Dist: PyJWT[crypto]>=2.6
Provides-Extra: test
Requires-Dist: ipdb; extra == "test"
Requires-Dist: zest.releaser[recommended]; extra == "test"
Requires-Dist: zestreleaser.towncrier; extra == "test"
Requires-Dist: plone.app.testing; extra == "test"
Requires-Dist: plone.classicui; extra == "test"
Requires-Dist: plone.restapi[test]; extra == "test"
Requires-Dist: pytest; extra == "test"
Requires-Dist: pytest-cov; extra == "test"
Requires-Dist: pytest-plone>=0.5.0; extra == "test"
Requires-Dist: pytest-docker; extra == "test"
Dynamic: author
Dynamic: author-email
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: home-page
Dynamic: keywords
Dynamic: license
Dynamic: license-file
Dynamic: project-url
Dynamic: provides-extra
Dynamic: requires-dist
Dynamic: requires-python
Dynamic: summary


# pas.plugins.kimug

A PAS plugin that assigns roles to iMio Keycloak users.

Kimug is an acronym for "Keycloak IMio User & Group".

## Installation

### Install pas.plugins.kimug:

```shell
make build
```

### Create the Plone site:

```shell
make create-site
```

## Test / dev environment

### Init dev environment

You first have to create a local development certificate with `tests/mkcert.sh`.


### Start dev environment

```shell
make docker-start
```

This command starts a Keycloak instance available at https://keycloak.127.0.0.1.nip.io.


### Test dev accounts

| Realm    | login | e-mail        | password |
| ---------| ----- | --------------| -------- |
| master   | admin |               | admin    |
| imio     | kimug | kimug_at_imio.be | kimug    |
| plone    | plone | plone_at_imio.be | plone    |
| sso-apps | imio-apps-plone_belleville-ac | imio-apps_at_kimug.be | Kimug123456*** |

### Export keycloak realms

```shell
cd tests
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-imio.json --realm imio
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-plone.json --realm plone
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-sso-apps.json --realm sso-apps
```

### Run tests

```shell
.venv/bin/tox -e test -s
```

or only one test class:

```shell
.venv/bin/pytest tests -s -k TestMigration
```

## Contribute

- [Issue Tracker](https://github.com/imio/pas.plugins.kimug/issues)
- [Source Code](https://github.com/imio/pas.plugins.kimug/)

## License

The project is licensed under GPLv2.


# Contributors

- iMio [devops@imio.be]


## 1.5.0 (2026-05-29)


### New features:

- Add SSO apps authentication via a second PAS plugin (`oidc_sso_apps`) backed by a dedicated `sso-apps` Keycloak realm.
  Bearer tokens are routed to the correct plugin by inspecting the `iss` claim; Plone users are created automatically on first access.
  A sync view (`/keycloak_sso_apps_users`) lets administrators bulk-import SSO app users. Configure via `SSO_APPS_CLIENT_ID`, `SSO_APPS_CLIENT_SECRET`, `SSO_APPS_URL`, `SSO_APPS_ACCESS_GROUP`.
  [remdub] sso-apps-authentication


### Bug fixes:

- **Security:** Kimug bearer-token authentication now verifies JWT signatures
  against the Keycloak realm's JWKS with RS256, and checks `iss`, `aud`,
  `exp`, `iat`. Previously `jwt.decode(..., options={"verify_signature": False})`
  accepted any JWT — including attacker-forged tokens — allowing account
  takeover by sending `Authorization: Bearer <unsigned.jwt>`. `_decode_token`
  now returns `None` on any verification failure instead of raising, so the
  PAS authentication chain degrades cleanly.
  Configure `keycloak_url`, `keycloak_realm`, `keycloak_issuer` and
  `keycloak_audience` via environment variables (audience defaults to
  `account`).
  [bsuttor] kimug-jwt-verify
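The vulnerable decode and the hardened `_decode_token` described in this entry, together with the `iss`-based routing from the 1.5.0 feature above, as an added example that is not code from pas.plugins.kimug. It uses PyJWT and `cryptography` (both project dependencies); the issuer URLs under `https://keycloak.example.test/realms/`, the in-memory realm keys standing in for each realm's JWKS, and the helper names are constructed for the example.

```python
# Added example, not pas.plugins.kimug code: the pre-1.5.0 decode beside a
# hardened _decode_token of the shape the 1.5.0 changelog describes, with the
# `iss`-based realm routing. Issuer URLs and keys are constructed stand-ins; a
# real deployment loads each realm's key from its JWKS endpoint.
import time
import jwt
from cryptography.hazmat.primitives.asymmetric import rsa

AUDIENCE = "account"  # the changelog's default audience
IMIO = "https://keycloak.example.test/realms/imio"          # constructed
SSO_APPS = "https://keycloak.example.test/realms/sso-apps"  # constructed

def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

# One signing key per realm, standing in for each realm's published JWKS.
REALM_KEYS = {IMIO: _new_key(), SSO_APPS: _new_key()}

def issue_token(private_key, issuer, **claims):
    """Mint an RS256 token; used for legitimate and forged tokens alike."""
    now = int(time.time())
    payload = {"iss": issuer, "aud": AUDIENCE, "iat": now, "exp": now + 300}
    payload.update(claims)
    return jwt.encode(payload, private_key, algorithm="RS256")

def decode_token_insecure(token):
    """Pre-1.5.0 pattern: the signature is never checked, so any JWT is trusted."""
    return jwt.decode(token, options={"verify_signature": False})

def decode_token(token):
    """Hardened: pick the realm from `iss`, then verify RS256 plus iss/aud/exp/iat
    with that realm's key. Returns None on any failure so the PAS chain moves on."""
    try:
        # Reading `iss` unverified is safe only because it merely selects a key;
        # the claim is then re-checked under that key's signature.
        issuer = jwt.decode(token, options={"verify_signature": False}).get("iss")
        key = REALM_KEYS[issuer].public_key()  # KeyError for unknown realms
        return jwt.decode(
            token, key, algorithms=["RS256"], issuer=issuer, audience=AUDIENCE,
            options={"require": ["iss", "aud", "exp", "iat"]},
        )
    except (jwt.PyJWTError, KeyError):
        return None

legit = issue_token(REALM_KEYS[IMIO], IMIO, sub="kimug")
# Constructed forgeries: one signed with a key no realm published, and an
# unsigned alg=none token like the `Bearer <unsigned.jwt>` case above.
forged = issue_token(_new_key(), IMIO, sub="admin")
unsigned = jwt.encode({"iss": IMIO, "aud": AUDIENCE, "sub": "admin"}, None, algorithm="none")
```

The insecure decoder accepts both forgeries as `admin`; the hardened one returns `None` for them, for tokens of an unknown realm, and for a token signed by the wrong realm's key even when its `iss` claims the right one.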

## 1.4.4 (unreleased)


- Nothing changed yet.


## 1.4.3 (2026-03-24)


- DEVOPS-339 : Fix ConflictError when multiple Zope instances start simultaneously and commit OIDC settings
  [remdub]


## 1.4.2 (2025-12-10)

- Set administrator role for users in group iA.Smartweb-admin with an imio address.
  [bsuttor]


## 1.4.1 (2025-11-25)

- WEB-4331 : Set Allowed Groups with environment variable
  [remdub]


## 1.4.0 (2025-11-04)

- Upgrade dev environment to Plone 6.1.3
  [remdub]

- Override views related to user management.
  We no longer create or modify users in Plone;
  this is now handled by Keycloak.
  [remdub]

- Remove deprecated methods related to redirect URIs.
  Those methods have not been used since 1.3.0.
  [remdub]


## 1.3.1 (2025-09-30)

- Do not give the administrator role to users in group iA.Smartweb.
  [bsuttor]


## 1.3.0 (2025-09-25)

- Skip OIDC settings configuration when Plone site or OIDC plugin is unavailable
  [remdub]

- Set the "came_from" session variable from HTTP_REFERER instead of the `came_from` value in the request.
  [bsuttor]

- In controlpanel status, check if the redirect_uris set in Keycloak match the ones set in the OIDC plugin.
  [remdub]

- Set OIDC settings from environment variables on instance boot
  [remdub, bsuttor]


## 1.2.0 (2025-09-16)

- Add controlpanel
  [remdub]

- Add a view to set OIDC settings
  [remdub]

- Add a view to import Keycloak users to Plone.
  [bsuttor]


## 1.1.5 (2025-09-09)


- Add upgrade-step to clean authentic users
  [remdub]


## 1.1.4 (2025-08-28)


- Migration can now be rerun as many times as needed.
  [bsuttor]


## 1.1.3 (2025-08-28)


- Check if realm exists and environment variables are set before migration
  [remdub]


## 1.1.2 (2025-08-27)


- Add forgotten local roles on migration to Keycloak.
  [bsuttor & remdub]

## 1.1.1 (2025-08-26)


- Migrate users from Authentic to the Keycloak OIDC plugin.
  [bsuttor]


## 1.1.0 (2025-07-10)


- Migrate Authentic to Keycloak.


## 1.0.0 (2025-03-31)


