Flag default-to-user-email
All checks were successful
/ Test (push) Successful in 56s
/ Test (pull_request) Successful in 48s

When set for an export config, if the user doesn't have that attribute, their email will be substituted as a default. If any of the values is not a valid email address, they are filtered out.

Closes #29
This commit is contained in:
Stefan Bethke 2026-07-18 19:59:22 +02:00
commit 149d98f90e
5 changed files with 79 additions and 37 deletions

View file

@ -14,6 +14,7 @@ Each endpoint configuration requires:
- the name of an attribute or an attribute group that should be exported
- the name of a role that users must have to be included in the list
- an optional regular expression that must match to have a value included
- whether to default to the user email if the attribute is empty
> **Note** The attribute (group) and the roles need to exist before you can create the endpoint configuration.

View file

@ -148,6 +148,13 @@ public class AdminUiPage implements UiPageProvider, UiPageProviderFactory<Compon
.type(ProviderConfigProperty.STRING_TYPE)
.add()
.property()
.name("default-to-user-email")
.label("Default to User Email")
.helpText("When the attribute value is empty, use the users email address instead. If the value is not a valid email address, it will not be included in the export.")
.type(ProviderConfigProperty.BOOLEAN_TYPE)
.add()
.build();
}

View file

@ -52,8 +52,9 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
List<String> attribute_list = ctx.users
.map(user -> {
Stream<String> attributeStream = ctx.attributeNames.stream()
.map(attributeName -> user.getAttributeStream(attributeName).toList())
Stream<String> attributeStream = ctx.attributeNames.stream();
attributeStream = attributeStream.map(attributeName -> ctx.MapUserAttribute(user, attributeName).toList())
.flatMap(Collection::stream);
return attributeStream
@ -87,7 +88,7 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
.collect(Collectors.toMap(
attributeName -> attributeName,
attributeName -> userList.stream()
.flatMap(user -> user.getAttributeStream(attributeName))
.flatMap(user -> ctx.MapUserAttribute(user, attributeName))
.filter(attribute -> !attribute.isEmpty())
.filter(ctx.filter::matches)
.toList()));
@ -101,9 +102,12 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
* values for a given slug, exposing the results as member variables.
*/
private class AttributeExportContext {
final Pattern validEmail = Pattern.compile("@");
List<String> attributeNames;
UserModel authUser;
String configAttributeGroup;
boolean defaultToUserEmail;
RegExFilter filter;
UPConfig upconfig;
Stream<UserModel> users;
@ -169,6 +173,25 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
UserProvider userProvider = session.users();
users = userProvider.searchForUserStream(realm, Map.of())
.filter(user -> user.hasRole(matchRole));
defaultToUserEmail = Boolean.parseBoolean(component.getConfig().getFirstOrDefault("default-to-user-email", "false"));
}
/**
* If defaultToUserEmail is set, default to user email if no attribute exists, and remove any value that is not
* a valid email address.
*
* @param user the user whose attributes are being exported
* @param attributeName the attribute to export
* @return a stream of attribute values
*/
Stream<String> MapUserAttribute(UserModel user, String attributeName) {
if (defaultToUserEmail) {
// need to load everything otherwise we can't check for non-existent attribute
Map<String, List<String>> attrs = user.getAttributes();
return attrs.getOrDefault(attributeName,
List.of(user.getEmail())).stream().filter(v -> !validEmail.matcher(v).matches());
}
return user.getAttributeStream(attributeName);
}
}

View file

@ -68,34 +68,36 @@ public class AttributeEndpointsResourceProviderTest {
List<ComponentModel> components = List.of(
attributeEndpointComponent("dooris-ssh-keys",
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys"),
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
false),
attributeEndpointComponent("mailing-list-addresses-chaos",
"export-mailing-list-addresses", "mailing-list-chaos-member", MAILING_LIST_CHAOS),
"export-mailing-list-addresses", "mailing-list-chaos-member", MAILING_LIST_CHAOS,
true),
attributeEndpointComponent("mailing-list-addresses-intern",
"export-mailing-list-addresses", "mailing-list-intern-member", MAILING_LIST_INTERN));
"export-mailing-list-addresses", "mailing-list-intern-member", MAILING_LIST_INTERN,
true));
when(realm.getComponentsStream()).thenAnswer(inv -> components.stream());
UserProfileProvider userProfileProvider = mock(UserProfileProvider.class);
when(session.getProvider(UserProfileProvider.class)).thenReturn(userProfileProvider);
when(userProfileProvider.getConfiguration()).thenReturn(testUserProfileConfig());
hacker = user("hacker", Map.of(
SSH_KEY_1, "hacker-ssh-key-1",
SSH_KEY_2, "hacker-ssh-key-2",
MAILING_LIST_CHAOS, "hacker+chaos@example.net",
MAILING_LIST_INTERN, "hacker+intern@example.net"),
hacker = user("hacker", "hacker@example.net", Map.of(
SSH_KEY_1, List.of("hacker-ssh-key-1"),
SSH_KEY_2, List.of("hacker-ssh-key-2"),
MAILING_LIST_INTERN, List.of("hacker+intern@example.net")),
List.of("dooris-authorized", "mailing-list-chaos-member", "mailing-list-intern-member"));
tester = user("tester", Map.of(
SSH_KEY_1, "tester-ssh-key-1",
SSH_KEY_2, "tester-ssh-key-2",
MAILING_LIST_CHAOS, "tester+chaos@example.com",
MAILING_LIST_INTERN, "tester+intern@example.com"),
tester = user("tester", "tester@example.com", Map.of(
SSH_KEY_1, List.of("tester-ssh-key-1"),
SSH_KEY_2, List.of("tester-ssh-key-2"),
MAILING_LIST_CHAOS, List.of("tester+chaos@example.com"),
MAILING_LIST_INTERN, List.of("tester+intern@example.com")),
List.of("mailing-list-chaos-member"));
noone = user("noone", Map.of(
SSH_KEY_1, "noone-ssh-key-1",
SSH_KEY_2, "noone-ssh-key-2",
MAILING_LIST_CHAOS, "noone+chaos@example.org",
MAILING_LIST_INTERN, "noone+intern@example.org"),
noone = user("noone", "noone@example.org", Map.of(
SSH_KEY_1, List.of("noone-ssh-key-1"),
SSH_KEY_2, List.of("noone-ssh-key-2"),
MAILING_LIST_CHAOS, List.of("noone+chaos@example.org"),
MAILING_LIST_INTERN, List.of("noone+intern@example.org", "-")),
Collections.emptyList());
UserProvider userProvider = mock(UserProvider.class);
@ -134,7 +136,7 @@ public class AttributeEndpointsResourceProviderTest {
.exportAttributeValues("mailing-list-addresses-chaos"))) {
assertEquals(200, response.getStatus());
assertEquals(List.of("hacker+chaos@example.net", "tester+chaos@example.com"), response.getEntity());
assertEquals(List.of("hacker@example.net", "tester+chaos@example.com"), response.getEntity());
}
}
@ -157,7 +159,7 @@ public class AttributeEndpointsResourceProviderTest {
assertEquals(200, response.getStatus());
assertEquals(Map.of(MAILING_LIST_CHAOS,
List.of("hacker+chaos@example.net", "tester+chaos@example.com")),
List.of("hacker@example.net", "tester+chaos@example.com")),
response.getEntity());
}
}
@ -176,9 +178,11 @@ public class AttributeEndpointsResourceProviderTest {
public void exportAttributeValues_duplicateSlugConfiguration_throwsNotFound() {
List<ComponentModel> duplicateComponents = List.of(
attributeEndpointComponent("duplicate-slug",
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys"),
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
false),
attributeEndpointComponent("duplicate-slug",
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys"));
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
false));
when(realm.getComponentsStream()).thenAnswer(inv -> duplicateComponents.stream());
NotFoundException exception = assertThrows(NotFoundException.class,
@ -193,7 +197,8 @@ public class AttributeEndpointsResourceProviderTest {
public void exportAttributeValues_missingAuthRole_throwsServerError() {
List<ComponentModel> components = List.of(
attributeEndpointComponent("bad-auth-role",
"nonexistent-role", "dooris-authorized", "dooris-ssh-keys"));
"nonexistent-role", "dooris-authorized", "dooris-ssh-keys",
false));
when(realm.getComponentsStream()).thenAnswer(inv -> components.stream());
ServerErrorException exception = assertThrows(ServerErrorException.class,
@ -208,7 +213,8 @@ public class AttributeEndpointsResourceProviderTest {
public void exportAttributeValues_missingMatchRole_throwsServerError() {
List<ComponentModel> components = List.of(
attributeEndpointComponent("bad-match-role",
"export-dooris-ssh-keys", "nonexistent-role", "dooris-ssh-keys"));
"export-dooris-ssh-keys", "nonexistent-role", "dooris-ssh-keys",
false));
when(realm.getComponentsStream()).thenAnswer(inv -> components.stream());
ServerErrorException exception = assertThrows(ServerErrorException.class,
@ -222,7 +228,8 @@ public class AttributeEndpointsResourceProviderTest {
@Test
public void exportAttributeValues_invalidAttributeRegex_throwsServerError() {
ComponentModel component = attributeEndpointComponent("bad-regex",
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys");
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
false);
component.put("attribute-regex", "[");
when(realm.getComponentsStream()).thenAnswer(inv -> Stream.of(component));
@ -261,13 +268,14 @@ public class AttributeEndpointsResourceProviderTest {
}
private static ComponentModel attributeEndpointComponent(String slug, String authRole, String matchRole,
String attributeGroup) {
String attributeGroup, boolean defaultToUserEmail) {
ComponentModel component = new ComponentModel();
component.setProviderId(AdminUiPage.PROVIDER_ID);
component.put("slug", slug);
component.put("auth-role", authRole);
component.put("match-role", matchRole);
component.put("attribute-group", attributeGroup);
component.put("default-to-user-email", Boolean.toString(defaultToUserEmail));
return component;
}
@ -291,13 +299,15 @@ public class AttributeEndpointsResourceProviderTest {
return attribute;
}
private UserModel user(String username, Map<String, String> attributes, List<String> roleNames) {
private UserModel user(String username, String email, Map<String, List<String>> attributes, List<String> roleNames) {
UserModel user = mock(UserModel.class);
when(user.getUsername()).thenReturn(username);
when(user.getEmail()).thenReturn(email.isBlank() ? null : email);
when(user.getAttributes()).thenReturn(attributes);
when(user.getAttributeStream(anyString())).thenAnswer(inv -> Stream.empty());
attributes.forEach((name, value) ->
when(user.getAttributeStream(eq(name))).thenAnswer(inv -> Stream.of(value)));
when(user.getAttributeStream(eq(name))).thenAnswer(inv -> value.stream()));
when(user.hasRole(any(RoleModel.class))).thenReturn(false);
roleNames.forEach(name -> when(user.hasRole(roles.get(name))).thenReturn(true));

View file

@ -447,8 +447,7 @@
"attributes" : {
"ssh-key-1" : [ "hacker-ssh-key-1" ],
"mailing-list-address-intern" : [ "hacker+intern@example.net" ],
"ssh-key-2" : [ "hacker-ssh-key-2" ],
"mailing-list-address-chaos" : [ "hacker+chaos@example.net" ]
"ssh-key-2" : [ "hacker-ssh-key-2" ]
},
"enabled" : true,
"createdTimestamp" : 1784376038850,
@ -1478,7 +1477,7 @@
"subType" : "authenticated",
"subComponents" : { },
"config" : {
"allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper" ]
"allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper" ]
}
}, {
"id" : "a49de9bf-462b-4c61-bb52-0373732f4b1b",
@ -1538,7 +1537,7 @@
"subType" : "anonymous",
"subComponents" : { },
"config" : {
"allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper" ]
"allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-user-property-mapper" ]
}
}, {
"id" : "dd4024e9-f080-4319-aeb7-7f9906c345c5",
@ -1605,8 +1604,9 @@
"subComponents" : { },
"config" : {
"match-role" : [ "mailing-list-intern-member" ],
"attribute-group" : [ "mailing-list-address-intern" ],
"default-to-user-email" : [ "true" ],
"auth-role" : [ "export-mailing-list-addresses" ],
"attribute-group" : [ "mailing-list-address-intern" ],
"slug" : [ "mailing-list-addresses-intern" ]
}
}, {
@ -1625,8 +1625,9 @@
"subComponents" : { },
"config" : {
"match-role" : [ "mailing-list-chaos-member" ],
"auth-role" : [ "export-mailing-list-addresses" ],
"default-to-user-email" : [ "true" ],
"attribute-group" : [ "mailing-list-address-chaos" ],
"auth-role" : [ "export-mailing-list-addresses" ],
"slug" : [ "mailing-list-addresses-chaos" ]
}
} ]