Flag default-to-user-email
When set for an export config, if the user doesn't have that attribute, their email will be substituted as a default. If any of the values is not a valid email address, they are filtered out. Closes #29
This commit is contained in:
parent
1c2adb1a92
commit
149d98f90e
5 changed files with 79 additions and 37 deletions
|
|
@ -14,6 +14,7 @@ Each endpoint configuration requires:
|
|||
- the name of an attribute or an attribute group that should be exported
|
||||
- the name of a role that users must have to be included in the list
|
||||
- an optional regular expression that must match to have a value included
|
||||
- whether to default to the user email if the attribute is empty
|
||||
|
||||
> **Note** The attribute (group) and the roles need to exist before you can create the endpoint configuration.
|
||||
|
||||
|
|
|
|||
|
|
@ -148,6 +148,13 @@ public class AdminUiPage implements UiPageProvider, UiPageProviderFactory<Compon
|
|||
.type(ProviderConfigProperty.STRING_TYPE)
|
||||
.add()
|
||||
|
||||
.property()
|
||||
.name("default-to-user-email")
|
||||
.label("Default to User Email")
|
||||
.helpText("When the attribute value is empty, use the users email address instead. If the value is not a valid email address, it will not be included in the export.")
|
||||
.type(ProviderConfigProperty.BOOLEAN_TYPE)
|
||||
.add()
|
||||
|
||||
.build();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -52,8 +52,9 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
|
||||
List<String> attribute_list = ctx.users
|
||||
.map(user -> {
|
||||
Stream<String> attributeStream = ctx.attributeNames.stream()
|
||||
.map(attributeName -> user.getAttributeStream(attributeName).toList())
|
||||
Stream<String> attributeStream = ctx.attributeNames.stream();
|
||||
|
||||
attributeStream = attributeStream.map(attributeName -> ctx.MapUserAttribute(user, attributeName).toList())
|
||||
.flatMap(Collection::stream);
|
||||
|
||||
return attributeStream
|
||||
|
|
@ -87,7 +88,7 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
.collect(Collectors.toMap(
|
||||
attributeName -> attributeName,
|
||||
attributeName -> userList.stream()
|
||||
.flatMap(user -> user.getAttributeStream(attributeName))
|
||||
.flatMap(user -> ctx.MapUserAttribute(user, attributeName))
|
||||
.filter(attribute -> !attribute.isEmpty())
|
||||
.filter(ctx.filter::matches)
|
||||
.toList()));
|
||||
|
|
@ -101,9 +102,12 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
* values for a given slug, exposing the results as member variables.
|
||||
*/
|
||||
private class AttributeExportContext {
|
||||
final Pattern validEmail = Pattern.compile("@");
|
||||
|
||||
List<String> attributeNames;
|
||||
UserModel authUser;
|
||||
String configAttributeGroup;
|
||||
boolean defaultToUserEmail;
|
||||
RegExFilter filter;
|
||||
UPConfig upconfig;
|
||||
Stream<UserModel> users;
|
||||
|
|
@ -169,6 +173,25 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
UserProvider userProvider = session.users();
|
||||
users = userProvider.searchForUserStream(realm, Map.of())
|
||||
.filter(user -> user.hasRole(matchRole));
|
||||
defaultToUserEmail = Boolean.parseBoolean(component.getConfig().getFirstOrDefault("default-to-user-email", "false"));
|
||||
}
|
||||
|
||||
/**
|
||||
* If defaultToUserEmail is set, default to user email if no attribute exists, and remove any value that is not
|
||||
* a valid email address.
|
||||
*
|
||||
* @param user the user whose attributes are being exported
|
||||
* @param attributeName the attribute to export
|
||||
* @return a stream of attribute values
|
||||
*/
|
||||
Stream<String> MapUserAttribute(UserModel user, String attributeName) {
|
||||
if (defaultToUserEmail) {
|
||||
// need to load everything otherwise we can't check for non-existent attribute
|
||||
Map<String, List<String>> attrs = user.getAttributes();
|
||||
return attrs.getOrDefault(attributeName,
|
||||
List.of(user.getEmail())).stream().filter(v -> !validEmail.matcher(v).matches());
|
||||
}
|
||||
return user.getAttributeStream(attributeName);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -68,34 +68,36 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
|
||||
List<ComponentModel> components = List.of(
|
||||
attributeEndpointComponent("dooris-ssh-keys",
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys"),
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
|
||||
false),
|
||||
attributeEndpointComponent("mailing-list-addresses-chaos",
|
||||
"export-mailing-list-addresses", "mailing-list-chaos-member", MAILING_LIST_CHAOS),
|
||||
"export-mailing-list-addresses", "mailing-list-chaos-member", MAILING_LIST_CHAOS,
|
||||
true),
|
||||
attributeEndpointComponent("mailing-list-addresses-intern",
|
||||
"export-mailing-list-addresses", "mailing-list-intern-member", MAILING_LIST_INTERN));
|
||||
"export-mailing-list-addresses", "mailing-list-intern-member", MAILING_LIST_INTERN,
|
||||
true));
|
||||
when(realm.getComponentsStream()).thenAnswer(inv -> components.stream());
|
||||
|
||||
UserProfileProvider userProfileProvider = mock(UserProfileProvider.class);
|
||||
when(session.getProvider(UserProfileProvider.class)).thenReturn(userProfileProvider);
|
||||
when(userProfileProvider.getConfiguration()).thenReturn(testUserProfileConfig());
|
||||
|
||||
hacker = user("hacker", Map.of(
|
||||
SSH_KEY_1, "hacker-ssh-key-1",
|
||||
SSH_KEY_2, "hacker-ssh-key-2",
|
||||
MAILING_LIST_CHAOS, "hacker+chaos@example.net",
|
||||
MAILING_LIST_INTERN, "hacker+intern@example.net"),
|
||||
hacker = user("hacker", "hacker@example.net", Map.of(
|
||||
SSH_KEY_1, List.of("hacker-ssh-key-1"),
|
||||
SSH_KEY_2, List.of("hacker-ssh-key-2"),
|
||||
MAILING_LIST_INTERN, List.of("hacker+intern@example.net")),
|
||||
List.of("dooris-authorized", "mailing-list-chaos-member", "mailing-list-intern-member"));
|
||||
tester = user("tester", Map.of(
|
||||
SSH_KEY_1, "tester-ssh-key-1",
|
||||
SSH_KEY_2, "tester-ssh-key-2",
|
||||
MAILING_LIST_CHAOS, "tester+chaos@example.com",
|
||||
MAILING_LIST_INTERN, "tester+intern@example.com"),
|
||||
tester = user("tester", "tester@example.com", Map.of(
|
||||
SSH_KEY_1, List.of("tester-ssh-key-1"),
|
||||
SSH_KEY_2, List.of("tester-ssh-key-2"),
|
||||
MAILING_LIST_CHAOS, List.of("tester+chaos@example.com"),
|
||||
MAILING_LIST_INTERN, List.of("tester+intern@example.com")),
|
||||
List.of("mailing-list-chaos-member"));
|
||||
noone = user("noone", Map.of(
|
||||
SSH_KEY_1, "noone-ssh-key-1",
|
||||
SSH_KEY_2, "noone-ssh-key-2",
|
||||
MAILING_LIST_CHAOS, "noone+chaos@example.org",
|
||||
MAILING_LIST_INTERN, "noone+intern@example.org"),
|
||||
noone = user("noone", "noone@example.org", Map.of(
|
||||
SSH_KEY_1, List.of("noone-ssh-key-1"),
|
||||
SSH_KEY_2, List.of("noone-ssh-key-2"),
|
||||
MAILING_LIST_CHAOS, List.of("noone+chaos@example.org"),
|
||||
MAILING_LIST_INTERN, List.of("noone+intern@example.org", "-")),
|
||||
Collections.emptyList());
|
||||
|
||||
UserProvider userProvider = mock(UserProvider.class);
|
||||
|
|
@ -134,7 +136,7 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
.exportAttributeValues("mailing-list-addresses-chaos"))) {
|
||||
|
||||
assertEquals(200, response.getStatus());
|
||||
assertEquals(List.of("hacker+chaos@example.net", "tester+chaos@example.com"), response.getEntity());
|
||||
assertEquals(List.of("hacker@example.net", "tester+chaos@example.com"), response.getEntity());
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -157,7 +159,7 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
|
||||
assertEquals(200, response.getStatus());
|
||||
assertEquals(Map.of(MAILING_LIST_CHAOS,
|
||||
List.of("hacker+chaos@example.net", "tester+chaos@example.com")),
|
||||
List.of("hacker@example.net", "tester+chaos@example.com")),
|
||||
response.getEntity());
|
||||
}
|
||||
}
|
||||
|
|
@ -176,9 +178,11 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
public void exportAttributeValues_duplicateSlugConfiguration_throwsNotFound() {
|
||||
List<ComponentModel> duplicateComponents = List.of(
|
||||
attributeEndpointComponent("duplicate-slug",
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys"),
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
|
||||
false),
|
||||
attributeEndpointComponent("duplicate-slug",
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys"));
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
|
||||
false));
|
||||
when(realm.getComponentsStream()).thenAnswer(inv -> duplicateComponents.stream());
|
||||
|
||||
NotFoundException exception = assertThrows(NotFoundException.class,
|
||||
|
|
@ -193,7 +197,8 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
public void exportAttributeValues_missingAuthRole_throwsServerError() {
|
||||
List<ComponentModel> components = List.of(
|
||||
attributeEndpointComponent("bad-auth-role",
|
||||
"nonexistent-role", "dooris-authorized", "dooris-ssh-keys"));
|
||||
"nonexistent-role", "dooris-authorized", "dooris-ssh-keys",
|
||||
false));
|
||||
when(realm.getComponentsStream()).thenAnswer(inv -> components.stream());
|
||||
|
||||
ServerErrorException exception = assertThrows(ServerErrorException.class,
|
||||
|
|
@ -208,7 +213,8 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
public void exportAttributeValues_missingMatchRole_throwsServerError() {
|
||||
List<ComponentModel> components = List.of(
|
||||
attributeEndpointComponent("bad-match-role",
|
||||
"export-dooris-ssh-keys", "nonexistent-role", "dooris-ssh-keys"));
|
||||
"export-dooris-ssh-keys", "nonexistent-role", "dooris-ssh-keys",
|
||||
false));
|
||||
when(realm.getComponentsStream()).thenAnswer(inv -> components.stream());
|
||||
|
||||
ServerErrorException exception = assertThrows(ServerErrorException.class,
|
||||
|
|
@ -222,7 +228,8 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
@Test
|
||||
public void exportAttributeValues_invalidAttributeRegex_throwsServerError() {
|
||||
ComponentModel component = attributeEndpointComponent("bad-regex",
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys");
|
||||
"export-dooris-ssh-keys", "dooris-authorized", "dooris-ssh-keys",
|
||||
false);
|
||||
component.put("attribute-regex", "[");
|
||||
when(realm.getComponentsStream()).thenAnswer(inv -> Stream.of(component));
|
||||
|
||||
|
|
@ -261,13 +268,14 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
}
|
||||
|
||||
private static ComponentModel attributeEndpointComponent(String slug, String authRole, String matchRole,
|
||||
String attributeGroup) {
|
||||
String attributeGroup, boolean defaultToUserEmail) {
|
||||
ComponentModel component = new ComponentModel();
|
||||
component.setProviderId(AdminUiPage.PROVIDER_ID);
|
||||
component.put("slug", slug);
|
||||
component.put("auth-role", authRole);
|
||||
component.put("match-role", matchRole);
|
||||
component.put("attribute-group", attributeGroup);
|
||||
component.put("default-to-user-email", Boolean.toString(defaultToUserEmail));
|
||||
return component;
|
||||
}
|
||||
|
||||
|
|
@ -291,13 +299,15 @@ public class AttributeEndpointsResourceProviderTest {
|
|||
return attribute;
|
||||
}
|
||||
|
||||
private UserModel user(String username, Map<String, String> attributes, List<String> roleNames) {
|
||||
private UserModel user(String username, String email, Map<String, List<String>> attributes, List<String> roleNames) {
|
||||
UserModel user = mock(UserModel.class);
|
||||
when(user.getUsername()).thenReturn(username);
|
||||
when(user.getEmail()).thenReturn(email.isBlank() ? null : email);
|
||||
when(user.getAttributes()).thenReturn(attributes);
|
||||
|
||||
when(user.getAttributeStream(anyString())).thenAnswer(inv -> Stream.empty());
|
||||
attributes.forEach((name, value) ->
|
||||
when(user.getAttributeStream(eq(name))).thenAnswer(inv -> Stream.of(value)));
|
||||
when(user.getAttributeStream(eq(name))).thenAnswer(inv -> value.stream()));
|
||||
|
||||
when(user.hasRole(any(RoleModel.class))).thenReturn(false);
|
||||
roleNames.forEach(name -> when(user.hasRole(roles.get(name))).thenReturn(true));
|
||||
|
|
|
|||
|
|
@ -447,8 +447,7 @@
|
|||
"attributes" : {
|
||||
"ssh-key-1" : [ "hacker-ssh-key-1" ],
|
||||
"mailing-list-address-intern" : [ "hacker+intern@example.net" ],
|
||||
"ssh-key-2" : [ "hacker-ssh-key-2" ],
|
||||
"mailing-list-address-chaos" : [ "hacker+chaos@example.net" ]
|
||||
"ssh-key-2" : [ "hacker-ssh-key-2" ]
|
||||
},
|
||||
"enabled" : true,
|
||||
"createdTimestamp" : 1784376038850,
|
||||
|
|
@ -1478,7 +1477,7 @@
|
|||
"subType" : "authenticated",
|
||||
"subComponents" : { },
|
||||
"config" : {
|
||||
"allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper" ]
|
||||
"allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper" ]
|
||||
}
|
||||
}, {
|
||||
"id" : "a49de9bf-462b-4c61-bb52-0373732f4b1b",
|
||||
|
|
@ -1538,7 +1537,7 @@
|
|||
"subType" : "anonymous",
|
||||
"subComponents" : { },
|
||||
"config" : {
|
||||
"allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper" ]
|
||||
"allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-user-property-mapper" ]
|
||||
}
|
||||
}, {
|
||||
"id" : "dd4024e9-f080-4319-aeb7-7f9906c345c5",
|
||||
|
|
@ -1605,8 +1604,9 @@
|
|||
"subComponents" : { },
|
||||
"config" : {
|
||||
"match-role" : [ "mailing-list-intern-member" ],
|
||||
"attribute-group" : [ "mailing-list-address-intern" ],
|
||||
"default-to-user-email" : [ "true" ],
|
||||
"auth-role" : [ "export-mailing-list-addresses" ],
|
||||
"attribute-group" : [ "mailing-list-address-intern" ],
|
||||
"slug" : [ "mailing-list-addresses-intern" ]
|
||||
}
|
||||
}, {
|
||||
|
|
@ -1625,8 +1625,9 @@
|
|||
"subComponents" : { },
|
||||
"config" : {
|
||||
"match-role" : [ "mailing-list-chaos-member" ],
|
||||
"auth-role" : [ "export-mailing-list-addresses" ],
|
||||
"default-to-user-email" : [ "true" ],
|
||||
"attribute-group" : [ "mailing-list-address-chaos" ],
|
||||
"auth-role" : [ "export-mailing-list-addresses" ],
|
||||
"slug" : [ "mailing-list-addresses-chaos" ]
|
||||
}
|
||||
} ]
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue