rename provider

attribute-endpoints-provider/.gitignore

@@ -0,0 +1 @@
+target/

attribute-endpoints-provider/pom.xml

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>de.ccc.hamburg.keycloak.attribute_endpoints</groupId>
+  <artifactId>attribute-endpoints-provider</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>attribute-endpoints-provider</name>
+  <!-- FIXME change it to the project's website -->
+  <url>http://www.example.com</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>17</maven.compiler.source>
+    <maven.compiler.target>17</maven.compiler.target>
+    <keycloak.version>26.4.2</keycloak.version>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.11</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-server-spi-private</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-server-spi</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-services</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.google.auto.service</groupId>
+      <artifactId>auto-service</artifactId>
+      <version>1.1.1</version>
+    </dependency>
+  </dependencies>
+
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.keycloak</groupId>
+        <artifactId>keycloak-parent</artifactId>
+        <version>${keycloak.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+
+  <build>
+    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to
+      parent pom) -->
+      <plugins>
+        <!-- clean lifecycle, see
+        https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+        <plugin>
+          <artifactId>maven-clean-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <!-- default lifecycle, jar packaging: see
+        https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>3.8.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.22.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-install-plugin</artifactId>
+          <version>2.5.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-deploy-plugin</artifactId>
+          <version>2.8.2</version>
+        </plugin>
+        <!-- site lifecycle, see
+        https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+        <plugin>
+          <artifactId>maven-site-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>3.0.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+  </build>
+</project>

attribute-endpoints-provider/src/main/java/de/ccc/hamburg/keycloak/attribute_endpoints/AdminUiPage.java

@@ -0,0 +1,83 @@
+package de.ccc.hamburg.keycloak.attribute_endpoints;
+
+import com.google.auto.service.AutoService;
+import org.keycloak.Config;
+import org.keycloak.component.ComponentModel;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.provider.ProviderConfigurationBuilder;
+import org.keycloak.services.ui.extend.UiPageProvider;
+import org.keycloak.services.ui.extend.UiPageProviderFactory;
+
+import java.util.List;
+
+/**
+ * Implements UiPageProvider to show a config page in the admin
+ */
+@AutoService(UiPageProviderFactory.class)
+public class AdminUiPage implements UiPageProvider, UiPageProviderFactory<ComponentModel> {
+    public static final String PROVIDER_ID = "🪪 Attribute Endpoints 🚀";
+
+    @Override
+    public void init(Config.Scope config) {
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+    }
+
+    @Override
+    public void close() {
+    }
+    
+    @Override
+    public String getId() {
+        return PROVIDER_ID;
+    }
+
+    @Override
+    public String getHelpText() {
+        return "Configure endpoints of the Attribute Endpoint Provider.";
+    }
+
+    @Override
+    public List<ProviderConfigProperty> getConfigProperties() {
+        return ProviderConfigurationBuilder.create()
+                .property()
+                .name("slug")
+                .label("Slug")
+                .helpText("The slug in the path of the API endpoint (e.g. /realms/:realm/attribute-endpoint-provider/export/:slug)")
+                .type(ProviderConfigProperty.STRING_TYPE)
+                .add()
+                
+                .property()
+                .name("attribute-group")
+                .label("Attribute Group")
+                .helpText("The attribute group to export.")
+                .type(ProviderConfigProperty.STRING_TYPE)
+                .add()
+                
+                .property()
+                .name("match-role")
+                .label("Match Role")
+                .helpText("Export only attributes of users with this role.")
+                .type(ProviderConfigProperty.STRING_TYPE)
+                .add()
+                
+                .property()
+                .name("auth-role")
+                .label("Auth Role")
+                .helpText("Role needeed by the authenticated account to be able to use this endpoint.")
+                .type(ProviderConfigProperty.STRING_TYPE)
+                .add()
+                
+                .property()
+                .name("attribute-regex")
+                .label("Attribute RegEx")
+                .helpText("A RegEx Rule used to verify each attribute value. Only matching values are returned.")
+                .type(ProviderConfigProperty.STRING_TYPE)
+                .add()
+                
+                .build();
+    }
+}

attribute-endpoints-provider/src/main/java/de/ccc/hamburg/keycloak/attribute_endpoints/AttributeEndpointsResourceProvider.java

@@ -0,0 +1,160 @@
+package de.ccc.hamburg.keycloak.attribute_endpoints;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.Objects;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Stream;
+
+import org.jboss.logging.Logger;
+import org.keycloak.component.ComponentModel;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakContext;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.RoleModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserProvider;
+import org.keycloak.representations.userprofile.config.UPConfig;
+import org.keycloak.services.managers.AppAuthManager;
+import org.keycloak.services.managers.Auth;
+import org.keycloak.services.managers.AuthenticationManager.AuthResult;
+import org.keycloak.services.resource.RealmResourceProvider;
+import org.keycloak.userprofile.UserProfileProvider;
+
+import io.quarkus.security.UnauthorizedException;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.NotAuthorizedException;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.ServerErrorException;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+
+public class AttributeEndpointsResourceProvider implements RealmResourceProvider {
+    private static final Logger LOG = Logger.getLogger(AttributeEndpointsResourceProvider.class);
+    private final KeycloakSession session;
+
+    public AttributeEndpointsResourceProvider(KeycloakSession keycloakSession) {
+        this.session = keycloakSession;
+    }
+
+    @Override
+    public Object getResource() {
+        return this;
+    }
+
+    @Override
+    public void close() {
+    }
+
+    @GET
+    @Path("export/{slug}")
+    @Produces(MediaType.APPLICATION_JSON)
+    public Response exportKeys(@PathParam("slug") String slug) {
+        KeycloakContext context = session.getContext();
+        RealmModel realm = context.getRealm();
+
+        List<ComponentModel> componentList = realm.getComponentsStream()
+                .filter(c -> c.getProviderId().equals(AdminUiPage.PROVIDER_ID))
+                .filter(c -> c.getConfig().getFirst("slug").equals(slug))
+                .toList();
+
+        if (componentList.isEmpty()) {
+            throw new NotFoundException("Endpoint not found.");
+        }
+
+        Auth auth = AttributeEndpointsResourceProvider.getAuth(session);
+
+        ComponentModel component = componentList.get(0);
+
+        String configAuthRole = component.getConfig().getFirst("auth-role");
+        RoleModel authRole = realm.getRole(configAuthRole);
+        if (authRole == null) {
+            throw new ServerErrorException("Endpoint Configuration Error - auth-role does not exist.", 500);
+        }
+
+        String configMatchRole = component.getConfig().getFirst("match-role");
+        RoleModel matchRole = realm.getRole(configMatchRole);
+        if (matchRole == null) {
+            throw new ServerErrorException("Endpoint Configuration Error - match-role does not exist.", 500);
+        }
+
+        UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
+        UPConfig upconfig = profileProvider.getConfiguration();
+        String configAttributeGroup = component.getConfig().getFirst("attribute-group");
+        if (!upconfig.getGroups().stream().anyMatch(g -> g.getName().equals(configAttributeGroup))) {
+            throw new ServerErrorException("Endpoint Configuration Error - attribute-group does not exist.", 500);
+        }
+
+        String configAttributeRegex = component.getConfig().getFirst("attribute-regex");
+        Pattern attributeRegex;
+        try {
+            attributeRegex = Pattern.compile(configAttributeRegex);
+        } catch (Exception e) {
+            throw new ServerErrorException(
+                    "Endpoint Configuration Error - attribute-regex is not a valid regex pattern.", 500);
+        }
+
+        try {
+            UserModel user = auth.getUser();
+            if (!user.hasRole(authRole)) {
+                throw new UnauthorizedException("User does not have required auth role.");
+            }
+        } catch (Exception e) {
+            System.err.println(e);
+            return Response.status(403, e.getMessage()).build();
+        }
+
+        if (componentList.size() > 1) {
+            throw new NotFoundException(
+                    "Endpoint Configuration Error - Multiple configurations exist for this endpoint.");
+        }
+
+        List<String> attributeNames = upconfig.getAttributes()
+                .stream()
+                .filter(a -> a.getGroup() != null && a.getGroup().equals(configAttributeGroup))
+                .map(a -> a.getName())
+                .toList();
+
+        UserProvider userProvider = session.users();
+        Stream<UserModel> users = userProvider.getRoleMembersStream(realm, matchRole);
+
+        List<String> attribute_list = users
+                .map(user -> {
+                    Stream<String> attributeStream = attributeNames.stream()
+                            .map(attributeName -> user.getAttributeStream(attributeName).toList())
+                            .flatMap(Collection::stream);
+
+                    return attributeStream
+                            .filter(attribute -> !attribute.isEmpty())
+                            .toList();
+                })
+                .flatMap(List::stream)
+                .map(attribute -> {
+                    final Matcher matcher = attributeRegex.matcher(attribute);
+                    return matcher.find() ? attribute : null;
+                })
+                .filter(Objects::nonNull)
+                .toList();
+
+        return Response.ok(attribute_list).build();
+
+    }
+
+    private static Auth getAuth(KeycloakSession session) {
+        AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
+
+        if (auth == null) {
+            throw new NotAuthorizedException("Bearer");
+        }
+
+        RealmModel realm = session.getContext().getRealm();
+        ClientModel client = auth.getClient();
+        return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
+    }
+
+}

attribute-endpoints-provider/src/main/java/de/ccc/hamburg/keycloak/attribute_endpoints/AttributeEndpointsResourceProviderFactory.java

@@ -0,0 +1,36 @@
+package de.ccc.hamburg.keycloak.attribute_endpoints;
+
+import org.keycloak.Config;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.services.resource.RealmResourceProvider;
+import org.keycloak.services.resource.RealmResourceProviderFactory;
+
+import com.google.auto.service.AutoService;
+
+@AutoService(RealmResourceProviderFactory.class)
+public class AttributeEndpointsResourceProviderFactory implements RealmResourceProviderFactory {
+    static final String PROVIDER_ID = "attribute-endpoints-provider";
+
+    @Override
+	public RealmResourceProvider create(KeycloakSession keycloakSession) {
+		return new AttributeEndpointsResourceProvider(keycloakSession);
+	}
+
+	@Override
+	public void init(Config.Scope config) {
+	}
+
+	@Override
+	public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
+	}
+
+	@Override
+	public void close() {
+	}
+
+	@Override
+	public String getId() {
+		return PROVIDER_ID;
+	}
+}

attribute-endpoints-provider/src/test/java/de/ccc/hamburg/keycloak/AppTest.java

@@ -0,0 +1,20 @@
+package de.ccc.hamburg.keycloak;
+
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+
+/**
+ * Unit test for simple App.
+ */
+public class AppTest 
+{
+    /**
+     * Rigorous Test :-)
+     */
+    @Test
+    public void shouldAnswerWithTrue()
+    {
+        assertTrue( true );
+    }
+}