CCCHH/keycloak-attribute-endpoints-provider
0
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

implement TODOs

Browse source 
- fetch configuration of AdminUiPage Component
- validate config
- use configuration to get attributes
This commit is contained in:
kritzl 2026-02-17 15:16:16 +01:00
commit 8ea38a0748
Signed by: kritzl
SSH key fingerprint: SHA256:5BmINP9VjZWaUk5Z+2CTut1KFhwLtd0ZynMekKbtViM
2 changed files with 57 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

5
ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/AdminUiPage.java
View file

@ -12,10 +12,11 @@ import org.keycloak.services.ui.extend.UiPageProviderFactory;
import java.util.List;
/**
* Implements UiPageProvider to show a config page in the admin ui
* Implements UiPageProvider to show a config page in the admin
*/
@AutoService(UiPageProviderFactory.class)
public class AdminUiPage implements UiPageProvider, UiPageProviderFactory<ComponentModel> {
public static final String PROVIDER_ID = "🪪 Attribute Endpoints 🚀";
@Override
public void init(Config.Scope config) {
@ -31,7 +32,7 @@ public class AdminUiPage implements UiPageProvider, UiPageProviderFactory<Compon
@Override
public String getId() {
return "🪪 Attribute Endpoints 🚀";
return PROVIDER_ID;
}
@Override

93
ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProvider.java
View file

@ -1,5 +1,6 @@
package de.ccc.hamburg.keycloak.ssh_key;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.regex.Matcher;
@ -7,6 +8,7 @@ import java.util.regex.Pattern;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
@ -24,9 +26,11 @@ import org.keycloak.userprofile.UserProfileProvider;
import io.quarkus.security.UnauthorizedException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.ServerErrorException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
@ -34,10 +38,6 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
private static final Logger LOG = Logger.getLogger(SSHKeyResourceProvider.class);
private final KeycloakSession session;
// taken from: https://github.com/nemchik/ssh-key-regex
private static final Pattern SSH_PUBLIC_KEY = Pattern.compile(
"^(?<key>(ssh-dss AAAAB3NzaC1kc3|ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNT|ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzOD|ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1Mj|sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb2|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3})(\\s.*)?$");
public SSHKeyResourceProvider(KeycloakSession keycloakSession) {
this.session = keycloakSession;
}
@ -58,68 +58,85 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
KeycloakContext context = session.getContext();
RealmModel realm = context.getRealm();
// TODO: check if slug exists
List<ComponentModel> componentList = realm.getComponentsStream()
.filter(c -> c.getProviderId().equals(AdminUiPage.PROVIDER_ID))
.filter(c -> c.getConfig().getFirst("slug").equals(slug))
.toList();
// TODO: get config defined by AdminUiPage
// get config for slug and check if it is valid
RoleModel authRole;
RoleModel matchRole;
String attributeGroup;
String attributeRegex;
try {
authRole = realm.getRole("dooris-export");
matchRole = realm.getRole("dooris-access");
attributeGroup = "dooris";
attributeRegex = "placeholder_config_attributeRegex";
// TODO: check if AttributeGroup exists
} catch (Exception e) {
System.err.println(e);
return Response.status(500, e.getMessage()).build();
if (componentList.isEmpty()) {
throw new NotFoundException("Endpoint not found.");
}
Auth auth;
Auth auth = SSHKeyResourceProvider.getAuth(session);
ComponentModel component = componentList.get(0);
String configAuthRole = component.getConfig().getFirst("auth-role");
RoleModel authRole = realm.getRole(configAuthRole);
if (authRole == null) {
throw new ServerErrorException("Endpoint Configuration Error - auth-role does not exist.", 500);
}
String configMatchRole = component.getConfig().getFirst("match-role");
RoleModel matchRole = realm.getRole(configMatchRole);
if (matchRole == null) {
throw new ServerErrorException("Endpoint Configuration Error - match-role does not exist.", 500);
}
UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
UPConfig upconfig = profileProvider.getConfiguration();
String configAttributeGroup = component.getConfig().getFirst("attribute-group");
if (!upconfig.getGroups().stream().anyMatch(g -> g.getName().equals(configAttributeGroup))) {
throw new ServerErrorException("Endpoint Configuration Error - attribute-group does not exist.", 500);
}
String configAttributeRegex = component.getConfig().getFirst("attribute-regex");
Pattern attributeRegex;
try {
auth = SSHKeyResourceProvider.getAuth(session);
attributeRegex = Pattern.compile(configAttributeRegex);
} catch (Exception e) {
System.err.println(e);
return Response.status(401, e.getMessage()).build();
throw new ServerErrorException(
"Endpoint Configuration Error - attribute-regex is not a valid regex pattern.", 500);
}
try {
UserModel user = auth.getUser();
if (!user.hasRole(authRole)) {
throw new UnauthorizedException("User does not have requires auth role.");
throw new UnauthorizedException("User does not have required auth role.");
}
} catch (Exception e) {
System.err.println(e);
return Response.status(403, e.getMessage()).build();
}
UserProvider userProvider = session.users();
UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
UPConfig upconfig = profileProvider.getConfiguration();
if (componentList.size() > 1) {
throw new NotFoundException(
"Endpoint Configuration Error - Multiple configurations exist for this endpoint.");
}
List<String> attributeNames = upconfig.getAttributes()
.stream()
.filter(a -> a.getGroup() != null && a.getGroup().equals(attributeGroup))
.filter(a -> a.getGroup() != null && a.getGroup().equals(configAttributeGroup))
.map(a -> a.getName())
.toList();
UserProvider userProvider = session.users();
Stream<UserModel> users = userProvider.getRoleMembersStream(realm, matchRole);
List<String> attribute_list = users
.map(user -> {
return attributeNames
.stream()
.map(attributeName -> user.getAttributeStream(attributeName).findFirst())
.filter(attribute -> attribute.isPresent())
.map(attribute -> attribute.get())
Stream<String> attributeStream = attributeNames.stream()
.map(attributeName -> user.getAttributeStream(attributeName).toList())
.flatMap(Collection::stream);
return attributeStream
.filter(attribute -> !attribute.isEmpty())
.toList();
})
.flatMap(List::stream)
.map(key -> {
final Matcher matcher = SSH_PUBLIC_KEY.matcher(key);
return matcher.find() ? matcher.group("key") : null;
.map(attribute -> {
final Matcher matcher = attributeRegex.matcher(attribute);
return matcher.find() ? attribute : null;
})
.filter(Objects::nonNull)
.toList();