Merge branch 'main' into add-map-endpoint
This commit is contained in:
commit
9073ef086a
8 changed files with 2486 additions and 23 deletions
|
|
@ -7,7 +7,7 @@ jobs:
|
|||
name: Verify
|
||||
runs-on: docker
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: Install maven
|
||||
run: |
|
||||
apt update
|
||||
|
|
|
|||
|
|
@ -20,6 +20,10 @@ Once all dependencies are met, simply call `make` to build the provider, which s
|
|||
|
||||
There's also `make clean` available for removing the output directory.
|
||||
|
||||
## Testing Setup
|
||||
|
||||
See [testing/README.md](testing/README.md) for details on the Docker Compose based setup that includes a realm and the ability to attach a debugger to the running Keycloak.
|
||||
|
||||
## Example Setup
|
||||
|
||||
We assume an unconfigured, fresh Keycloak installation running under `http://localhost:8080`.
|
||||
|
|
|
|||
|
|
@ -86,7 +86,7 @@
|
|||
</plugin>
|
||||
<plugin>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<version>3.5.5</version>
|
||||
<version>3.5.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<artifactId>maven-jar-plugin</artifactId>
|
||||
|
|
@ -104,7 +104,7 @@
|
|||
https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
|
||||
<plugin>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.21.0</version>
|
||||
<version>3.22.0</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
|
|
|
|||
|
|
@ -3,6 +3,13 @@ package de.ccc.hamburg.keycloak.attribute_endpoints;
|
|||
import jakarta.ws.rs.*;
|
||||
import jakarta.ws.rs.core.MediaType;
|
||||
import jakarta.ws.rs.core.Response;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.component.ComponentModel;
|
||||
import org.keycloak.models.*;
|
||||
|
|
@ -198,13 +205,33 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
.map(a -> a.getName())
|
||||
.toList();
|
||||
|
||||
userProvider = session.users();
|
||||
// getRoleMembersStream only returns users with matchRole assigned directly; it misses
|
||||
// users who have the role via group membership (incl. parent groups) or composite roles.
|
||||
// hasRole() resolves the role the same way authUser.hasRole(authRole) does above.
|
||||
users = userProvider.searchForUserStream(realm, Map.of())
|
||||
.filter(user -> user.hasRole(matchRole));
|
||||
}
|
||||
UserProvider userProvider = session.users();
|
||||
Stream<UserModel> users = userProvider.searchForUserStream(realm, Map.of())
|
||||
.filter(user -> user.hasRole(matchRole));
|
||||
|
||||
List<String> attribute_list = users
|
||||
.map(user -> {
|
||||
Stream<String> attributeStream = attributeNames.stream()
|
||||
.map(attributeName -> user.getAttributeStream(attributeName).toList())
|
||||
.flatMap(Collection::stream);
|
||||
|
||||
return attributeStream
|
||||
.filter(attribute -> !attribute.isEmpty())
|
||||
.toList();
|
||||
})
|
||||
.flatMap(List::stream)
|
||||
.filter(attribute -> {
|
||||
if (regexIsBlank) {
|
||||
return true;
|
||||
}
|
||||
final Pattern pattern = Pattern.compile(configAttributeRegex);
|
||||
final Matcher matcher = pattern.matcher(attribute);
|
||||
return matcher.find();
|
||||
})
|
||||
.toList();
|
||||
|
||||
return Response.ok(attribute_list).build();
|
||||
|
||||
}
|
||||
|
||||
private static Auth getAuth(KeycloakSession session) {
|
||||
|
|
|
|||
13
compose.yaml
13
compose.yaml
|
|
@ -1,13 +0,0 @@
|
|||
services:
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:26.6.0
|
||||
pull_policy: always
|
||||
command: "start-dev --features=declarative-ui"
|
||||
environment:
|
||||
KEYCLOAK_ADMIN: admin
|
||||
KEYCLOAK_ADMIN_PASSWORD: admin
|
||||
KC_LOG_LEVEL: info
|
||||
ports:
|
||||
- "8080:8080"
|
||||
volumes:
|
||||
- ./attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar:/opt/keycloak/providers/attribute-endpoints-provider.jar
|
||||
56
testing/README.md
Normal file
56
testing/README.md
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
# Creating a Testing Keycloak
|
||||
|
||||
The Docker Compose setup in this directory sets up Keycloak and imports a realm `testing`.
|
||||
|
||||
## Starting Keycloak
|
||||
|
||||
Run `docker compose up -d` to start Keycloak. The admin console will be available at http://localhost:8080/.
|
||||
|
||||
You can attach a Java debugger at `localhost:8081`.
|
||||
|
||||
The realm export is in `import/testing.json`.
|
||||
It will be imported automatically when Keycloak starts.
|
||||
|
||||
## Updating the Realm
|
||||
|
||||
If you want to make changes to the testing realm and persist them, you need to export the realm.
|
||||
|
||||
The following command runs the Keycloak export for the realm `testing` storing it in the mapped directory `import/testing.json`.
|
||||
The copying of the database is necessary to avoid locking errors.
|
||||
`env -i` makes sure the regular environment variables are not set to avoid port conflicts.
|
||||
|
||||
```sh
|
||||
docker compose exec -it keycloak sh -c "cp -rp /opt/keycloak/data/h2 /tmp && env -i -- /opt/keycloak/bin/kc.sh export --db dev-file --db-url 'jdbc:h2:file:/tmp/h2/keycloakdb;NON_KEYWORDS=VALUE' --file /opt/keycloak/data/import/testing.json --realm testing"
|
||||
```
|
||||
|
||||
## Testing Realm Configuration
|
||||
|
||||
The realm contains these objects:
|
||||
|
||||
* Clients:
|
||||
* `export-dooris-ssh-keys` with secret `export-dooris-ssh-keys-secret` and role `export-dooris-ssh-keys`
|
||||
* `export-mailing-list-addresses` with secret `export-mailing-list-addresses-secret` and role `export-mailing-list-addresses`
|
||||
* Realm Roles:
|
||||
* `dooris-authorized`
|
||||
* `mailing-list-chaos-member`
|
||||
* `mailing-list-intern-member`
|
||||
* `export-dooris-ssh-keys`
|
||||
* `export-mailing-list-addresses`
|
||||
* Groups:
|
||||
* `chaos` with role `mailing-list-chaos-member`
|
||||
* `ìntern` with roles `dooris-authorized` and `mailing-list-intern-member`
|
||||
* Users:
|
||||
* `tester` (Tony Tester), email `tester@example.com`, member of group `chaos`
|
||||
* Mailing List Addresses:
|
||||
* Chaos: `tester+chaos@example.com`
|
||||
* Intern: `tester+intern@example.com`
|
||||
* Dooris SSH Keys:
|
||||
* SSH Key 1: `tester-ssh-key-1`
|
||||
* SSH Key 2: `tester-ssh-key-2`
|
||||
* `hacker` (Hans Acker), email `hacker@example.net`, member of groups `chaos`and `intern`
|
||||
* Mailing List Addresses:
|
||||
* Chaos: `hacker+chaos@example.net`
|
||||
* Intern: `hacker+intern@example.net`
|
||||
* Dooris SSH Keys:
|
||||
* SSH Key 1: `hacker-ssh-key-1`
|
||||
* SSH Key 2: `hacker-ssh-key-2`
|
||||
17
testing/compose.yaml
Normal file
17
testing/compose.yaml
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
services:
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:26.6.0
|
||||
pull_policy: always
|
||||
command: "start-dev --features=declarative-ui --import-realm"
|
||||
environment:
|
||||
KC_BOOTSTRAP_ADMIN_USERNAME: admin
|
||||
KC_BOOTSTRAP_ADMIN_PASSWORD: admin
|
||||
KC_LOG_LEVEL: info
|
||||
KC_DEBUG: true
|
||||
KC_DEBUG_PORT: "*:8081"
|
||||
ports:
|
||||
- "8080:8080"
|
||||
- "8081:8081"
|
||||
volumes:
|
||||
- ./import:/opt/keycloak/data/import/
|
||||
- ../attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar:/opt/keycloak/providers/attribute-endpoints-provider.jar
|
||||
2372
testing/import/testing.json
Normal file
2372
testing/import/testing.json
Normal file
File diff suppressed because it is too large
Load diff
Loading…
Add table
Add a link
Reference in a new issue