CCCHH/keycloak-attribute-endpoints-provider
0
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Attempt to use the UiPageProvider to configure endpoints

Browse source 
Co-authored-by: June june@jsts.xyz
This commit is contained in:
kritzl 2026-02-16 18:53:43 +01:00
commit a7be1213af
Signed by: kritzl
SSH key fingerprint: SHA256:5BmINP9VjZWaUk5Z+2CTut1KFhwLtd0ZynMekKbtViM
7 changed files with 5362 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

82
ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/AdminUiPage.java Normal file
View file

@ -0,0 +1,82 @@
package de.ccc.hamburg.keycloak.ssh_key;
import com.google.auto.service.AutoService;
import org.keycloak.Config;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.services.ui.extend.UiPageProvider;
import org.keycloak.services.ui.extend.UiPageProviderFactory;
import java.util.List;
/**
* Implements UiPageProvider to show a config page in the admin ui
*/
@AutoService(UiPageProviderFactory.class)
public class AdminUiPage implements UiPageProvider, UiPageProviderFactory<ComponentModel> {
@Override
public void init(Config.Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public void close() {
}
@Override
public String getId() {
return "🪪 Attribute Endpoints 🚀";
}
@Override
public String getHelpText() {
return "Configure endpoints of the Attribute Endpoint Provider.";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return ProviderConfigurationBuilder.create()
.property()
.name("slug")
.label("Slug")
.helpText("The slug in the path of the API endpoint (e.g. /realms/:realm/attribute-endpoint-provider/export/:slug)")
.type(ProviderConfigProperty.STRING_TYPE)
.add()
.property()
.name("attribute-group")
.label("Attribute Group")
.helpText("The attribute group to export.")
.type(ProviderConfigProperty.STRING_TYPE)
.add()
.property()
.name("match-role")
.label("Match Role")
.helpText("Export only attributes of users with this role.")
.type(ProviderConfigProperty.STRING_TYPE)
.add()
.property()
.name("auth-role")
.label("Auth Role")
.helpText("Role needeed by the authenticated account to be able to use this endpoint.")
.type(ProviderConfigProperty.STRING_TYPE)
.add()
.property()
.name("attribute-regex")
.label("Attribute RegEx")
.helpText("A RegEx Rule used to verify each attribute value. Only matching values are returned.")
.type(ProviderConfigProperty.STRING_TYPE)
.add()
.build();
}
}

80
ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProvider.java
View file

@ -1,7 +1,6 @@
package de.ccc.hamburg.keycloak.ssh_key;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@ -9,20 +8,20 @@ import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.representations.userprofile.config.UPConfig;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AppAuthManager.BearerTokenAuthenticator;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.userprofile.UserProfileProvider;
import jakarta.ws.rs.ForbiddenException;
import io.quarkus.security.UnauthorizedException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.Path;
@ -53,33 +52,62 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
}
@GET
@Path("export/{group_id}")
@Path("export/{slug}")
@Produces(MediaType.APPLICATION_JSON)
public Response exportKeys(@PathParam("group_id") String groupId) {
public Response exportKeys(@PathParam("slug") String slug) {
KeycloakContext context = session.getContext();
RealmModel realm = context.getRealm();
// TODO: check if slug exists
// TODO: get config defined by AdminUiPage
// get config for slug and check if it is valid
RoleModel authRole;
RoleModel matchRole;
String attributeGroup;
String attributeRegex;
try {
SSHKeyResourceProvider.getAuth(session);
authRole = realm.getRole("dooris-export");
matchRole = realm.getRole("dooris-access");
attributeGroup = "dooris";
attributeRegex = "placeholder_config_attributeRegex";
// TODO: check if AttributeGroup exists
} catch (Exception e) {
System.err.println(e);
return Response.status(500, e.getMessage()).build();
}
Auth auth;
try {
auth = SSHKeyResourceProvider.getAuth(session);
} catch (Exception e) {
System.err.println(e);
return Response.status(401, e.getMessage()).build();
}
try {
UserModel user = auth.getUser();
if (!user.hasRole(authRole)) {
throw new UnauthorizedException("User does not have requires auth role.");
}
} catch (Exception e) {
System.err.println(e);
return Response.status(403, e.getMessage()).build();
}
UserProvider userProvider = session.users();
UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
UPConfig upconfig = profileProvider.getConfiguration();
List<String> attributeNames = upconfig.getAttributes()
.stream()
.filter(a -> a.getGroup() != null && a.getGroup().equals("de.ccc.hamburg.keycloak.ssh_key.keys"))
.filter(a -> a.getGroup() != null && a.getGroup().equals(attributeGroup))
.map(a -> a.getName())
.toList();
RealmModel realm = session.getContext().getRealm();
Stream<UserModel> users = userProvider.getRoleMembersStream(realm, matchRole);
// TODO: add allowlist check
GroupModel group = realm.getGroupById(groupId);
Stream<UserModel> users = userProvider.getGroupMembersStream(realm, group);
List<String> keys = users
List<String> attribute_list = users
.map(user -> {
return attributeNames
.stream()
@ -96,22 +124,20 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
.filter(Objects::nonNull)
.toList();
return Response.ok(Map.of("keys", keys)).build();
return Response.ok(attribute_list).build();
}
private static Auth getAuth(KeycloakSession session) {
AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
if (auth == null) {
throw new NotAuthorizedException("Bearer");
} else if (!auth.getToken().getIssuedFor().equals("admin-cli")) {
throw new ForbiddenException();
}
RealmModel realm = session.getContext().getRealm();
ClientModel client = auth.getClient();
return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
if (auth == null) {
throw new NotAuthorizedException("Bearer");
}
RealmModel realm = session.getContext().getRealm();
ClientModel client = auth.getClient();
return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
}
}

2
ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProviderFactory.java
View file

@ -18,7 +18,7 @@ public class SSHKeyResourceProviderFactory implements RealmResourceProviderFacto
}
@Override
public void init(Config.Scope scope) {
public void init(Config.Scope config) {
}
@Override