Attempt to use the UiPageProvider to configure endpoints

Co-authored-by: June june@jsts.xyz
2026-02-16 18:53:43 +01:00 · 2026-02-16 18:53:43 +01:00 · a7be1213af
commit a7be1213af
parent 8d190c2970
7 changed files with 5362 additions and 30 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,32 @@
 What does this Keykloak Provider do?
 Export an anonymized list of User-Attribute values.
 This provider will provide an api endpoit for every configured attribute-group.
 Multivalues attribues are not supported (yet).
 Configuration in Keykloak
 - Client with Service-Account
  - Assigned roles allow access to attribute export
 - User profile Groups with attributes
 ```json
 {
    "endpoints": [
        {
            "slug": "myattribute",
            "attribute-group": "myattributes",
            "match-role": "myattribute-access",
            "auth-role": "myattribute-export",
            "attribute-regex": "^(?<key>(ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3})(\\s.*)?$",
        }
    ]
 }
 ```
 We recommend using a client with service-account, but you can also use a bot-account to authenticate against the provider.
--- a/compose.yaml
+++ b/compose.yaml
@ -1,8 +1,8 @@
 services:
  keycloak:
-    image: quay.io/keycloak/keycloak:26.4.2
+    image: quay.io/keycloak/keycloak:26.5.3
    pull_policy: always
-    command: start-dev
+    command: "start-dev --features=declarative-ui"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
--- a/realm-export.json
+++ b/realm-export.json
--- a/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/AdminUiPage.java
+++ b/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/AdminUiPage.java
@ -0,0 +1,82 @@
 package de.ccc.hamburg.keycloak.ssh_key;
 import com.google.auto.service.AutoService;
 import org.keycloak.Config;
 import org.keycloak.component.ComponentModel;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.provider.ProviderConfigurationBuilder;
 import org.keycloak.services.ui.extend.UiPageProvider;
 import org.keycloak.services.ui.extend.UiPageProviderFactory;
 import java.util.List;
 /**
 * Implements UiPageProvider to show a config page in the admin ui
 */
@AutoService(UiPageProviderFactory.class)
 public class AdminUiPage implements UiPageProvider, UiPageProviderFactory<ComponentModel> {
    @Override
    public void init(Config.Scope config) {
    }
    @Override
    public void postInit(KeycloakSessionFactory factory) {
    }
    @Override
    public void close() {
    }
    @Override
    public String getId() {
        return "🪪 Attribute Endpoints 🚀";
    }
    @Override
    public String getHelpText() {
        return "Configure endpoints of the Attribute Endpoint Provider.";
    }
    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return ProviderConfigurationBuilder.create()
                .property()
                .name("slug")
                .label("Slug")
                .helpText("The slug in the path of the API endpoint (e.g. /realms/:realm/attribute-endpoint-provider/export/:slug)")
                .type(ProviderConfigProperty.STRING_TYPE)
                .add()
                .property()
                .name("attribute-group")
                .label("Attribute Group")
                .helpText("The attribute group to export.")
                .type(ProviderConfigProperty.STRING_TYPE)
                .add()
                .property()
                .name("match-role")
                .label("Match Role")
                .helpText("Export only attributes of users with this role.")
                .type(ProviderConfigProperty.STRING_TYPE)
                .add()
                .property()
                .name("auth-role")
                .label("Auth Role")
                .helpText("Role needeed by the authenticated account to be able to use this endpoint.")
                .type(ProviderConfigProperty.STRING_TYPE)
                .add()
                .property()
                .name("attribute-regex")
                .label("Attribute RegEx")
                .helpText("A RegEx Rule used to verify each attribute value. Only matching values are returned.")
                .type(ProviderConfigProperty.STRING_TYPE)
                .add()
                .build();
    }
 }
--- a/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProvider.java
+++ b/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProvider.java
@ -1,7 +1,6 @@
 package de.ccc.hamburg.keycloak.ssh_key;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@ -9,20 +8,20 @@ import java.util.stream.Stream;
 import org.jboss.logging.Logger;
 import org.keycloak.models.ClientModel;
-import org.keycloak.models.GroupModel;
+import org.keycloak.models.KeycloakContext;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserProvider;
 import org.keycloak.representations.userprofile.config.UPConfig;
 import org.keycloak.services.managers.AppAuthManager;
 import org.keycloak.services.managers.AppAuthManager.BearerTokenAuthenticator;
 import org.keycloak.services.managers.Auth;
 import org.keycloak.services.managers.AuthenticationManager.AuthResult;
 import org.keycloak.services.resource.RealmResourceProvider;
 import org.keycloak.userprofile.UserProfileProvider;
-import jakarta.ws.rs.ForbiddenException;
+import io.quarkus.security.UnauthorizedException;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.NotAuthorizedException;
 import jakarta.ws.rs.Path;
@ -53,33 +52,62 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
    }
    @GET
-    @Path("export/{group_id}")
+    @Path("export/{slug}")
    @Produces(MediaType.APPLICATION_JSON)
-    public Response exportKeys(@PathParam("group_id") String groupId) {
+    public Response exportKeys(@PathParam("slug") String slug) {
        KeycloakContext context = session.getContext();
        RealmModel realm = context.getRealm();
        // TODO: check if slug exists
        // TODO: get config defined by AdminUiPage
        // get config for slug and check if it is valid
        RoleModel authRole;
        RoleModel matchRole;
        String attributeGroup;
        String attributeRegex;
        try {
-            SSHKeyResourceProvider.getAuth(session);
+            authRole = realm.getRole("dooris-export");
            matchRole = realm.getRole("dooris-access");
            attributeGroup = "dooris";
            attributeRegex = "placeholder_config_attributeRegex";
            // TODO: check if AttributeGroup exists
        } catch (Exception e) {
            System.err.println(e);
            return Response.status(500, e.getMessage()).build();
        }
        Auth auth;
        try {
            auth = SSHKeyResourceProvider.getAuth(session);
        } catch (Exception e) {
            System.err.println(e);
            return Response.status(401, e.getMessage()).build();
        }
        try {
            UserModel user = auth.getUser();
            if (!user.hasRole(authRole)) {
                throw new UnauthorizedException("User does not have requires auth role.");
            }
        } catch (Exception e) {
            System.err.println(e);
            return Response.status(403, e.getMessage()).build();
        }
        UserProvider userProvider = session.users();
        UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
        UPConfig upconfig = profileProvider.getConfiguration();
        List<String> attributeNames = upconfig.getAttributes()
                .stream()
-                .filter(a -> a.getGroup() != null && a.getGroup().equals("de.ccc.hamburg.keycloak.ssh_key.keys"))
+                .filter(a -> a.getGroup() != null && a.getGroup().equals(attributeGroup))
                .map(a -> a.getName())
                .toList();
-        RealmModel realm = session.getContext().getRealm();
+        Stream<UserModel> users = userProvider.getRoleMembersStream(realm, matchRole);
-        // TODO: add allowlist check
+        List<String> attribute_list = users
        GroupModel group = realm.getGroupById(groupId);
        Stream<UserModel> users = userProvider.getGroupMembersStream(realm, group);
        List<String> keys = users
                .map(user -> {
                    return attributeNames
                            .stream()
@ -96,22 +124,20 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
                .filter(Objects::nonNull)
                .toList();
-        return Response.ok(Map.of("keys", keys)).build();
+        return Response.ok(attribute_list).build();
    }
    private static Auth getAuth(KeycloakSession session) {
-    	AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
+        AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
-    
+
-    	if (auth == null) {
+        if (auth == null) {
-    		throw new NotAuthorizedException("Bearer");
+            throw new NotAuthorizedException("Bearer");
-    	} else if (!auth.getToken().getIssuedFor().equals("admin-cli")) {
+        }
-    		throw new ForbiddenException();
+
-    	}
+        RealmModel realm = session.getContext().getRealm();
-    	
+        ClientModel client = auth.getClient();
-    	RealmModel realm = session.getContext().getRealm();
+        return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
    	ClientModel client = auth.getClient();
    	return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
    }
 }
--- a/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProviderFactory.java
+++ b/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProviderFactory.java
@ -18,7 +18,7 @@ public class SSHKeyResourceProviderFactory implements RealmResourceProviderFacto
 	}
 	@Override
-	public void init(Config.Scope scope) {
+	public void init(Config.Scope config) {
 	}
 	@Override
--- a/test.json
+++ b/test.json