Add just the refactoring from #26.
All checks were successful
/ Verify (pull_request) Successful in 48s
All checks were successful
/ Verify (pull_request) Successful in 48s
This is based off #31, so that needs to be merged first.
This commit is contained in:
parent
f204ab7f28
commit
e5d68bb9ad
1 changed files with 104 additions and 96 deletions
|
|
@ -1,21 +1,12 @@
|
|||
package de.ccc.hamburg.keycloak.attribute_endpoints;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import jakarta.ws.rs.*;
|
||||
import jakarta.ws.rs.core.MediaType;
|
||||
import jakarta.ws.rs.core.Response;
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.component.ComponentModel;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.KeycloakContext;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.RoleModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.UserProvider;
|
||||
import org.keycloak.models.*;
|
||||
import org.keycloak.representations.userprofile.config.UPAttribute;
|
||||
import org.keycloak.representations.userprofile.config.UPConfig;
|
||||
import org.keycloak.services.managers.AppAuthManager;
|
||||
import org.keycloak.services.managers.Auth;
|
||||
|
|
@ -23,16 +14,11 @@ import org.keycloak.services.managers.AuthenticationManager.AuthResult;
|
|||
import org.keycloak.services.resource.RealmResourceProvider;
|
||||
import org.keycloak.userprofile.UserProfileProvider;
|
||||
|
||||
import jakarta.ws.rs.ForbiddenException;
|
||||
import jakarta.ws.rs.GET;
|
||||
import jakarta.ws.rs.NotAuthorizedException;
|
||||
import jakarta.ws.rs.NotFoundException;
|
||||
import jakarta.ws.rs.Path;
|
||||
import jakarta.ws.rs.PathParam;
|
||||
import jakarta.ws.rs.Produces;
|
||||
import jakarta.ws.rs.ServerErrorException;
|
||||
import jakarta.ws.rs.core.MediaType;
|
||||
import jakarta.ws.rs.core.Response;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
public class AttributeEndpointsResourceProvider implements RealmResourceProvider {
|
||||
private static final Logger LOG = Logger.getLogger(AttributeEndpointsResourceProvider.class);
|
||||
|
|
@ -51,81 +37,21 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
public void close() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a list of all attribute values selected by the attribute group attributeGroupName.
|
||||
*
|
||||
* @param attributeGroupName attribute group name
|
||||
* @return a list of attribute values.
|
||||
*/
|
||||
@GET
|
||||
@Path("export/{slug}")
|
||||
@Produces(MediaType.APPLICATION_JSON)
|
||||
public Response exportAttributeValues(@PathParam("slug") String slug) {
|
||||
KeycloakContext context = session.getContext();
|
||||
RealmModel realm = context.getRealm();
|
||||
public Response exportAttributeValues(@PathParam("slug") String attributeGroupName) {
|
||||
AttributeExportContext ctx = new AttributeExportContext(attributeGroupName);
|
||||
|
||||
List<ComponentModel> componentList = realm.getComponentsStream()
|
||||
.filter(c -> c.getProviderId().equals(AdminUiPage.PROVIDER_ID))
|
||||
.filter(c -> c.getConfig().getFirst("slug").equals(slug))
|
||||
.toList();
|
||||
|
||||
Auth auth = AttributeEndpointsResourceProvider.getAuth(session);
|
||||
|
||||
if (componentList.isEmpty()) {
|
||||
throw new NotFoundException("Endpoint not found.");
|
||||
}
|
||||
|
||||
if (componentList.size() > 1) {
|
||||
throw new NotFoundException(
|
||||
"Endpoint Configuration Error - Multiple configurations exist for this endpoint.");
|
||||
}
|
||||
|
||||
ComponentModel component = componentList.get(0);
|
||||
|
||||
String configAuthRole = component.getConfig().getFirst("auth-role");
|
||||
RoleModel authRole = realm.getRole(configAuthRole);
|
||||
if (authRole == null) {
|
||||
throw new ServerErrorException("Endpoint Configuration Error - auth-role does not exist.", 500);
|
||||
}
|
||||
|
||||
String configMatchRole = component.getConfig().getFirst("match-role");
|
||||
RoleModel matchRole = realm.getRole(configMatchRole);
|
||||
if (matchRole == null) {
|
||||
throw new ServerErrorException("Endpoint Configuration Error - match-role does not exist.", 500);
|
||||
}
|
||||
|
||||
UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
|
||||
UPConfig upconfig = profileProvider.getConfiguration();
|
||||
String configAttributeGroup = component.getConfig().getFirst("attribute-group");
|
||||
if (!upconfig.getGroups().stream().anyMatch(g -> g.getName().equals(configAttributeGroup))) {
|
||||
throw new ServerErrorException("Endpoint Configuration Error - attribute-group does not exist.", 500);
|
||||
}
|
||||
|
||||
String configAttributeRegex = component.getConfig().getFirst("attribute-regex");
|
||||
Boolean regexIsBlank = configAttributeRegex == null;
|
||||
|
||||
if (!regexIsBlank) {
|
||||
try {
|
||||
Pattern.compile(configAttributeRegex);
|
||||
} catch (Exception e) {
|
||||
throw new ServerErrorException(
|
||||
"Endpoint Configuration Error - attribute-regex is not a valid regex pattern.", 500);
|
||||
}
|
||||
}
|
||||
|
||||
UserModel authUser = auth.getUser();
|
||||
if (!authUser.hasRole(authRole)) {
|
||||
LOG.info("User " + authUser.getUsername() + " does not have required role " + authRole.getName());
|
||||
throw new ForbiddenException("User does not have required auth role.");
|
||||
}
|
||||
|
||||
List<String> attributeNames = upconfig.getAttributes()
|
||||
.stream()
|
||||
.filter(a -> a.getGroup() != null && a.getGroup().equals(configAttributeGroup))
|
||||
.map(a -> a.getName())
|
||||
.toList();
|
||||
|
||||
UserProvider userProvider = session.users();
|
||||
Stream<UserModel> users = userProvider.searchForUserStream(realm, Map.of())
|
||||
.filter(user -> user.hasRole(matchRole));
|
||||
|
||||
List<String> attribute_list = users
|
||||
List<String> attribute_list = ctx.users
|
||||
.map(user -> {
|
||||
Stream<String> attributeStream = attributeNames.stream()
|
||||
Stream<String> attributeStream = ctx.attributeNames.stream()
|
||||
.map(attributeName -> user.getAttributeStream(attributeName).toList())
|
||||
.flatMap(Collection::stream);
|
||||
|
||||
|
|
@ -134,18 +60,83 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
.toList();
|
||||
})
|
||||
.flatMap(List::stream)
|
||||
.filter(attribute -> {
|
||||
if (regexIsBlank) {
|
||||
return true;
|
||||
}
|
||||
final Pattern pattern = Pattern.compile(configAttributeRegex);
|
||||
final Matcher matcher = pattern.matcher(attribute);
|
||||
return matcher.find();
|
||||
})
|
||||
.filter(ctx.filter::matches)
|
||||
.toList();
|
||||
|
||||
return Response.ok(attribute_list).build();
|
||||
}
|
||||
|
||||
/**
|
||||
* Resolves and validates the configuration and request state needed to export attribute
|
||||
* values for a given slug, exposing the results as member variables.
|
||||
*/
|
||||
private class AttributeExportContext {
|
||||
List<String> attributeNames;
|
||||
UserModel authUser;
|
||||
String configAttributeGroup;
|
||||
RegExFilter filter;
|
||||
UPConfig upconfig;
|
||||
Stream<UserModel> users;
|
||||
|
||||
AttributeExportContext(String slug) {
|
||||
RealmModel realm = session.getContext().getRealm();
|
||||
|
||||
List<ComponentModel> componentList = realm.getComponentsStream()
|
||||
.filter(c -> c.getProviderId().equals(AdminUiPage.PROVIDER_ID))
|
||||
.filter(c -> c.getConfig().getFirst("slug").equals(slug))
|
||||
.toList();
|
||||
|
||||
if (componentList.isEmpty()) {
|
||||
throw new NotFoundException("Endpoint not found");
|
||||
}
|
||||
|
||||
if (componentList.size() > 1) {
|
||||
throw new NotFoundException(
|
||||
"Endpoint Configuration Error - Multiple configurations exist for this endpoint.");
|
||||
}
|
||||
|
||||
ComponentModel component = componentList.get(0);
|
||||
|
||||
RoleModel authRole = realm.getRole(component.getConfig().getFirst("auth-role"));
|
||||
if (authRole == null) {
|
||||
throw new ServerErrorException("Endpoint Configuration Error - auth-role does not exist.", 500);
|
||||
}
|
||||
|
||||
RoleModel matchRole = realm.getRole(component.getConfig().getFirst("match-role"));
|
||||
if (matchRole == null) {
|
||||
throw new ServerErrorException("Endpoint Configuration Error - match-role does not exist.", 500);
|
||||
}
|
||||
|
||||
upconfig = session.getProvider(UserProfileProvider.class).getConfiguration();
|
||||
configAttributeGroup = component.getConfig().getFirst("attribute-group");
|
||||
if (upconfig.getGroups().stream().noneMatch(g -> g.getName().equals(configAttributeGroup))) {
|
||||
throw new ServerErrorException("Endpoint Configuration Error - attribute-group does not exist.", 500);
|
||||
}
|
||||
|
||||
try {
|
||||
filter = new RegExFilter(component.getConfig().getFirst("attribute-regex"));
|
||||
} catch (Exception e) {
|
||||
throw new ServerErrorException(
|
||||
"Endpoint Configuration Error - attribute-regex is not a valid regex pattern.", 500);
|
||||
}
|
||||
|
||||
authUser = AttributeEndpointsResourceProvider.getAuth(session).getUser();
|
||||
if (!authUser.hasRole(authRole)) {
|
||||
LOG.info("User " + authUser.getUsername() + " does not have required role " + authRole.getName() + " for attribute endpoint " + slug);
|
||||
throw new ForbiddenException("User does not have required auth role.");
|
||||
}
|
||||
|
||||
// select all attributes that match configAttributeGroup, or that are in a group that matches configAttributeGroup
|
||||
attributeNames = upconfig.getAttributes()
|
||||
.stream()
|
||||
.filter(a -> a.getGroup() != null && a.getGroup().equals(configAttributeGroup))
|
||||
.map(UPAttribute::getName)
|
||||
.toList();
|
||||
|
||||
UserProvider userProvider = session.users();
|
||||
users = userProvider.searchForUserStream(realm, Map.of())
|
||||
.filter(user -> user.hasRole(matchRole));
|
||||
}
|
||||
}
|
||||
|
||||
private static Auth getAuth(KeycloakSession session) {
|
||||
|
|
@ -156,8 +147,25 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
|
|||
}
|
||||
|
||||
RealmModel realm = session.getContext().getRealm();
|
||||
ClientModel client = auth.getClient();
|
||||
return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
|
||||
ClientModel client = auth.client();
|
||||
return new Auth(realm, auth.token(), auth.user(), client, auth.session(), false);
|
||||
}
|
||||
|
||||
private static class RegExFilter {
|
||||
Pattern pattern;
|
||||
|
||||
RegExFilter(String regex) {
|
||||
if (regex == null)
|
||||
pattern = null;
|
||||
else
|
||||
pattern = Pattern.compile(regex);
|
||||
}
|
||||
|
||||
boolean matches(String input) {
|
||||
if (pattern == null)
|
||||
return true;
|
||||
return pattern.matcher(input).matches();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue