libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

[KEYCLOAK-13273] - Remove group policy when group is removed

Browse source
This commit is contained in:
Pedro Igor 2020-03-12 09:52:43 -03:00 committed by Stian Thorgersen
parent 3d95637102
commit 2eab44d3f3
3 changed files with 125 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
View file

@ -22,9 +22,11 @@ import java.util.HashMap;
import java.util.Map;
import org.keycloak.authorization.store.syncronization.ClientApplicationSynchronizer;
import org.keycloak.authorization.store.syncronization.GroupSynchronizer;
import org.keycloak.authorization.store.syncronization.RealmSynchronizer;
import org.keycloak.authorization.store.syncronization.Synchronizer;
import org.keycloak.authorization.store.syncronization.UserSynchronizer;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel.ClientRemovedEvent;
import org.keycloak.models.RealmModel.RealmRemovedEvent;
@ -48,6 +50,7 @@ public interface AuthorizationStoreFactory extends ProviderFactory<StoreFactory>
synchronizers.put(ClientRemovedEvent.class, new ClientApplicationSynchronizer());
synchronizers.put(RealmRemovedEvent.class, new RealmSynchronizer());
synchronizers.put(UserRemovedEvent.class, new UserSynchronizer());
synchronizers.put(GroupModel.GroupRemovedEvent.class, new GroupSynchronizer());
factory.register(event -> {
try {

70
server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/GroupSynchronizer.java Normal file
View file

@ -0,0 +1,70 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.store.syncronization;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.representations.idm.authorization.GroupPolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class GroupSynchronizer implements Synchronizer<GroupModel.GroupRemovedEvent> {
@Override
public void synchronize(GroupModel.GroupRemovedEvent event, KeycloakSessionFactory factory) {
ProviderFactory<AuthorizationProvider> providerFactory = factory.getProviderFactory(AuthorizationProvider.class);
AuthorizationProvider authorizationProvider = providerFactory.create(event.getKeycloakSession());
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
GroupModel group = event.getGroup();
Map<String, String[]> attributes = new HashMap<>();
attributes.put("type", new String[] {"group"});
attributes.put("config:groups", new String[] {group.getId()});
List<Policy> search = policyStore.findByResourceServer(attributes, null, -1, -1);
for (Policy policy : search) {
PolicyProviderFactory policyFactory = authorizationProvider.getProviderFactory(policy.getType());
GroupPolicyRepresentation representation = GroupPolicyRepresentation.class.cast(policyFactory.toRepresentation(policy, authorizationProvider));
Set<GroupPolicyRepresentation.GroupDefinition> groups = representation.getGroups();
groups.removeIf(groupDefinition -> groupDefinition.getId().equals(group.getId()));
if (groups.isEmpty()) {
policyFactory.onRemove(policy, authorizationProvider);
policyStore.delete(policy.getId());
} else {
policyFactory.onUpdate(policy, representation, authorizationProvider);
}
}
}
}

53
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/GroupPolicyManagementTest.java
View file

@ -18,11 +18,13 @@ package org.keycloak.testsuite.admin.client.authorization;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.util.Arrays;
import java.util.Collections;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.ws.rs.NotFoundException;
@ -32,6 +34,7 @@ import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.GroupPoliciesResource;
import org.keycloak.admin.client.resource.GroupPolicyResource;
import org.keycloak.admin.client.resource.GroupsResource;
import org.keycloak.admin.client.resource.PolicyResource;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.GroupRepresentation;
@ -56,7 +59,16 @@ public class GroupPolicyManagementTest extends AbstractPolicyManagementTest {
}
return GroupBuilder.create().name(name).build();
}).collect(Collectors.toList()))
.build()).group(GroupBuilder.create().name("Group F").build());
.build()).group(GroupBuilder.create().name("Group F").build())
.group(GroupBuilder.create().name("Group G").build())
.group(GroupBuilder.create().name("Group H")
.subGroups(Arrays.asList("Group I", "Group J").stream().map(name -> {
if ("Group I".equals(name)) {
return GroupBuilder.create().name(name).subGroups(Arrays.asList("Group K", "Group L").stream().map(name1 -> GroupBuilder.create().name(name1).build()).collect(Collectors.toList())).build();
}
return GroupBuilder.create().name(name).build();
}).collect(Collectors.toList()))
.build());
}
@Test
@ -201,6 +213,45 @@ public class GroupPolicyManagementTest extends AbstractPolicyManagementTest {
}
}
@Test
public void testDeleteGroupAndPolicy() {
AuthorizationResource authorization = getClient().authorization();
GroupPolicyRepresentation representation = new GroupPolicyRepresentation();
representation.setName(UUID.randomUUID().toString());
representation.setDescription("description");
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
representation.setGroupsClaim("groups");
representation.addGroupPath("/Group G", true);
assertCreated(authorization, representation);
GroupsResource groups = getRealm().groups();
GroupRepresentation group = groups.groups("Group G", null, null).get(0);
groups.group(group.getId()).remove();
GroupPolicyRepresentation policy = getClient().authorization().policies().group().findByName(representation.getName());
assertNull(policy);
representation.getGroups().clear();
representation.addGroupPath("/Group H/Group I/Group K");
representation.addGroupPath("/Group F");
assertCreated(authorization, representation);
group = groups.groups("Group K", null, null).get(0);
groups.group(group.getId()).remove();
policy = getClient().authorization().policies().group().findByName(representation.getName());
assertNotNull(policy);
assertEquals(1, policy.getGroups().size());
}
private void assertCreated(AuthorizationResource authorization, GroupPolicyRepresentation representation) {
GroupPoliciesResource policies = authorization.policies().group();
Response response = policies.create(representation);