libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Remove deleted roles from policy on update

Browse source 
Closes #26915

Signed-off-by: EnneS <nathan.soulier26@gmail.com>
This commit is contained in:
EnneS 2024-04-02 10:03:05 +02:00 committed by Pedro Igor
parent 4dd97557cb
commit 365a3feafa
1 changed files with 36 additions and 81 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

117
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
View file

@ -85,8 +85,9 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
if (roles == null) { if (roles == null) {
representation.setRoles(Collections.emptySet()); representation.setRoles(Collections.emptySet());
} else { } else {
representation.setRoles(new HashSet<>( List<RolePolicyRepresentation.RoleDefinition> roleDefinitions = Arrays.asList(JsonSerialization.readValue(roles, RolePolicyRepresentation.RoleDefinition[].class));
Arrays.asList(JsonSerialization.readValue(roles, RolePolicyRepresentation.RoleDefinition[].class)))); roleDefinitions.removeIf(definition -> getRole(definition, authorization.getRealm()) == null);
representation.setRoles(new HashSet<>(roleDefinitions));
} }
String fetchRoles = policy.getConfig().get("fetchRoles"); String fetchRoles = policy.getConfig().get("fetchRoles");
@ -171,35 +172,9 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
if (roles != null) { if (roles != null) {
RealmModel realm = authorization.getRealm(); RealmModel realm = authorization.getRealm();
for (RolePolicyRepresentation.RoleDefinition definition : roles) { for (RolePolicyRepresentation.RoleDefinition definition : roles) {
String roleName = definition.getId(); RoleModel role = getRole(definition, realm);
String clientId = null;
int clientIdSeparator = roleName.indexOf("/");
if (clientIdSeparator != -1) {
clientId = roleName.substring(0, clientIdSeparator);
roleName = roleName.substring(clientIdSeparator + 1);
}
RoleModel role;
if (clientId == null) {
role = realm.getRole(roleName);
if (role == null) {
role = realm.getRoleById(roleName);
}
} else {
ClientModel client = realm.getClientByClientId(clientId);
if (client == null) {
throw new RuntimeException("Client with id [" + clientId + "] not found.");
}
role = client.getRole(roleName);
}
if (role == null) { if (role == null) {
throw new RuntimeException("Error while updating policy [" + policy.getName() + "]. Role [" + roleName + "] could not be found."); continue;
} }
definition.setId(role.getId()); definition.setId(role.getId());
@ -222,58 +197,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
@Override @Override
public void postInit(KeycloakSessionFactory factory) { public void postInit(KeycloakSessionFactory factory) {
factory.register(event -> {
if (event instanceof RoleRemovedEvent) {
KeycloakSession keycloakSession = ((RoleRemovedEvent) event).getKeycloakSession();
AuthorizationProvider provider = keycloakSession.getProvider(AuthorizationProvider.class);
StoreFactory storeFactory = provider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
RoleModel removedRole = ((RoleRemovedEvent) event).getRole();
RoleContainerModel container = removedRole.getContainer();
ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
if (container instanceof RealmModel) {
RealmModel realm = (RealmModel) container;
realm.getClientsStream()
.forEach(clientModel -> updateResourceServer(clientModel, removedRole, resourceServerStore, policyStore));
} else {
ClientModel clientModel = (ClientModel) container;
updateResourceServer(clientModel, removedRole, resourceServerStore, policyStore);
}
}
});
}
private void updateResourceServer(ClientModel clientModel, RoleModel removedRole, ResourceServerStore resourceServerStore, PolicyStore policyStore) {
ResourceServer resourceServer = resourceServerStore.findByClient(clientModel);
if (resourceServer != null) {
policyStore.findByType(resourceServer, getId()).forEach(policy -> {
List<Map> roles = new ArrayList<>();
for (Map<String,Object> role : getRoles(policy)) {
if (!role.get("id").equals(removedRole.getId())) {
Map updated = new HashMap();
updated.put("id", role.get("id"));
Object required = role.get("required");
if (required != null) {
updated.put("required", required);
}
roles.add(updated);
}
}
try {
if (roles.isEmpty()) {
policyStore.delete(policy.getId());
} else {
policy.putConfig("roles", JsonSerialization.writeValueAsString(roles));
}
} catch (IOException e) {
throw new RuntimeException("Error while synchronizing roles with policy [" + policy.getName() + "].", e);
}
});
}
} }
@Override @Override
@ -299,4 +223,35 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
return new Map[] {}; return new Map[] {};
} }
private RoleModel getRole(RolePolicyRepresentation.RoleDefinition definition, RealmModel realm) {
String roleName = definition.getId();
String clientId = null;
int clientIdSeparator = roleName.indexOf("/");
if (clientIdSeparator != -1) {
clientId = roleName.substring(0, clientIdSeparator);
roleName = roleName.substring(clientIdSeparator + 1);
}
RoleModel role;
if (clientId == null) {
role = realm.getRole(roleName);
if (role == null) {
role = realm.getRoleById(roleName);
}
} else {
ClientModel client = realm.getClientByClientId(clientId);
if (client == null) {
throw new RuntimeException("Client with id [" + clientId + "] not found.");
}
role = client.getRole(roleName);
}
return role;
}
} }