Support role exclusion patterns; default excl. on tech. roles

repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties

@@ -64,6 +64,9 @@ keycloak.roles.realmFilter.aggregate.property.granularFilters.list.csv.ref=
 keycloak.roles.realmMapper.aggregate._parent=roleMapperAggregateBase
 keycloak.roles.realmMapper.aggregate.property.granularMappers.list.csv.ref=realmMapper.static,realmMapper.prefix
 
+keycloak.roles.realmFilter.pattern._parent=roleFilterPatternBase
+keycloak.roles.realmFilter.pattern.property.forbiddenRoleNamePatterns.list.csv=offline_access,uma_authorization
+
 # user is a default realm role
 keycloak.roles.realmMapper.static._parent=roleMapperStaticBase
 keycloak.roles.realmMapper.static.property.nameMappings.map.user=ROLE_KEYCLOAK_USER

repository/src/main/java/de/acosix/alfresco/keycloak/repo/roles/PatternRoleNameFilter.java

@@ -15,7 +15,7 @@
  */
 package de.acosix.alfresco.keycloak.repo.roles;
 
-import java.util.Set;
+import java.util.List;
 
 import org.alfresco.util.ParameterCheck;
 import org.slf4j.Logger;
@@ -31,17 +31,28 @@ public class PatternRoleNameFilter implements RoleNameFilter
 
     private static final Logger LOGGER = LoggerFactory.getLogger(PatternRoleNameFilter.class);
 
-    protected Set<String> allowedRoleNamePatterns;
+    protected List<String> allowedRoleNamePatterns;
+
+    protected List<String> forbiddenRoleNamePatterns;
 
     /**
      * @param allowedRoleNamePatterns
      *            the allowedRoleNamePatterns to set
      */
-    public void setAllowedRoleNamePatterns(final Set<String> allowedRoleNamePatterns)
+    public void setAllowedRoleNamePatterns(final List<String> allowedRoleNamePatterns)
     {
         this.allowedRoleNamePatterns = allowedRoleNamePatterns;
     }
 
+    /**
+     * @param forbiddenRoleNamePatterns
+     *            the forbiddenRoleNamePatterns to set
+     */
+    public void setForbiddenRoleNamePatterns(final List<String> forbiddenRoleNamePatterns)
+    {
+        this.forbiddenRoleNamePatterns = forbiddenRoleNamePatterns;
+    }
+
     /**
      * {@inheritDoc}
      */
@@ -50,13 +61,17 @@ public class PatternRoleNameFilter implements RoleNameFilter
     {
         ParameterCheck.mandatoryString("roleName", roleName);
 
-        boolean exposed = false;
+        boolean exposed;
 
-        if (this.allowedRoleNamePatterns != null)
-        {
-            exposed = this.allowedRoleNamePatterns.stream().anyMatch(roleName::matches);
-            LOGGER.debug("Determined exposure flag of {} for role {} using a static match pattern set", exposed, roleName);
-        }
+        final boolean matchAllowedPattern = this.allowedRoleNamePatterns != null
+                ? this.allowedRoleNamePatterns.stream().anyMatch(roleName::matches)
+                : true;
+        final boolean notMatchForbiddenPattern = this.forbiddenRoleNamePatterns != null
+                ? !this.forbiddenRoleNamePatterns.stream().anyMatch(roleName::matches)
+                : true;
+
+        exposed = matchAllowedPattern && notMatchForbiddenPattern;
+        LOGGER.debug("Determined exposure flag of {} for role {} using a static match pattern set", exposed, roleName);
 
         return exposed;
     }

repository/src/main/java/de/acosix/alfresco/keycloak/repo/util/RefreshableAccessTokenHolder.java

@@ -17,16 +17,15 @@ package de.acosix.alfresco.keycloak.repo.util;
 
 import java.io.Serializable;
 
+import org.alfresco.cmis.client.authentication.OAuthCMISAuthenticationProvider.AccessToken;
 import org.alfresco.util.ParameterCheck;
 
 import de.acosix.alfresco.keycloak.repo.deps.keycloak.adapters.rotation.AdapterTokenVerifier.VerifiedTokens;
-import de.acosix.alfresco.keycloak.repo.deps.keycloak.common.util.Time;
-import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.AccessToken;
 import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.AccessTokenResponse;
 import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.IDToken;
 
 /**
- * Instances of this class encapsulate an access token with its associated refresh data.
+ * Instances of this class encapsulate a potentially refreshable access token.
  *
  * @author Axel Faust
  */