Support role exclusion patterns; default excl. on tech. roles

This commit is contained in:
AFaust
2020-03-08 20:13:57 +01:00
parent f8bdd8ce43
commit 9e8d709399
3 changed files with 29 additions and 12 deletions


@@ -64,6 +64,9 @@ keycloak.roles.realmFilter.aggregate.property.granularFilters.list.csv.ref=
keycloak.roles.realmMapper.aggregate._parent=roleMapperAggregateBase keycloak.roles.realmMapper.aggregate._parent=roleMapperAggregateBase
keycloak.roles.realmMapper.aggregate.property.granularMappers.list.csv.ref=realmMapper.static,realmMapper.prefix keycloak.roles.realmMapper.aggregate.property.granularMappers.list.csv.ref=realmMapper.static,realmMapper.prefix
keycloak.roles.realmFilter.pattern._parent=roleFilterPatternBase
keycloak.roles.realmFilter.pattern.property.forbiddenRoleNamePatterns.list.csv=offline_access,uma_authorization
# user is a default realm role # user is a default realm role
keycloak.roles.realmMapper.static._parent=roleMapperStaticBase keycloak.roles.realmMapper.static._parent=roleMapperStaticBase
keycloak.roles.realmMapper.static.property.nameMappings.map.user=ROLE_KEYCLOAK_USER keycloak.roles.realmMapper.static.property.nameMappings.map.user=ROLE_KEYCLOAK_USER
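Review bot: The new `realmFilter.pattern` bean defined on the two added lines only takes effect if it is referenced from `keycloak.roles.realmFilter.aggregate.property.granularFilters.list.csv.ref`, whose value is cut off in the hunk header and is not changed inside this hunk, so please confirm the aggregate was updated to include it. The `forbiddenRoleNamePatterns` entries are applied as Java regular expressions against the whole role name (the accompanying `PatternRoleNameFilter` change matches them with `String.matches`), which the literal `offline_access,uma_authorization` values do not make obvious; a comment above the property, `# Java regex patterns matched against the full role name; hides Keycloak's technical default roles`, would spare the next administrator an escaping surprise once a name containing `.` or `-` is added. No `allowedRoleNamePatterns` is set on this bean, which with the reworked filter means every realm role not matching a forbidden pattern is exposed (unless `roleFilterPatternBase` sets an allow-list, which is not visible here); stating that intent here too, e.g. `# deny-list only: all roles not matching a forbidden pattern are exposed`, keeps the fail-open default deliberate rather than accidental.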


@@ -15,7 +15,7 @@
*/ */
package de.acosix.alfresco.keycloak.repo.roles; package de.acosix.alfresco.keycloak.repo.roles;
import java.util.Set; import java.util.List;
import org.alfresco.util.ParameterCheck; import org.alfresco.util.ParameterCheck;
import org.slf4j.Logger; import org.slf4j.Logger;
@@ -31,17 +31,28 @@ public class PatternRoleNameFilter implements RoleNameFilter
private static final Logger LOGGER = LoggerFactory.getLogger(PatternRoleNameFilter.class); private static final Logger LOGGER = LoggerFactory.getLogger(PatternRoleNameFilter.class);
protected Set<String> allowedRoleNamePatterns; protected List<String> allowedRoleNamePatterns;
protected List<String> forbiddenRoleNamePatterns;
/** /**
* @param allowedRoleNamePatterns * @param allowedRoleNamePatterns
* the allowedRoleNamePatterns to set * the allowedRoleNamePatterns to set
*/ */
public void setAllowedRoleNamePatterns(final Set<String> allowedRoleNamePatterns) public void setAllowedRoleNamePatterns(final List<String> allowedRoleNamePatterns)
{ {
this.allowedRoleNamePatterns = allowedRoleNamePatterns; this.allowedRoleNamePatterns = allowedRoleNamePatterns;
} }
/**
* @param forbiddenRoleNamePatterns
* the forbiddenRoleNamePatterns to set
*/
public void setForbiddenRoleNamePatterns(final List<String> forbiddenRoleNamePatterns)
{
this.forbiddenRoleNamePatterns = forbiddenRoleNamePatterns;
}
/** /**
* {@inheritDoc} * {@inheritDoc}
*/ */
@@ -50,13 +61,17 @@ public class PatternRoleNameFilter implements RoleNameFilter
{ {
ParameterCheck.mandatoryString("roleName", roleName); ParameterCheck.mandatoryString("roleName", roleName);
boolean exposed = false; boolean exposed;
if (this.allowedRoleNamePatterns != null) final boolean matchAllowedPattern = this.allowedRoleNamePatterns != null
{ ? this.allowedRoleNamePatterns.stream().anyMatch(roleName::matches)
exposed = this.allowedRoleNamePatterns.stream().anyMatch(roleName::matches); : true;
LOGGER.debug("Determined exposure flag of {} for role {} using a static match pattern set", exposed, roleName); final boolean notMatchForbiddenPattern = this.forbiddenRoleNamePatterns != null
} ? !this.forbiddenRoleNamePatterns.stream().anyMatch(roleName::matches)
: true;
exposed = matchAllowedPattern && notMatchForbiddenPattern;
LOGGER.debug("Determined exposure flag of {} for role {} using a static match pattern set", exposed, roleName);
return exposed; return exposed;
} }
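Review bot: The fall-back for a null `allowedRoleNamePatterns` flips from deny-all to allow-all: the old code left `exposed = false` when the list was null, while the new ternary yields `true`, so a filter with no allow-list now exposes every role that is not forbidden. That appears intentional given the new `realmFilter.pattern` bean configured with forbidden patterns only, but nothing in the class documents it, and an empty (non-null) list still denies everything because `anyMatch` on an empty stream is false, so a blank CSV property and an absent one behave oppositely. Suggest stating the contract in the setter Javadoc, `* A null (unset) allow-list exposes every role not matched by a forbidden pattern; an empty list exposes none.`, and deciding whether an empty list should be treated like null so both spellings agree. The `!…anyMatch` on the forbidden list reads more naturally as `noneMatch(roleName::matches)`, and since both lists are re-evaluated per role through `String.matches`, pre-compiling them to `Pattern`s in the setters would avoid recompiling every regex on each call. The method's signature lies before the hunk.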


@@ -17,16 +17,15 @@ package de.acosix.alfresco.keycloak.repo.util;
import java.io.Serializable; import java.io.Serializable;
import org.alfresco.cmis.client.authentication.OAuthCMISAuthenticationProvider.AccessToken;
import org.alfresco.util.ParameterCheck; import org.alfresco.util.ParameterCheck;
import de.acosix.alfresco.keycloak.repo.deps.keycloak.adapters.rotation.AdapterTokenVerifier.VerifiedTokens; import de.acosix.alfresco.keycloak.repo.deps.keycloak.adapters.rotation.AdapterTokenVerifier.VerifiedTokens;
import de.acosix.alfresco.keycloak.repo.deps.keycloak.common.util.Time;
import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.AccessToken;
import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.AccessTokenResponse; import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.AccessTokenResponse;
import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.IDToken; import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.IDToken;
/** /**
* Instances of this class encapsulate an access token with its associated refresh data. * Instances of this class encapsulate a potentially refreshable access token.
* *
* @author Axel Faust * @author Axel Faust
*/ */
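Review bot: The `import org.alfresco.cmis.client.authentication.OAuthCMISAuthenticationProvider.AccessToken;` line near the top of the hunk looks like an IDE auto-import that resolved the wrong `AccessToken`: this holder works with Keycloak `VerifiedTokens`, `AccessTokenResponse` and `IDToken`, for which the matching type is `de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.AccessToken`, the other single-sided import in the same hunk. The rendering does not show which side each of these lines belongs to; if the CMIS import is the one that survives on the new side, every `AccessToken`-typed member of the class would be the CMIS client's type, which carries none of the Keycloak claims or expiry fields the renamed "potentially refreshable" semantics depend on. Please confirm the new side imports only the Keycloak `AccessToken` (together with `Time`) and that the CMIS line is the removed one; otherwise the fix is the single line `import de.acosix.alfresco.keycloak.repo.deps.keycloak.representations.AccessToken;` in place of it. The class body is outside the hunk.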