From 116e22bbd655e52f0a1da7e111eb5f538e7893dd Mon Sep 17 00:00:00 2001 From: "Brian M. Long" Date: Wed, 25 Aug 2021 15:53:13 -0400 Subject: [PATCH] refactored tenant handling; outputing all tenant groups --- ...nteligr8SecurityConfigurationRegistry.java | 42 ++++++++++++------- .../KeycloakActivitiAppAuthenticator.java | 27 ++++++++---- 2 files changed, 48 insertions(+), 21 deletions(-) diff --git a/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java b/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java index 735fd1f..130bfde 100644 --- a/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java +++ b/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java @@ -67,6 +67,9 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC @Autowired(required = false) private GroupService groupService; + @Value("${keycloak-ext.tenant:#{null}}") + private String tenant; + @Value("${keycloak-ext.default.admins.users:#{null}}") private String adminUserStrs; 
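Review bot: The new `tenant` field carries no comment saying what an unset `keycloak-ext.tenant` means, and the fallback to `licenseService.getDefaultTenantName()` only becomes visible in `findTenantId()` much further down the file. Add `// Optional name of the tenant to manage; null (the SpEL default) falls back to the licence's default tenant, see findTenantId().` above the `@Value` line. The same field is added to KeycloakActivitiAppAuthenticator later in this patch and would benefit from the same comment so the two copies are kept in step.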
@@ -107,11 +110,15 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC if (this.groupService == null) return; - Long tenantId = this.findDefaultTenantId(); - if (tenantId != null) { - // not first boot - this.logger.trace("Functional groups: {}", this.toGroupNames(this.groupService.getFunctionalGroups(tenantId))); - this.logger.trace("System groups: {}", this.toGroupNames(this.groupService.getSystemGroups(tenantId))); + List tenantObjs = this.tenantService.getAllTenants(); + for (Object[] tenantObj : tenantObjs) { + Long tenantId = (Long)tenantObj[0]; + if (tenantId != null) { + Tenant tenant = this.tenantService.getTenant(tenantId); + this.logger.trace("Tenant: {} => {}", tenantId, tenant.getName()); + this.logger.trace("Functional groups: {}", this.toGroupNames(this.groupService.getFunctionalGroups(tenantId))); + this.logger.trace("System groups: {}", this.toGroupNames(this.groupService.getSystemGroups(tenantId))); + } } } @@ -119,7 +126,7 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC if (this.groupService == null) return; - Long tenantId = this.findDefaultTenantId(); + Long tenantId = this.findTenantId(); Group group = this.groupService.getGroupByExternalIdAndTenantId(this.adminGroupExternalId, tenantId); if (group == null) { List groups = this.groupService.getGroupByNameAndTenantId(this.adminGroupName, tenantId); 
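Review bot: The rewritten loop now issues one `getTenant` call plus two group queries for every tenant at startup, and all of them run even when trace logging is disabled, because the `toGroupNames(...)` arguments are evaluated before `logger.trace` decides to drop them; add `if (!this.logger.isTraceEnabled()) return;` right after the existing `if (this.groupService == null) return;` guard. The `(Long)tenantObj[0]` cast on a raw `List` of `Object[]` rows also ties this code to the column order of whatever `getAllTenants()` happens to return, so a short comment naming that assumption would help the next reader, and `tenant.getName()` dereferences the `getTenant(tenantId)` result without a null check, which may or may not be guaranteed non-null by the service. The enclosing method's signature is outside this hunk.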
@@ -155,24 +162,31 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC List adminUsers = Arrays.asList(this.adminUserStrs.split(",")); if (adminUsers.isEmpty()) return; - - Long tenantId = this.findDefaultTenantId(); - List groups = this.groupService.getSystemGroupWithName("Administrators", tenantId); + + Long tenantId = this.findTenantId(); + List groups; + Group group1 = this.groupService.getGroupByExternalIdAndTenantId(this.adminGroupExternalId, tenantId); + if (group1 != null) { + groups = Arrays.asList(group1); + } else { + groups = this.groupService.getGroupByNameAndTenantId(this.adminGroupName, tenantId); + } + this.logger.debug("Found {} admin group(s)", groups.size()); for (String email : adminUsers) { User user = this.userService.findUserByEmail(email); - this.logger.debug("Adding {} to {}", user.getEmail(), "Administrators"); + this.logger.debug("Adding {} to admin group(s)", user.getEmail()); for (Group group : groups) this.groupService.addUserToGroup(group, user); } } - private Long findDefaultTenantId() { - String defaultTenantName = this.licenseService.getDefaultTenantName(); - this.logger.trace("Default Tenant: {}", defaultTenantName); + private Long findTenantId() { + String tenantName = this.tenant == null ? this.licenseService.getDefaultTenantName() : this.tenant; + this.logger.trace("Using Tenant: {}", tenantName); - List tenants = this.tenantService.findTenantsByName(defaultTenantName); + List tenants = this.tenantService.findTenantsByName(tenantName); if (tenants == null || tenants.isEmpty()) { this.logger.warn("Default tenant not found"); return null; diff --git a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java index 42703c5..ed3df1f 100644 --- a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java 
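Review bot: The admin-group assignment proceeds with a null tenant id: `findTenantId()` visibly returns null when no tenant matches, yet `getGroupByExternalIdAndTenantId(..., tenantId)` and the name lookup are still executed and whatever they return is used to grant Administrators membership, so this should fail closed with `if (tenantId == null) return;` immediately after the `findTenantId()` call. In the same loop `findUserByEmail(email)` is dereferenced via `user.getEmail()` without a null check, so a mistyped address in `keycloak-ext.default.admins.users` would abort the whole bootstrap with an NPE rather than skip that entry; `if (user == null) { this.logger.warn("Admin user not found: {}", email); continue; }` keeps the remaining admins working. Note too that `adminUsers.isEmpty()` can never be true after `split(",")`, which always yields at least one element, and that entries are not trimmed. Finally, the warning text `"Default tenant not found"` is now misleading when `keycloak-ext.tenant` is set; the sibling class in this patch already uses `"Tenant not found: {}", tenantName`, so the two copies should agree.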
+++ b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java @@ -61,6 +61,9 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu @Autowired private GroupService groupService; + @Value("${keycloak-ext.tenant:#{null}}") + private String tenant; + @Value("${keycloak-ext.external.id:ais}") protected String externalIdmSource; @@ -81,7 +84,7 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu */ @Override public void preAuthenticate(Authentication auth) throws AuthenticationException { - Long tenantId = this.findDefaultTenantId(); + Long tenantId = this.findTenantId(); this.logger.trace("Tenant ID: {}", tenantId); User user = this.findUser(auth, tenantId); @@ -122,20 +125,20 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu */ @Override public void postAuthenticate(Authentication auth) throws AuthenticationException { - Long tenantId = this.findDefaultTenantId(); + Long tenantId = this.findTenantId(); User user = this.findUser(auth, tenantId); this.logger.debug("Inspecting user: {} => {}", user.getId(), user.getExternalId()); this.syncUserRoles(user, auth, tenantId); } - private Long findDefaultTenantId() { - String defaultTenantName = this.licenseService.getDefaultTenantName(); - this.logger.trace("Default Tenant: {}", defaultTenantName); + private Long findTenantId() { + String tenantName = this.tenant == null ? this.licenseService.getDefaultTenantName() : this.tenant; + this.logger.trace("Using Tenant: {}", tenantName); - List tenants = this.tenantService.findTenantsByName(defaultTenantName); + List tenants = this.tenantService.findTenantsByName(tenantName); if (tenants == null || tenants.isEmpty()) { - this.logger.warn("Default tenant not found"); + this.logger.warn("Tenant not found: {}", tenantName); return null; } 
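Review bot: `findTenantId()` here is a line-for-line copy of the helper added to Inteligr8SecurityConfigurationRegistry in this same patch, both reading `keycloak-ext.tenant` with the same fallback, and they already diverge in their warning text; consider moving it to one shared place (the `AbstractKeycloakActivitiAuthenticator` superclass is one candidate, if the registry can reach it) so future tenant-resolution fixes are not applied twice. On the not-found path both `preAuthenticate` and `postAuthenticate` continue into `findUser(auth, tenantId)` and `syncUserRoles(user, auth, tenantId)` with a null tenant id, which for an authenticator is the point to reject the login explicitly with an `AuthenticationException` subclass rather than rely on downstream code tolerating null. The tail of `findTenantId()` after `return null;` is outside this hunk.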
@@ -193,8 +196,18 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu this.logger.trace("Inspecting group: {} => {} ({})", group.getId(), group.getName(), group.getExternalId()); if (group.getExternalId() != null && this.removeMapEntriesByValue(roles, this.apsGroupExternalIdToKeycloakRole(group.getExternalId()))) { + if (group.getTenantId() == null) { + // fix stray groups + group.setTenantId(tenantId); + group.setLastUpdate(new Date()); + this.groupService.save(group); + } // role already existed and the user is already a member } else if (group.getExternalId() == null && roles.remove(this.apsGroupNameToKeycloakRole(group.getName())) != null) { + // register the group as external + group.setExternalId(this.keycloakRoleToApsGroupExternalId(this.apsGroupNameToKeycloakRole(group.getName()))); + group.setLastUpdate(new Date()); + this.groupService.save(group); // internal role already existed and the user is already a member } else { // at this point, we have a group that the user does not have a corresponding role for
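Review bot: The new `else if` branch permanently converts any internal group whose name maps onto a Keycloak role the user holds into an externally managed one by writing an external id and saving it, so a name collision between a locally created group and an IdP role silently hands that group's membership over to the IdP from the next login on; this is a privilege-affecting change made as a side effect of authentication and deserves at least an info-level log line naming the group and, ideally, a check that the group is not a system group before promotion. The same role string is also computed twice on that line; hoist it as `String role = this.apsGroupNameToKeycloakRole(group.getName());` and reuse it in both the condition and `keycloakRoleToApsGroupExternalId(role)`. In the "fix stray groups" branch, `tenantId` can itself be null when `findTenantId()` fails, in which case the save just rewrites null and the group stays stray, so a `tenantId != null` condition there would avoid a pointless write. The enclosing method starts outside this hunk.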