From a55d1c32d064af5e7f4cc17eb1ff3227d5462599 Mon Sep 17 00:00:00 2001 From: Brian Long Date: Tue, 24 Aug 2021 21:12:04 -0400 Subject: [PATCH] group sync fixes --- README.md | 6 +++--- pom.xml | 19 ++++++++++++++----- .../KeycloakActivitiAppAuthenticator.java | 14 +++++++++++--- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index d5145ec..a358832 100644 --- a/README.md +++ b/README.md @@ -37,12 +37,14 @@ The library is highly configurable. You configure it with properties specified | `keycloak-ext.group.format.regex.replacements` | | Reformat roles with the specified replacement expressions. The regular expressions are specified in another property. Multiple expressions may be specified by using commas. Whitespace is not stripped. | | `keycloak-ext.group.include.regex.patterns` | | If specified, only the roles that match the specified regular expressions will be considered; otherwise all roles are included. | | `keycloak-ext.group.exclude.regex.patterns` | | If specified, the roles that match the specified regular expressions will be ignored. This overrides any role explicitly included. | +| `keycloak-ext.syncInternalGroup` | `false` | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. Also register that internal group as external. | ### For Activiti App Only | Property | Default | Description | -| ------------------------------------- - | -------------- | ----------- | +| ----------------------------------------- | -------------- | ----------- | | `keycloak-ext.syncGroupAs` | `organization` | When creating a new group, should it be a functional (`organization`) group or a system (`capability`) group? | +| `keycloak-ext.external.id` | `ais` | When creating a new group or registering an internal group as external, use this ID as a prefix to the external group ID. | ### Rare 
@@ -56,8 +58,6 @@ The library is highly configurable. You configure it with properties specified | `keycloak-ext.createMissingGroup` | `true` | Before authorization, check to make sure groups exist for the roles the user claims; if they don't, create the groups. | | `keycloak-ext.syncGroupAdd` | `true` | If the user belongs to a role but not its corresponding group, add the user to the group. | | `keycloak-ext.syncGroupRemove` | `true` | If the user belongs to a group but does not have the corresponding role, remove the user from the group. | -| `keycloak-ext.syncInternalGroup` | `false` | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. | -| `keycloak-ext.syncInternalGroup` | `false` | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. | ### Untested diff --git a/pom.xml b/pom.xml index eab43c2..cc1f205 100644 --- a/pom.xml +++ b/pom.xml @@ -78,12 +78,21 @@ activiti-releases https://artifacts.alfresco.com/nexus/content/repositories/activiti-enterprise-releases + + inteligr8-releases + https://repos.inteligr8.com/nexus/repository/inteligr8-private + - - + + inteligr8-releases - https://repos.inteligr8.com/nexus/repository/inteligr8-public - - + https://repos.inteligr8.com/nexus/repository/inteligr8-private + + + inteligr8-snapshots + https://repos.inteligr8.com/nexus/repository/inteligr8-snapshots + + + \ No newline at end of file diff --git a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java index 7b2207d..42703c5 100644 --- a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java +++ b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java 
@@ -48,7 +48,6 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu private final Logger logger = LoggerFactory.getLogger(this.getClass()); private final Pattern emailNamesPattern = Pattern.compile("([A-Za-z]+)[A-Za-z0-9]*\\.([A-Za-z]+)[A-Za-z0-9]*@.*"); - private final String externalIdmSource = "ais"; @Autowired private LicenseService licenseService; @@ -61,6 +60,9 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu @Autowired private GroupService groupService; + + @Value("${keycloak-ext.external.id:ais}") + protected String externalIdmSource; @Value("${keycloak-ext.syncGroupAs:organization}") protected String syncGroupAs; 
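Review bot: The new `@Value("${keycloak-ext.external.id:ais}")` field in the second hunk accepts any string, including an empty one, and nothing in this class visibly rejects it; since the README on this commit describes the value as the prefix of every external group ID, an empty or changed prefix presumably stops existing external groups from being matched and, with `keycloak-ext.syncInternalGroup` enabled, lets them be re-registered under a new ID, so a `@PostConstruct` check that the value is not blank (and a warning when it differs from the previous `ais` default) would be worth adding. The field also changes from `private final` to a mutable `protected` field with no Javadoc; I would document it as `/** Prefix of every external group ID created or adopted by this authenticator; it identifies this IdM source, so changing it in a running deployment likely orphans groups created under the old prefix (unverified — see keycloakRoleToApsGroupExternalId). */`. The method that consumes this field is outside the hunk.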
@@ -217,22 +219,28 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu continue; } - if (group == null) { + if (group == null && this.syncInternalGroups) { List groups = this.groupService.getGroupByNameAndTenantId(this.keycloakRoleToApsGroupName(role.getValue()), tenantId); if (groups.size() > 1) { this.logger.warn("There are multiple groups with the same name; not adding user to group: {}", role.getValue()); continue; } else if (groups.size() == 1) { group = groups.iterator().next(); + this.logger.debug("Found an internal group; registering as external: {}", group.getName()); + group.setExternalId(this.keycloakRoleToApsGroupExternalId(role.getKey())); + group.setLastSyncTimeStamp(new Date()); + group.setLastUpdate(new Date()); + this.groupService.save(group); } } if (group == null) { if (this.createMissingGroup) { - this.logger.trace("Creating new group: {}", role); + this.logger.trace("Creating new group for role: {}", role); String name = this.keycloakRoleToApsGroupName(role.getValue()); String externalId = this.keycloakRoleToApsGroupExternalId(role.getKey()); int type = syncAsOrg ? Group.TYPE_FUNCTIONAL_GROUP : Group.TYPE_SYSTEM_GROUP; + this.logger.trace("Creating new group: {} ({}) [type: {}]", name, externalId, type); group = this.groupService.createGroupFromExternalStore(name, tenantId, type, null, externalId, new Date()); } else { this.logger.debug("Group does not exist; group creation is disabled: {}", role);
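Review bot: In the `groups.size() == 1` branch the group found by name is adopted unconditionally — `setExternalId` overwrites whatever external ID it already had, so a group that is already registered to a different external store (it would not have matched the earlier external-ID lookup, leaving `group == null`) gets silently re-bound to the Keycloak role and its membership then falls under this authenticator's add/remove sync. A guard before the adoption, assuming `Group` exposes the getter matching `setExternalId`, would limit this to genuinely internal groups: `if (group.getExternalId() != null) { this.logger.warn("Group with that name is already external; not adopting: {} ({})", group.getName(), group.getExternalId()); continue; }`. Re-binding a group is an authorization-relevant state change, so the `"Found an internal group; registering as external"` message belongs at info rather than debug so it is visible in audit logs, and the two `new Date()` calls could share one `Date now` so `lastSyncTimeStamp` and `lastUpdate` agree. The enclosing method starts and ends outside this hunk.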