group sync fixes

README.md

@@ -37,12 +37,14 @@ The library is highly configurable.  You configure it with properties specified
 | `keycloak-ext.group.format.regex.replacements` |           | Reformat roles with the specified replacement expressions.  The regular expressions are specified in another property.  Multiple expressions may be specified by using commas.  Whitespace is not stripped. |
 | `keycloak-ext.group.include.regex.patterns`    |           | If specified, only the roles that match the specified regular expressions will be considered; otherwise all roles are included. |
 | `keycloak-ext.group.exclude.regex.patterns`    |           | If specified, the roles that match the specified regular expressions will be ignored.  This overrides any role explicitly included. |
+| `keycloak-ext.syncInternalGroup`               | `false`   | If an internal group with the same name already exists, use that group instead of creating a new one with the same name.  Also register that internal group as external. |
 
 ### For Activiti App Only
 
 | Property                                  | Default        | Description |
-| -------------------------------------   - | -------------- | ----------- |
+| ----------------------------------------- | -------------- | ----------- |
 | `keycloak-ext.syncGroupAs`                | `organization` | When creating a new group, should it be a functional (`organization`) group or a system (`capability`) group? |
+| `keycloak-ext.external.id`                | `ais`            | When creating a new group or registering an internal group as external, use this ID as a prefix to the external group ID. |
 
 ### Rare
 
@@ -56,8 +58,6 @@ The library is highly configurable.  You configure it with properties specified
 | `keycloak-ext.createMissingGroup`         | `true`          | Before authorization, check to make sure groups exist for the roles the user claims; if they don't, create the groups. |
 | `keycloak-ext.syncGroupAdd`               | `true`          | If the user belongs to a role but not its corresponding group, add the user to the group. |
 | `keycloak-ext.syncGroupRemove`            | `true`          | If the user belongs to a group but does not have the corresponding role, remove the user from the group. |
-| `keycloak-ext.syncInternalGroup`          | `false`         | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. |
-| `keycloak-ext.syncInternalGroup`          | `false`         | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. |
 
 ### Untested
 

pom.xml

@@ -78,12 +78,21 @@
 			<id>activiti-releases</id>
 			<url>https://artifacts.alfresco.com/nexus/content/repositories/activiti-enterprise-releases</url>
 		</repository>
+		<repository>
+			<id>inteligr8-releases</id>
+			<url>https://repos.inteligr8.com/nexus/repository/inteligr8-private</url>
+		</repository>
 	</repositories>
 	
-	<pluginRepositories>
+	<distributionManagement>
-		<pluginRepository>
+		<repository>
 			<id>inteligr8-releases</id>
-			<url>https://repos.inteligr8.com/nexus/repository/inteligr8-public</url>
+			<url>https://repos.inteligr8.com/nexus/repository/inteligr8-private</url>
-		</pluginRepository>
+		</repository>
-	</pluginRepositories>
+		<snapshotRepository>
+			<id>inteligr8-snapshots</id>
+			<url>https://repos.inteligr8.com/nexus/repository/inteligr8-snapshots</url>
+		</snapshotRepository>
+	</distributionManagement>
+	
 </project>

src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java

@@ -48,7 +48,6 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
     
     private final Pattern emailNamesPattern = Pattern.compile("([A-Za-z]+)[A-Za-z0-9]*\\.([A-Za-z]+)[A-Za-z0-9]*@.*");
-    private final String externalIdmSource = "ais";
 
     @Autowired
     private LicenseService licenseService;
@@ -62,6 +61,9 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
     @Autowired
     private GroupService groupService;
     
+    @Value("${keycloak-ext.external.id:ais}")
+    protected String externalIdmSource;
+
     @Value("${keycloak-ext.syncGroupAs:organization}")
     protected String syncGroupAs;
     
@@ -217,22 +219,28 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
 				continue;
 			}
 
-			if (group == null) {
+			if (group == null && this.syncInternalGroups) {
 				List<Group> groups = this.groupService.getGroupByNameAndTenantId(this.keycloakRoleToApsGroupName(role.getValue()), tenantId);
 				if (groups.size() > 1) {
 					this.logger.warn("There are multiple groups with the same name; not adding user to group: {}", role.getValue());
 					continue;
 				} else if (groups.size() == 1) {
 					group = groups.iterator().next();
+					this.logger.debug("Found an internal group; registering as external: {}", group.getName());
+					group.setExternalId(this.keycloakRoleToApsGroupExternalId(role.getKey()));
+					group.setLastSyncTimeStamp(new Date());
+					group.setLastUpdate(new Date());
+					this.groupService.save(group);
 				}
 			}
 			
 			if (group == null) {
 				if (this.createMissingGroup) {
-					this.logger.trace("Creating new group: {}", role);
+					this.logger.trace("Creating new group for role: {}", role);
 					String name = this.keycloakRoleToApsGroupName(role.getValue());
 					String externalId = this.keycloakRoleToApsGroupExternalId(role.getKey());
 					int type = syncAsOrg ? Group.TYPE_FUNCTIONAL_GROUP : Group.TYPE_SYSTEM_GROUP;
+					this.logger.trace("Creating new group: {} ({}) [type: {}]", name, externalId, type);
 					group = this.groupService.createGroupFromExternalStore(name, tenantId, type, null, externalId, new Date());
 				} else {
 	    			this.logger.debug("Group does not exist; group creation is disabled: {}", role);