From 03c6e5aaa29f2655e9ae0dd5a7fda1d3d3ed64d0 Mon Sep 17 00:00:00 2001
From: "Brian M. Long"
Date: Thu, 19 Aug 2021 17:49:52 -0400
Subject: [PATCH] refactored group management/validation
---
 ...nteligr8SecurityConfigurationRegistry.java | 56 +++++++++++++++++++
 ...AbstractKeycloakActivitiAuthenticator.java | 8 ---
 .../KeycloakActivitiAppAuthenticator.java | 29 ----------
 3 files changed, 56 insertions(+), 37 deletions(-)
diff --git a/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java b/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java
index 020b442..605596a 100644
--- a/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java
+++ b/src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java
@@ -1,13 +1,17 @@
 package com.inteligr8.activiti;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.stereotype.Component;
@@ -15,7 +19,9 @@ import org.springframework.stereotype.Component;
 import com.activiti.api.security.AlfrescoSecurityConfigOverride;
 import com.activiti.domain.idm.Group;
 import com.activiti.domain.idm.Tenant;
+import com.activiti.domain.idm.User;
 import com.activiti.service.api.GroupService;
+import com.activiti.service.api.UserService;
 import com.activiti.service.idm.TenantService;
 import com.activiti.service.license.LicenseService;
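Review bot: `java.util.HashSet` and `java.util.Set` are added to the import block of Inteligr8SecurityConfigurationRegistry, but none of the 56 inserted lines in this file (all of them visible across the commit's hunks) references either type; the new code only uses `Arrays`, `Value`, `User` and `UserService`. They appear to be a leftover from the `Set adminUsers` field this commit deletes from AbstractKeycloakActivitiAuthenticator. Drop the two lines `import java.util.HashSet;` and `import java.util.Set;` so unused-import warnings stay meaningful.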
@@ -44,8 +50,17 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 	@Autowired(required = false)
 	private TenantService tenantService;
+	@Autowired(required = false)
+	private UserService userService;
+
 	@Autowired(required = false)
 	private GroupService groupService;
+
+	@Value("${keycloak-ext.default.admins.users:#{null}}")
+	private String adminUserStrs;
+
+	@Value("${keycloak-ext.group.admins.validate:false}")
+	private boolean validateAdministratorsGroup;
 	@Override
 	public void configureGlobal(AuthenticationManagerBuilder authmanBuilder, UserDetailsService userDetailsService) {
@@ -55,6 +70,10 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 		if (this.logger.isTraceEnabled())
 			this.logGroups();
+		if (this.validateAdministratorsGroup)
+			this.validateAdmins();
+		if (this.adminUserStrs != null && this.adminUserStrs.length() > 0)
+			this.associateAdmins();
 		for (ActivitiSecurityConfigAdapter adapter : this.adapters) {
 			if (adapter.isEnabled()) {
@@ -68,6 +87,9 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 	}
 	private void logGroups() {
+		if (this.groupService == null)
+			return;
+
 		Long tenantId = this.findDefaultTenantId();
 		if (tenantId != null) {
 			// not first boot
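Review bot: The two new calls in `configureGlobal` change when the Administrators group is validated: in the code this commit removes from KeycloakActivitiAppAuthenticator, `validateAdministratorsGroup` was only honoured inside `if (!this.adminUsers.isEmpty())`, whereas here `validateAdmins()` runs on every `configureGlobal` as soon as the flag is set, independently of `keycloak-ext.default.admins.users`. If that decoupling is intended it deserves a comment next to the calls, e.g. `// group validation is independent of the admin-user list: it (re)creates the 'Administrators' system group and grants it tenant-admin capabilities on every start`. Note also that an unchecked exception thrown by either helper now propagates out of the security-bootstrap path; if that is not the desired failure mode, catching and logging around the two calls would keep startup best-effort. The body of configureGlobal continues outside this hunk.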
@@ -75,6 +97,40 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 			this.logger.trace("System groups: {}", this.toGroupNames(this.groupService.getSystemGroups(tenantId)));
 		}
 	}
+
+	private void validateAdmins() {
+		if (this.groupService == null)
+			return;
+
+		Long tenantId = this.findDefaultTenantId();
+		List groups = this.groupService.getSystemGroupWithName("Administrators", tenantId);
+		if (groups.isEmpty())
+			groups = Arrays.asList(this.groupService.createGroup("Administrators", tenantId, Group.TYPE_SYSTEM_GROUP, null));
+
+		this.logger.info("Validating 'Administrators' group ...");
+		for (Group group : groups)
+			this.groupService.addCapabilitiesToGroup(group.getId(), Arrays.asList("access-all-models-in-tenant", "access-editor", "access-reports", "publish-app-to-dashboard", "tenant-admin", "tenant-admin-api", "upload-license"));
+	}
+
+	private void associateAdmins() {
+		if (this.userService == null || this.groupService == null)
+			return;
+
+		List adminUsers = Arrays.asList(this.adminUserStrs.split(","));
+		if (adminUsers.isEmpty())
+			return;
+
+		Long tenantId = this.findDefaultTenantId();
+		List groups = this.groupService.getSystemGroupWithName("Administrators", tenantId);
+
+		for (String email : adminUsers) {
+			User user = this.userService.findUserByEmail(email);
+
+			this.logger.debug("Adding {} to {}", user.getEmail(), "Administrators");
+			for (Group group : groups)
+				this.groupService.addUserToGroup(group, user);
+		}
+	}
 	private Long findDefaultTenantId() {
 		String defaultTenantName = this.licenseService.getDefaultTenantName();
diff --git a/src/main/java/com/inteligr8/activiti/keycloak/AbstractKeycloakActivitiAuthenticator.java b/src/main/java/com/inteligr8/activiti/keycloak/AbstractKeycloakActivitiAuthenticator.java
index 32a8357..1667d3d 100644
--- a/src/main/java/com/inteligr8/activiti/keycloak/AbstractKeycloakActivitiAuthenticator.java
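Review bot: In `associateAdmins()`, `User user = this.userService.findUserByEmail(email);` is dereferenced on the next line (`user.getEmail()`) without a null check, so one mistyped or not-yet-provisioned address in `keycloak-ext.default.admins.users` will throw inside `configureGlobal` if `findUserByEmail` returns null for an unknown user, as its name suggests. The entries are also not trimmed (`a@x.org, b@x.org` yields `" b@x.org"`), the `adminUsers.isEmpty()` guard can never fire because `String.split` always returns at least one element, and `findDefaultTenantId()` is passed through unchecked in both new methods even though `logGroups()` in the same class treats a null result as first boot. Since this code hands out `tenant-admin`, `tenant-admin-api` and `upload-license` it is a privilege grant, and I would log each association at INFO rather than DEBUG so it lands in the audit trail. The rewritten method below skips blank and unknown entries with a warning and bails out when the tenant or the group does not exist yet.
```java
	private void associateAdmins() {
		if (this.userService == null || this.groupService == null)
			return;

		Long tenantId = this.findDefaultTenantId();
		if (tenantId == null)
			return; // first boot: the default tenant does not exist yet

		List<Group> groups = this.groupService.getSystemGroupWithName("Administrators", tenantId);
		if (groups.isEmpty()) {
			this.logger.warn("No 'Administrators' system group in tenant {}; default admins not associated", tenantId);
			return;
		}

		for (String rawEmail : this.adminUserStrs.split(",")) {
			String email = rawEmail.trim();
			if (email.isEmpty())
				continue; // tolerate "a,,b" and trailing commas

			User user = this.userService.findUserByEmail(email);
			if (user == null) {
				this.logger.warn("Default admin '{}' not found; skipping", email);
				continue;
			}

			// privilege grant: keep it visible at INFO for audit purposes
			this.logger.info("Adding {} to {}", user.getEmail(), "Administrators");
			for (Group group : groups)
				this.groupService.addUserToGroup(group, user);
		}
	}
```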
+++ b/src/main/java/com/inteligr8/activiti/keycloak/AbstractKeycloakActivitiAuthenticator.java
@@ -1,6 +1,5 @@
 package com.inteligr8.activiti.keycloak;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -62,14 +61,10 @@ public abstract class AbstractKeycloakActivitiAuthenticator implements Authentic
 	@Value("${keycloak-ext.group.exclude.regex.patterns:#{null}}")
 	protected String regexExcludes;
-	@Value("${keycloak-ext.default.admins.users:#{null}}")
-	private String adminUserStrs;
-
 	protected final List> groupFormatters = new LinkedList<>();
 	protected final Set resourceIncludes = new HashSet<>();
 	protected final Set groupIncludes = new HashSet<>();
 	protected final Set groupExcludes = new HashSet<>();
-	protected final Set adminUsers = new HashSet<>();
 	@Override
 	public void afterPropertiesSet() {
@@ -100,9 +95,6 @@ public abstract class AbstractKeycloakActivitiAuthenticator implements Authentic
 			for (int i = 0; i < regexPatternStrs.length; i++)
 				this.groupExcludes.add(Pattern.compile(regexPatternStrs[i]));
 		}
-
-		if (this.adminUserStrs != null && this.adminUserStrs.length() > 0)
-			this.adminUsers.addAll(Arrays.asList(this.adminUserStrs.split(",")));
 	}
diff --git a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java
index 7fab239..732ff2f 100644
--- a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java
+++ b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java
@@ -1,6 +1,5 @@
 package com.inteligr8.activiti.keycloak;
-import java.util.Arrays;
 import java.util.Date;
 import java.util.LinkedList;
 import java.util.List;
@@ -16,7 +15,6 @@ import org.keycloak.representations.AccessToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -64,33 +62,6 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
 	@Autowired
 	private GroupService groupService;
-	@Value("${keycloak-ext.group.admins.validate:false}")
-	private boolean validateAdministratorsGroup;
-
-	@Override
-	public void afterPropertiesSet() {
-		super.afterPropertiesSet();
-
-		if (!this.adminUsers.isEmpty()) {
-			Long tenantId = this.findDefaultTenantId();
-			List groups = this.groupService.getSystemGroupWithName("Administrators", tenantId);
-
-			if (this.validateAdministratorsGroup) {
-				this.logger.info("Validating 'Administrators' group ...");
-				for (Group group : groups)
-					this.groupService.addCapabilitiesToGroup(group.getId(), Arrays.asList("access-all-models-in-tenant", "access-editor", "access-reports", "publish-app-to-dashboard", "tenant-admin", "tenant-admin-api", "upload-license"));
-			}
-
-			for (String email : this.adminUsers) {
-				User user = this.userService.findUserByEmail(email);
-
-				this.logger.debug("Adding {} to {}", user.getEmail(), "Administrators");
-				for (Group group : groups)
-					this.groupService.addUserToGroup(group, user);
-			}
-		}
-	}
-
 	/**
 	 * This method validates that the user exists, if not, it creates the
 	 * missing user. Without this functionality, SSO straight up fails in APS.