Merge branch 'develop' into stable

pom.xml

@@ -4,7 +4,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.inteligr8.activiti</groupId>
 	<artifactId>keycloak-activiti-app-ext</artifactId>
-	<version>1.1.0</version>
+	<version>1.1.1</version>
 	<name>Keycloak Authentication &amp; Authorization for APS</name>
 
 	<properties>

src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java

@@ -1,13 +1,16 @@
 package com.inteligr8.activiti;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Date;
 import java.util.List;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.stereotype.Component;
@@ -15,7 +18,9 @@ import org.springframework.stereotype.Component;
 import com.activiti.api.security.AlfrescoSecurityConfigOverride;
 import com.activiti.domain.idm.Group;
 import com.activiti.domain.idm.Tenant;
+import com.activiti.domain.idm.User;
 import com.activiti.service.api.GroupService;
+import com.activiti.service.api.UserService;
 import com.activiti.service.idm.TenantService;
 import com.activiti.service.license.LicenseService;
 
@@ -44,9 +49,24 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
     @Autowired(required = false)
     private TenantService tenantService;
     
+    @Autowired(required = false)
+    private UserService userService;
+    
     @Autowired(required = false)
     private GroupService groupService;
     
+    @Value("${keycloak-ext.default.admins.users:#{null}}")
+    private String adminUserStrs;
+    
+    @Value("${keycloak-ext.group.admins.name:admins}")
+    private String adminGroupName;
+    
+    @Value("${keycloak-ext.group.admins.externalId:aps-admin}")
+    private String adminGroupExternalId;
+    
+    @Value("${keycloak-ext.group.admins.validate:false}")
+    private boolean validateAdministratorsGroup;
+	
 	@Override
 	public void configureGlobal(AuthenticationManagerBuilder authmanBuilder, UserDetailsService userDetailsService) {
 		this.logger.trace("configureGlobal()");
@@ -55,6 +75,10 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 		
 		if (this.logger.isTraceEnabled())
 			this.logGroups();
+		if (this.validateAdministratorsGroup)
+			this.validateAdmins();
+    	if (this.adminUserStrs != null && this.adminUserStrs.length() > 0)
+    		this.associateAdmins();
 		
 		for (ActivitiSecurityConfigAdapter adapter : this.adapters) {
 			if (adapter.isEnabled()) {
@@ -68,6 +92,9 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 	}
 	
 	private void logGroups() {
+		if (this.groupService == null)
+			return;
+		
 		Long tenantId = this.findDefaultTenantId();
 		if (tenantId != null) {
 			// not first boot
@@ -76,6 +103,42 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 		}
 	}
 	
+	private void validateAdmins() {
+		if (this.groupService == null)
+			return;
+		
+    	Long tenantId = this.findDefaultTenantId();
+		Group group = this.groupService.getGroupByExternalId(this.adminGroupExternalId);
+		if (group == null) {
+			this.logger.info("Creating '{}' group ...", this.adminGroupName);
+			group = this.groupService.createGroupFromExternalStore(
+					this.adminGroupExternalId, tenantId, Group.TYPE_SYSTEM_GROUP, null, this.adminGroupName, new Date());
+		}
+		
+		this.logger.info("Granting '{}' group all capabilities ...", group.getName());
+		this.groupService.addCapabilitiesToGroup(group.getId(), Arrays.asList("access-all-models-in-tenant", "access-editor", "access-reports", "publish-app-to-dashboard", "tenant-admin", "tenant-admin-api", "upload-license"));
+	}
+	
+	private void associateAdmins() {
+		if (this.userService == null || this.groupService == null)
+			return;
+		
+		List<String> adminUsers = Arrays.asList(this.adminUserStrs.split(","));
+		if (adminUsers.isEmpty())
+			return;
+		
+    	Long tenantId = this.findDefaultTenantId();
+		List<Group> groups = this.groupService.getSystemGroupWithName("Administrators", tenantId);
+		
+		for (String email : adminUsers) {
+    		User user = this.userService.findUserByEmail(email);
+
+    		this.logger.debug("Adding {} to {}", user.getEmail(), "Administrators");
+    		for (Group group : groups)
+    			this.groupService.addUserToGroup(group, user);
+		}
+	}
+    
     private Long findDefaultTenantId() {
     	String defaultTenantName = this.licenseService.getDefaultTenantName();
 		this.logger.trace("Default Tenant: {}", defaultTenantName);

src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java

@@ -1,12 +1,15 @@
 package com.inteligr8.activiti.keycloak;
 
 import java.util.Date;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.persistence.NonUniqueResultException;
+
 import org.apache.commons.lang3.StringUtils;
 import org.keycloak.representations.AccessToken;
 import org.slf4j.Logger;
@@ -159,7 +162,7 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
 		// check Activiti groups
 		User userWithGroups = this.userService.findUserByEmailFetchGroups(user.getEmail());
 		for (Group group : userWithGroups.getGroups()) {
-			this.logger.trace("Inspecting group: {} => ", group.getId(), group.getName());
+			this.logger.trace("Inspecting group: {} => {} ({})", group.getId(), group.getName(), group.getExternalId());
 			
 			if (group.getExternalId() == null) {
 				// skip APS system groups
@@ -179,7 +182,18 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
 		for (Entry<String, String> role : roles.entrySet()) {
 			this.logger.trace("Syncing group membership: {}", role);
 			
-			Group group = this.groupService.getGroupByExternalId(role.getKey());
+			Group group;
+			try {
+				group = this.groupService.getGroupByExternalId(role.getKey());
+			} catch (NonUniqueResultException nure) {
+				if (this.logger.isDebugEnabled()) {
+					// FIXME only added to address a former bug
+					group = this.fixMultipleGroups(role.getKey(), tenantId);
+				} else {
+					throw nure;
+				}
+			}
+			
 			if (group == null) {
 				if (this.createMissingGroup) {
 					this.logger.trace("Creating new group: {}", role);
@@ -197,4 +211,29 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
 			}
 		}
     }
+    
+    private Group fixMultipleGroups(String externalId, Long tenantId) {
+    	List<Group> groupsToDelete = new LinkedList<>();
+    	Date earliestDate = new Date();
+    	Group earliestGroup = null;
+    	
+    	for (Group group : this.groupService.getSystemGroups(tenantId)) {
+    		if (externalId.equals(group.getExternalId())) {
+    			if (group.getLastUpdate().before(earliestDate)) {
+    				if (earliestGroup != null)
+    					groupsToDelete.add(earliestGroup);
+    				earliestDate = group.getLastUpdate();
+    				earliestGroup = group;
+    			} else {
+        			groupsToDelete.add(group);
+    			}
+    		}
+    	}
+    	
+    	for (Group group : groupsToDelete)
+    		this.groupService.deleteGroup(group.getId());
+    	
+    	return earliestGroup;
+    }
+    
 }