Compare commits
30 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 0d402f6014 | |||
| f000f1b134 | |||
| e7b6bd644e | |||
| 25093cd822 | |||
| 70ff0b5c5c | |||
| 343e1b65b9 | |||
| d10ff1103d | |||
| f5eefdb544 | |||
| 28a6f4d101 | |||
| 07a5ed959a | |||
| 14487b62eb | |||
| e87a6b68a7 | |||
| 19f21fdd5c | |||
| 5ecb627dbf | |||
| ea487fee31 | |||
| 9f9ededab2 | |||
| f76105b979 | |||
| a3cb17e402 | |||
| c6d0977b2f | |||
| 2405a8a313 | |||
| 173bfed44f | |||
| dc5a7dad39 | |||
| 10ed99b0a2 | |||
| 4e4a6aca8d | |||
| 44d0bf533d | |||
| 807294881b | |||
| a42c754a09 | |||
| 8b05c51ef6 | |||
| 8bc03e0ea9 | |||
| d32e3c7051 |
15
README.md
15
README.md
@@ -20,6 +20,13 @@ The installation is simple. Just include the JAR in the classpath of your Activ
|
||||
|
||||
Notice the use of `PostResources` instead of `PreResources`. This library needs to be loaded after the web application. This is the best way to load any other extensions or customization to the Activiti App, including `JavaDelegate` implementations.
|
||||
|
||||
## Support Matrix
|
||||
|
||||
| Keycloak Activiti App Extension | Activiti App |
|
||||
| ------------------------------- | --------------- |
|
||||
| v1.0 - v1.2 | v1.11.x |
|
||||
| v1.3+ | v1.11.x - v2.3+ |
|
||||
|
||||
## Configuration
|
||||
|
||||
The library is highly configurable. You configure it with properties specified in the `activiti-app.properties` file, which exists somewhere in the root of the classpath. That is typically in the `lib` folder. The properties to configure are enumerated in the table below.
|
||||
@@ -41,10 +48,10 @@ The library is highly configurable. You configure it with properties specified
|
||||
|
||||
### For Activiti App Only
|
||||
|
||||
| Property | Default | Description |
|
||||
| ----------------------------------------- | -------------- | ----------- |
|
||||
| `keycloak-ext.syncGroupAs` | `organization` | When creating a new group, should it be a functional (`organization`) group or a system (`capability`) group? |
|
||||
| `keycloak-ext.external.id` | `ais` | When creating a new group or registering an internal group as external, use this ID as a prefix to the external group ID. |
|
||||
| Property | Default | Description |
|
||||
| ---------------------------------------------- | ------- | ----------- |
|
||||
| `keycloak-ext.group.capability.regex.patterns` | | When creating a new group, sync as an APS Organization, except when the specified pattern matches the role. In those cases, sync as an APS Capability. |
|
||||
| `keycloak-ext.external.id` | `ais` | When creating a new group or registering an internal group as external, use this ID as a prefix to the external group ID. |
|
||||
|
||||
### Rare
|
||||
|
||||
|
||||
35
pom.xml
35
pom.xml
@@ -4,7 +4,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>com.inteligr8.activiti</groupId>
|
||||
<artifactId>keycloak-activiti-app-ext</artifactId>
|
||||
<version>1.2-SNAPSHOT</version>
|
||||
<version>1.3.0</version>
|
||||
<name>Keycloak Authentication & Authorization for APS</name>
|
||||
|
||||
<properties>
|
||||
@@ -12,9 +12,9 @@
|
||||
<maven.compiler.target>11</maven.compiler.target>
|
||||
<maven.compiler.release>11</maven.compiler.release>
|
||||
|
||||
<aps.version>1.11.1.1</aps.version>
|
||||
<keycloak.version>6.0.1</keycloak.version>
|
||||
<spring-security-oauth2.version>2.0.17.RELEASE</spring-security-oauth2.version>
|
||||
<aps.version>2.0.1</aps.version>
|
||||
<keycloak.version>10.0.2</keycloak.version>
|
||||
<spring-security-oauth2.version>2.5.2.RELEASE</spring-security-oauth2.version>
|
||||
<slf4j.version>1.7.26</slf4j.version>
|
||||
</properties>
|
||||
|
||||
@@ -37,6 +37,7 @@
|
||||
<version>${keycloak.version}</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<!-- Needed for Activiti App Identity Service inheritance/override -->
|
||||
<dependency>
|
||||
<groupId>com.activiti</groupId>
|
||||
<artifactId>activiti-app</artifactId>
|
||||
@@ -44,6 +45,7 @@
|
||||
<classifier>classes</classifier>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<!-- Needed for the Activiti App Public API -->
|
||||
<dependency>
|
||||
<groupId>com.activiti</groupId>
|
||||
<artifactId>activiti-app-logic</artifactId>
|
||||
@@ -52,36 +54,15 @@
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>io.repaint.maven</groupId>
|
||||
<artifactId>tiles-maven-plugin</artifactId>
|
||||
<version>2.21</version>
|
||||
<extensions>true</extensions>
|
||||
<configuration>
|
||||
<filtering>true</filtering>
|
||||
<tiles>
|
||||
<tile>com.inteligr8:maven-public-deploy-tile:[1.0.0,2.0.0)</tile>
|
||||
</tiles>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
|
||||
<repositories>
|
||||
<repository>
|
||||
<id>alfresco-public</id>
|
||||
<url>https://artifacts.alfresco.com/nexus/content/repositories/public</url>
|
||||
<id>alfresco-private</id>
|
||||
<url>https://artifacts.alfresco.com/nexus/content/groups/private</url>
|
||||
</repository>
|
||||
<repository>
|
||||
<id>activiti-releases</id>
|
||||
<url>https://artifacts.alfresco.com/nexus/content/repositories/activiti-enterprise-releases</url>
|
||||
</repository>
|
||||
<repository>
|
||||
<id>inteligr8-releases</id>
|
||||
<url>https://repos.inteligr8.com/nexus/repository/inteligr8-private</url>
|
||||
</repository>
|
||||
</repositories>
|
||||
|
||||
<distributionManagement>
|
||||
|
||||
@@ -3,6 +3,8 @@ package com.inteligr8.activiti;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import javax.persistence.NonUniqueResultException;
|
||||
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@@ -65,21 +67,28 @@ public class ActivitiAppAdminMembersFixer implements DataFixer {
|
||||
return;
|
||||
|
||||
Long tenantId = this.tenantFinderService.findTenantId();
|
||||
List<Group> groups;
|
||||
Group group1 = this.groupService.getGroupByExternalIdAndTenantId(this.adminGroupExternalId, tenantId);
|
||||
if (group1 != null) {
|
||||
groups = Arrays.asList(group1);
|
||||
} else {
|
||||
List<Group> groups = null;
|
||||
try {
|
||||
Group group1 = this.groupService.getGroupByExternalIdAndTenantId(this.adminGroupExternalId, tenantId);
|
||||
if (group1 != null)
|
||||
groups = Arrays.asList(group1);
|
||||
} catch (NonUniqueResultException nure) {
|
||||
// suppress
|
||||
}
|
||||
if (groups == null)
|
||||
groups = this.groupService.getGroupByNameAndTenantId(this.adminGroupName, tenantId);
|
||||
}
|
||||
|
||||
this.logger.debug("Found {} admin group(s)", groups.size());
|
||||
|
||||
for (String email : adminUsers) {
|
||||
User user = this.userService.findUserByEmail(email);
|
||||
|
||||
this.logger.debug("Adding {} to admin group(s)", user.getEmail());
|
||||
for (Group group : groups)
|
||||
this.groupService.addUserToGroup(group, user);
|
||||
User user = this.userService.findUserByEmailAndTenantId(email, tenantId);
|
||||
if (user == null) {
|
||||
this.logger.info("The user with email '{}' does not exist, so they cannot be added as an administrator", email);
|
||||
} else {
|
||||
this.logger.debug("Adding {} to admin group(s)", user.getEmail());
|
||||
for (Group group : groups)
|
||||
this.groupService.addUserToGroup(group, user);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,45 @@
|
||||
package com.inteligr8.activiti;
|
||||
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
import com.activiti.domain.idm.User;
|
||||
import com.activiti.service.api.UserService;
|
||||
|
||||
/**
|
||||
* @author brian@inteligr8.com
|
||||
*/
|
||||
@Component
|
||||
public class ActivitiAppAdminPasswordFixer implements DataFixer {
|
||||
|
||||
private final Logger logger = LoggerFactory.getLogger(this.getClass());
|
||||
|
||||
@Autowired(required = false)
|
||||
private UserService userService;
|
||||
|
||||
@Autowired
|
||||
private TenantFinderService tenantFinderService;
|
||||
|
||||
@Value("${keycloak-ext.reset.admin.username:admin@app.activiti.com}")
|
||||
private String adminUsername;
|
||||
|
||||
@Value("${keycloak-ext.reset.admin.password:#{null}}")
|
||||
private String adminPassword;
|
||||
|
||||
@Override
|
||||
public void fix() {
|
||||
this.logger.trace("fix()");
|
||||
|
||||
if (this.adminPassword != null) {
|
||||
this.logger.info("Resetting the password for admin user '{}'", this.adminUsername);
|
||||
|
||||
Long tenantId = this.tenantFinderService.findTenantId();
|
||||
User adminUser = this.userService.findUserByEmailAndTenantId(this.adminUsername, tenantId);
|
||||
this.userService.changePassword(adminUser.getId(), this.adminPassword);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
@@ -12,6 +12,8 @@ import java.util.Set;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.annotation.OverridingMethodsMustInvokeSuper;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.keycloak.KeycloakPrincipal;
|
||||
import org.keycloak.KeycloakSecurityContext;
|
||||
@@ -71,6 +73,7 @@ public abstract class AbstractKeycloakActivitiAuthenticator implements Authentic
|
||||
protected final Set<Pattern> groupExcludes = new HashSet<>();
|
||||
|
||||
@Override
|
||||
@OverridingMethodsMustInvokeSuper
|
||||
public void afterPropertiesSet() {
|
||||
if (this.regexPatterns != null) {
|
||||
String[] regexPatternStrs = StringUtils.split(this.regexPatterns, ',');
|
||||
|
||||
@@ -1,12 +1,15 @@
|
||||
package com.inteligr8.activiti.keycloak;
|
||||
|
||||
import java.util.Date;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.annotation.OverridingMethodsMustInvokeSuper;
|
||||
import javax.persistence.NonUniqueResultException;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
@@ -59,16 +62,22 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
|
||||
@Value("${keycloak-ext.external.id:ais}")
|
||||
protected String externalIdmSource;
|
||||
|
||||
@Value("${keycloak-ext.syncGroupAs:organization}")
|
||||
protected String syncGroupAs;
|
||||
@Value("${keycloak-ext.group.capability.regex.patterns:#{null}}")
|
||||
protected String regexCapIncludes;
|
||||
|
||||
protected boolean syncGroupAsOrganization() {
|
||||
return !this.syncGroupAsCapability();
|
||||
}
|
||||
protected final Set<Pattern> capIncludes = new HashSet<>();
|
||||
|
||||
protected boolean syncGroupAsCapability() {
|
||||
return this.syncGroupAs != null && this.syncGroupAs.toLowerCase().startsWith("cap");
|
||||
}
|
||||
@Override
|
||||
@OverridingMethodsMustInvokeSuper
|
||||
public void afterPropertiesSet() {
|
||||
super.afterPropertiesSet();
|
||||
|
||||
if (this.regexCapIncludes != null) {
|
||||
String[] regexPatternStrs = StringUtils.split(this.regexCapIncludes, ',');
|
||||
for (int i = 0; i < regexPatternStrs.length; i++)
|
||||
this.capIncludes.add(Pattern.compile(regexPatternStrs[i]));
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This method validates that the user exists, if not, it creates the
|
||||
@@ -163,8 +172,6 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
|
||||
return;
|
||||
}
|
||||
|
||||
boolean syncAsOrg = this.syncGroupAsOrganization();
|
||||
|
||||
// check Activiti groups
|
||||
User userWithGroups = this.userService.getUser(user.getId(), true);
|
||||
for (Group group : userWithGroups.getGroups()) {
|
||||
@@ -228,6 +235,8 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
|
||||
if (group == null) {
|
||||
if (this.createMissingGroup) {
|
||||
this.logger.trace("Creating new group for role: {}", role);
|
||||
boolean syncAsOrg = this.isRoleToBeOrganization(role.getKey());
|
||||
this.logger.trace("Creating new group as {}: {}", syncAsOrg ? "organization" : "capability", role);
|
||||
String name = this.keycloakRoleToApsGroupName(role.getValue());
|
||||
String externalId = this.keycloakRoleToApsGroupExternalId(role.getKey());
|
||||
int type = syncAsOrg ? Group.TYPE_FUNCTIONAL_GROUP : Group.TYPE_SYSTEM_GROUP;
|
||||
@@ -264,4 +273,17 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
|
||||
return externalId;
|
||||
}
|
||||
|
||||
private boolean isRoleToBeOrganization(String role) {
|
||||
if (this.capIncludes.isEmpty())
|
||||
return true;
|
||||
|
||||
for (Pattern regex : this.capIncludes) {
|
||||
Matcher matcher = regex.matcher(role);
|
||||
if (matcher.matches())
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,162 +0,0 @@
|
||||
package com.inteligr8.activiti.keycloak;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Map.Entry;
|
||||
|
||||
import org.activiti.engine.IdentityService;
|
||||
import org.activiti.engine.identity.Group;
|
||||
import org.activiti.engine.identity.User;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.context.annotation.Lazy;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
/**
|
||||
* This is an unused implementation for non-APS installation. It is not tested
|
||||
* and probably pointless.
|
||||
*
|
||||
* @author brian.long@yudrio.com
|
||||
*/
|
||||
@Component("keycloak-ext.activiti-engine.authenticator")
|
||||
@Lazy
|
||||
public class KeycloakActivitiEngineAuthenticator extends AbstractKeycloakActivitiAuthenticator {
|
||||
|
||||
private final Logger logger = LoggerFactory.getLogger(this.getClass());
|
||||
|
||||
@Autowired
|
||||
private IdentityService identityService;
|
||||
|
||||
@Value("${keycloak-ext.group.prefix:KEYCLOAK_}")
|
||||
private String groupPrefix;
|
||||
|
||||
/**
|
||||
* This method validates that the user exists, if not, it creates the
|
||||
* missing user. Without this functionality, SSO straight up fails.
|
||||
*/
|
||||
@Override
|
||||
public void preAuthenticate(Authentication auth) throws AuthenticationException {
|
||||
User user = this.findUser(auth);
|
||||
if (user == null) {
|
||||
if (this.createMissingUser) {
|
||||
this.logger.debug("User does not yet exist; creating the user: {}", auth.getName());
|
||||
|
||||
user = this.createUser(auth);
|
||||
this.logger.debug("Created user: {} => {}", user.getId(), user.getEmail());
|
||||
|
||||
if (this.clearNewUserDefaultGroups) {
|
||||
this.logger.debug("Clearing groups: {}", user.getId());
|
||||
List<Group> groups = this.identityService.createGroupQuery()
|
||||
.groupMember(user.getId())
|
||||
.list();
|
||||
for (Group group : groups)
|
||||
this.identityService.deleteMembership(user.getId(), group.getId());
|
||||
}
|
||||
} else {
|
||||
this.logger.info("User does not exist; user creation is disabled: {}", auth.getName());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This method validates that the groups exist, if not, it creates the
|
||||
* missing ones. Without this functionality, SSO works, but the user's
|
||||
* authorities are not synchronized.
|
||||
*/
|
||||
@Override
|
||||
public void postAuthenticate(Authentication auth) throws AuthenticationException {
|
||||
User user = this.findUser(auth);
|
||||
this.logger.debug("Inspecting user: {} => {}", user.getId(), user.getEmail());
|
||||
|
||||
this.syncUserRoles(user, auth);
|
||||
}
|
||||
|
||||
private User findUser(Authentication auth) {
|
||||
String email = auth.getName();
|
||||
|
||||
User user = this.identityService.createUserQuery()
|
||||
.userEmail(email)
|
||||
.singleResult();
|
||||
|
||||
return user;
|
||||
}
|
||||
|
||||
private User createUser(Authentication auth) {
|
||||
User user = this.identityService.newUser(auth.getName());
|
||||
user.setEmail(auth.getName());
|
||||
this.identityService.saveUser(user);
|
||||
return user;
|
||||
}
|
||||
|
||||
private void syncUserRoles(User user, Authentication auth) {
|
||||
Map<String, String> roles = this.getKeycloakRoles(auth);
|
||||
if (roles == null) {
|
||||
this.logger.debug("The user roles could not be determined; skipping sync: {}", user.getEmail());
|
||||
return;
|
||||
}
|
||||
|
||||
// check Activiti groups
|
||||
List<Group> groups = this.identityService.createGroupQuery()
|
||||
.groupMember(user.getEmail())
|
||||
.list();
|
||||
this.logger.debug("User is currently a member of {} groups", groups.size());
|
||||
for (Group group : groups) {
|
||||
if (!group.getId().startsWith(this.groupPrefix) && this.syncInternalGroups)
|
||||
continue;
|
||||
|
||||
this.logger.trace("Inspecting group: {} => {} ({})", group.getId(), group.getName(), group.getType());
|
||||
if (roles.remove(this.activitiGroupIdToKeycloakRole(group.getId())) != null) {
|
||||
this.logger.trace("Group and membership already exist: {} => {}", user.getEmail(), group.getName());
|
||||
// already a member of the group
|
||||
} else {
|
||||
if (this.syncGroupRemove) {
|
||||
this.logger.trace("Group membership not in OIDC token; removing from group: {} => {}", user.getEmail(), group.getName());
|
||||
this.identityService.deleteMembership(user.getId(), group.getId());
|
||||
} else {
|
||||
this.logger.debug("User/group membership sync disabled; not removing user from group: {} => {}", user.getId(), group.getId());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
this.logger.debug("Unaddressed OIDC roles: {}", roles);
|
||||
|
||||
// check remainder/unaddressed roles
|
||||
for (Entry<String, String> role : roles.entrySet()) {
|
||||
this.logger.trace("Inspecting role: {}", role);
|
||||
|
||||
Group group = this.identityService.createGroupQuery()
|
||||
.groupId(this.keycloakRoleToActivitiGroupId(role.getKey()))
|
||||
.singleResult();
|
||||
if (group == null) {
|
||||
if (this.createMissingGroup) {
|
||||
this.logger.trace("Group does not exist; creating one");
|
||||
group = this.identityService.newGroup(this.keycloakRoleToActivitiGroupId(role.getKey()));
|
||||
group.setName(role.getValue());
|
||||
this.identityService.saveGroup(group);
|
||||
} else {
|
||||
this.logger.info("Group does not exist; group creation is disabled: {}", role.getKey());
|
||||
}
|
||||
}
|
||||
|
||||
if (group != null && this.syncGroupAdd) {
|
||||
this.logger.trace("Group membership not in Activiti; adding to group: {} => {}", user.getEmail(), group.getName());
|
||||
this.identityService.createMembership(user.getId(), group.getId());
|
||||
} else {
|
||||
this.logger.debug("User/group membership sync disabled; not adding user to group: {} => {}", user.getId(), group.getId());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private String keycloakRoleToActivitiGroupId(String role) {
|
||||
return this.groupPrefix + role;
|
||||
}
|
||||
|
||||
private String activitiGroupIdToKeycloakRole(String groupId) {
|
||||
return groupId.startsWith(this.groupPrefix) ? groupId.substring(this.groupPrefix.length()) : groupId;
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user