Authorization

cloudtrust · Apr 18, 2019 · 4005903 · 4005903
1 parent f5511a0
commit 4005903
Show file tree

Hide file tree

Showing 14 changed files with 1,662 additions and 40 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/api/management/api.go b/api/management/api.go
@@ -5,18 +5,19 @@ import (
 )
 
 type UserRepresentation struct {
-	Id               *string `json:"id,omitempty"`
-	Username         *string `json:"username,omitempty"`
-	Email            *string `json:"email,omitempty"`
-	Enabled          *bool   `json:"enabled,omitempty"`
-	EmailVerified    *bool   `json:"emailVerified,omitempty"`
-	FirstName        *string `json:"firstName,omitempty"`
-	LastName         *string `json:"lastName,omitempty"`
-	MobilePhone      *string `json:"mobilePhone,omitempty"`
-	Label            *string `json:"label,omitempty"`
-	Gender           *string `json:"gender,omitempty"`
-	BirthDate        *string `json:"birthDate,omitempty"`
-	CreatedTimestamp *int64  `json:"createdTimestamp,omitempty"`
+	Id               *string   `json:"id,omitempty"`
+	Username         *string   `json:"username,omitempty"`
+	Email            *string   `json:"email,omitempty"`
+	Enabled          *bool     `json:"enabled,omitempty"`
+	EmailVerified    *bool     `json:"emailVerified,omitempty"`
+	FirstName        *string   `json:"firstName,omitempty"`
+	LastName         *string   `json:"lastName,omitempty"`
+	MobilePhone      *string   `json:"mobilePhone,omitempty"`
+	Label            *string   `json:"label,omitempty"`
+	Gender           *string   `json:"gender,omitempty"`
+	BirthDate        *string   `json:"birthDate,omitempty"`
+	Groups           *[]string `json:"group,omitempty"`
+	CreatedTimestamp *int64    `json:"createdTimestamp,omitempty"`
 }
 
 type RealmRepresentation struct {

diff --git a/api/management/swagger-api_management.yaml b/api/management/swagger-api_management.yaml
@@ -59,7 +59,7 @@ paths:
     get:
       tags:
       - Clients
-      summary: Update an existing pet
+      summary: Get representation of the client
       parameters:
       - name: realm
         in: path
@@ -461,7 +461,7 @@ paths:
     get:
       tags:
       - Roles
-      summary: Get all roles for the realm or client
+      summary: Get all roles for the realm
       parameters:
       - name: realm
         in: path
@@ -507,7 +507,7 @@ paths:
     get:
       tags:
       - Roles
-      summary: Get all roles for the realm or client
+      summary: Get all clients roles
       parameters:
       - name: realm
         in: path

diff --git a/cmd/keycloakb/keycloak_bridge.go b/cmd/keycloakb/keycloak_bridge.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"math/rand"
 	"net/http"
 	"net/http/pprof"
@@ -15,6 +16,8 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/cloudtrust/keycloak-bridge/internal/security"
+
 	"github.com/cloudtrust/keycloak-bridge/internal/idgenerator"
 	gen "github.com/cloudtrust/keycloak-bridge/internal/idgenerator"
 	"github.com/cloudtrust/keycloak-bridge/internal/keycloakb"
@@ -82,7 +85,8 @@ func main() {
 	var c = config(log.With(logger, "unit", "config"))
 	var (
 		// Component
-		httpAddr = c.GetString("component-http-host-port")
+		httpAddr                = c.GetString("component-http-host-port")
+		authorizationConfigFile = c.GetString("authorization-file")
 
 		// Keycloak
 		keycloakConfig = keycloak.Config{
@@ -183,6 +187,24 @@ func main() {
 		}
 	}
 
+	// Authorization Manager
+	var authorizationManager security.AuthorizationManager
+	{
+		json, err := ioutil.ReadFile(authorizationConfigFile)
+
+		if err != nil {
+			logger.Log("msg", "could not read JSON authorization file", "error", err)
+			return
+		}
+
+		authorizationManager, err = security.NewAuthorizationManager(keycloakClient, string(json))
+
+		if err != nil {
+			logger.Log("msg", "could not load authorizations", "error", err)
+			return
+		}
+	}
+
 	// Sentry.
 	type Sentry interface {
 		CaptureError(err error, tags map[string]string, interfaces ...sentry.Interface) string
@@ -356,6 +378,7 @@ func main() {
 		var keycloakComponent management.Component
 		{
 			keycloakComponent = management.NewComponent(keycloakClient, eventsDBModule)
+			keycloakComponent = management.MakeAuthorizationManagementComponentMW(log.With(managementLogger, "mw", "endpoint"), keycloakClient, authorizationManager)(keycloakComponent)
 		}
 
 		managementEndpoints = management.Endpoints{
@@ -540,6 +563,7 @@ func config(logger log.Logger) *viper.Viper {
 
 	// Component default.
 	v.SetDefault("config-file", "./configs/keycloak_bridge.yml")
+	v.SetDefault("authorization-file", "./configs/authorization.json")
 	v.SetDefault("component-http-host-port", "0.0.0.0:8888")
 
 	// CORS configuration
@@ -603,7 +627,9 @@ func config(logger log.Logger) *viper.Viper {
 
 	// First level of override.
 	pflag.String("config-file", v.GetString("config-file"), "The configuration file path can be relative or absolute.")
+	pflag.String("authorization-file", v.GetString("authorization-file"), "The authorization file path can be relative or absolute.")
 	v.BindPFlag("config-file", pflag.Lookup("config-file"))
+	v.BindPFlag("authorization-file", pflag.Lookup("authorization-file"))
 	pflag.Parse()
 
 	// Load and log config.