Merge 5398652 into 9ac48e5

cloudtrust · May 28, 2019 · ad036b0 · ad036b0
2 parents 9ac48e5 + 5398652
commit ad036b0
Show file tree

Hide file tree

Showing 8 changed files with 251 additions and 0 deletions.
diff --git a/cmd/keycloakb/keycloak_bridge.go b/cmd/keycloakb/keycloak_bridge.go
@@ -382,6 +382,7 @@ func main() {
 			GetRolesOfUser:                 prepareEndpoint(management.MakeGetRolesOfUserEndpoint(keycloakComponent), "get_user_roles", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetRoles:                       prepareEndpoint(management.MakeGetRolesEndpoint(keycloakComponent), "get_roles_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetRole:                        prepareEndpoint(management.MakeGetRoleEndpoint(keycloakComponent), "get_role_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
+			GetGroups:                      prepareEndpoint(management.MakeGetGroupsEndpoint(keycloakComponent), "get_groups_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetClientRoles:                 prepareEndpoint(management.MakeGetClientRolesEndpoint(keycloakComponent), "get_client_roles_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			CreateClientRole:               prepareEndpoint(management.MakeCreateClientRoleEndpoint(keycloakComponent), "create_client_role_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetClientRoleForUser:           prepareEndpoint(management.MakeGetClientRolesForUserEndpoint(keycloakComponent), "get_client_roles_for_user_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
@@ -505,6 +506,8 @@ func main() {
 		var getClientRolesHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetClientRoles)
 		var createClientRolesHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.CreateClientRole)
 
+		var getGroupsHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetGroups)
+
 		var resetPasswordHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.ResetPassword)
 		var sendVerifyEmailHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.SendVerifyEmail)
 		var executeActionsEmailHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.ExecuteActionsEmail)
@@ -553,6 +556,9 @@ func main() {
 		managementSubroute.Path("/realms/{realm}/clients/{clientID}/roles").Methods("GET").Handler(getClientRolesHandler)
 		managementSubroute.Path("/realms/{realm}/clients/{clientID}/roles").Methods("POST").Handler(createClientRolesHandler)
 
+		//groups
+		managementSubroute.Path("/realms/{realm}/groups").Methods("GET").Handler(getGroupsHandler)
+
 		// custom configuration par realm
 		managementSubroute.Path("/realms/{realm}/configuration").Methods("GET").Handler(getRealmCustomConfigurationHandler)
 		managementSubroute.Path("/realms/{realm}/configuration").Methods("PUT").Handler(updateRealmCustomConfigurationHandler)

diff --git a/configs/authorization.json b/configs/authorization.json
@@ -31,6 +31,16 @@
           "*": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "master": {
           "*": {}
@@ -123,6 +133,22 @@
           "end_user": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        },
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        },
+        "DEP": {
+          "*": {}
+        }
+      },  
       "GetGroupsOfUser": {
         "master": {
           "integrator_agent": {}
@@ -245,6 +271,16 @@
           "*": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "DEP": {
           "*": {}
@@ -335,6 +371,16 @@
           "l2_support_agent": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "master": {
           "l2_support_agent": {}
@@ -399,6 +445,16 @@
         "*": {
           "*": {}
         }
+      }, 
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
       }
     },
     "l3_support_manager":{
@@ -430,6 +486,16 @@
           "l3_support_agent": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "master": {
           "l3_support_agent": {}
@@ -494,6 +560,16 @@
         "*": {
           "*": {}
         }
+      },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
       }
     }
   },
@@ -522,6 +598,16 @@
           "*": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "GetGroupsOfUser": {
         "DEP": {
           "*": {}
@@ -606,6 +692,16 @@
           "end_user": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "DEP": {
           "l1_support_agent": {},
@@ -685,6 +781,16 @@
           "end_user": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "DEP": {
           "end_user": {}
@@ -737,6 +843,16 @@
         "DEP": {
           "end_user": {}
         }
+      },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
       }
     }
   }

diff --git a/pkg/management/authorization.go b/pkg/management/authorization.go
@@ -32,6 +32,7 @@ const (
 	DeleteCredentialsForUser       = "DeleteCredentialsForUser"
 	GetRoles                       = "GetRoles"
 	GetRole                        = "GetRole"
+	GetGroups                      = "GetGroups"
 	GetClientRoles                 = "GetClientRoles"
 	CreateClientRole               = "CreateClientRole"
 	GetRealmCustomConfiguration    = "GetRealmCustomConfiguration"
@@ -303,6 +304,17 @@ func (c *authorizationComponentMW) GetRole(ctx context.Context, realmName string
 	return c.next.GetRole(ctx, realmName, roleID)
 }
 
+func (c *authorizationComponentMW) GetGroups(ctx context.Context, realmName string) ([]api.GroupRepresentation, error) {
+	var action = GetGroups
+	var targetRealm = realmName
+
+	if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
+		return nil, err
+	}
+
+	return c.next.GetGroups(ctx, realmName)
+}
+
 func (c *authorizationComponentMW) GetClientRoles(ctx context.Context, realmName, idClient string) ([]api.RoleRepresentation, error) {
 	var action = GetClientRoles
 	var targetRealm = realmName

diff --git a/pkg/management/authorization_test.go b/pkg/management/authorization_test.go
@@ -145,6 +145,9 @@ func TestDeny(t *testing.T) {
 		_, err = authorizationMW.GetRole(ctx, realmName, roleID)
 		assert.Equal(t, security.ForbiddenError{}, err)
 
+		_, err = authorizationMW.GetGroups(ctx, realmName)
+		assert.Equal(t, security.ForbiddenError{}, err)
+
 		_, err = authorizationMW.GetClientRoles(ctx, realmName, clientID)
 		assert.Equal(t, security.ForbiddenError{}, err)
 
@@ -236,6 +239,7 @@ func TestAllowed(t *testing.T) {
 					"DeleteCredentialsForUser": {"*": {"*": {} }},
 					"GetRoles": {"*": {"*": {} }},
 					"GetRole": {"*": {"*": {} }},
+					"GetGroups": {"*": {"*": {} }},
 					"GetClientRoles": {"*": {"*": {} }},
 					"CreateClientRole": {"*": {"*": {} }},
 					"GetRealmCustomConfiguration": {"*": {"*": {} }},
@@ -341,6 +345,10 @@ func TestAllowed(t *testing.T) {
 		_, err = authorizationMW.GetRole(ctx, realmName, roleID)
 		assert.Nil(t, err)
 
+		mockManagementComponent.EXPECT().GetGroups(ctx, realmName).Return([]api.GroupRepresentation{}, nil).Times(1)
+		_, err = authorizationMW.GetGroups(ctx, realmName)
+		assert.Nil(t, err)
+
 		mockManagementComponent.EXPECT().GetClientRoles(ctx, realmName, clientID).Return([]api.RoleRepresentation{}, nil).Times(1)
 		_, err = authorizationMW.GetClientRoles(ctx, realmName, clientID)
 		assert.Nil(t, err)

diff --git a/pkg/management/component.go b/pkg/management/component.go
@@ -36,6 +36,7 @@ type KeycloakClient interface {
 	DeleteCredentialsForUser(accessToken string, realmReq, realmName string, userID string, credentialID string) error
 	GetRoles(accessToken string, realmName string) ([]kc.RoleRepresentation, error)
 	GetRole(accessToken string, realmName string, roleID string) (kc.RoleRepresentation, error)
+	GetGroups(accessToken string, realmName string) ([]kc.GroupRepresentation, error)
 	GetClientRoles(accessToken string, realmName, idClient string) ([]kc.RoleRepresentation, error)
 	CreateClientRole(accessToken string, realmName, clientID string, role kc.RoleRepresentation) (string, error)
 	GetGroup(accessToken string, realmName, groupID string) (kc.GroupRepresentation, error)
@@ -65,6 +66,7 @@ type Component interface {
 	DeleteCredentialsForUser(ctx context.Context, realmName string, userID string, credentialID string) error
 	GetRoles(ctx context.Context, realmName string) ([]api.RoleRepresentation, error)
 	GetRole(ctx context.Context, realmName string, roleID string) (api.RoleRepresentation, error)
+	GetGroups(ctx context.Context, realmName string) ([]api.GroupRepresentation, error)
 	GetClientRoles(ctx context.Context, realmName, idClient string) ([]api.RoleRepresentation, error)
 	CreateClientRole(ctx context.Context, realmName, clientID string, role api.RoleRepresentation) (string, error)
 	GetRealmCustomConfiguration(ctx context.Context, realmName string) (api.RealmCustomConfiguration, error)
@@ -573,6 +575,27 @@ func (c *component) GetRole(ctx context.Context, realmName string, roleID string
 	return roleRep, err
 }
 
+func (c *component) GetGroups(ctx context.Context, realmName string) ([]api.GroupRepresentation, error) {
+	var accessToken = ctx.Value(cs.CtContextAccessToken).(string)
+
+	groupsKc, err := c.keycloakClient.GetGroups(accessToken, realmName)
+
+	if err != nil {
+		return nil, err
+	}
+
+	var groupsRep []api.GroupRepresentation
+	for _, groupKc := range groupsKc {
+		var groupRep api.GroupRepresentation
+		groupRep.Id = groupKc.Id
+		groupRep.Name = groupKc.Name
+
+		groupsRep = append(groupsRep, groupRep)
+	}
+
+	return groupsRep, nil
+}
+
 func (c *component) GetClientRoles(ctx context.Context, realmName, idClient string) ([]api.RoleRepresentation, error) {
 	var accessToken = ctx.Value(cs.CtContextAccessToken).(string)
 

diff --git a/pkg/management/component_test.go b/pkg/management/component_test.go
@@ -1522,6 +1522,59 @@ func TestGetRole(t *testing.T) {
 	}
 }
 
+func TestGetGroups(t *testing.T) {
+	var mockCtrl = gomock.NewController(t)
+	defer mockCtrl.Finish()
+	var mockKeycloakClient = mock.NewKeycloakClient(mockCtrl)
+	var mockEventDBModule = mock.NewEventDBModule(mockCtrl)
+	var mockConfigurationDBModule = mock.NewConfigurationDBModule(mockCtrl)
+
+	var managementComponent = NewComponent(mockKeycloakClient, mockEventDBModule, mockConfigurationDBModule)
+
+	var accessToken = "TOKEN=="
+	var realmName = "master"
+
+	// Get groups with succces
+	{
+		var id = "1234-7454-4516"
+		var path = "path_group"
+		var name = "group1"
+		var realmRoles = []string{"role1"}
+
+		var kcGroupRep = kc.GroupRepresentation{
+			Id:         &id,
+			Name:       &name,
+			Path:       &path,
+			RealmRoles: &realmRoles,
+		}
+
+		var kcGroupsRep []kc.GroupRepresentation
+		kcGroupsRep = append(kcGroupsRep, kcGroupRep)
+
+		mockKeycloakClient.EXPECT().GetGroups(accessToken, realmName).Return(kcGroupsRep, nil).Times(1)
+
+		var ctx = context.WithValue(context.Background(), cs.CtContextAccessToken, accessToken)
+
+		apiGroupsRep, err := managementComponent.GetGroups(ctx, "master")
+
+		var apiGroupRep = apiGroupsRep[0]
+		assert.Nil(t, err)
+		assert.Equal(t, id, *apiGroupRep.Id)
+		assert.Equal(t, name, *apiGroupRep.Name)
+	}
+
+	//Error
+	{
+		mockKeycloakClient.EXPECT().GetGroups(accessToken, realmName).Return([]kc.GroupRepresentation{}, fmt.Errorf("Unexpected error")).Times(1)
+
+		var ctx = context.WithValue(context.Background(), cs.CtContextAccessToken, accessToken)
+
+		_, err := managementComponent.GetGroups(ctx, "master")
+
+		assert.NotNil(t, err)
+	}
+}
+
 func TestGetClientRoles(t *testing.T) {
 	var mockCtrl = gomock.NewController(t)
 	defer mockCtrl.Finish()