Merge 4c829cd into e4595cb

api/management/api.go

@@ -26,6 +26,7 @@ type UserRepresentation struct {
 	BirthDate           *string   `json:"birthDate,omitempty"`
 	CreatedTimestamp    *int64    `json:"createdTimestamp,omitempty"`
 	Groups              *[]string `json:"groups,omitempty"`
+	TrustIDGroups       *[]string `json:"trustIdGroups,omitempty"`
 	Roles               *[]string `json:"roles,omitempty"`
 	Locale              *string   `json:"locale,omitempty"`
 	SmsSent             *int      `json:"smsSent,omitempty"`
@@ -194,6 +195,11 @@ func ConvertToAPIUser(userKc kc.UserRepresentation) UserRepresentation {
 			counter, _ := strconv.Atoi(smsSent)
 			userRep.SmsSent = &counter
 		}
+
+		if m["trustIDGroups"] != nil {
+			var trustIDGroups = m["trustIDGroups"]
+			userRep.TrustIDGroups = &trustIDGroups
+		}
 	}
 	return userRep
 }

api/management/api_test.go

@@ -74,6 +74,12 @@ func TestConvertToAPIUser(t *testing.T) {
 	kcUser.Attributes = &m
 	m["smsSent"] = []string{"0"}
 	assert.NotNil(t, *ConvertToAPIUser(kcUser).SmsSent)
+
+	// trustID groups
+	assert.Nil(t, ConvertToAPIUser(kcUser).TrustIDGroups)
+	kcUser.Attributes = &m
+	m["trustIDGroups"] = []string{"en"}
+	assert.NotNil(t, *ConvertToAPIUser(kcUser).TrustIDGroups)
 }
 
 func TestConvertToAPIUsersPage(t *testing.T) {
@@ -131,6 +137,7 @@ func TestConvertToKCUser(t *testing.T) {
 	var locale = "it"
 	user.Locale = &locale
 	assert.Equal(t, locale, (*ConvertToKCUser(user).Attributes)["locale"][0])
+
 }
 
 func TestConvertToKCGroup(t *testing.T) {

cmd/keycloakb/keycloak_bridge.go

@@ -215,6 +215,9 @@ func main() {
 		}
 	}
 
+	// Security - allowed trustID groups
+	var trustIDGroups = c.GetStringSlice("trustid-groups")
+
 	// Keycloak client.
 	var keycloakClient *keycloak.Client
 	{
@@ -480,7 +483,7 @@ func main() {
 
 		var keycloakComponent management.Component
 		{
-			keycloakComponent = management.NewComponent(keycloakClient, eventsDBModule, configDBModule, managementLogger)
+			keycloakComponent = management.NewComponent(keycloakClient, eventsDBModule, configDBModule, trustIDGroups, managementLogger)
 			keycloakComponent = management.MakeAuthorizationManagementComponentMW(log.With(managementLogger, "mw", "endpoint"), authorizationManager)(keycloakComponent)
 		}
 
@@ -501,6 +504,7 @@ func main() {
 			GetUsers:             prepareEndpoint(management.MakeGetUsersEndpoint(keycloakComponent), "get_users_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetUserAccountStatus: prepareEndpoint(management.MakeGetUserAccountStatusEndpoint(keycloakComponent), "get_user_accountstatus", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetGroupsOfUser:      prepareEndpoint(management.MakeGetGroupsOfUserEndpoint(keycloakComponent), "get_user_groups", influxMetrics, managementLogger, tracer, rateLimit["management"]),
+			SetTrustIDGroups:     prepareEndpoint(management.MakeSetTrustIDGroupsEndpoint(keycloakComponent), "set_trustid_groups_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetRolesOfUser:       prepareEndpoint(management.MakeGetRolesOfUserEndpoint(keycloakComponent), "get_user_roles", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 
 			GetRoles: prepareEndpoint(management.MakeGetRolesEndpoint(keycloakComponent), "get_roles_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
@@ -717,6 +721,7 @@ func main() {
 		var getRolesForUserHandler = configureManagementHandler(keycloakb.ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetRolesOfUser)
 		var getGroupsForUserHandler = configureManagementHandler(keycloakb.ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetGroupsOfUser)
 		var getUserAccountStatusHandler = configureManagementHandler(keycloakb.ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetUserAccountStatus)
+		var setTrustIDGroupsHandler = configureManagementHandler(keycloakb.ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.SetTrustIDGroups)
 
 		var getClientRoleForUserHandler = configureManagementHandler(keycloakb.ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetClientRoleForUser)
 		var addClientRoleToUserHandler = configureManagementHandler(keycloakb.ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.AddClientRoleToUser)
@@ -771,6 +776,7 @@ func main() {
 		managementSubroute.Path("/realms/{realm}/users/{userID}/groups").Methods("GET").Handler(getGroupsForUserHandler)
 		managementSubroute.Path("/realms/{realm}/users/{userID}/roles").Methods("GET").Handler(getRolesForUserHandler)
 		managementSubroute.Path("/realms/{realm}/users/{userID}/status").Methods("GET").Handler(getUserAccountStatusHandler)
+		managementSubroute.Path("/realms/{realm}/users/{userID}/trustIdGroups").Methods("PUT").Handler(setTrustIDGroupsHandler)
 
 		// role mappings
 		managementSubroute.Path("/realms/{realm}/users/{userID}/role-mappings/clients/{clientID}").Methods("GET").Handler(getClientRoleForUserHandler)
@@ -937,6 +943,15 @@ func config(ctx context.Context, logger log.Logger) *viper.Viper {
 	// Security - Audience check
 	v.SetDefault("audience-required", "")
 	v.SetDefault("event-basic-auth-token", "")
+	v.SetDefault("trustid-groups",
+		[]string{
+			"l1_support_manager",
+			"l1_support_agent",
+			"product_administrator",
+			"registration_officer",
+			"papercard_administrator",
+			"technical",
+			"end_user"})
 
 	// CORS configuration
 	v.SetDefault("cors-allowed-origins", []string{})

configs/authorization.json

@@ -31,6 +31,11 @@
           "*": {}
         }
       },
+      "MGMT_SetTrustIDGroups": {
+        "*": {
+          "*": {}
+        }
+      },
       "MGMT_GetGroups": {
         "master": {
           "*": {}

configs/keycloak_bridge.yml

@@ -42,6 +42,17 @@ audience-required: "account"
 ## Password used to protect /internal/event endpoint
 event-basic-auth-token: "superpasswordverylongandstrong"
 
+
+## trustID groups allowed to be set
+trustid-groups: 
+  - "l1_support_manager"
+  - "l1_support_agent"
+  - "product_administrator"
+  - "registration_officer"
+  - "papercard_administrator"
+  - "technical"
+  - "end_user"
+
 # Keycloak configs
 keycloak-api-uri: http://localhost:8080
 keycloak-oidc-uri: http://localhost:8080 http://127.0.0.1:8080

internal/messages/errormessages.go

@@ -64,4 +64,5 @@ const (
 	Max                               = "max"
 	Timeshift                         = "timeshift"
 	IdentityProvider                  = "identityProvider"
+	TrustIDGroupName                  = "trustIDGroupName"
 )

pkg/management/authorization.go

@@ -36,6 +36,7 @@ var (
 	MGMTGetUserAccountStatus           = newAction("MGMT_GetUserAccountStatus", security.ScopeGroup)
 	MGMTGetRolesOfUser                 = newAction("MGMT_GetRolesOfUser", security.ScopeGroup)
 	MGMTGetGroupsOfUser                = newAction("MGMT_GetGroupsOfUser", security.ScopeGroup)
+	MGMTSetTrustIDGroups               = newAction("MGMT_SetTrustIDGroups", security.ScopeGroup)
 	MGMTGetClientRolesForUser          = newAction("MGMT_GetClientRolesForUser", security.ScopeGroup)
 	MGMTAddClientRolesToUser           = newAction("MGMT_AddClientRolesToUser", security.ScopeGroup)
 	MGMTResetPassword                  = newAction("MGMT_ResetPassword", security.ScopeGroup)
@@ -237,6 +238,17 @@ func (c *authorizationComponentMW) GetGroupsOfUser(ctx context.Context, realmNam
 	return c.next.GetGroupsOfUser(ctx, realmName, userID)
 }
 
+func (c *authorizationComponentMW) SetTrustIDGroups(ctx context.Context, realmName, userID string, groupNames []string) error {
+	var action = MGMTSetTrustIDGroups.String()
+	var targetRealm = realmName
+
+	if err := c.authManager.CheckAuthorizationOnTargetUser(ctx, action, targetRealm, userID); err != nil {
+		return err
+	}
+
+	return c.next.SetTrustIDGroups(ctx, realmName, userID, groupNames)
+}
+
 func (c *authorizationComponentMW) GetClientRolesForUser(ctx context.Context, realmName, userID, clientID string) ([]api.RoleRepresentation, error) {
 	var action = MGMTGetClientRolesForUser.String()
 	var targetRealm = realmName

pkg/management/authorization_test.go

@@ -36,6 +36,7 @@ func TestDeny(t *testing.T) {
 	var groupID = "123-789-454"
 	var groupIDs = []string{groupID}
 	var groupName = "titi"
+	var grpNames = []string{"grp1", "grp2"}
 
 	var authzMatrix = map[string]map[string]map[string]struct{}{}
 
@@ -138,6 +139,9 @@ func TestDeny(t *testing.T) {
 		_, err = authorizationMW.GetGroupsOfUser(ctx, realmName, userID)
 		assert.Equal(t, security.ForbiddenError{}, err)
 
+		err = authorizationMW.SetTrustIDGroups(ctx, realmName, userID, grpNames)
+		assert.Equal(t, security.ForbiddenError{}, err)
+
 		_, err = authorizationMW.GetClientRolesForUser(ctx, realmName, userID, clientID)
 		assert.Equal(t, security.ForbiddenError{}, err)
 
@@ -231,6 +235,7 @@ func TestAllowed(t *testing.T) {
 	var groupID = "123-789-454"
 	var groupIDs = []string{groupID}
 	var groupName = "titi"
+	var grpNames = []string{"grp1", "grp2"}
 
 	var authzMatrix = map[string]map[string]map[string]struct{}{}
 
@@ -295,6 +300,7 @@ func TestAllowed(t *testing.T) {
 					"MGMT_GetUserAccountStatus": {"*": {"*": {} }},
 					"MGMT_GetRolesOfUser": {"*": {"*": {} }},
 					"MGMT_GetGroupsOfUser": {"*": {"*": {} }},
+					"MGMT_SetTrustIDGroups": {"*": {"*": {} }},
 					"MGMT_GetClientRolesForUser": {"*": {"*": {} }},
 					"MGMT_AddClientRolesToUser": {"*": {"*": {} }},
 					"MGMT_ResetPassword": {"*": {"*": {} }},
@@ -439,6 +445,10 @@ func TestAllowed(t *testing.T) {
 		_, err = authorizationMW.GetGroups(ctx, realmName)
 		assert.Nil(t, err)
 
+		mockManagementComponent.EXPECT().SetTrustIDGroups(ctx, realmName, userID, grpNames).Return(nil).Times(1)
+		err = authorizationMW.SetTrustIDGroups(ctx, realmName, userID, grpNames)
+		assert.Nil(t, err)
+
 		mockManagementComponent.EXPECT().CreateGroup(ctx, realmName, group).Return("", nil).Times(1)
 		_, err = authorizationMW.CreateGroup(ctx, realmName, group)
 		assert.Nil(t, err)

pkg/management/component.go

@@ -89,6 +89,7 @@ type Component interface {
 	GetUserAccountStatus(ctx context.Context, realmName, userID string) (map[string]bool, error)
 	GetRolesOfUser(ctx context.Context, realmName, userID string) ([]api.RoleRepresentation, error)
 	GetGroupsOfUser(ctx context.Context, realmName, userID string) ([]api.GroupRepresentation, error)
+	SetTrustIDGroups(ctx context.Context, realmName, userID string, groupNames []string) error
 	GetClientRolesForUser(ctx context.Context, realmName, userID, clientID string) ([]api.RoleRepresentation, error)
 	AddClientRolesToUser(ctx context.Context, realmName, userID, clientID string, roles []api.RoleRepresentation) error
 
@@ -119,20 +120,28 @@ type Component interface {
 
 // Component is the management component.
 type component struct {
-	keycloakClient KeycloakClient
-	eventDBModule  database.EventsDBModule
-	configDBModule ConfigurationDBModule
-	logger         keycloakb.Logger
+	keycloakClient          KeycloakClient
+	eventDBModule           database.EventsDBModule
+	configDBModule          ConfigurationDBModule
+	authorizedTrustIDGroups map[string]bool
+	logger                  keycloakb.Logger
 }
 
 // NewComponent returns the management component.
 func NewComponent(keycloakClient KeycloakClient, eventDBModule database.EventsDBModule,
-	configDBModule ConfigurationDBModule, logger keycloakb.Logger) Component {
+	configDBModule ConfigurationDBModule, authorizedTrustIDGroups []string, logger keycloakb.Logger) Component {
+
+	var authzedTrustIDGroups = make(map[string]bool)
+	for _, grp := range authorizedTrustIDGroups {
+		authzedTrustIDGroups[grp] = true
+	}
+
 	return &component{
-		keycloakClient: keycloakClient,
-		eventDBModule:  eventDBModule,
-		configDBModule: configDBModule,
-		logger:         logger,
+		keycloakClient:          keycloakClient,
+		eventDBModule:           eventDBModule,
+		configDBModule:          configDBModule,
+		authorizedTrustIDGroups: authzedTrustIDGroups,
+		logger:                  logger,
 	}
 }
 
@@ -498,6 +507,43 @@ func (c *component) GetGroupsOfUser(ctx context.Context, realmName, userID strin
 	return groupsRep, nil
 }
 
+func (c *component) SetTrustIDGroups(ctx context.Context, realmName, userID string, groupNames []string) error {
+	var accessToken = ctx.Value(cs.CtContextAccessToken).(string)
+
+	// validate the input - trustID groups must be valid
+	var extGroupNames []string
+	for _, groupName := range groupNames {
+		if _, ok := c.authorizedTrustIDGroups[groupName]; ok {
+			extGroupNames = append(extGroupNames, "/"+groupName)
+		} else {
+			// unauthorized call (unknown trustID group) --> error
+			c.logger.Warn(ctx, "msg", groupName+" group is not allowed to be set as a trustID group")
+			return errorhandler.CreateBadRequestError(msg.MsgErrInvalidParam + "." + msg.TrustIDGroupName)
+		}
+	}
+
+	// get the "old" user representation
+	currentUser, err := c.keycloakClient.GetUser(accessToken, realmName, userID)
+	if err != nil {
+		c.logger.Warn(ctx, "err", err.Error())
+		return err
+	}
+
+	// set the trustID groups attributes
+	if currentUser.Attributes == nil {
+		var emtpyMap = make(map[string][]string)
+		currentUser.Attributes = &emtpyMap
+	}
+	(*currentUser.Attributes)["trustIDGroups"] = extGroupNames
+
+	err = c.keycloakClient.UpdateUser(accessToken, realmName, userID, currentUser)
+	if err != nil {
+		c.logger.Warn(ctx, "err", err.Error())
+		return err
+	}
+	return nil
+}
+
 func (c *component) GetClientRolesForUser(ctx context.Context, realmName, userID, clientID string) ([]api.RoleRepresentation, error) {
 	var accessToken = ctx.Value(cs.CtContextAccessToken).(string)