Merge 1e0fe1b into 4005903

cloudtrust · Apr 18, 2019 · d9c2318 · d9c2318
2 parents 4005903 + 1e0fe1b
commit d9c2318
Show file tree

Hide file tree

Showing 16 changed files with 409 additions and 74 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/api/management/swagger-api_management.yaml b/api/management/swagger-api_management.yaml
@@ -403,6 +403,54 @@ paths:
       responses:
         200:
           description: successful operation
+  /realms/{realm}/users/{userID}/execute-actions-email:
+    put:
+      tags:
+      - Users
+      summary: >
+        Send a update account email to the user An email contains a link the user can click to perform a set of required actions.
+        The redirectUri and clientId parameters are optional.
+        If no redirect is given, then there will be no link back to click after actions have completed.
+        Redirect uri must be a valid uri for the particular clientId.
+      parameters:
+      - name: realm
+        in: path
+        description: realm name (not id!)
+        required: true
+        schema:
+          type: string
+      - name: userID
+        in: path
+        description: User id
+        required: true
+        schema:
+          type: string
+      - name: client_id
+        in: query
+        schema:
+          type: string
+        allowEmptyValue: true
+      - name: lifespan
+        in: query
+        description: Number of seconds after which the generated token expires
+        schema:
+          type: string
+        allowEmptyValue: true
+      - name: redirect_uri
+        in: query
+        schema:
+          type: string
+        allowEmptyValue: true
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: array
+              items:
+                type: string
+      responses:
+        200:
+          description: successful operation
   /realms/{realm}/users/{userID}/credentials:
     get:
       tags:

diff --git a/cmd/keycloakb/keycloak_bridge.go b/cmd/keycloakb/keycloak_bridge.go
@@ -401,6 +401,7 @@ func main() {
 			GetRealmRoleForUser:      prepareEndpoint(management.MakeGetRealmRolesForUserEndpoint(keycloakComponent), "get_realm_roles_for_user_endpoint", influxMetrics, managementLogger, tracer, rateLimit),
 			ResetPassword:            prepareEndpoint(management.MakeResetPasswordEndpoint(keycloakComponent), "reset_password_endpoint", influxMetrics, managementLogger, tracer, rateLimit),
 			SendVerifyEmail:          prepareEndpoint(management.MakeSendVerifyEmailEndpoint(keycloakComponent), "send_verify_email_endpoint", influxMetrics, managementLogger, tracer, rateLimit),
+			ExecuteActionsEmail:      prepareEndpoint(management.MakeExecuteActionsEmailEndpoint(keycloakComponent), "execute_actions_email_endpoint", influxMetrics, managementLogger, tracer, rateLimit),
 			GetCredentialsForUser:    prepareEndpoint(management.MakeGetCredentialsForUserEndpoint(keycloakComponent), "get_credentials_for_user_endpoint", influxMetrics, managementLogger, tracer, rateLimit),
 			DeleteCredentialsForUser: prepareEndpoint(management.MakeDeleteCredentialsForUserEndpoint(keycloakComponent), "delete_credentials_for_user_endpoint", influxMetrics, managementLogger, tracer, rateLimit),
 		}
@@ -463,6 +464,7 @@ func main() {
 
 		var resetPasswordHandler = ConfigureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, tracer, logger)(managementEndpoints.ResetPassword)
 		var sendVerifyEmailHandler = ConfigureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, tracer, logger)(managementEndpoints.SendVerifyEmail)
+		var executeActionsEmailHandler = ConfigureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, tracer, logger)(managementEndpoints.ExecuteActionsEmail)
 
 		var getCredentialsForUserHandler = ConfigureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, tracer, logger)(managementEndpoints.GetCredentialsForUser)
 		var deleteCredentialsForUserHandler = ConfigureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, tracer, logger)(managementEndpoints.DeleteCredentialsForUser)
@@ -488,10 +490,15 @@ func main() {
 		managementSubroute.Path("/realms/{realm}/users/{userID}/role-mappings/clients/{clientID}").Methods("GET").Handler(getClientRoleForUserHandler)
 		managementSubroute.Path("/realms/{realm}/users/{userID}/role-mappings/clients/{clientID}").Methods("POST").Handler(addClientRoleToUserHandler)
 		managementSubroute.Path("/realms/{realm}/users/{userID}/role-mappings/realm").Methods("GET").Handler(getRealmRoleForUserHandler)
+
 		managementSubroute.Path("/realms/{realm}/users/{userID}/reset-password").Methods("PUT").Handler(resetPasswordHandler)
 		managementSubroute.Path("/realms/{realm}/users/{userID}/send-verify-email").Methods("PUT").Handler(sendVerifyEmailHandler)
+		managementSubroute.Path("/realms/{realm}/users/{userID}/execute-actions-email").Methods("PUT").Handler(executeActionsEmailHandler)
+
+		// Credentials
 		managementSubroute.Path("/realms/{realm}/users/{userID}/credentials").Methods("GET").Handler(getCredentialsForUserHandler)
 		managementSubroute.Path("/realms/{realm}/users/{userID}/credentials/{credentialID}").Methods("DELETE").Handler(deleteCredentialsForUserHandler)
+
 		//roles
 		managementSubroute.Path("/realms/{realm}/roles").Methods("GET").Handler(getRolesHandler)
 		managementSubroute.Path("/realms/{realm}/roles-by-id/{roleID}").Methods("GET").Handler(getRoleHandler)

diff --git a/configs/authorization.json b/configs/authorization.json
@@ -50,6 +50,16 @@
           "l3_support_manager": {},
           "l3_support_agent": {}
         }
+      },
+      "ExecuteActionsEmail": {
+        "master": {
+          "integrator_manager": {},
+          "integrator_agent": {},
+          "l2_support_manager": {},
+          "l2_support_agent": {},
+          "l3_support_manager": {},
+          "l3_support_agent": {}
+        }
       }
     },
     "integrator_manager":{
@@ -111,7 +121,15 @@
         "DEP": {
           "*": {}
         }
-      }      
+      }, 
+      "ExecuteActionsEmail": {
+        "master": {
+          "integrator_agent": {}
+        },
+        "DEP": {
+          "*": {}
+        }
+      }   
     },
     "integrator_agent":{
       "GetRealms": {
@@ -151,7 +169,12 @@
         "DEP": {
           "*": {}
         }
-      }           
+      },
+      "ExecuteActionsEmail": {
+        "DEP": {
+          "*": {}
+        }
+      }       
     },
     "l2_support_manager":{
       "GetRealms": {
@@ -191,7 +214,12 @@
         "master": {
           "l2_support_agent": {}
         }
-      }      
+      },
+      "ExecuteActionsEmail": {
+        "master": {
+          "l2_support_agent": {}
+        }
+      }
     },
     "l2_support_agent": {
       "GetRealms": {
@@ -236,7 +264,12 @@
         "master": {
           "l3_support_agent": {}
         }
-      } 
+      },
+      "ExecuteActionsEmail": {
+        "master": {
+          "l3_support_agent": {}
+        }
+      }
     },
     "l3_support_agent": {
       "GetRealms": {
@@ -283,7 +316,12 @@
         "DEP": {
           "*": {}
         }
-      }      
+      },
+      "ExecuteActionsEmail": {
+        "DEP": {
+          "*": {}
+        }
+      }   
     },
     "l1_support_manager": {
       "GetRealms": {
@@ -329,7 +367,13 @@
           "l1_support_agent": {},
           "end_user": {}
         }
-      }       
+      },
+      "ExecuteActionsEmail": {
+        "DEP": {
+          "l1_support_agent": {},
+          "end_user": {}
+        }
+      }      
     },
     "l1_support_agent": {
       "GetRealms": {
@@ -361,6 +405,11 @@
         "DEP": {
           "end_user": {}
         }
+      },
+      "ExecuteActionsEmail": {
+        "DEP": {
+          "end_user": {}
+        }
       }  
     }
   }

diff --git a/internal/security/authorization.go b/internal/security/authorization.go
@@ -13,19 +13,19 @@ func (am *authorizationManager) CheckAuthorizationOnTargetUser(ctx context.Conte
 
 	// Retrieve the group of the target user
 
-	var userRep kc.UserRepresentation
+	var groupsRep []kc.GroupRepresentation
 	var err error
-	if userRep, err = am.keycloakClient.GetUser(accessToken, targetRealm, userID); err != nil {
+	if groupsRep, err = am.keycloakClient.GetGroupsOfUser(accessToken, targetRealm, userID); err != nil {
 		return ForbiddenError{}
 	}
 
-	if userRep.Groups == nil {
+	if groupsRep == nil || len(groupsRep) == 0 {
 		// No groups assigned, nothing allowed
 		return ForbiddenError{}
 	}
 
-	for _, targetGroup := range *userRep.Groups {
-		if am.CheckAuthorizationOnTargetGroup(ctx, action, targetRealm, targetGroup) == nil {
+	for _, targetGroup := range groupsRep {
+		if am.CheckAuthorizationOnTargetGroup(ctx, action, targetRealm, *targetGroup.Name) == nil {
 			return nil
 		}
 	}
@@ -134,7 +134,7 @@ type authorizationManager struct {
 }
 
 type KeycloakClient interface {
-	GetUser(accessToken string, realmName, userID string) (kc.UserRepresentation, error)
+	GetGroupsOfUser(accessToken string, realmName, userID string) ([]kc.GroupRepresentation, error)
 }
 
 type AuthorizationManager interface {