Audit events

cmd/keycloakb/keycloak_bridge.go

@@ -325,14 +325,19 @@ func main() {
 		}
 	}
 
+	baseEventsDBModule := database.NewEventsDBModule(eventsDBConn)
+
 	// Events service.
 	var eventsEndpoints events.Endpoints
 	{
 		var eventsLogger = log.With(logger, "svc", "events")
 
+		// module to store API calls of the back office to the DB
+		eventsDBModule := configureEventsDbModule(baseEventsDBModule, influxMetrics, eventsLogger, tracer)
+
 		// new module for sending the events to the DB
 		eventsRODBModule := events.NewEventsDBModule(eventsRODBConn)
-		eventsComponent := events.NewEventsComponent(eventsRODBModule)
+		eventsComponent := events.NewEventsComponent(eventsRODBModule, eventsDBModule)
 		eventsComponent = events.MakeAuthorizationManagementComponentMW(log.With(eventsLogger, "mw", "endpoint"), authorizationManager)(eventsComponent)
 
 		eventsEndpoints = events.Endpoints{
@@ -342,8 +347,6 @@ func main() {
 		}
 	}
 
-	baseEventsDBModule := database.NewEventsDBModule(eventsDBConn)
-
 	// Management service.
 	var managementEndpoints = management.Endpoints{}
 	{
@@ -382,6 +385,7 @@ func main() {
 			GetRolesOfUser:                 prepareEndpoint(management.MakeGetRolesOfUserEndpoint(keycloakComponent), "get_user_roles", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetRoles:                       prepareEndpoint(management.MakeGetRolesEndpoint(keycloakComponent), "get_roles_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetRole:                        prepareEndpoint(management.MakeGetRoleEndpoint(keycloakComponent), "get_role_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
+			GetGroups:                      prepareEndpoint(management.MakeGetGroupsEndpoint(keycloakComponent), "get_groups_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetClientRoles:                 prepareEndpoint(management.MakeGetClientRolesEndpoint(keycloakComponent), "get_client_roles_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			CreateClientRole:               prepareEndpoint(management.MakeCreateClientRoleEndpoint(keycloakComponent), "create_client_role_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
 			GetClientRoleForUser:           prepareEndpoint(management.MakeGetClientRolesForUserEndpoint(keycloakComponent), "get_client_roles_for_user_endpoint", influxMetrics, managementLogger, tracer, rateLimit["management"]),
@@ -505,6 +509,8 @@ func main() {
 		var getClientRolesHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetClientRoles)
 		var createClientRolesHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.CreateClientRole)
 
+		var getGroupsHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.GetGroups)
+
 		var resetPasswordHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.ResetPassword)
 		var sendVerifyEmailHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.SendVerifyEmail)
 		var executeActionsEmailHandler = configureManagementHandler(ComponentName, ComponentID, idGenerator, keycloakClient, audienceRequired, tracer, logger)(managementEndpoints.ExecuteActionsEmail)
@@ -553,6 +559,9 @@ func main() {
 		managementSubroute.Path("/realms/{realm}/clients/{clientID}/roles").Methods("GET").Handler(getClientRolesHandler)
 		managementSubroute.Path("/realms/{realm}/clients/{clientID}/roles").Methods("POST").Handler(createClientRolesHandler)
 
+		//groups
+		managementSubroute.Path("/realms/{realm}/groups").Methods("GET").Handler(getGroupsHandler)
+
 		// custom configuration par realm
 		managementSubroute.Path("/realms/{realm}/configuration").Methods("GET").Handler(getRealmCustomConfigurationHandler)
 		managementSubroute.Path("/realms/{realm}/configuration").Methods("PUT").Handler(updateRealmCustomConfigurationHandler)

configs/authorization.json

@@ -31,6 +31,16 @@
           "*": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "master": {
           "*": {}
@@ -123,6 +133,22 @@
           "end_user": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        },
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        },
+        "DEP": {
+          "*": {}
+        }
+      },  
       "GetGroupsOfUser": {
         "master": {
           "integrator_agent": {}
@@ -245,6 +271,16 @@
           "*": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "DEP": {
           "*": {}
@@ -335,6 +371,16 @@
           "l2_support_agent": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "master": {
           "l2_support_agent": {}
@@ -399,6 +445,16 @@
         "*": {
           "*": {}
         }
+      }, 
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
       }
     },
     "l3_support_manager":{
@@ -430,6 +486,16 @@
           "l3_support_agent": {}
         }
       },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "master": {
           "l3_support_agent": {}
@@ -494,6 +560,16 @@
         "*": {
           "*": {}
         }
+      },
+      "GetGroups": {
+        "master": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "master": {
+          "*": {}
+        }
       }
     }
   },
@@ -522,6 +598,16 @@
           "*": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "GetGroupsOfUser": {
         "DEP": {
           "*": {}
@@ -606,6 +692,16 @@
           "end_user": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "DEP": {
           "l1_support_agent": {},
@@ -685,6 +781,16 @@
           "end_user": {}
         }
       },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
+      },
       "UpdateUser": {
         "DEP": {
           "end_user": {}
@@ -737,6 +843,16 @@
         "DEP": {
           "end_user": {}
         }
+      },
+      "GetGroups": {
+        "DEP": {
+          "*": {}
+        }
+      },
+      "GetRoles": {
+        "DEP": {
+          "*": {}
+        }
       }
     }
   }

pkg/events/component.go

@@ -3,6 +3,7 @@ package events
 import (
 	"context"
 
+	"github.com/cloudtrust/common-service/database"
 	"github.com/cloudtrust/common-service/http"
 	api "github.com/cloudtrust/keycloak-bridge/api/events"
 )
@@ -15,16 +16,22 @@ type EventsComponent interface {
 }
 
 type component struct {
-	db EventsDBModule
+	db            EventsDBModule
+	eventDBModule database.EventsDBModule
 }
 
 // NewEventsComponent returns an events DB module
-func NewEventsComponent(db EventsDBModule) EventsComponent {
+func NewEventsComponent(db EventsDBModule, eventDBModule database.EventsDBModule) EventsComponent {
 	return &component{
-		db: db,
+		db:            db,
+		eventDBModule: eventDBModule,
 	}
 }
 
+func (ec *component) reportEvent(ctx context.Context, apiCall string, values ...string) error {
+	return ec.eventDBModule.ReportEvent(ctx, apiCall, "back-office", values...)
+}
+
 // Get events according to optional parameters
 func (ec *component) GetEvents(ctx context.Context, params map[string]string) (api.AuditEventsRepresentation, error) {
 	var empty [0]api.AuditRepresentation
@@ -53,5 +60,6 @@ func (ec *component) GetUserEvents(ctx context.Context, params map[string]string
 	if val, ok := params["userID"]; !ok || len(val) == 0 {
 		return api.AuditEventsRepresentation{}, http.CreateMissingParameterError("userID")
 	}
+	ec.reportEvent(ctx, "GET_ACTIVITY", "realm_name", params["realm"], "user_id", params["userID"])
 	return ec.GetEvents(ctx, params)
 }

pkg/management/authorization.go

@@ -32,6 +32,7 @@ const (
 	DeleteCredentialsForUser       = "DeleteCredentialsForUser"
 	GetRoles                       = "GetRoles"
 	GetRole                        = "GetRole"
+	GetGroups                      = "GetGroups"
 	GetClientRoles                 = "GetClientRoles"
 	CreateClientRole               = "CreateClientRole"
 	GetRealmCustomConfiguration    = "GetRealmCustomConfiguration"
@@ -303,6 +304,17 @@ func (c *authorizationComponentMW) GetRole(ctx context.Context, realmName string
 	return c.next.GetRole(ctx, realmName, roleID)
 }
 
+func (c *authorizationComponentMW) GetGroups(ctx context.Context, realmName string) ([]api.GroupRepresentation, error) {
+	var action = GetGroups
+	var targetRealm = realmName
+
+	if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
+		return nil, err
+	}
+
+	return c.next.GetGroups(ctx, realmName)
+}
+
 func (c *authorizationComponentMW) GetClientRoles(ctx context.Context, realmName, idClient string) ([]api.RoleRepresentation, error) {
 	var action = GetClientRoles
 	var targetRealm = realmName

pkg/management/authorization_test.go

@@ -145,6 +145,9 @@ func TestDeny(t *testing.T) {
 		_, err = authorizationMW.GetRole(ctx, realmName, roleID)
 		assert.Equal(t, security.ForbiddenError{}, err)
 
+		_, err = authorizationMW.GetGroups(ctx, realmName)
+		assert.Equal(t, security.ForbiddenError{}, err)
+
 		_, err = authorizationMW.GetClientRoles(ctx, realmName, clientID)
 		assert.Equal(t, security.ForbiddenError{}, err)
 
@@ -236,6 +239,7 @@ func TestAllowed(t *testing.T) {
 					"DeleteCredentialsForUser": {"*": {"*": {} }},
 					"GetRoles": {"*": {"*": {} }},
 					"GetRole": {"*": {"*": {} }},
+					"GetGroups": {"*": {"*": {} }},
 					"GetClientRoles": {"*": {"*": {} }},
 					"CreateClientRole": {"*": {"*": {} }},
 					"GetRealmCustomConfiguration": {"*": {"*": {} }},
@@ -341,6 +345,10 @@ func TestAllowed(t *testing.T) {
 		_, err = authorizationMW.GetRole(ctx, realmName, roleID)
 		assert.Nil(t, err)
 
+		mockManagementComponent.EXPECT().GetGroups(ctx, realmName).Return([]api.GroupRepresentation{}, nil).Times(1)
+		_, err = authorizationMW.GetGroups(ctx, realmName)
+		assert.Nil(t, err)
+
 		mockManagementComponent.EXPECT().GetClientRoles(ctx, realmName, clientID).Return([]api.RoleRepresentation{}, nil).Times(1)
 		_, err = authorizationMW.GetClientRoles(ctx, realmName, clientID)
 		assert.Nil(t, err)

pkg/management/component.go

@@ -36,6 +36,7 @@ type KeycloakClient interface {
 	DeleteCredentialsForUser(accessToken string, realmReq, realmName string, userID string, credentialID string) error
 	GetRoles(accessToken string, realmName string) ([]kc.RoleRepresentation, error)
 	GetRole(accessToken string, realmName string, roleID string) (kc.RoleRepresentation, error)
+	GetGroups(accessToken string, realmName string) ([]kc.GroupRepresentation, error)
 	GetClientRoles(accessToken string, realmName, idClient string) ([]kc.RoleRepresentation, error)
 	CreateClientRole(accessToken string, realmName, clientID string, role kc.RoleRepresentation) (string, error)
 	GetGroup(accessToken string, realmName, groupID string) (kc.GroupRepresentation, error)
@@ -65,6 +66,7 @@ type Component interface {
 	DeleteCredentialsForUser(ctx context.Context, realmName string, userID string, credentialID string) error
 	GetRoles(ctx context.Context, realmName string) ([]api.RoleRepresentation, error)
 	GetRole(ctx context.Context, realmName string, roleID string) (api.RoleRepresentation, error)
+	GetGroups(ctx context.Context, realmName string) ([]api.GroupRepresentation, error)
 	GetClientRoles(ctx context.Context, realmName, idClient string) ([]api.RoleRepresentation, error)
 	CreateClientRole(ctx context.Context, realmName, clientID string, role api.RoleRepresentation) (string, error)
 	GetRealmCustomConfiguration(ctx context.Context, realmName string) (api.RealmCustomConfiguration, error)
@@ -505,6 +507,9 @@ func (c *component) SendNewEnrolmentCode(ctx context.Context, realmName string,
 		return "", err
 	}
 
+	// store the API call into the DB
+	_ = c.reportEvent(ctx, "SMS_CHALLENGE", "realm_name", realmName, "user_id", userID)
+
 	return *smsCodeKc.Code, err
 }
 
@@ -573,6 +578,27 @@ func (c *component) GetRole(ctx context.Context, realmName string, roleID string
 	return roleRep, err
 }
 
+func (c *component) GetGroups(ctx context.Context, realmName string) ([]api.GroupRepresentation, error) {
+	var accessToken = ctx.Value(cs.CtContextAccessToken).(string)
+
+	groupsKc, err := c.keycloakClient.GetGroups(accessToken, realmName)
+
+	if err != nil {
+		return nil, err
+	}
+
+	var groupsRep []api.GroupRepresentation
+	for _, groupKc := range groupsKc {
+		var groupRep api.GroupRepresentation
+		groupRep.Id = groupKc.Id
+		groupRep.Name = groupKc.Name
+
+		groupsRep = append(groupsRep, groupRep)
+	}
+
+	return groupsRep, nil
+}
+
 func (c *component) GetClientRoles(ctx context.Context, realmName, idClient string) ([]api.RoleRepresentation, error) {
 	var accessToken = ctx.Value(cs.CtContextAccessToken).(string)