Integrate role assignment snychronizer into client controller
frank.buechel committed Jul 23, 2021
1 parent 500ef74 commit 832f3c2
Showing 2 changed files with 7 additions and 50 deletions.
Expand Up @@ -30,15 +30,18 @@ public class ClientController extends KubernetesController<ClientResource> {

final KeycloakController keycloak;
final AssignedClientScopesSyncer assignedClientScopesSyncer;
final ServiceAccountRoleAssignmentSynchronizer serviceAccountRoleAssignmentSynchronizer;

public ClientController(KeycloakController keycloak,
KubernetesClient kubernetes,
AssignedClientScopesSyncer assignedClientScopesSyncer) {
AssignedClientScopesSyncer assignedClientScopesSyncer,
ServiceAccountRoleAssignmentSynchronizer serviceAccountRoleAssignmentSynchronizer) {

super(kubernetes, ClientResource.DEFINITION, ClientResource.class, ClientResource.ClientResourceList.class,
ClientResource.ClientResourceDoneable.class);
this.keycloak = keycloak;
this.assignedClientScopesSyncer = assignedClientScopesSyncer;
this.serviceAccountRoleAssignmentSynchronizer = serviceAccountRoleAssignmentSynchronizer;
}

@Override
Expand Down Expand Up @@ -364,57 +367,9 @@ void manageMapper(RealmResource realmResource, String clientUuid, ClientResource
}

private void manageServiceAccountRealmRoles(RealmResource realmResource, String clientUuid, ClientResource clientResource) {
var keycloak = clientResource.getSpec().getKeycloak();
var realm = clientResource.getSpec().getRealm();
var clientId = clientResource.getSpec().getClientId();

org.keycloak.admin.client.resource.ClientResource keycloakClientResource = realmResource.clients().get(clientUuid);
RoleMappingResource serviceAccountRolesMapping = realmResource.users()
.get(keycloakClientResource.getServiceAccountUser().getId())
.roles();

List<String> requestedRealmRoles = clientResource.getSpec().getServiceAccountRealmRoles();

removeRoleMappingNotRequestedAnymore(keycloak, realm, clientId, serviceAccountRolesMapping, requestedRealmRoles);

List<String> realmRoleNames = realmResource.roles().list().stream().map(RoleRepresentation::getName).collect(Collectors.toList());
List<String> rolesToCreate = requestedRealmRoles.stream().filter(role -> !realmRoleNames.contains(role)).collect(Collectors.toList());
createRolesInRealm(keycloak, realm, clientId, realmResource.roles(), rolesToCreate);

List<RoleRepresentation> rolesToBind = realmResource.roles().list().stream()
.filter(roleInRealm -> requestedRealmRoles.contains(roleInRealm.getName()))
.collect(Collectors.toList());
this.serviceAccountRoleAssignmentSynchronizer.manageServiceAccountRealmRoles(realmResource, clientResource, clientUuid);

serviceAccountRolesMapping
.realmLevel()
.add(rolesToBind);
}

private void createRolesInRealm(String keycloak, String realm, String clientId, RolesResource rolesResource, List<String> rolesToCreate) {
for (String roleToCreate : rolesToCreate) {
var representation = new RoleRepresentation();
representation.setName(roleToCreate);
representation.setClientRole(false);
representation.setComposite(false);
rolesResource.create(representation);
log.info("{}/{}/{}: created realm role {}", keycloak, realm, clientId, roleToCreate);
}
}

private void removeRoleMappingNotRequestedAnymore(String keycloak, String realm, String clientId, RoleMappingResource serviceAccountRoleMapping, List<String> requestedRealmRoles) {
List rolesToRemove = new ArrayList();

List<RoleRepresentation> currentlyMappedRealmRoles = serviceAccountRoleMapping.getAll().getRealmMappings();
for (RoleRepresentation currentlyMappedRole : currentlyMappedRealmRoles) {
if (!requestedRealmRoles.contains(currentlyMappedRole.getName())) {
rolesToRemove.add(currentlyMappedRole);
log.info("{}/{}/{}: deleted role not requested anymore {}",
keycloak, realm, clientId, currentlyMappedRole.getName());
}
}
serviceAccountRoleMapping
.realmLevel()
.remove(rolesToRemove);
}

private void manageRoles(RealmResource realmResource, String clientUuid, ClientResource clientResource) {
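Review bot: The synchronizer passed in through the constructor's new parameter is stored into the field without a null check, and since `manageServiceAccountRealmRoles` now does nothing but delegate to it, a missing binding would only surface as a NullPointerException in the middle of a reconcile; `this.serviceAccountRoleAssignmentSynchronizer = Objects.requireNonNull(serviceAccountRoleAssignmentSynchronizer, "serviceAccountRoleAssignmentSynchronizer");` fails fast at construction instead (needs `java.util.Objects`; the import block is outside the hunk). The delegate call passes `(realmResource, clientResource, clientUuid)` while the controller method itself is declared `(realmResource, clientUuid, clientResource)`; aligning the two parameter orders would avoid a mix-up the next time a parameter is added. The inline code being removed logged every realm role it created and every service-account mapping it dropped, and those are privilege changes on a service account, so it is worth confirming the synchronizer emits equivalent log lines, which cannot be checked from this diff. The only other class touched by this commit is named `ServiceAccountRoleAssignment`, so unless a `ServiceAccountRoleAssignmentSynchronizer` type already exists elsewhere in the project, the new field type will not resolve.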
Expand Up @@ -3,12 +3,14 @@
import java.util.List;
import java.util.stream.Collectors;

import javax.inject.Singleton;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleMappingResource;
import org.keycloak.representations.idm.RoleRepresentation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
public class ServiceAccountRoleAssignment {
private final Logger LOG = LoggerFactory.getLogger(getClass());

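Review bot: `@Singleton` makes one shared `ServiceAccountRoleAssignment` instance serve every reconcile, and the class body past the logger field is outside the hunk, so confirm it keeps no per-call mutable state in fields (the Keycloak resources it is handed should stay method-local). The logger visible in the hunk is per-instance and resolved via `getClass()`; for a singleton the usual form is `private static final Logger LOG = LoggerFactory.getLogger(ServiceAccountRoleAssignment.class);`, which also keeps the logger name stable should the container hand out a generated subclass. The rest of the class is outside the hunk.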
