Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DevServices Keycloack roles are not generated properly #22668

Closed
danielpetisme opened this issue Jan 5, 2022 · 2 comments · Fixed by #23241
Closed

DevServices Keycloack roles are not generated properly #22668

danielpetisme opened this issue Jan 5, 2022 · 2 comments · Fixed by #23241
Labels
area/devservices kind/bug Something isn't working
Milestone
2.7.1.Final

Comments

@danielpetisme
Copy link
Contributor

Describe the bug

There is an inconsistency in the way roles are created and managed in Keycloack Dev Services.

Given the following config

%dev.quarkus.keycloak.devservices.users.quarkus=quarkus
%dev.quarkus.keycloak.devservices.roles.quarkus=reader,writer

When the realm is created, the method createDefaultRealm is invoked. First the createRealmRep() method will be invoked. This is how roles are fetched:

List<String> distinctRoles = capturedDevServicesConfiguration.roles.values().stream().distinct()
                    .collect(Collectors.toList());
            for (String role : distinctRoles) {
                realm.getRoles().getRealm().add(new RoleRepresentation(role, null, false));
            }

quarkus/extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/devservices/keycloak/KeycloakDevServicesProcessor.java

Line 608 in a43f46e

List<String> distinctRoles = capturedDevServicesConfiguration.roles.values().stream().distinct()

This means a unique role "reader,writer" will be created where the original intent was to create 2 roles ("reader", "writer").

After creating the roles, createDefaultRealm will create the user and call getUserRoles. This is how roles are fetched for a user

private String[] getUserRoles(String user) {
   String roles = capturedDevServicesConfiguration.roles.get(user);
   return roles == null ? ("alice".equals(user) ? new String[] { "admin", "user" } : new String[] { "user" })
       : roles.split(",");
}

quarkus/extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/devservices/keycloak/KeycloakDevServicesProcessor.java

Line 584 in a43f46e

private String[] getUserRoles(String user) {

Here the role string is splitter on "," to collect a list.

Here is the result of the above config in Keycloak
image

At the end of the day, we have n+1 role ("reader", "writer" and not "reader,writer") so I guess all the tests work pretty fine.
My 2 cts are the UserRepresentation is creating behind the scene the correct roles hiding the lack of list management in the RoleRepresentation part.

Expected behavior

When providing a comma-separated list of roles, Dev Services should create each role, and not 1 is the exact text representation.

Actual behavior

No response

How to Reproduce?

See the bug description

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
@danielpetisme danielpetisme added the kind/bug Something isn't working label Jan 5, 2022
@quarkus-bot
Copy link

quarkus-bot bot commented Jan 5, 2022

/cc @stuartwdouglas

@gsmet
Copy link
Member

gsmet commented Jan 6, 2022

@danielpetisme looks like you have it all figured out, care to provide a PR? :)

@sberyozkin sberyozkin mentioned this issue Jan 27, 2022
Merged
@quarkus-bot quarkus-bot bot added this to the 2.8 - main milestone Jan 27, 2022
@gsmet gsmet modified the milestones: 2.8 - main, 2.7.1.Final Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/devservices kind/bug Something isn't working
Projects
None yet
Milestone
2.7.1.Final
Development

Successfully merging a pull request may close this issue.

Use List to capture configured roles in Dev Services for Keycloak sberyozkin/quarkus
2 participants
@danielpetisme @gsmet