tenant fixes
This commit is contained in:
parent
f6ea1e2b04
commit
1888711fe9
|
|
@ -3,16 +3,16 @@ package org.opencdmp.authorization;
|
|||
|
||||
import org.springframework.boot.context.properties.ConfigurationProperties;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
|
||||
@ConfigurationProperties(prefix = "authorization")
|
||||
public class AuthorizationProperties {
|
||||
|
||||
private String globalAdminRole;
|
||||
private String tenantAdminRole;
|
||||
|
||||
public String getGlobalAdminRole() {
|
||||
return globalAdminRole;
|
||||
return this.globalAdminRole;
|
||||
}
|
||||
|
||||
public void setGlobalAdminRole(String globalAdminRole) {
|
||||
|
|
@ -21,7 +21,7 @@ public class AuthorizationProperties {
|
|||
private Boolean autoAssignGlobalAdminToNewTenants;
|
||||
|
||||
public Boolean getAutoAssignGlobalAdminToNewTenants() {
|
||||
return autoAssignGlobalAdminToNewTenants;
|
||||
return this.autoAssignGlobalAdminToNewTenants;
|
||||
}
|
||||
|
||||
public void setAutoAssignGlobalAdminToNewTenants(Boolean autoAssignGlobalAdminToNewTenants) {
|
||||
|
|
@ -31,7 +31,7 @@ public class AuthorizationProperties {
|
|||
private List<String> allowedTenantRoles;
|
||||
|
||||
public List<String> getAllowedTenantRoles() {
|
||||
return allowedTenantRoles;
|
||||
return this.allowedTenantRoles;
|
||||
}
|
||||
|
||||
public void setAllowedTenantRoles(List<String> allowedTenantRoles) {
|
||||
|
|
@ -41,10 +41,18 @@ public class AuthorizationProperties {
|
|||
private List<String> allowedGlobalRoles;
|
||||
|
||||
public List<String> getAllowedGlobalRoles() {
|
||||
return allowedGlobalRoles;
|
||||
return this.allowedGlobalRoles;
|
||||
}
|
||||
|
||||
public void setAllowedGlobalRoles(List<String> allowedGlobalRoles) {
|
||||
this.allowedGlobalRoles = allowedGlobalRoles;
|
||||
}
|
||||
|
||||
public String getTenantAdminRole() {
|
||||
return this.tenantAdminRole;
|
||||
}
|
||||
|
||||
public void setTenantAdminRole(String tenantAdminRole) {
|
||||
this.tenantAdminRole = tenantAdminRole;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,11 +16,11 @@ public class KeycloakResourcesConfiguration {
|
|||
}
|
||||
|
||||
public KeycloakResourcesProperties getProperties() {
|
||||
return properties;
|
||||
return this.properties;
|
||||
}
|
||||
|
||||
public String getTenantGroupName(String tenantCode) {
|
||||
return properties.getTenantGroupsNamingStrategy()
|
||||
return this.properties.getTenantGroupsNamingStrategy()
|
||||
.replace("{tenantCode}", tenantCode);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,20 +1,18 @@
|
|||
package org.opencdmp.service.keycloak;
|
||||
|
||||
import org.opencdmp.convention.ConventionService;
|
||||
import gr.cite.commons.web.keycloak.api.configuration.KeycloakClientConfiguration;
|
||||
import gr.cite.tools.logging.LoggerService;
|
||||
import org.jetbrains.annotations.NotNull;
|
||||
import org.keycloak.representations.idm.GroupRepresentation;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.opencdmp.convention.ConventionService;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
import java.util.*;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
@Service
|
||||
public class KeycloakServiceImpl implements KeycloakService {
|
||||
|
||||
private static final LoggerService logger = new LoggerService(LoggerFactory.getLogger(KeycloakServiceImpl.class));
|
||||
private final MyKeycloakAdminRestApi api;
|
||||
private final KeycloakResourcesConfiguration configuration;
|
||||
private final ConventionService conventionService;
|
||||
|
|
@ -28,26 +26,26 @@ public class KeycloakServiceImpl implements KeycloakService {
|
|||
|
||||
@Override
|
||||
public void addUserToGroup(@NotNull String subjectId, String groupId) {
|
||||
api.users().addUserToGroup(subjectId, groupId);
|
||||
this.api.users().addUserToGroup(subjectId, groupId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void removeUserFromGroup(@NotNull String subjectId, String groupId) {
|
||||
api.users().removeUserFromGroup(subjectId, groupId);
|
||||
this.api.users().removeUserFromGroup(subjectId, groupId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void addUserToGlobalRoleGroup(String subjectId, String role) {
|
||||
if (this.configuration.getProperties().getAuthorities() == null) return;
|
||||
KeycloakAuthorityProperties properties = this.configuration.getProperties().getAuthorities().getOrDefault(role, null);
|
||||
if (properties != null) addUserToGroup(subjectId, properties.getGroupId());
|
||||
if (properties != null) this.addUserToGroup(subjectId, properties.getGroupId());
|
||||
}
|
||||
|
||||
@Override
|
||||
public void removeUserGlobalRoleGroup(@NotNull String subjectId, String role) {
|
||||
if (this.configuration.getProperties().getAuthorities() == null) return;
|
||||
KeycloakAuthorityProperties properties = this.configuration.getProperties().getAuthorities().getOrDefault(role, null);
|
||||
if (properties != null) removeUserFromGroup(subjectId, properties.getGroupId());
|
||||
if (properties != null) this.removeUserFromGroup(subjectId, properties.getGroupId());
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -55,33 +53,33 @@ public class KeycloakServiceImpl implements KeycloakService {
|
|||
if (this.configuration.getProperties().getAuthorities() == null) return;
|
||||
KeycloakTenantAuthorityProperties properties = this.configuration.getProperties().getTenantAuthorities().getOrDefault(tenantRole, null);
|
||||
if (properties == null) return;
|
||||
GroupRepresentation group = api.groups().findGroupByPath(getTenantAuthorityParentPath(properties) + "/" + configuration.getTenantGroupName(tenantCode));
|
||||
if (group != null) addUserToGroup(subjectId, group.getId());
|
||||
GroupRepresentation group = this.api.groups().findGroupByPath(this.getTenantAuthorityParentPath(properties) + "/" + this.configuration.getTenantGroupName(tenantCode));
|
||||
if (group != null) this.addUserToGroup(subjectId, group.getId());
|
||||
}
|
||||
|
||||
@Override
|
||||
public void removeUserTenantRoleGroup(String subjectId, String tenantCode, String tenantRole) {
|
||||
KeycloakTenantAuthorityProperties properties = this.configuration.getProperties().getTenantAuthorities().getOrDefault(tenantRole, null);
|
||||
if (properties == null) return;
|
||||
GroupRepresentation group = api.groups().findGroupByPath(getTenantAuthorityParentPath(properties) + "/" + configuration.getTenantGroupName(tenantCode));
|
||||
if (group != null) removeUserFromGroup(subjectId, group.getId());
|
||||
GroupRepresentation group = this.api.groups().findGroupByPath(this.getTenantAuthorityParentPath(properties) + "/" + this.configuration.getTenantGroupName(tenantCode));
|
||||
if (group != null) this.removeUserFromGroup(subjectId, group.getId());
|
||||
}
|
||||
|
||||
private String getTenantAuthorityParentPath(KeycloakTenantAuthorityProperties keycloakTenantAuthorityProperties) {
|
||||
GroupRepresentation parent = api.groups().findGroupById(keycloakTenantAuthorityProperties.getParent());
|
||||
GroupRepresentation parent = this.api.groups().findGroupById(keycloakTenantAuthorityProperties.getParent());
|
||||
return parent.getPath();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void createTenantGroups(String tenantCode) {
|
||||
if (this.configuration.getProperties().getTenantAuthorities() == null) return;
|
||||
for (Map.Entry<String,KeycloakTenantAuthorityProperties> entry :configuration.getProperties().getTenantAuthorities().entrySet()){
|
||||
for (Map.Entry<String,KeycloakTenantAuthorityProperties> entry : this.configuration.getProperties().getTenantAuthorities().entrySet()){
|
||||
GroupRepresentation group = new GroupRepresentation();
|
||||
group.setName(configuration.getTenantGroupName(tenantCode));
|
||||
group.setName(this.configuration.getTenantGroupName(tenantCode));
|
||||
HashMap<String, List<String>> user_attributes = new HashMap<>();
|
||||
if (!this.conventionService.isNullOrEmpty(this.configuration.getProperties().getTenantRoleAttributeName())) user_attributes.put(this.configuration.getProperties().getTenantRoleAttributeName(), List.of(configuration.getTenantRoleAttributeValue(tenantCode, entry.getValue())));
|
||||
if (!this.conventionService.isNullOrEmpty(this.configuration.getProperties().getTenantRoleAttributeName())) user_attributes.put(this.configuration.getProperties().getTenantRoleAttributeName(), List.of(this.configuration.getTenantRoleAttributeValue(tenantCode, entry.getValue())));
|
||||
group.setAttributes(user_attributes);
|
||||
api.groups().addGroupWithParent(group, entry.getValue().getParent());
|
||||
this.api.groups().addGroupWithParent(group, entry.getValue().getParent());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,9 +1,20 @@
|
|||
package org.opencdmp.service.tenant;
|
||||
|
||||
import gr.cite.commons.web.authz.service.AuthorizationService;
|
||||
import gr.cite.tools.data.builder.BuilderFactory;
|
||||
import gr.cite.tools.data.deleter.DeleterFactory;
|
||||
import gr.cite.tools.data.query.QueryFactory;
|
||||
import gr.cite.tools.exception.MyApplicationException;
|
||||
import gr.cite.tools.exception.MyForbiddenException;
|
||||
import gr.cite.tools.exception.MyNotFoundException;
|
||||
import gr.cite.tools.exception.MyValidationException;
|
||||
import gr.cite.tools.fieldset.BaseFieldSet;
|
||||
import gr.cite.tools.fieldset.FieldSet;
|
||||
import gr.cite.tools.logging.LoggerService;
|
||||
import gr.cite.tools.logging.MapLogEntry;
|
||||
import org.opencdmp.authorization.AuthorizationFlags;
|
||||
import org.opencdmp.authorization.AuthorizationProperties;
|
||||
import org.opencdmp.authorization.Permission;
|
||||
import org.opencdmp.commons.XmlHandlingService;
|
||||
import org.opencdmp.commons.enums.IsActive;
|
||||
import org.opencdmp.commons.scope.tenant.TenantScope;
|
||||
import org.opencdmp.convention.ConventionService;
|
||||
|
|
@ -22,21 +33,7 @@ import org.opencdmp.model.deleter.TenantDeleter;
|
|||
import org.opencdmp.model.persist.TenantPersist;
|
||||
import org.opencdmp.query.UserCredentialQuery;
|
||||
import org.opencdmp.query.UserRoleQuery;
|
||||
import org.opencdmp.service.encryption.EncryptionService;
|
||||
import org.opencdmp.service.keycloak.KeycloakService;
|
||||
import gr.cite.commons.web.authz.service.AuthorizationService;
|
||||
import gr.cite.tools.data.builder.BuilderFactory;
|
||||
import gr.cite.tools.data.deleter.DeleterFactory;
|
||||
import gr.cite.tools.data.query.QueryFactory;
|
||||
import gr.cite.tools.exception.MyApplicationException;
|
||||
import gr.cite.tools.exception.MyForbiddenException;
|
||||
import gr.cite.tools.exception.MyNotFoundException;
|
||||
import gr.cite.tools.exception.MyValidationException;
|
||||
import gr.cite.tools.fieldset.BaseFieldSet;
|
||||
import gr.cite.tools.fieldset.FieldSet;
|
||||
import gr.cite.tools.logging.LoggerService;
|
||||
import gr.cite.tools.logging.MapLogEntry;
|
||||
import org.jetbrains.annotations.NotNull;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.MessageSource;
|
||||
|
|
@ -114,7 +111,7 @@ public class TenantServiceImpl implements TenantService {
|
|||
if (isUpdate) {
|
||||
data = this.entityManager.find(TenantEntity.class, model.getId());
|
||||
if (data == null)
|
||||
throw new MyNotFoundException(messageSource.getMessage("General_ItemNotFound", new Object[]{model.getId(), Tenant.class.getSimpleName()}, LocaleContextHolder.getLocale()));
|
||||
throw new MyNotFoundException(this.messageSource.getMessage("General_ItemNotFound", new Object[]{model.getId(), Tenant.class.getSimpleName()}, LocaleContextHolder.getLocale()));
|
||||
if (!this.conventionService.hashValue(data.getUpdatedAt()).equals(model.getHash()))
|
||||
throw new MyValidationException(this.errors.getHashConflict().getCode(), this.errors.getHashConflict().getMessage());
|
||||
} else {
|
||||
|
|
@ -147,7 +144,7 @@ public class TenantServiceImpl implements TenantService {
|
|||
return this.builderFactory.builder(TenantBuilder.class).authorize(AuthorizationFlags.OwnerOrDmpAssociatedOrPermission).build(BaseFieldSet.build(fields, Tenant._id), data);
|
||||
}
|
||||
|
||||
private void autoAssignGlobalAdminsToNewTenant(TenantEntity tenant){
|
||||
private void autoAssignGlobalAdminsToNewTenant(TenantEntity tenant) throws InvalidApplicationException {
|
||||
if (!this.authorizationProperties.getAutoAssignGlobalAdminToNewTenants()) return;
|
||||
List<UserRoleEntity> existingItems;
|
||||
List<UserCredentialEntity> userCredentialEntities;
|
||||
|
|
@ -167,10 +164,10 @@ public class TenantServiceImpl implements TenantService {
|
|||
UserRoleEntity item = new UserRoleEntity();
|
||||
item.setId(UUID.randomUUID());
|
||||
item.setUserId(userId);
|
||||
item.setRole(this.authorizationProperties.getGlobalAdminRole());
|
||||
item.setRole(this.authorizationProperties.getTenantAdminRole());
|
||||
item.setCreatedAt(Instant.now());
|
||||
this.entityManager.persist(item);
|
||||
this.keycloakService.addUserToGlobalRoleGroup(userCredential.getExternalId(), this.authorizationProperties.getGlobalAdminRole());
|
||||
this.keycloakService.addUserToTenantRoleGroup(userCredential.getExternalId(), this.tenantScope.getTenantCode(), this.authorizationProperties.getTenantAdminRole());
|
||||
}
|
||||
} finally {
|
||||
this.tenantScope.removeTempTenant(this.entityManager.getEntityManager());
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
authorization:
|
||||
globalAdminRole: Admin
|
||||
tenantAdminRole: TenantAdmin
|
||||
autoAssignGlobalAdminToNewTenants: true
|
||||
allowedTenantRoles:
|
||||
- TenantAdmin
|
||||
|
|
|
|||
Loading…
Reference in New Issue